Configuration Cheat-Sheet for IP Switches version 0.6.2

Connecting Via Console Cable

Connect the Male DB-9 Serial Console port to the Male DB-9 Serial Port of a PC using a straight-through cable. The serial communication settings are 9600 Baud, 8 bits, parity none, 1 stop bit, and no flow control.

Using the Command Line Interface

There are three modes: non-privileged, privileged, and configuration. In order to execute commands to configure, reload, upgrade, etc., you must be in privileged mode. For help at any time, press <tab> or <?>. Commands may be abbreviated to the extent that no other command is matched by the abbreviated form. To remove a configuration statement, use “no” in front of it. There is a start-up configuration and a running configuration. To commit changes so they are not lost during a power failure or a reload, issue “write memory”. To view the start-up configuration, type “show configuration”. To view the running configuration, type “show run”.

CLI Navigation Example:
  FES4802> enable
  Password: *********
  FES4802# show run (output not shown)
  FES4802# configure terminal
  FES4802(config)#hostname MySwitch
  MySwitch(config)#no hostname
  FES4802(config)#exit
  FES4802#wr m

Setting IP Address and default gateway on a switch

Notes: This is for a device running switch code. For devices in Layer-3 mode, refer to “Configuring Router Interfaces” or “Configuring Virtual Router Interfaces” to assign an IP. To assign a default gateway on a router, use “ip route 0.0.0.0/0 192.168.10.1”.
Troubleshooting: show ip
Configuration Example:
  ip address 192.168.10.2/24
  ip default-gateway 192.168.10.1

Password Recovery

Prerequisites: Must have physical access to the switch and console port.
Notes: Press ‘b’ within 3 seconds of power-cycling the switch to enter the boot prompt. This removes passwords in the running configuration, so be sure to set passwords. Alternatively, you can reset the configuration to factory defaults by replacing the command “no password” with “use default”. This only affects the running configuration, so be sure to “write mem” or “erase start” once you’re into the CLI.
Example:
  Boot>no password
  Boot>boot system flash primary

Upgrading software

Prerequisites: Refer to the release notes for specific upgrade procedures and requirements.
Notes: For most devices, there is boot code, monitor code, and a running image. You can store two versions on the device at a time.
Troubleshooting: show flash
Typical File names (first two letters are the device type, third letter is the code type, remaining digits are the version number):
  FEB = Boot      FEL = Base Layer-3
  FEM = Monitor   FER = Full Layer-3
  FES = Switch
Example:
  copy tftp flash 192.168.10.2 fes04000.bin primary | secondary | boot | monitor

Upgrading software for MLX/MXR Chassis (RX Chassis Similar)

Prerequisites: Refer to the release notes for specific upgrade procedures and requirements.
Notes: You can do hitless firmware upgrades (hitless-reload) provided that no hardware (FPGA) images require upgrades and the version you are upgrading to is hitless-allowed from the current running version.
Troubleshooting: show flash
Typical File names:
  xm – combined image for both management and line cards
  xmprm – management module boot code
  xmb – management module monitor code
  mbridge – management module FPGA image
  xmlprm – line card boot code
  xmlb – line card monitor code
  pbifsp2 – FPGA image for all line cards
  xppsp2 – FPGA image for all line cards
  xgmacsp2 – FPGA image for 10G line cards
  lpfpga – All FPGA images combined for line cards
Example:
  ! Upgrade the boot and monitor images on the management
  ! and line cards (only do this if the release notes specify)
  copy tftp flash 192.168.1.1 xmprm03500.bin boot
  copy tftp flash 192.168.1.1 xmb03500f.bin monitor
  copy tftp lp 192.168.1.1 xmlprm03500.bin boot all
  copy tftp lp 192.168.1.1 xmlb03500f.bin monitor all
  ! Upgrade image in primary flash for both management
  ! and line processors (must be release 3.5 or greater)
  copy tftp image 192.168.1.1 xm03600d.bin
  ! Upgrade mbridge on management modules:
  copy tftp mbridge 192.168.1.1 mbridge_03600d.xvsf
  ! Upgrade FPGA’s on line processors (1G & 10G)
  copy tftp lp 192.168.1.1 pbifsp2_03600d.bin fpga-pbif all
  copy tftp lp 192.168.1.1 xppsp2_03600d.bin fpga-xpp all
  copy tftp lp 192.168.1.1 xgmacsp2_03600d.bin fpga-xgmac all
  ! If on release 4.0 or greater, you can upgrade all FPGA’s
  ! on the line processors at once with this command
  copy tftp lp 192.168.1.1 lpfpga04000.bin fpga-all all

Setting Passwords

Notes: By default, a device has no passwords assigned and will allow access.
Configuration Example:
  enable telnet password <password>
  enable super-user <password>

Securing Remote Access with ACL’s

Notes: Create a standard ACL for use in restricting access. Standard access lists are numbered from 1 to 99. Items are grouped by number and executed in order. At the end of each access-list is an explicit “deny ip any”. These ACL numbers are used for restricting access to SSH, Telnet, Web, SNMP, etc.
Troubleshooting: show access-list
Configuration Example:
  access-list 10 permit host 192.168.10.24
  access-list 10 deny host 192.168.20.5
  access-list 10 permit 192.168.20.0/24

Enabling Secure Shell Access (SSH)

Prerequisites: Standard ACL created (optional).
Notes: Requires username/passwords to be created.
Configuration Example:
  crypto key generate
  user jdoe privi 0 password p@ssw0rd
  aaa authentication login default local
  ssh access-group 10
  ip ssh idle-time 20

Securing Telnet

Prerequisites: Standard ACL created (optional) and user (if using enable telnet authentication; see the example for creating users in Enabling SSH).
Notes: Typically for security, telnet is disabled; however, in addition to disabling it (no telnet server), it is advised to secure it as if it were enabled, just in case someone inadvertently turns it on.
Configuration Example:
  telnet access-group 10
  telnet timeout 10
  enable telnet authentication

Securing Web Access

Prerequisites: Standard ACL created (optional) and user (if using aaa authentication; see the example for creating users in Enabling SSH).
Notes: By default, the web-server responds and can be authenticated using user “get” and the read-only SNMP community string as the password. Alternatively, if a read-write community string is created, it can be accessed via “set” and the read-write community string. Changing the aaa authentication method will change this behavior. Also, it is advised to change access from http to https or disable it altogether with “no web-management http”.
Configuration Example:
  crypto-ssl cert generate
  no web-management http
  web-management https
  web access-group 10
  aaa authentication web-server default local

Using and Securing SNMPv2

Prerequisites: Standard ACL created (optional).
Notes: By default, a read-only community string of “public” is defined. It will not appear in the configuration, but is present. You need to change this from the default value. A snmp-server host is the server to which SNMP traps will be sent. IMPORTANT: If you remove all SNMPv2 strings, the system will replace “public” on reload.
Troubleshooting: show snmp server
Configuration Example:
  snmp-server host 192.168.10.2
  no snmp-server community public ro
  snmp-server community <secret> ro 10
  snmp-server community <secret> rw 10

Using and Securing SNMPv3

Prerequisites: Standard ACL created (optional).
Notes: SNMPv3 uses encryption to send and receive SNMP traffic.
Configuration Example:
  snmp-server group admin v3 auth access 10 read all write all notify all
  snmp-server user admin admin v3 auth md5 <passwd> priv des <passwd>
  snmp-server host 192.168.10.2 version v3 privacy <passwd>

Syslog and NTP Server

Prerequisites: A syslog server to receive messages and an NTP time source.
Notes: Logging on the devices is limited by space. It’s advised to send a copy to a server for more permanent storage.
Configuration Example:
  sntp server 192.168.10.3
  logging 192.168.10.2
  logging buffered 100

Securing the Console Port

Prerequisites: aaa authentication methods configured.
Configuration Example:
  enable aaa console
  console timeout 10

Creating a Link Aggregation (Edge Switch)

Prerequisites: The ports that are to be aggregated must be the same speed, in the same VLAN, etc. to be combined.
Notes: Depending on the device, there might be restrictions on which ports can be combined to create aggregated links. Once created, all configuration for the link aggregation group is done via the lead port.
Troubleshooting: show trunk
Static Configuration Example:
  trunk e 1 to 2
  trunk deploy
Dynamic (LACP – 802.1ad) Configuration Example:
  int e 1
   link-aggregate configure key 10000
   link-aggregate active
  int e 2
   link-aggregate configure key 10000
   link-aggregate active

Creating a Link Aggregation (Core Switch)

Prerequisites: v.3.7.00 or greater; otherwise, use the configuration for an edge switch. The ports that are to be aggregated must be the same speed, in the same VLAN, etc. to be combined.
Notes: To enable or disable individual ports within a trunk, you must use the disable/enable command within the lag commands.
Troubleshooting: show lag brief
Static Configuration Example:
  lag blue static
   ports ethernet 3/1 ethernet 7/2
   primary port 3/1
   deploy
Dynamic (LACP – 802.1ad) Configuration Example:
  lag red dynamic
   ports ethernet 3/4 to 3/5
   primary port 3/4
   deploy

Creating a VLAN

Prerequisites: None
Notes: VLANs segment ports into separate broadcast/multicast domains. Brocade’s implementation is based on IEEE 802.1Q, which defines “tagged” packets. Ports that are defined as “tagged” send the 802.1Q VLAN ID embedded in the packets. Ports defined as “untagged” do not send the VLAN ID in the packet.
Caveats: “Untagged” ports can only belong to one VLAN, and only those ports belonging to the Default VLAN can be assigned to another VLAN. If you wish to move “untagged” ports from one VLAN to another, they must first be placed back into the Default VLAN by the command “no untagged e <port number>”.
Configuration Example:
  vlan 10 name Accounting
   tagged e 49
   untagged e 1 to 10
   untagged e 15
   no untagged e 8

Creating a management VLAN for switches

Prerequisites: VLAN created with ports assigned.
Notes: By default, a switch will respond to requests on all VLANs provided the Layer-3 addressing matches. Creating a management VLAN stops that, and the switch management will only answer requests that are on the specified VLAN.
Caveats: Only one management VLAN can be assigned. If an “ip default-gateway” has already been assigned, it will be moved into the VLAN configuration as “default-gateway”.
Configuration Example:
  vlan 10 name Management
   management-vlan
   default-gateway 192.168.10.1 1
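The ordered, first-match evaluation described under Securing Remote Access with ACL’s, as an added example that is not part of the cheat-sheet (Python rather than the switch CLI): it parses the host, prefix and any entry forms the page uses, walks the entries of one numbered list in configured order, and falls back to the deny-all at the end of the list. The three entries in SAMPLE_ACL are the page’s own; REORDERED_ACL is constructed to show why the deny-host line has to come before the /24 permit. Use it to confirm which management stations an ACL admits before binding it to ssh, telnet, web or snmp.

```python
"""Evaluate a numbered standard ACL (1-99) against a source address.

Added example, not from the cheat-sheet or Brocade. Supports the entry
forms shown on the page: "host A.B.C.D", "A.B.C.D/len" and "any".
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    network: ipaddress.IPv4Network   # host -> /32, any -> 0.0.0.0/0


def parse_standard_acls(config_text: str) -> dict:
    """Return {acl_number: [AclEntry, ...]} in configured order."""
    acls = {}
    for raw in config_text.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue                                    # not an ACL line
        number = int(tokens[1])
        if not 1 <= number <= 99:
            raise ValueError(f"{number} is not a standard ACL number (1-99)")
        action = tokens[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r} in {raw!r}")
        if tokens[3] == "host" and len(tokens) >= 5:
            network = ipaddress.IPv4Network(f"{tokens[4]}/32")
        elif tokens[3] == "any":
            network = ipaddress.IPv4Network("0.0.0.0/0")
        else:
            network = ipaddress.IPv4Network(tokens[3], strict=False)
        acls.setdefault(number, []).append(AclEntry(action, network))
    return acls


def evaluate(entries, source_ip: str):
    """(action, index) of the first matching entry; ("deny", None) if none match."""
    addr = ipaddress.IPv4Address(source_ip)
    for index, entry in enumerate(entries):
        if addr in entry.network:
            return entry.action, index
    return "deny", None                                 # deny-all at the end


def decide(config_text: str, source_ip: str, acl_number: int = 10) -> str:
    """Parse the config and return permit/deny for one source host."""
    entries = parse_standard_acls(config_text).get(acl_number, [])
    return evaluate(entries, source_ip)[0]


# The page's ACL 10, as written.
SAMPLE_ACL = """\
access-list 10 permit host 192.168.10.24
access-list 10 deny host 192.168.20.5
access-list 10 permit 192.168.20.0/24
"""

# Constructed: same entries, deny moved after the /24 permit, so the
# deny line can never be reached for 192.168.20.5.
REORDERED_ACL = """\
access-list 10 permit host 192.168.10.24
access-list 10 permit 192.168.20.0/24
access-list 10 deny host 192.168.20.5
"""

if __name__ == "__main__":
    for host in ("192.168.10.24", "192.168.20.5", "192.168.20.77", "10.1.1.1"):
        print(f"{host:15} page order: {decide(SAMPLE_ACL, host):6} "
              f"reordered: {decide(REORDERED_ACL, host)}")
```

The index returned by evaluate tells you which line admitted or blocked a host, which is the quickest way to explain a "why can this station still reach the switch" ticket.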
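A defender’s check over the remote-access hardening items from Setting Passwords through Securing the Console Port, as an added example that is not from the cheat-sheet or from Brocade: it reads a running configuration in the page’s command syntax and reports each item the page asks for that is missing (telnet disabled yet still ACL-bound and time-limited, http off and https ACL-bound with local aaa, no “public” community and every community bound to an ACL, a trap receiver, SSH ACL and idle-time, remote syslog, SNTP, console timeout). Both sample configurations are constructed; the community strings s3cr3tRO and s3cr3tRW stand in for the page’s <secret> placeholders.

```python
"""Audit a running configuration against this cheat-sheet's hardening items.

Added example, not from the cheat-sheet or Brocade. Assumes plain-text
configuration lines in the page's syntax; sample configs are constructed.
"""
import re


def _has(lines, pattern):
    """True if any configuration line matches the regex (anchored at line start)."""
    rx = re.compile(pattern)
    return any(rx.match(line) for line in lines)


def audit_config(config_text: str) -> list:
    """Return a list of findings; an empty list means every check passes."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []

    # Telnet: disabled, but still ACL-restricted and time-limited in case
    # someone turns it back on (the page's advice).
    if not _has(lines, r"no telnet server$"):
        findings.append("telnet server enabled (expected 'no telnet server')")
    if not _has(lines, r"telnet access-group \d+$"):
        findings.append("telnet has no access-group ACL")
    if not _has(lines, r"telnet timeout \d+$"):
        findings.append("telnet idle timeout not set")

    # Web: http off; if https is on it needs an ACL and local aaa so the
    # SNMP-community fallback login is not used.
    if not _has(lines, r"no web-management http$"):
        findings.append("web-management http still enabled")
    if _has(lines, r"web-management https$"):
        if not _has(lines, r"web access-group \d+$"):
            findings.append("https enabled without a web access-group ACL")
        if not _has(lines, r"aaa authentication web-server default"):
            findings.append("web-server still falls back to SNMP-community login")

    # SNMPv2: no 'public', every community bound to an ACL, a trap receiver.
    # With no community configured at all the hidden default 'public' is live.
    communities = [ln for ln in lines if ln.startswith("snmp-server community ")]
    if not communities:
        findings.append("no SNMP community configured: default 'public' is active")
    for ln in communities:
        m = re.match(r"snmp-server community (\S+) (ro|rw)(?: (\d+))?$", ln)
        if m is None:
            continue
        if m.group(1) == "public":
            findings.append("default SNMP community 'public' is configured")
        if m.group(3) is None:
            findings.append(f"SNMP {m.group(2)} community has no ACL bound")
    if not _has(lines, r"snmp-server host \S+"):
        findings.append("no snmp-server host for traps")

    # SSH: ACL and idle timeout.
    if not _has(lines, r"ssh access-group \d+$"):
        findings.append("SSH has no access-group ACL")
    if not _has(lines, r"ip ssh idle-time \d+$"):
        findings.append("SSH idle-time not set")

    # Off-box logging, time source, console timeout.
    if not _has(lines, r"logging \d+\.\d+\.\d+\.\d+$"):
        findings.append("no remote syslog server configured")
    if not _has(lines, r"sntp server \S+"):
        findings.append("no SNTP time source configured")
    if not _has(lines, r"console timeout \d+$"):
        findings.append("console timeout not set")
    return findings


# Constructed: a freshly addressed switch with only the defaults touched.
WEAK_CONFIG = """\
hostname MySwitch
ip address 192.168.10.2/24
ip default-gateway 192.168.10.1
web-management http
snmp-server community public ro
enable telnet password changeme
"""

# Constructed from the page's examples; s3cr3tRO/s3cr3tRW are placeholders.
HARDENED_CONFIG = """\
hostname MySwitch
access-list 10 permit host 192.168.10.24
access-list 10 permit 192.168.20.0/24
no telnet server
telnet access-group 10
telnet timeout 10
enable telnet authentication
aaa authentication login default local
aaa authentication web-server default local
ssh access-group 10
ip ssh idle-time 20
no web-management http
web-management https
web access-group 10
snmp-server host 192.168.10.2
no snmp-server community public ro
snmp-server community s3cr3tRO ro 10
snmp-server community s3cr3tRW rw 10
sntp server 192.168.10.3
logging 192.168.10.2
logging buffered 100
enable aaa console
console timeout 10
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit_config(cfg))} finding(s)")
        for f in audit_config(cfg):
            print("  -", f)
```

Feed it the output of “show run” saved with the TFTP/SCP backup commands on the second page; running it over every backup is a cheap way to catch a device whose telnet server or http access was turned back on.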
Dual-Mode Ports

Prerequisites: VLANs created with ports assigned.
Notes: In some situations, like connecting to a Cisco® device or VoIP device, traffic may appear on an interface both tagged and untagged. For example, the Cisco native VLAN will not have a VLAN tag on a Cisco 802.1Q link. A port that is dual-mode will send/receive untagged packets and place them into the appropriate VLAN while also accepting normal tagged traffic.
Configuration Example (Edge Device):
  vlan 10 name Voice
   tagged e 1
  vlan 20 name Data
   tagged e 1
  int e 1
   dual-mode 20 !— Untagged traffic goes to VLAN 20
Configuration Example (Core Devices):
  vlan 10 name Voice
   tagged e 1/1
  vlan 20 name Data
   untagged e 1/1 !--- Port can only be “untagged” for one vlan
  ! By default, ports will remain untagged in the default vlan as
  ! you tag them into other vlans unless you remove them
  ! individually:
  vlan 1
   no untagged e 1/1
  ! or to stop that behavior globally (v3.7.0 and greater)
  no dual-mode-default-vlan

Per VLAN Spanning Tree

Prerequisites: VLAN created with ports assigned.
Notes: By default, devices running switch code have Per-VLAN STP running. Devices running router code do not. The default spanning tree priority is 32768.
Caveats: None
Troubleshooting: show spanning-tree
Configuration Example:
  vlan 10
   spanning-tree
   spanning-tree priority 256

Per VLAN Rapid Spanning Tree

Prerequisites: VLAN created with ports assigned.
Notes: All switches in the VLAN need to be running RSTP. All switch-to-switch interfaces must be defined as “admin-pt2pt-mac ports”. Priority only needs to be assigned on the primary and backup root switches.
Troubleshooting: show 802-1w
Configuration Example:
  vlan 10
   spanning-tree 802-1w
   spanning-tree 802-1w priority 256
   spanning-tree 802-1w admin-pt2pt-mac

MSTP (802.1s) – IEEE based per VLAN Rapid Spanning Tree

Prerequisites: VLAN created with ports assigned.
Notes: The mstp name and revision number must be the same across all switches in the same region. MSTP operates just like RSTP.
Troubleshooting: show mstp config
Configuration Example:
  mstp name Campus
  mstp revision 1
  mstp instance 6 vlan 6
  mstp instance 6 priority 8192
  mstp admin-pt2pt-mac ethe 1/5 to 1/20
  mstp start

Configuring Router Interfaces

Prerequisites: Switch is in Full Layer-3 code.
Notes: The route-only statement ensures that no broadcast will leak between the ports that are assigned to the same VLAN. Doing this avoids having to put every port in its own VLAN.
Troubleshooting: show ip int
Configuration Example:
  int e 1
   ip address 192.168.10.1/24
   route-only

Configuring Virtual Router Interfaces

Prerequisites: Switch is in Base Layer-3 or Full Layer-3 code and ports are assigned to a VLAN.
Notes: This assigns a router interface to a group of ports with a VLAN.
Troubleshooting: show ip int
Configuration Example:
  vlan 10
   untagged e 1 to 2
   router-interface ve 10
  interface ve 10
   ip address 192.168.10.1/24

Configuring Static Routes

Prerequisites: Switch is running Full Layer-3 code and IP addresses are already assigned to interfaces or virtual interfaces.
Notes: Although the next hop can be the interface name, do NOT use this. Always specify the IP address of the next router to which the packets should be sent.
Troubleshooting: show ip route
Configuration Example:
  ip route 192.168.10.0/24 192.168.2.1

Configuring OSPF

Prerequisites: Switch is running Full Layer-3 code and IP addresses are already assigned to interfaces or virtual interfaces.
Notes: Passive interfaces do not transmit OSPF hellos. This is for security on subnets that don’t have neighboring routers. Additionally, consider MD5 authentication of neighbors (example not shown). Configuring a loopback interface is recommended as the router-id for OSPF.
Troubleshooting: show ip ospf
Configuration Example:
  interface loopback 1
   ip address 192.168.100.1/32
  router ospf
   area 0
  int e 1
   ip ospf area 0
  int ve 10
   ip ospf area 0
  int e 49
   ip ospf passive

Configuring VRRP-Extended

Prerequisites: Switch is running Full Layer-3 code and IP addresses are already assigned to interfaces or virtual interfaces.
Notes: VRRP provides redundancy for routers. Two (or more) routers back up a single IP.
Troubleshooting: show ip vrrp-e brief
Configuration Example:
  ROUTER A:
  router vrrp-extended
  int ve 10
   ip address 192.168.10.2/24
   ip vrrp-extended vrid 10
    backup priority 200
    ip-address 192.168.10.1
    advertise backup
    activate
  ROUTER B:
  router vrrp-extended
  int ve 10
   ip address 192.168.10.3/24
   ip vrrp-extended vrid 10
    backup priority 150
    ip-address 192.168.10.1
    advertise backup
    activate

Enabling MAC-Based Port Security

Notes: An interface can be set up to accept a certain number of MAC addresses per port and automatically shut down/restrict the port if the MAC changes or more than that number of MAC addresses are discovered on the port.
Troubleshooting: show port security, clear port security
Configuration Example:
  port-security
   violation shutdown 10 !— shut down the port for 10 min
   autosave 60 !— save learned MACs to flash every 60 min
  int e 1 to 24
   port security
    enable
    maximum 1 !— Note: 1 is the default

Securing Management to Specific Router IPs

Prerequisites: Appropriate telnet/snmp/syslog/ssh/web configurations.
Notes: Using a loopback interface is best, as it’s not tied to an interface that could potentially go down. Some options may not be available on some devices.
Configuration Example:
  interface loopback 1
   ip address 192.168.100.1/32
  !
  ip telnet source-interface loopback 1
  ip ssh source-interface loopback 1
  ip web source-interface loopback 1
  ip snmp source-interface loopback 1
  ip syslog source-interface loopback 1

Backing up the Configuration

Prerequisites: A TFTP server, or a Secure Copy program and SSH enabled on the device.
Notes: TFTP commands are issued on the device. SCP commands are issued on the server.
Example Commands for TFTP:
  Backing up the device:
  copy run tftp 192.168.10.2 myswitch.cfg
  Restoring the device:
  copy tftp start 192.168.10.2 myswitch.cfg
  reload
Example Commands for SCP:
  Backing up the device:
  scp username@192.168.10.1:runConfig myswitch.cfg
  Restoring the device:
  scp myswitch.cfg username@192.168.10.1:startConfig
  Reload the switch for the restored configuration to take effect.

Enabling sFlow (RFC 3164)

Prerequisites: sFlow collector to receive the sFlow information.
Notes: sFlow samples packets flowing through the switch and reports them back to a collector for analysis. The devices process the packets in hardware; however, care should be taken in selecting a sample rate so as not to overwhelm the processing and storage space of the collector. Most devices only sample in the inbound direction, so all ports must be enabled to report all traffic on the device.
Configuration Example:
  sflow destination 192.168.100.2
  sflow sample 512
  sflow enable
  int e 1 to 24
   sflow-forwarding

Brocade Technical Contacts:
  Rick Macchio, Systems Engineer, DoD Medical East, rmacchio@brocade.com, 301-807-1066
  Allen Hébert, Systems Engineer, DoD Medical Program, ahebert@brocade.com, 512-691-9394
Brocade Account Management Contact:
  Jim Johnson, Regional Sales Manager, DoD Medical Program, johnsonj@brocade.com, 936-232-4658

© 2010 by Brocade Communications. Produced by: Tim Braly, BCNP, BCFP, Systems Engineer III. tbraly@brocade.com
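To make the behaviour described under Enabling MAC-Based Port Security concrete (a port learns up to “maximum” addresses, and a changed or additional address either shuts the port down for the configured number of minutes or is restricted while the port stays up), here is an added simulation in Python. It is not from the cheat-sheet or from Brocade: the SecurePort class, its method names, the minute-based clock and the frame trace are all constructed for this example, and “restrict” is modelled as dropping frames from unknown addresses without disabling the port.

```python
"""Simulate MAC port security: learn up to `maximum` addresses per port and
act on violations ("shutdown" for N minutes, or "restrict").

Added example, not from the cheat-sheet or Brocade. Times are minutes
since an arbitrary start; the sample trace is constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SecurePort:
    """One port running MAC port security."""
    name: str
    maximum: int = 1                  # page: "maximum 1" is the default
    violation: str = "shutdown"       # "shutdown" (page example) or "restrict"
    shutdown_minutes: int = 10        # page: "violation shutdown 10"
    learned: set = field(default_factory=set)
    shutdown_until: Optional[float] = None   # minute at which the port comes back up
    violations: int = 0

    def is_up(self, now: float) -> bool:
        """Port is up unless a shutdown timer is still running."""
        if self.shutdown_until is None:
            return True
        if now >= self.shutdown_until:
            self.shutdown_until = None        # timer expired: port re-enabled
            return True
        return False

    def frame(self, src_mac: str, now: float) -> str:
        """Process one inbound frame and report what happened to it."""
        src_mac = src_mac.lower()
        if not self.is_up(now):
            return "dropped: port shut down"
        if src_mac in self.learned:
            return "forwarded"
        if len(self.learned) < self.maximum:
            self.learned.add(src_mac)
            return "forwarded: learned"
        # A new address beyond the limit (on a maximum-1 port, any changed
        # address) is a violation.
        self.violations += 1
        if self.violation == "shutdown":
            self.shutdown_until = now + self.shutdown_minutes
            return f"violation: port shut down for {self.shutdown_minutes} min"
        return "violation: dropped (restrict)"

    def clear(self) -> None:
        """Operator reset, modelled on the page's 'clear port security'."""
        self.learned.clear()
        self.shutdown_until = None


def run_trace(port: SecurePort, trace: List[Tuple[float, str]]) -> List[str]:
    """Feed (minute, source_mac) frames through the port in order."""
    return [port.frame(mac, t) for t, mac in trace]


# Constructed trace: one legitimate host, then a second MAC appearing on a
# maximum-1 port, then traffic during and after the 10-minute shutdown.
SAMPLE_TRACE = [
    (0.0, "00:11:22:33:44:55"),
    (0.5, "00:11:22:33:44:55"),
    (1.0, "66:77:88:99:aa:bb"),
    (2.0, "00:11:22:33:44:55"),
    (11.5, "00:11:22:33:44:55"),
]

if __name__ == "__main__":
    port = SecurePort("e 1")
    for (t, mac), result in zip(SAMPLE_TRACE, run_trace(port, SAMPLE_TRACE)):
        print(f"t={t:5.1f} min  {mac}  -> {result}")
```

The fourth frame is the point worth noticing: while the shutdown timer runs, even the originally learned host is cut off, which is the trade-off between “shutdown” and “restrict” when deciding what to configure on user-facing ports.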