Basic Device Administration
3 - 1 Revision 0111
CNE200
The chassis systems have at least one management blade and, depending on the number
of slots in the chassis, a number of interface modules, or blades.
The management blade has a DB-9 serial console port and an RJ-45 management port, and
can be installed in any open slot.
•Standalone switches do not use blades, and are discrete systems with up to 48 ports,
depending on model.
•The first step in configuring a Brocade device is to assign an IP address. Connect the
console cable shipped with the device and use the CLI to assign the IP address. After
the IP address is assigned, the system can be accessed through Telnet, the Web
management interface, or IronView. To connect a management station using the serial
port, use a straight-through cable or a DB9-to-USB converter, depending on which type
of port is available. A terminal emulation program such as HyperTerminal or PuTTY is
required on the PC. The session parameters should be set to 9600 baud, 8 data bits,
no parity, 1 stop bit, and no flow control. For a modem connection, a crossover cable
is required.
You may configure an IP address for the RJ45 management interface and Telnet to it, or
you may configure an IP address for the Layer 2 switch (globally) and then Telnet to the
switch to access the CLI.
Some models are stackable, which combines standalone switches through a pluggable
backplane. Stackable models are managed as a single unit.
Switch fabric modules switch packets from one interface module to another. NetIron
routers can be configured with multiple switch fabric modules as described here:
• 4-slot router: Accommodates three switch fabric modules (two required and one
redundant) for a fully-loaded system. Ships with two switch fabric modules. Additional
switch fabric modules must be purchased to equip the router for redundancy.
• 8-slot router: Accommodates three switch fabric modules (two required and one
redundant) for a fully-loaded system. Ships with two switch fabric modules. Additional
switch fabric modules must be purchased to equip the router for redundancy.
• 16-slot router: Accommodates four switch fabric modules (three required and one
redundant) for a fully-loaded system. Ships with three switch fabric modules. Additional
switch fabric modules must be purchased to equip the router for redundancy.
• 32-slot router: Accommodates and ships with eight switch fabric modules.
The table below lists the descriptions for both port and SFP/SFP+ LEDs for the FCX648-E.
The following notes page has similar tables for the system status and power LEDs.

LED                | Condition         | Status
-------------------|-------------------|-------------------------------------------------
Ethernet (1~24/48) | On/Flashing Green | The port has established a valid link at
Link, Activity or  |                   | 10/100/1000 Mbps. Flashing indicates the port is
Speed              |                   | transmitting and receiving user packets.
                   | Off               | A link is not established with a remote port.
SFP (1F~4F)        | On/Flashing Green | The SFP port has established a valid link.
Link or Activity   |                   | Flashing indicates the port is transmitting and
                   |                   | receiving user packets.
                   | Off               | A link is not established with a remote port.
SFP+ (1F~4F)       | On/Flashing Green | The SFP port is operating at 10 Gbps. Flashing
Speed              |                   | indicates the port is transmitting and receiving
                   |                   | user packets.
                   | Off               | A link is not established with a remote port.
The table below lists the descriptions of the system status LEDs for the FCX648-E.

LED                    | Condition         | Status
-----------------------|-------------------|---------------------------------------------
PS1, PS2               | Green             | Power supply is operating normally. It is
(Power Supply Status)  |                   | installed properly and the power cord is
                       |                   | attached to a power source.
                       | Amber             | Power supply fault. The power supply may not
                       |                   | be installed properly.
                       | Off               | Power off or failure.
Diag (Diagnostic)      | Flashing Green    | System self-diagnostic test in progress.
                       | Green             | System self-diagnostic test successfully
                       |                   | completed.
                       | Amber             | System self-diagnostic test has detected a
                       |                   | fault (blower, thermal or any interface fault).
Out-of-band Management | On/Flashing Green | The port has established a valid link at
Link or Activity       |                   | 10/100/1000 Mbps. Flashing indicates the port
                       |                   | is transmitting and receiving user packets.
                       | Off               | A link is not established with a remote port.
The tables below list the descriptions of the power status LEDs for the FCX648-E, for
single and dual power supply models.

LED   | Condition | Status
------|-----------|---------------
DC OK | Green     | DC output ok
      | Red       | DC output fail
AC OK | Green     | AC output ok
      | Off       | AC output fail

NOTE: Both “AC OK” and “DC OK” LEDs must be green for the device to function normally.

State                         | LED   | PSU1  | PSU2  | Switch Status        | Redundancy
------------------------------|-------|-------|-------|----------------------|-----------
                              | AC OK | Green | Green | Running              | Yes
                              | DC OK | Green | Green |                      |
Single red “DC OK” LED        | AC OK | Green | Green | Running              | No
                              | DC OK | Green | Red   |                      |
Both “DC OK” LEDs red         | AC OK | Green | Green | Failure              | No
                              | DC OK | Red   | Red   |                      |
One PSU with both “AC OK” and | AC OK | Green | Off   | Running              | No
“DC OK” LEDs off              | DC OK | Green | Off   |                      |
“DC OK” LEDs red and off      | AC OK | Green | Off   | Failure              | No
                              | DC OK | Red   | Off   |                      |
All “AC OK” LEDs off          | AC OK | Off   | Off   | Power off or failure | No
                              | DC OK | Off   | Off   |                      |
SW-Switch> User Level EXEC Command
SW-Switch# Privileged Level EXEC Command
Access to the CLI is established either through a direct serial connection to the device
or through a Telnet session.
The commands in the CLI are organized into the following levels:
User EXEC – Used to display information and perform basic tasks such as ping and
traceroute.
• User EXEC level is indicated by a “>” at the end of the prompt, and is the first level
reached when booting the switch.
Privileged EXEC – Allows use of the same commands as the User EXEC level, plus
configuration commands that do not require saving the changes to the system
configuration file, as well as detailed show output.
• Privileged EXEC level is indicated by a “#” at the end of the prompt, and is
accessed by using the enable command at the User EXEC command prompt.
• This level can be secured by a password.
The CLI prompt changes at each level of the CONFIG command structure, so the current
level is easy to identify.

Prompt                           | Description
---------------------------------|---------------------------
SW-Switch>                       | User Level EXEC
SW-Switch#                       | Privileged Level EXEC
SW-Switch(config)#               | Global Level CONFIG
SW-Switch(config-if-5/1)#        | Interface Level CONFIG
SW-Switch(config-lbif-1)#        | Loopback Interface CONFIG
SW-Switch(config-ve-1)#          | Virtual Interface CONFIG
SW-Switch(config-trunk-4/1-4/8)# | Trunk group CONFIG
copy flash flash: Copies a software image between the primary and secondary
flash storage locations.
Syntax: copy flash flash [primary | secondary]
Footnote 1: Except for commands pertaining to passwords, which are always case
sensitive
If there is more than one command that begins with a particular string, the following
error message will appear:
SW_Switch# s
Ambiguous input -> s
To go back and forth between the different levels, issue the exit command, or use
Ctrl+z. The end command will move the prompt to the Privileged level from any lower
level.
The up and down arrow keys can be used to scroll back and forth between previously
entered commands.
ip address CLI command: Assigns an IP address and network mask to a Layer 2
Switch to support Telnet and SNMP management.
Syntax: [no] ip address <ip-addr> <ip-mask>
Syntax: ip address <ip-addr>/<mask-bits>
Possible values: N/A
Default value: N/A
interface CLI command: Accesses the interface CONFIG level of the CLI. You can
define a physical interface, loopback interface, virtual interface (ve), Asynchronous
Transfer Mode (ATM) interface, or Packet Over SONET (POS) interface at the Interface
level.
Syntax: [no] interface atm <slot>/<port>.<subif> [multipoint |
point-to-point]
Syntax: [no] interface ethernet <portnum> [to <portnum>]
Syntax: [no] interface loopback <num>
Syntax: interface pos <slot>/<port>
Syntax: interface ve <num>
Each 10/100/1000 port is designed to auto-sense and auto-negotiate the speed and
mode of the connected device. If the attached device does not support this operation,
the port speed may be set to operate at either 10, 100, or 1000 Mbps. The default
value is for the ports to auto-sense speed and duplex. Settings should be the same at
both ends.
show version: Lists software, hardware and firmware details for a Brocade device.
Syntax: show version
Footnote 1: NetIron CES devices also have a Monitor Image that provides the router
image handling and the memory initialization process.
The primary and secondary codes refer to the IronView base OS and application
functionality.
The BootROM code refers to the Boot Image that provides the Bootstrap functionality.
The configuration shown above is not to be considered a best practice, and only reflects
the lab environment. In production, both partitions should contain the same image.
Configuration files are also stored in both the primary and secondary flash partitions.
Footnote 2: Only one is accessible by the user. The second is for system reliability and
uses a checksum. If the checksum is not valid, the system will use the second copy.
Besides the flash partitions, the system can be booted from either a TFTP server or a
BootP server.
From the privileged EXEC level:
SW-Switch# boot system tftp 192.22.33.44 vm1r07501.bin
– Boots the system from the TFTP server at 192.22.33.44 using the file
“vm1r07501.bin”
After booting from a TFTP server, the booted image file should be copied from the TFTP
server to primary flash when the boot is completed, so that the next system boot will
maintain the current functions independent of the TFTP server connection.
To copy the system image from the secondary flash to the TFTP server with the
filename “vm1r07501.bin”:
SW-Switch# copy flash tftp 192.22.33.44 vm1r07501.bin
secondary
Reload output varies from platform to platform. The following output is from a FastIron
FCX:
SW-Switch# reload
Are you sure? (enter 'y' or 'n'): y
Running Config data has been changed. Do you want to continue
the reload without saving the running config? (enter 'y' or 'n'): y
Halt and reboot
Rebooting...
The graphic above shows both RAM and flash memory. RAM is where the current
running configuration file is stored. All changes to the current running configuration file
are kept here, and are temporary in nature. If there is a power failure, RAM is erased.
Flash memory is where the startup configuration file is stored. This file is loaded into
RAM when the system boots or is reloaded. Flash is changed by executing a write
memory command, or by a file copy from a TFTP server.
The commands above have more options which are displayed using a “?” at the end of
the command. For example “show ip ospf neighbor” provides OSPF neighbor
state information.
Note: Trunk ID is usually the port number of the lead port.
show <protocol> interfaces brief: Shows a summary of Layer 2 information for all
interfaces.
Syntax: show <protocol> interfaces brief
Syntax: show interfaces [ethernet | pos <portnum>] | [loopback <num>] |
[slot <slot-num>] | [ve <num>] | [brief] [wide]
Syntax: show <protocol> interfaces [ethernet | pos <portnum>] | [loopback <num>] |
[slot <slot-num>] | [ve <num>] | [brief] [wide]
Enter a protocol name for <protocol>; if not specified, IP is implied.
GigabitEthernet is up means that the port has been administratively enabled.
Line protocol is up means that the port is physically online and able to send
traffic.
Brocade equipment supports frames greater in size than the standard Ethernet
maximum of 1518 bytes, called Jumbo Frames. On some Brocade switches, up to 9
kbyte frames are supported. Check documentation for your specific device.
show interfaces: Displays information about interfaces on the Brocade device,
including their state, duplex mode, STP state, priority and MAC address.
Syntax: show interfaces [atm | ethernet | pos <portnum>] |
[loopback <num>] | [slot <slot-num>] | [ve <num>]
show statistics: Displays port statistics for a Brocade device (transmit, receive,
collisions, errors).
Syntax: show statistics [atm <portnum> [to <portnum>]] |
[ethernet <portnum> [to <portnum>]] | [pos <portnum> [to
<portnum>]] | [slot <slot-num>]
The atm <portnum> parameter displays statistics for a specific ATM port.
The ethernet <portnum> parameter displays statistics for a specific Ethernet port.
The pos <portnum> parameter displays statistics for a specific POS port.
The slot <slot-num> parameter displays statistics for a specific chassis slot.
Counter           | Description
------------------|--------------------------------------------------------------------
InOctets          | The total number of good octets and bad octets received.
InPkts            | The total number of packets received. The count includes rejected
                  | and local packets that are not sent to the switching core for
                  | transmission.
InBroadcastPkts   | The total number of good broadcast packets received.
InMulticastPkts   | The total number of good multicast packets received.
InUnicastPkts     | The total number of good unicast packets received.
InDiscards        | The total number of packets that were received and then dropped
                  | due to one of the following conditions:
                  | • Lack of receive buffers
                  | • Overload on the address recognition machine
InErrors          | The total number of packets received that contained one of the
                  | following errors:
                  | • CRC error – applies to regularly sized packets between 64 bytes
                  |   and the maximum allowable frame size.
                  | • Oversize – applies to packets longer than the maximum allowable
                  |   frame size but with a valid CRC.
                  | • Jabber – applies to packets longer than the maximum allowable
                  |   frame size and with an invalid CRC.
                  | • Fragment – applies to packets shorter than 64 bytes and with an
                  |   invalid CRC.
                  | • Runt – applies to packets shorter than 64 bytes but with a valid
                  |   CRC, received on a full-duplex port.
InCollisions      | The number of collisions that have occurred when receiving packets.
GiantPkts         | The total number of packets for which the following was true:
                  | • The data length was longer than the maximum allowable frame size.
                  | • No Rx Error was detected.
                  | Note: Packets are counted for this statistic regardless of whether
                  | the CRC is valid or invalid.
InBitsPerSec      | The number of bits received per second.
InPktsPerSec      | The number of bits sent per second.
InUtilization     | The percentage of the port’s bandwidth used by received traffic.
OutOctets         | The total number of good octets and bad octets sent.
OutPkts           | The total number of good packets sent. The count includes unicast,
                  | multicast, and broadcast packets.
OutBroadcastPkts  | The total number of good broadcast packets sent.
OutMulticastPkts  | The total number of good multicast packets sent.
OutUnicastPkts    | The total number of good unicast packets sent.
OutDiscards       |
OutErrors         | The number of outbound packets that had errors.
OutCollisions     | The number of collisions that have occurred when sending packets.
OutLateCollisions | The total number of packets received in which a Collision event was
                  | detected, but for which a receive error (Rx Error) event was not
                  | detected.
ShortPkts         | The total number of packets received for which the following was
                  | true:
                  | • The data length was less than 64 bytes.
                  | • No Rx Error was detected.
                  | • No Collision or Late Collision was detected.
                  | Note: Packets are counted for this statistic regardless of whether
                  | the CRC is valid or invalid.
OutBitsPerSec     | The number of bits sent per second.
OutPktsPerSec     | The number of packets sent per second.
OutUtilization    | The percentage of the port’s bandwidth used by sent traffic.
The example above filters the output of the show interface brief command so
it displays only lines containing the word “Down”. This command can be used to only
display specific interface states.
Syntax: <show-command> | include <regular-expression>
Note: The regular expression specified as the search string is case sensitive. In the
example above, a search string of “Down” would match the output above, but a search
string of “down” would not.
The command above filters the output of the show interface brief command
so it displays only lines that do not contain the word “Down”.
Syntax: <show-command> | exclude <regular-expression>
The command above filters the output of the show who command so it displays
output starting with the first line that contains the word “SSH”. This command can be
used to display information about SSH connections to the Brocade device.
Syntax: <show-command> | begin <regular-expression>
The table below lists the descriptions of the special characters allowed in search strings.

Character          | Operation
-------------------|---------------------------------------------------------------------
Period (.)         | The period matches on any single character, including a blank space.
                   | For example, the following regular expression matches “aaz”, “abz”,
                   | “acz”, and so on, but not just “az”: a.z
Asterisk (*)       | The asterisk matches on zero or more sequential instances of a
                   | pattern.
                   | For example, the following regular expression matches output that
                   | contains the string “abc”, followed by zero or more Xs: abcX*
Plus (+)           | The plus sign matches on one or more sequential instances of a
                   | pattern.
                   | For example, the following regular expression matches output that
                   | contains “de”, followed by a sequence of “g”s, such as “deg”,
                   | “degg”, “deggg”, and so on: deg+
Question Mark (?)  | The question mark matches on zero occurrences or one occurrence of a
                   | pattern.
                   | For example, the following regular expression matches output that
                   | contains “dg” or “deg”: de?g
                   | Note: Normally when you type a question mark, the CLI lists the
                   | commands or options at that CLI level that begin with the character
                   | or string you entered. However, if you enter Ctrl-V and then type a
                   | question mark, the question mark is inserted into the command line,
                   | allowing you to use it as part of a regular expression.
Caret (^)          | A caret (when not used within brackets) matches on the beginning of
                   | an input string.
                   | For example, the following regular expression matches output that
                   | begins with “deg”: ^deg
Dollar Sign ($)    | A dollar sign matches on the end of an input string.
                   | For example, the following regular expression matches output that
                   | ends with “deg”: deg$
Underscore (_)     | An underscore matches on one or more of the following:
                   | • , (comma)
                   | • { (left curly brace)
                   | • } (right curly brace)
                   | • ( (left parenthesis)
                   | • ) (right parenthesis)
                   | • The beginning of the input string
                   | • The end of the input string
                   | • A blank space
                   | For example, the following regular expression matches on “100” but
                   | not on “1002”, “2100”, and so on: _100_
Square Brackets [] | Square brackets enclose a range of single-character patterns.
                   | For example, the following regular expression matches output that
                   | contains “1”, “2”, “3”, “4”, or “5”: [1-5]
                   | You can use the following expression symbols within the brackets.
                   | These symbols are allowed only inside the brackets.
                   | • ^ – The caret matches on any characters except the ones in the
                   |   brackets. For example, the following regular expression matches
                   |   output that does not contain “1”, “2”, “3”, “4”, or “5”: [^1-5]
                   | • - – The hyphen separates the beginning and ending of a range of
                   |   characters. A match occurs if any of the characters within the
                   |   range is present.
Vertical Bar (|)   | A vertical bar separates two alternative values or sets of values.
                   | The output can match one or the other value.
                   | For example, the following regular expression matches output that
                   | contains either “abc” or “defg”: abc|defg
Parentheses ()     | Parentheses allow you to create complex expressions.
                   | For example, the following complex expression matches on “abc”,
                   | “abcabc”, or “defg”, but not on “abcdefgdefg”: ((abc)+)|((defg)?)
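The include, exclude and begin filters and the search-string rules above, worked as an added
example that is not part of the course notes: a small Python model of the filter over a
constructed "show interface brief" sample. The only Brocade-specific token that needs
translating is the underscore; the sample output and the filter_output/to_python_regex
names are assumptions of this example.

```python
import re

# Constructed sample of "show interface brief" output (not captured from a real device).
SHOW_INTERFACE_BRIEF = """\
Port  Link     State   Dupl Speed Trunk Tag Priori MAC            Name
1/1   Up       Forward Full 1G    None  No  level0 0000.0000.0101 uplink
1/2   Down     None    None None  None  No  level0 0000.0000.0102
1/3   Up       Forward Full 100M  None  No  level0 0000.0000.0103 server100
1/4   Disabled None    None None  None  No  level0 0000.0000.0104
1/5   Up       Forward Full 1G    None  No  level0 0000.0000.0105 100
"""


def to_python_regex(search_string: str) -> "re.Pattern[str]":
    """Translate a CLI search string into a Python regex.

    The only Brocade-specific token is the underscore, which matches a comma,
    curly brace, parenthesis, blank space, or the start or end of the line.
    Everything else (. * + ? ^ $ [] | ()) already means the same in Python.
    Matching stays case sensitive, as it is on the device.
    """
    translated = search_string.replace("_", r"(?:[,{}()\s]|^|$)")
    return re.compile(translated)


def filter_output(text: str, mode: str, search_string: str) -> list[str]:
    """Apply "| include", "| exclude" or "| begin" to a block of show output."""
    pattern = to_python_regex(search_string)
    lines = text.splitlines()
    if mode == "include":          # keep only lines that match
        return [line for line in lines if pattern.search(line)]
    if mode == "exclude":          # keep only lines that do not match
        return [line for line in lines if not pattern.search(line)]
    if mode == "begin":            # everything from the first matching line on
        for index, line in enumerate(lines):
            if pattern.search(line):
                return lines[index:]
        return []
    raise ValueError(f"unknown filter mode: {mode}")


if __name__ == "__main__":
    # "Down" lists port 1/2; "_100_" lists only port 1/5, whose name is exactly 100,
    # while the plain string "100" would also pick up 100M and server100 on port 1/3.
    for line in filter_output(SHOW_INTERFACE_BRIEF, "include", "Down"):
        print(line)
    for line in filter_output(SHOW_INTERFACE_BRIEF, "include", "_100_"):
        print(line)
```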
Also at the --More-- prompt, press the forward slash key ( / ) and then enter a search
string. The Brocade device displays output starting from the first line that contains the
search string, similar to the begin option for show commands.
For example:
--More--, next page: Space, next line: Return key, quit: Control-c /telnet
To display lines containing only a specified search string (similar to the include option
for show commands), press the plus sign key ( + ) at the --More-- prompt and then enter
the search string.
For example:
--More--, next page: Space, next line: Return key, quit: Control-c +telnet
To display lines that do not contain a specified search string (similar to the exclude
option for show commands), press the minus sign key ( - ) at the --More-- prompt and
then enter the search string.
For example:
--More--, next page: Space, next line: Return key, quit: Control-c -telnet
Syntax for clearing individual entries:
clear mac-address <mac-address>|ethernet<port#>|vlan<vlan#>
If clear mac-address is entered without any parameter, all MAC addresses are
removed.
Use the <mac-address> parameter to remove a specific MAC address from all
VLANs.
Use the ethernet <port-num> parameter to remove all MAC addresses for a specific
port.
Use the vlan <num> parameter to remove all MAC addresses for a specific VLAN.
Example: SW-Switch# clear mac-address ethernet 1/1
The ping command can be used for troubleshooting the accessibility of devices. It uses a
series of Internet Control Message Protocol (ICMP) Echo messages to determine:
• Whether a remote host is active or inactive.
• The round-trip delay in communicating with the host, to help determine if the link is up.
• Packet loss
A test packet can be sent to a host’s IP address or host name. If the packet reaches the
host, the host generally sends a reply packet on receipt of the ping. If the host does not
reply within a specific interval, the Brocade device re-attempts the ping up to a
specified number of times.
Syntax: ping <ip addr> | <hostname> [source <ip addr>] [count <num>] [timeout <msec>]
[ttl <num>] [size <byte>] [quiet] [numeric] [no-fragment] [verify]
[data <1-to-4 byte hex>] [brief]
source <ip addr> specifies an IP address to be used as the origin of the ping packets.
count <num> specifies how many ping packets the device sends. The range is 1 –
4294967296 and the default is 1.
timeout <msec> specifies how many milliseconds the Brocade device waits for a reply from
the pinged device. The timeout range is 1 – 4294967296 milliseconds. The default is 5000
(5 seconds).
ttl <num> specifies the maximum number of hops. You can specify a TTL from 1 – 255. The
default is 64.
size <byte> specifies the size of the ICMP data portion of the packet. This is the payload
and does not include the header. The range is 0 – 4000. The default is 16.
quiet hides informational messages such as a summary of the ping parameters sent to the
device and instead only displays messages indicating the success or failure of the ping.
This option is disabled by default.
no-fragment turns on the “don’t fragment” bit in the IP header of the ping packet. This
option is disabled by default.
verify verifies that the data in the echo packet (the reply packet) is the same as the data
in the echo request (the ping). By default the device does not verify the data.
data <1 – 4 byte hex> allows use of a specific data pattern for the payload instead of the
default data pattern, “abcd”, in the packet’s data payload. The pattern repeats itself
throughout the ICMP message (payload) portion of the packet.
brief causes ping test characters to be displayed.
For a Web browser connection, the user must enter the device’s IP address. If the
device is a switch, the management IP is used; if it is a router, then the IP address of
one of the physical interfaces, or of a loopback interface, is entered.
For an IronView Network Manager (INM) connection, access is allowed if the device has
been discovered by the INM server.
For a serial console connection, physical access to the device is required, as well as
terminal emulation software.
For a telnet connection, the user can access the device by typing in telnet <ip
address of device>
Secure Shell (SSH) connections are also available.
If the write memory command is not run, the next login session will revert to the old password.
SW-Switch#reload
Are you sure? (enter 'y' or 'n'): y
Halt and reboot
Enter 'b' to go to boot monitor ... [User presses "b" key]
BOOT MONITOR> no password
OK! Skip password check when the system is up.
BOOT MONITOR> ?
?
reset
boot system flash primary
boot system flash secondary
boot system bootp
boot system tftp 1.2.3.4 file_name
boot system slot1 | slot2 file_name
ip address 1.2.3.4 255.255.255.0
ip address 1.2.3.4/24
ip default_gateway 1.2.3.1
ping 1.2.3.4
BOOT MONITOR> boot system flash primary
BOOT INFO: load from primary copy
<Truncated Output>
SW-Switch>
Once you have bypassed the password and entered into the configuration mode,
ensure that you assign a new password and save the configuration. Otherwise, once
you log out or reload the device, you will have to go through the password recovery
process again.
If no privilege level is specified, the command defaults the user to super user.
AAA is a term for a framework for intelligently controlling access to computer resources,
enforcing policies, and auditing usage, generally using a remote server running the
RADIUS or TACACS/TACACS+ protocol.
Authentication provides a way of identifying a user, typically by having the user enter a
unique, valid user name and password before access is granted.
RADIUS stands for Remote Authentication Dial-in User Service, and is a client/server
protocol that runs in the application layer, using UDP as transport. The Remote Access
Server, the Virtual Private Network server, the network switch with port-based
authentication, and the Network Access Server are all gateways that control access to
the network, and all have a RADIUS client component that communicates with the
RADIUS server.
TACACS stands for Terminal Access Controller Access-Control System. Commonly used
in Unix networks, it is a remote authentication protocol used to communicate with a
remote authentication server.
TACACS+ offers multiprotocol support, such as IP and AppleTalk. Normal operation fully
encrypts the body of the packet for more secure communications. It is not backwards
compatible with TACACS. It is a Cisco proprietary enhancement to the original TACACS
protocol, and has, for all intents and purposes, replaced TACACS.
To configure the device to use the local user accounts to authenticate access to the
device through the Web management interface, use the following command:
SW-Switch(config)# aaa authentication web-server default local
If the first authentication method is successful, the software grants access and stops
the authentication process. If the access is rejected by the first authentication method,
the software denies access and stops checking. However, if an error occurs with an
authentication method, the software tries the next method on the list, and so on. For
example, if the first authentication method is the RADIUS server but the link to the
server is down, the software will try the next authentication method in the list. If an
authentication method is working properly and the password (and user name, if
applicable) is not known to that method, this is not a system error. The authentication
attempt stops, and the user is denied access.
Method Value      | Description
------------------|-------------------------------------------------------------------
tacacs or tacacs+ | A TACACS/TACACS+ server. You can use either parameter. Each
                  | parameter supports both TACACS and TACACS+. You also must identify
                  | the server to the device using the tacacs-server command.
radius            | A RADIUS server. You also must identify the server to the device
                  | using the radius-server command.
local             | A local user name and password you configured on the device. Local
                  | user names and passwords are configured using the username command.
line              | The password you configured for Telnet access. The Telnet password
                  | is configured using the enable telnet password command.
enable            | The super-user "enable" password you configured on the device. The
                  | enable password is configured using the enable super-user-password
                  | command.
none              | No authentication is used. The device automatically permits access.

Syntax: [no] aaa authentication snmp-server | web-server | enable | login | dot1x
default <method1> [<method2>] [<method3>] [<method4>] [<method5>] [<method6>] [<method7>]
Syntax: [no] aaa authentication login privilege-mode
The snmp-server | web-server | enable | login | dot1x parameter specifies the type of
access this authentication-method list controls. You can configure one
authentication-method list for each type of access.
The aaa authentication login privilege-mode command configures the device so that a
user enters Privileged EXEC mode after a Telnet or SSH login.
The <method1> parameter specifies the primary authentication method. The remaining
optional <method> parameters specify the secondary methods to try if an error occurs
with the primary method. A method can be one of the values listed in the Method Value
column in the table above.
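The fall-through rule for authentication-method lists described above (accept or reject is
final, only an error moves to the next method), as an added example that is not part of the
course notes or the switch's own code. The three method stand-ins, the local user database
and the evaluate_method_list name are constructed for this example; the point it makes is
that a reachable server that rejects a user is never "saved" by a later local entry, and that
an exhausted list denies.

```python
from enum import Enum
from typing import Callable


class Result(Enum):
    ACCEPT = "accept"  # the method identified the user
    REJECT = "reject"  # the method answered, but the user/password is not known to it
    ERROR = "error"    # the method could not answer (server down, timeout)


# Constructed stand-ins for AAA methods: each takes (username, password) and
# returns a Result. They are not the switch's own code.
LOCAL_USERS = {"admin": "s3cret"}  # constructed local user database


def local_database(username: str, password: str) -> Result:
    if LOCAL_USERS.get(username) == password:
        return Result.ACCEPT
    return Result.REJECT  # unknown user or wrong password is not a system error


def radius_unreachable(username: str, password: str) -> Result:
    return Result.ERROR  # constructed: the link to the RADIUS server is down


def radius_rejecting(username: str, password: str) -> Result:
    return Result.REJECT  # constructed: server answers, but does not know the user


def evaluate_method_list(
    methods: list[tuple[str, Callable[[str, str], Result]]],
    username: str,
    password: str,
) -> tuple[bool, list[str]]:
    """Walk an authentication-method list as the text describes.

    ACCEPT grants access and stops; REJECT denies access and stops; only ERROR
    moves on to the next method. Exhausting the list without an ACCEPT denies.
    Returns (access granted, trace) so the decision can be logged.
    """
    trace: list[str] = []
    for name, method in methods:
        result = method(username, password)
        trace.append(f"{name}: {result.value}")
        if result is Result.ACCEPT:
            return True, trace
        if result is Result.REJECT:
            return False, trace
        # Result.ERROR: fall through to the next configured method
    return False, trace


if __name__ == "__main__":
    # "radius local" with the RADIUS link down: local answers.
    print(evaluate_method_list([("radius", radius_unreachable),
                                ("local", local_database)], "admin", "s3cret"))
    # Same list with RADIUS reachable but rejecting: local is never consulted.
    print(evaluate_method_list([("radius", radius_rejecting),
                                ("local", local_database)], "admin", "s3cret"))
```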
The device sends all SNMP traps to the specified hosts and includes the specified
community string. Traps can then be filtered on the host based on IP address or
community string.
To specify the host to which the device sends all SNMP traps:
SW-Switch(config)#snmp-server host <ip address> <community string>
The community string is configured on the device. The string can be a read-only or a
read-write string. It is not used to authenticate access to the trap host but is instead a
useful method for filtering traps on the host.
For example, if each of the devices that use the trap host is configured to send a
different community string, it is easy to distinguish which device sent the traps.
To configure an ACL that restricts SSH access:
Switch(config)# access-list 12 deny host 209.157.22.98 log
Switch(config)# access-list 12 deny 209.157.23.0 0.0.0.255
log
Switch(config)# access-list 12 deny 209.157.24.0/24 log
Switch(config)# access-list 12 permit any
Switch(config)# ssh access-group 12
Switch(config)# write memory
Syntax: ssh access-group <num>
The <num> parameter specifies the number of a standard ACL and must be from 1 –
99.
Please see the Switch and Router Security Guide for the particular platform for more
details.
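The standard ACL above, evaluated the way the switch applies it to an incoming SSH source
address, as an added example that is not part of the course notes or Brocade's code. It
parses the three source forms the page uses (host, address plus wildcard mask, and CIDR),
applies first-match semantics, and falls back to the implicit deny that closes a standard
ACL when nothing matches (assumed from standard ACL behaviour; the page itself only shows the
explicit permit any). The parse_standard_acl and evaluate names are this example's own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str                     # "permit" or "deny"
    network: ipaddress.IPv4Network  # source addresses this entry covers
    log: bool                       # trailing "log" keyword present


def _wildcard_to_prefix(wildcard: str) -> int:
    """Convert a wildcard mask such as 0.0.0.255 into a prefix length (/24).

    A wildcard mask sets the bits that do NOT have to match, so a usable one is a
    run of ones at the low end (2**n - 1). Anything else is rejected rather than
    silently turned into a broader or narrower match.
    """
    bits = int(ipaddress.IPv4Address(wildcard))
    if bits & (bits + 1):
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return 32 - bits.bit_length()


def parse_standard_acl(lines: list[str]) -> list[AclEntry]:
    """Parse 'access-list <num> permit|deny <source> [log]' lines.

    Accepted source forms: any, host A.B.C.D, A.B.C.D <wildcard>, A.B.C.D/n.
    """
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            raise ValueError(f"not a standard ACL line: {line!r}")
        action = tokens[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {line!r}")
        log = tokens[-1] == "log"
        source = tokens[3:-1] if log else tokens[3:]
        if source == ["any"]:
            network = ipaddress.IPv4Network("0.0.0.0/0")
        elif source[0] == "host":
            network = ipaddress.IPv4Network(f"{source[1]}/32")
        elif len(source) == 2:  # address followed by a wildcard mask
            prefix = _wildcard_to_prefix(source[1])
            network = ipaddress.IPv4Network(f"{source[0]}/{prefix}", strict=False)
        else:                   # CIDR form
            network = ipaddress.IPv4Network(source[0], strict=False)
        entries.append(AclEntry(action, network, log))
    return entries


def evaluate(entries: list[AclEntry], source_ip: str) -> tuple[str, bool]:
    """First matching entry wins; returns (action, log).

    With no match the implicit deny applies (assumed standard ACL behaviour),
    which is why the page's example ends with an explicit 'permit any'.
    """
    address = ipaddress.IPv4Address(source_ip)
    for entry in entries:
        if address in entry.network:
            return entry.action, entry.log
    return "deny", False


# The ACL from the page, as typed at the config prompt.
SSH_ACL_12 = parse_standard_acl([
    "access-list 12 deny host 209.157.22.98 log",
    "access-list 12 deny 209.157.23.0 0.0.0.255 log",
    "access-list 12 deny 209.157.24.0/24 log",
    "access-list 12 permit any",
])


if __name__ == "__main__":
    for probe in ("209.157.22.98", "209.157.23.77", "209.157.24.200", "209.157.25.1"):
        print(probe, evaluate(SSH_ACL_12, probe))
```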