Shell Access

Cisco Nexus switches support access to the Bourne-Again SHell (Bash). Bash interprets commands that you enter or commands that are read from a shell script. Using bash gives you access to the underlying Linux system on the device and lets you manage that system.

Access to the bash shell and Linux is controlled via feature enablement on the Nexus platform. You must explicitly enable feature bash-shell to gain access to bash as user admin, which is by default part of the dev-ops role on the switch.

  n9k-sw-1# show role name dev-ops

  Role: dev-ops
  Description: Predefined system role for devops access. This role cannot be modified.

  Rule  Perm    Type     Scope  Entity
  6     permit  command         conf t ; username *
  5     permit  command         attach module *
  4     permit  command         slot *
  3     permit  command         bcm module *
  2     permit  command         run bash *
  1     permit  command         python *

Enabling and Accessing Bash

  n9k-sw-1(config)# do show feature | grep bash  
  bash-shell             1          disabled  
  n9k-sw-1(config)# feature bash-shell  
  n9k-sw-1(config)# do show feature | grep bash  
  bash-shell             1          enabled  

  n9k-sw-1# run bash  
  bash-4.2$ id  
  uid=2002(admin) gid=503(network-admin) groups=503(network-admin)  

By default you are still user admin. To install third-party agents on the switch, you must be root: either use sudo to run the installation as root so the agent can be installed in the filesystem, or authenticate as root within bash using su - root.

  bash-4.2$ yum install puppet
  Loaded plugins: downloadonly, importpubkey, localrpmDB, patchaction, patching,
                : protect-packages
  You need to be root to perform this command.

Other capabilities available within bash are covered in the other sections of this chapter, such as manipulating, configuring and monitoring the switch in Linux, and agent installation. Refer to these specific sections for further information.

From within bash, you can also execute NX-OS commands using our virtual shell utility (vsh). This lets you use bash utilities (sed, grep, awk) to parse command output and format it as needed.

Virtual Shell Utility Example - Provisioning a New Tenant on the Network

Ensure the following features are enabled on the switch for this particular example:

  n93k-sw-1# show feature | include bash  
  bash-shell             1          enabled  
  n93k-sw-1# show feature | include interface-vlan  
  interface-vlan         1          enabled  
Go to bash shell:

  n93k-sw-1# run bash

Switch to user root:

  bash-4.2$ su - root
  Password:

Switch to management namespace in Linux:

  root@n93k-sw-1#ip netns exec management bash

Verify current configuration of tenant interface eth2/4:

  root@n93k-sw-1#vsh -c "show interface Eth2/4 brief"
  Ethernet Interface  VLAN  Type  Mode    Status  Reason  Speed   Port Ch #
  Eth2/4              1     eth   access  up      none    40G(D)  --

Configure tenant VLAN 200 and its SVI, and assign the tenant port to the VLAN:

  root@n93k-sw-1#vsh -c "config terminal ; vlan 200 ; name TenantA ; exit"
  root@n93k-sw-1#vsh -c "config terminal ; interface vlan 200 ; no shutdown ; exit"
  root@n93k-sw-1#vsh -c "configure terminal ; interface eth2/4 ; switchport access vlan 200 ; no shutdown"

Verify tenant is configured correctly in the network:

  root@n93k-sw-1#vsh -c "show running-config interface Eth2/4"
  !Command: show running-config interface Ethernet2/4
  version 7.0(3)I2(1)
  interface Ethernet2/4
  switchport access vlan 200
  root@n93k-sw-1#vsh -c "show interface vlan 200 brief"
  Interface  Secondary VLAN(Type)  Status  Reason
  Vlan200    --                    up      --

The capabilities depicted above are simple examples to illustrate the flexibility of using bash for automation. These types of functions/examples could be combined and built into a bash-developed monitoring "agent" for your switch. For specifics on making agents/processes persistent in the native Linux shell, refer to the Custom Developed Applications section of the document.
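
The same vsh-plus-awk pattern can be pointed at the access controls this section opens with. The script below is an added example, not code from this guide: it reads "show feature" and "show role name dev-ops" through vsh -c and reports whether bash-shell is enabled and which role rules permit run bash or python. It assumes the column layout shown in the transcripts above; the function names and the sample output (used when vsh is not on the PATH) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): audit Bash exposure on a Nexus switch.
# Constructed sample output, modelled on the transcripts on this page.
SAMPLE_FEATURE='bash-shell             1          enabled
interface-vlan         1          enabled'
SAMPLE_ROLE='Role: dev-ops
Rule Perm Type Scope Entity
6 permit command conf t ; username *
5 permit command attach module *
2 permit command run bash *
1 permit command python *'

# Run an NX-OS command through vsh on a switch; elsewhere fall back to the samples.
nxos_cmd() {
  if command -v vsh >/dev/null 2>&1; then
    vsh -c "$1"
  else
    case "$1" in
      "show feature") printf '%s\n' "$SAMPLE_FEATURE" ;;
      "show role name "*) printf '%s\n' "$SAMPLE_ROLE" ;;
    esac
  fi
}

# Read "show feature" output; print the bash-shell state, or "absent" if unlisted.
bash_feature_state() {
  awk '$1 == "bash-shell" { print $NF; found = 1 }
       END { if (!found) print "absent" }'
}

# Read "show role name" output; print "rule:entity" for rules granting a shell.
shell_rules() {
  awk '$2 == "permit" && $3 == "command" {
         entity = $4; for (i = 5; i <= NF; i++) entity = entity " " $i
         if (entity ~ /^(run bash|python)( |$)/) print $1 ":" entity
       }'
}

# Report exposure for one role; returns 1 when bash-shell is enabled.
audit_bash_exposure() {
  state=$(nxos_cmd "show feature" | bash_feature_state)
  echo "feature bash-shell: $state"
  nxos_cmd "show role name $1" | shell_rules | while IFS=: read -r rule entity; do
    echo "role $1 rule $rule permits: $entity"
  done
  [ "$state" != "enabled" ]
}

audit_bash_exposure dev-ops || echo "review who holds this role"
```

The non-zero return from audit_bash_exposure makes the check usable from a scheduled job that alerts when bash-shell is found enabled on a switch where it is not expected.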