HON’s Wiki: FS FSOS Switches

Using

Basics

Initial Setup

Using an FS S3700-24T4F (access) and an FS S5860-20SQ (core).

Core Switch

Using an FS S5860-20SQ.

  1. Connect to the switch using serial.
    • Using RS-232 w/ RJ45, baud 115200, 8 data bits, no parity bits, 1 stop bit, no flow control.
    • Use Ctrl+H for backspace.
  2. You should already be in the unprivileged exec mode (with FS> prompt).
  3. Enter privileged exec mode: enable
    • The prompt should change from > to #.
  4. (Optional) Show version: show version
    • See the note below on how to upgrade it.
  5. Make sure it’s running in standalone mode (no stacking): switch convert mode standalone
  6. Enter config mode: conf
    • The prompt should change from # to (config)#.
  7. Set hostname: hostname <hostname>
  8. Enable password services:
    1. Enable automatic hashing of passwords (using some weak alg.): service password-encryption
  9. Add user: username <username> privilege 15 password 0 <password>
  10. Disable admin user: no username admin
  11. Setup basic authentication (defaults to local):
    1. Enable new model: aaa new-model
    2. Disable enable authn: aaa authentication enable default none
    3. Enable login authn using local users: aaa authentication login default local
  12. Enable login for console:
    1. Enter line config: line con 0 (leave with exit)
    2. Use default authentication (e.g. local): login authentication default
  13. Disable web server and telnet server, enable SSH server:
    1. Disable web server: no enable service web-server
    2. Disable telnet server: no enable service telnet-server
    3. Enable SSH server: enable service ssh-server
    4. Enter VTY lines: line vty 0 35
    5. Use default authentication (e.g. local): login authentication default
  14. (Optional) Disable inactivity timeout:
    1. (Note) Keep the timeout enabled on production systems (step 36 sets it); disabling it is only a convenience when labbing.
    2. Enter console line.
    3. Disable timer: exec-timeout 0
  15. (Optional) Disable management interface:
    1. Enter: int mgmt 0
    2. Disable: shut
    3. Remove address: no ip addr
  16. Disable unused interfaces:
    1. Enter physical interface range (e.g. int range te0/1-20).
    2. Disable them: shutdown
  17. (Meta) Setup basic interface:
    1. (Note) Applies to most interfaces.
    2. Set description: description <description>
    3. Enable or disable: [no] shutdown
  18. Setup physical L2 interface:
    1. (VLAN/LAG/etc. configured later.)
  19. Setup LAGs (LACP):
    1. Enter member interfaces: int range te0/3-4 (example)
    2. (Optional) Enter some description.
    3. Enable active LACP: port-group 1 mode active (for group number 1)
    4. Set short LACP period: lacp short-timeout
    5. Enter LAG interface: int aggregatePort 1
    6. Set load balancing method: aggregate load-balance src-dst-ip
    7. Configure as normal switch interface.
    8. Verify: show aggregatePort summary and show lacp summary
  20. Setup VLANs:
    1. Define L2 VLAN and enter section: vlan <VID>
    2. Set name: name <name>
    3. (Note) To setup L3 interfaces for VLANs, enter interface VLAN <VID>.
  21. Add interfaces to VLANs:
    1. Enter the interface(s).
    2. Set the mode: switchport mode {access|trunk}
    3. (Access) Set access VLAN: switchport access vlan <VID>
    4. (Trunk) Set native VLAN (if any): switchport trunk native vlan <VID>
    5. (Trunk) Set allowed VLANs (defaults to all): switchport trunk allowed vlan only 10,20 (example)
  22. Setup L3 interface:
    1. Enter the interface (physical, VLAN, etc.).
    2. Enable L3 mode: no switchport
    3. Set IPv4 address: ip address <address>/<length>
    4. Set IPv6 address: ipv6 address <address>/<length>
    5. Explicitly enable IPv6: ipv6 enable
  23. Disable default VLAN interface:
    1. Enter VLAN: int VLAN1
    2. Disable it: shutdown
  24. Set default gateway (and other static routes):
    1. Set default gateway (IPv4): ip route 0.0.0.0 0.0.0.0 <next-hop>
    2. Set default gateway (IPv6): ipv6 route ::/0 <next-hop>
    3. (Note) To avoid leakage, you may want to set up a blackhole route for the site prefixes on the topmost routers; otherwise traffic to unused parts of the prefix follows the default route upstream.
  25. Enable router advertisements (RAs) for IPv6 L3 interfaces:
    1. (Note) This is required for IPv6 autoconfiguration. Set the two flags for DHCPv6 or unset them for SLAAC.
    2. Enter the interface.
    3. (DHCPv6) Set the ND managed flag: ipv6 nd managed-config-flag
    4. (DHCPv6) Set the ND other flag: ipv6 nd other-config-flag
    5. Set DNS servers (RDNSS): ipv6 nd ra dns server <ipv6-server> infinite sequence 0 (only supports IPv6 addresses) (use sequence 1 for the next server)
    6. Set DNS search list (DNSSL): ipv6 nd ra dns search-list <domain> infinite sequence 0
    7. (Optional) Disable sending RAs on the interface (receiving is unaffected): ipv6 nd suppress-ra
    8. TODO Requires testing.
  26. Set DNS servers:
    1. Add server (for each one): ip name-server <ip-address>
  27. Set time and NTP servers:
    1. Set time zone: clock timezone CET 1 0 (UTC+1, Norway; the first argument is only a display name)
    2. Enable automatic summer time: clock summer-time CEST start March last Sunday 2:00 end October last Sunday 3:00 (Norway)
    3. Enable SNTP: sntp enable
    4. Set NTP server: sntp server <hostname>
  28. (Optional) Add MOTD:
    1. Start input for login banner: banner login $ (for delimiter $ to end input with)
  29. Setup LLDP:
    1. Enable: lldp enable
  30. Setup SNMP:
    1. TODO
    2. Enable read-only access for a community: snmp-server community 0 public ro (example; use a non-default community string instead of public and prefer SNMPv3 where the poller supports it)
  31. Setup STP (802.1w/RSTP):
    1. TODO
    2. spanning-tree
    3. errdisable recovery interval 300
  32. Enable/disable flow control:
    1. Enter a physical interface range.
    2. (Optional) Enable auto mode: flow-control auto
    3. (Optional) Disable auto mode: flow-control off
  33. (Optional) Setup VRF:
    1. Create: vrf definition <name>
    2. (Optional) Set a description.
    3. Enable IPv4: address-family ipv4
    4. Enable IPv6: address-family ipv6
    5. Bind interface to VRF (interface config): vrf forwarding <vrf-name> (removes existing IP addresses)
    6. TODO Test
  34. (Optional) Setup RADIUS: TODO
  35. (Optional) Setup TACACS+:
    1. Enable and set server: tacacs-server host <server> key 0 <key-or-prompt>
    2. Set login authn to use TACACS+ and fallback to local: aaa authentication login default group tacacs+ local
    3. TODO Set authz too?
    4. TODO Add accounting too?
    5. TODO Test.
  36. Set terminal idle timer:
    1. Enter console line: line console 0
    2. Set timeout: exec-timeout <seconds>
    3. Enter VTY lines: line vty 0 35 (same range as in step 13)
    4. Set timeout (again).
  37. (Optional) Split 40G-interface (QSFP+) into 4x 10G (SFP+): split interface <if>
  38. Save the config: write mem
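The RA settings in step 25 are easier to reason about when you can see the packet they produce. The following is an added example (not from the wiki or from FS): it builds an ICMPv6 Router Advertisement in memory with the M/O flags and RDNSS/DNSSL options that the ipv6 nd commands configure, then decodes it the way a host would, including the RFC 4861 rule that a zero-length option makes the whole packet invalid. The checksum is left at zero (it is computed over the IPv6 pseudo-header, which is out of scope here), and the DNS server address and search domain are assumptions.

```python
"""Build and decode an ICMPv6 Router Advertisement (RFC 4861, RFC 8106).

Added example, not from the wiki or FS: shows what the "ipv6 nd ..."
commands in step 25 put on the wire. The RA is constructed in memory
(checksum left zero); the address and domain below are assumptions.
"""
import ipaddress
import struct

ICMPV6_RA = 134
OPT_RDNSS = 25          # Recursive DNS Server option (RFC 8106)
OPT_DNSSL = 31          # DNS Search List option (RFC 8106)
FLAG_MANAGED = 0x80     # "M": addresses via DHCPv6 (ipv6 nd managed-config-flag)
FLAG_OTHER = 0x40       # "O": other config via DHCPv6 (ipv6 nd other-config-flag)
INFINITE = 0xFFFFFFFF   # lifetime encoded by the "infinite" keyword


def encode_dnssl(domains):
    """Domain names in DNS wire format, zero-padded to a multiple of 8 bytes."""
    wire = b"".join(
        b"".join(bytes([len(label)]) + label.encode() for label in d.split(".")) + b"\x00"
        for d in domains
    )
    return wire + b"\x00" * ((-len(wire)) % 8)


def build_ra(managed, other, rdnss=(), dnssl=(), lifetime=INFINITE):
    """Return the ICMPv6 payload a router would send with the given ND settings."""
    flags = (FLAG_MANAGED if managed else 0) | (FLAG_OTHER if other else 0)
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    pkt = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags, 1800, 0, 0)
    if rdnss:
        addrs = b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
        # option length is in 8-byte units: 8-byte header + 16 bytes per address
        pkt += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, lifetime) + addrs
    if dnssl:
        names = encode_dnssl(dnssl)
        pkt += struct.pack("!BBHI", OPT_DNSSL, 1 + len(names) // 8, 0, lifetime) + names
    return pkt


def decode_dnssl(data):
    """Inverse of encode_dnssl; stops at the zero padding."""
    names, i = [], 0
    while i < len(data) and data[i] != 0:      # a zero byte here is padding
        labels = []
        while data[i] != 0:
            n = data[i]
            labels.append(data[i + 1:i + 1 + n].decode())
            i += 1 + n
        i += 1                                  # skip the terminating root label
        names.append(".".join(labels))
    return names


def parse_ra(pkt):
    """Decode flags and DNS options; rejects malformed options like a host must."""
    typ, code, _csum, _hop, flags, rlife, _reach, _retrans = struct.unpack("!BBHBBHII", pkt[:16])
    if typ != ICMPV6_RA or code != 0:
        raise ValueError("not a Router Advertisement")
    info = {"managed": bool(flags & FLAG_MANAGED), "other": bool(flags & FLAG_OTHER),
            "router_lifetime": rlife, "rdnss": [], "dnssl": []}
    off = 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0 or off + olen * 8 > len(pkt):
            raise ValueError("malformed ND option")   # RFC 4861 4.6: discard the packet
        opt = pkt[off:off + olen * 8]
        if otype == OPT_RDNSS:
            life = struct.unpack("!I", opt[4:8])[0]
            info["rdnss"] = [(str(ipaddress.IPv6Address(opt[i:i + 16])), life)
                             for i in range(8, len(opt), 16)]
        elif otype == OPT_DNSSL:
            life = struct.unpack("!I", opt[4:8])[0]
            info["dnssl"] = [(name, life) for name in decode_dnssl(opt[8:])]
        off += olen * 8
    if info["managed"]:
        info["mode"] = "dhcpv6"              # both flags set, as in step 25
    elif info["other"]:
        info["mode"] = "slaac+dhcpv6-other"  # addresses by SLAAC, DNS etc. by DHCPv6
    else:
        info["mode"] = "slaac"               # no flags: SLAAC, DNS from RDNSS/DNSSL
    return info


if __name__ == "__main__":
    ra = build_ra(True, True, ["2001:db8::53"], ["example.net"])
    print(parse_ra(ra))
```

With both flags set the decoder reports dhcpv6; with neither it reports slaac, which is the distinction step 25 draws. Capturing a real RA from the switch (for example with tcpdump on a host in the VLAN) and feeding the ICMPv6 payload to parse_ra is a quick way to confirm the configured flags and lifetimes once the TODO testing is done.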

Random notes (TODO):

  1. Configure RSTP:
    • Set protocol: spanning-tree mode rstp (default MSTP)
    • Set priority: spanning-tree priority <priority> (default 32768, should be a multiple of 4096, use e.g. 32768 for access, 16384 for distro and 8192 for core)
    • Set hello time: spanning-tree hello-time <seconds> (default 2s)
    • Set maximum age: spanning-tree max-age <seconds> (default 20s)
    • Set forward delay: spanning-tree forward-time <seconds> (default 15s)
    • Enable: spanning-tree
    • TODO Enabled on all interfaces and VLANs by default?
    • TODO Portfast for access ports? spanning-tree link-type ...
    • TODO Guards.
    • errdisable recovery interval 300
    • VRF (avoid DHCP relay on VyOS?)
    • Access lists for SSH etc.
    • Disable mgmt. LAN
    • URPF

Access Switch

Using an FS S3700-24T4F.

  1. Connect to the switch using serial.
    • Using RS-232 w/ RJ45, baud 115200, 8 data bits, no parity bits, 1 stop bit, no flow control.
    • Use Ctrl+H for backspace.
  2. Login with username admin and password admin.
  3. Enter privileged exec mode: enable
  4. (Optional) Show version: show version
    • See the note below on how to upgrade it.
  5. Enable password services:
    1. Enable prompting for password after command: service password-hidden
    2. Enable automatic hashing of passwords (using some weak alg.): service password-encryption
  6. Add user: username <username> password 0 <password>
  7. Disable admin user: no username admin
  8. (Optional) Setup authentication (defaults to local):
    1. Disable enable authn: aaa authentication enable default none
    2. Enable login authn using local users: aaa authentication login default local
  9. Disable HTTP server:
    1. no ip http server
    2. no ip http language
  10. Enable SSH and disable Telnet:
    1. Enable SSH server (enabled by default): ip sshd enable
    2. Set SSH version: ip sshd version 2
    3. Disable SSH RC4 cipher: ip sshd disable-rc4
    4. Save the current key pair to flash to avoid regenerating it: ip sshd save
    5. (Optional) Enable SFTP: ip sshd sftp
    6. Disable Telnet: no ip telnet enable
  11. Disable unused interfaces:
    1. Enter physical interface range (e.g. int range g0/25-28).
    2. Disable them: shutdown
  12. Setup physical interface (applies mostly to other interfaces too):
    1. Set description: description <description>
    2. Enable or disable: [no] shutdown
  13. Setup LAGs:
    1. Enter port agg. interface: interface port-aggregator <n>
    2. Set load balancing/hashing method: aggregator-group load-balance both-ip
    3. Change LACP timeout to fast (1s) or slow (30s): agg-period <seconds>
    4. Enter a physical interface range.
    5. Set agg. group and mode: aggregator-group <n> mode lacp
    6. Show LACP status: show aggregator-group brief
  14. Setup VLANs:
    1. Define VLAN: vlan <VID>
    2. Enter VLAN interface: interface VLAN<VID>
    3. TODO Member interfaces etc.
  15. Setup L3 interface:
    1. Enter the interface (physical, VLAN, etc.).
    2. Set the IPv4 address: ip address <address> <netmask>
    3. Set the IPv6 address: ipv6 address <address>/<prefix-length>
    4. (Optional) Explicitly enable IPv6 (not required if an address is specified): ipv6 enable
    5. Disable directed broadcasts: no ip directed-broadcast
    6. TODO Test IPv6.
  16. Disable default VLAN:
    1. Enter VLAN: int VLAN1
    2. Disable it: shutdown
    3. TODO Needs testing.
  17. Set hostname: TODO
  18. Set mgmt. addresses: TODO
  19. Set default and static routes: TODO
  20. Set DNS servers: TODO
  21. Set time and NTP servers: TODO
  22. (Optional) Add MOTD: greeting <text-line> (for each line, no quotes required)
  23. Enable LLDP: lldp run
  24. Enable SNMP:
    1. Enable RO for public community: snmp-server community 0 public ro
    2. TODO Filter slow OIDs.
  25. Setup STP (802.1w/RSTP): TODO
  26. Enable/disable flow control:
    1. Enter a physical interface range.
    2. (Optional) Enable auto mode: flow-control auto
    3. (Optional) Disable auto mode: flow-control off
  27. Enable storm control:
    1. Enter an interface range.
    2. Enable for broadcast: storm-control broadcast threshold <n> (units of 64 kb/s)
    3. Enable for unknown-destination unicast: storm-control unicast threshold <n> (units of 64 kb/s)
    4. (Optional) Enable for multicast: storm-control multicast threshold <n> (units of 64 kb/s)
    5. TODO Test.
  28. Enable port security:
    1. Enter an interface range.
    2. Enable dynamic mode: switchport port-security mode dynamic
    3. Set the maximum number of learned addresses: switchport port-security dynamic maximum <n> (e.g. 1)
    4. TODO Test timeout etc.
  29. Setup IGMP and MLD snooping: TODO
  30. Setup security mechanisms (DHCP snooping, IPSG, DAI, IPv6 stuff, etc.): TODO
  31. (Optional) Setup RADIUS: TODO
  32. (Optional) Setup TACACS+:
    1. Enable and set server: tacacs-server host <server> key 0 <key-or-prompt>
    2. Set login authn to use TACACS+ and fallback to local: aaa authentication login default group tacacs+ local
    3. TODO Set authz too?
    4. TODO Add accounting too?
    5. TODO Test.
  33. Set terminal idle timer:
    1. Enter console line: line console 0
    2. Set timeout: exec-timeout <seconds>
    3. Enter VTY lines: line vty 0 31
    4. Set timeout (again).
  34. Save the config: write all
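Both procedures above end with a long list of hardening steps that are easy to miss on one switch out of many, so it is worth checking a saved configuration against them rather than trusting memory. The following is an added example (not from the wiki or from FS): a Python script that runs the management-plane steps of the core-switch (S5860: steps 8 to 13 and 30) and access-switch (S3700: steps 5 to 10 and 24) procedures as regexes over a show running-config dump. The two dumps embedded below are constructed for the example, not captured from real switches, and the rule names are arbitrary. One assumption to keep in mind: the checks look for the explicit lines from the procedures, and a setting the switch treats as default may not be printed in running-config at all (the page notes SSH is enabled by default on the S3700); verify those with the matching show command instead.

```python
"""Offline check of a saved FSOS configuration against the baseline above.

Added example, not from the wiki or FS: applies the hardening steps of the
core (S5860) and access (S3700) procedures as regexes over a
"show running-config" dump. Both dumps below are constructed. The check
assumes the explicit lines appear in the dump; defaults the switch omits
from running-config must be verified with the matching "show" command.
"""
import re

# (rule, regex applied per line, True = line must be present, False = must be absent)
COMMON_RULES = [
    ("default admin user removed", r"^username admin\b", False),
    ("passwords encrypted", r"^service password-encryption$", True),
    ("login authn uses local users", r"^aaa authentication login default (\S+ )*local$", True),
    ("no public SNMP community", r"^snmp-server community (\d+ )?public\b", False),
    ("exec-timeout not disabled", r"^\s*exec-timeout 0(\s|$)", False),
]

PLATFORM_RULES = {
    "s5860": [  # core switch, step 13
        ("telnet server disabled", r"^no enable service telnet-server$", True),
        ("web server disabled", r"^no enable service web-server$", True),
        ("ssh server enabled", r"^enable service ssh-server$", True),
    ],
    "s3700": [  # access switch, steps 9 and 10
        ("telnet disabled", r"^no ip telnet enable$", True),
        ("http server disabled", r"^no ip http server$", True),
        ("ssh server enabled", r"^ip sshd enable$", True),
        ("ssh version 2 only", r"^ip sshd version 2$", True),
        ("ssh rc4 disabled", r"^ip sshd disable-rc4$", True),
    ],
}


def check_config(config_text, platform):
    """Map each rule name to True (compliant) or False (finding)."""
    lines = [line.rstrip() for line in config_text.splitlines()]
    results = {}
    for name, pattern, must_exist in COMMON_RULES + PLATFORM_RULES[platform]:
        matched = any(re.match(pattern, line) for line in lines)
        results[name] = matched if must_exist else not matched
    return results


def findings(config_text, platform):
    """Sorted list of failed rule names; empty means the dump meets the baseline."""
    return sorted(name for name, ok in check_config(config_text, platform).items() if not ok)


# Constructed sample: a core switch after the procedure above (not a real dump).
CORE_HARDENED = """\
hostname core1
service password-encryption
username ops privilege 15 password 0 REDACTED
aaa new-model
aaa authentication enable default none
aaa authentication login default local
no enable service web-server
no enable service telnet-server
enable service ssh-server
snmp-server community 0 monitoring-ro ro
line con 0
 login authentication default
 exec-timeout 10
line vty 0 35
 login authentication default
 exec-timeout 10
"""

# Constructed sample: an access switch where only some steps were applied.
ACCESS_PARTIAL = """\
hostname access1
service password-encryption
username admin password 0 admin
aaa authentication login default local
ip telnet enable
ip http server
ip sshd enable
ip sshd version 2
snmp-server community 0 public ro
line vty 0 31
 exec-timeout 0
"""

if __name__ == "__main__":
    for label, cfg, platform in [("core1", CORE_HARDENED, "s5860"),
                                 ("access1", ACCESS_PARTIAL, "s3700")]:
        result = findings(cfg, platform)
        print(label, "OK" if not result else result)
```

For the partially configured access switch the script reports the leftover admin user, Telnet and HTTP still enabled, the public SNMP community, RC4 still allowed and the disabled VTY timeout, which is exactly the list a reviewer would otherwise have to work through by hand. To use it on real devices, copy the startup config to a USB drive as described under Tasks below (or paste show running-config output into a file) and pass the file contents to findings with the matching platform key.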

Commands

Configuration Mode

Tasks

Reset the Configuration

  1. Check that the startup config config.txt actually exists: dir
  2. Delete startup config: delete config.txt
  3. Restart: reload

Mount a USB Drive

  1. Format the USB drive as FAT32.
  2. Physically mount it.
    • Something like USB-5-USB_DISK_FOUND and usb-5-usb_DISK_PARTITION_MOUNT should appear in the console.
  3. Wait for it to automount.
    • No explicit mounting and unmounting of the filesystem is required (as far as I know). Data is flushed after every write.
  4. (Optional) View file systems: show file systems
  5. Use it.
    • Use dir usb0: to view files.
    • Use copy flash:config.txt usb0: to copy the startup config to the drive.
  6. Physically unmount it.

Provision with ZTP

TODO

Upgrade Firmware

Via Web Panel

  1. Log into the Web panel.
  2. Go to “System Mgr.”, “System Software”.
  3. Select the software image (FS-something.bin) and check automatic reboot.
  4. Start the upgrade and do not leave the webpage until it tells you to.
  5. Verify.

Via CLI

  1. Put the image file on a TFTP server.
  2. Download it to the switch: copy tftp:<file> flash:<file> <host>
    • Make sure it has a descriptive name like S3700-24T4F_V63289.bin.
  3. Set to boot the new image (conf mode): boot system flash <file>
  4. Reboot: reboot
  5. Verify: show version

hon.one | HON95/wiki