Tag Archives: brocade

Configuring a Brocade Switch for Access Gateway (AG) Mode

What is Access Gateway Mode?

Access Gateway mode is useful when you need to add more ports to your fabric without the complexity of additional zoning configurations or additional domains. It allows us to configure an F port as an N port.


Verify NPIV is enabled on the Upstream Switch

We first need to ensure that the upstream switch that the access gateway (AG) switch will connect to has NPIV enabled.  Log in to the upstream switch to verify.

  1. Verify NPIV is enabled by running ‘portcfgshow’.
  2. If it is not enabled, enable it by running ‘portcfgnpivport’.

Steps to Configure and Enable AG Mode

Below are the steps for placing a switch in Access Gateway mode. Note that all zoning information on the switch you're enabling it on will be lost. Access Gateway mode also changes other standard behaviors of the switch. I encourage you to review the Brocade Access Gateway Administrator's Guide if you have any doubts. In addition to zoning, the following services are not available in AG mode: FCAL, Fabric Manager, FICON, IP over FC, ISL Trunking, Extended Fabrics, Management Platform services, Name services (SNS), Port Mirroring, and SMI-S.

  1. Backing up your current configuration is important and should be done first. I've automated this in my environment; you can view my post on automating configuration and zone backups here. The basic command for backing up your configuration manually is below.
configupload -ftp $FTPHOST, $FTPUSER, $FTPPATH, $FTPPASSWORD
  2. Next, verify that the switch is in native mode. Run 'switchshow' and check the mode; it should be set to 0 (zero). To change it to zero, use the 'interopmode' command.
interopmode 0
  3. Next, disable the switch with the 'switchdisable' command.
switchdisable
  4. Next, enable Access Gateway mode on the switch with the 'ag --modeenable' command. Enabling AG mode removes all the configuration data on the switch, including your zoning configuration and security database. Make sure you back up your configuration using configupload before performing this step. After running the command, you will be prompted to reboot the switch.
ag --modeenable

Verify AG Mode is enabled

  1. After the switch has rebooted, log in and verify that access gateway mode is enabled. This is done with the “modeshow” switch on the ag command.
ag --modeshow

Access Gateway mode is enabled
  2. To view how the automatic port mapping has been configured on the switch, use the "ag --mapshow" command.
ag --mapshow

N_Port|Config_F_Ports|Static_F_Prt|Current_F_Prt|Failovr|Failbck|PGID|PG_Name
------------------------------------------------------------------------------
0   13;14    None           None             1       1         0   pg0
1   1;2      None           None             1       1         0   pg0
2   9;10     None           None             1       1         0   pg0
3   7;8      None           None             1       1         0   pg0
4   11;12    None           None             1       1         0   pg0
5   5;6      None           None             1       1         0   pg0
6   15;16    None           None             1       1         0   pg0
7   3;4      None           None             1       1         0   pg0

Modifying AG Port Mappings

It is possible to change the port mappings after the initial configuration if modifications are necessary.  Below are the steps to do so.

  1. A port's existing mapping must be removed before it can be modified. Delete the configuration with the "ag --mapdel" command, as shown below.
ag --mapdel N_Port "fport1;fport2"

ag --mapdel 0 "13;14"

F_Port to N_Port mapping has been updated successfully
  2. Now that the original mapping has been removed, the new port mapping can be created.
ag --mapadd N_Port "fport1;fport2"

ag --mapadd 13 "1;2;5;6"

Sample Output:

WARNING: Mapping F_Port(s) to this N_Port may cause the F_Port(s) to be disabled

F_Port to N_Port mapping has been updated successfully
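
The delete-then-add sequence above can be planned from the current "ag --mapshow" output before touching the switch. The following is an added example, not code from the original post: it parses the table shown earlier and builds the commands needed to move F_Ports to another N_Port. The function names and the handling of a "None" entry in Config_F_Ports are assumptions.

```python
# `ag --mapshow` output as shown on this page, embedded so the example runs offline.
MAPSHOW = """\
N_Port|Config_F_Ports|Static_F_Prt|Current_F_Prt|Failovr|Failbck|PGID|PG_Name
------------------------------------------------------------------------------
0   13;14    None           None             1       1         0   pg0
1   1;2      None           None             1       1         0   pg0
2   9;10     None           None             1       1         0   pg0
3   7;8      None           None             1       1         0   pg0
4   11;12    None           None             1       1         0   pg0
5   5;6      None           None             1       1         0   pg0
6   15;16    None           None             1       1         0   pg0
7   3;4      None           None             1       1         0   pg0
"""

def parse_mapshow(text):
    """Return {n_port: [configured F_Ports]} from `ag --mapshow` output."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or not fields[0].isdigit():
            continue  # header, separator or blank line
        # Assumption: an N_Port with no configured F_Ports shows "None" here.
        ports = [] if fields[1] == "None" else [int(p) for p in fields[1].split(";")]
        mapping[int(fields[0])] = ports
    return mapping

def plan_remap(mapping, n_port, f_ports):
    """Commands that move f_ports onto n_port, deleting each old mapping first."""
    fmt = lambda ports: ";".join(str(p) for p in ports)
    commands = []
    for owner, ports in sorted(mapping.items()):
        moving = [p for p in ports if p in f_ports and owner != n_port]
        if moving:
            commands.append(f'ag --mapdel {owner} "{fmt(moving)}"')
    new = [p for p in f_ports if p not in mapping.get(n_port, [])]
    if new:
        commands.append(f'ag --mapadd {n_port} "{fmt(new)}"')
    return commands

def emptied_n_ports(mapping, n_port, f_ports):
    """N_Ports that are left with no F_Ports once the plan is applied."""
    return [n for n, ports in sorted(mapping.items())
            if n != n_port and ports and all(p in f_ports for p in ports)]
```

Calling plan_remap(parse_mapshow(MAPSHOW), 1, [13, 14]) returns the "ag --mapdel 0" command followed by the "ag --mapadd 1" command, and emptied_n_ports reports that N_Port 0 would be left without F_Ports.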

 


Brocade Switch Type Matrix

I recently performed an inventory of all of our Brocade switches and stumbled upon this list of switch types that allows you to identify the Brocade model number.  Simply go to http:///SwitchInfo.html, do a search for “switchType” in the report, and compare that number to the table below to identify your model.

switchType | Model             | Description
-----------|-------------------|------------------------------------------------------------------
12         | 3900              | 2 Gb 32-port switch
16         | 3200              | 2 Gb 8-port value line switch
21         | 24000             | 2 Gb 128-port core fabric switch
26         | 3850              | 2 Gb 16-port switch with switch limit
27         | 3250              | 2 Gb 8-port switch with switch limit
29         | 4012              | 2 Gb 12-port Blade Server SAN I/O Module
34         | 200E              | 2 Gb 16-port switch with switch limit
37         | 4020              | 2 Gb 20-port Blade Server SAN I/O Module
43         | 4024              | 4 Gb 24-port Blade Server SAN I/O Module
44         | 4900              | 4 Gb 64-port switch
45         | 4016              | 2 Gb 16-port Blade Server SAN I/O Module
51         | 4018              | 2 Gb 16/18-port Blade Server SAN I/O Module
61         | 4424              | 2 Gb 24-port Blade Server SAN I/O Module
62         | DCX               | 8 Gb 798-port core fabric backbone
64         | 5300              | 8 Gb 80-port switch
66         | 5100              | 8 Gb 40-port switch
67         | Encryption Switch | 8 Gb 16-port encryption switch
70         | 5410              | 8 Gb 12-port Blade Server SAN I/O Module
71         | 300               | 8 Gb 16-port switch
72         | 5480              | 8 Gb 24-port Blade Server SAN I/O Module
73         | 5470              | 8 Gb 20-port Blade Server SAN I/O Module
75         | M5424             | 8 Gb 24-port Blade Server SAN I/O Module
77         | DCX-4S            | 8 Gb 192-port core fabric backbone
83         | 7800              | 8 Gb 16-FC ports, 6 GbE ports extension switch
86         | 5450              | 8 Gb 26-port Blade Server SAN I/O Module
87         | 5460              | 8 Gb 26-port Blade Server SAN I/O Module
92         | VA-40FC           | 8 Gb 40-port switch
109        | 6510              | 16 Gb 48-port switch
117        | 6547              | 16 Gb 48-port Blade Server SAN I/O Module
118        | 6505              | 16 Gb 24-port switch
120        | DCX 8510-8        | 16 Gb 512-port core fabric backbone
121        | DCX 8510-4        | 16 Gb 256-port core fabric backbone
124        | 5430              | 8 Gb 16-port Blade Server SAN I/O Module
125        | 5431              | 8 Gb 16-port stackable switch module
129        | 6548              | 16 Gb 28-port Blade Server SAN I/O Module
130        | M6505             | 16 Gb 24-port Blade Server SAN I/O Module
133        | 6520              | 16 Gb 96-port switch
134        | 5432              | 8 Gb 24-port Blade Server SAN I/O Module
148        | 7840              | 16 Gb 24-FC ports, 16 10GbE ports, 2 40GbE ports extension switch

Disabling Telnet on Brocade Switches

We were recently directed by audit requirements to disable telnet access on all of our Brocade switches. We're going to use ssh only for remote access. The steps for disabling telnet aren't obvious, although it's not difficult to do. I've outlined two different procedures below for disabling telnet on FOS, as it's different if you're running an FOS version below 5.3.x.

Commands for disabling telnet for ipv4 and ipv6

For FOS 5.3.x and above:

You cannot change the default filter sets; you have to clone default_ipv4 and default_ipv6 to new sets. While logged on to the switch using ssh, enter the following commands:

ipfilter --clone BlockPort23 -from default_ipv4
ipfilter --clone BlockPort23ipv6 -from default_ipv6

A filter set is built on a list of numbered rules.   You need to verify the number of the rule for the telnet port (23). This can be done with this command:

ipfilter --show

The default rule for telnet is 2.

The next step is to delete the old rule and create a new one.  Change the -rule 2 to the appropriate rule number from the previous step, if needed.

ipfilter --delrule BlockPort23 -rule 2
ipfilter --delrule BlockPort23ipv6 -rule 2

ipfilter --addrule BlockPort23 -rule 2 -sip any -dp 23 -proto tcp -act deny
ipfilter --addrule BlockPort23ipv6 -rule 2 -sip any -dp 23 -proto tcp -act deny

Next you need to save the new filter set and activate it:

ipfilter --save BlockPort23
ipfilter --save BlockPort23ipv6

ipfilter --activate BlockPort23
ipfilter --activate BlockPort23ipv6

Now all traffic on port 23 is blocked. You can verify it by running ipfilter --show again:

Name: BlockPort23ipv6, Type: ipv6, State: active
Rule    Source IP                               Protocol   Dest Port   Action
1     any                                            tcp       22     permit 
2     any                                            tcp       23     deny 
3     any                                            tcp      897     permit 
4     any                                            tcp      898     permit 
5     any                                            tcp      111     permit 
6     any                                            tcp       80     permit 
7     any                                            tcp      443     permit 
8     any                                            udp      161     permit 
9     any                                            udp      111     permit 
10    any                                            udp      123     permit 
11    any                                            tcp      600 - 1023     permit 
12    any                                            udp      600 - 1023     permit 
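
The verification step above can be scripted for an audit. The following is an added example, not code from the original post: it parses "ipfilter --show" output and reports any active policy that still permits tcp/23, or an address family with no active policy. The sample output is constructed, and in-order, first-match rule evaluation is an assumption.

```python
import re

# Constructed sample in the `ipfilter --show` layout above; ipv6 was cloned but never activated.
SAMPLE = """\
Name: BlockPort23, Type: ipv4, State: active
Rule    Source IP     Protocol   Dest Port   Action
1     any               tcp       22     permit
2     any               tcp       23     deny
3     any               tcp      600 - 1023     permit
Name: BlockPort23ipv6, Type: ipv6, State: defined
Rule    Source IP     Protocol   Dest Port   Action
1     any               tcp       22     permit
2     any               tcp       23     deny
Name: default_ipv6, Type: ipv6, State: active
Rule    Source IP     Protocol   Dest Port   Action
1     any               tcp       22     permit
2     any               tcp       23     permit
"""

HEADER = re.compile(r"Name:\s*(\S+),\s*Type:\s*(\S+),\s*State:\s*(\S+)")
RULE = re.compile(r"^(\d+)\s+(\S+)\s+(tcp|udp)\s+(\d+)(?:\s*-\s*(\d+))?\s+(permit|deny)$")

def parse_policies(text):
    """Split the output into policies, each holding its numbered rules."""
    policies = []
    for line in text.splitlines():
        head, rule = HEADER.search(line), RULE.match(line.strip())
        if head:
            policies.append(dict(zip(("name", "type", "state"), head.groups()), rules=[]))
        elif rule and policies:
            num, sip, proto, low, high, action = rule.groups()
            policies[-1]["rules"].append((int(num), sip, proto, int(low), int(high or low), action))
    return policies

def audit_telnet(text, port=23):
    """Return findings; an empty list means tcp/23 is denied for ipv4 and ipv6."""
    active = {p["type"]: p for p in parse_policies(text) if p["state"] == "active"}
    findings = [f"{f}: no active policy in output" for f in ("ipv4", "ipv6") if f not in active]
    for family, policy in active.items():
        # Assumption: rules are evaluated in rule-number order and the first match wins.
        for num, sip, proto, low, high, action in sorted(policy["rules"]):
            if proto != "tcp" or not low <= port <= high:
                continue
            if action == "permit":
                findings.append(
                    f"{family}: {policy['name']} rule {num} permits tcp/{port} from {sip}")
            if sip == "any":
                break  # an any-source rule decides every remaining source
    return findings
```

On the constructed sample, audit_telnet(SAMPLE) flags default_ipv6 rule 2, the case where the ipv6 clone was saved but the default set is still the active one.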

For FOS 5.2.x and below:

It’s a bit simpler for the older FOS versions.  Simply type “configure” at the prompt, type yes for system services, then ‘off’ for telnetd.

switchname:admin> configure
Not all options will be available on an enabled switch. To disable the switch, use the “switchDisable” command.
Configure…
  System services (yes, y, no, n): [no] y
    rstatd (on, off): [off]
    rusersd (on, off): [off]
    telnetd (on, off): [on] off
    ssl attributes (yes, y, no, n): [no]
   http attributes (yes, y, no, n): [no]
   snmp attributes (yes, y, no, n): [no]
   rpcd attributes (yes, y, no, n): [no]
   cfgload attributes (yes, y, no, n): [no]
   webtools attributes (yes, y, no, n): [no]