Ethernet Fabric (VDX, CNA)

Visitor
Posts: 1
Registered: 05-15-2013

How do you Enable/Configure SSH access to VDX 6710?

[ Edited ]

I have been searching around the internet and forums all morning trying to find this information. I am a new Network Admin and I have never touched a Brocade switch before.

The Network Admin before me had not set up SSH on our Brocade switches. This means that, for just the Brocade switches, I have to go into our server room and connect with a console cable to configure anything.

Really, I am looking for some sort of reference material to help me configure this. I have provided the config from one of the switches. I have read somewhere that SSH is enabled by default, so I'm a bit befuddled.

Occasional Contributor
Posts: 10
Registered: 04-03-2012

Re: How do you Enable/Configure SSH access to VDX 6710?

SSH is enabled by default. Looking over your config, you have an IP address on interface Management 1/0 only. You need to make sure you have a cable connected to the management port on your Switch #1. You will not be able to SSH to this inband with the IP on the management interface.

I hope this helps.

Brocadian
Posts: 12
Registered: 12-10-2013

Re: How do you Enable/Configure SSH access to VDX 6710?

Solutions ID: SLN2330

Host-A resides on VLAN 11 with an IP address of 11.1.1.10/24.

The default gateway for Host-A is the VRRP-e address 11.1.1.1, which resides on VE 11 on the VDXs.

Host-B resides on VLAN 14 with an IP address of 14.1.1.10/24.

The default gateway for Host-B is the VRRP-e address 14.1.1.1, which resides on VE 14 on the VDXs.

The user manages the VDXs using the VE interfaces and wishes to restrict SSH access to Host-B only.

Resolution

To restrict SSH access to the VE interfaces to Host-B only, the ACL below should be configured and applied to the VE interfaces of ALL VDXs in the fabric.

NOTE: While running in VCS mode, traffic that ingresses the VDX via an ISL interface is considered to be trusted and will NOT be filtered by an ACL.

Hence, the ACL should be configured on ALL VDXs in the fabric, causing the traffic to be filtered on the edge VDX.

For example, if the ACL below were ONLY applied to VE 11 and VE 14 on VDX-3, Host-A would be allowed to SSH to VDX-3 on both VE 11 and VE 14. To disallow Host-A from accessing VDX-3 via SSH, the ACL will have to be applied to the VE interfaces of VDX-2 as well.

 

VDX-2(conf-ipacl-ext)# do show running-config ip access-list
ip access-list extended sshAccess
 seq 10 permit tcp host 14.1.1.10 host 14.1.1.2 eq 22
 seq 20 permit tcp host 14.1.1.10 host 14.1.1.3 eq 22
 seq 30 permit tcp host 14.1.1.10 host 11.1.1.2 eq 22
 seq 40 permit tcp host 14.1.1.10 host 11.1.1.3 eq 22
 seq 50 hard-drop tcp any host 14.1.1.2 eq 22
 seq 60 hard-drop tcp any host 14.1.1.3 eq 22
 seq 70 hard-drop tcp any host 14.1.1.1 eq 22
 seq 80 hard-drop tcp any host 11.1.1.2 eq 22
 seq 90 hard-drop tcp any host 11.1.1.3 eq 22
 seq 100 hard-drop tcp any host 11.1.1.1 eq 22
 seq 110 permit ip any any

In the ACL above note the use of the ‘hard-drop’ keyword. Traffic that is destined to the switch (CPU) will not be filtered with the usual ‘deny’ keyword. The ‘hard-drop’ keyword is used to filter both transit traffic, as well as traffic destined to the switch CPU.

VDX-2 Config:

VDX-2(config-vrrp-extended-group-14)# do show run rbridge interface ve 14
rbridge-id 2
 interface Ve 14
  ip access-group sshAccess in
  ip proxy-arp
  ip address 14.1.1.2/24
  no shutdown
  vrrp-extended-group 14
   virtual-ip 14.1.1.1
   enable
   no preempt-mode
   advertise-backup
   short-path-forwarding

VDX-2(config-vrrp-extended-group-11)# do show run rbridge interface ve 11
rbridge-id 2
 interface Ve 11
  ip access-group sshAccess in
  ip proxy-arp
  ip address 11.1.1.2/24
  no shutdown
  vrrp-extended-group 11
   virtual-ip 11.1.1.1
   enable
   no preempt-mode
   advertise-backup
   short-path-forwarding


VDX-3 Config:

VDX-3(config-vrrp-extended-group-14)# do show run rbridge interface ve 14
rbridge-id 3
 interface Ve 14
  ip access-group sshAccess in
  ip proxy-arp
  ip address 14.1.1.3/24
  no shutdown
  vrrp-extended-group 14
   virtual-ip 14.1.1.1
   enable
   no preempt-mode
   advertise-backup
   short-path-forwarding

VDX-3(config-vrrp-extended-group-11)# do show run rbridge interface ve 11
rbridge-id 3
 interface Ve 11
  ip access-group sshAccess in
  ip proxy-arp
  ip address 11.1.1.3/24
  no shutdown
  vrrp-extended-group 11
   virtual-ip 11.1.1.1
   enable
   no preempt-mode
   advertise-backup
   short-path-forwarding


 
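An added model (not from the solution note or from Brocade) of how the sshAccess ACL above is evaluated and why it must sit on every VDX in the fabric: it parses the note's ACL lines, applies first-match semantics, treats plain 'deny' as not filtering CPU-bound traffic (the note's reason for 'hard-drop'), and models the VCS caveat that only the edge VDX filters while ISL-ingress traffic is trusted. The VDX names, the set of CPU-terminated addresses and the simplified forwarding model are assumptions made for the illustration.

```python
# Added model of the SLN2330 ACL and the VCS "ISL traffic is trusted" caveat.
# SSH_ACL is the note's ACL, embedded here as constructed sample input.
SSH_ACL = """
seq 10 permit tcp host 14.1.1.10 host 14.1.1.2 eq 22
seq 20 permit tcp host 14.1.1.10 host 14.1.1.3 eq 22
seq 30 permit tcp host 14.1.1.10 host 11.1.1.2 eq 22
seq 40 permit tcp host 14.1.1.10 host 11.1.1.3 eq 22
seq 50 hard-drop tcp any host 14.1.1.2 eq 22
seq 60 hard-drop tcp any host 14.1.1.3 eq 22
seq 70 hard-drop tcp any host 14.1.1.1 eq 22
seq 80 hard-drop tcp any host 11.1.1.2 eq 22
seq 90 hard-drop tcp any host 11.1.1.3 eq 22
seq 100 hard-drop tcp any host 11.1.1.1 eq 22
seq 110 permit ip any any
"""
# Assumed: addresses that terminate on a switch CPU (VE addresses plus VRRP-e virtual IPs).
CPU_ADDRS = {"14.1.1.1", "14.1.1.2", "14.1.1.3", "11.1.1.1", "11.1.1.2", "11.1.1.3"}

def parse_acl(text):
    """Parse 'seq N action proto (any|host A) (any|host B) [eq PORT]' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        rule = {"seq": int(t[1]), "action": t[2], "proto": t[3]}
        i = 4
        for side in ("src", "dst"):           # None means 'any'
            rule[side], i = (None, i + 1) if t[i] == "any" else (t[i + 1], i + 2)
        rule["dport"] = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append(rule)
    return rules

def evaluate(rules, proto, src, dst, dport):
    """First match wins. Per the note, plain 'deny' does not filter traffic bound
    for the switch CPU; only 'hard-drop' does (modelled here as 'deny' == no filtering)."""
    for r in rules:
        if r["proto"] not in ("ip", proto) or r["dport"] not in (None, dport):
            continue
        if r["src"] not in (None, src) or r["dst"] not in (None, dst):
            continue
        if r["action"] == "permit" or (r["action"] == "deny" and dst in CPU_ADDRS):
            return "permit"
        return "drop"
    return "drop"                              # implicit deny (never reached with SSH_ACL)

def ssh_allowed(acl_on, ingress_vdx, src, dst):
    """acl_on: VDX names with sshAccess applied; ingress_vdx: the edge VDX the host is
    cabled to. Only the edge VDX filters; ISL-ingress traffic at the target is trusted."""
    if ingress_vdx in acl_on:
        return evaluate(parse_acl(SSH_ACL), "tcp", src, dst, 22) == "permit"
    return True
```

Running the model shows the note's failure case (ACL only on VDX-3, Host-A cabled to VDX-2, session to 14.1.1.3 allowed) and also that even Host-B is dropped when it targets a VRRP-e virtual IP, since the ACL permits only the physical VE addresses.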
