HON’s Wiki: Brocade FastIron Switches



Using

Disclaimer

Security features like port security, dynamic ARP inspection, DHCP snooping, IP source guard, DHCPv6 snooping, IPv6 NDP inspection and IPv6 RA guard will not be covered since I mainly use the switch as a core/dist. switch and not an access switch.

Initial Configuration

  1. Connect using serial: 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.
  2. Enter privileged exec mode: enable
  3. Enter configuration mode: conf t
  4. Shut down all interfaces:
    1. Alternatively, shut down unused interfaces afterwards.
    2. Select a range of interfaces: int e1/1/1 to 1/1/24 (example)
    3. Shut them down: disable
    4. Repeat for other interface ranges.
  5. Set the correct boot preference:
    1. Change it: boot system flash primary
    2. Check it (priv exec): sh boot-pref
  6. Set the hostname: hostname <name>
  7. Disable unused features:
    1. Web management: no web-management
    2. VSRP: no router vsrp
    3. Telnet: no telnet server
  8. Set the superuser enable password: enable super-user-password <password>
  9. Add a user and enable login:
    1. Enable password encryption (requires v8.0.40 or later): service password-encryption sha256
    2. Add user: user <username> privilege 0 create-password <password>
      • Privilege 0 is the highest.
      • The default password hashing algorithm is MD5.
      • The password can’t contain spaces.
    3. Enable remote login: aaa authentication login default local
    4. Make remote login enter priv exec mode: aaa authentication login privilege-mode
    5. Enable priv exec mode login: aaa authentication enable default local
    6. Enable login log messages and traps: logging enable user-login
  10. Configure time zone (Norway):
    1. Time zone: clock timezone gmt gmt+01
    2. Manual summer time: clock summer-time
    3. Set the time (priv exec): clock set <hh:mm:ss> <mm-dd-yyyy>
  11. Setup DNS:
    1. IPv4 DNS servers: ip dns server-address <address> [...]
    2. IPv6 DNS servers: ipv6 dns server-address <address> [...]
  12. Enable SSH:
    1. Delete the old key: crypto key zeroize [rsa]
    2. Generate new key: crypto key generate rsa modulus 2048
    3. Remove old public keys: ip ssh pub-key-file remove
    4. Disable unused authentication methods:
      1. ip ssh interactive-authentication no
      2. ip ssh key-authentication no
    5. Make it secure:
      1. ip ssh encryption aes-only
      2. ip ssh encryption disable-aes-cbc
      3. jitc enable
    6. Set the idle timer: ip ssh idle-time <minutes> (e.g. 15)
    7. Notes:
      • SSH may crash if key-authentication is enabled but not configured.
      • Both password and key based authentication are enabled by default.
      • SCP is enabled by default.
  13. (Optional) Enable HTTPS:
    1. Delete the old SSL/TLS certificate: crypto-ssl certificate zeroize
    2. Generate new SSL/TLS certificate: crypto-ssl certificate generate
    3. Enable HTTPS: web-management https
    4. Disable HTTP: no web-management http
    5. Use local auth: aaa authentication web-server default local
  14. Configure physical interfaces (int eth <unit/slot/port> [to ...]):
    1. Set the port name: port-name <name>
    2. (SFP+ ports) Set the port speed and duplex: speed-duplex 10g-full
    3. VLAN configuration: See separate section.
  15. Configure link aggregation:
    1. Create it: lag <name> dynamic
      • The “dynamic” can be omitted once created.
    2. Add ports to it: ports ethernet <if> [to <if>]
      • Use no to remove ports.
    3. Set the primary port: primary-port <if>
      • All other ports will inherit the config for the primary port.
    4. Use frequent LACPDUs: lacp-timeout short
    5. Deploy/enable it: deploy
  16. Configure VLANs:
    1. Create VLAN: vlan <VID> name <name>
      • The name can be omitted once created.
    2. Create untagged and tagged ports: <untagged | tagged> <if> [<if>*]
    3. (Optional) Set a dual mode VLAN (aka native VLAN):
      1. Add the port as tagged.
      2. Enter the physical interface configuration.
      3. Set it for the current interface: dual-mode <VID>
    4. Enable spanning tree (same type as global): spanning-tree
  17. Enable IPv6 forwarding: ipv6 unicast-routing
  18. Configure in-band management interface and disable out-of-band interface:
    1. Disable the OOB mgmt. interface:
      1. Enter: int man 1
      2. Disable: disable
    2. Enter management VLAN config: vlan <VID>
    3. Add router interface to the VLAN: router-interface ve <VID>
    4. Exit VLAN config.
    5. Enter router interface: int ve <VID>
    6. Set IPv4 address for it: ip address <address>/length
    7. Set IPv6 address for it: ipv6 address <address>/length
    8. Exit router interface.
    9. Add a default IPv4 route: ip route 0.0.0.0/0 <gateway>
    10. Add a default IPv6 route: ipv6 route ::/0 <gateway>
    11. Disable sending IPv6 RAs: ipv6 nd suppress-ra
  19. Enable LLDP: lldp run
  20. Configure spanning tree (802-1w):
    1. Enable globally: spanning-tree single 802-1w
    2. Set priority: spanning-tree single 802-1w priority 0 (0 for root)
    3. Set a port as edge port (aka portfast): spanning-tree 802-1w admin-edge-port
    4. Enable root guard on a port: spanning-tree root-protect
    5. Enable BPDU guard on a port: stp-bpdu-guard
    6. Enable BPDU filter on a port: stp-protect
    7. Show status: show 802-1w
  21. (Optional) Configure NTP client:
    1. Enter config: ntp
    2. Enable with server: server <address>
    3. Show status:
      • sh ntp assoc
      • sh ntp status
  22. Save the config: write memory
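A small audit script for the hardening items in the checklist above (web/Telnet disabled, SHA-256 password encryption, local AAA, login logging, SSH cipher and idle-timer settings). This is an added example, not part of the wiki page or Brocade's own tooling; it assumes the disabled-feature settings appear in `show running-config` output as the negated commands shown in the steps, and the config excerpt is constructed, not captured from a real switch.

```python
"""Audit a FastIron running-config (text) against the hardening items in this checklist."""
import re

# Constructed sample `show running-config` excerpt; not output from a real switch.
SAMPLE_CONFIG = """\
hostname core-sw1
no web-management
no telnet server
service password-encryption sha256
aaa authentication login default local
aaa authentication enable default local
logging enable user-login
ip ssh idle-time 30
ip ssh encryption aes-only
ip ssh interactive-authentication no
jitc enable
"""

# Each check: (description, regex that must match exactly one trimmed config line).
REQUIRED = [
    ("web management disabled", r"^no web-management$"),
    ("telnet server disabled", r"^no telnet server$"),
    ("SHA-256 password encryption", r"^service password-encryption sha256$"),
    ("local login authentication", r"^aaa authentication login default local$"),
    ("local enable authentication", r"^aaa authentication enable default local$"),
    ("login events logged", r"^logging enable user-login$"),
    ("SSH AES-only ciphers", r"^ip ssh encryption aes-only$"),
    ("SSH AES-CBC disabled", r"^ip ssh encryption disable-aes-cbc$"),
    ("unused SSH interactive auth disabled", r"^ip ssh interactive-authentication no$"),
    ("unused SSH key auth disabled", r"^ip ssh key-authentication no$"),
    ("JITC mode enabled", r"^jitc enable$"),
]
MAX_SSH_IDLE_MINUTES = 15  # the checklist suggests 15; treat anything longer as weak


def audit_config(config_text):
    """Return a sorted list of findings (strings); an empty list means all checks passed."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []
    for desc, pattern in REQUIRED:
        if not any(re.match(pattern, ln) for ln in lines):
            findings.append("missing: " + desc)
    # SSH idle timer: must be present and no longer than the maximum.
    idle = [m for m in (re.match(r"^ip ssh idle-time (\d+)$", ln) for ln in lines) if m]
    if not idle:
        findings.append("missing: SSH idle timer")
    elif int(idle[0].group(1)) > MAX_SSH_IDLE_MINUTES:
        findings.append("weak: SSH idle timer %s min exceeds %d" % (idle[0].group(1), MAX_SSH_IDLE_MINUTES))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved `show running-config` dump to get a list of checklist items that are missing or weaker than the recommended value.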

General Configuration

Basics

Ports

Tasks

Reset Configuration

Run erase startup-config and then reload. Don’t run write mem in between, as it will recreate the startup config.

Features

Virtual Switch Redundancy Protocol (VSRP)

Theory

Using the CLI

Miscellaneous

