53-1002434-01 January, 2012 ServerIron ADX Administration Guide Supporting Brocade ServerIron ADX version 12.4.
© 2012 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric OS, MLX, SAN Health, VCS, and VDX are registered trademarks, and AnyIO, Brocade One, CloudPlex, Effortless Networking, ICX, NET Health, OpenScript, and The Effortless Network are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned may be trademarks of their respective owners.
Contents (excerpt)
• About This Document: In this chapter, xiii; Audience, xiii; Supported hardware and software, xiii; Document conventions, xiii; Text formatting
• Configuring SSH, 6: Enabling or disabling SSH service, 6; Creating a seed for generating a random number, 6; Setting SSH authentication retries, 6; Setting the SSH key size, 7; Configuring SSH password authentication
• Configuring DNS, 32: Defining a domain name, 32; Defining DNS servers, 33; Configuring DNS Resolver, 33
• Configuring SNMP, 33: SNMP support
• Displaying system information, 54: Displaying and saving tech support information, 57; Displaying statistics, 61; Displaying port statistics, 63; Displaying STP statistics, 63; Displaying trunk group information
• Restricting remote access to management functions, 92: Using ACLs to restrict remote access, 93; Restricting remote access to the device to specific IP addresses, 95; Restricting remote access to the device to specific VLAN IDs, 96; Designated VLAN for Telnet management sessions to a Layer 2 Switch, 97; Disabling specific access methods
• Chapter 3, Role Based Management: Overview, 141; Command Line Interface, 143; Integrating RBM with RADIUS and TACACS+, 144; Configuring the ServerIron ADX for AAA authentication
• Viewing information about software licenses, 174: Viewing the License ID (LID), 174; Viewing the license database
About This Document

In this chapter
• Audience
• Supported hardware and software
• Document conventions
• Notice to the reader
• Related publications

Text formatting
• bold text: identifies command names, the names of user-manipulated GUI elements, keywords, and text to enter at the GUI or CLI.
• italic text: provides emphasis, identifies variables, and identifies document titles.
• code text: identifies CLI output.
For readability, command names in the narrative portions of this guide are presented in bold: for example, show version.

Notes, cautions, and danger notices
The following notices and statements are used in this manual.

Related publications
The following Brocade documents supplement the information in this guide:
• Release Notes for ServerIron Switch and Router Software TrafficWorks 12.3
• ServerIron ADX Graphical User Interface
Chapter 1: ServerIron System Management

Setting up local user accounts
For each user account, you specify the user name. You can also specify:
• A password
• The privilege level, which can be one of the following:
  • Full access (super-user). This is the default.
  • Port-configuration access
  • Read-only access
To configure user accounts, you must add a user account for super-user access before you can add accounts for other access levels.

Displaying user information
To display user information, enter the following command.

    ServerIronADX(config)# show users
    Username  Password                            Encrypt  Priv  Status   Expire Time
    =================================================================================
    admin     $1$T62..hu1$hmRolcV1Vwc.FCtXVD6h9/  enabled  0     enabled  Never

Configuring Telnet
The ServerIronADX supports up to five concurrent inbound Telnet and SSH sessions, one outbound Telnet session, and console access.

    ServerIronADX# show who
    Console connections:
      established
      you are connecting to this session
      1 seconds in idle
    Telnet connections (inbound):
      1 closed
      2 closed
      3 closed
      4 closed
      5 closed
    Telnet connection (outbound):
      6 closed
    SSH connections:
      1 closed
      2 closed
      3 closed
      4 closed
      5 closed

Enabling Telnet authentication
To use local access control or a RADIUS server to authenticate telnet access to the ServerIron ADX, enter the following command.
Restricting Telnet management access
You can restrict Telnet management access to the Brocade device to the host whose IP address you specify. No other device except the one with the specified IP address can access the Brocade device's CLI through Telnet. You can use the command up to ten times for up to ten IP addresses.

If you enable suppression of the connection rejection message, a denied Telnet client does not receive a message from the device. Instead, the denied client simply does not gain access. To suppress the connection rejection message sent by the device to a denied Telnet client, enter the following command.
Configuring SSH
The ServerIron ADX supports up to five concurrent inbound Telnet and SSH sessions, one outbound Telnet session, and console access. Write access through Telnet and SSH is limited to one session only.

NOTE
SSH public key authentication supports only DSA keys. RSA keys are not supported.

Enabling or disabling SSH service
The SSH service is not enabled by default. The SSH server starts once you configure a host DSA public and private key pair for SSH.

    ServerIronADX(config)# ip ssh authentication-retries 5

Syntax: [no] ip ssh authentication-retries
The parameter can be from 1 to 5. The default is 3.

Setting the SSH key size
The size of the host RSA key that resides in the system-config file is always 1024 bits and cannot be changed. To set the SSH key size, enter the following command.

    ServerIronADX(config)# ip ssh key-size 896

Syntax: [no] ip ssh key-size
The parameter can be from 512 – 896 bits.
The yes option enables SSH empty password login.

Changing the TCP port used for SSH
By default, SSH traffic occurs on TCP port 22. To change the TCP port used for SSH, enter the following command.

    ServerIronADX(config)# ip ssh port 2200

Syntax: [no] ip ssh port
The parameter specifies a valid TCP port number. Note that if you change the default SSH port number, you must configure SSH clients to connect to the new port.

Syntax: [no] ip ssh rsa-authentication yes | no
The yes option enables RSA challenge-response authentication.

Disabling or re-enabling Secure Copy
Secure Copy (SCP) is enabled by default. To disable SCP, enter the following command.

    ServerIronADX(config)# ip ssh scp disable

Syntax: [no] ip ssh scp disable | enable

NOTE
If you disable SSH, SCP is also disabled.

To copy the configuration file to a file called config1.cfg on the PCMCIA flash card in slot 2 on a Management IV module:

    C:\> scp c:\cfg\brocade.cfg terry@192.168.1.50:b:/config1.cfg

To copy the running-config file on a ServerIron ADX to a file called c:\cfg\brcdhprun.cfg on the SCP-enabled client:

    C:\> scp terry@192.168.1.50:runConfig c:\cfg\brcdhprun.cfg

To copy the startup-config file on a ServerIron ADX to a file called c:\cfg\brcdhpstart.cfg on the SCP-enabled client.

Managing System Functions

    ServerIronADX(config)# show ip ssh
    Connection  Version  Encryption  Username
    1           SSH-2    3des-cbc    admin

Syntax: show ip ssh

Displaying currently loaded public keys
To display the currently loaded public keys, enter the following command.
Verifying connectivity
The ping command verifies connectivity to a device. The command performs an ICMP echo test. An ICMP Request goes to the target host, and the host sends back an ICMP Reply packet. You can send a test packet to a host's IP address or host name. The ServerIronADX can ping using arbitrary source IP addresses (Src-IPs) belonging to the device. By default, the source IP is the management IP of the switch.

The characters in the ping output have the following meanings:
• . – Indicates that the network server timed out while waiting for a reply.
• U – Indicates that a destination unreachable error PDU was received.
• I – Indicates that the user interrupted ping.
If you address the ping to the IP broadcast address, the device lists the first four responses to the ping.

Tracing the IP path to a host
The traceroute command enables you to trace the IP path to a host.

Syntax: reload [after ] | [at ] | [cancel] [primary | secondary]
The after parameter reloads after the specified amount of time has passed. The at parameter reloads at exactly the specified time. The cancel option negates the scheduled reload. The primary | secondary option specifies whether the reload is to occur from the primary code flash module or the secondary code flash module. The default is primary.

NOTE
If a session times out, the device does not close the connection. Instead, the CLI changes to the User EXEC mode (for example: ServerIronADX>).

To time out idle serial management sessions, enter the following command.

    ServerIronADX(config)# console timeout 20

Syntax: [no] console timeout
The parameter specifies the number of minutes, from 0 – 240, that the serial CLI session can remain idle before it times out. The default is 0 (sessions never time out).
To disable password encryption, enter the following command.

    ServerIronADX(config)# no service password-encryption

Syntax: [no] service password-encryption

Understanding dynamic configuration
In most cases, dynamic configuration enables you to make configuration changes without rebooting the system. Most Layer 2 configuration changes are dynamic. All Layer 4-7 configuration changes are dynamic.

Configuring a message for display at the Privileged EXEC level
You can configure the ServerIron ADX to display a message when a user enters the Privileged EXEC CLI level. A delimiting character is established on the first line of the banner exec command. You begin and end the message with this delimiting character. It can be any character except " (double-quotation mark) and cannot appear in the banner text.

Syntax: [no] banner | [motd ]

NOTE
The banner command is equivalent to the banner motd command.

Configuring TFTP
All Brocade devices allow you to use Trivial File Transfer Protocol (TFTP) to copy files to and from the flash memory modules on the management module. You can use TFTP to perform the following operations:
• Upgrade boot or flash code.
Using the management port

[Figure: management module front panel, showing the Mgmt (management) port, Console, Aux1, Aux2, Pwr and Act LEDs, and the USB port]

The ServerIron ADX management port functions as described in the following:
• The management port supports IPv4 operations and ARP packets. It does not support IPv6 operations.
• The management port allows you to configure and manage the ServerIron ADX only. As a result, this port has the same limited functionality as an IP host port.

Syntax: enable | disable

Configuring an IP address on a management port
The management port can be configured with a distinct IP address that is different from any other IP address configured on the ServerIron ADX. This is true whether you are running switch or router code. You can configure an IP address for the management port as shown in the following.

In addition, the management port should not be connected to the same VLAN as the data ports of the ADX.

Configuring an IP route over the management port
You can configure up to 32 static routes over the management port. On switch code, to configure an IP static route on the management port with a destination address of 192.0.0.0 255.0.0.0 and a next-hop router IP address of 195.1.1.1, enter the following commands.

The show ip mgmt-route command is shown in the following; the other commands are described in the ServerIron ADX Switch and Router Guide.

Displaying management port route information
On switch code you can display management port route information as shown in the following.
Using the USB port and USB flash drive

Creating directories on USB drives

Using the mkdir and md commands
You can create up to two directory levels on an internal USB drive (usb0) or a USB drive attached to the external USB port (usb1), and can copy files to or remove files from these directories. As an example, a first-level directory structure on usb0 would be usb0/dir1. An example of a second-level directory structure would be usb1/dir1/dir2.

• Use the following command to remove the first-level directory dirA from the USB drive connected to the external USB port (usb1).

    ServerIronADX# rd usb1/dirA

Syntax: rmdir
or
Syntax: rd
The rmdir or rd command removes a directory. The parameter specifies the internal USB drive (usb0) or the external USB port (usb1) on the ServerIron ADX connected to a USB drive, and the full path of the directory.

    copy flash usb1 primary /abc/dir1/my_file

Syntax: copy flash primary|secondary
The copy command copies the specified file. Flash specifies that the file resides in ServerIron ADX code flash. The variable specifies the USB drive that the file will be copied to. The value can be either usb0 (the internal USB drive) or usb1 (a USB drive attached to the USB port on the ServerIron ADX).

• Use the following command to copy the file named "filexxx.bin" on the root level of the internal USB drive (usb0) to a file of the same name in the first-level directory "dir1" of a USB drive attached to the external USB port (usb1) on a ServerIron ADX switch.

    ServerIronADX# copy usb0 usb1 filexxx.bin /dir1/filexxx.bin

• Use the following command to copy the file named "filexxx.

Syntax: copy flash tftp primary|secondary
The copy command copies the specified file. Flash specifies that the file resides on ServerIron ADX code flash. tftp specifies that the file resides on the tftp server. The parameter is the IP address of the tftp server. Note that this can be an IPv6 address (X:X::X:X). The parameter specifies the destination file name.

The variable specifies the USB drive that the file will be copied from. The value can be either usb0 (the internal USB drive) or usb1 (a USB drive attached to the USB port on the ServerIron ADX). tftp specifies that the file resides on a tftp server. The variable specifies the full directory path and name of the file that you want to copy to the USB drive. The parameter is the IP address of the tftp server.

    ServerIronADX# rename usb0/dir1/filexxx.bin fileyyy.bin

• Use the following command to rename the file "asm12000.bin" in the root level of a USB drive attached to the external USB port (usb1) of the ServerIron ADX to "asm12000b.bin".

    ServerIronADX# rename usb1/asm12000.bin asm12000b.bin

• Use the following command to rename the file "file_abc.

Testing USB drives
You can test either the internal USB drive (usb0) or a USB drive attached to the external USB port (usb1). The following example tests a USB drive attached to the USB port of the ServerIron ADX.

    ServerIronADX# usb test 1

Syntax: usb test 0 | 1
The 0 parameter directs the ServerIron ADX to test the internal USB drive. The 1 parameter directs the ServerIron ADX to test an externally connected USB drive.
Configuring SNTP

Configuring an SNTP server location
You can define the SNTP server's location and specify an IP address or hostname. You can configure up to three SNTP servers by entering three separate sntp server commands. To configure an SNTP server location, enter a command such as the following.

    ServerIronADX(config)# sntp server 1.1.1.1

Syntax: [no] sntp server | []
The parameter specifies the SNTP version the server is running and can be from 1 – 4.

    This field...     Indicates...
    unsynchronized    System is not synchronized to an NTP peer.
    synchronized      System is synchronized to an NTP peer.

Configuring DNS
To define a domain name, enter a command such as the following.

    ServerIronADX(config)# ip dns domain-name brocade.com

Syntax: [no] ip dns domain-name

Defining DNS servers
You can define up to four DNS servers for each DNS entry. The first entry serves as the primary default address (207.95.6.199). If a query to the primary address fails to be resolved after three attempts, the next gateway address will be queried three times as well.
Configuring SNMP

Partial trap list:
• SNMP Authentication – Indicates a failed attempt to access the device through SNMP using an invalid SNMP community string.
• Power Supply – Indicates a power supply failure.
• Fan – Indicates a fan failure.
• Cold Start – Indicates a restart from a powered down state.
• Link Up – Indicates that a port link has come up.
• Link Down – Indicates that a port link has gone down.
• Bridge New Root – Indicates a spanning-tree change.

This trap is generated when the number of source MAC addresses received from a port is greater than the maximum number of MAC addresses configured for that port. It displays the following trap message.

    Locked address violation at , address

In addition, the following standard traps now display the port name and port number in the trap message when generated by the ServerIron ADX.

To restrict SNMP access (which includes IronView) to the Brocade device to the host with IP address 209.157.22.26, enter the following command.

    ServerIronADX(config)# snmp-client 209.157.22.26

Syntax: [no] snmp-client
You can use the command up to ten times for up to ten IP addresses.

Assigning an SNMP community string
You can assign an SNMP community string for the system.

    ServerIronADX(config)# no snmp-server enable traps link-down

Syntax: [no] snmp-server enable traps

Allowing SNMP access only to clients in a VLAN
You can allow SNMP access only to clients in a specific VLAN. The following example configures the device to allow SNMP access only to clients connected to ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access.

    ServerIronADX(config)# snmp-server trap-source ethernet 4

Syntax: [no] snmp-server trap-source ethernet | ve
The ethernet parameter specifies a physical port on the device. Alternatively, you can specify a virtual interface using the ve parameter, where the value is the number of a virtual interface configured on the device. It uses the lowest-numbered address on the interface.
Configuring access control
This section contains information on configuring Access Control.

Enabling configuration of RADIUS
To enable users of IronView or other SNMP management applications to configure RADIUS authentication parameters on the ServerIron ADX, enter the following command.

Enhancing access privileges
You can augment the default access privileges for an access level. When you configure a user account, you can give the account one of three privilege levels: full access, port-configuration access, and read-only access. Each privilege level provides access to specific areas of the CLI by default:
• Full access provides access to all commands and displays.

TACACS and TACACS+
You can secure CLI access to the switch or router by configuring the device to consult a Terminal Access Controller Access Control System (TACACS) or TACACS+ server to authenticate user names and passwords.

NOTE
TACACS or TACACS+ authentication is not supported for Web management or IronView access.

ATTENTION
If you have previously configured the device to perform command authorization using a RADIUS server, entering enable aaa console may prevent the execution of any subsequent commands entered on the console. This happens because RADIUS command authorization requires a list of allowable commands from the RADIUS server. This list is obtained during RADIUS authentication.

Syntax: [no] radius-server host | [auth-port ] [acct-port ]
Syntax: [no] radius-server [key ] [timeout ] [retransmit ] [dead-time ]
The | parameter specifies either an IP address or an ASCII text string. The optional parameter specifies the authentication port number. The default is 1645. The optional parameter specifies the accounting port number.
    ServerIronADX1/1# show feature
    l7 switching     : OFF
    sFlow            : OFF
    NAT              : ON
    TCS/FW           : OFF
    ACL              : OFF
    inbound ACL      : OFF
    GSLB controller  : ON
    SYN proxy        : ON
    SYN defence      : OFF
    SLB only         : OFF

Syntax: show feature

Power budgeting on the ServerIron ADX
The following power budget is available on the ServerIron ADX models:
• ServerIron ADX 1000 – A maximum of 2 power supplies are available. Each power supply is rated at 504 W.

Configuring the cooling system
1. The power required to operate the Management module (or modules, if a standby Management module is installed) and the fans (at 100% RPM) is deducted from the available power budget.

NOTE
The power budget is calculated based on the number of power supplies that are operating in the system, and the power consumption of each system component is calculated using the values described in Table 1.

2.

TABLE 2 Default low and high temperature thresholds for modules and fan speeds (Continued)

    Module                 Fan Speed     Low Temperature Threshold  High Temperature Threshold
    Interface modules      High          57 C                       75 C
                           Medium-high   47 C                       60 C
                           Medium        0 C                        50 C
                           Low           –1                         37 C
    Switch fabric module   High          57 C                       75 C
                           Medium-high   47 C                       60 C
                           Medium        0 C                        50 C
                           Low           –1                         37 C
    ASM module             High          70 C                       95 C
                           Medium-high   62 C                       80 C
                           Medium        0 C                        70 C
                           Low           –1                         60 C
    ServerIron
Configuring a redundant management module
You can install a redundant management module in a ServerIron ADX chassis. By default, the system considers the module in the lower slot number to be the active management module and the other module to be the redundant, or standby, module.

High availability configurations

    ServerIronADX# sync-standby ssl-key-cert

Syntax: sync-standby { code | config | ssl-key-cert}

NOTE
The sync-standby boot command was deprecated in release 12.2.0 and is no longer available.

NOTE
The sync-standby command applies only to a ServerIron ADX with redundant management modules. BP boot and flash code must be synchronized manually. We recommend re-downloading over TFTP to simultaneously update the BP boot and flash images on both modules.

In Figure 3, the commands you enter on ServerIron ADX A while that device is at the configure sync-terminal level are duplicated on ServerIron ADX B.

[FIGURE 4: ServerIron ADXs with connection to each other. ServerIron A, IP 192.168.1.1; ServerIron B, IP 192.168.1.2; ports 2/1 and 1/1; MAC address 00e0.5201.]

    ServerIronADXA# configure terminal
    ServerIronADXA(config)# config-sync eth 2 mac 00e0.5201.0c72
    ServerIronADXA(config)# write mem
    ServerIronADXA(config)# exit
    ServerIronADXA# configure sync-terminal
    ServerIronADXA#(config-sync)# server virtual v1 10.10.1.

The config-sync receiver command enables the destination ServerIron ADX to receive configuration commands from the source ServerIron ADX. You can configure this command to allow the destination ServerIron ADX to receive configuration commands only on a specified port, MAC address, or VLAN ID.

    ServerIronADXA# configure sync-terminal
    ServerIronADXA#(config-sync)# server virtual v1 10.10.1.1
    ServerIronADXA(config-sync-vs-v1)# port http
    ServerIronADXA(config-sync-vs-v1)# exit
    ServerIronADXA(config-sync)# write mem
    ServerIronADXA(config-sync)# exit

Syntax: configure sync-terminal
Once you enter the configure sync-terminal level, commands entered on ServerIron ADX A are duplicated on ServerIron ADX B.

Synchronizing sections of a ServerIron ADX's configuration is useful if you want to synchronize only a portion of the ServerIron ADX's configuration to a peer, or if you want the synchronization to occur manually instead of automatically. The following sections of the ServerIron ADX's configuration can be synchronized individually.

Synchronizing real server configuration
To synchronize the ServerIron ADX's real server configuration, enter the following commands.

    ServerIronADXA# configure terminal
    ServerIronADXA(config)# config-sync port-profile all
    This may remove some configuration on the peer box. Are you sure? (enter 'y' or 'n'): y

Syntax: config-sync port-profile |all
The config-sync port-profile command synchronizes the device's port profile configuration with the peer. The command first removes the existing port profiles on the peer before applying the new configuration.
Displaying system information

    ServerIronADX# show version
    Copyright (c) 1996-2009 Brocade Communications Systems, Inc.
    Boot Version 02.00.09 Apr 27 2009 17:13:05 PDT label: dobv2
    Monitor Version 02.00.09 Apr 27 2009 17:13:05 PDT label: dobv2
    System Version 12.00.00 May 1 2009 13:01:28 PDT label: ASM12000dev
    AXP Version: 0.00 Dated: 2009/03/31 11:53:57
    PAX Version: 0.

Displaying chassis information
To display chassis information, enter the following command.

    ServerIronADX8000# show chassis
    Boot Prom MAC: 001b.ed06.

Displaying and saving tech support information
Commands are provided on the ServerIron ADX that help you display and save information that can help Brocade Technical Support troubleshoot your system. These commands are described in the following sections.

Displaying tech support information
To display technical support information, use the following command.

    !
    route-map blockuser permit 10
     match tag 50
     set ip next-hop 192.168.0.

    The system uptime is 15 days 1 hours 34 minutes 17 seconds
    The system started at 15:38:46, GMT+10 Daylight Time, Mon Aug 29 2011
    The system - boot source: secondary, mode: cold start, soft reset, total resets:0

    Port  Link  State  Dupl  Speed  Trunk  Tag  Priori  MAC             Name
    1     Down  None   None  None   1      No   level0  001b.ed06.0300  marsha markey
    2     Down  None   None  None   1      No   level0  001b.ed06.0300
    3     Down  None   None  None   1      No   level0  001b.ed06.0300
    4     Down  None   None  None   1      No   level0  001b.ed06.

    Static Log Buffer:
    Aug 29 15:39:24:A:Power supply 1, 1st from left, (NOT PRESENT)
    Aug 29 15:46:07:A:BP1&2 Temperature 82 C degrees is normal

    Dynamic Log Buffer (50 lines):
    Sep 13 17:09:42:W:NTP server 208.99.8.95
    Sep 13 16:54:42:W:NTP server 208.99.8.95
    Sep 13 16:39:42:W:NTP server 208.99.8.95
    Sep 13 16:24:42:W:NTP server 208.99.8.95
    Sep 13 16:09:42:W:NTP server 208.99.8.95
    Sep 13 15:54:42:W:NTP server 208.99.8.95
    Sep 13 15:39:42:W:NTP server 208.99.8.

Saving tech support information to a file
You can save detailed technical information to a file on the internal USB drive of the ServerIron ADX, for assistance in troubleshooting issues when working with technical support.

    ServerIronADX1000# save tech-support text test1
    Msg: tech-support info to be saved in test1
    Retrieving save tech infomation, please wait...
    checking bp dumps on usb0
    start to write file to flash..............Done saving tech-support info to file.

    ServerIronADX# show statistics brief
    Buffer Manager Queue [Pkt Receive  Pkt Transmit]
                                    0             0

    Ethernet Port  Packets [Receive  Transmit]  Collisions [Recv  Txmit]  Errors [InErr  OutErr]
    1                         0         0                   0      0                0       0
    2                         0         0                   0      0                0       0
    3                         0         0                   0      0                0       0
    4                         0         0                   0      0                0       0
    5                         0         0                   0      0                0       0
    6                         0         0                   0      0                0       0
    7                         0         0                   0      0                0       0
    8                         0         0                   0      0                0       0
    9                         0         0                   0      0                0       0
    10                   615934   4033121                   0      0                0       0
    11                        0         0                   0      0                0       0
    12                        0         0                   0      0                0       0
    13                        0         0                   0      0                0       0
    14                        0         0                   0      0                0       0
    15                        0         0                   0      0                0       0
    16                        0         0                   0      0                0       0
    17                        0         0                   0      0                0       0
    ServerIronADX#

Syntax: show statistics eth
Displaying system information 1 Displaying port statistics Port statistics are polled by default every 10 seconds. You can view statistics for ports by entering the following show commands: • show interfaces • show configuration Displaying STP statistics You can view a summary of STP statistics on the ServerIron ADX. STP statistics are by default polled every 10 seconds. To view spanning tree statistics, enter the show span command. To view STP statistics for a VLAN, enter the span vlan command.
1 Using Syslog ServerIronADX# clear statistics ? dos-attack Clear DOS-attack statistics ethernet Ethernet port pos POS port rate-counters slot Module slot Syntax: clear statistics [] Clearing all sessions In rare instances, it may be necessary to delete all the sessions on the ServerIron ADX at once. You can delete all regular (non-static) sessions on the ServerIron ADX, by entering the following command (Use this command with caution).
Using Syslog 1 The device writes the messages to a local buffer that can hold up to 100 messages. You also can specify the IP address or host name of up to six syslog servers. When you specify a syslog server, the Brocade device writes the messages both to the system log and to the syslog server. Using a syslog server ensures that the messages remain available even after a system reload.
• kern – kernel messages
• user – random user-level messages (default)
• mail – mail system
• daemon – system daemons
• auth – security or authorization messages
• syslog – messages generated internally by Syslog
• lpr – line printer subsystem
• news – netnews subsystem
• uucp – uucp subsystem
• sys9 – cron or at subsystem
• sys10 – reserved for system use
• sys11 – reserved for system use
• sys12 – reserved for system use
• sys13 – reserved for system use
• sys14 – reser
This example shows log entries for authentication failures. If someone enters an invalid community string when attempting to access the SNMP server on the Brocade device, the device generates a trap in the device's Syslog buffer. (If you have configured the device to use a third-party Syslog server, the device also sends a log entry to the server.)

Syntax: show logging

Here is an example of a log that contains SNMP authentication traps.
ServerIronADX(config)# show log
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 38 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error I=informational N=notification W=warning
Log Buffer (50 entries):
21d07h02m40s:warning:list 101 denied tcp 209.157.22.191(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 2 packets
00d07h03m30s:warning:list 101 denied tcp 209.157.22.26(0)(Ethernet 4/18 0010.5a1f.
ServerIronADX(config)# show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 12 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error I=informational N=notification W=warning
Log Buffer (50 entries):
Oct 15 18:01:11:info:dg logout from USER EXEC mode
Oct 15 17:59:22:info:dg logout from PRIVILEDGE EXEC mode
Oct 15 17:38:07:info:dg login to PRIVILEDGE EXEC mode
Oct 15 17:38:03:info:dg login to USER EXEC mode
TABLE 4 Brocade Syslog messages

Message Level | Message Format | Explanation

Alert | Power supply , , failed | A power supply has failed. The is the power supply number. The describes where the failed power supply is in the chassis.

Alert | Management module at slot state changed from to . | Indicates a state change in a management module. The indicates the chassis slot containing the module.

Warning | Dup IP detected, sent from MAC interface | Indicates that the Brocade device received a packet from another device on the network with an IP address that is also configured on the Brocade device. The is the duplicate IP address. The is the MAC address of the device with the duplicate IP address.

Warning | firewall path up target nexthop path port | Indicates that a firewall path has come up (and is therefore good). The is the IP interface at the remote end of the path. The is the IP interface of the next hop in the path. The is the ID you assigned to the path when you configured it.

Warning | HTTP match-list with compound pattern1 and pattern2 Alert: bring server up and Extract message: | Indicates that an HTTP content verification health check has matched a set of selection criteria specified in an up compound statement.

Notification | L4 server is up | Indicates that a real server or cache server has come up. The is the server's IP address. The is the name of the server.

Notification | L4 server is down due to | Indicates that a real server or cache server has gone down. The is the server's IP address. The is the name of the server.

Notification | L4 gslb connection to site ServerIronADX is down | The GSLB protocol connection from this GSLB ServerIron ADX to a remote site ServerIron ADX went down. The first the site name. The and are the site ServerIron ADX's management IP address and name.

Informational | SNMP Auth. failure, intruder IP: | A user has tried to open a management session with the device using an invalid SNMP community string. The is the IP address of the host that sent the invalid community string.

Informational | Interface , state up | A port has come up. The is the port number.
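A small parser for the Syslog buffer formats shown in the show logging examples and in Table 4 (ACL deny entries, EXEC login/logout entries and the SNMP authentication failure message), written as an added example for this guide rather than Brocade's own code. The sample buffer below, and every address, user name and count in it, is constructed for the example; a burst of SNMP authentication failures from one source is the pattern an operator reviewing the buffer would want flagged.

```python
import re
from collections import Counter

# Constructed sample of a ServerIron ADX Syslog buffer in the "show logging"
# format (<timestamp>:<level>:<message>).  The entries are modelled on the
# examples and message formats in this guide; hosts, users and addresses
# are made up for the example.
SAMPLE_LOG = """\
21d07h02m40s:warning:list 101 denied tcp 209.157.22.191(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 2 packets
00d07h03m30s:warning:list 101 denied tcp 209.157.22.26(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 1 packets
Oct 15 17:38:03:info:dg login to USER EXEC mode
Oct 15 17:38:07:info:dg login to PRIVILEDGE EXEC mode
Oct 15 17:59:22:info:dg logout from PRIVILEDGE EXEC mode
Oct 15 18:01:11:info:SNMP Auth. failure, intruder IP: 192.0.2.77
Oct 15 18:01:12:info:SNMP Auth. failure, intruder IP: 192.0.2.77
Oct 15 18:01:14:info:SNMP Auth. failure, intruder IP: 192.0.2.77
"""

# Entry prefix: an uptime stamp (21d07h02m40s) or a clock stamp (Oct 15 18:01:11),
# then the level word, then the message body.
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{2}d\d{2}h\d{2}m\d{2}s|[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})"
    r":(?P<level>[a-z]+):(?P<msg>.+)$"
)

# Message bodies this example understands.
ACL_DENY_RE = re.compile(
    r"^list (?P<acl>\d+) denied (?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r"\((?P<ingress>[^)]*)\) -> (?P<dst>[\d.]+)\((?P<dport>\w+)\), (?P<pkts>\d+) packets$"
)
SNMP_FAIL_RE = re.compile(r"^SNMP Auth\. failure, intruder IP: (?P<ip>[\d.]+)$")
EXEC_RE = re.compile(r"^(?P<user>\S+) (?P<action>login to|logout from) (?P<mode>.+?) EXEC mode$")


def parse_entry(line):
    """Parse one buffer line into a dict, or return None for lines that are
    not log entries (the 'Syslog logging: ...' header lines, for instance)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = {"ts": m.group("ts"), "level": m.group("level"),
             "msg": m.group("msg"), "kind": "other"}
    msg = entry["msg"]
    deny = ACL_DENY_RE.match(msg)
    snmp = SNMP_FAIL_RE.match(msg)
    exec_ = EXEC_RE.match(msg)
    if deny:
        entry.update(kind="acl_deny", **deny.groupdict())
        entry["pkts"] = int(entry["pkts"])
    elif snmp:
        entry.update(kind="snmp_auth_failure", ip=snmp.group("ip"))
    elif exec_:
        entry.update(kind="exec", **exec_.groupdict())
    return entry


def parse_log(text):
    """Parse a whole 'show logging' capture, skipping non-entry lines."""
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def summarize(entries):
    """Roll parsed entries up into what an operator reviews: denied packets per
    (ACL, source), SNMP community failures per source IP, and which users
    reached Privileged EXEC mode."""
    denied = Counter()
    snmp_fail = Counter()
    priv_logins = []
    for e in entries:
        if e["kind"] == "acl_deny":
            denied[(e["acl"], e["src"])] += e["pkts"]
        elif e["kind"] == "snmp_auth_failure":
            snmp_fail[e["ip"]] += 1
        elif (e["kind"] == "exec" and e["action"] == "login to"
              and e["mode"].startswith("PRIV")):
            priv_logins.append(e["user"])
    return {"acl_denied_packets": denied,
            "snmp_auth_failures": snmp_fail,
            "privileged_logins": priv_logins}


def repeated_snmp_auth_failures(entries, threshold=3):
    """Source IPs that sent at least `threshold` invalid community strings.
    The device logs each invalid request separately, so repeated failures
    from one IP stand out as a cluster in the buffer."""
    counts = summarize(entries)["snmp_auth_failures"]
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(summarize(parsed))
    print("repeated SNMP auth failures:", repeated_snmp_auth_failures(parsed))
```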
Event logging

The Event Logging feature of the ServerIron ADX captures all of the activity on the MP and BP consoles and saves it in a file named "eventlog.txt", which is stored on the internal USB drive.
Displaying event log status

You can display the current status of the event log as shown in the following.

ServerIronADX# show eventlog
Event Log is enabled
Event Log MAX specified size is 256 MB
Event Log Size is - .2fMB

Syntax: show eventlog

The contents of the display are defined in the following table.

TABLE 5 Display from show eventlog command

This field... | Displays...
Enabled | Displays if eventlog is currently enabled.
Each list displays the uplink port and the percentage of that port's bandwidth that was utilized by the downlink ports over the most recent 30-second interval. You can configure up to four bandwidth utilization lists. To configure a link utilization list with port 1 as the uplink port and ports 2 and 3 as the downlink ports, enter a command such as the following.
Activating or deactivating daylight savings time

To automatically activate and deactivate daylight savings time for the relevant time zones, enter the following command.

ServerIronADX(config)# clock summer-time

Syntax: [no] clock summer-time

Setting the time zone

To define the time zone of the clock, enter a command such as the following.
Syntax: show clock

showing with RTC... 08:23:42, GMT+00, Mon Sep 12 2011

For more information, refer to the marketing advisory.

Changing the shutdown temperature

You can change the shutdown temperature of a module containing a temperature sensor. If the temperature matches or exceeds the shutdown temperature, the software sends a Syslog message to the Syslog buffer and also to the Syslog server if configured.
Syntax: temperature warning lc

The parameter can be 0 – 65. The default is 65.

NOTE
The lc option is required only for chassis models such as the ADX4000, ADX10000, and so on.

NOTE
If you change the temperature, you must execute "write memory" to save the changed temperature.
To increase the delay between packets by 3.2 microseconds, enter commands such as the following.

ServerIronADX(config)# int e 4
ServerIronADX(config-if-4)# ipg10 4

Syntax: [no] ipg10

The parameter is 0 – 100 bytes. By default, the delay between packets will be 12 bytes (9.6 microseconds, ipg10 0).
Assigning a port name

To assign a name to an interface, which provides additional identification for a segment on the network, enter commands such as the following.

ServerIronADX(config)# interface e 1
ServerIronADX(config-if-1)# port-name marketing-funk

Syntax: [no] port-name

Modifying port speed and duplex mode

You can modify the port speed and duplex mode for 10BaseT and 100BaseTx ports.
Displaying port mirroring and monitoring information

The mirror port feature lets you connect a protocol analyzer to a port on a Brocade device to observe the traffic flowing into and out of another port on the same device. To use this feature, you specify the port you want to monitor and the port into which you are plugging the protocol analyzer.

NOTE
ServerIron supports more than one active mirror port at a time. By default, no mirror port is assigned.
Setting the negotiation mode

You can change the default negotiation mode for Gigabit ports on Chassis devices by using the gig-default command. It enables 802.3z negotiation for gigabit over optical fiber. Both sides of the circuit need to be configured with this feature. If you enter auto-gig, then gig-default auto-gig is added to the running config.

NOTE
802.3x is flow control over full duplex regardless of speed. Half-duplex flow control uses backpressure.
You can configure the device to forward Layer 2 and Layer 3 pass-through traffic to the CPU for processing, instead of processing it in hardware. To do this, enter the following command.

ServerIronADX(config)# server cpu-forward

Syntax: [no] server cpu-forward

Hardware forwarding for non L4-7 traffic flows

The ServerIron ADX supports hardware forwarding of pass-through traffic in SLB and TCS modes.
ServerIronADX(config)# wsm wsm-map slot 3 wsm-slot 2 wsm-cpu 1

This command remaps processing for the forwarding module in slot 3 to BP 1 on the Application Switching Module in slot 2.

Syntax: [no] wsm wsm-map wsm-slot wsm-cpu

The parameter specifies the slot that contains the forwarding module. The parameter specifies the slot that contains the Application Switching Module.
Chapter 2 Secure Access Management

Securing access methods

The following table lists the management access methods available on a ServerIron, how they are secured by default, and the ways in which they can be secured.
TABLE 6 Ways to secure management access to ServerIrons (Continued)

Access method | How the access method is secured by default | Ways to secure the access method | See page

Web management access | IPv4 and IPv6 addresses; SNMP read or read-write community strings | Regulate Web management access using ACLs | page 94
| | Allow Web management access only from specific IP addresses | page 95
| | Allow Web management access only to clients connected to a specific VLAN |
Using ACLs to restrict remote access

You can use standard ACLs to control the following access methods to management functions on a ServerIron:
• Telnet access
• SSH access
• Web management access
• SNMP access

To configure access control for these management access methods:
1. Configure an ACL with the IP addresses you want to allow to access the device.
2.
ServerIronADX(config)# access-list 12 deny host 209.157.22.98 log
ServerIronADX(config)# access-list 12 deny 209.157.23.0 0.0.0.255 log
ServerIronADX(config)# access-list 12 deny 209.157.24.0/24 log
ServerIronADX(config)# access-list 12 permit any
ServerIronADX(config)# ssh access-group 12
ServerIronADX(config)# write memory

Syntax: ssh access-group

The parameter specifies the number of a standard ACL and must be from 1 – 99.
Syntax: snmp-server community ro | rw

The parameter specifies the SNMP community string the user must enter to gain SNMP access. The ro parameter indicates that the community string is for read-only ("get") access. The rw parameter indicates the community string is for read-write ("set") access. The parameter specifies the number of a standard ACL and must be from 1 – 99.
Restricting SNMP access to a specific IP address

To allow SNMP access (which includes IronView) to the ServerIron only to the host with IP address 209.157.22.14, enter the following command.

ServerIronADX(config)# snmp-client 209.157.22.14

Syntax: [no] snmp-client

Restricting all remote management access to a specific IP address

To allow Telnet, Web, and SNMP management access to the ServerIron only to the host with IP address 209.157.22.
Restricting Web management access to a specific VLAN

To allow Web management access only to clients in a specific VLAN, enter a command such as the following.

ServerIronADX(config)# web-management enable vlan 10

The command in this example configures the device to allow Web management access only to clients connected to ports within port-based VLAN 10. Clients connected to ports that are not in VLAN 10 are denied management access.
If more than one gateway has the lowest metric, the software uses the gateway that appears first in the running-config.

NOTE
If you have already configured a default gateway globally and you do not configure a gateway in the VLAN, the software uses the globally configured gateway and gives the gateway a metric value of 1.

To configure a designated management VLAN, enter commands such as the following.
Disabling Web management access

If you want to prevent access to the device through the Web Management Interface, you can disable the Web Management Interface.

NOTE
As soon as you make this change, the device stops responding to Web management sessions. If you make this change using your Web browser, your browser can contact the device, but the device will not reply once the change takes place.

To disable the Web Management Interface, enter the following command.
Setting a Telnet password

By default, the device does not require a user name or password when you log in to the CLI using Telnet. To set the password "letmein" for Telnet access to the CLI, enter the following command at the global CONFIG level.

ServerIronADX(config)# enable telnet password letmein

Syntax: [no] enable telnet password

NOTE
Any user who knows the Telnet password can log in. No per-user validation occurs here; the password is shared, not tied to a user account.
To set passwords for management privilege levels:

1. At the opening CLI prompt, enter the following command to change to the Privileged level of the EXEC mode.

ServerIronADX> enable
ServerIronADX#

2. Access the CONFIG level of the CLI by entering the following command.

ServerIronADX# configure terminal
ServerIronADX(config)#

3. Enter the following command to set the Super User level password.
In this command, configure specifies that the enhanced access is for a command at the global CONFIG level of the CLI. The level 4 parameter indicates that the enhanced access is for management privilege level 4 (Port Configuration). All users with Port Configuration privileges will have the enhanced access. The ip parameter indicates that the enhanced access is for the IP commands.
NOTE
You cannot abbreviate this command. This command causes the device to ignore the saved config.

5. Enter boot system flash primary at the prompt.
6. After the login prompt appears, use user name admin and password brocade to gain access to the Exec Mode.
7. Enter enable to gain access to the privileged mode.
8.
Disabling password encryption

When you configure a password, then save the configuration to the ServerIron's flash memory, the password is also saved to flash as part of the configuration file. By default, the passwords are encrypted so that the passwords cannot be observed by another user who displays the configuration file. Even if someone observes the file while it is being transmitted over TFTP, the password is encrypted.
• A management privilege level, which can be one of the following:
  • Super User level – Allows complete read-and-write access to the system. This is generally for system administrators and is the only privilege level that allows you to configure passwords. This is the default.
  • Port Configuration level – Allows read-and-write access for specific ports but not for global (system-wide) parameters.
To display user account information, enter the following command.

ServerIronADX(config)# show users
Username   Password                    Encrypt   Priv   Status   Expire Time
===================================================================================
admin      $1$T62..hu1$hmRolcV1Vwc.
TACACS or TACACS+ authentication, authorization, and accounting

When you configure a ServerIron to use a TACACS or TACACS+ server for authentication, the device prompts users who are trying to access the CLI for a user name and password, then verifies the password with the TACACS or TACACS+ server.
9. If the password is valid, the user is authenticated.

TACACS+ authorization

ServerIrons support two kinds of TACACS+ authorization:
• Exec authorization determines a user's privilege level when they are authenticated
• Command authorization consults a TACACS+ server to get authorization for commands entered by the user

When TACACS+ exec authorization takes place, the following events occur.
1.
AAA operations for TACACS or TACACS+

The following table lists the sequence of authentication, authorization, and accounting operations that take place when a user gains access to a ServerIron that has TACACS or TACACS+ security configured.
User action | Applicable AAA operations
User enters other commands | Command authorization (TACACS+): aaa authorization commands default
| Command accounting (TACACS+): aaa accounting commands default start-stop

AAA security for commands pasted into the running-config

If AAA security is enabled on the device, commands pasted into the running-config are subject to the same AAA operations as if they were e
1. Identify TACACS+ servers. Refer to "Identifying the TACACS or TACACS+ servers" on page 111.
2. Set optional parameters. Refer to "Setting optional TACACS or TACACS+ parameters" on page 112.
3. Configure authentication-method lists. Refer to "Configuring authentication-method lists for TACACS or TACACS+" on page 114.
4. Optionally configure TACACS+ authorization. Refer to "Configuring TACACS+ authorization" on page 116.
5. Optionally configure TACACS+ accounting.
Specifying different servers for individual AAA functions

In a TACACS+ configuration, you can designate a server to handle a specific AAA task. For example, you can designate one TACACS+ server to handle authorization and another TACACS+ server to handle accounting. You can set the TACACS+ key for each server. To specify different TACACS+ servers for authentication, authorization, and accounting, enter commands such as the following.
ServerIronADX(config)# tacacs-server key rkwong

Syntax: tacacs-server key [0 | 1]

The key parameter in the tacacs-server command is used to encrypt TACACS+ packets before they are sent over the network. The value for the key parameter on the ServerIron should match the one configured on the TACACS+ server. The key can be from 1 – 32 characters in length and cannot include any space characters.
Configuring authentication-method lists for TACACS or TACACS+

You can use TACACS or TACACS+ to authenticate Telnet or SSH access and access to the Privileged EXEC level and CONFIG levels of the CLI. When configuring TACACS or TACACS+ authentication, you create authentication-method lists specifically for these access methods, specifying TACACS or TACACS+ as the primary authentication method.
TABLE 7 Authentication method values

Method parameter | Description
line | Authenticate using the password you configured for Telnet access. The Telnet password is configured using the enable telnet password… command. Refer to "Setting a Telnet password" on page 100.
enable | Authenticate using the password you configured for the Super User privilege level. This password is configured using the enable super-user-password… command.
Telnet or SSH prompts when TACACS+ server is unavailable

When TACACS+ is the first method in the authentication method list, the device displays the login prompt received from the TACACS+ server.
Configuring an attribute-value pair on the TACACS+ server

During TACACS+ exec authorization, the ServerIron expects the TACACS+ server to send a response containing an A-V (Attribute-Value) pair that specifies the privilege level of the user. When the ServerIron receives the response, it extracts an A-V pair configured for the Exec service and uses it to determine the user's privilege level.
In the example above, the A-V pair configured for the Exec service is privlvl = 15. The ServerIron uses the value in this A-V pair to set the user's privilege level to 0 (super-user), granting the user full read-write access. In a configuration that has both a "brocade-privlvl" A-V pair and a non-"brocade-privlvl" A-V pair for the Exec service, the non-"brocade-privlvl" A-V pair is ignored.
If configured, command accounting is performed for these commands.

Command authorization and accounting for console commands

The ServerIron supports command authorization and command accounting for CLI commands entered at the console. To configure the device to perform command authorization and command accounting for console commands, enter the following.
Configuring TACACS+ accounting for system events

You can configure TACACS+ accounting to record when system events occur on the ServerIron. System events include rebooting and changes to the active configuration. The following command causes an Accounting Start packet to be sent to the TACACS+ accounting server when a system event occurs, and an Accounting Stop packet to be sent when the system event is completed.
The parameter is a loopback interface or virtual interface number. If you specify an Ethernet or POS port, the is the port's number (including the slot number, if you are configuring a chassis device).

Displaying TACACS or TACACS+ statistics and configuration information

The show aaa command displays information about all TACACS+ and RADIUS servers identified on the device.
Example

ServerIronADX(config)# show web
User   set   Privilege   0   IP address   192.168.1.
7. If the username is found in the database, the RADIUS server validates the password.
8. If the password is valid, the RADIUS server sends an Access-Accept packet to the ServerIron, authenticating the user.
4. The RADIUS accounting server acknowledges the Accounting Start packet.
5. The RADIUS accounting server records information about the event.
6. When the event is concluded, the ServerIron sends an Accounting Stop packet to the RADIUS accounting server.
7. The RADIUS accounting server acknowledges the Accounting Stop packet.
User action | Applicable AAA operations
User enters other commands | Command authorization: aaa authorization commands default
| Command accounting: aaa accounting commands default start-stop

AAA security for commands pasted into the running-config

If AAA security is enabled on the device, commands pasted into the running-config are subject to the same AAA operations as if they were entered manually.
• You can select only one primary authentication method for each type of access to a device (CLI through Telnet, CLI Privileged EXEC and CONFIG levels). For example, you can select RADIUS as the primary authentication method for Telnet CLI access, but you cannot also select TACACS+ authentication as the primary method for the same type of access. However, you can configure backup authentication methods for each access type.
TABLE 10 Brocade vendor-specific attributes for RADIUS

Attribute name | Attribute ID | Data type | Description
brocade-privilege-level | 1 | integer | Specifies the privilege level for the user. This attribute can be set to one of the following:
0 Super User level – Allows complete read-and-write access to the system. This is generally for system administrators and is the only management privilege level that allows you to configure passwords.
Specifying different servers for individual AAA functions

In a RADIUS configuration, you can designate a server to handle a specific AAA task. For example, you can designate one RADIUS server to handle authorization and another RADIUS server to handle accounting. You can specify individual servers for authentication and accounting, but not for authorization. You can set the RADIUS key for each server.
Example

ServerIronADX(config)# radius-server key 1 abc
ServerIronADX(config)# write terminal
...
radius-server host 1.2.3.5
radius key 1 $!2d

NOTE
Encryption of the RADIUS keys is done by default. The 0 parameter disables encryption. The 1 parameter is not required; it is provided for backwards compatibility.

Setting the retransmission limit

The retransmit parameter specifies the maximum number of retransmission attempts.
The commands above cause RADIUS to be the primary authentication method for securing Telnet access to the CLI. If RADIUS authentication fails due to an error with the server, local authentication is used instead.

To create an authentication-method list that specifies RADIUS as the primary authentication method for securing access to the Privileged EXEC level and CONFIG levels of the CLI:
NOTE
For examples of how to define authentication-method lists for types of authentication other than RADIUS, refer to "Configuring authentication-method lists" on page 136.

Entering privileged EXEC mode after a Telnet or SSH login

By default, a user enters User EXEC mode after a successful login through Telnet or SSH. Optionally, you can configure the device so that a user enters Privileged EXEC mode after a Telnet or SSH login. To do this, use the following command.
NOTE
If the aaa authorization exec default radius command exists in the configuration, following successful authentication the device assigns the user the privilege level specified by the brocade-privilege-level attribute received from the RADIUS server. If the aaa authorization exec default radius command does not exist in the configuration, then the value in the brocade-privilege-level attribute is ignored, and the user is granted Super User access.
Syntax: enable aaa console

DANGER
If you have previously configured the device to perform command authorization using a RADIUS server, entering the enable aaa console command may prevent the execution of any subsequent commands entered on the console.

NOTE
This happens because RADIUS command authorization requires a list of allowable commands from the RADIUS server. This list is obtained during RADIUS authentication.
Syntax: aaa accounting commands default start-stop radius | tacacs | none

The parameter can be one of the following:
• 0 – Records commands available at the Super User level (all commands)
• 4 – Records commands available at the Port Configuration level (port-config and read-only commands)
• 5 – Records commands available at the Read Only level (read-only commands)

Configuring RADIUS accounting for system events

You can configure RADIUS
The commands in this example configure virtual interface 1, assign IP address 10.0.0.3/24 to the interface, then designate the interface as the source for all RADIUS packets from the Layer 3 Switch.

Syntax: ip radius source-interface ethernet | pos | loopback | ve

The parameter is a loopback interface or virtual interface number.
TABLE 12 Output of the show aaa command for RADIUS (Continued)

Field | Description
Radius Server | For each RADIUS server, the IP address and the following statistics are displayed:
• Auth Port – RADIUS authentication port number (default 1645)
• Acct Port – RADIUS accounting port number (default 1646)
• opens – Number of times the port was opened for communication with the server
• closes – Number of times the port was closed normally
• timeouts – Number of times port was clo
NOTE
You do not need an authentication-method list to secure access based on ACLs or a list of IP addresses. Refer to "Using ACLs to restrict remote access" on page 93 or "Restricting remote access to the device to specific IP addresses" on page 95.

In an authentication-method list for a particular access method, you can specify up to seven authentication methods.
Examples of authentication-method lists

Example

The following example shows how to configure authentication-method lists for the Web Management Interface, IronView and the Privileged EXEC and CONFIG levels of the CLI. The primary authentication method for each is "local". The device will authenticate access attempts using the locally configured user names and passwords first.
TABLE 13 Authentication method values

Method parameter | Description
line | Authenticate using the password you configured for Telnet access. The Telnet password is configured using the enable telnet password… command. Refer to "Setting a Telnet password" on page 100.
enable | Authenticate using the password you configured for the Super User privilege level. This password is configured using the enable super-user-password… command.
Chapter 3 Role Based Management

The Role Based Management (RBM) feature allows users to create different administrative domains and enable user-based access privileges on a ServerIron ADX.

Overview

With this feature, a user can view and/or update configurations, such as virtual servers, real servers, and csw policies, without having the capability of viewing or editing configurations associated with another user. This feature also helps to address "virtualization" requirements.
• A resource in a context cannot be deleted if the user is in a different context at the time.
• One default context can be configured for a user if the user has privileges for more than one context.

For simplicity of the configuration, the super user can choose to create some role templates and associate the template with a set of privileges (available privileges are the same as the user level configurations).
When privileges for a user are changed after the user logs in, the user's new privileges take effect immediately.

Command Line Interface

After user login, the user is automatically associated with the configured context (if there is only one) or the default context (if there are more than one and a default context is configured).
Integrating RBM with RADIUS and TACACS+

You can configure a ServerIron ADX and its corresponding AAA (RADIUS or TACACS+) server to have RBM access authenticated by the respective AAA server.
ServerIronADX(config)# radius-server host 10.10.10.10 auth-port 1812 acct-port 1813 default
ServerIronADX(config)# radius-server key brocade

Configuring a ServerIron ADX for authentication by a TACACS+ server

Procedures for configuring a ServerIron ADX for authentication by a TACACS+ server are described in detail in "Configuring TACACS or TACACS+ security" on page 106.
Configuring the AAA server to authenticate RBM on a ServerIron ADX
The AAA server (RADIUS or TACACS+) must be configured to authenticate RBM on the ServerIron ADX, as shown in the following example for a typical CentOS Linux system.

Configuring a RADIUS server to authenticate RBM
In the file “/usr/local/etc/raddb/users”, a configuration such as the following must be added for the RADIUS server to authenticate RBM.
Chapter 4: Securing SNMP Access
Simple Network Management Protocol (SNMP) is a set of protocols for managing complex networks. SNMP sends messages, called protocol data units (PDUs), to different parts of a network. An SNMP-compliant device, called an agent, stores data about itself in Management Information Bases (MIBs) and returns this data to SNMP requesters or managers.

Establishing SNMP community strings
SNMP versions 1 and 2c use community strings to restrict SNMP access.
The parameter specifies the community string name. The string can be up to 32 characters long.
The ro | rw parameter specifies whether the string is read-only (ro) or read-write (rw).
The view parameter is optional. It associates a view with the members of this community string. Enter up to 32 alphanumeric characters. If no view is specified, access to the full MIB is granted.
NOTE
If encryption of displayed strings is enabled, the community strings are not shown in the output. Encryption is enabled by default.

Using the user-based security mode
SNMP version 3 (RFC 2570 through 2575) introduces a User-Based Security Model (RFC 2574) for authentication and privacy services. SNMP version 1 and version 2 use community strings to authenticate SNMP access to management modules. This method can still be used for authentication.
Defining the engine ID
A default engine ID is generated during system start-up. The format of the default engine ID is derived from RFC 2571 (Architecture for SNMP frameworks), within the MIB description for the object SnmpEngineID. To determine the default engine ID of the device, enter the show snmp engineid command and find the following line.
Local SNMP Engine ID: 800007c70300e05290ab60
See the section “Displaying the engine ID” on page 153 for details.
auth | noauth | priv [access ] [read ] [write ] [notify ]
NOTE
This command is not used for SNMP version 1 and SNMP version 2. In these versions, groups and group views are created internally using community strings. (See “Establishing SNMP community strings” on page 147.) When a community string is created, two groups are created, based on the community string name.
ServerIronADX(config)# snmp-s user bob admin v3 access 2 auth md5 bobmd5 priv des bobdes
The CLI for creating SNMP version 3 users has been updated as follows.
• If AES is the privacy protocol to be used, enter aes and an . Enter either 12 (for a small key) or 16 (for a big key) characters for the . If you include the encrypted keyword, enter a password string containing 32 hexadecimal characters.
Displaying user information
To display the definition of an SNMP user account, enter a command such as the following.
Simple SNMP v3 configuration
ServerIronADX(config)# snmp-s group admingrp v3 priv read all write all notify all
ServerIronADX(config)# snmp-s user adminuser admingrp v3 auth md5 priv
ServerIronADX(config)# snmp-s host adminuser

More detailed SNMP v3 configuration
ServerIronADX(config)# snmp-server view system system included
ServerIronADX(config)# snmp-server community ..... ro
ServerIronADX(config)# snmp-server community .....
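As an added example (not code from the guide or from Brocade), the following Python audit parses configuration lines in the command forms shown in this chapter and reports the settings the chapter's text identifies as weaker: v1/v2c community strings with rw access or with no view (full MIB access), v3 users without authentication or without privacy, the legacy MD5/DES choices, and AES keys that are not 12 or 16 characters. The configuration is constructed sample input, and the sha authentication keyword is an assumption not shown on the page.

```python
# Constructed sample config in the command forms the guide shows (snmp-s is the
# guide's abbreviation of snmp-server); the "sha" keyword is an assumption.
SAMPLE_CONFIG = """
snmp-server community public ro
snmp-server community private rw
snmp-server community ops ro view system
snmp-s group admingrp v3 priv read all write all notify all
snmp-s user bob admin v3 access 2 auth md5 bobmd5 priv des bobdes
snmp-s user alice admingrp v3 auth sha alicesha priv aes alicekey12345
snmp-s user carol admingrp v3
"""

def audit_community(tokens):
    """v1/v2c community: flag read-write and unrestricted (no view) access."""
    name, findings = tokens[2], []
    if tokens[3] == "rw":
        findings.append(f"community '{name}': read-write access over v1/v2c")
    if "view" not in tokens:
        findings.append(f"community '{name}': no view, full MIB access granted")
    return findings

def audit_user(tokens):
    """v3 user: require auth and priv; flag legacy MD5/DES and bad AES key length."""
    name, findings = tokens[2], []
    if "auth" not in tokens:
        return [f"user '{name}': no authentication configured"]
    if tokens[tokens.index("auth") + 1] == "md5":
        findings.append(f"user '{name}': MD5 authentication (legacy)")
    if "priv" not in tokens:
        return findings + [f"user '{name}': authentication without privacy"]
    p = tokens.index("priv") + 1  # index of the privacy protocol keyword
    if p + 1 >= len(tokens) or tokens[p] == "encrypted":  # no plain key to check
        return findings
    if tokens[p] == "des":
        findings.append(f"user '{name}': DES privacy (legacy)")
    elif tokens[p] == "aes" and len(tokens[p + 1]) not in (12, 16):
        findings.append(f"user '{name}': AES key must be 12 or 16 characters")
    return findings

def audit_snmp_config(config):
    """Return one finding per weak SNMP setting in the configuration text."""
    findings = []
    for tokens in (line.split() for line in config.strip().splitlines()):
        if len(tokens) < 4 or tokens[0] not in ("snmp-s", "snmp-server"):
            continue  # not an SNMP line, or too short to carry a mode or group
        if tokens[1] == "community":
            findings.extend(audit_community(tokens))
        elif tokens[1] == "user" and "v3" in tokens:
            findings.extend(audit_user(tokens))
    return findings
```

Run against the sample, the audit reports seven findings; the only clean entries are the ops community (read-only with a view) and the group line, which carries no credentials.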
Chapter 5: Capacity on Demand
You can upgrade an existing ServerIron ADX to increase system capacity by purchasing and applying a new software license. This chapter describes the upgrades available and the process required to implement them.

Software license terminology
This section defines the key terms used in this chapter.
• Entitlement certificate – The proof-of-purchase certificate (paper-pack) issued by Brocade when a license is purchased.
Software-based licensing overview
Software and hardware features of both fixed-configuration (ServerIron ADX 1000 series) and chassis-based (ServerIron ADX 4000 and 10000) ServerIron ADX application switches can be obtained at the time of purchase or upgraded later through software-based licensing.
NOTE
The license that upgrades the ASM4 to an ASM8 is not available as a trial license.
12 x 1 GF Interface Module – A 12 x 1 GF Interface Module equipped with 8 Copper SFPs is included in the ServerIron ADX ASM4 Bundle.
Management Module – A single Management module is included in the ServerIron ADX ASM4 Bundle.
Power Supplies – Two AC Power Supplies are included in the ServerIron ADX ASM4 Bundle.
TABLE 14 ServerIron ADX 1000 series base configurations (Continued)
Base SKU | Enabled features
SI-1008-1-DC | ServerIron ADX 1000 switch: 1 Application Processor (AP); eight 1 Gbps ports; supports switch image only; DC power
SI-1008-1-PREM | ServerIron ADX 1000 switch: 1 Application Processor (AP); eight 1 Gbps ports; supports PREM (L3) license; supports switch and router images
SI-1008-1-SSL | ServerIron ADX 1000 switch: 1 Application Processor (AP
SI-1016-4 | ServerIron ADX 1000 switch: 4 Application Processors (AP); sixteen 1 Gbps ports; supports switch image only
SI-1016-4-PREM | • • • •
SI-1016-4-SSL | ServerIron ADX 1000 switch: 4 Application Processors (AP); sixteen 1 Gbps ports; supports switch image only; supports SSL hardware acceleration
SI-1016-4-SSL-PREM | ServerIron ADX 1000 switch: 4 Applicati
Licence | Eligible Base SKU | Equivalent Licence after upgrade
ADX-1008-1-LIC-2PPLS (Perpetual License) or ADX-1008-1-TRP-2PPLS (Trial License):
  SI-1008-1 → SI-1016-2
  SI-1008-1-DC → SI-1016-2
  SI-1008-1-PREM → SI-1016-2-PREM
  SI-1008-1-SSL → SI-1016-2-SSL
  SI-1008-1-SSL-PREM → SI-1016-2-SSL-PREM
ADX-1K-LIC-PREM (Perpetual License) or ADX-1K-TRL-PREM (Trial License):
  SI-1008-1 → SI-1008-1-PREM
  SI-1008-1-DC → SI-1008-1-PREM
  SI-1008-1-SSL → SI-1008-1-SSL-PREM
  SI-1016-2 → SI-10
ADX-1016-4-LIC-10G (Perpetual License) or ADX-1016-4-TRL-10G (Trial License):
  SI-1016-4 → SI-1216-4
  SI-1016-4-PREM → SI-1216-4-PREM
  SI-1016-4-SSL → SI-1216-4-SSL
  SI-1016-4-SSL-PREM → SI-1216-4-SSL-PREM

Table 16 lists the base configurations available for ServerIron ADX chassis-based application switches by SKU number.
TABLE 17 Upgrade licenses available for ServerIron ADX chassis-based application switches
Licence | Eligible Base SKU | Equivalent Licence after upgrade
ADX-CH-LIC-PREM (Perpetual License) or ADX-CH-TRL-PREM (Trial License):
  SI-4000 → SI-4000-PREM
  SI-4000-DC → SI-4000-PREM
  SI-8000 → SI-8000-PREM
  SI-8000-DC → SI-8000-PREM
  SI-10000 → SI-10000-PREM
  SI-10000-DC → SI-10000-PREM
ADX-CH-LIC-ASM4-8 (Perpetual License):
  ASM4 → ASM8
  There is no trial license available for this
Configuration tasks
This section describes the configuration tasks for generating and obtaining a software license, then installing it on the Brocade device. Perform the tasks in the order listed in Table 18.

TABLE 18 Configuration tasks for software licensing
Configuration task | See...
1. Order the desired license. | For a list of available licenses and associated part numbers, see “Licensed features and SKU numbers” on page 159.
Figure 5 shows the Software Portal Login window.
From the License Management menu, select Brocade IP/ADP > License Generation with Transaction key. The IP/ADP License Generation dialog box displays.
Figure 7 shows the IP/ADP License Generation dialog box for generating a license using a transaction key and LID.
FIGURE 7 IP/ADP License Generation window
Enter the required information.
• For a description of a field, move the pointer over the field.
• An asterisk next to a field indicates that the information is required.
NOTE
You can generate multiple licenses at a time.
When you have finished entering the required information, read the Brocade End User License Agreement and select the "I have read and accept" check box. Click the Generate button to generate the license.
Figure 8 shows the results window, which displays an order summary and the results of the license request.
• If the license request was successful, the Status field shows “Success” and the License File field contains a hyperlink to the generated license file.
• Copy the license file to the ServerIron ADX internal flash memory and then add the license to the ServerIron ADX license database.

Using TFTP to install a license file
To copy a license file from a TFTP server to the license database of the ServerIron ADX application switch, enter a command such as the following at the Privileged EXEC level of the CLI:
ServerIronADX# copy tftp license 10.1.1.1 lic.
What happens when a trial license expires
A trial license expires when it exceeds the specified expiration time or date. The countdown starts when the trial license is generated. When the license expires, the CLI commands related to the licensed feature are no longer available. The licensed feature continues to run as configured until the software is reloaded, at which time the feature is disabled and removed from the system.
The variable is a valid license index number. This information can be retrieved from the show license command output. For more information, refer to “Viewing information about software licenses” on page 174.

Viewing software license information from the Brocade software portal
This section describes other software licensing tasks supported from the Brocade software portal.
Figure 10 shows an example of the license query results.
FIGURE 10 License Query results window
In this example, the line items for Level 1 display hardware-related information and the line items for Level 2 display software-related information. If the query was performed before the transaction key was generated, the first row (Level 1) would not appear in the search results.
Viewing information about software licenses
This section describes the show commands associated with software licensing. These commands are issued on the Brocade device, at any level of the CLI.

Viewing the License ID (LID)
Brocade devices that ship during and after the release of software licensing have the LID imprinted on the label affixed to the device. You can also use the CLI command show version to view the LID on these devices.
For ServerIron ADX chassis devices, a separate license is displayed for the chassis and the ASM module. The following example displays the “LID #” for the chassis and the “ASM-LID#” for the ASM module.
ServerIronADX4000#show version
Copyright (c) 1996-2009 Brocade Communications Systems, Inc.
Boot Version 12.1.00aT405 Jul 9 2010 19:03:54 PDT label: dob12100a
Monitor Version 12.1.00aT405 Jul 9 2010 19:03:54 PDT label: dob12100a
System Version 12.3.
Viewing the license database
To display general information about all software licenses in the license database, use the show license command. The following shows example output.
TABLE 20 Output from the show license command
This field... | Displays...
Index | The license hash number that uniquely identifies the license.
Package Name | The package name for the license.
LID | The license ID. This number is embedded in the Brocade device.
Status | Indicates the status of the license:
  Invalid – A license is invalid when the LID doesn’t match the serial number of the device for which the license was purchased.