I am in a similar position. I need to define four roles - Network admin/operators and SAN admin/operators. The document on RBAC is one of those that is probably accurate, but not a great deal of use - what it really needs is a few examples that we could use as starting points.
So, has anyone set up RBAC yet, and would they mind sharing what they did?
I have soldiered on and made a first stab at RBAC. It might help you get a start. I am fully expecting that once we try using the roles there will be glaring errors. We are taking the position that initially we will have three users, and everyone knows all the passwords while we sort out the roles properly: the standard admin, a san-admin and a net-admin, so that not having access does not delay things. Once we are happy, the main admin will be a "sealed envelope" job.
I would appreciate anyone pointing out any glaring omissions!
! Feature groups: the SAN group bundles the Fibre Channel / storage features,
! the NET group bundles the Ethernet / platform / management features.
role feature-group name My-SAN-Features
  feature license
  feature fc-qos
  feature fcanalyzer
  feature fcns
  feature fcsp
  feature fdmi
  feature ficon
  feature fspf
  feature iscsi
  feature isns
  feature ivr
  feature rlir
  feature rscn
  feature san-ext-tuner
  feature sfm
  feature sme
  feature sme-kmc-admin
  feature sme-recovery-officer
  feature sme-stg-admin
  feature vsan
  feature wwnm
  feature zone
role feature-group name My-NET-Features
  feature aaa
  feature access-list
  feature arp
  feature callhome
  feature cdp
  feature install
  feature l3vm
  feature license
  feature ping
  feature platform
  feature radius
  feature snmp
  feature syslog
  feature tacacs
  feature eth-span
  feature ethanalyzer
  feature spanning-tree
  feature svi
  feature vlan
  feature acl
  feature cloud
  feature mpls-tunnel
  feature span
role name default-role
  description This is a system defined role and applies to all users.
! Rules are evaluated from the highest number down; rule 100 is checked first.
! The feature-group names in the rules must match the groups defined above.
role name My-net-admin
  description This role is read-write for network staff
  rule 100 permit read-write feature-group My-NET-Features
  rule 90 permit command configure terminal ; interface *
  rule 10 permit read
  vsan policy deny
  interface policy deny
    permit interface mgmt0
    permit interface port-channel1-4096
    permit interface Ethernet1/1-40
role name My-san-admin
  description This role is read-write for SMS staff
  rule 100 permit read-write feature-group My-SAN-Features
  rule 90 permit command configure terminal ; interface *
  rule 10 permit read
  interface policy deny
    permit interface fc2/1-4
    permit interface san-port-channel 1-256
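One check worth running before pasting role definitions like the ones above into a switch: a rule that names a feature-group which is never defined grants nothing, and the mistake usually only surfaces when someone is locked out of a command. This is an added example (not code from the thread or from Cisco); the parser covers only the `role feature-group name`, `feature`, `role name` and `rule` statements, and the sample config is constructed to contain exactly that slip.

```python
import re

# Constructed sample, not the poster's config: one feature-group is defined,
# but the role's rule 100 names a group that does not exist.
SAMPLE_CONFIG = """\
role feature-group name My-SAN-Features
  feature vsan
  feature zone
role name My-san-admin
  description This role is read-write for SAN staff
  rule 100 permit read-write feature-group FJ-SAN-Features
  rule 90 permit command configure terminal ; interface *
  rule 10 permit read
  interface policy deny
    permit interface fc2/1-4
"""

RULE_RE = re.compile(r"rule (\d+) (permit|deny) (\S+)(?: (.*))?$")


def parse_roles(text):
    """Return (groups, roles): group name -> feature list, role name ->
    list of (rule_no, verb, permission, target). Policy lines are ignored."""
    groups, roles = {}, {}
    current_group = current_role = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"role feature-group name (\S+)$", line):
            current_group, current_role = m.group(1), None
            groups[current_group] = []
        elif m := re.match(r"role name (\S+)$", line):
            current_role, current_group = m.group(1), None
            roles[current_role] = []
        elif current_group and line.startswith("feature "):
            groups[current_group].append(line.split(None, 1)[1])
        elif current_role and (m := RULE_RE.match(line)):
            roles[current_role].append(
                (int(m.group(1)), m.group(2), m.group(3), m.group(4) or ""))
    return groups, roles


def lint(text):
    """Findings list; empty means every referenced feature-group exists."""
    groups, roles = parse_roles(text)
    findings = []
    for role, rules in roles.items():
        if not rules:
            findings.append(f"{role}: no rules, role grants nothing")
        for num, _verb, _perm, target in rules:
            if target.startswith("feature-group "):
                name = target.split(None, 1)[1]
                if name not in groups:
                    findings.append(
                        f"{role}: rule {num} references undefined feature-group {name}")
    return findings
```

Run `lint()` over the text you intend to paste (or over `show running-config | section role`) and fix every finding before the "sealed envelope" admin account becomes the only one that can still log in.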