Category Archives: guides-brocade

Configuring a Brocade Switch for Access Gateway (AG) Mode

What is Access Gateway Mode?

Access Gateway mode is useful when you need to add more ports to your fabric without the additional complexity of using additional zoning configurations or additional domains.  It allows us to configure an F port as N port.

Other Useful Brocade related posts

FOS CLI Reference Guide
Automating Config Zone Backups
Scripting Alias and Zone Creation
Switch Type Matrix
Disabling Telnet

Verify NPIV is enabled on the Upstream Switch

We first need to ensure that the upstream switch that the access gateway (AG) switch will connect to has NPIV enabled.  Log in to the upstream switch to verify.

  1. Verify NPIV is enabled by running ‘portcfgshow’.
  2. If it is not enabled, enable it by running ‘portcfgnpivport’.

Steps to Configure and Enable AG Mode

Below are the steps for placing a switch in Access Gateway Mode.  Note that all zoning information on the switch that you’re enabling it on will be lost.  In addition, it’s important to note that Access Gateway mode changes other standard behaviors of the switch as well.  I encourage you to review the Brocade Access Gateway Administrator’s Guide if you have any doubts. In addition to zoning, the following servers are also not available in AG mode:  FCAL, Fabric Manager, FICON, IP over FC, ISL Trunking, Extended Fabrics, Management Platform services, Name services (SNS), Port Mirroring, and SMI-S.

  1. Backing up your current configuration is important, and should be done first. I’ve automated this in my environment, you can view my post on automating configuration and zone backups here.  The basic command for backing up your configuration manually is below.
  1. Next you should verify that the switch is in native mode. This can be verified by running ‘switchshow’ and checking the mode, it should be set to 0 (zero).  To change it to zero, use the ‘interopmode’ command.
interopmode 0
  1. Next we disable the switch, run the ‘switchdisable’ command for this step.
  1. Next we enable access gateway mode on the switch with the ‘ag –modeenable’ command. Enabling agmode will remove all the configuration data on the switch, including your zoning configuration and security database.  Make sure you backup your configuration using configupload before performing this step.  After running the command, you will be prompted to reboot the switch.
ag –modeenable

Verify AG Mode is enabled

  1. After the switch has rebooted, log in and verify that access gateway mode is enabled. This is done with the “modeshow” switch on the ag command.
ag --modeshow

Access Gateway mode is enabled
  1. In order to view how the automatic port mapping has been configured on the switch, use the “ag –mapshow” command.
ag --mapshow



0   13;14    None           None             1       1         0   pg0

1   1;2      None           None             1       1         0   pg0

2   9;10     None           None             1       1         0   pg0

3   7;8      None           None             1       1         0   pg0

4   11;12    None           None             1       1         0   pg0

5   5;6      None           None             1       1         0   pg0

6   15;16    None           None             1       1         0   pg0

7   3;4      None           None             1       1         0   pg0

Modifying AG Port Mappings

It is possible to change the port mappings after the initial configuration if modifications are necessary.  Below are the steps to do so.

  1. A port’s existing mapping bust be removed before it can be modified. Delete the configuration with the “ag –mapdel” command, as shown below.
ag --mapdel N_Port “fport1;fport2”

ag --mapdel 0 "13;14"

F_Port to N_Port mapping has been updated successfully
  1. Now that the original mapping has been removed, the new port mapping can be created.
ag --mapadd n_portnumber fport1;fport2

ag --mapadd 13 "1;2;5;6"

Sample Output:

WARNING: Mapping F_Port(s) to this N_Port may cause the F_Port(s) to be disabled

F_Port to N_Port mapping has been updated successfully


Web interface disabled on brocade switch

I ran into an issue where one of our brocade switches was inaccessible via the web browser. The error below was displayed when connecting to the IP:

Interface disabled
This Interface ( has been blocked by the administrator.

In order to resolve this, you’ll need to allow port 80 traffic on the switch.  It was disabled on mine.

