Hi Pico,
(Also, read Chris’s reply.)
Thanks; so, we’re dealing with a Nexus 9k, and basically the same version NX-OS I have running on my N9k. Therefor, cisco-nx is the correct type. In reading further into the details of what you posted, you said rancid was having an issue with the command “system redundancy status”. I checked, and I also don’t have this command:
cumm111-0b05es63# system red?
^
% Invalid command at '^' marker.
cumm111-0b05es63# system red
Then I dug further and I realized you’re talking “show system redundancy status”:
cumm111-0b05es63# show system redundancy status
Redundancy mode
---------------
administrative: HA
operational: None
This supervisor (sup-1)
-----------------------
Redundancy state: Active, SC not present
Supervisor state: Active
Internal state: Active with no standby
Other supervisor (sup-1)
------------------------
Redundancy state: Not present
cumm111-0b05es63#
Since “rule 3 permit command show *” is already included in your role definition, I might suggest this:
1. Log in as a user whose role is “rancid”, run the command, and see what the output is.
2. If you’re having an issue running the command, open a TAC case.
3. If the command runs just fine from the CLI when role=rancid, that’s something for this list.
You can verify the role the account has through the command “show user-account <acct_name>”. there will be a line “roles:<list>” that will show all the roles applied to your account (see yellow highlighting below). Be mindful of other roles the user has; a “deny” statement in one of the other role definitions might possibly cause this.
Also, if there’s a AAA server (RADIUS, Tacacs+, LDAP… possibly Kerberos or AD but I’m not sure those are supported), the AAA server might also have some server-side config blocking successful execution (server-side AAA is how I enforce this kind of policy on rancid).
cumm111-0b05es63# show user-account weylin
user:weylin
roles:network-admin vdc-admin
account created through REMOTE authentication
Credentials such as ssh server key will be cached temporarily only for this user
account
Local login not possible
cumm111-0b05es63#
Weylin
From: Pico Leto <picoleto420@gmail.com>
Date: Monday, February 12, 2018 at 11:39 AM
To: "Gauthier, Chris" <cgauthier@comscore.com>
Cc: Weylin Piegorsch <weylin@bu.edu>, "rancid-discuss@shrubbery.net" <rancid-discuss@shrubbery.net>
Subject: Re: [rancid] Role Privileges for Nexus 9k
Show inventory is below:
sw1# show version | include hassis ; show version | include ersion
cisco Nexus9000 C93108TC-EX chassis
the GNU General Public License (GPL) version 2.0 or
GNU General Public License (GPL) version 3.0 or the GNU
Lesser General Public License (LGPL) Version 2.1 or
Lesser General Public License (LGPL) Version 2.0.
BIOS: version 07.59
NXOS: version 7.0(3)I4(4)
System version: 7.0(3)I5(1)
# show inventory
NAME: "Chassis", DESCR: "Nexus9000 C93108TC-EX chassis"
PID: N9K-C93108TC-EX , VID: V01 , SN: FDO20261CKV
NAME: "Slot 1", DESCR: "48x10GT + 6x40G/100G Ethernet Module"
PID: N9K-C93108TC-EX , VID: V01 , SN: FDO20261CKV
NAME: "Power Supply 1", DESCR: "Nexus9000 C93108TC-EX chassis Power Supply"
PID: NXA-PAC-650W-PE , VID: V01 , SN: LIT20130ZDY
NAME: "Power Supply 2", DESCR: "Nexus9000 C93108TC-EX chassis Power Supply"
PID: NXA-PAC-650W-PE , VID: V01 , SN: LIT20130ZDU
NAME: "Fan 1", DESCR: "Nexus9000 C93108TC-EX chassis Fan Module"
PID: NXA-FAN-30CFM-F , VID: V01 , SN: N/A
NAME: "Fan 2", DESCR: "Nexus9000 C93108TC-EX chassis Fan Module"
PID: NXA-FAN-30CFM-F , VID: V01 , SN: N/A
NAME: "Fan 3", DESCR: "Nexus9000 C93108TC-EX chassis Fan Module"
PID: NXA-FAN-30CFM-F , VID: V01 , SN: N/A
NAME: "Fan 4", DESCR: "Nexus9000 C93108TC-EX chassis Fan Module"
PID: NXA-FAN-30CFM-F , VID: V01 , SN: N/A
On Fri, Feb 9, 2018 at 9:58 AM, Gauthier, Chris <cgauthier@comscore.com<mailto:cgauthier@comscore.com>> wrote:
Or just run “show inventory”
Chris
Gauthier
Senior Network Engineer
|
comScore, Inc.
