ipnetworking.net

linux and networking articles

Category: Brocade (page 1 of 2)

Brocade VDX – Interconnecting Fabrics – line protocol down (ISL down)

While interconnecting two Brocade VDX VCS fabrics using normal Ethernet trunks, I ran into the following interface status during a migration:

The interface was configured as follows on both ends:

Note that ISL is disabled and fabric trunking is disabled as well. No problem connecting two separate fabrics this way, you would think... :)

After several attempts to get this interface up, it turned out that the VDX runs a neighbor discovery protocol that still checks the VCS ID configured on the fabrics, and it cannot be turned off. When both fabrics you want to interconnect use the same VCS ID, you will not get a normal trunk up, even with ISL disabled on those links. The solution is to renumber one of the fabrics to a different VCS ID. The sad part is that renumbering the VCS ID wipes the current configuration of the fabric member, so save the running configuration off-box and plan a maintenance window before doing it.

I hope this post helps, as it took me some time to figure this stupid thing out.

Cheers!

Deny SSH on Brocade VDX

Yet another Brocade VDX post! This time on how to block SSH access on VE interfaces. Sounds pretty simple, but it took some time to find out how to do it!

After some Cisco Catalyst to Brocade VDX configuration conversions, I was not able to block SSH access to the IP interfaces that existed on the Brocade VDX. Usually some of these options are available:

  1. SSH access-group (not supported)
  2. VTY lines configured with an access-group and transport limited to SSH (not available on NOS)
  3. VRF-aware SSH daemon (not supported): current Brocade NOS versions (5.x and later) have mgmt-vrf capabilities, so you would think SSH could be limited to the mgmt-vrf; unfortunately not (yet)
  4. ip access-list denying SSH from non-management networks

So I focused on option 4, but could not get it to work. What I tried was the following configuration stanza, for this internet-facing VE:

I was still able to SSH to the IP address configured on ve 100.

Apparently there is a Brocade-specific ACE action named "hard-drop". Where a plain deny in this ACL evidently only affected transit traffic, hard-drop also drops packets destined for the VDX CPU, i.e. the switch's own SSH listener, while still working for transit traffic.

The access-list INET-IN should be configured to:

Now the ACL does what it is supposed to do: dropping SSH to the VDX VE interface from the big bad interwebz. Pretty easy in the end!
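For reference, the ineffective and the working variants of the ACL side by side. This is an added example, not the configuration from the original post: the VE address 203.0.113.1, the sequence numbers and the exact NOS ACL syntax (Cisco-style wildcard masks, `rbridge-id` scoping of the VE) are assumptions, so check them against the NOS release you run.

```text
! Before: a plain deny. Transit traffic matching the rule is dropped, but the
! VDX's own SSH listener on 203.0.113.1 still answers (the behaviour seen above).
ip access-list extended INET-IN
 seq 10 deny tcp any host 203.0.113.1 eq 22
 seq 20 permit ip any any

! After: hard-drop. Same match, but packets destined for the VDX CPU are
! dropped too, so SSH to the VE address from the internet side goes dead.
! Make sure you still reach the box over mgmt0 (or another VE) before applying.
ip access-list extended INET-IN
 seq 10 hard-drop tcp any host 203.0.113.1 eq 22
 seq 20 permit ip any any

! Apply inbound on the internet-facing VE (assumed rbridge-id 1).
rbridge-id 1
 interface Ve 100
  ip access-group INET-IN in
```

Verify from a host on the internet side: a TCP connect to port 22 on 203.0.113.1 should now time out silently (hard-drop sends no reset), while SSH from the management network to mgmt0 keeps working.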

CLI commands to check optical attenuation

This post outlines CLI commands to check the optical attenuation on Cisco, Juniper, Huawei and Brocade platforms.

To check the attenuation, you need to have DOM (Digital Optical Monitoring) support in the optics.

Cisco Catalyst series:


Configuring Brocade VDX for FreeRADIUS authentication

This post shows the FreeRADIUS server configuration and the Brocade VDX 6740 configuration in distributed fabric mode.

FreeRADIUS configuration

Add the Brocade VDX RADIUS clients to the following file:

/etc/freeradius/clients.conf

This example is for a fabric with two Brocade VDX 6740 switches. If you have more than two units in the fabric, add more clients to this section. The <ip> part should match the mgmt0 interface IP address of the individual unit in the fabric, not the VCS virtual IP, since RADIUS requests are sourced from each unit's own management address. Give each client a long, random shared secret: the secret is all that authenticates the RADIUS exchange and the role the server hands back.

The Brocade VDX requires additional RADIUS attributes in the reply for a user. Below is the configuration of a user in the file:

/etc/freeradius/users

The highlighted RADIUS attributes are the ones that need to be added. (Your authentication method/setup may be different.)

The final server-side step is to add the Brocade dictionary file. Create /etc/freeradius/dictionary.brocade with this content:

Reload the FreeRADIUS service after this edit.

Brocade VDX configuration

Add the FreeRADIUS server to the VDX configuration:

Add the authentication method; here the primary source for authentication is RADIUS, with local authentication as the fallback. Keep the local fallback, and test the new login from a second session before closing the one you configured it from, so an unreachable RADIUS server or a wrong shared secret does not lock you out of the fabric.
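Both sides of the setup described above in one place, as an added example rather than the files from the original post. All addresses, names and secrets are made up; the Brocade vendor ID 1588 and the Brocade-Auth-Role attribute are as shipped in FreeRADIUS's own dictionary.brocade, and the NOS command forms (`radius-server host ... protocol ... key ...`, `aaa authentication login radius local`) are assumptions to check against your NOS release.

```text
# /etc/freeradius/clients.conf -- one client per fabric member, keyed on its mgmt0 address
client vdx6740-1 {
    ipaddr    = 192.0.2.11
    secret    = "Kq7vP2xL9mWz4tRb8nHy"     # long, random, unique per client
    shortname = vdx6740-1
    nastype   = other
}
client vdx6740-2 {
    ipaddr    = 192.0.2.12
    secret    = "Zd3hN8cQ1yVf6sGm0jLt"
    shortname = vdx6740-2
    nastype   = other
}

# /etc/freeradius/users -- the reply attribute the VDX needs to map the user to a role
netops  Cleartext-Password := "ChangeMeNow"
        Brocade-Auth-Role = "admin"

# /etc/freeradius/dictionary.brocade -- then add "$INCLUDE dictionary.brocade"
# to /etc/freeradius/dictionary and reload FreeRADIUS
VENDOR          Brocade                 1588
BEGIN-VENDOR    Brocade
ATTRIBUTE       Brocade-Auth-Role       1       string
END-VENDOR      Brocade

! Brocade VDX (NOS) side: point at the server with the matching secret,
! then RADIUS first and local accounts as fallback.
radius-server host 192.0.2.5 protocol chap key "Kq7vP2xL9mWz4tRb8nHy" timeout 5
aaa authentication login radius local
```

Run `freeradius -X` in the foreground while you test the first login: the debug output shows whether the request was accepted and whether the Brocade-Auth-Role reply attribute was actually sent, which is the usual point of failure when the dictionary is not included.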

Check the authentication; the raslog should display output similar to this:

This confirms you have a working Brocade VDX with FreeRADIUS authentication.
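To see what the extra reply attribute looks like on the wire, and why the shared secret matters, here is an added example (standard-library Python, not code from the post or from Brocade/FreeRADIUS) that builds a RADIUS Access-Accept carrying the Brocade role VSA and verifies it the way a switch should: the Response Authenticator is MD5 over the packet and the shared secret, so a reply with a wrong secret or a modified role is rejected before any role is honoured. Vendor ID 1588 and vendor type 1 for Brocade-Auth-Role are assumptions taken from FreeRADIUS's dictionary.brocade; all packet bytes are constructed here.

```python
"""RADIUS Access-Accept with the Brocade role VSA: encode on the server side,
verify on the switch side.  Added example, standard library only.

Assumptions (not stated on the page): Brocade enterprise number 1588 and
Brocade-Auth-Role = vendor type 1, as in FreeRADIUS's dictionary.brocade.
Secrets, authenticators and attribute values below are constructed."""
import hashlib
import hmac
import struct

CODE_ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
BROCADE_VENDOR_ID = 1588   # assumption: Brocade enterprise number
BROCADE_AUTH_ROLE = 1      # assumption: vendor type of Brocade-Auth-Role


def tlv(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1, includes header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def brocade_auth_role(role: str) -> bytes:
    """Vendor-Specific (26) wrapping Vendor-Id 1588 and a Brocade-Auth-Role sub-TLV."""
    inner = tlv(BROCADE_AUTH_ROLE, role.encode("ascii"))
    return tlv(ATTR_VENDOR_SPECIFIC, struct.pack("!I", BROCADE_VENDOR_ID) + inner)


def build_access_accept(ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side. Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attrs(data: bytes) -> list:
    """Walk a run of TLVs; reject truncated or zero-length attributes."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def verify_access_accept(packet: bytes, request_auth: bytes, secret: bytes):
    """Switch side. Return the Brocade-Auth-Role string only if the packet is a
    well-formed Access-Accept whose Response Authenticator matches the shared
    secret for the original request; otherwise None (reply is forged/tampered)."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_ACCEPT or length != len(packet):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # wrong secret or modified bytes: honour nothing in this reply
    try:
        for attr_type, value in parse_attrs(attrs):
            if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
                continue
            if struct.unpack("!I", value[:4])[0] != BROCADE_VENDOR_ID:
                continue
            for sub_type, sub_value in parse_attrs(value[4:]):
                if sub_type == BROCADE_AUTH_ROLE:
                    return sub_value.decode("ascii", "replace")
    except ValueError:
        return None
    return None


if __name__ == "__main__":
    secret = b"Kq7vP2xL9mWz4tRb8nHy"      # constructed shared secret
    request_auth = bytes(range(16))      # constructed stand-in for the request's random authenticator
    attrs = tlv(ATTR_USER_NAME, b"netops") + brocade_auth_role("admin")
    reply = build_access_accept(7, request_auth, attrs, secret)
    print(verify_access_accept(reply, request_auth, secret))          # admin
    print(verify_access_accept(reply, request_auth, b"wrong-secret"))  # None
```

The 13-byte Vendor-Specific attribute the switch receives is exactly what the `Brocade-Auth-Role = "admin"` line in the users file expands to once dictionary.brocade is loaded; without the dictionary FreeRADIUS cannot encode it, which is why the file matters.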


© 2017 ipnetworking.net
