Tag Archive : Brocade


Disable Telnet Port 23 on Brocade Switches

Are you considering disabling the Telnet service (TCP port 23) on your Brocade switches? This article walks you through the steps.

More and more companies are investing in the security of their environments, and the legacy cleartext protocols such as HTTP, FTP and Telnet are being retired: they carry credentials and session data unencrypted over the network, and their encrypted replacements (HTTPS, SFTP and SSH) have become the standard.

Prior to FOS 5.3.0 you could turn off the Telnet service from the configure command on the switch. Later FOS versions no longer let you alter the communication services through configure; instead, we modify the IP filter policy and deny traffic on TCP port 23. An IP filter policy applies to the switch's management Ethernet interface, so make sure SSH (TCP port 22) is permitted and that you have a working SSH session before you cut off Telnet, or you risk locking yourself out of management access.

Before we start, here is a short overview of the steps we will take. An IP filter policy is an ordered table of rules that define which traffic to the switch's management interface is permitted or denied. Every switch ships with two default policies, one per address family: default_ipv4 and default_ipv6. In short, we will:

  • Clone the existing default policies
  • Remove the rule that permits traffic on port 23
  • Define a new rule that denies traffic on Telnet port 23
  • Save and activate the new ipfilter policies

View the existing ipfilter policies

To show the current IP filter policies and their rules, enter: ipfilter --show

STORFOS:FID128:storcom> ipfilter --show

Name: default_ipv4, Type: ipv4, State: active
Rule    Source IP                               Protocol   Dest Port         Action
1     any                                            tcp       22            permit
2     any                                            tcp       23            permit
3     any                                            tcp       80            permit
4     any                                            tcp      443            permit
5     any                                            udp      161            permit
6     any                                            udp      123            permit
7     any                                            tcp      600 - 1023     permit
8     any                                            udp      600 - 1023     permit

Name: default_ipv6, Type: ipv6, State: active
Rule    Source IP                               Protocol   Dest Port         Action
1     any                                            tcp       22            permit
2     any                                            tcp       23            permit
3     any                                            tcp       80            permit
4     any                                            tcp      443            permit
5     any                                            udp      161            permit
6     any                                            udp      123            permit
7     any                                            tcp      600 - 1023     permit
8     any                                            udp      600 - 1023     permit

Clone existing configuration

Go ahead and clone both default policies. In the example above they are named default_ipv4 and default_ipv6. I will give the clones new names, BlockTelnet_ipv4 and BlockTelnet_ipv6:

ipfilter --clone BlockTelnet_ipv4 -from default_ipv4
ipfilter --clone BlockTelnet_ipv6 -from default_ipv6

Save the clones you just created

ipfilter --save BlockTelnet_ipv4
ipfilter --save BlockTelnet_ipv6

Modify the cloned ipfilters

Next, we remove rule 2, which permits traffic on port 23, and then define a new rule 2 in its place that denies that traffic. Keeping an explicit deny rule makes the intent visible in the output of ipfilter --show, instead of relying on what the policy does with traffic that matches no rule.

To remove rule 2 from the cloned policies, enter:

ipfilter --delrule BlockTelnet_ipv4 -rule 2
ipfilter --delrule BlockTelnet_ipv6 -rule 2

Then add a rule at the same position that denies traffic on TCP port 23:

ipfilter --addrule BlockTelnet_ipv4 -rule 2 -sip any -dp 23 -proto tcp -act deny
ipfilter --addrule BlockTelnet_ipv6 -rule 2 -sip any -dp 23 -proto tcp -act deny

Save configuration and activate ipfilters

To save the modified ipfilter clones, enter:

ipfilter --save BlockTelnet_ipv4
ipfilter --save BlockTelnet_ipv6

Before you activate, double-check both new policies and confirm that the permit rule for SSH on port 22 is still present:

ipfilter --show BlockTelnet_ipv4
ipfilter --show BlockTelnet_ipv6

Finally, activate the new policies. Activating a policy replaces the currently active policy of the same type (IPv4 or IPv6):

ipfilter --activate BlockTelnet_ipv4
ipfilter --activate BlockTelnet_ipv6
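As an added check (example code written for this page, not code from the original article or from Brocade), the following Python script parses the text that ipfilter --show prints, in the format shown above, and reports every active policy that still carries a permit rule covering TCP port 23. It is useful when you have to audit saved command output from a whole estate of switches rather than eyeball each one. The sample output embedded in the script is constructed for the example: the default policies from this page plus a hypothetical BlockTelnet_ipv4 clone with the deny rule in place. The assumption that rules are evaluated in numeric order with the first match deciding, and the reporting of traffic that matches no rule as "unmatched", are the script's own choices, not statements taken from the FOS documentation.

```python
"""Audit Brocade FOS `ipfilter --show` output for Telnet (TCP/23) exposure.

Added example for this page; not code from the article or from Brocade.
"""
import re
from dataclasses import dataclass, field
from typing import List

# "Name: default_ipv4, Type: ipv4, State: active"
HDR_RE = re.compile(
    r"^Name:\s*(?P<name>\S+),\s*Type:\s*(?P<type>\S+),\s*State:\s*(?P<state>\S+)"
)
# "7   any   tcp   600 - 1023   permit": the port is a number or a spaced range.
RULE_RE = re.compile(
    r"^\s*(?P<num>\d+)\s+(?P<sip>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<lo>\d+)(?:\s*-\s*(?P<hi>\d+))?\s+(?P<act>permit|deny)\b",
    re.IGNORECASE,
)


@dataclass
class Rule:
    num: int
    sip: str
    proto: str
    lo: int
    hi: int
    action: str

    def covers(self, proto: str, port: int) -> bool:
        return self.proto == proto.lower() and self.lo <= port <= self.hi


@dataclass
class Policy:
    name: str
    type: str
    state: str
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, proto: str, port: int) -> str:
        # Assumption (not from the FOS docs): rules are evaluated in numeric
        # order and the first matching rule decides. Traffic that matches no
        # rule is reported as "unmatched" so the operator checks the default.
        for r in sorted(self.rules, key=lambda r: r.num):
            if r.covers(proto, port):
                return f"{r.action} (rule {r.num})"
        return "unmatched"


def parse_ipfilter_show(text: str) -> List[Policy]:
    """Parse the policy headers and rule lines; column headers are ignored."""
    policies: List[Policy] = []
    for line in text.splitlines():
        m = HDR_RE.match(line.strip())
        if m:
            policies.append(Policy(m["name"], m["type"], m["state"]))
            continue
        m = RULE_RE.match(line)
        if m and policies:
            lo = int(m["lo"])
            hi = int(m["hi"]) if m["hi"] else lo
            policies[-1].rules.append(
                Rule(int(m["num"]), m["sip"], m["proto"].lower(), lo, hi, m["act"].lower())
            )
    return policies


def telnet_findings(text: str) -> List[str]:
    """One finding per *active* policy whose first matching rule permits TCP/23."""
    findings = []
    for p in parse_ipfilter_show(text):
        if p.state.lower() != "active":
            continue
        v = p.verdict("tcp", 23)
        if v.startswith("permit"):
            findings.append(f"{p.name}: Telnet still permitted by {v}")
    return findings


# Constructed sample output: the default policies from this page plus a
# hypothetical BlockTelnet_ipv4 clone in which rule 2 has become a deny.
SAMPLE = """\
Name: default_ipv4, Type: ipv4, State: defined
Rule    Source IP                               Protocol   Dest Port         Action
1     any                                            tcp       22            permit
2     any                                            tcp       23            permit
7     any                                            tcp      600 - 1023     permit

Name: BlockTelnet_ipv4, Type: ipv4, State: active
Rule    Source IP                               Protocol   Dest Port         Action
1     any                                            tcp       22            permit
2     any                                            tcp       23            deny
7     any                                            tcp      600 - 1023     permit

Name: default_ipv6, Type: ipv6, State: active
Rule    Source IP                               Protocol   Dest Port         Action
1     any                                            tcp       22            permit
2     any                                            tcp       23            permit
"""

if __name__ == "__main__":
    for finding in telnet_findings(SAMPLE):
        print("FAIL", finding)
```

Feed it the captured output of ipfilter --show from each switch; an empty result means no active policy permits Telnet, while a finding names the policy and the rule that still lets it through.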

Removing an ipfilter

Alternatively, if you need to clean up the ipfilter policies, it is easy to do. Use the following command (the built-in default policies cannot be deleted):

STORFOS:FID128:storcom> ipfilter --delete BlockTelnet_ipv6
This will delete the IP filter policy.
ARE YOU SURE (yes, y, no, n): [no] y

Any suggestion or question? Leave a reply below, or feel free to contact us. Make sure to subscribe to our mailing list to get the latest.

Brocade ISL Trunk configuration

07/11/2019 | SAN | 3 Comments

One of the most interesting parts of administering FC switches is implementing ISLs (Inter-Switch Links) between two datacenters. In this article we cover the steps needed to join two switches into one fabric. We assume that the physical link (cabling) is already in place and that each switch already has its basic configuration.

In the demonstration below I am using Brocade G62-series SAN switches running Fabric OS 8.0.2e.

  1. We start off by disabling the switch. This takes the switch offline, so do it in a maintenance window; it is needed because the configure command in step 3 only runs on a disabled switch.
    FOS_STORCOM1:admin> switchdisable
  2. Next, we configure the port speed of the ports that will be inter-connected.
    FOS_STORCOM1:admin> portcfgspeed -i <port number> -f <port speed>

  3. Brocade SAN switches can be configured interactively using the configure command. Once entered, it leads you through the important fabric parameters. Make sure every switch in the fabric gets a unique Domain ID; a conflicting Domain ID or a conflicting active zoning configuration causes the ISL to segment instead of merging the fabrics.
  4. Next, we need to calculate the ISL distance. A rule of thumb is to multiply the real physical distance by 1.5 to get the distance to configure on the port.
    real_distance_km x 1.5 = ISL_logical_distance

    In my case, I have two switches with a physical distance of 146 km. I will use 220 km as the ISL distance.

  5. To configure the port in LS (long-distance static) mode, where you supply the desired distance yourself (LD mode would measure it automatically), enter the following command with the distance from step 4 as the last argument:
    FOS_STORCOM1:admin> portcfglongdistance <port number> LS 1 220

    The third argument, vc_link_init, selects the fill word: a value of 1 uses ARB (default), a value of 0 uses IDLE. The required value may depend on the link being used. LS and LD modes require the Extended Fabrics license, both ends of the link must be configured with the same distance level, and the command must be repeated for each ISL port.

  6. Optionally, you can enable QoS on the ISL ports using the following command:
    FOS_STORCOM1:admin> portcfgqos --enable <port number>
  7. To check and confirm the port parameters, use the following command:
    FOS_STORCOM1:admin> portshow <port number>
  8. At this point the port is ready. Enable the switch and the ports using the following commands:
    FOS_STORCOM1:admin> switchenable
    FOS_STORCOM1:admin> portcfgpersistentenable <port number>
  9. Log on to the second switch and perform the same operations, Steps 1 to 8.
  10. Your SAN fabric should be ready now. Verify it using the following commands (fabricshow should list both switches, and trunkshow the ISL):
    FOS_STORCOM1:admin> fabricshow
    FOS_STORCOM1:admin> trunkshow

The article Essential troubleshooting command lines every Storage Administrator should know covers further commands related to switch administration.

A complete command line list and other switch administration can be found on the Brocade Fabric OS Administration Guide.


A CLI (Command Line Interface, also expanded as Command Language Interpreter) is a program that handles interaction through lines of text (command lines). The use of command lines dates back to the mid-1960s, when computer terminals were the standard technology.

Today the fundamentals of almost every platform or piece of software are exposed on the command line: Windows Server 2012 onwards, any Linux distribution, and even computer and storage networks (SAN).

Below we cover some commands that are essential for every storage administrator. If you think something else belongs here, feel free to contact us.

Microsoft Windows Powershell

Determine a virtual machine's underlying physical Hyper-V host (run inside the guest; the key is populated by the Hyper-V integration services)

(get-item "HKLM:\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters").GetValue("HostName")

Get a VM's .VHD(X) file locations and .VHD details (run on the host computer)

Get-VM | Select-Object VMID | Get-VHD | Select-Object Path
Get-VHD <.VHDX file path>

Get a host adapter's WWN (run on the host computer)

Get-InitiatorPort | Select-Object -Property PortAddress | Format-List -Property PortAddress

Get host adapter WWNs remotely or for a whole cluster (run on the host computer)

Get-InitiatorPort -CimSession <Computer name>
Get-ClusterNode | %{Get-InitiatorPort -cimsession $_.Name}

Show the MPIO disk paths of a volume / vLUN (run on the host computer)

(gwmi -Namespace root\wmi -Class mpio_disk_info).driveinfo | % {Write-host "Name: $($_.name) Paths: $($_.numberpaths)"}


Brocade Fabric OS CLI

Find a host's alias name using its WWN

nodefind <Host's wwn>

Find a host alias by a partial, case-insensitive name match

nsaliasshow | grep -i "<alias name>"

Display zone information of an alias

zoneshow | grep -i "<alias name>"

Display error counters for all switch ports, or for a single port

porterrshow
porterrshow <port number>
