06-17-2014 04:29 AM - edited 06-17-2014 04:34 AM
I am currently configuring an ICX 6450-24 Switch. Since I am new to Brocade, I am doing a bit of practice with the device to understand the configuration fully.
When I create a "management-vlan" and add only a few ports in that vlan, then I am not able to access the switch from any other port, as should be the case (with all the other ports on the default vlan ID).
But when I am assigning IP to the Management Port, then I am able to access the switch from other ports, as the IP assignment to the switch is done globally and not for Management Interface.
If that is the case, how will I be able to configure an Out-of-Band network configuration using only management ports? Moreover, it is not possible to add those ports to any VLANs, not even the default VLAN. It seems that the Management Port becomes a part of the Default VLAN.
This also means that if someone connects a system to a default VLAN port, then they have the ability to issue, for example, "telnet", even though they may not have telnet access permissions through acl or user ID/pass. Doesn't this pose a security risk?
I know some people may say that I should keep the unused ports "disabled". But what if I don't want to do that?
06-18-2014 01:54 PM
Some of the rules on the Management port:
- A management port is not part of any VLAN
- Creating a management VLAN disables the management port on the device.
For switches, any in-band port may be used for management purposes. A router sends Layer 3 packets using the MAC address of the port as the source MAC address.
Designated VLAN for Telnet management sessions to a Layer 2 Switch
All Brocade FastIron devices support the creation of management VLANs. By default, the management IP address you configure on a Layer 2 Switch applies globally to all the ports on the device. This is true even if you divide the device ports into multiple port-based VLANs.
If you want to restrict the IP management address to a specific port-based VLAN, you can make that VLAN the designated management VLAN for the device. When you configure a VLAN to be the designated management VLAN, the management IP address you configure on the device is associated only with the ports in the designated VLAN.
To establish a Telnet management session with the device, a user must access the device through one of the ports in the designated management VLAN.
07-24-2014 06:45 AM
...so the key phrase here is "designated management vlan".
That's the phrase which will unlock all the useful info buried somewhere in the manuals.
In the config it will look something like:
vlan 100 name data by port
So now the IP addr you globally configured for the switch-code (6430?) resides in vlan 100.
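As an added illustration of the designated-management-VLAN setup the two replies above describe (this is not a configuration from any poster here; the VLAN id, ICX-style port numbers, addresses and ACL number are assumed for the example), the default "reachable from every port" state is shown next to a restricted one. Lines starting with "!" are annotations for the reader, not CLI input.

```text
! --- Weak (the default the original post ran into): the switch IP is global,
! --- so a host on any port in any port-based VLAN can reach telnet/ssh/web.
ip address 192.0.2.10 255.255.255.0      ! constructed example address
ip default-gateway 192.0.2.1
telnet server

! --- Restricted: bind the same global IP to a designated management VLAN,
! --- then accept management sessions only from the admin subnet.
vlan 100 name MGMT by port
 untagged ethe 1/1/1 to 1/1/4            ! assumed ports; only these reach the IP
 management-vlan                         ! makes vlan 100 the designated mgmt VLAN
 exit
access-list 10 permit 192.0.2.0 0.0.0.255   ! constructed admin subnet
access-list 10 deny any
telnet access-group 10                    ! session-level filter, in addition to the VLAN
ssh access-group 10
web access-group 10
```

Per the rule quoted in the 06-18 reply, issuing management-vlan also disables the dedicated out-of-band management port, so hosts connected there lose access once this is applied.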
08-04-2014 02:55 PM
My problem is that on my CER, it has a dedicated management port that can't be used to send sflow data through. So if I create a new vlan for management, I can't designate it as the management vlan!! (I have a CER 2024C running Ironware Version 5.4.0dT183).
How can I configure a regular unused ethernet port as a management port?
vlan 130 name Switch_Management
untagged ethe 1/12
router-interface ve 130
interface ethernet 1/12
interface ve 130
ip address 18.104.22.168/21
08-05-2014 10:28 AM
Did you try this?
Enabling sFlow forwarding (from config guide)
To enable sFlow forwarding, enter commands such as the following.
Brocade(config)# sflow enable
Brocade(config)# interface ethernet 1/1 to 1/8
Brocade(config-mif-1/1-1/8)# sflow forwarding
These commands globally enable sFlow, then enable sFlow forwarding on Ethernet ports 1/1