Tag Archive : Brocade


LDAP(s) Configuration on Brocade switches

26/10/2021 | SAN | No Comments


In this tutorial we go through the steps needed to authenticate Brocade SAN switch logins against Microsoft Active Directory over LDAP(S).
Relying on local user accounts on network devices is not only time consuming to manage but also a security risk: local credentials shared between administrators and devices are hard to rotate, revoke and audit, and a central directory lets you do all three in one place.

Before making any changes to your infrastructure, always make a copy of your switch configuration (configupload), and test the change on a lab or non-production switch before rolling it out to your production environment.

Fabric OS can use either LDAP or LDAPS. As the name suggests, plain LDAP is the simple, unprotected protocol: the bind request carries the user's password in cleartext. LDAPS, and LDAP upgraded with TLS, run the session inside TLS, and the certificates we import below are what let the switch verify the AD server and present its own client certificate.

Certificate for LDAPs service

  1. Log in to your switch with a privileged (admin role) account.
  2. To list the certificates already on the switch, use:
    seccertmgmt show --all
  3. To create the Certificate Signing Request (.csr) for the LDAP client certificate, use:
    seccertmgmt generate -csr ldap
  4. Note the file name created in the previous step; it ends with the .csr extension.
  5. Export the CSR from the switch. The switch acts as the file-transfer client, so you need an FTP server it can reach. On FOS versions where seccertmgmt also accepts -protocol scp or sftp, prefer those: FTP sends the transfer login in cleartext.
    seccertmgmt export -csr ldap -protocol ftp
  6. Have the CSR signed by your certificate administrator. You get back the signed switch certificate together with the root and intermediate CA certificates.
  7. First, import the CA bundle (root and intermediate certificates combined into one file) under the client role:
    seccertmgmt import -ca -client ldap
  8. If you don’t know how to combine the root and intermediate CA certificates, please check Enable HTTPS protocol on Brocade switches under Combining Root and Intermediate certificate.
  9. Next, import the same CA bundle from step 7 again, this time under the server role:
    seccertmgmt import -ca -server ldap
  10. Finally, import the signed switch (client) certificate that your certificate administrator returned for the CSR exported in step 5:
    seccertmgmt import -cert ldap
  11. At this point the LDAP certificates are in place and we can continue with the implementation.
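As an added example (not part of the original article, and not a Brocade tool), the following POSIX shell script builds the combined CA bundle used in steps 7 and 9 and runs the two checks worth doing before step 10: that the signed certificate chains to that bundle, and that it still carries the public key from the switch's CSR (a CA that re-keys the request, or returns the wrong certificate, fails the second check). The lab PKI, the CN storfos.storcom.com and all file names are constructed for the example; in practice the CSR comes from seccertmgmt and the signed certificate from your CA.

```shell
#!/bin/sh
# Added example (not from the original article): build the root+intermediate
# CA bundle that "seccertmgmt import -ca -client/-server ldap" expects and
# check, before touching the switch, that the signed certificate returned by
# the CA (1) chains to that bundle and (2) still carries the public key from
# the CSR the switch generated. The whole PKI below is a constructed lab
# stand-in for "your certificate administrator"; file names are this
# example's own.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# --- constructed lab PKI: a root CA and an intermediate CA signed by it ---
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Lab Root CA" -keyout root.key -out root.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Lab Intermediate CA" \
  -keyout inter.key -out inter.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -sha256 -days 30 -in inter.csr -CA root.pem -CAkey root.key \
  -CAcreateserial -extfile ca.ext -out inter.pem 2>/dev/null

# --- stand-in for the CSR written by "seccertmgmt generate -csr ldap" ---
openssl req -newkey rsa:2048 -nodes -subj "/CN=storfos.storcom.com" \
  -keyout switch.key -out switch.csr 2>/dev/null
# ... and for the certificate the CA hands back after signing it
openssl x509 -req -sha256 -days 30 -in switch.csr -CA inter.pem -CAkey inter.key \
  -CAcreateserial -out switch.pem 2>/dev/null
# a certificate from an unrelated CA, to show the checks failing
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Unrelated CA" -keyout other.key -out other.pem 2>/dev/null

# 1. Combine intermediate and root into one PEM file, intermediate first.
make_bundle() { # $1 = output file
  cat inter.pem root.pem > "$1"
}

# 2. Does the signed certificate chain to the bundle? (exit 0 = yes)
chains_to_bundle() { # $1 = certificate, $2 = bundle
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 3. Does the certificate carry the same public key as the CSR? (exit 0 = yes)
key_matches_csr() { # $1 = certificate, $2 = CSR
  [ "$(openssl x509 -in "$1" -pubkey -noout)" = "$(openssl req -in "$2" -pubkey -noout)" ]
}

make_bundle ca-bundle.pem
chains_to_bundle switch.pem ca-bundle.pem && key_matches_csr switch.pem switch.csr \
  && echo "switch.pem checks out; import it with: seccertmgmt import -cert ldap"
```

Run the two checks against the real files before step 10; a certificate that fails either one will not be accepted by the AD server side of the TLS handshake, and the failure is far easier to read here than in the switch's LDAP error messages.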

Switch authentication methods

There are several ways to authenticate to the switch; we will use two of them: LDAP(S) as the primary method and the local user database as the secondary. Exactly when the switch falls back to the local database (only when the LDAP servers are unreachable, or also when they reject the login) depends on the -backup option of aaaconfig --authspec; check the aaaconfig entry in the Fabric OS Command Reference for your version and test both cases before relying on the fallback.

To see the current configuration use:

aaaconfig --show

To add an LDAP server to the switch use the following command:

aaaconfig --add <LDAP server FQDN> -conf ldap -d <domain name>

Where <LDAP server FQDN> is the Fully Qualified Domain Name of the LDAP server, for example ldap1.storcom.com. Use the FQDN rather than an IP address: it has to match the name in the certificate the AD server presents, and the switch must be able to resolve it (see dnsconfig). The -p option sets the port if your servers do not listen on the default.

Where <domain name> is the Active Directory domain the LDAP server belongs to. Add at least two servers, so that a single domain controller outage does not push every login onto the local database.

Finally, configure LDAP as the primary authentication method and the local database as secondary:

aaaconfig --authspec "ldap;local"

Keep your current session open and log in again from a second session to confirm that an LDAP login works. If it does not, revert from the session you kept with aaaconfig --authspec "local".

LDAP supported configurations

The Fabric OS Administration Guide lists the supported LDAP authentication configurations in a table (the screenshot in the original article is not reproduced here). In this tutorial we use Option 3: LDAPv3 with TLS and certificate over port 389. "TLS over port 389" means the connection starts on the standard LDAP port and is upgraded with StartTLS; it is not LDAPS on port 636, so make sure your domain controllers offer StartTLS. You can check that from any host, and at the same time confirm that the server certificate chains to your CA bundle, with OpenSSL 1.1.1 or later: openssl s_client -connect ldap1.storcom.com:389 -starttls ldap -CAfile ca-bundle.pem

LDAPS implementation

Prior to any other configuration, create the authentication groups in LDAP, in our case Active Directory. The switch maps its roles to these groups, so create them before configuring the mapping.

In this example I have created an AD group called “STORCOM FOS Admins”. This group will be mapped to the admin role on the switch; the name must match the AD group exactly, because the switch compares it against the user's group membership.

To map the LDAP group to a SAN switch role, use the following command (the first argument is the AD group name, the second the switch role):

ldapcfg --maprole "STORCOM FOS Admins" admin

On switches with Virtual Fabrics enabled, the mapping can also carry the logical fabric IDs (FIDs) the role applies to, the home FID and the chassis role, for example:

ldapcfg --mapattr "STORCOM FOS Admins" -l "admin=1-128" -h 128 -c admin

Here -l "admin=1-128" grants the admin role in logical fabrics 1 to 128, -h 128 makes logical fabric 128 the home fabric at login, and -c admin grants the admin chassis role.

For more available attributes, please check Brocade Fabric OS Command Reference.

To see the existing role mappings, use:

ldapcfg --show

To unmap a role, use:

ldapcfg --unmaprole "STORCOM FOS Admins" admin

Any suggestion or question? Leave a reply below, or feel free to contact us. Also make sure to subscribe to our mailing list to get the latest updates.

Disable Telnet Port 23 on Brocade Switches

Are you considering disabling Telnet on port 23? Then this article will help you out.

More and more companies are investing in the security of their environment, and the legacy protocols HTTP, FTP and Telnet are on their way out: all three carry credentials and session data in cleartext, and their encrypted replacements (HTTPS, SCP/SFTP, SSH) are the standard today.

Prior to FOS 5.3.0 you could turn off the Telnet service from the configure command on the switch. Current FOS versions no longer let you toggle management services there; instead, we modify the ipfilter policy and deny traffic on TCP port 23.

Before we start, a short outline of the steps. The ipfilter policy is a table of rules applied to traffic reaching the switch's management Ethernet interface. Every switch ships with two active default policies, default_ipv4 and default_ipv6; the defaults cannot be edited, which is why we clone them. In short, we will:

  • Clone the existing ipfilter policies
  • Remove the rule that permits traffic on port 23
  • Define a new rule that denies traffic on Telnet port 23
  • Save and activate the new ipfilter policies

View existing ipfilter configuration

To show the current ipfilter rules, enter: ipfilter --show

STORFOS:FID128:storcom> ipfilter --show

Name: default_ipv4, Type: ipv4, State: active
Rule    Source IP                               Protocol   Dest Port         Action
1     any                                            tcp       22            permit
2     any                                            tcp       23            permit
3     any                                            tcp       80            permit
4     any                                            tcp      443            permit
5     any                                            udp      161            permit
6     any                                            udp      123            permit
7     any                                            tcp      600 - 1023     permit
8     any                                            udp      600 - 1023     permit

Name: default_ipv6, Type: ipv6, State: active
Rule    Source IP                               Protocol   Dest Port         Action
1     any                                            tcp       22            permit
2     any                                            tcp       23            permit
3     any                                            tcp       80            permit
4     any                                            tcp      443            permit
5     any                                            udp      161            permit
6     any                                            udp      123            permit
7     any                                            tcp      600 - 1023     permit
8     any                                            udp      600 - 1023     permit

Clone existing configuration

Go ahead and clone both ipfilter policies. In the example above they are named default_ipv4 and default_ipv6. I will name the clones BlockTelnet_ipv4 and BlockTelnet_ipv6.

ipfilter --clone BlockTelnet_ipv4 -from default_ipv4
ipfilter --clone BlockTelnet_ipv6 -from default_ipv6

Save the clones you just created:

ipfilter --save BlockTelnet_ipv4
ipfilter --save BlockTelnet_ipv6

Modify the cloned ipfilters

Next, we remove rule 2, which permits traffic on port 23, and define a new rule 2 that denies it. The rule number matters: the switch evaluates rules in order and the first match wins, so the deny has to sit at a position where no earlier rule permits port 23.

To remove rule 2 on the cloned policies, enter:

ipfilter --delrule BlockTelnet_ipv4 -rule 2
ipfilter --delrule BlockTelnet_ipv6 -rule 2

Use the following command to deny traffic on TCP port 23:

ipfilter --addrule BlockTelnet_ipv4 -rule 2 -sip any -dp 23 -proto tcp -act deny
ipfilter --addrule BlockTelnet_ipv6 -rule 2 -sip any -dp 23 -proto tcp -act deny

Save configuration and activate ipfilters

To save the modified ipfilter clones, enter:

ipfilter --save BlockTelnet_ipv4
ipfilter --save BlockTelnet_ipv6

Before you activate, you can double-check the new configuration by entering the command:

ipfilter --show BlockTelnet_ipv4
ipfilter --show BlockTelnet_ipv6

Finally, activate the new ipfilter policies. Activation takes effect immediately on the management interface you are connected through, so double-check that each policy still permits TCP port 22 (SSH) or you will lock yourself out of remote management; keep a serial console session open the first time you do this.

ipfilter --activate BlockTelnet_ipv4
ipfilter --activate BlockTelnet_ipv6

Removing an ipfilter

Alternatively, if you need to clean up the ipfilter policies, it is easy to do. Note that the default policies cannot be deleted, and a policy that is currently active has to be replaced (activate another policy) before it can be removed. Use the following command:

STORFOS:FID128:storcom> ipfilter --delete BlockTelnet_ipv6
This will delete the IP filter policy.
ARE YOU SURE (yes, y, no, n): [no] y
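As an added example (not part of the original article, and not a Brocade feature), the following POSIX shell script reads saved ipfilter --show output, as you would collect it from every switch over SSH, and answers two questions from it: which cleartext management services the active policy still permits, and whether a policy you are about to activate still permits SSH. The sample output embedded in the script is constructed for the example, modelled on the listing above; the rule matching follows the in-order, first-match evaluation described in this article.

```shell
#!/bin/sh
# Added example, not from the original article: audit saved "ipfilter --show"
# output for cleartext management services still permitted in the active
# policy, and confirm a policy keeps SSH open before you activate it.
# The output below is constructed for this example; in practice collect it
# from each switch (ssh admin@switch ipfilter --show > switch.txt).
set -eu

SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Name: default_ipv4, Type: ipv4, State: defined
Rule    Source IP                               Protocol   Dest Port         Action
1     any                                            tcp       22            permit
2     any                                            tcp       23            permit
3     any                                            tcp       80            permit
4     any                                            tcp      443            permit

Name: BlockTelnet_ipv4, Type: ipv4, State: active
Rule    Source IP                               Protocol   Dest Port         Action
1     any                                            tcp       22            permit
2     any                                            tcp       23            deny
3     any                                            tcp       80            permit
4     any                                            tcp      443            permit
5     any                                            udp      161            permit
6     any                                            udp      123            permit
7     any                                            tcp      600 - 1023     permit
8     any                                            udp      600 - 1023     permit
EOF

# Print "policy proto port action" for each rule of one policy; a range
# such as "600 - 1023" is reduced to "600-1023".
rules_of() { # $1 = saved show output, $2 = policy name
  awk -v want="$2" '
    /^Name:/ { split($2, n, ","); policy = n[1]; next }
    policy == want && $1 ~ /^[0-9]+$/ {
      port = $4; if ($5 == "-") port = $4 "-" $6
      print policy, $3, port, $NF
    }' "$1"
}

# Name of the active policy of one address family (ipv4 or ipv6), if any.
active_policy() { # $1 = saved show output, $2 = ipv4|ipv6
  awk -v t="$2" '
    /^Name:/ && index($0, "Type: " t ",") && /State: active/ {
      split($2, n, ","); print n[1]
    }' "$1"
}

# Action the policy takes for proto/port: rules are evaluated in order and
# the first match wins. Prints "none" when no rule matches.
action_for() { # $1 = saved show output, $2 = policy, $3 = proto, $4 = port
  rules_of "$1" "$2" | awk -v p="$3" -v port="$4" '
    $2 != p { next }
    { split($3, r, "-"); lo = r[1] + 0; hi = (r[2] == "" ? lo : r[2] + 0) }
    port + 0 >= lo && port + 0 <= hi { print $4; found = 1; exit }
    END { if (!found) print "none" }'
}

# Report cleartext services the active IPv4 policy still permits.
# Returns 1 if any is permitted, so it can gate a fleet-wide check.
audit_cleartext() { # $1 = saved show output
  f=$1; rc=0
  pol=$(active_policy "$f" ipv4)
  [ -n "$pol" ] || { echo "no active ipv4 policy found"; return 1; }
  for svc in "tcp 23 telnet" "tcp 80 http" "tcp 21 ftp"; do
    set -- $svc
    act=$(action_for "$f" "$pol" "$1" "$2")
    echo "$pol: $3 ($1/$2) -> $act"
    [ "$act" = permit ] && rc=1
  done
  return $rc
}

# Sanity check before "ipfilter --activate": SSH must stay permitted.
keeps_ssh() { # $1 = saved show output, $2 = policy
  [ "$(action_for "$1" "$2" tcp 22)" = permit ]
}

keeps_ssh "$SAMPLE" BlockTelnet_ipv4 || echo "BlockTelnet_ipv4 would lock out SSH"
audit_cleartext "$SAMPLE" || echo "a cleartext management service is still permitted"
```

On the constructed sample the policy blocks Telnet but still permits HTTP, so the audit exits non-zero; the same check run over saved output from every switch gives you a list of the ones where the HTTP-to-HTTPS clean-up is still outstanding.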




Brocade ISL Trunk configuration

07/11/2019 | SAN | 4 Comments

One of the most interesting parts of administering FC switches is implementing ISLs (Inter-Switch Links) between two datacenters. In this article we cover the steps needed to join two switches into one fabric. We assume that the physical link (cabling) is already in place and that the switches are already configured.

On the demonstration below I’m using Brocade SAN switches G62-series running Fabric OS version 8.0.2e.

  1. We start off by disabling the switch. switchdisable takes the whole switch offline, so do this in a maintenance window.
    FOS_STORCOM1:admin> switchdisable
  2. Next, configure the speed of the ports that will be inter-connected.
    FOS_STORCOM1:admin> portcfgspeed -i <port number> -f <port speed>

  3. Fabric-wide parameters (domain ID and fabric parameters) are set with the interactive configure command, which leads you through them; fabric parameters can only be changed while the switch is disabled.
  4. Next, calculate the ISL distance. A rule of thumb is to multiply the physical distance by 1.5 to get the distance to configure on the port.
    real_distance_km x 1.5 = ISL_logical_distance

    In my case, the two switches are 146 km apart, so I use 220 km as the ISL distance.

  5. To configure the port in LS (static long distance) mode, where the distance is set explicitly, enter the following command. LS mode requires the Extended Fabrics license.
    FOS_STORCOM1:admin> portcfglongdistance <port number> LS 1 <ISL distance in km>

    The vc_link_init value of 1 uses the ARB fill word (default); a value of 0 uses IDLE. The required value depends on the link equipment in between. Repeat the command for each ISL port.

  6. Optionally, enable QoS on the ISL ports:
    FOS_STORCOM1:admin> portcfgqos --enable <port number>
  7. To check and confirm the port parameters, use:
    FOS_STORCOM1:admin> portshow <port number>
  8. The port is now ready. Enable the switch and the ports:
    FOS_STORCOM1:admin> switchenable
    FOS_STORCOM1:admin> portcfgpersistentenable <port number>
  9. Log on to the second switch and repeat Step 1 to Step 8.
  10. Your SAN fabric should be ready now. Verify it using the following commands:
    FOS_STORCOM1:admin> fabricshow
    FOS_STORCOM1:admin> islshow
    FOS_STORCOM1:admin> trunkshow

The article Essential troubleshooting command lines every Storage Administrator should know covers further commands related to switch administration.

A complete command reference and other administration topics can be found in the Brocade Fabric OS Administration Guide.


A CLI (Command Line Interface, historically also Command Language Interpreter) is a program that takes its input as lines of text (command lines). Command lines date back to the mid-1960s, when computer terminals were the standard way of using a computer.

Today almost every platform is built on a command line underneath: Windows Server (PowerShell, from Windows Server 2012 onwards in particular), any Linux distribution, and computer and storage networks (SAN).

Below we cover some commands that are essential for every Storage Administrator. If you think something interesting is missing, feel encouraged to contact us.

Microsoft Windows Powershell

Determine a Virtual Machine’s underlying physical host (Command execution: Guest computer)

(get-item "HKLM:\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters").GetValue("HostName")

Get a VM’s .VHD(X) location files and .VHD details (Command execution: On the host computer)

Get-VM | Select-Object VMID | Get-VHD | Select-Object Path
Get-VHD <.VHDX file path>

Get a Host Adapter’s WWN (Command execution: On the host computer)

Get-InitiatorPort | Format-List -Property PortAddress

Get Host Adapter’s WWN remotely or for a whole cluster (Command Execution: On the host computer)

Get-InitiatorPort -CimSession <Computer name>
Get-ClusterNode | ForEach-Object { Get-InitiatorPort -CimSession $_.Name }

Show MPIO disk paths of a volume / vlun (Command execution: On the host computer)

(Get-WmiObject -Namespace root\wmi -Class mpio_disk_info).DriveInfo | ForEach-Object { Write-Host "Name: $($_.Name) Paths: $($_.NumberPaths)" }

Brocade OS CLI

Find a host Alias name using WWN

nodefind <Host's wwn>

Find a host alias by partial name (case-insensitive match)

nsaliasshow | grep -i "<part of alias name>"

Display zone information of an alias

zoneshow | grep -i "<alias name>"

Display error counters for a single port, or for all switch ports when no port number is given

porterrshow <port number>
