Restricting Port Profile Visibility
This chapter contains the following sections:
- Information About Restricting Port Profile Visibility
- Guidelines and Limitations for Restricting Port Profile Visibility
- Defining DVS Access in vSphere Client
- Enabling the Port Profile Role Feature
- Restricting Port Profile Visibility on the VSM
- Removing a Port Profile Role
- Feature History for Restricting Port Profile Visibility
Information About Restricting Port Profile Visibility
Information About Port Profile Visibility
You can restrict which VMware vCenter users or user groups have visibility into specific port groups on the Cisco Nexus 1000V.
Before you can restrict the visibility of a port group, the server administrator must define which VMware vCenter users and user groups have access to the Cisco Nexus 1000V DVS top level folder in VMware vCenter Server. Once this is done, the network administrator can further define the visibility of specific port groups on the VSM. This configuration on the VSM is then published to the VMware vCenter Server so that access to specific port groups is restricted.
Information About Allow Groups or Users
Instead of defining access on the VSM for each user, you can add new users to VMware vCenter groups for which access is already defined. Members of a group defined in VMware vCenter automatically gain access to the port groups that are assigned to that group.
Guidelines and Limitations for Restricting Port Profile Visibility
- Access that the server administrator grants on the DVS top level folder is not propagated down to lower folders such as port groups. Instead, access to each port group is defined by the network administrator on the VSM and then published to the VMware vCenter Server.
- The Cisco Nexus 1000V VSM must be connected to the VMware vCenter Server before port profile roles are created or assigned. If this connection is not in place when port profile visibility is updated on the VSM, it is not published to VMware vCenter Server and is not affected.
- The following are guidelines for port profile roles on the VSM:
- You can define up to 256 port-profile-roles per VSM.
- You can define a total of 16 users and groups per role.
Defining DVS Access in vSphere Client
The server administrator can use this procedure to allow access to the top level Cisco Nexus 1000V DVS folder in vSphere client.
- You are logged in to the vSphere Client.
- You know which users or groups need access to the DVS.
- This procedure defines who can access the Cisco Nexus 1000V DVS. Access to individual port groups is defined on the VSM, using the procedure in Restricting Port Profile Visibility on the VSM.
1. In the vSphere Client window, do the following:
2. In the Select Users and Groups window, do the following:
3. In the Assign Permission window, do the following:
DETAILED STEPS
The user may now access the top level Cisco Nexus 1000V DVS folder according to the assigned role.
Note: To restrict access to specific port groups, see Restricting Port Profile Visibility on the VSM.
Enabling the Port Profile Role Feature
You are logged in to the CLI in EXEC mode.
1. switch# configure terminal
2. switch(config)# feature port-profile-role
3. (Optional) switch(config)# show feature
4. (Optional) switch(config)# copy running-config startup-config
DETAILED STEPS
Step | Command or Action | Purpose
---|---|---
Step 1 | switch# configure terminal | Enters global configuration mode.
Step 2 | switch(config)# feature port-profile-role | Enables the port profile roles feature to restrict user and group access.
Step 3 | switch(config)# show feature | (Optional) Displays the feature state for verification.
Step 4 | switch(config)# copy running-config startup-config | (Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.
The following example shows how to enable the port profile role feature.
```
switch# configure terminal
switch(config)# feature port-profile-role
switch(config)# show feature
Feature Name          Instance  State
--------------------  --------  --------
dhcp-snooping         1         enabled
http-server           1         enabled
ippool                1         enabled
lacp                  1         enabled
lisp                  1         enabled
lisphelper            1         enabled
netflow               1         disabled
port-profile-roles    1         enabled
private-vlan          1         disabled
sshServer             1         enabled
tacacs                1         enabled
telnetServer          1         enabled
switch(config)# copy running-config startup-config
```
Restricting Port Profile Visibility on the VSM
The network administrator can use this procedure to create a role for restricting port profile visibility on the VSM which is then pushed to vCenter Server.
- You are logged in to the CLI in EXEC mode.
- You know which users or groups should have access to the role you are creating.
- You have already created, in vCenter Server, the users and groups to be assigned to this role, and they have access to the Cisco Nexus 1000V DVS folder where the VSM resides. See Defining DVS Access in vSphere Client.
- You have enabled the port profile role feature. See Enabling the Port Profile Role Feature.
- You have identified the characteristics needed for this role.
1. switch# configure terminal
2. switch(config)# port-profile-role role-name
3. (Optional) switch(config-port-prof-role)# description role-description
4. (Optional) switch(config-port-prof-role)# show port-profile-role users
5. (Optional) switch(config-port-prof-role)# user user-name or switch(config-port-prof-role)# group group-name, repeated for each user or group
6. switch(config-port-prof-role)# exit
7. switch(config)# port-profile profile-name
8. switch(config-port-prof)# assign port-profile-role role-name
9. (Optional) switch(config-port-prof)# show port-profile-role [name role-name]
10. (Optional) switch(config-port-prof)# copy running-config startup-config
DETAILED STEPS
Step | Command or Action | Purpose
---|---|---
Step 1 | switch# configure terminal | Enters global configuration mode.
Step 2 | switch(config)# port-profile-role role-name | Enters port profile role configuration mode for the named role. If the role does not already exist, it is created.
Step 3 | switch(config-port-prof-role)# description role-description | (Optional) Adds a description of up to 32 characters to the role. This description is automatically pushed to vCenter Server.
Step 4 | switch(config-port-prof-role)# show port-profile-role users | (Optional) Displays all the users on vCenter Server who have access to the DVS parent folder and who can be assigned to the role.
Step 5 | switch(config-port-prof-role)# user user-name or switch(config-port-prof-role)# group group-name | (Optional) Adds a vCenter Server user or group to the role. Repeat for each user or group; a role can hold a total of 16 users and groups.
Step 6 | switch(config-port-prof-role)# exit | Exits port-profile-role configuration mode and returns you to global configuration mode.
Step 7 | switch(config)# port-profile profile-name | Enters port profile configuration mode for the named port profile.
Step 8 | switch(config-port-prof)# assign port-profile-role role-name | Assigns the role to a port profile. The port group is updated in vCenter Server and the users or groups assigned to this role are granted access. They can then assign the port group to a vNIC in a virtual machine or to a vswif or vmknic interface on a host.
Step 9 | switch(config-port-prof)# show port-profile-role [name role-name] | (Optional) Displays the role configuration for verification.
Step 10 | switch(config-port-prof)# copy running-config startup-config | (Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.
This example shows how to define access for the allaccess2 port profile by creating and assigning the adminUser port profile role.
```
switch# configure terminal
switch(config)# port-profile-role adminUser
switch(config-port-prof-role)# description adminOnly
switch(config-port-prof-role)# user hdbaar
switch(config-port-prof-role)# exit
switch(config)# port-profile allaccess2
switch(config-port-prof)# assign port-profile-role adminUser
switch(config-port-prof)# show port-profile-role name adminUser
Name: adminUser
Description: adminOnly
Users: hdbaar (user)
Assigned port-profiles: allaccess2
switch(config-port-prof)# copy running-config startup-config
```
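The following Python script is an added example and is not part of the Cisco documentation or the Nexus 1000V software. It audits a running-config excerpt offline against the model described in this chapter: every port profile without an assigned role is visible to every user who has access to the DVS folder, a role may hold at most 16 users and groups, a VSM may hold at most 256 roles, and a role cannot be removed while port profiles still reference it. The config format is assumed to mirror the CLI lines shown on this page (`port-profile-role`, `user`, `assign port-profile-role`); the `group` keyword, the sample config and all names in it are constructed for the example.

```python
"""Offline audit of Nexus 1000V port-profile-role configuration (example only)."""
import re
from collections import OrderedDict

MAX_ROLES_PER_VSM = 256      # guideline stated in this chapter
MAX_MEMBERS_PER_ROLE = 16    # users plus groups per role, from this chapter

# Constructed sample running-config; every name here is illustrative.
SAMPLE_CONFIG = """\
feature port-profile-role
port-profile-role adminUser
  description adminOnly
  user hdbaar
port-profile-role tenantA
  user alice
  group tenantA-admins
port-profile type vethernet allaccess2
  vmware port-group
  assign port-profile-role adminUser
  state enabled
port-profile type vethernet tenantA-vlan10
  assign port-profile-role tenantA
port-profile type vethernet mgmt-unrestricted
  vmware port-group
port-profile type vethernet orphan
  assign port-profile-role retiredRole
"""

ROLE_RE = re.compile(r"^port-profile-role (\S+)$")
PROFILE_RE = re.compile(r"^port-profile (?:type (?:ethernet|vethernet) )?(\S+)$")
MEMBER_RE = re.compile(r"^(user|group) (\S+)$")   # 'group' keyword is assumed
ASSIGN_RE = re.compile(r"^assign port-profile-role (\S+)$")


def parse_config(text):
    """Return (feature_enabled, roles, profiles).

    roles maps role name -> list of (kind, member) tuples;
    profiles maps port-profile name -> assigned role name, or None.
    """
    feature_enabled = False
    roles, profiles = OrderedDict(), OrderedDict()
    current = None  # ("role", name) or ("profile", name) while inside a block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "feature port-profile-role":
            feature_enabled, current = True, None
            continue
        m = ROLE_RE.match(line)
        if m:
            roles.setdefault(m.group(1), [])
            current = ("role", m.group(1))
            continue
        m = PROFILE_RE.match(line)
        if m:
            profiles.setdefault(m.group(1), None)
            current = ("profile", m.group(1))
            continue
        if current is None:
            continue
        kind, name = current
        if kind == "role":
            m = MEMBER_RE.match(line)
            if m:
                roles[name].append((m.group(1), m.group(2)))
        else:
            m = ASSIGN_RE.match(line)
            if m:
                profiles[name] = m.group(1)
    return feature_enabled, roles, profiles


def audit(text):
    """Return a list of human-readable findings for the config text."""
    feature_enabled, roles, profiles = parse_config(text)
    findings = []
    if not feature_enabled:
        findings.append("feature port-profile-role is not enabled; roles cannot be used")
    if len(roles) > MAX_ROLES_PER_VSM:
        findings.append(f"{len(roles)} roles exceed the limit of {MAX_ROLES_PER_VSM}")
    for role, members in roles.items():
        if len(members) > MAX_MEMBERS_PER_ROLE:
            findings.append(f"role {role} has {len(members)} members (limit {MAX_MEMBERS_PER_ROLE})")
    for profile, role in profiles.items():
        if role is None:
            findings.append(f"port-profile {profile} has no role: visible to every DVS user")
        elif role not in roles:
            findings.append(f"port-profile {profile} references undefined role {role}")
    return findings


def profiles_assigned_to(text, role):
    """Port profiles still referencing role; unassign these before 'no port-profile-role'."""
    _, _, profiles = parse_config(text)
    return [p for p, r in profiles.items() if r == role]


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
    print("still assigned to adminUser:", profiles_assigned_to(SAMPLE_CONFIG, "adminUser"))
```

Run it against the output of `show running-config` saved to a file; `audit` lists the port profiles whose visibility is unrestricted and any dangling role references, and `profiles_assigned_to` gives the list of port profiles that must be unassigned before a role can be removed with `no port-profile-role`.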
Removing a Port Profile Role
You can use this procedure to remove a role that was used for restricting port profile visibility on vCenter Server.
1. (Optional) switch# show port-profile-role [name role-name]
2. switch# configure terminal
3. switch(config)# port-profile [type {ethernet | vethernet}] name
4. switch(config-port-prof)# no assign port-profile-role role-name
5. switch(config-port-prof)# exit
6. switch(config)# no port-profile-role role-name
7. (Optional) switch# show port-profile-role [name role-name]
8. (Optional) switch(config)# copy running-config startup-config
DETAILED STEPS
Step | Command or Action | Purpose
---|---|---
Step 1 | switch# show port-profile-role [name role-name] | (Optional) Displays the port profile role, including any port profiles assigned to it. If port profiles are assigned to the role, they must be unassigned before you can remove the role.
Step 2 | switch# configure terminal | Enters global configuration mode.
Step 3 | switch(config)# port-profile [type {ethernet or vethernet}] name | Enters port profile configuration mode for the named port profile. If the port profile does not already exist, it is created.
Step 4 | switch(config-port-prof)# no assign port-profile-role role-name | Removes the role from the port profile. The port group is updated in vCenter Server.
Step 5 | switch(config-port-prof)# exit | Exits port-profile configuration mode and returns you to global configuration mode.
Step 6 | switch(config)# no port-profile-role role-name | Removes the role from the VSM.
Step 7 | switch# show port-profile-role [name role-name] | (Optional) Displays the port profile role for verification. After removal, the role is no longer listed.
Step 8 | switch(config)# copy running-config startup-config | (Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.
This example shows how to remove a port profile role.
```
switch# show port-profile-role name adminUser
Name: adminUser
Description: adminOnly
Users: hdbaar (user)
Assigned port-profiles: allaccess2
switch# configure terminal
switch(config)# port-profile allaccess2
switch(config-port-prof)# no assign port-profile-role adminUser
switch(config-port-prof)# exit
switch(config)# no port-profile-role adminUser
switch(config)# show port-profile-role name adminUser
switch(config)# copy running-config startup-config
switch(config)#
```
Feature History for Restricting Port Profile Visibility
This section provides the feature history for restricting port profile visibility.
Feature Name | Releases | Feature Information
---|---|---
Restricting Port Profile Visibility | 4.2(1)SV1(4) | This feature was introduced.