M03-L2 Dev Admin

Basic Device Administration 3 - 1 Revision 0111 CNE200

Transcript of M03-L2 Dev Admin

Page 1: M03-L2 Dev Admin

Basic Device Administration


Page 2: M03-L2 Dev Admin


Page 3: M03-L2 Dev Admin

The chassis systems have at least one management blade and, depending on the number of slots in the chassis, a number of interface modules, or blades.

The management blade has a DB-9 serial console port and an RJ-45 management port, and can be installed in any open slot.

Page 4: M03-L2 Dev Admin

• Standalone switches do not use blades, and are discrete systems with up to 48 ports, depending on model.

• The first step in configuring a Brocade device is to assign an IP address. Connect the console cable shipped with the device and use the CLI to assign the IP address. After the IP address is assigned, access to the system will be possible through Telnet, the Web management interface, or IronView. To connect a management station using the serial port, use a straight-through cable or a DB9-to-USB converter, depending on which type of port is available. A terminal emulation program such as HyperTerminal or PuTTY is required on the PC. The session parameters should be set to 9600 baud, 8 data bits, no parity, 1 stop bit, and no flow control. For a modem connection, a crossover cable is required.

You may configure an IP address for the RJ45 management interface and Telnet to it; or you may configure an IP address for the Layer 2 switch (globally) and then Telnet to the switch to access the CLI. Keep in mind that Telnet sends the login and every subsequent command in cleartext: once the device is reachable over the network, prefer SSH (see the connection methods later in this module) and confine management traffic to a dedicated management network.

Some models are stackable, which combines standalone switches through a pluggable backplane. Stackable models are managed as a single unit.

Page 5: M03-L2 Dev Admin


Page 6: M03-L2 Dev Admin

Switch fabric modules switch packets from one interface module to another. NetIron routers can be configured with multiple switch fabric modules as described here:

• 4-slot router: Accommodates three switch fabric modules (two required and one redundant) for a fully-loaded system. Ships with two switch fabric modules. Additional switch fabric modules must be purchased to equip the router for redundancy.

• 8-slot router: Accommodates three switch fabric modules (two required and one redundant) for a fully-loaded system. Ships with two switch fabric modules. Additional switch fabric modules must be purchased to equip the router for redundancy.

• 16-slot router: Accommodates four switch fabric modules (three required and one redundant) for a fully-loaded system. Ships with three switch fabric modules. Additional switch fabric modules must be purchased to equip the router for redundancy.

• 32-slot router: Accommodates and ships with eight switch fabric modules.

Page 7: M03-L2 Dev Admin

The table below lists the descriptions for both port and SFP/SFP+ LEDs for the FCX648-E. The following notes page has similar tables for the system status and power LEDs.

LED                    Condition            Status
Ethernet (1~24/48)     On/Flashing Green    The port has established a valid link at 10/100/1000 Mbps.
Link/Activity/Speed                         Flashing indicates the port is transmitting and receiving user packets.
                       Off                  A link is not established with a remote port.
SFP (1F~4F)            On/Flashing Green    The SFP port has established a valid link.
Link/Activity                               Flashing indicates the port is transmitting and receiving user packets.
                       Off                  A link is not established with a remote port.
SFP+ (1F~4F)           On/Flashing Green    The SFP+ port is operating at 10 Gbps.
Speed                                       Flashing indicates the port is transmitting and receiving user packets.
                       Off                  A link is not established with a remote port.

Page 8: M03-L2 Dev Admin

The table below lists the descriptions of the system status LEDs for the FCX648-E.

LED                        Condition            Status
PS1 / PS2                  Green                Power supply is operating normally. It is installed properly
(Power Supply Status)                           and the power cord is attached to a power source.
                           Amber                Power supply fault. The power supply may not be installed properly.
                           Off                  Power off or failure.
Diag (Diagnostic)          Flashing Green       System self-diagnostic test in progress.
                           Green                System self-diagnostic test successfully completed.
                           Amber                System self-diagnostic test has detected a fault
                                                (blower, thermal or any interface fault).
Out-of-band Management     On/Flashing Green    The port has established a valid link at 10/100/1000 Mbps.
Link/Activity                                   Flashing indicates the port is transmitting and receiving user packets.
                           Off                  A link is not established with a remote port.

Page 9: M03-L2 Dev Admin

The tables below list the descriptions of the power status LEDs for the FCX648-E, for single and dual power supply models.

LED      Condition    Status
DC OK    Green        DC output ok
         Red          DC output fail
AC OK    Green        AC output ok
         Off          AC output fail

NOTE: Both "AC OK" and "DC OK" LEDs must be green for the device to function normally.

Dual power supply models:

State                           LED      PSU1     PSU2     Switch Status           Redundancy
All LEDs Green                  AC OK    Green    Green    Running                 Yes
                                DC OK    Green    Green
Single Red "DC OK" LED          AC OK    Green    Green    Running                 No
                                DC OK    Green    Red
Both "DC OK" LEDs Red           AC OK    Green    Green    Failure                 No
                                DC OK    Red      Red
One PSU with both "AC OK"       AC OK    Green    Off      Running                 No
and "DC OK" LEDs Off            DC OK    Green    Off
"DC OK" LEDs Red and Off        AC OK    Green    Off      Failure                 No
                                DC OK    Red      Off
All "AC OK" LEDs Off            AC OK    Off      Off      Power off or failure    No
                                DC OK    Off      Off

Page 10: M03-L2 Dev Admin

SW-Switch> User Level EXEC Command
SW-Switch# Privileged Level EXEC Command

Access to the CLI is established either through a direct serial connection to the device, or through a Telnet session.

The commands in the CLI are organized into the following levels:

User EXEC – Used to display information and perform basic tasks such as ping and traceroute

• User EXEC level is indicated by a ">" at the end of the prompt, and is the first level reached when you connect to the switch

Privileged EXEC – Allows use of the same commands as the User EXEC level, plus configuration commands that do not require saving the changes to the system configuration file, as well as detailed show output

• Privileged EXEC level is indicated by a "#" at the end of the prompt, and is accessed by using the enable command at the User EXEC command prompt

• This level can be secured by a password. Until one is set, anyone who reaches the User EXEC prompt over the console or Telnet can type enable and obtain full control of the device, so set the super-user password before the device is connected to a network

Page 11: M03-L2 Dev Admin

The CLI prompt will change at each level of the CONFIG command structure, to easily identify the current level.

Prompt                              Description
SW-Switch>                          User Level EXEC
SW-Switch#                          Privileged Level EXEC
SW-Switch(config)#                  Global Level CONFIG
SW-Switch(config-if-5/1)#           Interface Level CONFIG
SW-Switch(config-lbif-1)#           Loopback Interface CONFIG
SW-Switch(config-ve-1)#             Virtual Interface CONFIG
SW-Switch(config-trunk-4/1-4/8)#    Trunk Group CONFIG

Page 12: M03-L2 Dev Admin


Page 13: M03-L2 Dev Admin

copy flash flash: Copies a software image between the primary and secondary flash storage locations.

Syntax: copy flash flash [primary | secondary]

Page 14: M03-L2 Dev Admin


Page 15: M03-L2 Dev Admin


Page 16: M03-L2 Dev Admin

Footnote 1: Except for commands pertaining to passwords, which are always case sensitive.

If there is more than one command that begins with a particular string, the following error message will appear:

SW_Switch# s
Ambiguous input -> s

Page 17: M03-L2 Dev Admin

To go back and forth between the different levels, issue the exit command, or use Ctrl+z. The end command will move the prompt to the Privileged level from any lower level.

The up and down arrow keys can be used to scroll back and forth between previously entered commands.

Page 18: M03-L2 Dev Admin


Page 19: M03-L2 Dev Admin

ip address CLI command: Assigns an IP address and network mask to a Layer 2 Switch to support Telnet and SNMP management.

Syntax: [no] ip address <ip-addr> <ip-mask>
Syntax: ip address <ip-addr>/<mask-bits>

Possible values: N/A
Default value: N/A

interface CLI command: Accesses the interface CONFIG level of the CLI. You can define a physical interface, loopback interface, virtual interface (ve), Asynchronous Transfer Mode (ATM) interface, or Packet Over SONET (POS) interface at the Interface level.

Syntax: [no] interface atm <slot>/<port>.<subif> [multipoint | point-to-point]
Syntax: [no] interface ethernet <portnum> [to <portnum>]
Syntax: [no] interface loopback <num>
Syntax: interface pos <slot>/<port>
Syntax: interface ve <num>

Page 20: M03-L2 Dev Admin

Each 10/100/1000 port is designed to auto-sense and auto-negotiate the speed and mode of the connected device. If the attached device does not support this operation, the port speed may be set to operate at either 10, 100, or 1000 Mbps. The default value is for the ports to auto-sense speed and duplex. Settings should be the same at both ends.

Page 21: M03-L2 Dev Admin


Page 22: M03-L2 Dev Admin


Page 23: M03-L2 Dev Admin

show version: Lists software, hardware and firmware details for a Brocade device.

Syntax: show version

Page 24: M03-L2 Dev Admin

Footnote 1: NetIron CES devices also have a Monitor Image that provides the router image handling and the memory initialization process.

The primary and secondary codes refer to the IronWare base OS and application functionality.

The BootROM code refers to the Boot Image that provides the Bootstrap functionality.

The configuration shown above is not to be considered a best practice, and only reflects the lab environment. In production, both partitions should contain the same image.

Configuration files are also stored in both the primary and secondary flash partitions.

Footnote 2: Only one is accessible by the user. The second is for system reliability and uses a checksum. If the checksum is not valid, the system will use the second copy.

Page 25: M03-L2 Dev Admin

Besides the flash partitions, the system can be booted from either a TFTP server or a BootP server.

From the privileged EXEC level:

SW-Switch# boot system tftp 192.22.33.44 vm1r07501.bin

– Boots the system from the TFTP server at 192.22.33.44 using the file "vm1r07501.bin"

After booting from a TFTP server, the booted image file should be copied from the TFTP server to primary flash when the boot is completed, so that the next system boot will maintain the current functions independent of the TFTP server connection. Note that TFTP provides neither authentication nor integrity protection, so an image fetched this way can be substituted or altered on the wire: run a network boot only from a trusted management network, and check the image you received against a known-good copy (for example, the checksum distributed with the release) before copying it to flash.

Page 26: M03-L2 Dev Admin

To copy the system image from the secondary flash to the TFTP server with the filename "vm1r07501.bin":

SW-Switch# copy flash tftp 192.22.33.44 vm1r07501.bin secondary

Reload output varies from platform to platform. The following output is from a FastIron FCX:

SW-Switch# reload
Are you sure? (enter 'y' or 'n'): y
Running Config data has been changed. Do you want to continue
the reload without saving the running config? (enter 'y' or 'n'): y
Halt and reboot
Rebooting...

Page 27: M03-L2 Dev Admin


Page 28: M03-L2 Dev Admin


Page 29: M03-L2 Dev Admin

The graphic above shows both RAM and flash memory. RAM is where the current running configuration file is stored. All changes to the current running configuration are kept here, and are temporary in nature. If there is a power failure, RAM is erased.

Flash memory is where the startup configuration file is stored. This file is loaded into RAM when the system boots or is reloaded. Flash is changed by executing a write memory command, or by a file copy from a TFTP server.

Page 30: M03-L2 Dev Admin


Page 31: M03-L2 Dev Admin

The commands above have more options, which are displayed using a "?" at the end of the command. For example, "show ip ospf neighbor" provides OSPF neighbor state information.

Page 32: M03-L2 Dev Admin

Note: Trunk ID is usually the port number of the lead port.

show <protocol> interfaces brief: Shows a summary of Layer 2 information for all interfaces.

Syntax: show interfaces [ethernet | pos <portnum>] | [loopback <num>] | [slot <slot-num>] | [ve <num>] | [brief] [wide]

Syntax: show <protocol> interfaces [ethernet | pos <portnum>] | [loopback <num>] | [slot <slot-num>] | [ve <num>] | [brief] [wide]

Enter a protocol name for <protocol>; if none is specified, IP is implied.

Page 33: M03-L2 Dev Admin

GigabitEthernet is up means that the port has been administratively enabled. Line protocol is up means that the port is physically online and able to send traffic.

Brocade equipment supports frames greater in size than the standard Ethernet maximum of 1518 bytes, called Jumbo Frames. On some Brocade switches, frames of up to 9 kbytes are supported. Check the documentation for your specific device.

show interfaces: Displays information about interfaces on the Brocade device, including their state, duplex mode, STP state, priority and MAC address.

Syntax: show interfaces [atm | ethernet | pos <portnum>] | [loopback <num>] | [slot <slot-num>] | [ve <num>]

Page 34: M03-L2 Dev Admin

show statistics: Displays port statistics for a Brocade device (transmit, receive, collisions, errors).

Syntax: show statistics [atm <portnum> [to <portnum>]] | [ethernet <portnum> [to <portnum>]] | [pos <portnum> [to <portnum>]] | [slot <slot-num>]

The atm <portnum> parameter displays statistics for a specific ATM port.
The ethernet <portnum> parameter displays statistics for a specific Ethernet port.
The pos <portnum> parameter displays statistics for a specific POS port.
The slot <slot-num> parameter displays statistics for a specific chassis slot.

Page 35: M03-L2 Dev Admin

Counter            Description
InOctets           The total number of good octets and bad octets received.
InPkts             The total number of packets received. The count includes rejected and local packets that are not sent to the switching core for transmission.
InBroadcastPkts    The total number of good broadcast packets received.
InMulticastPkts    The total number of good multicast packets received.
InUnicastPkts      The total number of good unicast packets received.
InDiscards         The total number of packets that were received and then dropped due to one of the following conditions:
                   • Lack of receive buffers
                   • Overload on the address recognition machine
InErrors           The total number of packets received that contained one of the following errors:
                   • CRC error – applies to regularly sized packets between 64 bytes and the maximum allowable frame size.
                   • Oversize – applies to packets longer than the maximum allowable frame size but with a valid CRC.
                   • Jabber – applies to packets longer than the maximum allowable frame size and with an invalid CRC.
                   • Fragment – applies to packets shorter than 64 bytes and with an invalid CRC.
                   • Runt – applies to packets shorter than 64 bytes but with a valid CRC, received on a full-duplex port.
InCollisions       The number of collisions that have occurred when receiving packets.

Page 36: M03-L2 Dev Admin

Counter            Description
GiantPkts          The total number of packets for which the following was true:
                   • The data length was longer than the maximum allowable frame size.
                   • No Rx Error was detected.
                   Note: Packets are counted for this statistic regardless of whether the CRC is valid or invalid.
InBitsPerSec       The number of bits received per second.
InPktsPerSec       The number of packets received per second.
InUtilization      The percentage of the port's bandwidth used by received traffic.
OutOctets          The total number of good octets and bad octets sent.
OutPkts            The total number of good packets sent. The count includes unicast, multicast, and broadcast packets.
OutBroadcastPkts   The total number of good broadcast packets sent.
OutMulticastPkts   The total number of good multicast packets sent.
OutUnicastPkts     The total number of good unicast packets sent.
OutDiscards
OutErrors          The number of outbound packets that had errors.
OutCollisions      The number of collisions that have occurred when sending packets.
OutLateCollisions  The total number of packets received in which a Collision event was detected, but for which a receive error (Rx Error) event was not detected.

Page 37: M03-L2 Dev Admin

Counter            Description
ShortPkts          The total number of packets received for which the following was true:
                   • The data length was less than 64 bytes.
                   • No Rx Error was detected.
                   • No Collision or Late Collision was detected.
                   Note: Packets are counted for this statistic regardless of whether the CRC is valid or invalid.
OutBitsPerSec      The number of bits sent per second.
OutPktsPerSec      The number of packets sent per second.
OutUtilization     The percentage of the port's bandwidth used by sent traffic.
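The receive-side counter definitions above (InErrors, GiantPkts, ShortPkts and InCollisions on the three preceding pages) overlap: one bad frame can tick several counters at once, and whether a long frame is an error at all depends on the port's maximum frame size. The following Python classifier is an added example, not code from the course or from the device; it encodes the page's definitions for a single received frame and returns every counter that frame would increment. The RxFrame record and the 1518-byte default maximum are constructed for the example; a jumbo-capable port would pass its own limit.

```python
from dataclasses import dataclass

MIN_FRAME = 64             # bytes; shorter frames are fragments or runts
DEFAULT_MAX_FRAME = 1518   # standard Ethernet; jumbo-capable ports pass a larger value


@dataclass
class RxFrame:
    """One received frame as the statistics engine sees it (constructed input)."""
    length: int               # bytes on the wire, including the FCS
    crc_ok: bool
    full_duplex: bool = True  # Runt is only reported on full-duplex ports
    collision: bool = False


def classify_rx(frame: RxFrame, max_frame: int = DEFAULT_MAX_FRAME) -> set:
    """Return the names of the receive counters this frame increments.

    Encodes the InErrors / GiantPkts / ShortPkts / InCollisions rows of the
    show statistics tables. The 'InErrors:<reason>' entries are sub-tags added
    here to show which InErrors bullet applied; the device only reports the total.
    """
    hit = {'InPkts', 'InOctets'}          # every frame counts here, good or bad
    too_long = frame.length > max_frame
    too_short = frame.length < MIN_FRAME

    if too_long:
        # Oversize (valid CRC) and Jabber (invalid CRC) are both InErrors ...
        hit.add('InErrors')
        hit.add('InErrors:Oversize' if frame.crc_ok else 'InErrors:Jabber')
        # ... and GiantPkts counts long frames regardless of the CRC
        hit.add('GiantPkts')
    elif too_short:
        if not frame.crc_ok:
            hit.update({'InErrors', 'InErrors:Fragment'})
        elif frame.full_duplex:
            # Runt: short, valid CRC, but only an error on a full-duplex port
            hit.update({'InErrors', 'InErrors:Runt'})
        if not frame.collision:
            # ShortPkts counts regardless of CRC, but not collision fragments
            hit.add('ShortPkts')
    elif not frame.crc_ok:
        # regularly sized frame (64 .. max) with a bad FCS
        hit.update({'InErrors', 'InErrors:CRC'})

    if frame.collision:
        hit.add('InCollisions')
    return hit
```

Reading the result next to the table is the useful part: a 1600-byte frame with a good CRC is an Oversize error and a GiantPkt on a default port, but nothing more than an ordinary packet on a port whose maximum has been raised for jumbo frames; a 40-byte frame with a good CRC is a Runt only if the port is full duplex.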

Page 38: M03-L2 Dev Admin

The example above filters the output of the show interface brief command so it displays only lines containing the word "Down". This command can be used to display only specific interface states.

Syntax: <show-command> | include <regular-expression>

Note: The regular expression specified as the search string is case sensitive. In the example above, a search string of "Down" would match the output above, but a search string of "down" would not.

Page 39: M03-L2 Dev Admin

The command above filters the output of the show interface brief command so it displays only lines that do not contain the word "Down".

Syntax: <show-command> | exclude <regular-expression>

Page 40: M03-L2 Dev Admin

The command above filters the output of the show who command so it displays output starting with the first line that contains the word "SSH". This command can be used to display information about SSH connections to the Brocade device.

Syntax: <show-command> | begin <regular-expression>

Page 41: M03-L2 Dev Admin

The tables below list the descriptions of the special characters allowed in search strings.

Character            Operation
Period (.)           Matches any single character, including a blank space.
                     For example, a.z matches "aaz", "abz", "acz", and so on, but not just "az".
Asterisk (*)         Matches zero or more sequential instances of a pattern.
                     For example, abcX* matches output that contains the string "abc" followed by zero or more Xs.
Plus (+)             Matches one or more sequential instances of a pattern.
                     For example, deg+ matches output that contains "de" followed by a sequence of "g"s, such as "deg", "degg", "deggg", and so on.
Question Mark (?)    Matches zero occurrences or one occurrence of a pattern.
                     For example, de?g matches output that contains "dg" or "deg".
                     Note: Normally when you type a question mark, the CLI lists the commands or options at that CLI level that begin with the character or string you entered. However, if you enter Ctrl-V and then type a question mark, the question mark is inserted into the command line, allowing you to use it as part of a regular expression.
Caret (^)            A caret (when not used within brackets) matches the beginning of an input string.
                     For example, ^deg matches output that begins with "deg".
Dollar Sign ($)      Matches the end of an input string.
                     For example, deg$ matches output that ends with "deg".

Page 42: M03-L2 Dev Admin

Character              Operation
Underscore (_)         Matches one or more of the following:
                       • , (comma)
                       • { (left curly brace)
                       • } (right curly brace)
                       • ( (left parenthesis)
                       • ) (right parenthesis)
                       • The beginning of the input string
                       • The end of the input string
                       • A blank space
                       For example, _100_ matches "100" but not "1002", "2100", and so on.
Square Brackets []     Enclose a range of single-character patterns.
                       For example, [1-5] matches output that contains "1", "2", "3", "4", or "5".
                       You can use the following expression symbols within the brackets. These symbols are allowed only inside the brackets.
                       • ^ – The caret matches any character except the ones in the brackets. For example, [^1-5] matches output that does not contain "1", "2", "3", "4", or "5".
                       • - – The hyphen separates the beginning and ending of a range of characters. A match occurs if any of the characters within the range is present.
Vertical Bar (|)       Separates two alternative values or sets of values. The output can match one or the other value.
                       For example, abc|defg matches output that contains either "abc" or "defg".
Parentheses ()         Allow you to create complex expressions.
                       For example, ((abc)+)|((defg)?) matches "abc", "abcabc", or "defg", but not "abcdefgdefg".
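The include, exclude and begin filters of the preceding pages, together with the case-sensitivity note and the special meaning of the underscore in the table above, are easy to get wrong when you are building a check script around show output. The following Python emulation is an added example, not course material or device code: it applies the three filter modes to a constructed block of show interface brief output and translates the underscore (which in this dialect stands for a comma, brace, parenthesis, blank, or the start or end of the line) into an ordinary regular expression. The sample output, the port names and the mgmt1 line are invented for the example.

```python
import re

# Constructed sample in the shape of "show interface brief" output
# (not captured from a real device).
SAMPLE_OUTPUT = """\
Port    Link    State   Dupl Speed Trunk Tag Priori MAC            Name
1/1     Up      Forward Full 1G    None  No  level0 0000.0000.0101
1/2     Down    None    None None  None  No  level0 0000.0000.0102
1/3     Up      Forward Full 100M  None  No  level0 0000.0000.0103 uplink
1/4     Down    None    None None  None  No  level0 0000.0000.0104
mgmt1   Up      Forward Full 1G    None  No  level0 0000.0000.0105
"""

# The device's '_' is a delimiter class, not a literal underscore:
# comma, either curly brace, either parenthesis, a blank, or line start/end.
_UNDERSCORE = r'(?:[,{}() ]|^|$)'


def to_python_regex(search_string: str) -> str:
    """Translate the search-string dialect in the tables above to a Python
    regex. Only '_' needs rewriting; . * + ? ^ $ [] | () mean the same thing."""
    return search_string.replace('_', _UNDERSCORE)


def cli_filter(output: str, mode: str, search_string: str) -> list:
    """Emulate '<show-command> | include|exclude|begin <regular-expression>'.

    Matching is case-sensitive, exactly as on the device: 'Down' and 'down'
    are different search strings.
    """
    pattern = re.compile(to_python_regex(search_string))
    lines = output.splitlines()
    if mode == 'include':
        return [line for line in lines if pattern.search(line)]
    if mode == 'exclude':
        return [line for line in lines if not pattern.search(line)]
    if mode == 'begin':
        # everything from the first matching line onward, or nothing
        for i, line in enumerate(lines):
            if pattern.search(line):
                return lines[i:]
        return []
    raise ValueError(f'unknown filter mode {mode!r}')


def down_ports(output: str) -> list:
    """Port names whose Link column reads Down (the page's '| include Down')."""
    return [line.split()[0] for line in cli_filter(output, 'include', 'Down')]
```

The underscore translation is what makes `_100_` behave as the table describes: it matches the line "100" and "100 Mbps" but neither "1002" nor "2100", which a bare search for 100 would also pick up.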

Page 43: M03-L2 Dev Admin

Also at the --More-- prompt, press the forward slash key ( / ) and then enter a search string. The Brocade device displays output starting from the first line that contains the search string, similar to the begin option for show commands.

For example: --More--, next page: Space, next line: Return key, quit: Control-c /telnet

To display only lines containing a specified search string (similar to the include option for show commands), press the plus sign key ( + ) at the --More-- prompt and then enter the search string.

For example: --More--, next page: Space, next line: Return key, quit: Control-c +telnet

To display lines that do not contain a specified search string (similar to the exclude option for show commands), press the minus sign key ( - ) at the --More-- prompt and then enter the search string.

For example: --More--, next page: Space, next line: Return key, quit: Control-c -telnet

Page 44: M03-L2 Dev Admin

Syntax for clearing individual entries:

clear mac-address <mac-address> | ethernet <port-num> | vlan <num>

If clear mac-address is entered without any parameter, all MAC addresses are removed.

Use the <mac-address> parameter to remove a specific MAC address from all VLANs.
Use the ethernet <port-num> parameter to remove all MAC addresses for a specific port.
Use the vlan <num> parameter to remove all MAC addresses for a specific VLAN.

Example: SW-Switch# clear mac-address ethernet 1/1

Page 45: M03-L2 Dev Admin

The ping command can be used for troubleshooting the accessibility of devices. It uses a series of Internet Control Message Protocol (ICMP) Echo messages to determine:

• Whether a remote host is active or inactive.
• The round-trip delay in communicating with the host, to help determine if the link is up.
• Packet loss

Page 46: M03-L2 Dev Admin

A test packet can be sent to a host's IP address or host name. If the packet reaches the host, the host generally sends a reply packet in response to the ping. If the host does not reply within a specific interval, the Brocade device re-attempts the ping up to a specified number of times.

Syntax: ping <ip addr> | <hostname> [source <ip addr>] [count <num>] [timeout <msec>] [ttl <num>] [size <byte>] [quiet] [numeric] [no-fragment] [verify] [data <1-to-4 byte hex>] [brief]

source <ip addr> specifies an IP address to be used as the origin of the ping packets.

count <num> specifies how many ping packets the device sends. The range is 1 – 4294967296 and the default is 1.

timeout <msec> specifies how many milliseconds the Brocade device waits for a reply from the pinged device. The timeout range is 1 – 4294967296 milliseconds. The default is 5000 (5 seconds).

ttl <num> specifies the maximum number of hops. You can specify a TTL from 1 – 255. The default is 64.

size <byte> specifies the size of the ICMP data portion of the packet. This is the payload and does not include the header. The range is 0 – 4000. The default is 16.

quiet hides informational messages such as a summary of the ping parameters sent to the device and instead only displays messages indicating the success or failure of the ping. This option is disabled by default.

no-fragment turns on the "don't fragment" bit in the IP header of the ping packet. This option is disabled by default.

verify verifies that the data in the echo packet (the reply packet) is the same as the data in the echo request (the ping). By default the device does not verify the data.

data <1 – 4 byte hex> allows use of a specific data pattern for the payload instead of the default data pattern, "abcd", in the packet's data payload. The pattern repeats itself throughout the ICMP message (payload) portion of the packet.

brief causes ping test characters to be displayed.
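The size, data and verify options above describe the ICMP echo payload the device builds: a 1 to 4 byte pattern (default "abcd") repeated across size bytes, and, with verify, a byte-for-byte comparison of the reply's payload against the request. The following Python example is added here and is not the device's implementation: it builds an ICMP echo request with the RFC 1071 checksum, repeats the pattern the way the data option describes, and applies the verify rule to a reply. The identifier and sequence values, and the reply packets used to exercise it, are constructed for the example; the data option's hex argument corresponds to a bytes.fromhex() call on the caller's side.

```python
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
DEFAULT_PATTERN = b'abcd'   # the page's default data pattern
DEFAULT_SIZE = 16           # the page's default ICMP data length (payload only)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (zero-padded if odd)."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_payload(size: int, pattern: bytes = DEFAULT_PATTERN) -> bytes:
    """Repeat the 1-4 byte pattern across the whole payload, as 'data <hex>' does."""
    if not 1 <= len(pattern) <= 4:
        raise ValueError('data pattern must be 1 to 4 bytes')
    if not 0 <= size <= 4000:
        raise ValueError('size must be 0 - 4000 bytes')
    return (pattern * (size // len(pattern) + 1))[:size]


def build_echo(ident: int, seq: int, size: int = DEFAULT_SIZE,
               pattern: bytes = DEFAULT_PATTERN,
               icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """ICMP header (type, code, checksum, identifier, sequence) plus payload.
    icmp_type=ICMP_ECHO_REPLY lets the example fabricate a reply to test against."""
    payload = build_payload(size, pattern)
    header = struct.pack('!BBHHH', icmp_type, 0, 0, ident, seq)   # checksum 0 first
    csum = icmp_checksum(header + payload)
    return struct.pack('!BBHHH', icmp_type, 0, csum, ident, seq) + payload


def verify_reply(request: bytes, reply: bytes) -> bool:
    """The 'verify' option: the reply must checksum correctly, be an echo reply
    for the same identifier/sequence, and carry a byte-identical payload."""
    if len(reply) < 8 or icmp_checksum(reply) != 0:   # valid packet sums to zero
        return False
    rtype, rcode, _, rid, rseq = struct.unpack('!BBHHH', reply[:8])
    _, _, _, qid, qseq = struct.unpack('!BBHHH', request[:8])
    return (rtype == ICMP_ECHO_REPLY and rcode == 0
            and (rid, rseq) == (qid, qseq)
            and reply[8:] == request[8:])
```

Without verify, a reply whose payload was corrupted or rewritten in transit still counts as a success as long as it arrives; verify_reply is the check that turns such a reply into a reported failure, which is why the option is worth using when you suspect a path is mangling packets rather than dropping them.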

Page 47: M03-L2 Dev Admin


Page 48: M03-L2 Dev Admin


Page 49: M03-L2 Dev Admin

For a Web browser connection, the user must enter the device's IP address. If the device is a switch, the management IP is used; if it is a router, the IP address of one of the physical interfaces, or of a loopback interface, is entered.

For an IronView Network Manager (INM) connection, access is allowed if the device has been discovered by the INM server.

For a serial console connection, physical access to the device is required, as well as terminal emulation software.

For a telnet connection, the user can access the device by typing telnet <ip address of device>

Secure Shell (SSH) connections are also available. Because Telnet carries the login exchange and every command in cleartext, SSH should be the management protocol of choice once it is configured, with Telnet access disabled.

Page 50: M03-L2 Dev Admin


Page 51: M03-L2 Dev Admin


Page 52: M03-L2 Dev Admin


Page 53: M03-L2 Dev Admin

If the write memory command is not run, the next login session will revert to the old password.

SW-Switch#reload

Are you sure? (enter 'y' or 'n'): y

Halt and reboot

Enter 'b' to go to boot monitor ... [User presses "b" key]

BOOT MONITOR> no password

OK! Skip password check when the system is up.

BOOT MONITOR> ?

?

reset

boot system flash primary

boot system flash secondary

boot system bootp

boot system tftp 1.2.3.4 file_name

boot system slot1 | slot2 file_name

ip address 1.2.3.4 255.255.255.0

ip address 1.2.3.4/24

ip default_gateway 1.2.3.1

ping 1.2.3.4

BOOT MONITOR> boot system flash primary

BOOT INFO: load from primary copy

<Truncated Output>

SW-Switch>


Page 54: M03-L2 Dev Admin

Once you have bypassed the password and entered configuration mode, ensure that you assign a new password and save the configuration. Otherwise, once you log out or reload the device, you will have to go through the password recovery process again.

Note what this procedure requires: nothing more than a serial console connection and the ability to interrupt the boot. Anyone who can attach to the console port and reload the device can clear the password check the same way, so the device's passwords are only as strong as the physical security of the chassis and its console port.

Page 55: M03-L2 Dev Admin

If no privilege level is specified, the command defaults the user to super user. Assign an explicit, lower privilege level to every account that does not need full configuration access, so that as few accounts as possible hold super-user rights.

Page 56: M03-L2 Dev Admin

AAA is a term for a framework for intelligently controlling access to computer resources, enforcing policies, and auditing usage, generally using a remote server running the RADIUS or TACACS/TACACS+ protocol.

Authentication provides a way of identifying a user, typically by having the user enter a unique, valid user name and password before access is granted.

RADIUS stands for Remote Authentication Dial-In User Service, and is a client/server protocol that runs in the application layer, using UDP as transport. The Remote Access Server, the Virtual Private Network server, the network switch with port-based authentication, and the Network Access Server are all gateways that control access to the network, and all have a RADIUS client component that communicates with the RADIUS server.

TACACS stands for Terminal Access Controller Access-Control System. Commonly used in Unix networks, it is a remote authentication protocol used to communicate with a remote authentication server.

TACACS+ offers multiprotocol support, such as IP and AppleTalk. In normal operation it obfuscates the entire body of the packet, whereas RADIUS protects only the password field, which makes TACACS+ the better choice of the two for device administration; the protection is a keyed MD5 stream derived from the shared secret rather than modern encryption, however, so the traffic should still be confined to a trusted management network. TACACS+ is not backwards compatible with TACACS. It is a Cisco proprietary enhancement to the original TACACS protocol, and has, for all intents and purposes, replaced TACACS.

Page 57: M03-L2 Dev Admin

To configure the device to use the local user accounts to authenticate access to the

device through the Web management interface, use the following command:

SW-Switch(config)# aaa authentication web-server default

local

If the first authentication method is successful, the software grants access and stops the authentication process. If the access is rejected by the first authentication method, the software denies access and stops checking. However, if an error occurs with an authentication method, the software tries the next method on the list, and so on. For example, if the first authentication method is the RADIUS server but the link to the server is down, the software will try the next authentication method in the list. If an authentication method is working properly and the password (and user name, if applicable) is not known to that method, this is not a system error. The authentication attempt stops, and the user is denied access.
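The method-list rule above, as an added example written for this page (not Brocade code): a Python model in which only an error, such as an unreachable server, falls through to the next method, while a reject ends the attempt. The backends, user names and passwords are constructed, and the last list ends in none to show that a server outage then becomes open access.

```python
"""Model of the authentication-method-list rule described on this page.

Added example, not Brocade code. A method returns ACCEPT, REJECT or ERROR; only
ERROR (for instance an unreachable RADIUS server) falls through to the next
method, while REJECT ends the attempt even if a later method would accept.
"""
from enum import Enum
from typing import Callable, List, Tuple

class Result(Enum):
    ACCEPT = "accept"   # credentials verified by this method
    REJECT = "reject"   # method worked and said no: terminal
    ERROR = "error"     # method could not answer (server down, timeout)

def authenticate(methods: List[Tuple[str, Callable[[str, str], Result]]],
                 user: str, pw: str) -> Tuple[bool, str]:
    """Walk the list in order; return (granted, name of the deciding method)."""
    for name, method in methods:
        result = method(user, pw)
        if result is Result.ACCEPT:
            return True, name
        if result is Result.REJECT:
            return False, name
        # Result.ERROR: try the next configured method
    return False, "exhausted"           # every method errored: access denied

# Constructed sample backends; a real device would query RADIUS/TACACS+ here.
LOCAL_USERS = {"admin": "local-pw"}
RADIUS_USERS = {"alice": "radius-pw"}

def local_method(user, pw):
    return Result.ACCEPT if LOCAL_USERS.get(user) == pw else Result.REJECT

def make_radius_method(server_up):
    def radius_method(user, pw):
        if not server_up:
            return Result.ERROR         # link to the RADIUS server is down
        return Result.ACCEPT if RADIUS_USERS.get(user) == pw else Result.REJECT
    return radius_method

def none_method(user, pw):
    return Result.ACCEPT                # "none": the device permits access

RADIUS_UP = [("radius", make_radius_method(True)), ("local", local_method)]
RADIUS_DOWN = [("radius", make_radius_method(False)), ("local", local_method)]
# A list ending in "none" turns a RADIUS outage into open access: fail-open.
FAIL_OPEN = [("radius", make_radius_method(False)), ("none", none_method)]
```

With RADIUS reachable, a user known only locally is rejected by RADIUS and local is never consulted; with RADIUS down, the same login falls through to local and succeeds.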


Page 58: M03-L2 Dev Admin

Method Value        Description

tacacs or tacacs+   A TACACS/TACACS+ server. You can use either parameter. Each parameter supports both TACACS and TACACS+. You also must identify the server to the device using the tacacs-server command.

radius              A RADIUS server. You also must identify the server to the device using the radius-server command.

local               A local user name and password you configured on the device. Local user names and passwords are configured using the username command.

line                The password you configured for Telnet access. The Telnet password is configured using the enable telnet password command.

enable              The super-user "enable" password you configured on the device. The enable password is configured using the enable super-user-password command.

none                No authentication is used. The device automatically permits access.

Syntax: [no] aaa authentication snmp-server | web-server | enable | login | dot1x default <method1> [<method2>] [<method3>] [<method4>] [<method5>] [<method6>] [<method7>]

Syntax: [no] aaa authentication login privilege-mode

The snmp-server | web-server | enable | login | dot1x parameter specifies the type of access this authentication-method list controls. You can configure one authentication-method list for each type of access.

The aaa authentication login privilege-mode command configures the device so that a user enters Privileged EXEC mode after a Telnet or SSH login.

The <method1> parameter specifies the primary authentication method. The remaining optional <method> parameters specify the secondary methods to try if an error occurs with the primary method. A method can be one of the values listed in the Method Value column of the table above.


Page 59: M03-L2 Dev Admin

The device sends all the SNMP traps to the specified hosts and includes the specified community string. Traps can then be filtered based on IP address or community string.

To specify the host to which the device sends all SNMP traps:

SW-Switch(config)#snmp-server host <ip address> <community string>

The community string is configured on the device. The string can be a read-only or a read-write string. It is not used to authenticate access to the trap host but is instead a useful method for filtering traps on the host.

For example, if each of the devices that use the trap host is configured to send a different community string, it is easy to distinguish which device sent the traps.


Page 60: M03-L2 Dev Admin


Page 61: M03-L2 Dev Admin


Page 62: M03-L2 Dev Admin


Page 63: M03-L2 Dev Admin

To configure an ACL that restricts SSH access:

Switch(config)# access-list 12 deny host 209.157.22.98 log
Switch(config)# access-list 12 deny 209.157.23.0 0.0.0.255 log
Switch(config)# access-list 12 deny 209.157.24.0/24 log
Switch(config)# access-list 12 permit any
Switch(config)# ssh access-group 12
Switch(config)# write memory

Syntax: ssh access-group <num>

The <num> parameter specifies the number of a standard ACL and must be from 1 – 99.

Please see the Switch and Router Security Guide for the particular platform for more details.
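To check which source addresses the ACL above would admit to SSH before applying it, here is an added example (written for this page, not Brocade code) that evaluates a standard ACL with first-match semantics over the source forms shown on the page: host, address plus wildcard mask, CIDR prefix, and any. The access-list 12 lines are taken from the page as constructed input; the implicit deny at the end of a standard ACL is modelled as entry 0.

```python
"""Evaluate a standard ACL such as the page's access-list 12 for an SSH source.

Added example, not Brocade code: first-match semantics, the source forms shown
on the page (host, address + wildcard mask, CIDR prefix, any), and the implicit
deny that ends every standard ACL when no entry matches.
"""
import ipaddress
from typing import List, Tuple

def parse_entry(line: str) -> Tuple[str, ipaddress.IPv4Network, bool]:
    """Parse one 'access-list <n> deny|permit <source> [log]' line."""
    parts = line.split()
    action, args = parts[2], parts[3:]
    log = args[-1] == "log"
    if log:
        args = args[:-1]
    if args[0] == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
    elif args[0] == "host":
        net = ipaddress.ip_network(args[1] + "/32")
    elif len(args) == 2:                          # address + inverse (wildcard) mask
        wildcard = int(ipaddress.IPv4Address(args[1]))
        netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
        net = ipaddress.ip_network(f"{args[0]}/{netmask}", strict=False)
    else:                                          # CIDR form, e.g. 209.157.24.0/24
        net = ipaddress.ip_network(args[0], strict=False)
    return action, net, log

def evaluate(acl: List[str], source: str) -> Tuple[str, int]:
    """Return (action, 1-based index of the deciding entry); 0 is the implicit deny."""
    src = ipaddress.ip_address(source)
    for idx, line in enumerate(acl, start=1):
        action, net, log = parse_entry(line)
        if src in net:
            if log:                                # what the 'log' keyword would record
                print(f"ACL entry {idx}: {action} {source}")
            return action, idx
    return "deny", 0

# The page's access-list 12, as constructed input.
ACL_12 = [
    "access-list 12 deny host 209.157.22.98 log",
    "access-list 12 deny 209.157.23.0 0.0.0.255 log",
    "access-list 12 deny 209.157.24.0/24 log",
    "access-list 12 permit any",
]
```

Dropping the final permit any shows the implicit deny taking over: every source not explicitly denied is then refused as well.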


Page 64: M03-L2 Dev Admin


Page 65: M03-L2 Dev Admin


Page 66: M03-L2 Dev Admin

This page intentionally left blank
