Accueil Explorer Aide
S'inscrire Connexion
jeremy
/
HON95-wiki
miroir de https://github.com/HON95/wiki
1
0
Fork 0
Fichiers Tickets 0 Wiki
Aborescence: 5432d54493
Branches Tags
HON95-wiki
/
network
/
brocade-fastiron-switches.md

brocade-fastiron-switches.md 7.2 KB
Historique Raw

title: Brocade FastIron Switches breadcrumbs:

  • title: Network --- {% include header.md %}

Using

{:.no_toc}

  • Brocade/Ruckus ICX 6610 (v08.0.30 router edition).

Disclaimer

{:.no_toc}

Security features like port security, dynamic ARP inspection, DHCP snooping, IP source guard, DHCPv6 snooping, IPv6 NDP inspection and IPv6 RA guard will not be covered since I mainly use the switch as a core/dist. switch and not an access switch.

Initial Configuration

  1. Connect using serial: 9600bps baud, 8 data bits, no paroty, 1 stop bit, no flow control.
  2. Enter privileged exec mode: enable
  3. Enter configuration mode: conf t
  4. Shut down all interfaces:
    1. Alternatively, shut down unused interfaces afterwards.
    2. Select range of innterfaces: int e1/1/1 to 1/1/24 (example)
    3. Shut them down: disable
    4. Repeat for other interface ranges.
  5. Set the correct boot preference:
    1. Change it: boot system flash primary
    2. Check it (priv exec): sh boot-pref
  6. Set the hostname: hostname <name>
  7. Disable unused features:
    1. Web management: no web-management
    2. VSRP: no router vsrd
    3. Telnet: no telnet server
  8. Set the superuser enable password: enable super-user-password <password>
  9. Add a user and enable login:
    1. Enable password encryption (requires v8.0.40 or later): service password-encryption sha256
    2. Add user: user <username> privilege 0 create-password <password>
      • Privilege 0 is the highest.
      • The default password hashing algorithm is MD5.
      • The password can't contain spaces.
    3. Enable remote login: aaa authentication login default local
    4. Make remote login enter priv exec mode: aaa authentication login privilege-mode
    5. Enable priv exec mode login: aaa authentication enable default local
    6. Enable login log messages and traps: logging enable user-login
  10. Configure time zone (Norway):
    1. Time zone: clock timezone gmt gmt+01
    2. Manual summer time: clock summer-time
    3. Set the time (priv exec): clock set <hh:mm:ss> <mm-dd-yyyy>
  11. Setup DNS:
    1. IPv4 DNS servers: ip dns server-address <address> [...]
    2. IPv6 DNS servers: ipv6 dns server-address <address> [...]
  12. Enable SSH:
    1. Delete the old key: crypto key zeroize [rsa]
    2. Generate new key: crypto key generate rsa modulus 2048
    3. Remove old public keys: ip ssh pub-key-file remove
    4. Disable unused authentication methods:
      1. ip ssh interactive-authentication no
      2. ip ssh key-authentication no
    5. Make it secure:
      1. ip ssh encryption aes-only
      2. ip ssh encryption disable-aes-cbc
      3. jitc enable
    6. Set the idle timer: ip ssh idle-time <minutes> (e.g. 15)
    7. Notes:
      • SSH may crash if key-authentication is enabled but not configured.
      • Both password and key based authentication is enabled by default.
      • SCP is enabled by default.
  13. (Optional) Enable HTTPS:
    1. Delete the old SSL/TLS certificate: crypto-ssl certificate zeroize
    2. Generate new SSL/TLS certificate: crypto-ssl certificate generate
    3. Enable HTTPS: web-management https
    4. Disable HTTP: no web-management http
    5. Use local auth: aaa authentication web-server default local
  14. Configure physical interfaces (int eth <unit/slot/port> [to ...]):
    1. Set the port name: post-name <name>
    2. (SFP+ ports) Set the post speed and duplex: speed-duplex 10g-full
    3. VLAN configuration: See separate section.
  15. Configure link aggregation:
    1. Create it: lag <name> dynamic
      • The "dynamic" can be omitted once created.
    2. Add ports to it: ports ethernet <if> [to <if>]
      • Use no to remove ports.
    3. Set the primary port: primary-port <if>
      • All other ports will inherit the config for the primary port.
    4. Use frequent LACPDUs: lacp-timeout short
    5. Deploy/enable it: deploy
  16. Configure VLANs:
    1. Create VLAN: vlan <VID> name <name>
      • The name can be omitted once created.
    2. Create untagged og tagged ports: <untagged | tagged> <if> [<if>*]
    3. (Optional) Set a dual mode VLAN (aka native VLAN):
      1. Add the port as tagged.
      2. Enter the physical interface configuration.
      3. Set it for the current interface: dual-mode <VID>
    4. Enable spanning tree (same type as global): spanning-tree
  17. Enable IPv6 forwarding: ipv6 unicast-routing
  18. Configure in-band management interface and disable out-of-band interface:
    1. Disable the OOB mgmt. interface:
      1. Enter: int man 1
      2. Disable: disable
    2. Enter management VLAN config: vlan <VID>
    3. Add router interface to the VLAN: router-interface ve <VID>
    4. Exit VLAN config.
    5. Enter router interface: int ve <VID>
    6. Set IPv4 address for it: ip address <address>/length
    7. Set IPv6 address for it: ipv6 address <address>/length
    8. Exit router interface.
    9. Add a default IPv4 route: ip route 0.0.0.0/0 <gateway>
    10. Add a default IPv6 route: ipv6 route ::/0 <gateway>
    11. Disable sending IPv6 RAs: ipv6 nd suppress-ra
  19. Enable LLDP: lldp run
  20. Configure spanning tree (802-1w):
    1. Enable globally: spanning-tree single 802-1w
    2. Set priority: spanning-tree single 802-1w priority 0 (0 for root)
    3. Set a port as edge port (aka portfast): spanning-tree 802-1w admin-edge-port
    4. Enable root guard on a port: spanning-tree root-protect
    5. Enable BPDU guard on a port: stp-bpdu-guard
    6. Enable BPDU filter on a port: stp-protect
    7. Show status: show 802-1w
  21. (Optional) Configure NTP client:
    1. Enter config: ntp
    2. Enable with server: server <address>
    3. Show status:
      • sh ntp assoc
      • sh ntp status
  22. Save the config: write memory

