

---
title: Brocade FastIron Switches
breadcrumbs:
- title: Network
---
{% include header.md %}

## Using
{:.no_toc}

- Brocade/Ruckus ICX 6610 (v08.0.30, router edition).

## Disclaimer
{:.no_toc}

Security features like port security, dynamic ARP inspection, DHCP snooping, IP source guard, DHCPv6 snooping, IPv6 NDP inspection and IPv6 RA guard will not be covered, since I mainly use the switch as a core/distribution switch and not as an access switch.

## Initial Configuration

1. Connect using serial: 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.
2. Enter privileged exec mode: `enable`
3. Enter configuration mode: `conf t`
4. Shut down all interfaces:
    1. Alternatively, shut down unused interfaces afterwards.
    2. Select a range of interfaces: `int e1/1/1 to 1/1/24` (example)
    3. Shut them down: `disable`
    4. Repeat for other interface ranges.
5. Set the correct boot preference:
    1. Change it: `boot system flash primary`
    2. Check it (priv exec): `sh boot-pref`
6. Set the hostname: `hostname <name>`
7. Disable unused features:
    1. Web management: `no web-management`
    2. VSRP: `no router vsrp`
    3. Telnet: `no telnet server`
8. Set the superuser enable password: `enable super-user-password <password>`
9. Add a user and enable login:
    1. Enable SHA-256 password hashing (requires v8.0.40 or later): `service password-encryption sha256`
    2. Add a user: `user <username> privilege 0 create-password <password>`
        - Privilege 0 is the highest.
        - The default password hashing algorithm is MD5.
        - The password can't contain spaces.
    3. Enable remote login: `aaa authentication login default local`
    4. Make remote login enter priv exec mode: `aaa authentication login privilege-mode`
    5. Enable priv exec mode login: `aaa authentication enable default local`
    6. Enable login log messages and traps: `logging enable user-login`
10. Configure the time zone (Norway):
    1. Time zone: `clock timezone gmt gmt+01`
    2. Manual summer time: `clock summer-time`
    3. Set the time (priv exec): `clock set <hh:mm:ss> <mm-dd-yyyy>`
11. Set up DNS:
    1. IPv4 DNS servers: `ip dns server-address <address> [...]`
    2. IPv6 DNS servers: `ipv6 dns server-address <address> [...]`
12. Enable SSH:
    1. Delete the old key: `crypto key zeroize [rsa]`
    2. Generate a new key: `crypto key generate rsa modulus 2048`
    3. Remove old public keys: `ip ssh pub-key-file remove`
    4. Disable unused authentication methods:
        1. `ip ssh interactive-authentication no`
        2. `ip ssh key-authentication no`
    5. Make it secure:
        1. `ip ssh encryption aes-only`
        2. `ip ssh encryption disable-aes-cbc`
        3. `jitc enable`
    6. Set the idle timer: `ip ssh idle-time <minutes>` (e.g. 15)
    7. Notes:
        - SSH may crash if key-based authentication is enabled but not configured.
        - Both password-based and key-based authentication are enabled by default.
        - SCP is enabled by default.
13. (Optional) Enable HTTPS:
    1. Delete the old SSL/TLS certificate: `crypto-ssl certificate zeroize`
    2. Generate a new SSL/TLS certificate: `crypto-ssl certificate generate`
    3. Enable HTTPS: `web-management https`
    4. Disable HTTP: `no web-management http`
    5. Use local auth: `aaa authentication web-server default local`
14. Configure physical interfaces (`int eth <unit/slot/port> [to ...]`):
    1. Set the port name: `port-name <name>`
    2. (SFP+ ports) Set the port speed and duplex: `speed-duplex 10g-full`
    3. VLAN configuration: see the separate section.
15. Configure link aggregation:
    1. Create it: `lag <name> dynamic`
        - The `dynamic` keyword can be omitted once created.
    2. Add ports to it: `ports ethernet <if> [to <if>]`
        - Use `no` to remove ports.
    3. Set the primary port: `primary-port <if>`
        - All other ports will inherit the config of the primary port.
    4. Use frequent LACPDUs: `lacp-timeout short`
    5. Deploy/enable it: `deploy`
16. Configure VLANs:
    1. Create a VLAN: `vlan <VID> name <name>`
        - The name can be omitted once created.
    2. Add untagged and tagged ports: `<untagged | tagged> <if> [<if>*]`
    3. (Optional) Set a dual-mode VLAN (aka native VLAN):
        1. Add the port as tagged.
        2. Enter the physical interface configuration.
        3. Set it for the current interface: `dual-mode <VID>`
    4. Enable spanning tree (same type as global): `spanning-tree`
17. Enable IPv6 forwarding: `ipv6 unicast-routing`
18. Configure the in-band management interface and disable the out-of-band interface:
    1. Disable the OOB mgmt. interface:
        1. Enter: `int man 1`
        2. Disable: `disable`
    2. Enter the management VLAN config: `vlan <VID>`
    3. Add a router interface to the VLAN: `router-interface ve <VID>`
    4. Exit the VLAN config.
    5. Enter the router interface: `int ve <VID>`
    6. Set its IPv4 address: `ip address <address>/<length>`
    7. Set its IPv6 address: `ipv6 address <address>/<length>`
    8. Exit the router interface.
    9. Add a default IPv4 route: `ip route 0.0.0.0/0 <gateway>`
    10. Add a default IPv6 route: `ipv6 route ::/0 <gateway>`
    11. Disable sending IPv6 RAs: `ipv6 nd suppress-ra`
19. Enable LLDP: `lldp run`
20. Configure spanning tree (802-1w):
    1. Enable globally: `spanning-tree single 802-1w`
    2. Set the priority: `spanning-tree single 802-1w priority 0` (0 for root)
    3. Set a port as an edge port (aka portfast): `spanning-tree 802-1w admin-edge-port`
    4. Enable root guard on a port: `spanning-tree root-protect`
    5. Enable BPDU guard on a port: `stp-bpdu-guard`
    6. Enable BPDU filter on a port: `stp-protect`
    7. Show status: `show 802-1w`
21. (Optional) Configure the NTP client:
    1. Enter config: `ntp`
    2. Enable with a server: `server <address>`
    3. Show status:
        - `sh ntp assoc`
        - `sh ntp status`
22. Save the config: `write memory`
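The management-plane parts of the steps above (telnet, web management and VSRP off, SHA-256 password hashing, SSH restricted to AES without CBC, an idle timer, login logging) can be checked mechanically against a saved config dump, which is handy when several switches are set up by hand. The following Python script is an added example, not code from the original page or from Brocade/Ruckus. It assumes that `show running-config` output lists each global command on its own line, spelled as in the steps above, and that MD5 password hashes carry the conventional `$1$` prefix; both sample configs are constructed, and the finding ids and the 15-minute idle ceiling are this example's own choices.

```python
"""Baseline check of a FastIron running-config dump against the
initial-configuration steps. Added example, not from the original page.

Assumptions (not stated on the page): each global command appears on its
own line as typed in the steps; MD5 password hashes use the conventional
`$1$` prefix. Both sample configs below are constructed.
"""
import re

# Constructed sample: a switch still at factory defaults (telnet, web
# management and VSRP enabled, no SSH hardening, MD5 password hashes).
FACTORY_DEFAULT_CONFIG = """\
hostname lab-core
enable super-user-password $1$placeholderhash
user admin privilege 0 password $1$placeholderhash
aaa authentication login default local
"""

# Constructed sample: the same switch after the initial-configuration steps.
HARDENED_CONFIG = """\
hostname lab-core
no web-management
no router vsrp
no telnet server
service password-encryption sha256
enable super-user-password $8$placeholderhash
user admin privilege 0 password $8$placeholderhash
aaa authentication login default local
aaa authentication login privilege-mode
aaa authentication enable default local
logging enable user-login
ip ssh interactive-authentication no
ip ssh key-authentication no
ip ssh encryption aes-only
ip ssh encryption disable-aes-cbc
ip ssh idle-time 15
jitc enable
lldp run
"""

# (finding id, regex the config must contain, remediation command from the steps)
REQUIRED = [
    ("web-management-enabled", r"^no web-management$", "no web-management"),
    ("vsrp-enabled", r"^no router vsrp$", "no router vsrp"),
    ("telnet-enabled", r"^no telnet server$", "no telnet server"),
    ("password-hashing-not-sha256", r"^service password-encryption sha256$",
     "service password-encryption sha256"),
    ("ssh-key-auth-enabled-but-unused", r"^ip ssh key-authentication no$",
     "ip ssh key-authentication no"),
    ("ssh-non-aes-ciphers-allowed", r"^ip ssh encryption aes-only$",
     "ip ssh encryption aes-only"),
    ("ssh-aes-cbc-allowed", r"^ip ssh encryption disable-aes-cbc$",
     "ip ssh encryption disable-aes-cbc"),
    ("ssh-idle-timer-unset", r"^ip ssh idle-time \d+$", "ip ssh idle-time 15"),
    ("login-events-not-logged", r"^logging enable user-login$",
     "logging enable user-login"),
    ("jitc-disabled", r"^jitc enable$", "jitc enable"),
]

MAX_IDLE_MINUTES = 15  # this example's ceiling, taken from the "e.g. 15" above


def config_lines(config_text):
    """Split a config dump into stripped, non-empty lines."""
    return [ln.strip() for ln in config_text.splitlines() if ln.strip()]


def ssh_idle_minutes(config_text):
    """Return the configured SSH idle timeout in minutes, or None if unset."""
    for ln in config_lines(config_text):
        m = re.match(r"^ip ssh idle-time (\d+)$", ln)
        if m:
            return int(m.group(1))
    return None


def audit(config_text):
    """Return [(finding, remediation)] for every baseline item the config misses."""
    lines = config_lines(config_text)
    findings = []
    for finding, pattern, fix in REQUIRED:
        if not any(re.match(pattern, ln) for ln in lines):
            findings.append((finding, fix))
    # Passwords hashed with MD5 ($1$ prefix assumed) should be set again once
    # sha256 hashing is enabled, so flag any that are still present.
    if any(re.search(r"password \$1\$", ln) for ln in lines):
        findings.append(("md5-password-hash-present",
                         "re-set the password after enabling sha256 hashing"))
    idle = ssh_idle_minutes(config_text)
    if idle is not None and idle > MAX_IDLE_MINUTES:
        findings.append(("ssh-idle-timer-too-long",
                         f"ip ssh idle-time {MAX_IDLE_MINUTES}"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY_DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for finding, fix in results:
            print(f"  {finding}: apply `{fix}`")
```

Run it directly to audit both samples; to check a real switch, paste the `show running-config` output into a file and pass its contents to `audit()`. Matching is line-exact on purpose, so a command typed with a different abbreviation shows up as a finding and gets looked at rather than silently passing.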

## General Configuration

### Basics

- Console:
    - Enable logging to the serial console: `logging console`
    - Enable logging to SSH/Telnet sessions: `terminal monitor` (in privileged exec mode)
- Hardware:
    - Reboot: `boot system`
    - Show hardware: `sh chassis`
    - Log: `sh log`
    - CPU usage: `sh cpu`
- Interfaces:
    - Interface list: `sh int br`
    - Interface stats: `sh int`
- Spanning tree:
    - Show: `sh span`
- Link aggregation (LAG):
    - Show info: `sh lag`
- File management:
    - Show directory contents: `sh dir`
    - Show file contents: `copy flash console`
- Config management:
    - Save the running config: `write memory`
    - Restore the startup config: `reload`
- Transceivers:
    - Show transceivers: `show media validation`
- LLDP:
    - Enable (config): `lldp run`
    - Show status: `show lldp`
    - Show neighbors overview: `show lldp neigh`
    - Show neighbor details: `show lldp neigh ports <port>`

### Ports

- Enable SFP+ ports: `speed-duplex 10g-full`

## Tasks

### Reset Configuration

Run `erase startup-config` and then `reload`. Don't `write mem`, as it will recreate the startup config.

## Features

### Virtual Switch Redundancy Protocol (VSRP)

- A Ruckus-proprietary protocol for L2/L3 redundancy and failover.
- Enabled by default.

## Theory

### Using the CLI

- Backspace: Ctrl+H

### Miscellaneous

- Brocade devices operate in cut-through switching mode instead of store-and-forward by default.

{% include footer.md %}