t +1 (503) 331-2704<tel:(503)%20331-2704>
|
cgauthier@comscore.com<mailto:cgauthier@comscore.com>
317<
https://maps.google.com/?q=317%C2%A0SW%C2%A0Alder%C2%A0Street,%C2%A0Suite%C2%A0700%C2%A0%7C%C2%A0Portland,%C2%A0OR%C2%A097204%C2%A0%C2%A0United%C2%A0States&entry=gmail&source=g> SW<
https://maps.google.com/?q=317%C2%A0SW%C2%A0Alder%C2%A0Street,%C2%A0Suite%C2%A0700%C2%A0%7C%C2%A0Portland,%C2%A0OR%C2%A097204%C2%A0%C2%A0United%C2%A0States&entry=gmail&source=g> Alder<
https://maps.google.com/?q=317%C2%A0SW%C2%A0Alder%C2%A0Street,%C2%A0Suite%C2%A0700%C2%A0%7C%C2%A0Portland,%C2%A0OR%C2%A097204%C2%A0%C2%A0United%C2%A0States&entry=gmail&source=g> Street,<
https://maps.google.com/?q=317%C2%A0SW%C2%A0Alder%C2%A0Street,%C2%A0Suite%C2%A0700%C2%A0%7C%C2%A0Portland,%C2%A0OR%C2%A097204%C2%A0%C2%A0United%C2%A0States&entry=gmail&source=g> Suite<
https://maps.google.com/?q=317%C2%A0SW%C2%A0Alder%C2%A0Street,%C2%A0Suite%C2%A0700%C2%A0%7C%C2%A0Portland,%C2%A0OR%C2%A097204%C2%A0%C2%A0United%C2%A0States&entry=gmail&source=g> 700<
https://maps.google.com/?q=317%C2%A0SW%C2%A0Alder%C2%A0Street,%C2%A0Suite%C2%A0700%C2%A0%7C%C2%A0Portland,%C2%A0OR%C2%A097204%C2%A0%C2%A0United%C2%A0States&entry=gmail&source=g>
|<https://maps.google.com/?q=317%C2%A0SW%C2%A0Alder%C2%A0Street,%C2%A0Suite%C2%A0700%C2%A0%7C%C2%A0Portland,%C2%A0OR%C2%A097204%C2%A0%C2%A0United%C2%A0States&entry=gmail&source=g>
Portland,<
https://maps.google.com/?q=317%C2%A0SW%C2%A0Alder%C2%A0Street,%C2%A0Suite%C2%A0700%C2%A0%7C%C2%A0Portland,%C2%A0OR%C2%A097204%C2%A0%C2%A0United%C2%A0States&entry=gmail&source=g> OR<
https://maps.google.com/?q=317%C2%A0SW%C2%A0Alder%C2%A0Street,%C2%A0Suite%C2%A0700%C2%A0%7C%C2%A0Portland,%C2%A0OR%C2%A097204%C2%A0%C2%A0United%C2%A0States&entry=gmail&source=g> 97204<
https://maps.google.com/?q=317%C2%A0SW%C2%A0Alder%C2%A0Street,%C2%A0Suite%C2%A0700%C2%A0%7C%C2%A0Portland,%C2%A0OR%C2%A097204%C2%A0%C2%A0United%C2%A0States&entry=gmail&source=g>
United<
https://maps.google.com/?q=317%C2%A0SW%C2%A0Alder%C2%A0Street,%C2%A0Suite%C2%A0700%C2%A0%7C%C2%A0Portland,%C2%A0OR%C2%A097204%C2%A0%C2%A0United%C2%A0States&entry=gmail&source=g> States<
https://maps.google.com/?q=317%C2%A0SW%C2%A0Alder%C2%A0Street,%C2%A0Suite%C2%A0700%C2%A0%7C%C2%A0Portland,%C2%A0OR%C2%A097204%C2%A0%C2%A0United%C2%A0States&entry=gmail&source=g>
comscore.com<
http://www.comscore.com/>
???This e-mail (including any attachments) may contain information that is private, confidential, or protected by attorney-client or other privilege. If you received this e-mail in error, please delete it from your system and notify sender.
