VMware Cloud Community
kara323
Contributor
Contributor
Jump to solution

Nexus 1000v installation / vCenter user privilege level

Good afternoon,

I had a question about the needed privilege regarding the installation of a Nexus 1000v.

Last week we were installing last version of Nexus1000v switch on ESXi 5.0.0 Releasebuild-721882.

After a first installation we noticed we could not establish the connection between the Nexus1000v and the vCenter [Error message => vCenter Extension key was not registered before its use].

The key was present on the Nexus 1000v but was not registred under the vCenter MOB (Extension manager).

We had to increase the privilege level of the service account (to vCenter admin) and re-install to get the extension key registred.

Cisco says we need to use vCenter user with administrator-level privileges to install the Nexus 1000v, but please find my questions :

1/ Is it possible to install a Nexus 1000v with "Datacenter" admin privilege (not vCenter admin). In general, what is the minimum possible privilege level to install a Nexus 1000v ? 

2/ Once the privilege increased to vCenter admin and the install done, is it possible to decrease it back to a lower level privilege without impacting the Nexus 1000v ?

I am a network guy, not a server guy sorry if I am not clear in my questions 🙂

Thanks in advance for your answers.

Regards.

Kara

Tags (3)
Reply
0 Kudos
1 Solution

Accepted Solutions
lwatta
Hot Shot
Hot Shot
Jump to solution

You cannot change the privilege level after the initial connection. It needs to stay at the same priv level.

One of the things to keep in mind is that there is a constant back and forth between the VSM and vCenter. We are pulling and pushing data into vcenter. Everytime a VM vmotions, gets powered on, destroyed, or modified requires communication between the VSM and vCenter.

louis

View solution in original post

Reply
0 Kudos
3 Replies
lwatta
Hot Shot
Hot Shot
Jump to solution

You cannot change the privilege level after the initial connection. It needs to stay at the same priv level.

One of the things to keep in mind is that there is a constant back and forth between the VSM and vCenter. We are pulling and pushing data into vcenter. Everytime a VM vmotions, gets powered on, destroyed, or modified requires communication between the VSM and vCenter.

louis

Reply
0 Kudos
gary1012
Expert
Expert
Jump to solution

This doesn't answer your question directly, but I'll throw it out there anyways. The way my shop handles this is that the VMware admins will install the VSM including answering the OVA questions (hostname, IP, subnet mask, domain ID, etc.), and then work with the network admins to do the plug-in registration and svs conn. Once this is initial config is done, our network admins are granted permissions slightly above read-only so that they can see if the VSM is powered up, the NICs are in the right port-profiles/network labels, and to interact with the console.

This arrangement has worked well for us as after the initial config, the network admin requires very little interaction with the appliance hardware. Most of their post-install customization/maintenance is performed via telnet/ssh. Occassionally the virtualization admins must get involved when/if the network admin needs deeper inspection of the appliance itself.

Community Supported, Community Rewarded - Please consider marking questions answered and awarding points to the correct post. It helps us all.
kara323
Contributor
Contributor
Jump to solution

Hello Louis & Gary,

Thank you very much for your answers. I appreciate.

My question was specifically related to the vCenter crendentials to enter after lauching the java tool during the installation process (‘VC connection’).

http://www.cisco.com/en/US/i/300001-400000/330001-340000/331001-332000/331957.jpg

I know understand that :

1/ For the VC connection establishment we cannot use a Vcenter with a privilege level OTHER than administrator-level.

2/ Once the installation finished we cannot change this level. We need to keep this admin privilege level because it is needed for the opaque data to be exchanged between the VSM<->vCenter<->VEM.

And yes, we have indeed asked to be given a vCenter account with some read-only privileges which can help us in case of verification/troubleshooting tasks.

PS: Louis, now that I have asked a question, may I have my 16Gb USB key : -))     [ I have watched your great presentation on Cisco live website…thanks for that]

Thanks again to both of you.

Cheers.

Kara

Reply
0 Kudos