Category Archives: Brocade

Web interface disabled on brocade switch

I ran into an issue where one of our Brocade switches was inaccessible via the web browser. The error below was displayed when connecting to the IP:

Interface disabled
This Interface (10.2.2.23) has been blocked by the administrator.

In order to resolve this, you'll need to allow port 80 traffic on the switch. It was disabled on mine.

First, log in to the switch and review the existing IP filters (look for port 80 set to deny):

switcho1:admin> ipfilter --show

Name: default_ipv4, Type: ipv4, State: active
Rule    Source IP    Protocol    Dest Port     Action
1       any          tcp         22            permit
2       any          tcp         23            deny
3       any          tcp         897           permit
4       any          tcp         898           permit
5       any          tcp         111           permit
6       any          tcp         80            deny
7       any          tcp         443           permit
8       any          udp         161           permit
9       any          udp         111           permit
10      any          udp         123           permit
11      any          tcp         600 - 1023    permit
12      any          udp         600 - 1023    permit

Next, clone the default policy, as you cannot make changes to the default policy. Note that you can name the policy anything you like; I chose to name it "Allow80".

ipfilter --clone Allow80 -from default_ipv4

Delete the rule that denies port 80 (rule 6 in the above example):

ipfilter --delrule Allow80 -rule 6

Add a rule back in to permit it:

ipfilter --addrule Allow80 -rule 12 -sip any -dp 80 -proto tcp -act permit

Save it:

ipfilter --save Allow80

Activate it (this changes the state of the default policy to "defined"):

ipfilter --activate Allow80

That’s it… you should now be able to access your switch via the web browser.


Automating Config / Zone backups for Brocade Switches

I was looking for an easy way to make backups of our fabric and report the status of the backup on our internal web page. I wrote a script that will remotely run configupload and pull the switch config file from all the switches via FTP, move the previous config file to an archive location, create a report of the output and copy it to a web page folder. I run the bash script using Cygwin on our internal IIS server, and it's scheduled to run daily.

The script uses ssh, so you could either set up ssh keys or use an open-source package called sshpass (http://sourceforge.net/projects/sshpass). In this example script I'm using sshpass to avoid having to type in a password for each command when the script runs.

I figured out that you must connect to a new switch at least once manually without using sshpass, as it suppresses the output that asks you to confirm adding it as a known host. Below is the output; I simply ran a 'zoneshow' as the initial command to set it up.

$ ssh USERID@brocade_switch_1 zoneshow
The authenticity of host 'brocade_switch_1 (10.0.0.9)' can't be established.
DSA key fingerprint is 3b:cd:98:62:4a:67:99:28:c4:41:f3:19:8d:f1:7d:a0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'brocade_switch_1,10.0.0.9' (DSA) to the list of known hosts.

My original script is set up to run for multiple geographical locations, which is why I have separate lists set up. This sample script is set up for two separate theoretical locations; it could easily be expanded or reduced based on your environment.

#Set Environment
TODAY=$(date)
TIMESTAMP=$(date +"%Y%m%d%H%M")
LOCALPATH="/cygdrive/c/scripts/brocade"
WEBPATH="/cygdrive/c/inetpub/wwwroot"
FTPHOST="10.0.0.1"
FTPUSER="ftpuser"
FTPPATH="/brocade"
FTPPASSWORD="password"

#Add timestamp to top of report
echo "$TODAY" > "$WEBPATH/brocade_backup_report.txt"
echo " " >> "$WEBPATH/brocade_backup_report.txt"

#Clear data from last run
> "$LOCALPATH/brocade_backup_report_1.txt"
> "$LOCALPATH/brocade_backup_report_2.txt"

#Move yesterday's backups to an archive location
mv "$WEBPATH"/brocade/*.txt /cygdrive/e/archive/brocade

#List of Switches to be backed up
SWITCHLIST1="switch1siteA switch2siteA switch3siteA switch4siteA"
SWITCHLIST2="switch1siteB switch2siteB switch3siteB switch4siteB switch5siteB switch6siteB"

#Site A: run configupload on each switch and append the switch's output to the site report
for x in $SWITCHLIST1
do
echo "$x": "$FTPPATH/$x.$TIMESTAMP" >> "$LOCALPATH/brocade_backup_report_1.txt"
sshpass -p 'password' ssh admin@$x configupload -ftp $FTPHOST,$FTPUSER,$FTPPATH/$x.$TIMESTAMP.txt,$FTPPASSWORD >> "$LOCALPATH/brocade_backup_report_1.txt"
echo " " >> "$LOCALPATH/brocade_backup_report_1.txt"
done

#Site B: same loop (USERID is the login used on these switches)
for x in $SWITCHLIST2
do
echo "$x": "$FTPPATH/$x.$TIMESTAMP" >> "$LOCALPATH/brocade_backup_report_2.txt"
sshpass -p 'password' ssh USERID@$x configupload -ftp $FTPHOST,$FTPUSER,$FTPPATH/$x.$TIMESTAMP.txt,$FTPPASSWORD >> "$LOCALPATH/brocade_backup_report_2.txt"
echo " " >> "$LOCALPATH/brocade_backup_report_2.txt"
done

# This last section creates the report for the web page.
cat "$LOCALPATH/brocade_backup_report_1.txt" "$LOCALPATH/brocade_backup_report_2.txt" >> "$WEBPATH/brocade_backup_report.txt"

The report output looks like this:

Thu Sep 12 06:00:01 CDT 2013
 
switch1siteA: /brocade/switch1siteA.201309120600
configUpload complete: All selected config parameters are uploaded
 
switch2siteA: /brocade/switch2siteA.201309120600
configUpload complete: All selected config parameters are uploaded
 
switch3siteA: /brocade/switch3siteA.201309120600
configUpload complete: All selected config parameters are uploaded
 
switch4siteA: /brocade/switch4siteA.201309120600
configUpload complete: All selected config parameters are uploaded
 
switch1siteB: /brocade/switch1siteB.201309120600
configUpload complete: All selected config parameters are uploaded
 
switch2siteB: /brocade/switch2siteB.201309120600
configUpload complete: All selected config parameters are uploaded
 
switch3siteB: /brocade/switch3siteB.201309120600
configUpload complete: All selected config parameters are uploaded
 
switch4siteB: /brocade/switch4siteB.201309120600
configUpload complete: All selected config parameters are uploaded
 
switch5siteB: /brocade/switch5siteB.201309120600
configUpload complete: All selected config parameters are uploaded
 
switch6siteB: /brocade/switch6siteB.201309120600
configUpload complete: All selected config parameters are uploaded
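The script above records each switch's configupload output but never flags a switch whose upload did not complete, so a failed or silently missing backup only shows up if someone reads the web page. The check below is an added example, not part of the original script: it parses a brocade_backup_report.txt in the format shown above and lists every switch whose section lacks a "configUpload complete" line. The two sample reports are constructed here; the "upload failed" line is made up and is not real FOS output.

```shell
#!/bin/sh
# Added example (not part of the original script): verify a daily
# brocade_backup_report.txt and name every switch whose configupload
# did not report "configUpload complete".

# Print the names of switches whose report section has no "configUpload complete" line.
# A section starts at a "switchname: /ftp/path" header, as written by the script's echo.
failed_backups() {
    awk '
        /^[A-Za-z0-9_.-]+: \// {            # "switchname: /ftp/path" header line
            if (name != "" && !ok) print name
            name = $1; sub(/:$/, "", name); ok = 0
            next
        }
        /configUpload complete/ { ok = 1 }
        END { if (name != "" && !ok) print name }
    ' "$1"
}

# Exit 0 when every switch succeeded, 1 otherwise (failures are listed on stderr).
check_backup_report() {
    failures=$(failed_backups "$1")
    if [ -n "$failures" ]; then
        printf 'backup FAILED for:\n%s\n' "$failures" >&2
        return 1
    fi
    return 0
}

# Constructed sample reports in the layout the script produces.
REPORT_OK=$(mktemp)
cat > "$REPORT_OK" <<'EOF'
Thu Sep 12 06:00:01 CDT 2013

switch1siteA: /brocade/switch1siteA.201309120600
configUpload complete: All selected config parameters are uploaded

switch2siteA: /brocade/switch2siteA.201309120600
configUpload complete: All selected config parameters are uploaded
EOF

# switch3siteA's upload failed (constructed error line); switch6siteB produced
# no output at all (e.g. ssh could not connect), so its header stands alone.
REPORT_BAD=$(mktemp)
cat > "$REPORT_BAD" <<'EOF'
Thu Sep 12 06:00:01 CDT 2013

switch1siteA: /brocade/switch1siteA.201309120600
configUpload complete: All selected config parameters are uploaded

switch3siteA: /brocade/switch3siteA.201309120600
error: upload failed (constructed sample line)

switch6siteB: /brocade/switch6siteB.201309120600
EOF

check_backup_report "$REPORT_OK" && echo "all backups OK"
check_backup_report "$REPORT_BAD" || echo "see the failure list above"
```

Run it against the report file at the end of the backup script (for example `check_backup_report "$WEBPATH/brocade_backup_report.txt" || mail ...`); a non-zero exit is what a scheduler or monitoring job can act on. Note that a switch that never answered is caught too, because its header line is present but no "configUpload complete" line follows it.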

Useful Brocade FOS CLI Commands


Below is a list of useful Brocade CLI commands that I keep at my desk for reference. They are divided up into categories for Zoning, Show, Port, Time/Date, License, Banner, Password, SNMP, User Config, Firmware, and Miscellaneous.

Zoning Commands

alicreate "Name", "domain,port#"  Creates an alias
alicreate "Name", "portname1; portname2"  Creates an alias containing multiple ports
alidelete "Name"  Deletes an alias
aliadd "Name", "domain,port#"  Adds additional ports to an alias
aliremove "Name", "domain,port#"  Removes a port from an alias
alishow "AliName"  Shows the alias configuration on the switch
zonecreate "Zone Name", "alias1; alias2"  Creates a zone from aliases
zonedelete "ZoneName"  Deletes a zone
zoneadd "ZoneName", "alias name"  Adds an additional alias to a zone
zoneremove "ZoneName", "alias name"  Removes an alias from a zone
zoneshow "zoneName"  Shows the zone configuration information
cfgcreate "Configname", "Zone1; Zone2"  Creates a configuration from zones
cfgdelete "ConfigName"  Deletes a configuration
cfgadd "ConfigName", "Zone3"  Adds additional zones to a configuration
cfgremove "ConfigName", "Zone3"  Removes a zone from a configuration
cfgshow "ConfigName"  Shows the details of a configuration
cfgenable "ConfigName"  Enables a configuration on the switch
cfgsave  Writes the effective configuration to flash memory

Show Commands

psshow  Displays the status of the power supplies
fansshow  Displays the status of the fans
tempshow  Displays the temperature readings
sensorshow  Displays the sensor readings
nsshow  Displays the local name server entries
nsshow -t  Displays the local name server entries along with the device type
nsshow -r  Displays the local name server entries along with the state change registration details
nscamshow  Displays detailed information about all devices connected to all switches in the fabric (remote name servers)
nsallshow  Displays the 24-bit addresses of all devices in the fabric
licenseshow  Displays all licenses that have been added to the switch
date  Displays the current date set on the switch
bannershow  Displays the banner shown when logging in via the CLI or Web Tools
httpcfgshow  Displays the Java version the switch expects at the management console
switchname  Displays the name of the switch
fabricshow  Displays information about all switches in the fabric
userconfig --show -a  Displays account information: role, description, password expiration date, locked status
switchstatusshow  Displays the overall status of the switch
switchstatuspolicyshow  Displays the policy that determines Marginal (yellow) or Down (red) switch status
portshow  Shows the port status
portcfgshow  Displays the speed set for all ports on all slots and other detailed port information
configshow fabric.ops  Displays the fabric parameters of the switch; all switches in a fabric must have the same parameters in order to communicate
configshow fabric.ops.pidFormat  Displays the PID format set for the switch (Core, Native or Extended Edge)
switchuptime OR uptime  Displays the uptime of the switch
firmwareshow  Displays the firmware on the switch
version  Displays the current firmware version on the switch
hashow  Displays the status of the local and remote CPs: high availability, heartbeat and synchronization

Port Settings

portcfgshow  Displays the port settings
portcfg rscnsupr [slot/port] --enable  Suppresses the registered state change notification (RSCN) when a state change occurs on the port
portcfg rscnsupr [slot/port] --disable  Sends the RSCN when a state change occurs on the port
portname  Assigns a name to a port
portdisable  Disables a port or slot
portenable  Enables a port or slot
portcfgpersistentdisable  Disables a port persistently; the status does not change even after rebooting the switch
portcfgpersistentenable  Enables a port persistently; the status does not change even after rebooting the switch
portshow  Shows the port status
portcfgspeed  Sets the speed for a port. Note: 0 = auto-negotiated 1, 2, 4 Gbit/sec; 1 = 1 Gbit/sec; 2 = 2 Gbit/sec; 4 = 4 Gbit/sec
switchcfgspeed  Sets the speed for all ports on the switch. Note: 0 = auto-negotiated 1, 2, 4 Gbit/sec; 1 = 1 Gbit/sec; 2 = 2 Gbit/sec; 4 = 4 Gbit/sec
portcfgshow  Displays the speed set for all ports on all slots and other detailed port information
portcfgdefault  Resets the port settings to default
portcfglongdistance  Sets the long distance mode. Default is L0 (normal); by distance: LE <= 10 km, L0.5 <= 25 km, L1 <= 50 km, L2 <= 100 km, LD = auto, LS = static
portcfgeport  Used to prevent a port from becoming an E_Port

Time and Date Settings

date  Displays the current date set on the switch
tsclockserver 10.10.1.1  Instructs the principal switch to synchronize time with the NTP server (specify the IP address of the NTP server)
tsclockserver LOCL  Stops NTP synchronization (uses the local time of the switch)
date mmddhhmmyy  Sets the time of the switch when NTP synchronization is cancelled
tstimezone -5  Sets the time zone for an individual switch

License Commands

licenseshow  Displays all licenses that have been added to the switch
licenseadd  Adds a new license to the switch
licenseremove  Removes a license from the switch
licenseidshow  Displays the license ID (based on the switch WWN)

Banner Commands

bannershow  Displays the banner shown when logging in via the CLI or Web Tools
bannerset  Sets the banner shown when logging in via the CLI or Web Tools
bannerset ""  Removes the banner (two double quotes)

Password commands

passwd  Changes the password for the current login
passwdcfg --set -lowercase 3 -uppercase 1 -digits 2 -punctuation 2 -minlength 10 -history 3  Sets the password rules
passwdcfg --set -minpasswordage 1  Sets the minimum password age in days
passwdcfg --set -maxpasswordage 30  Sets the maximum password age in days
passwdcfg --set -warning 23  Sets how many days before expiration a warning is shown
passwdcfg --set -lockoutthreshold 5  Sets the account lockout threshold
passwdcfg --set -lockoutduration 30  Sets the account lockout duration in minutes
passwdcfg --setdefault  Restores the password policy to factory settings (min length 8, history 1, lockout duration 30)

SNMP Commands

snmpconfig  SNMP configuration for FOS 5.0 and above
agtcfgset  SNMP configuration for FOS below 5.0
snmpmibcapset  Chooses the MIBs used for the SNMP settings

User Configuration

userconfig --show -a / userconfig --show  Displays all account information: role, description, password expiration date, locked status
userconfig --add john -r admin -d "John Doe"  Adds a new account (-r = role, -d = description)
userconfig --show john  Displays all information for the account john
userconfig --change <username> -e no  Disables an account, usually default accounts like admin and user. Before disabling the admin account, ensure there is another account with admin rights
userconfig --change <username> -e yes  Enables an account

Firmware commands

configupload  Saves the switch configuration as an ASCII text file to an FTP server
configdownload  Restores a switch configuration from an ASCII text file. Note: the switch must be disabled before downloading the config file
configure -> cfgload attributes: [y] -> Ensure secure config upload/download: [y]  Fabric OS v4.4 and above can use Secure Copy (SCP) for configuration upload and download
firmwaredownload  Downloads the firmware to be installed on the switch
firmwareshow  Run after installing the firmware to confirm the versions on the switch
version  Displays the current firmware version on the switch
fastboot  Reboot required after installing the firmware; skips the POST
reboot  Reboot required after installing the firmware; includes the POST

Miscellaneous commands

killtelnet  Kills a particular telnet session
configure  Configures the switch
quietmode  Turns quiet mode off
quietmode 1  Suppresses messages to the console
switchname  Displays the switch name
switchname "EXAMPLE"  Assigns a switch name
bannerset  Sets the banner shown when logging in via the CLI or Web Tools
timeout  Displays the timeout set for Telnet sessions on the switch
timeout 10  Sets a specific timeout for Telnet sessions
switchuptime or uptime  Displays the uptime of the switch
switchcfgspeed  Sets the speed for all ports on the switch. Note: 0 = auto-negotiated 1, 2, 4 Gbit/sec; 1 = 1 Gbit/sec; 2 = 2 Gbit/sec; 4 = 4 Gbit/sec
fastboot  Reboots the switch without the POST
reboot  Reboots the switch with the POST
switchstatusshow  Displays the overall status of the switch
switchstatuspolicyshow  Displays the policy that determines Marginal (yellow) or Down (red) switch status
switchstatuspolicyset  Changes the policy that determines Marginal (yellow) or Down (red) switch status


Scripting Alias and Zone creation for Brocade Switches

Whenever a new array is added in our environment we usually have to add hundreds and hundreds of new zones to our core Brocade fabric. It's a very tedious job, so I started investigating ways to script the process.

Here is the syntax for running an ssh command remotely (telnet is disabled on all of our switches):

ssh userid@switchname [command]

So, if I wanted to show all of the zones on a switch, the command would look like this:

ssh admin@10.0.0.1 zoneshow

While those commands work perfectly and could be added to a bash script as-is, the caveat is that the password must be typed in for every command. That's not very practical if there are hundreds of lines in the script. You could set up ssh keys on every switch, but I was looking for a quicker, easier solution. I found that quick solution with an open-source package called sshpass (http://sourceforge.net/projects/sshpass). It allows you to enter the password on the command line. I use Cygwin on a Windows server for all my bash scripts and it was a very simple installation in that environment, and I'm sure it would be just as easy on Linux. Download it to a folder, uncompress it, run "./configure", "make", and "make install" and you're all done.

Once sshpass is installed, the syntax for showing the zones on a Brocade switch would look like this:

sshpass -p "[password]" ssh admin@10.0.0.1 zoneshow


Now that the commands can be run very easily from a remote shell, I needed to make creating the script much easier. That's where a spreadsheet application helps tremendously. Divide the script line into different cells on the spreadsheet, making sure to separate any part of the command that's going to change. In the last cell on the line, you concatenate all of the previous cells together to create the complete command. Below is how I did it.

Here's the syntax output I want for creating a zone:

sshpass -p 'password' ssh [User_ID]@[Switch_Name] zonecreate "[Zone_Name]","[Host_Alias]","[SP_Alias]"


Here’s how I divide the command up in the spreadsheet:

A1   sshpass -p 'password' ssh   (with a trailing space, so the user ID is separated from ssh)

B1   [User_ID]

C1   @

D1   [switch_name]

E1    Zonecreate "   (with a leading space)

F1   [Zone_Name]

G1   ","

H1   [Host_Alias]

I1   ","

J1   [Clariion/VNX_SP_Alias]

K1   "

L1   =concatenate(A1,B1,C1,D1,E1,F1,G1,H1,I1,J1,K1)

Now you can copy line 1 of the spreadsheet to as many lines as you need, change the User ID, Switch Name, Zone_Name, Host Alias, and Clariion/VNX SP Alias as needed, and the L column will have all the completed commands, which you can cut and paste into a bash script. Create a blank script file with 'touch file.sh', do a 'chmod +x file.sh' and 'chmod 777 file.sh' on it, use vi to copy and paste in the script data, then run it with './file.sh' from the prompt.

The same thing can be done for creating the initial aliases; here's the syntax of the command for that:

sshpass -p 'password' ssh [User_ID]@[Switch_Name] alicreate "[Alias_Name]","[WWN]"


And finally, here’s what it looks like entered into a spreadsheet:

BrocadeScript
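The spreadsheet approach above splices whatever is in each cell straight into a command line, so a stray quote, semicolon or comma in a zone name or WWN changes the command the switch receives. The following is an added example, not the author's spreadsheet or script: it generates the same zonecreate and alicreate lines from a CSV file and validates each field first. It differs from the post in two assumed choices, both mine: the password is supplied through the SSHPASS environment variable (sshpass -e) instead of on the command line, where it would be visible in process listings and shell history, and the remote command is single-quoted so the double quotes reach the switch intact, using the two-argument zonecreate form from the zoning reference above ("zone", "member1; member2"). The CSV rows and WWNs are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): generate zonecreate/alicreate
# command lines from CSV rows, validating every field before it is spliced
# into a command. Assumes the password is exported as SSHPASS (sshpass -e).

# Names that are safe to splice into a quoted FOS argument: letters, digits,
# underscore and hyphen only. Quotes, ';' or ',' would alter the command.
valid_name() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+$'
}

# Fibre Channel WWN: eight colon-separated hex bytes.
valid_wwn() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2}$'
}

# zone_cmd USER SWITCH ZONE HOST_ALIAS SP_ALIAS  -> one command line on stdout
zone_cmd() {
    for n in "$3" "$4" "$5"; do
        valid_name "$n" || { echo "zone_cmd: rejected name '$n'" >&2; return 1; }
    done
    printf "sshpass -e ssh %s@%s 'zonecreate \"%s\",\"%s;%s\"'\n" "$1" "$2" "$3" "$4" "$5"
}

# ali_cmd USER SWITCH ALIAS WWN  -> one command line on stdout
ali_cmd() {
    valid_name "$3" || { echo "ali_cmd: rejected alias '$3'" >&2; return 1; }
    valid_wwn "$4" || { echo "ali_cmd: rejected WWN '$4' for $3" >&2; return 1; }
    printf "sshpass -e ssh %s@%s 'alicreate \"%s\",\"%s\"'\n" "$1" "$2" "$3" "$4"
}

# CSV rows "switch,user,zone,host_alias,sp_alias": one command per row.
# Invalid rows are skipped and the function returns 1 at the end.
gen_zone_cmds() {
    rc=0
    while IFS=, read -r sw user zone host sp; do
        case "$sw" in ''|'#'*) continue ;; esac   # skip blank and comment rows
        zone_cmd "$user" "$sw" "$zone" "$host" "$sp" || rc=1
    done < "$1"
    return $rc
}

# CSV rows "switch,user,alias,wwn": one command per row.
gen_ali_cmds() {
    rc=0
    while IFS=, read -r sw user alias wwn; do
        case "$sw" in ''|'#'*) continue ;; esac
        ali_cmd "$user" "$sw" "$alias" "$wwn" || rc=1
    done < "$1"
    return $rc
}

# Constructed sample input (switch names, aliases and WWNs are made up).
ZONE_CSV=$(mktemp)
cat > "$ZONE_CSV" <<'EOF'
# switch,user,zone,host_alias,sp_alias
switch1siteA,admin,HOSTA_SPA0,HOSTA,SPA0
switch1siteA,admin,HOSTB_SPB1,HOSTB,SPB1
EOF

ALI_CSV=$(mktemp)
cat > "$ALI_CSV" <<'EOF'
# switch,user,alias,wwn   (third row has a 7-byte WWN and must be rejected)
switch1siteA,admin,HOSTA,10:00:00:00:c9:12:34:56
switch1siteA,admin,SPA0,50:06:01:60:12:34:56:78
switch1siteA,admin,BADWWN,10:00:00:00:c9:12:34
EOF

gen_zone_cmds "$ZONE_CSV"
gen_ali_cmds "$ALI_CSV" || echo "one or more alias rows were rejected" >&2
```

Redirect the output into file.sh exactly as in the post; before running it, `export SSHPASS='...'` in the calling shell so sshpass -e can read it. Because rejected rows make the generator return 1, a wrapper can refuse to run the script at all unless the generation step exited 0.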

Brocade Switch Type Matrix

I recently performed an inventory of all of our Brocade switches and stumbled upon this list of switch types that allows you to identify the Brocade model number. Simply go to http:///SwitchInfo.html, search for "switchType" in the report, and compare that number to the table below to identify your model.

switchType   Model               Description
12           3900                2 Gb 32-port switch
16           3200                2 Gb 8-port value line switch
21           24000               2 Gb 128-port core fabric switch
26           3850                2 Gb 16-port switch with switch limit
27           3250                2 Gb 8-port switch with switch limit
29           4012                2 Gb 12-port Blade Server SAN I/O Module
34           200E                2 Gb 16-port switch with switch limit
37           4020                2 Gb 20-port Blade Server SAN I/O Module
43           4024                4 Gb 24-port Blade Server SAN I/O Module
44           4900                4 Gb 64-port switch
45           4016                2 Gb 16-port Blade Server SAN I/O Module
51           4018                2 Gb 16/18-port Blade Server SAN I/O Module
61           4424                2 Gb 24-port Blade Server SAN I/O Module
62           DCX                 8 Gb 798-port core fabric backbone
64           5300                8 Gb 80-port switch
66           5100                8 Gb 40-port switch
67           Encryption Switch   8 Gb 16-port encryption switch
70           5410                8 Gb 12-port Blade Server SAN I/O Module
71           300                 8 Gb 16-port switch
72           5480                8 Gb 24-port Blade Server SAN I/O Module
73           5470                8 Gb 20-port Blade Server SAN I/O Module
75           M5424               8 Gb 24-port Blade Server SAN I/O Module
77           DCX-4S              8 Gb 192-port core fabric backbone
83           7800                8 Gb 16-FC ports, 6 GbE ports extension switch
86           5450                8 Gb 26-port Blade Server SAN I/O Module
87           5460                8 Gb 26-port Blade Server SAN I/O Module
92           VA-40FC             8 Gb 40-port switch
109          6510                16 Gb 48-port switch
117          6547                16 Gb 48-port Blade Server SAN I/O Module
118          6505                16 Gb 24-port switch
120          DCX 8510-8          16 Gb 512-port core fabric backbone
121          DCX 8510-4          16 Gb 256-port core fabric backbone
124          5430                8 Gb 16-port Blade Server SAN I/O Module
125          5431                8 Gbit 16-port stackable switch module
129          6548                16 Gb 28-port Blade Server SAN I/O Module
130          M6505               16 Gbit 24-port Blade Server SAN I/O Module
133          6520                16 Gb 96-port switch
134          5432                8 Gb 24-port Blade Server SAN I/O Module
148          7840                16 Gb 24-FC ports, 16 10GbE ports, 2 40GbE ports extension switch

Disabling Telnet on Brocade Switches

We were recently directed by audit requirements to disable telnet access on all of our Brocade switches. We're going to use ssh only for remote access. The steps for disabling telnet aren't obvious, although it's not difficult to do. I've outlined two different procedures below, as the process differs if you're running an FOS version below 5.3.x.

Commands for disabling telnet for ipv4 and ipv6

For FOS 5.3.x and above:

You cannot change the default filter sets, so you have to clone default_ipv4 and default_ipv6 to new sets. While logged on to the switch using ssh, enter the following commands:

ipfilter --clone BlockPort23 -from default_ipv4
ipfilter --clone BlockPort23ipv6 -from default_ipv6

A filter set is built from a list of numbered rules. You need to verify the number of the rule for the telnet port (23). This can be done with this command:

ipfilter --show

The default rule for telnet is 2.

The next step is to delete the old rule and create a new one. Change "-rule 2" to the appropriate rule number from the previous step, if needed.

ipfilter --delrule BlockPort23 -rule 2

ipfilter --delrule BlockPort23ipv6 -rule 2

ipfilter --addrule BlockPort23 -rule 2 -sip any -dp 23 -proto tcp -act deny

ipfilter --addrule BlockPort23ipv6 -rule 2 -sip any -dp 23 -proto tcp -act deny

Next you need to save the new filter sets and activate them:

ipfilter --save BlockPort23
ipfilter --save BlockPort23ipv6

ipfilter --activate BlockPort23
ipfilter --activate BlockPort23ipv6

Now all traffic on port 23 is blocked. You can verify it by typing ipfilter --show again:

Name: BlockPort23ipv6, Type: ipv6, State: active
Rule    Source IP                               Protocol   Dest Port   Action
1     any                                            tcp       22     permit 
2     any                                            tcp       23     deny 
3     any                                            tcp      897     permit 
4     any                                            tcp      898     permit 
5     any                                            tcp      111     permit 
6     any                                            tcp       80     permit 
7     any                                            tcp      443     permit 
8     any                                            udp      161     permit 
9     any                                            udp      111     permit 
10    any                                            udp      123     permit 
11    any                                            tcp      600 - 1023     permit 
12    any                                            udp      600 - 1023     permit 
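Both ipfilter procedures on this page (permitting port 80 in the first post, denying port 23 here) hinge on reading the rule number for a port out of `ipfilter --show` before running `--delrule`, and on re-reading the output afterwards to confirm the active policy does what was intended. The helper below is an added example, not the author's code: it parses saved `ipfilter --show` output, reports which rule in a named policy is the first to match a protocol and destination port (including the "600 - 1023" range rules), and turns that into a pass/fail check for "is this port explicitly denied". The sample output is constructed in the layout the switch prints; the policy names and rules are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): look up the matching rule for
# a protocol/port in saved "ipfilter --show" output, and check its action.
# Capture the input with:  ssh admin@switch ipfilter --show > ipfilter.txt

# ipfilter_rule_for FILE POLICY PROTO PORT
# Prints "<rule> <action>" for the first rule in POLICY matching PROTO/PORT
# (first match wins, as the switch evaluates rules in order). Range rules
# such as "600 - 1023" are honoured. Exit status 1 when no rule matches.
ipfilter_rule_for() {
    awk -v pol="$2" -v proto="$3" -v port="$4" '
        /^Name: / {                         # "Name: <policy>, Type: ..., State: ..."
            name = $2; sub(/,$/, "", name)
            inpol = (name == pol); next
        }
        inpol && /^[0-9]+[ \t]/ && $3 == proto {
            lo = $4 + 0; hi = lo
            if ($5 == "-") hi = $6 + 0      # "600 - 1023" spreads over three fields
            if (port + 0 >= lo && port + 0 <= hi) { print $1, $NF; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# ipfilter_port_denied FILE POLICY PROTO PORT
# 0 = explicitly denied, 1 = explicitly permitted, 2 = no rule matches.
ipfilter_port_denied() {
    match=$(ipfilter_rule_for "$1" "$2" "$3" "$4") || return 2
    case "$match" in *deny) return 0 ;; *) return 1 ;; esac
}

# Constructed sample: the default policy (port 80 still denied, as in the first
# post) plus a cloned policy with the telnet rule kept and port 80 opened.
SAMPLE_IPFILTER=$(mktemp)
cat > "$SAMPLE_IPFILTER" <<'EOF'
Name: default_ipv4, Type: ipv4, State: defined
Rule    Source IP       Protocol   Dest Port   Action
1     any             tcp       22     permit
2     any             tcp       23     deny
3     any             tcp      897     permit
4     any             tcp      898     permit
5     any             tcp      111     permit
6     any             tcp       80     deny
7     any             tcp      443     permit
8     any             udp      161     permit
9     any             udp      111     permit
10    any             udp      123     permit
11    any             tcp      600 - 1023     permit
12    any             udp      600 - 1023     permit

Name: BlockPort23, Type: ipv4, State: active
Rule    Source IP       Protocol   Dest Port   Action
1     any             tcp       22     permit
2     any             tcp       23     deny
3     any             tcp       80     permit
4     any             tcp      443     permit
EOF

printf 'default_ipv4 tcp/80 matches rule: %s\n' "$(ipfilter_rule_for "$SAMPLE_IPFILTER" default_ipv4 tcp 80)"
if ipfilter_port_denied "$SAMPLE_IPFILTER" BlockPort23 tcp 23; then
    echo "BlockPort23: telnet (tcp/23) is denied"
fi
```

Feed it the real output and the policy whose State is "active"; the rule number it prints is the one to pass to `--delrule`, and a non-zero result from `ipfilter_port_denied` for tcp/23 after `--activate` means the telnet block did not take effect. A port with no matching rule (status 2) falls through to the switch's implicit handling, which this example does not model.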

For FOS 5.2.x and below:

It's a bit simpler for the older FOS versions. Simply type "configure" at the prompt, type yes for system services, then 'off' for telnetd.

switchname:admin> configure
Not all options will be available on an enabled switch. To disable the switch, use the "switchDisable" command.
Configure…
  System services (yes, y, no, n): [no] y
    rstatd (on, off): [off]
    rusersd (on, off): [off]
    telnetd (on, off): [on] off
    ssl attributes (yes, y, no, n): [no]
   http attributes (yes, y, no, n): [no]
   snmp attributes (yes, y, no, n): [no]
   rpcd attributes (yes, y, no, n): [no]
   cfgload attributes (yes, y, no, n): [no]
   webtools attributes (yes, y, no, n): [no]