From: Rancid-discuss <rancid-discuss-bounces@shrubbery.net<mailto:rancid-discuss-bounces@shrubbery.net>> on behalf of "Piegorsch, Weylin William" <weylin@bu.edu<mailto:weylin@bu.edu>>
Date: Thursday, February 8, 2018 at 9:54 PM
To: Pico Leto <picoleto420@gmail.com<mailto:picoleto420@gmail.com>>
Cc: "rancid-discuss@shrubbery.net<mailto:rancid-discuss@shrubbery.net>" <rancid-discuss@shrubbery.net<mailto:rancid-discuss@shrubbery.net>>
Subject: Re: [rancid] Role Privileges for Nexus 9k
If it’s made by Cisco and its running NX-OS, it can’t be an ASR9k:
https://www.cisco.com/c/en/us/products/ios-nx-os-software/nx-os/index.html (The non-advertised thing is that UCS also runs NX-OS under the hood.)
If it’s a “C93108TC-EX”, then it’s likely a Nexus 93108TC-EX:
https://www.cisco.com/c/en/us/support/switches/nexus-93108tc-ex-switch/model.html Are you running it in ACI or NXOS mode? Actually nevermind, 7-point-anything is non-ACI.
To make certain about the hardware type, can you do a “show version | include hassis ; show version | inc ersion” (yes, with those first letters missing to avoid capitalization issues) and send the output? This is what I get one of my ASR 9k:
RP/0/RSP0/CPU0:Comm595-bdr-gw01#show version | include hassis ; show version | include ersion
#sh ver | include hassis
Fri Feb 9 00:36:45.478 EST
ASR-9001 Chassis
#show ver | inc ersion
Fri Feb 9 00:36:53.058 EST
Cisco IOS XR Software, Version 5.3.3[Default]
ROM: System Bootstrap, Version 2.04(20140227:092320) [ASR9K ROMMON],
RP/0/RSP0/CPU0:Comm595-bdr-gw01#
And one of my Nexus 9k:
cumm111-0b05es63# show version | include hassis ; show version | include ersion
cisco Nexus9000 C9372PX chassis
the GNU General Public License (GPL) version 2.0 or
GNU General Public License (GPL) version 3.0 or the GNU
Lesser General Public License (LGPL) Version 2.1 or
Lesser General Public License (LGPL) Version 2.0.
BIOS: version 07.59
NXOS: version 7.0(3)I5(2)
System version: 7.0(3)I5(2)
cumm111-0b05es63#
weylin
From: Pico Leto <picoleto420@gmail.com<mailto:picoleto420@gmail.com>>
Date: Friday, February 9, 2018 at 12:17 AM
To: Weylin Piegorsch <weylin@bu.edu<mailto:weylin@bu.edu>>
Cc: "rancid-discuss@shrubbery.net<mailto:rancid-discuss@shrubbery.net>" <rancid-discuss@shrubbery.net<mailto:rancid-discuss@shrubbery.net>>
Subject: Re: [rancid] Role Privileges for Nexus 9k
Hi,
I'm definitely running NX-OS however running the debug under cisco-xr gives me better results, with the exception that the end of run isn't found
$ rancid -t cisco-xr -d host.xx.