First, Log in to the switch and review the existing IP filters (Look for port 80 set to deny):

switcho1:admin> ipfilter –show

Name: default_ipv4, Type: ipv4, State: active
Rule Source IP Protocol Dest Port Action
1 any tcp 22 permit
2 any tcp 23 deny
3 any tcp 897 permit
4 any tcp 898 permit
5 any tcp 111 permit
6 any tcp 80 deny
7 any tcp 443 permit
8 any udp 161 permit
9 any udp 111 permit
10 any udp 123 permit
11 any tcp 600 – 1023 permit
12 any udp 600 – 1023 permit

Next, clone the default policy, as you cannot make changes to the default policy.  Note that you can name the policy anything you like, I chose to name it “Allow80”.

ipfilter –clone Allow80 -from default_ipv4

Delete the rule that denys port 80 (rule 6 in the above example):

ipfilter –delrule Allow80 -rule 6

Add a rule back in to permit it:

ipfilter –addrule Allow80 -rule 12 -sip any -dp 80 -proto tcp -act permit

Save it:

ipfilter –save Allow80

Activate it (this will change default policy to a “defined” state):

ipfilter –activate Allow80


That’s it… you should now be able to access your switch via the web browser.

Disabling Telnet on Brocade Switches

We were recently directed by audit requirements to disable telnet access on all of our brocade switches.  We’re going to use ssh only for remote access.   The steps for disabling telnet aren’t obvious although it’s not difficult to do.  I’ve outlined two different procedures below for disabling telnet on FOS, as it’s different if you’re running an FOS version below 5.3.x.

Commands for disabling telnet for ipv4 and ipv6

For FOS 5.3.x and above:

You cannot change the default filter sets,  you have to clone the default_ipv4 and default_ipv6 to new sets.  While logged on to the switch using ssh enter the following command:

ipfilter –clone BlockPort23 -from default_ipv4 ipfilter –clone BlockPort23ipv6 -from default_ipv6

A filter set is built on a list of numbered rules.   You need to verify the number of the rule for the telnet port (23). This can be done with this command:

ipfilter –show  

The default rule for telnet is 2.

The next step is to delete the old rule and create a new one.  Change the -rule 2 to the appropriate rule number from the previous step, if needed.

ipfilter –delrule BlockPort23 -rule 2

ipfilter –delrule BlockPort23ipv6 -rule 2

ipfilter –addrule BlockPort23 -rule 2 -sip any -dp 23 -proto tcp -act deny

ipfilter –addrule BlockPort23ipv6 -rule 2 -sip any -dp 23 -proto tcp -act deny

Next you need to save the new filter set and activate it:

ipfilter –save BlockPort23 ipfilter –save BlockPort23ipv6

ipfilter –activate BlockPort23 ipfilter –activate BlockPort23ipv6

Now all traffic on port 23 is blocked.  You can verify it by typing in  ipfilter –show again:

Name: BlockPort23ipv6, Type: ipv6, State: active
Rule    Source IP                               Protocol   Dest Port   Action
1     any                                            tcp       22     permit 
2     any                                            tcp       23     deny 
3     any                                            tcp      897     permit 
4     any                                            tcp      898     permit 
5     any                                            tcp      111     permit 
6     any                                            tcp       80     permit 
7     any                                            tcp      443     permit 
8     any                                            udp      161     permit 
9     any                                            udp      111     permit 
10    any                                            udp      123     permit 
11    any                                            tcp      600 - 1023     permit 
12    any                                            udp      600 - 1023     permit 

For FOS 5.2.x and below:

It’s a bit simpler for the older FOS versions.  Simply type “configure” at the prompt, type yes for system services, then ‘off’ for telnetd.

switchname:admin> configure
Not all options will be available on an enabled switch. To disable the switch, use the “switchDisable” command.
  System services (yes, y, no, n): [no] y
    rstatd (on, off): [off]
    rusersd (on, off): [off]
    telnetd (on, off): [on] off
    ssl attributes (yes, y, no, n): [no]
   http attributes (yes, y, no, n): [no]
   snmp attributes (yes, y, no, n): [no]
   rpcd attributes (yes, y, no, n): [no]
   cfgload attributes (yes, y, no, n): [no]
   webtools attributes (yes, y, no, n): [no]