General Configuration

Basics

  • Console:
    • Enable logging to the serial console: logging console
    • Enable logging to SSH/Telnet: terminal monitor(in privileged exec mode)
  • Hardware:
    • Reboot: boot system
    • Show hardware: sh chassis
    • Log: sh log
    • CPU usage: sh cpu
  • Interfaces:
    • Interface list: sh int br
    • Interface stats: sh int
  • Spanning tree:
    • Show: sh span
  • Link aggregation (LAG):
    • Show info: sh lag
  • File management:
    • Show directory contents: sh dir
    • Show file contents: copy flash console
  • Config management:
    • Save running config: write memory
    • Restore the startup config: reload
  • Transceivers:
    • Show transceivers: show media validation
  • LLDP:
    • Enable (config): lldp run
    • Show status: show lldp
    • Show neighbors overview: show lldp neigh
    • Show neighbor details: show lldp neigh ports <port>

Ports

  • Enable SFP+ ports: speed-duplex 10g-full

Tasks

Reset Configuration

Run erase startup-config and then reload. Don't write mem as it will recreate the startup config.

Features

Virtual Switch Redundancy Protocol (VSRP)

  • A Ruckus-proprietary protocol for L2/L3 redundancy and failover.
  • Enabled by default.

Theory

Using the CLI

  • Backspace: Ctrl+H

Miscellaneous

  • Brocade devices operate in cut-through switching mode instead of store-and-forward by default.

{% include footer.md %}