loadtype: device type cisco-xr
loadtype: found device type cisco-xr in /usr/local/rancid/etc/rancid.types.base
executing clogin -t 90 -c"terminal no-timestamp;terminal exec prompt no-timestamp;admin show version;admin show install summary;admin show license udi;admin show license;admin show variables boot;admin show hw-module fpd location all;show redundancy secondary;show install active;admin show env all;dir /all nvram:;dir /all bootflash:;dir /all compactflash:;dir /all compactflasha:;dir /all slot0:;dir /all disk0:;dir /all disk0a:;dir /all slot1:;dir /all disk1:;dir /all disk1a:;dir /all slot2:;dir /all disk2:;dir /all harddisk:;dir /all harddiska:;dir /all harddiskb:;show controllers;admin show diag;admin show inventory raw;show vlan;show debug;show rpl maximum;admin show running;show running-config" host.xx.
PROMPT MATCH: host.xx#
HIT COMMAND:host.xx# terminal no-timestamp
In RunCommand: host.xx# terminal no-timestamp
HIT COMMAND:host.xx# terminal exec prompt no-timestamp
In RunCommand: host.xx# terminal exec prompt no-timestamp
HIT COMMAND:host.xx# admin show version
In ShowVersion: host.xx# admin show version
HIT COMMAND:host.xx# admin show install summary
In ShowInstallSummary: host.xx# admin show install summary
HIT COMMAND:host.xx# admin show license u
In ShowLicense: host.xx# admin show license udi
HIT COMMAND:host.xx# admin show license
In ShowLicense: host.xx# admin show license
HIT COMMAND:host.xx# admin show variables boot
In ShowBootVar: host.xx# admin show variables boot
HIT COMMAND:host.xx# admin show hw-module fpd location all
In ShowRunning: host.xx# admin show hw-module fpd location all
HIT COMMAND:host.xx# show redundancy secondary
In ShowRedundancy: host.xx# show redundancy secondary
HIT COMMAND:host.xx# show install active
In ShowInstallActive: host.xx# show install active
HIT COMMAND:host.xx# admin show env all
In ShowEnv: host.xx# admin show env all
HIT COMMAND:host.xx# dir /all nvram:
In DirSlotN: host.xx# dir /all nvram:
HIT COMMAND:host.xx# dir /all bootflash:
In DirSlotN: host.xx# dir /all bootflash:
HIT COMMAND:host.xx# dir /all compactflash:
In DirSlotN: host.xx# dir /all compactflash:
HIT COMMAND:host.xx# dir /all compactflasha:
In DirSlotN: host.xx# dir /all compactflasha:
HIT COMMAND:host.xx# dir /all slot0:
In DirSlotN: host.xx# dir /all slot0:
HIT COMMAND:host.xx# dir /all disk0:
In DirSlotN: host.xx# dir /all disk0:
HIT COMMAND:host.xx# dir /all disk0a:
In DirSlotN: host.xx# dir /all disk0a:
HIT COMMAND:host.xx# dir /all slot1:
In DirSlotN: host.xx# dir /all slot1:
HIT COMMAND:host.xx# dir /all disk1:
In DirSlotN: host.xx# dir /all disk1:
HIT COMMAND:host.xx# dir /all disk1a:
In DirSlotN: host.xx# dir /all disk1a:
HIT COMMAND:host.xx# dir /all slot2:
In DirSlotN: host.xx# dir /all slot2:
HIT COMMAND:host.xx# dir /all disk2:
In DirSlotN: host.xx# dir /all disk2:
HIT COMMAND:host.xx# dir /all harddisk:
In DirSlotN: host.xx# dir /all harddisk:
HIT COMMAND:host.xx# dir /all harddiska:
In DirSlotN: host.xx# dir /all harddiska:
HIT COMMAND:host.xx# dir /all harddiskb:
In DirSlotN: host.xx# dir /all harddiskb:
HIT COMMAND:host.xx# show controllers
In ShowContAll: host.xx# show controllers
HIT COMMAND:host.xx# admin show diag
In ShowDiag: host.xx# admin show diag
HIT COMMAND:host.xx# admin show inventory raw
In ShowInventory: host.xx# admin show inventory raw
HIT COMMAND:host.xx# show vlan
In ShowVLAN: host.xx# show vlan
HIT COMMAND:host.xx# show debug
In ShowDebug: host.xx# show debug
HIT COMMAND:host.xx# show rpl maximum
In ShowRPL: host.xx# show rpl maximum
HIT COMMAND:host.xx# admin show running
In ShowRunning: host.xx# admin show running
HIT COMMAND:host.xx# show running-config
In WriteTerm: host.xx# show running-config
host.xx.: End of run not found
host.xx.: found_end is false
On Thu, Feb 8, 2018 at 1:33 PM, Piegorsch, Weylin William <weylin@bu.edu<mailto:weylin@bu.edu>> wrote:
Doesn’t ASR9k run IOS XR (rancid type “ios-xr”)? I didn’t think it supported NX-OS. I’ve only seen NX-OS on Nexus (including N9k), MDS, and UCS devices.
