Restricting Port Profile Visibility

Information About Restricting Port Profile Visibility

Information About Port Profile Visibility

You can restrict which VMware vCenter users or user groups have visibility into specific port groups on the Cisco Nexus 1000V.

Before you can restrict the visibility of a port group, the server administrator must define which VMware vCenter users and user groups have access to the Cisco Nexus 1000V DVS top level folder in VMware vCenter Server. Once this is done, the network administrator can further define the visibility of specific port groups on the VSM. This configuration on the VSM is then published to the VMware vCenter Server so that access to specific port groups is restricted.

Information About Allow Groups or Users

You can save the time of defining access on the VSM per user by, instead, adding new users to groups in VMware vCenter where access is already defined. Group members defined in VMware vCenter automatically gain access to the port groups defined for the group.

You can see in the following figure the relationship between users and groups in vCenter Server and port profiles and port profile roles in Cisco Nexus 1000V.
Figure 1. Port Profile Visibility: User, Groups, Roles, and Port Profiles



Guidelines and Limitations for Restricting Port Profile Visibility

  • The server administrator must not propagate access from the DVS folder down to lower folders (the Propagate to Child Objects check box stays unchecked). Instead, port group access is defined by the network administrator on the VSM and then published to the VMware vCenter Server.
  • The Cisco Nexus 1000V VSM must be connected to the VMware vCenter Server before port profile roles are created or assigned. If this connection is not in place when port profile visibility is changed on the VSM, the change is not published to VMware vCenter Server and the port group visibility there is not affected.
  • The following are guidelines for port profile roles on the VSM:
    • You cannot remove a port profile role if a port profile is assigned to it. You must first remove the role from the port profile.
    • Multiple users and groups can be assigned to a role.
    • Only one role can be assigned to a port profile.
    • A role can be assigned to multiple port profiles.
  • You can define up to 256 port-profile-roles per VSM.
  • You can define a total of 16 users and groups per role.

Defining DVS Access in vSphere Client

The server administrator can use this procedure to allow access to the top level Cisco Nexus 1000V DVS folder in vSphere client.

Before You Begin
  • You are logged in to the vSphere Client.
  • You know which users or groups need access to the DVS.
  • This procedure defines who can access the Cisco Nexus 1000V DVS. Access to individual port groups is configured on the VSM; see Restricting Port Profile Visibility on the VSM.
SUMMARY STEPS

    1.    In the vSphere Client window, do the following:

    2.    In the Select Users and Groups window, do the following:

    3.    In the Assign Permission window, do the following:


DETAILED STEPS
    Step 1   In the vSphere Client window, do the following:
    1. Choose Inventory > Networking.
    2. Choose Add Permission.
    Figure 2. vSphere Client Window



    Step 2   In the Select Users and Groups window, do the following:
    1. Choose the name from the list of users and groups.
    2. Click Add.
    3. Click OK.
    Figure 3. Select Users and Groups Window



    Step 3   In the Assign Permission window, do the following:
    1. From the Assigned Role selection list, choose a role for this user or group.
    2. Make sure that the Propagate to Child Objects check box is unchecked.
    3. Click OK.
    Figure 4. Assign Permissions Window



    The user or group is granted the assigned role on the DVS folder object. In the example shown, user Sean is granted read-only access to the DVS folder object and, through it, to the DVS object.

    Note   

    Do not propagate the role definition here. Access to specific port groups is configured on the VSM and then pushed to vCenter Server.


    The user may now access the top level Cisco Nexus 1000V DVS folder according to the assigned role.


    Note


    To restrict access to specific port groups, see Restricting Port Profile Visibility on the VSM.


    Enabling the Port Profile Role Feature

    Before You Begin

    You are logged in to the CLI in EXEC mode.

    SUMMARY STEPS

      1.    switch# configure terminal

      2.    switch(config)# feature port-profile-role

      3.    (Optional) switch(config)# show feature

      4.    (Optional) switch(config)# copy running-config startup-config


    DETAILED STEPS
        Command or Action Purpose
      Step 1 switch# configure terminal 

      Enters global configuration mode.

       
      Step 2 switch(config)# feature port-profile-role  

      Enables the port profile roles feature to restrict user and group access.

       
      Step 3 switch(config)# show feature   (Optional)

      Displays the features on the VSM and their state so that you can verify that port-profile-roles is enabled.

       
      Step 4 switch(config)# copy running-config startup-config  (Optional)

      Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

       

      The following example shows how to enable the port profile role feature.

      switch# configure terminal
      switch(config)# feature port-profile-role
      switch(config)# show feature
      Feature Name          Instance  State   
      --------------------  --------  --------
      dhcp-snooping         1         enabled 
      http-server           1         enabled 
      ippool                1         enabled 
      lacp                  1         enabled 
      lisp                  1         enabled 
      lisphelper            1         enabled 
      netflow               1         disabled
      port-profile-roles    1         enabled 
      private-vlan          1         disabled
      sshServer             1         enabled 
      tacacs                1         enabled 
      telnetServer          1         enabled 
      switch(config)# copy running-config startup-config

      Restricting Port Profile Visibility on the VSM

      The network administrator can use this procedure to create a role for restricting port profile visibility on the VSM which is then pushed to vCenter Server.

      Before You Begin
      • You are logged in to the CLI in EXEC mode.
      • You know which users or groups should have access to the role you are creating.
      • You have already created, in vCenter Server, the users and groups to be assigned to this role, and they have access to the Cisco Nexus 1000V DVS folder where the VSM resides. See Defining DVS Access in vSphere Client.
      • You have enabled the port profile role feature. See Enabling the Port Profile Role Feature.
      • You have identified the characteristics needed for this role:
        • role name
        • role description
        • users to assign
        • groups to assign
        • port profile to assign
      SUMMARY STEPS

        1.    switch# configure terminal

        2.    switch(config)# port-profile-role role-name

        3.    (Optional) switch(config-port-prof-role)# description role-description

        4.    (Optional) switch(config-port-prof-role)# show port-profile-role users

        5.    (Optional) Assign one or more users or groups to the role.

        6.    switch(config-port-prof-role)# exit

        7.    switch(config)# port-profile profile-name

        8.    switch(config-port-prof)# assign port-profile-role role-name

        9.    (Optional) switch(config-port-prof)# show port-profile-role [name role-name]

        10.    (Optional) switch(config-port-prof)# copy running-config startup-config


      DETAILED STEPS
          Command or Action Purpose
        Step 1 switch# configure terminal 

        Enters global configuration mode.

         
        Step 2 switch(config)# port-profile-role role-name 

        Enters port profile role configuration mode for the named role. If the role does not already exist, it is created with the following characteristic:

        • role-name—The role name can be up to 32 characters and must be unique for each role on the Cisco Nexus 1000V.
         
        Step 3 switch(config-port-prof-role)# description role-description   (Optional)

        Adds a description of up to 32 characters to the role. This description is automatically pushed to vCenter Server.

         
        Step 4 switch(config-port-prof-role)# show port-profile-role users  (Optional)

        Displays all the users on vCenter Server who have access to the DVS parent folder and who can be assigned to the role.

         
        Step 5 Assign one or more users or groups to the role.  (Optional)
        Assigns a user or a group to the role. The user or group gains the ability to use all port profiles assigned to the role.
        • switch(config-port-prof-role)# user user-name
        • switch(config-port-prof-role)# group group-name
        Note   

        Multiple users and groups can be assigned to a role.

        The users and groups must exist on vCenter server and must have access to the top level Cisco Nexus 1000V DVS folder in vSphere client. For more information, see the Defining DVS Access in vSphere Client.

         
        Step 6 switch(config-port-prof-role)# exit 

        Exits port-profile-role configuration mode and returns you to global configuration mode.

         
        Step 7 switch(config)# port-profile profile-name 

        Enters port profile configuration mode for the named port profile.

         
        Step 8 switch(config-port-prof)# assign port-profile-role role-name 

        Assigns the role to a port profile. The port group is updated in vCenter Server and the user or group assigned to this role is granted access. The user or group can assign the port group to a vNIC in a virtual machine or vSWIF or vMKNIC on a host.

        Note   

        Only one role can be assigned to a port profile.

        A role can be assigned to multiple port profiles.

         
        Step 9 switch(config-port-prof)# show port-profile-role [name role-name]   (Optional)

        Displays the configuration for verification.

         
        Step 10 switch(config-port-prof)# copy running-config startup-config  (Optional)

        Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

         

        This example shows how to define access for the allaccess2 port profile by creating and assigning the adminUser port profile role.

        switch# configure terminal
        switch(config)# port-profile-role adminUser
        switch(config-port-prof-role)# description adminOnly
        switch(config-port-prof-role)# user hdbaar
        switch(config-port-prof-role)# exit
        switch(config)# port-profile allaccess2
        switch(config-port-prof)# assign port-profile-role adminUser
        switch(config-port-prof)# show port-profile-role name adminUser
        
        Name: adminUser
        Description: adminOnly
        Users:
            hdbaar (user)
        Assigned port-profiles:
            allaccess2
        switch(config-port-prof)# copy running-config startup-config

        Removing a Port Profile Role

        You can use this procedure to remove a role that was used for restricting port profile visibility on vCenter Server.

        Before You Begin
        • You are logged in to the CLI in EXEC mode.
        • You cannot remove a port profile role if a port profile is assigned to it. You must first remove the role from the port profile. This procedure includes a step for doing this.
        SUMMARY STEPS

          1.    (Optional) switch# show port-profile-role [name role-name]

          2.    switch# configure terminal

          3.    switch(config)# port-profile [type {ethernet | vethernet}] name

          4.    switch(config-port-prof)# no assign port-profile-role role-name

          5.    switch(config-port-prof)# exit

          6.    switch(config)# no port-profile-role role-name

          7.    (Optional) switch(config)# show port-profile-role [name role-name]

          8.    (Optional) switch(config)# copy running-config startup-config


        DETAILED STEPS
            Command or Action Purpose
          Step 1 switch# show port-profile-role [name role-name]   (Optional)

          Displays the port profile role including any port profiles assigned to it. If there are port profiles assigned to the role, they must be removed before you can remove the role.

           
          Step 2 switch# configure terminal 

          Enters global configuration mode.

           
          Step 3 switch(config)# port-profile [type {ethernet | vethernet}] name 

          Enters port profile configuration mode for the named port profile. Use the exact name of the port profile to which the role is assigned (as listed under Assigned port-profiles in Step 1); if the port profile does not already exist, it is created using the following characteristics:

          • name—The port profile name can be up to 80 characters and must be unique for each port profile on the Cisco Nexus 1000V.
          • type—(Optional) The port profile type can be Ethernet or vEthernet. Once configured, the type cannot be changed. The default is the vEthernet type. Defining a port profile type as Ethernet allows the port profile to be used for physical (Ethernet) ports. In the vCenter Server, the corresponding port group can be selected and assigned to physical ports (PNICs).
            Note   

            If a port profile is configured as an Ethernet type, then it cannot be used to configure VMware virtual ports.

           
          Step 4 switch(config-port-prof)# no assign port-profile-role role-name 

          Removes the role from the port profile. The port group is updated in vCenter Server.

           
          Step 5 switch(config-port-prof)# exit 

          Exits port-profile configuration mode and returns you to global configuration mode.

           
          Step 6 switch(config)# no port-profile-role role-name 

          Removes the role from the VSM.

           
          Step 7 switch(config)# show port-profile-role [name role-name]   (Optional)

          Verifies that the role has been removed. The role should no longer appear in the output; in the example that follows, the command returns nothing for the removed role.

           
          Step 8 switch(config)# copy running-config startup-config  (Optional)

          Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

           

          This example shows how to remove a port profile role.

          switch# show port-profile-role name adminUser
          Name: adminUser
          Description: adminOnly
          Users:
              hdbaar (user)
          Assigned port-profiles:
              allaccess2
          switch# configure terminal
          switch(config)# port-profile allaccess2
          switch(config-port-prof)# no assign port-profile-role adminUser
          switch(config-port-prof)# exit
          switch(config)# no port-profile-role adminUser
          switch(config)# show port-profile-role name adminUser
          switch(config)# copy running-config startup-config
          switch(config)# 
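          The following Python script is an added example; it is not code from the Cisco documentation or from the Nexus 1000V software. It parses `show port-profile-role` output in the format shown in the two examples above, checks the parsed roles against the guidelines for this feature (at most 256 roles per VSM, at most 16 users and groups per role, only one role per port profile), and prints the CLI sequence that the removal procedure requires, unassigning the role from every port profile before `no port-profile-role`. Two details are assumptions not confirmed by this page: that several roles are listed one after another, each block starting with "Name:", and that group members are tagged "(group)" in the same way that users are tagged "(user)". The sample output embedded in the script is constructed; its first block copies the adminUser example above and its second block is invented.

```python
"""Audit the output of `show port-profile-role` on a Cisco Nexus 1000V VSM.

Added example, not code from the Cisco documentation or the Nexus 1000V.
It parses the role listing (Name / Description / Users / Assigned
port-profiles), checks it against the chapter's guidelines, and prints the
CLI sequence the removal procedure requires.

Assumptions not confirmed by the page: when several roles are listed, each
block starts with "Name:", and group members are tagged "(group)" in the
same way that users are tagged "(user)".
"""
import re
from dataclasses import dataclass, field

MAX_ROLES_PER_VSM = 256      # guideline: up to 256 port-profile-roles per VSM
MAX_MEMBERS_PER_ROLE = 16    # guideline: a total of 16 users and groups per role

# One member line, e.g. "    hdbaar (user)"; the "(group)" tag is an assumption.
MEMBER_RE = re.compile(r"^\s*(\S+)\s+\((user|group)\)\s*$")


@dataclass
class PortProfileRole:
    name: str
    description: str = ""
    members: list = field(default_factory=list)        # (principal, "user" | "group")
    port_profiles: list = field(default_factory=list)  # port profiles assigned this role


def parse_port_profile_roles(text):
    """Return {role name: PortProfileRole} parsed from `show port-profile-role` output."""
    roles, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Name:"):
            current = PortProfileRole(name=line.split(":", 1)[1].strip())
            roles[current.name] = current
            section = None
        elif current is None:
            continue                      # text before the first role block
        elif line.startswith("Description:"):
            current.description = line.split(":", 1)[1].strip()
        elif line.startswith("Users:"):
            section = "members"
        elif line.startswith("Assigned port-profiles:"):
            section = "profiles"
        elif section == "members":
            m = MEMBER_RE.match(line)
            if m:
                current.members.append((m.group(1), m.group(2)))
        elif section == "profiles":
            current.port_profiles.append(line)
    return roles


def check_role_limits(roles):
    """Return the guideline violations found in the parsed roles (empty list if none)."""
    findings = []
    if len(roles) > MAX_ROLES_PER_VSM:
        findings.append(f"{len(roles)} roles defined; the limit is {MAX_ROLES_PER_VSM} per VSM")
    assigned_to = {}                      # port profile -> roles that claim it
    for role in roles.values():
        if len(role.members) > MAX_MEMBERS_PER_ROLE:
            findings.append(f"role {role.name}: {len(role.members)} users/groups; "
                            f"the limit is {MAX_MEMBERS_PER_ROLE}")
        for pp in role.port_profiles:
            assigned_to.setdefault(pp, []).append(role.name)
    for pp, names in assigned_to.items():
        if len(names) > 1:                # only one role may be assigned to a port profile
            findings.append(f"port profile {pp} is assigned to more than one role: {', '.join(names)}")
    return findings


def removal_commands(roles, role_name):
    """CLI lines, in the order the removal procedure requires, to delete a role."""
    role = roles[role_name]               # KeyError if the role is not defined on the VSM
    cmds = ["configure terminal"]
    for pp in role.port_profiles:         # the role must be unassigned everywhere first
        cmds += [f"port-profile {pp}", f"no assign port-profile-role {role_name}", "exit"]
    cmds.append(f"no port-profile-role {role_name}")
    return cmds


# Constructed sample: the first block copies this chapter's adminUser example,
# the second block is invented to show a group member and a second role.
SAMPLE_SHOW_OUTPUT = """\
Name: adminUser
Description: adminOnly
Users:
    hdbaar (user)
Assigned port-profiles:
    allaccess2

Name: webTier
Description: web server admins
Users:
    webadmins (group)
    jdoe (user)
Assigned port-profiles:
    web-vlan10
"""

if __name__ == "__main__":
    roles = parse_port_profile_roles(SAMPLE_SHOW_OUTPUT)
    for line in check_role_limits(roles) or ["no guideline violations found"]:
        print(line)
    print("\n".join(removal_commands(roles, "adminUser")))
```

          To use it against a live VSM, replace SAMPLE_SHOW_OUTPUT with the captured output of `show port-profile-role`; the generated removal sequence is only as complete as the Assigned port-profiles list in that capture, so take the capture immediately before removing the role.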

          Feature History for Restricting Port Profile Visibility

          This section provides the feature history for restricting port profile visibility.

          Feature Name                          Releases       Feature Information
          Restricting Port Profile Visibility   4.2(1)SV1(4)   This feature was introduced.