Rule Changes Between SAN-OS Release 3.3(1c) and NX-OS Release 4.2(1a) Affect Role Behavior
The rules that can be configured for roles were modified between SAN-OS Release 3.3(1c) and NX-OS
Release 4.2(1a). As a result, roles do not behave as expected following an upgrade from SAN-OS Release
3.3(1c) to NX-OS Release 4.2(1a). Manual configuration changes are required to restore the desired behavior.
Rule 4 and Rule 3: after the upgrade, exec and feature are removed. Change rule 4 and rule 3 as follows:
SAN-OS Release 3.3(1c) Rule                NX-OS Release 4.2(1a), Set the Rule to:
rule 4 permit exec feature debug           rule 4 permit debug
rule 3 permit exec feature clear           rule 3 permit clear
Rule 2: after the upgrade, exec feature license is obsolete.
SAN-OS Release 3.3(1c) Rule                NX-OS Release 4.2(1a) Rule
rule 2 permit exec feature debug           Not available in Release 4.2(1).
Rule 9, Rule 8, and Rule 7: after the upgrade, you need to have the feature enabled to configure it. In SAN-OS
Release 3.3(1c), you could configure a feature without enabling it.
SAN-OS Release 3.3(1c) Rule                NX-OS Release 4.2(1a), to Preserve the Rule:
rule 9 deny config feature telnet          Not available in Release 4.2(1) and cannot be used.
rule 8 deny config feature tacacs-server   During the upgrade, enable the feature to preserve the rule; otherwise, the rule disappears.
rule 7 deny config feature tacacs+         During the upgrade, enable the feature to preserve the rule; otherwise, the rule disappears.
Modifying Profiles
To modify the profile for an existing role, follow these steps:
Procedure
Step 1
switch# configure terminal
Enters configuration mode.
Step 2
switch(config)# role name sangroup
switch(config-role)#
Places you in role configuration submode for the existing role sangroup.
Step 3
switch(config-role)# rule 1 permit config
switch(config-role)# rule 2 deny config feature fspf
switch(config-role)# rule 3 permit debug feature zone
switch(config-role)# rule 4 permit exec feature fcping
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
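As a pre-upgrade check for the rule changes between SAN-OS Release 3.3(1c) and NX-OS Release 4.2(1a) described in this section, the following added example (not Cisco's code) scans a saved SAN-OS configuration and flags the role rules those changes cover. It assumes role blocks are laid out as `role name <name>` followed by indented `rule` lines, matches on operation and feature regardless of permit or deny, and treats `exec feature license` as the obsolete case named in the text; the role `netops`, the status labels and the function name are hypothetical.

```python
import re

# (operation, feature) in a SAN-OS 3.3(1c) rule -> (status, replacement operation),
# taken from the rule changes listed in this section. Status labels are hypothetical.
UPGRADE_NOTES = {
    ("exec", "debug"): ("rewrite", "debug"),
    ("exec", "clear"): ("rewrite", "clear"),
    ("exec", "license"): ("obsolete", None),
    ("config", "telnet"): ("unavailable", None),
    ("config", "tacacs-server"): ("enable-feature-first", None),
    ("config", "tacacs+"): ("enable-feature-first", None),
}
ROLE_RE = re.compile(r"^role name\s+(\S+)\s*$")
RULE_RE = re.compile(r"^\s+rule\s+(\d+)\s+(permit|deny)\s+(\S+)(?:\s+feature\s+(\S+))?\s*$")

# Constructed sample of a saved configuration; "netops" is a hypothetical role.
SAMPLE_CONFIG = """\
role name sangroup
  rule 4 permit exec feature debug
  rule 3 permit exec feature clear
  rule 2 permit exec feature license
  rule 1 permit show
role name netops
  rule 9 deny config feature telnet
  rule 8 deny config feature tacacs-server
  rule 7 deny config feature tacacs+
"""

def audit_roles(config_text):
    """Return (role, rule number, status, suggested rule or None) for each affected rule."""
    findings, role = [], None
    for line in config_text.splitlines():
        if line and not line[0].isspace():
            # A non-indented line starts a new top-level block; only role blocks carry rules.
            m = ROLE_RE.match(line)
            role = m.group(1) if m else None
            continue
        m = RULE_RE.match(line)
        note = UPGRADE_NOTES.get((m.group(3), m.group(4))) if m and role else None
        if note:
            suggestion = f"rule {m.group(1)} {m.group(2)} {note[1]}" if note[1] else None
            findings.append((role, int(m.group(1)), note[0], suggestion))
    return findings

if __name__ == "__main__":
    for finding in audit_roles(SAMPLE_CONFIG):
        print(finding)
```

Rules reported as `enable-feature-first` or `unavailable` are deny rules in the sample, so they are the ones to review first: a deny rule that disappears during the upgrade leaves the role without that restriction.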
Common Roles