weylin
From: Pico Leto <picoleto420@gmail.com<mailto:picoleto420@gmail.com>>
Date: Wednesday, February 7, 2018 at 2:05 PM
To: <rancid-discuss@shrubbery.net<mailto:rancid-discuss@shrubbery.net>>
Subject: [rancid] Role Privileges for Nexus 9k
Hi,
I seem to be having some troubles backing up my configs for a ASR9k (C93108TC-EX) running NXOS 7.0.3.I4.4. My current version of rancid is 3.7
I thought I created the correct role for rancid to run under however my debug seems to end after 'system redundancy status'. The command is actually available however you have to be in config term mode to see the output.
Role: rancid
Description: rancid restricted access
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
4 permit command dir *
3 permit command show *
2 permit command terminal *
1 permit command show running-config
Debug:
rancid -t cisco-nx -d host.xx.xx
loadtype: device type cisco-nx
loadtype: found device type cisco-nx in /usr/local/rancid/etc/rancid.types.base
executing clogin -t 90 -c"term no monitor-force;show version;show version build-info all;show license;show license usage;show license host.xx.xx-id;show system redundancy status;show environment clock;show environment fan;show environment fex all fan;show environment temperature;show environment power;show boot;dir bootflash:;dir debug:;dir logflash:;dir slot0:;dir usb1:;dir usb2:;dir volatile:;show module;show module xbar;show inventory;show vtp status;show vlan;show debug;show cores vdc-all;show processes log vdc-all;show module fex;show fex;show running-config" host.xx.xx
PROMPT MATCH: host.xx#
HIT COMMAND:host.xx# term no monitor-force
In RunCommand: host.xx# term no monitor-force
HIT COMMAND:host.xx# show version
In ShowVersion: host.xx# show version
TYPE = NXOS
HIT COMMAND:host.xx# show version build-info all
In ShowVersionBuild: host.xx# show version build-info all
HIT COMMAND:host.xx# show license
In ShowLicense: host.xx# show license
HIT COMMAND:host.xx# show license usage
In ShowLicense: host.xx# show license usage
HIT COMMAND:host.xx# show license host.xx.xx-id
In ShowLicense: host.xx# show license host.xx.xx-id
HIT COMMAND:host.xx# show system redundancy status
In ShowRedundancy: host.xx# show system redundancy status
host.xx.xx: show system redundancy status failed: -1
host.xx.xx: missed cmd(s): show environment clock, show environment fan, show environment fex all fan, show environment temperature, show environment power, show boot, dir bootflash:, dir debug:, dir logflash:, dir slot0:, dir usb1:, dir usb2:, dir volatile:, show module, show module xbar, show inventory, show vtp status, show vlan, show debug, show cores vdc-all, show processes log vdc-all, show module fex, show fex
host.xx.xx: End of run not found
host.xx.xx: clean_run is false
host.xx.xx: found_end is false