Occasional Contributor
Posts: 15
Registered: ‎07-02-2015

Access to new ICX switch trouble


I've got a network of 10 ICX6610 switches. They are all based on the same configuration and are all running 08.0.10h software. I can communicate with switches 1-9 from my desktop computer as well as through the Brocade Network Advisor software. 

 

I've just racked switch 10. I cannot telnet to it, ssh into it, ping it, nor will the BNA software recognize it. I have combed over configurations to find differences between 1-9 and 10, but I can't seem to pinpoint the problem. I have also rebooted the switch since the install but still have no access. It is set up in the same IP range with the same gateway and subnet mask.

 

I should bring up the fact that if I were to telnet or ssh into switch 1-9, I CAN from there ping, ssh or telnet to/into switch 10. 

 

Maybe I'm on the wrong track, but this is the ONLY switch in our network that is uplinked using MMF. Would that make a difference?  

 

Can anyone point me in the right direction? Feel free to ask for more information and I'll provide it.

 

Thanks.

New Contributor
Posts: 2
Registered: ‎05-12-2015

Re: Access to new ICX switch trouble

Couple things to check:

 

ACL preventing access to telnet/ssh. 

Switch number 10 doesn't have a default-gateway set or it is wrong.  Hence other switches can get to it but possibly not your desktop.

 

Can you ping back to your workstation once on the switch?

 

 

 

Dave

Occasional Contributor
Posts: 15
Registered: ‎07-02-2015

Re: Access to new ICX switch trouble

ACL preventing access to telnet/ssh

The ACL is the same on both batches of switches (1-9) & 10.

 

Switch 10 doesn't have a default-gateway set or it is wrong. 

Gateway is configured to the same IP address as switches 1-9 are.

 

Can you ping back to your workstation once on the switch?

No, but neither can I on switches 1-9. 

 

Thanks for the suggestions, but still no dice :/

Occasional Contributor
Posts: 15
Registered: ‎07-02-2015

Re: Access to new ICX switch trouble

Still having this problem. Does anyone else have any insight as to what could be causing this?

 

I've looked once more through the configurations and have found these differences:

 

Switches 1-9 have PW Masking. Switch 10 does not.

Switches 1-9 have an SNMP server set up. Switch 10 does not.

Switches 1-9 have flow control enabled. Switch 10 does not.

 

I know the first two shouldn't have anything to do with it, but could the 3rd be causing some issue?

Contributor
Posts: 47
Registered: ‎08-03-2015

Re: Access to new ICX switch trouble

Since you have said that all the switches have the exact same configuration, but switch 10 is not working while the other 9 switches are, I would recommend checking whether the ports are physically up.

Check the physical connectivity, cables, and transceivers. Also try configuring the speed manually on both interfaces, and check the VLANs on both sides as well.

______________________
Umair Khan Patel
https://in.linkedin.com/in/patelumairkhan
Occasional Contributor
Posts: 15
Registered: ‎07-02-2015

Re: Access to new ICX switch trouble


I think I *may* have found my solution. When running through the results from a 'sho conf' command, I found this little section defining who gets SSH access. 

 

'ssh access-group 7
hitless-failover enable
interface ethernet 1/3/1
  port-name To: XXXX-CES-Edge
  speed duplex 10G-Full
  no flow-control'

 

The problem is in the bolded section above... switch 10's uplink is on 1/5/1 as opposed to 1/3/1. As mentioned, switches 1-9 have the same config, but all of them are uplinked through 1/3/1. Does the bolded portion of the results above indicate that 1/3/1 is the only port through which SSH can be accessed? If so, how could I change that to 1/3/5?

Frequent Contributor
Posts: 105
Registered: ‎07-12-2011

Re: Access to new ICX switch trouble

One thing it could be is the lack of a generated cryptographic key.

 

Start with this

 

show ip ssh detail

 

That should show something like this if it's set up correctly with a key

 

SSH@BRNCMCMP1BAR01#show ip ssh config
SSH server                 : Enabled
SSH port                   : tcp\22
Host Key                   :  RSA 1024
Encryption                 : AES-256, AES-192, AES-128, 3-DES
Permit empty password      : No
Authentication methods     : Password, Public-key, Interactive
Authentication retries     : 3
Login timeout (seconds)    : 120
Idle timeout (minutes)     : 30
Strict management VRF      : Disabled
SCP                        : Enabled
SSH IPv4 clients           : All
SSH IPv6 clients           : All
SSH IPv4 access-group      : 23
SSH IPv6 access-group      :
SSH Client Keys            :

 

Here is one that isn't set up for SSH

 

telnet@SwRm_FCXA#sh ip ssh config
SSH server                 : Disabled
SSH port                   : tcp\22
Encryption                 : AES-256, AES-192, AES-128, 3-DES
Permit empty password      : No
Authentication methods     : Password, Public-key
Authentication retries     : 3
Login timeout (seconds)    : 120
Idle timeout (minutes)     : 0
SCP                        : Enabled
SSH IPv4 clients           : All
SSH IPv6 clients           : All
SSH IPv4 access-group      :
SSH IPv6 access-group      :

 

 

If the key hasn't been created, go to conf t

 

crypto key generate rsa mod 2048

 

Wait a few minutes and make sure the key is generated, then go back and verify it was set up with the sh ip ssh config again.

 

If that doesn't work, you likely have an ACL issue

 

sh run | in access-list 7

 

That should show you the ACL that is limiting access

 

The other thing to look for is the ssh source

 

sh run | in ssh source-interface

 

You would be looking for something that says something like

 

ip ssh source-interface loopback 1

 

or even a specific interface

 

ip ssh source-interface ethernet 1/3/1
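
Added example, not part of the original post: a small Python audit of the 'show ip ssh config' fields from the two listings above, which flags what the post says to look for (server disabled, no host key, no access-group) and diffs a working switch against a failing one. The sample text is trimmed from those listings; the function names, finding labels and the 2048-bit threshold (taken from the key-generation command in the post) are assumptions of this example.

```python
import re

# Sample text trimmed from the two listings in the post (prompt line kept to show it is skipped).
WORKING = """SSH@BRNCMCMP1BAR01#show ip ssh config
SSH server                 : Enabled
Host Key                   :  RSA 1024
Encryption                 : AES-256, AES-192, AES-128, 3-DES
Permit empty password      : No
SSH IPv4 access-group      : 23
"""
NOT_SETUP = """telnet@SwRm_FCXA#sh ip ssh config
SSH server                 : Disabled
Encryption                 : AES-256, AES-192, AES-128, 3-DES
Permit empty password      : No
SSH IPv4 access-group      :
"""

def parse_ssh_config(text):
    """Turn 'Field : value' lines into a dict; lines without a colon (the prompt) are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def audit(fields):
    """Return finding labels (names are this example's own) for one switch."""
    findings = []
    if fields.get("SSH server") != "Enabled":
        findings.append("ssh-server-disabled")
    key = re.match(r"RSA\s+(\d+)", fields.get("Host Key", ""))
    if not key:
        findings.append("no-host-key")          # key was never generated
    elif int(key.group(1)) < 2048:
        findings.append("weak-host-key")        # below the 2048 bits the post generates
    if "3-DES" in fields.get("Encryption", ""):
        findings.append("3des-offered")
    if fields.get("Permit empty password") != "No":
        findings.append("empty-password-allowed")
    if not fields.get("SSH IPv4 access-group"):
        findings.append("no-ipv4-access-group")  # SSH not restricted by an ACL
    return findings

def diff(a, b):
    """Fields whose values differ between two switches, as {field: (a, b)}."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

if __name__ == "__main__":
    good, bad = parse_ssh_config(WORKING), parse_ssh_config(NOT_SETUP)
    print(audit(good)); print(audit(bad)); print(diff(good, bad))
```
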

 

 
