Brocade Switch Configuration Guide

ServerIron System Management

This chapter describes ServerIron ADX system management features.

Setting up Local User Accounts

For each user account, you specify the user name. You can also specify:

• A password
• The privilege level, which can be one of the following:
  • Full access (super-user). This is the default.
  • Port-configuration access
  • Read-only access

To configure user accounts, you must add a user account for super-user access before you can add accounts for other access levels. You will need the super-user account to make further administrative changes.

You must be logged on with super-user access (privilege level 0, or with a valid Enable password for super-user access) to add user accounts or configure other access parameters.

To set up local user accounts, enter commands such as the following:

ServerIronADX(config)# username greg-mcmillan nopassword
ServerIronADX(config)# username waldo privilege 5 password whereis

The first command adds a user account for a super-user with the user name "greg-mcmillan" and no password with privilege level super-user. This user has full access to all configuration and display features.

The second command adds a user account for user name "waldo", password "whereis", with privilege level read-only. Waldo can look for information but cannot make configuration changes.

Syntax: [no] username <user-string> privilege <privilege-level> password | nopassword <password-string>

The privilege <privilege-level> parameter specifies one of the following:

• 0 – Full access (super-user)
• 4 – Port-configuration access
• 5 – Read-only access

The default privilege level is 0. To assign full access to the user account, you can enter the command without privilege 0.

The password | nopassword parameter indicates whether the user must enter a password. If you specify password, enter the string for the user's password.

Displaying User Information

To display user information, enter the following command:

ServerIronADX(config)# show users
Username           Password    Encrypt     Priv
===============================================
greg-mcmillan                  disabled    0

Configuring Telnet

The ServerIronADX supports up to five concurrent inbound Telnet and SSH sessions, one outbound Telnet session, and console access. Write access through Telnet and SSH is limited to one session only.

To access the CLI shell running Switch (S) code, Telnet or SSH to the assigned management IP address, assuming your client is on the same subnet:

ip address 10.1.1.1 255.255.255.0
ServerIron(config)#show ip
Switch IP address: 10.1.1.1
Subnet mask: 255.255.255.0
Default router address: 10.1.1.2
Default IP MTU (Bytes): 1500
TFTP server address: None
Configuration filename: None
Image filename: None

If you are on a different subnet and running Switch code, configure an ip default-gateway <ip-addr>. This command also assists SNMP management.

If you are running Router (R) code, the management ip address must be set on a reachable system interface (physical or virtual). Use ip route 0.0.0.0 0.0.0.0 [<next-hop-ip>] to install a static route in R code.

Use show who or show telnet to display both Telnet and SSH user session information:

ServerIronADX# show who
Console connections:
        established
        you are connecting to this session
        1 seconds in idle
Telnet connections (inbound):
 1      closed
 2      closed
 3      closed
 4      closed
 5      closed
Telnet connection (outbound):
 6      closed
SSH connections:
 1      closed
 2      closed
 3      closed
 4      closed
 5      closed

Enabling Telnet Authentication

To use local access control or a RADIUS server to authenticate telnet access to the ServerIron ADX, enter the following command:

ServerIronADX(config)# enable telnet authentication

Syntax: [no] enable telnet authentication

Enabling Telnet Password

To assign a password for Telnet session access, enter a command such as the following:

ServerIronADX(config)# enable telnet password secretsalso

Syntax: [no] enable telnet password <text>

The <text> parameter specifies the password and is up to 32 alphanumeric characters.

To close a Telnet session, enter logout.

Using a Standard ACL to Control Telnet Access

You can apply an ACL to control Telnet access to the device.

The following commands configure ACL 10, then apply the ACL as the access list for Telnet access. The device will allow Telnet access to all IP addresses except those listed in ACL 10.

ServerIronADX(config)# access-list 10 deny host 209.157.22.32 log
ServerIronADX(config)# access-list 10 deny 209.157.23.0 0.0.0.255 log
ServerIronADX(config)# access-list 10 deny 209.157.24.0 0.0.0.255 log
ServerIronADX(config)# access-list 10 deny 209.157.25.0/24 log
ServerIronADX(config)# access-list 10 permit any
ServerIronADX(config)# telnet access-group 10

Syntax: [no] telnet access-group <num>

The <num> parameter specifies the number of a standard ACL and must be from 1 – 99.
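
To check which source addresses ACL 10 admits before applying it with telnet access-group, the following added example (not part of the original guide) evaluates the three address forms used above (host, address plus wildcard mask, and address/prefix) in first-match order. The function names are hypothetical, and the implicit deny when no entry matches is an assumption that the explicit permit any entry above makes moot.

```python
import ipaddress

# ACL 10 exactly as configured in the section above.
ACL_10 = """\
access-list 10 deny host 209.157.22.32 log
access-list 10 deny 209.157.23.0 0.0.0.255 log
access-list 10 deny 209.157.24.0 0.0.0.255 log
access-list 10 deny 209.157.25.0/24 log
access-list 10 permit any
"""

ALL_ONES = 0xFFFFFFFF


def parse_entry(line):
    """Parse one standard ACL line into (number, action, address, wildcard, log)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    number = int(tokens[1])
    if not 1 <= number <= 99:
        raise ValueError("standard ACL numbers are 1 - 99")
    action = tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action: {action!r}")
    log = tokens[-1] == "log"
    spec = tokens[3:-1] if log else tokens[3:]

    if spec == ["any"]:
        address, wildcard = 0, ALL_ONES
    elif len(spec) == 2 and spec[0] == "host":
        address, wildcard = int(ipaddress.IPv4Address(spec[1])), 0
    elif len(spec) == 1 and "/" in spec[0]:
        net = ipaddress.IPv4Network(spec[0], strict=False)
        address, wildcard = int(net.network_address), int(net.hostmask)
    elif len(spec) == 2:
        address = int(ipaddress.IPv4Address(spec[0]))
        wildcard = int(ipaddress.IPv4Address(spec[1]))
    else:
        raise ValueError(f"unsupported source specification: {spec!r}")
    return number, action, address, wildcard, log


def evaluate(acl_text, number, source_ip):
    """Return (action, 1-based index of the matching entry or None, logged)."""
    src = int(ipaddress.IPv4Address(source_ip))
    index = 0
    for line in acl_text.splitlines():
        if not line.strip():
            continue
        num, action, address, wildcard, log = parse_entry(line)
        if num != number:
            continue
        index += 1
        # Wildcard bits set to 1 are "don't care"; every other bit must match.
        if ((src ^ address) & ~wildcard & ALL_ONES) == 0:
            return action, index, log
    # Assumption: a source that matches no entry falls to an implicit deny.
    return "deny", None, False


if __name__ == "__main__":
    # Constructed test addresses, one per kind of entry.
    for ip in ("209.157.22.32", "209.157.22.33", "209.157.23.77",
               "209.157.25.200", "10.1.1.5"):
        print(ip, evaluate(ACL_10, 10, ip))
```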

Restricting Telnet Management Access

You can restrict Telnet management access to the Brocade device to the host whose IP address you specify. No other device except the one with the specified IP address can access the Brocade device's CLI through Telnet. You can use the command up to ten times for up to ten IP addresses.

If you want to restrict access from SNMP or the Web, use one or two of the following commands:

• snmp-client – restricts SNMP access (including IronView).
• web client – restricts web access.

If you want to restrict all management access, you can use the commands above and the telnet client command or you can use the following command: all-client.

To restrict Telnet access (which includes IronView) to the Brocade device to the host with IP address 209.157.22.26, enter the following command:

ServerIronADX(config)# telnet client 209.157.22.26

Syntax: [no] telnet client <ip-addr>

Changing the Telnet Login Timeout Period

To change the login timeout period for Telnet sessions, enter the following command:

ServerIronADX(config)# telnet login-timeout 5

Syntax:

The <minutes> parameter specifies 1 – 10 minutes. The default is 1 minute.

Enabling or Disabling Telnet Access

By default, Telnet access is enabled on the system.

To disable Telnet access to a ServerIron ADX, enter the following command:

ServerIronADX(config)# no telnet server

Syntax: [no] telnet server

Allowing Telnet Access Only to Clients in a VLAN

You can allow Telnet access only to clients in a specific VLAN.

The following command configures the device to allow Telnet management access only to clients connected to ports within port-based VLAN 10. Clients connected to ports that are not in VLAN 10 are denied management access:

ServerIronADX(config)# telnet server enable vlan 10

Syntax: [no] telnet server enable vlan <vlan-id>

Suppressing the Rejection Message

You can suppress the rejection message the device sends in response to a denied Telnet client.

If you enable suppression of the connection rejection message, a denied Telnet client does not receive a message from the device. Instead, the denied client simply does not gain access.

To suppress the connection rejection message sent by the device to a denied Telnet client, enter the following command:

ServerIronADX(config)# telnet server suppress-reject-message

Syntax: [no] telnet server suppress-reject-message

Defining Telnet Timeout

By default, Telnet sessions do not time out (0 seconds).

To define how long a Telnet session can remain idle before it is timed out, enter the following command:

ServerIronADX(config)#telnet timeout 120

Syntax: [no] telnet timeout <seconds>

The <seconds> parameter is 0 – 240 seconds.

Configuring SSH

The ServerIron ADX supports up to five concurrent inbound Telnet and SSH sessions, one outbound Telnet session, and console access. Write access through Telnet and SSH is limited to one session only.

Enabling or Disabling SSH Service

The SSH service is not enabled by default. The SSH server starts once you configure a host RSA public and private key pair for SSH:

ServerIronADX(config)# crypto key generate rsa
ServerIronADX(config)# write mem

Syntax:

The host RSA key pair is stored in the system-config file. Only the public key is readable. The host RSA key pair is used to negotiate a session key and encryption method with the SSH clients trying to connect to it.

The service is stopped once the keys are destroyed from the system-config file:

ServerIronADX(config)# crypto key zeroize rsa
ServerIronADX(config)# write mem

Syntax: crypto key zeroize rsa

There is no SSH client within the ServerIronADX to support outbound sessions initiated from within the ServerIronADX.

At a minimum, the following SSH clients are supported for inbound connections:

• F-Secure 5.3
• Secure Shell 3.2.3
• SecureCRT 4.0
• PuTTY 0.54
• Tera Term Pro 3.1.3
• OpenSSH_3.5p1

Creating a Seed for Generating a Random Number

To create a new seed for generating a random number that is used for generating the dynamically created server RSA key pair for SSH, enter the following command:

ServerIronADX(config)# crypto random-number-seed generate

Syntax: [no] crypto random-number-seed

Setting SSH Authentication Retries

To set the number of SSH authentication retries, enter the following command:

ServerIronADX(config)# ip ssh authentication-retries 5

Syntax: [no] ip ssh authentication-retries <number>

The <number> parameter can be from 1 to 5. The default is 3.

Setting the SSH Key Size

The size of the host RSA key that resides in the system-config file is always 1024 bits and cannot be changed.

To set the SSH key size, enter the following command:

ServerIronADX(config)# ip ssh key-size 896

Syntax: [no] ip ssh key-size <number>

The <number> parameter can be from 512 – 896 bits. The default is 768 bits.

Configuring SSH Password Authentication

By default, SSH password authentication is enabled.

After the SSH server on the Brocade device negotiates a session key and encryption method with the connecting client, user authentication takes place. Of the methods of user authentication available in SSH, Brocade's implementation of SSH supports password authentication only.

With password authentication, users are prompted for a password when they attempt to log into the device (unless empty password logins are not allowed; see ip ssh permit-empty-passwd). If there is no user account that matches the user name and password supplied by the user, the user is

You can deactivate password authentication for SSH. However, since password authentication is the only user authentication method supported for SSH, this means that no user authentication is performed at all. Deactivating password authentication essentially disables the SSH server entirely.

To deactivate password authentication, enter the following command:

ServerIronADX(config)# ip ssh password-authentication no

Syntax: [no] ip ssh password-authentication no | yes

The yes option enables SSH password authentication.

Enabling Empty Password Logins

By default, empty password logins are not allowed. This means that users with an SSH client are always prompted for a password when they log into the device. To gain access to the device, each user must have a user name and password.

If you enable empty password logins, users are not prompted for a password when they log in. Any user with an SSH client can log in without being prompted for a password.

To enable empty password logins, enter the following command:

ServerIronADX(config)# ip ssh permit-empty-passwd yes

Syntax: [no] ip ssh permit-empty-passwd no | yes

The yes option enables SSH empty password login.
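
Several settings described so far weaken management-plane access when left at the values shown (nopassword accounts, Telnet enabled by default with no idle timeout, empty-password SSH logins, password authentication switched off). The following added example, which is not part of the original guide, scans configuration text for them. It assumes the configuration lists each command in the form shown in this chapter; the function names and check identifiers are hypothetical.

```python
import re

PRIVILEGES = {0: "super-user", 4: "port-configuration", 5: "read-only"}
USER_RE = re.compile(
    r"^username\s+(?P<name>\S+)(?:\s+privilege\s+(?P<priv>\d+))?"
    r"\s+(?P<kind>nopassword|password)\b"
)
# Commands from this chapter that limit where Telnet sessions may come from.
TELNET_SOURCE_LIMITS = ("telnet access-group ", "telnet client ",
                        "telnet server enable vlan ", "all-client")

# Constructed sample: example commands from this chapter as they were entered.
AS_CONFIGURED = """\
ServerIronADX(config)# username greg-mcmillan nopassword
ServerIronADX(config)# username waldo privilege 5 password whereis
ServerIronADX(config)# enable telnet password secretsalso
ServerIronADX(config)# telnet login-timeout 5
ServerIronADX(config)# ip ssh permit-empty-passwd yes
"""

# Constructed sample: the stricter choice for each of the same settings.
TIGHTENED = """\
username netadmin privilege 0 password <constructed-placeholder>
username waldo privilege 5 password <constructed-placeholder>
no telnet server
ip ssh permit-empty-passwd no
ip ssh password-authentication yes
"""


def normalise(config_text):
    """Drop CLI prompts, comment lines and blank lines; return command lines."""
    lines = []
    for raw in config_text.splitlines():
        line = re.sub(r"^\S+\(config\)#\s*", "", raw.strip())
        if line and not line.startswith("!"):
            lines.append(line)
    return lines


def audit(config_text):
    """Return a sorted list of (check_id, detail) findings."""
    lines = normalise(config_text)
    present = set(lines)
    findings = []

    for line in lines:
        m = USER_RE.match(line)
        if m and m.group("kind") == "nopassword":
            priv = int(m.group("priv") or 0)  # guide: default privilege level is 0
            level = PRIVILEGES.get(priv, f"privilege {priv}")
            findings.append(("USER_NOPASSWORD",
                             f"{m.group('name')} ({level}) has no password"))

    # Guide: Telnet access is enabled unless 'no telnet server' is entered.
    if "no telnet server" not in present:
        findings.append(("TELNET_ENABLED", "Telnet server is enabled (cleartext)"))
        if "enable telnet authentication" not in present:
            findings.append(("TELNET_NO_USER_AUTH",
                             "'enable telnet authentication' is not configured"))
        if not any(l.startswith(TELNET_SOURCE_LIMITS) for l in lines):
            findings.append(("TELNET_UNRESTRICTED",
                             "no ACL, client or VLAN restriction on Telnet"))
        timeout = 0  # guide: by default Telnet sessions do not time out
        for l in lines:
            m = re.match(r"^telnet timeout (\d+)$", l)
            if m:
                timeout = int(m.group(1))
        if timeout == 0:
            findings.append(("TELNET_NO_IDLE_TIMEOUT",
                             "idle Telnet sessions never time out"))

    if "ip ssh permit-empty-passwd yes" in present:
        findings.append(("SSH_EMPTY_PASSWORD", "SSH logins without a password allowed"))
    if "ip ssh password-authentication no" in present:
        findings.append(("SSH_PASSWORD_AUTH_OFF",
                         "the only supported SSH user authentication is off"))
    return sorted(findings)


def finding_ids(config_text):
    """Return only the check identifiers, in sorted order."""
    return [check_id for check_id, _ in audit(config_text)]


if __name__ == "__main__":
    for check_id, detail in audit(AS_CONFIGURED):
        print(f"{check_id}: {detail}")
```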

Changing the TCP Port Used for SSH

By default, SSH traffic occurs on TCP port 22.

To change the TCP port used for SSH, enter the following command:

ServerIronADX(config)# ip ssh port 2200

Syntax: [no] ip ssh port <number>

The <number> parameter specifies a valid TCP port number.

Note that if you change the default SSH port number, you must configure SSH clients to connect to the new port. Also, you should be careful not to assign SSH to a port that is used by another service. If you change the SSH port number, we recommend that you change it to a port number greater than 1024.

Loading a Public Key File

To cause a public key file to be loaded onto the device, enter commands such as the following:

ServerIronADX(config)# ip ssh pub-key-file slot1 pkeys.txt
ServerIronADX(config)# ip ssh pub-key-file tftp 192.168.1.234 pkeys.txt
ServerIronADX(config)# ip ssh pub-key-file reload
ServerIronADX(config)# ip ssh pub-key-file flash-memory
ServerIronADX(config)# write memory

Syntax: [no] ip ssh pub-key-file slot1 | slot2 <filename>

Syntax: [no] ip ssh pub-key-file tftp <tftp-server-ip-addr> <filename>

Syntax: [no] ip ssh pub-key-file reload

Syntax: [no] ip ssh pub-key-file flash-memory

The slot1 | slot2 <filename> parameter causes a public key file called <filename> to be loaded from the Management IV module's PCMCIA flash card each time the device is booted.

The tftp <tftp-server-ip-addr> <filename> parameter causes a public key file called <filename> to be loaded from a TFTP server each time the Brocade device is booted.

The flash-memory keyword makes the public keys in the active configuration part of the startup-config file.

Disabling or Re-enabling RSA Challenge-Response Authentication

RSA challenge-response authentication is enabled by default.

To disable RSA challenge-response authentication, enter the following command:

ServerIronADX(config)# ip ssh rsa-authentication no

Syntax: [no] ip ssh rsa-authentication yes | no

The yes option enables RSA challenge-response authentication.

Disabling or Re-enabling Secure Copy

Secure Copy (SCP) is enabled by default. To disable SCP, enter the following command:

ServerIronADX(config)# ip ssh scp disable

Syntax: [no] ip ssh scp disable | enable

NOTE: If you disable SSH, SCP is also disabled.

Using Secure Copy

Secure Copy (SCP) uses security built into SSH to transfer files between hosts on a network, providing a more secure file transfer method than Remote Copy (RCP) or FTP. SCP automatically uses the authentication methods, encryption algorithm, and data compression level configured for SSH. For example, if password authentication is enabled for SSH, the user is prompted for a user name and password before SCP allows a file to be transferred. No additional configuration is required for SCP on top of SSH.

You can use SCP to copy files on the device, including the startup-config and running-config files, to or from an SCP-enabled remote host.

SCP is enabled by default and can be disabled. To disable SCP, enter the following command:

ServerIronADX(config)# ip ssh scp disable

Syntax: [no] ip ssh scp disable | enable

If you disable SSH, SCP is also disabled.

The following are examples of using SCP to transfer files from and to a ServerIron ADX.

When using SCP, you enter the scp commands on the SCP-enabled client, rather than the console on the ServerIron ADX.

Certain SCP client options, including -p and -r, are ignored by the SCP server. If an option is ignored, the client is notified.

To copy a configuration file (c:\cfg\brocade.cfg) to the running-config file on a device at 192.168.1.50 and log in as user terry, enter the following command on the SCP-enabled client:

C:\> scp c:\cfg\brocade.cfg terry@192.168.1.50:runConfig

If password authentication is enabled for SSH, the user is prompted for user terry's password before the file transfer takes place.

To copy the configuration file to the startup-config file:

C:\> scp c:\cfg\brocade.cfg terry@192.168.1.50:startConfig

To copy the configuration file to a file called config1.cfg on the PCMCIA flash card in slot 1 on a Management IV module:

C:\> scp c:\cfg\brocade.cfg terry@192.168.1.50:a:/config1.cfg

To copy the configuration file to a file called config1.cfg on the PCMCIA flash card in slot 2 on a Management IV module:

C:\> scp c:\cfg\brocade.cfg terry@192.168.1.50:b:/config1.cfg

To copy the running-config file on a ServerIron ADX to a file called c:\cfg\brcdhprun.cfg on the SCP-enabled client:

C:\> scp terry@192.168.1.50:runConfig c:\cfg\brcdhprun.cfg

To copy the startup-config file on a ServerIron ADX to a file called c:\cfg\brcdhpstart.cfg on the SCP-enabled client:

C:\> scp terry@192.168.1.50:startConfig c:\cfg\brcdhpstart.cfg

To copy a file called config1.cfg on the PCMCIA flash card in slot 1 on a Management IV module to the SCP-enabled client:

C:\> scp terry@192.168.1.50:a:/config1.cfg c:\cfg\config1.cfg

To copy a file called config2.cfg on the PCMCIA flash card in slot 1 on a Management IV module to the SCP-enabled client:

C:\> scp terry@192.168.1.50:b:/config2.cfg c:\cfg\config2.cfg

Defining the SSH Timeout Value

When the SSH server attempts to negotiate a session key and encryption method with a connecting client, it waits a maximum of 120 seconds for a response from the client. If there is no response from the client after 120 seconds, the SSH server disconnects.

To change the SSH timeout value, enter the following command:

ServerIronADX(config)# ip ssh timeout 60

Syntax: [no] ip ssh timeout <seconds>

The <seconds> parameter is from 1 to 120 seconds. The default is 120.

Using a Standard ACL to Control SSH Access

You can apply an ACL to control SSH access to the device.

The following commands configure ACL 10, then apply the ACL as the access list for SSH access. The device will allow SSH access to all IP addresses except those listed in ACL 10.

ServerIronADX(config)# access-list 10 deny host 209.157.22.32 log
ServerIronADX(config)# access-list 10 deny 209.157.23.0 0.0.0.255 log
ServerIronADX(config)# access-list 10 deny 209.157.24.0 0.0.0.255 log
ServerIronADX(config)# access-list 10 deny 209.157.25.0/24 log
ServerIronADX(config)# access-list 10 permit any
ServerIronADX(config)# ssh access-group 10

Syntax: [no] ssh access-group <num>

The <num> parameter specifies the number of a standard ACL and must be
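To check which source addresses ACL 10 lets reach SSH before applying it, the entries can be evaluated offline. The following Python sketch is an added example, not Brocade code: it models first-match evaluation of the three source forms used above (host, address with wildcard mask, prefix length) and reports entries that an earlier entry makes unreachable. The function names are hypothetical, and the implicit deny for a source that matches no entry is an assumption of the model.

```python
import ipaddress

# ACL 10 exactly as configured in the section above.
ACL_10 = """\
access-list 10 deny host 209.157.22.32 log
access-list 10 deny 209.157.23.0 0.0.0.255 log
access-list 10 deny 209.157.24.0 0.0.0.255 log
access-list 10 deny 209.157.25.0/24 log
access-list 10 permit any
"""

ALL_BITS = 0xFFFFFFFF


def ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def parse_standard_acl(text, acl_num):
    """Return the ACL's entries in order as (action, base, wildcard, log).

    In a wildcard mask a 1 bit means "ignore this bit of the source address".
    """
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[:2] != ["access-list", str(acl_num)]:
            continue
        action, spec = tokens[2], tokens[3:]
        if action not in ("permit", "deny"):
            raise ValueError("unknown action: " + raw)
        log = spec[-1] == "log"
        if log:
            spec = spec[:-1]
        if spec == ["any"]:
            base, wildcard = 0, ALL_BITS
        elif len(spec) == 2 and spec[0] == "host":
            base, wildcard = ip_to_int(spec[1]), 0
        elif len(spec) == 1 and "/" in spec[0]:
            net = ipaddress.IPv4Network(spec[0], strict=False)
            base, wildcard = int(net.network_address), int(net.hostmask)
        elif len(spec) == 2:
            base, wildcard = ip_to_int(spec[0]), ip_to_int(spec[1])
        else:
            raise ValueError("unsupported source spec: " + raw)
        entries.append((action, base, wildcard, log))
    return entries


def evaluate(entries, source_ip):
    """Top-down, first match wins. Returns (action, entry_index, log)."""
    src = ip_to_int(source_ip)
    for index, (action, base, wildcard, log) in enumerate(entries):
        care = ~wildcard & ALL_BITS
        if (src & care) == (base & care):
            return action, index, log
    # Assumption: a source that matches no entry is denied (implicit deny).
    return "deny", None, False


def shadowed_entries(entries):
    """Indexes of entries that can never match because an earlier entry
    already matches every address they cover (an ordering mistake)."""
    shadowed = []
    for j, (_, base_j, wild_j, _) in enumerate(entries):
        care_j = ~wild_j & ALL_BITS
        for _, base_i, wild_i, _ in entries[:j]:
            care_i = ~wild_i & ALL_BITS
            # Entry i covers entry j if i only checks bits that j also
            # fixes, and the two agree on those bits.
            if (care_i & ~care_j) == 0 and (base_i & care_i) == (base_j & care_i):
                shadowed.append(j)
                break
    return shadowed


if __name__ == "__main__":
    acl = parse_standard_acl(ACL_10, 10)
    # Constructed test addresses.
    for ip in ("209.157.22.32", "209.157.22.33", "209.157.25.7", "10.1.1.1"):
        print(ip, evaluate(acl, ip))
    print("shadowed entries:", shadowed_entries(acl))
```

If permit any were entered first, shadowed_entries would report every deny entry after it, which is the ordering mistake that silently turns this deny list into allow-all.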


Displaying SSH Information

To display detailed SSH information, enter the following command:

ServerIronADX(config)# show ip ssh
Connection  Version  Encryption  State  Username
1           1.5      none        0x00
2           1.5      none        0x00
3           1.5      none        0x00
4           1.5      none        0x00
5           1.5      none        0x00

Syntax: show ip ssh

Displaying Currently Loaded Public Keys

To display the currently loaded public keys, enter the following command:

ServerIronADX# show ip client-public-key
There are 2 authorized client public keys configured

Syntax: show ip client-public-key

Managing System Functions

This section contains information on managing the system functions.

Terminating the Active CLI Session

You can terminate the specified active CLI session and reset the configuration token. Once you know the session ID of a Telnet connection (use the show who command), you can terminate it with the kill command. If the terminated session was a console, the console is sent back into User EXEC mode. If the terminated CLI session was a Telnet or SSH session, the connection is closed.

ServerIronADX# kill telnet 1

Syntax: kill {console | telnet <session-id> | ssh <session-id>}

Performing a Lookup on a Domain

To perform a lookup on a specified domain, enter the following command:

ServerIronADX# whois boole.com

Syntax: whois <host-ip-addr> | <domain>

The <host-ip-addr> parameter is a valid IP address and <domain> is a valid domain name. A DNS gateway must be defined in order to use this command.

Verifying Connectivity

The ping command verifies connectivity to a device. The command performs an ICMP echo test. An ICMP Request goes to the target host, and the host sends back an ICMP Reply packet. You can send a test packet to a host’s IP address or host name.

The ServerIronADX can ping using arbitrary source IP addresses (Src-IPs) belonging to the device. The <source-ip-addr> was the management IP of the switch by default. You have the flexibility to use any <source-ip-addr> belonging to the device.

To verify connectivity to a device, enter the ping command such as the following:

ServerIronADX> ping 192.22.2.33

Syntax: ping <dest-ip-addr> | <hostname> [<source-ip-addr>] [count <num>] [timeout <msec>] [ttl <num>] [size <byte>] [quiet] [numeric] [no-fragment] [verify] [data <1-to-4 byte hex>] [brief]

The <hostname> parameter can be used only if you have already enabled the Domain Name Server (DNS) resolver feature on the device from which you are sending the ping. See ip dns domain-name and ip dns server-address.

The <dest-ip-addr> parameter specifies the IP address to be used as the destination of the ping packets.

The <source-ip-addr> parameter specifies the IP address to be used as the source (origin) of the ping packets.

The count <num> parameter specifies the number of ping packets the device sends. You can specify from 1 – 4294967296. The default is 1.

The timeout <msec> parameter specifies the number of milliseconds the Brocade device waits for a reply from the pinged device. You can specify a timeout from 1 – 4294967296 milliseconds. The default is 5000 (5 seconds).

The ttl <num> parameter specifies the maximum number of hops. You can specify a TTL from 1 – 255. The default is 64.

The size <byte> parameter specifies the size of the ICMP data portion of the packet. This is the payload and does not include the header. You can specify from 0 – 4000. The default is 16.

The no-fragment option turns on the “don’t fragment” bit in the IP header of the ping packet. This option is disabled by default.

The quiet option hides informational messages such as a summary of the ping parameters sent to the device and instead only displays messages indicating the success or failure of the ping. This option is disabled by default.

The verify option ensures the data in the echo packet (the reply packet) is the same as the data in the echo request (the ping). By default the device does not verify the data.

The data <1 – 4 byte hex> parameter specifies a specific data pattern for the payload instead of the default data pattern, “abcd”, in the packet’s data payload. The pattern repeats itself throughout the ICMP message (payload) portion of the packet.

For numeric parameter values, the CLI does not check that the value you enter is within the allowed range. Instead, if you do exceed the range for a numeric value, the software rounds the value to the nearest valid value.

The brief parameter causes ping test characters to be displayed. The following ping test characters are supported:

! —Indicates that a reply was received.
. —Indicates that the network server timed out while waiting for a reply.
U —Indicates that a destination unreachable error PDU was received.
I —Indicates that the user interrupted ping.

If you address the ping to the IP broadcast address, the device lists the first four responses to the ping.

Tracing the IP Path to a Host

The traceroute command enables you to trace the IP path to a host. It displays a list of all the intervening router hops the trace-route request traversed to reach the host. In addition, if there are multiple equal-cost routes to the destination, the Brocade device displays up to three responses by default.

To perform a traceroute, enter a command such as the following:

ServerIronADX> traceroute 192.33.4.7 minttl 5 maxttl 5 timeout 5

Syntax: traceroute <host-ip-addr> [maxttl <value>] [minttl <value>] [numeric] [timeout <value>] [source-ip <ip addr>]

The minttl parameter specifies the minimum TTL (hops) value. Possible values are 1 – 255. The default is 1 second.

The maxttl parameter specifies the maximum TTL (hops) value. Possible values are 1 – 255. The default is 30 seconds.

The timeout value can be from 1 – 120. The default is 2 seconds.

The numeric option changes the display to list the devices by their IP addresses instead of their names.

The source-ip <ip addr> parameter specifies an IP address to be used as the origin for the traceroute.

To halt an initiated trace, enter the following command:

ServerIronADX> stop-traceroute

Syntax: stop-traceroute

Initiating a System Reset

Use the reload command to initiate a system reset. You will be prompted to save all configuration changes made since the last reset or start of the ServerIron ADX to the startup configuration file.

Although the dynamic configuration feature allows many parameter changes to take effect immediately without a system reset, other parameters do require a system reset. To place these parameters into effect, you must save the configuration changes to the configuration file, then reload the system. The management interfaces provide an option to immediately reset the system. Alternatively, you can use the scheduled system reload feature to configure the system to reload its flash code at a specific time (based on the system time counter or SNTP time) or after a specific amount of time has passed.

To initiate a system reset, enter the following command:

ServerIronADX# reload

Syntax: reload [after <dd:hh:mm>] | [at <hh:mm:ss> <mm-dd-yy>] | [cancel] [primary | secondary]

The after <dd:hh:mm> parameter reloads after the specified amount of time has passed.

The at <hh:mm:ss> <mm-dd-yy> parameter reloads at exactly the specified time.

The cancel option negates the scheduled reload.

The primary | secondary option specifies whether the reload is to occur from the primary code flash module or the secondary code flash module. The default is primary.

Logging Into a BP

To log into a Barrel Processor (BP) on the Application Switching Module card, enter the following rconsole command:

ServerIron# rconsole 1 1
ServerIron1/1#
asm            show all application switch module commands
rcon-exit      Exit rconsole
rconsole-exit  Exit rconsole
show           Display system information
write          Write running configuration to terminal
ServerIron1/1# rconsole-exit

NOTE: A BP is the Applications traffic switching processor.

The example moves the CLI session from the management processor (MP) to BP 1 on the Application Switching Module in slot 1. Notice the end of the command prompt changes to indicate the ASM slot number and BP number.

Syntax: rconsole <asm-slot-number> <bp-number>

The <asm-slot-number> variable specifies the chassis slot containing the module (see show module):

The chassis slots specified in the <asm-slot-number> variable are numbered 1 - 2 from top to bottom in a ServerIron ADX 4000 chassis.

The chassis slots specified in the <asm-slot-number> variable are numbered 1 - 4 from top to bottom in a ServerIron ADX 8000 chassis.

The slot specified in the <asm-slot-number> variable is always 1 in a ServerIron ADX 1000.

The <bp-number> parameter specifies the BP (numbered from 1 – 8 maximum).

Use the rconsole-exit command to return to the MP.

Timing out Idle Serial Management Sessions

You can time out idle serial management sessions. By default, a device does not time out serial CLI sessions. A serial session remains open indefinitely until you close it.

NOTE: If a session times out, the device does not close the connection. Instead, the CLI changes to the User EXEC mode (for example: ServerIronADX>).

To time out idle serial management sessions, enter the following command:

ServerIronADX(config)# console timeout 20

Syntax: [no] console timeout <num>

The <num> parameter specifies the number of minutes, from 0 – 240, that the serial CLI session can remain idle before it times out. The default is 0 (sessions never time out).

Configuring a ServerIron ADX to Broadcast a Session Delete Message

To configure the ServerIron ADX to broadcast a session delete message to all of its BPs when it deletes a server’s session table entry pair, enter the following command:

ServerIronADX(config)# server udp-bc-client-session-del

Syntax: [no] server udp-bc-client-session-del

This command applies only to configurations where a client is connected to a router that is not the ServerIron ADX’s default gateway, and which is handled by a BP that does not also handle the ServerIron ADX’s default gateway.

Assigning a Name to the ServerIron ADX

You can assign a name to the device, by entering a command such as the following:

ServerIronADX(config)# hostname chassis
ServerIronADX(config)#

Syntax: [no] hostname <text>

The <text> parameter can be up to 32 alphanumeric characters.

Assigning an Administrative ID

You can assign an administrative ID to the device, by entering a command such as the following:

ServerIronADX(config)# chassis name routernyc

Syntax: [no] chassis name <text>

The <text> parameter is up to 32 alphanumeric characters.

This command does not change the CLI prompt. To change the CLI prompt, use the hostname command.

Disabling or Re-enabling Password Encryption

Password encryption is enabled by default. When encryption is enabled, users cannot learn the device’s passwords by viewing the configuration file.

Password encryption does not encrypt the password in Telnet packets sent to the device. This feature applies only to the configuration file.

To disable password encryption, enter the following command:

ServerIronADX(config)# no service password-encryption

Syntax: [no] service password-encryption
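A saved configuration can be reviewed offline for the management-plane settings this chapter documents: password encryption, the serial console timeout, and the SSH access group. The following Python sketch is an added example, not a Brocade tool. It assumes each setting is stored in the configuration file as the CLI command shown in this chapter and that a setting absent from the file is at the default stated here; both sample configurations are constructed, and the function names and finding identifiers are hypothetical.

```python
import re

# Defaults as stated in this chapter. Assumption: a setting that does not
# appear in the file is at its default.
DEFAULTS = {
    "password_encryption": True,   # enabled by default
    "console_timeout_min": 0,      # 0 = serial sessions never time out
    "ssh_timeout_sec": 120,        # SSH negotiation timeout
    "ssh_access_group": None,      # no ACL applied to SSH access
}

# Constructed configuration excerpts, not captured from a device.
WEAK_CONFIG = """\
hostname chassis
no service password-encryption
access-list 10 deny host 209.157.22.32 log
access-list 10 permit any
ssh access-group 11
"""

HARDENED_CONFIG = """\
hostname chassis
ip ssh timeout 60
console timeout 20
access-list 10 deny host 209.157.22.32 log
access-list 10 permit any
ssh access-group 10
"""

NUMERIC_SETTINGS = [
    ("console_timeout_min", re.compile(r"console timeout (\d+)$")),
    ("ssh_timeout_sec", re.compile(r"ip ssh timeout (\d+)$")),
    ("ssh_access_group", re.compile(r"ssh access-group (\d+)$")),
]


def effective_settings(config_text):
    """Return (settings, defined_acl_numbers) for a configuration file."""
    settings = dict(DEFAULTS)
    defined_acls = set()
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if line == "no service password-encryption":
            settings["password_encryption"] = False
        elif line == "service password-encryption":
            settings["password_encryption"] = True
        acl = re.match(r"access-list (\d+) (permit|deny) ", line)
        if acl:
            defined_acls.add(int(acl.group(1)))
        for key, pattern in NUMERIC_SETTINGS:
            found = pattern.match(line)
            if found:
                settings[key] = int(found.group(1))
    return settings, defined_acls


def audit(config_text):
    """Return a list of (finding_id, explanation) tuples."""
    settings, defined_acls = effective_settings(config_text)
    findings = []
    if not settings["password_encryption"]:
        findings.append(("password-encryption-off",
                         "passwords can be read from the configuration file"))
    if settings["console_timeout_min"] == 0:
        findings.append(("console-no-timeout",
                         "idle serial CLI sessions stay open indefinitely"))
    group = settings["ssh_access_group"]
    if group is None:
        findings.append(("ssh-no-acl", "no ACL restricts SSH access"))
    elif group not in defined_acls:
        findings.append(("ssh-acl-undefined",
                         "ssh access-group %d has no access-list entries" % group))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(text))
```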

Understanding Dynamic Configuration

In most cases, dynamic configuration enables you to make configuration changes without rebooting the system. Most Layer 2 configuration changes are dynamic. All Layer 4-7 configuration changes are dynamic.

If a command requires a reload to be effective, the device will display this information after the command is entered. Where reload is needed use the system-max command.

Disabling or Re-enabling the Page-Display Mode

The page-display mode displays the file one page at a time and prompts you to continue or cancel the display. When page-display mode is disabled, if you display or save the configuration file, the CLI displays the entire file without interruption.

By default, the page-display mode is enabled. When the ServerIron ADX prints text, one "page" (window-full) of the file is displayed. The following line provides you with options to continue the display or to cancel with Ctrl-c:

--More--, next page: Space/Return key, quit: Control-c

To disable the page-display mode, enter the following command:

ServerIronADX# skip-page-display
Disable page display mode

ServerIronADX# page-display
Enable page display mode

Syntax: skip-page-display

Syntax: page-display

Disabling or Re-enabling the Stop Page Display Characteristic

You can remove the stop page display characteristic for the write terminal command.

For example, by default, when a user enters the command write terminal the full configuration will generally involve more than a single page display. You are prompted to enter the return key to view the next page of information. When this command is enabled, this page-by-page prompting will be removed and the entire display will roll on the screen until the end is reached.

To remove the stop page display characteristic for the write terminal command, enter the following command:

ServerIronADX(config)# enable skip-page-display

To re-enable the stop page display characteristic, enter no enable skip-page-display.

Syntax: [no] enable skip-page-display

Configuring a Message for Display at the Privileged EXEC Level

You can configure the ServerIron ADX to display a message when a user enters the Privileged EXEC CLI level.

A delimiting character is established on the first line of the banner exec command. You begin and end the message with this delimiting character. It can be any character except “ (double-quotation mark) and cannot appear in the banner text. The banner text can be up to 2048 characters long and can consist of multiple lines.

To configure the ServerIronADX to display a message when a user enters the Privileged EXEC CLI level, enter the following command:

ServerIronADX(config)# banner exec $ (Press Return)
Enter TEXT message, End with the character '$'.
You are entering Privileged EXEC level
Don’t foul anything up! $

In this example, the delimiting character is $ (dollar sign). The text in between the dollar signs is the contents of the banner.

To remove the banner, enter no banner exec.

Syntax: [no] banner exec <delimiting-character>

The <delimiting-character> parameter can be any character except “ (double-quotation mark).

Configuring a Message for Display on a Console

You can configure the ServerIron ADX to display a message on the Console when a user establishes a Telnet session. This message indicates where the user is connecting from and displays a configurable text message.

To configure a message on the Console, enter the following:

ServerIronADX(config)# banner incoming $ (Press Return)
Enter TEXT message, End with the character '$'.
Incoming Telnet Session!! $

When a user connects to the CLI using Telnet, the following message appears on the Console:

Telnet from 209.157.22.63
Incoming Telnet Session!!

Syntax: 


Configuring a Message for Display on a Terminal

You can configure the ServerIronADX to display a message on a user’s terminal when he or she establishes a Telnet CLI session.

To display the message “Welcome to ServerIron ADX!” when a Telnet CLI session is established, enter the following:

ServerIronADX(config)# banner motd $ (Press Return)
Enter TEXT message, End with the character '$'.
Welcome to ServerIron ADX! $

When you access the Web management interface, the banner is displayed on the login panel.

Syntax: [no] banner <delimiting-character> | [motd <delimiting-character>]

NOTE: The banner <delimiting-character> command is equivalent to the banner motd <delimiting-character> command.
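The delimiter and length rules given for the banner exec, banner incoming and banner motd commands can be checked before a banner is entered on a device. The following Python is an added example, not part of the Brocade guide; the function names and the candidate delimiter list are hypothetical, and it assumes the 2048-character limit stated for banner exec applies to all three banner commands.

```python
# Added example: validate banner text against the rules stated in this guide
# and render the CLI lines to enter. Function names are hypothetical.

MAX_BANNER_CHARS = 2048                      # limit stated in the guide
BANNER_KINDS = ("exec", "incoming", "motd")  # banner commands shown in the guide
PREFERRED_DELIMITERS = "$#%^~@|"             # assumption: candidates tried in order


def pick_delimiter(text, candidates=PREFERRED_DELIMITERS):
    """Return the first candidate that is not '"' and is absent from text."""
    for ch in candidates:
        if ch != '"' and ch not in text:
            return ch
    raise ValueError("no usable delimiting character; supply one explicitly")


def render_banner(kind, text, delimiter=None):
    """Return the list of CLI input lines that configure the banner."""
    if kind not in BANNER_KINDS:
        raise ValueError(f"unknown banner kind: {kind!r}")
    if not text or len(text) > MAX_BANNER_CHARS:
        raise ValueError(f"banner must be 1..{MAX_BANNER_CHARS} characters")
    if delimiter is None:
        delimiter = pick_delimiter(text)
    if len(delimiter) != 1 or delimiter == '"':
        raise ValueError('delimiter must be one character other than "')
    if delimiter in text:
        # The guide states the delimiter cannot appear in the banner text.
        raise ValueError(f"delimiter {delimiter!r} appears in the banner text")
    lines = text.splitlines()
    lines[-1] = f"{lines[-1]} {delimiter}"   # closing delimiter ends the message
    return [f"banner {kind} {delimiter}"] + lines


# Banner text taken from the guide's banner exec example.
EXEC_TEXT = "You are entering Privileged EXEC level\nDon't foul anything up!"

if __name__ == "__main__":
    print("\n".join(render_banner("exec", EXEC_TEXT, "$")))
```
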

Configuring TFTP

All Brocade devices allow you to use Trivial File Transfer Protocol (TFTP) to copy files to and from the flash memory modules on the management module. You can use TFTP to perform the following operations:

• Upgrade boot or flash code.
• Archive boot or flash code or a configuration file on a TFTP server.
• Load the system using flash code and a configuration file stored on a TFTP server. (This occurs as part of the BootP or DHCP process.)

NOTE: Certain boot upgrades may require you to install new firmware. Contact your reseller or Brocade Communications Systems Inc. for information.
