Ethernet Switches & Routers

New Contributor
Posts: 2
Registered: ‎10-31-2017

switch vs router setting ip address for the web portal

I am new to networking, let alone the Brocade brand.  I was able to set up the icx6450 in switch mode to allow access to the web management portal, which basically set an IP address for the entire switch and was accessible from every port.  On the other hand, I'm confused about the setup of the web portal in router mode.  It seems that with the router you have to set an IP address on a specific port and somehow allow access from the port to the web portal.  Can someone explain exactly how this is done?  And can you set a different IP address for each port on a router?  I'm used to home routers where the device as a whole has an IP address, not a port. Thank you.

Frequent Contributor
Posts: 134
Registered: ‎07-20-2015

Re: switch vs router setting ip address for the web portal


It is pretty much the same.

 

The difference is a router routes for directly connected routes by default.  If you put an IP on an interface, that network gets added to the routing table.  If you add it to an SVI (Software Virtual Interface), which Brocade calls a VE, it then routes for entire collections of interfaces that are members of that VLAN where the VE is assigned.

 

Static routes tell a router where to find subnets that are not directly connected, and dynamic routes build routing tables automatically.

 

 

 

Personally, I don't like the web interface.  I can make changes in seconds at the terminal via SSH, and I can configure an entire switch in maybe 5 to 10 minutes by pasting in blocks from a template.

Here are items from my standard router configuration for an ICX 6450:

 

 

As for the web interface it merely needs to be reachable.

 

Here is kind of what I do:

 

hostname somename

username myuser password somepassword

 

Setup SSH keying:

 

crypto key zeroize rsa

crypto key zeroize dsa

 

crypto key generate rsa mod 2048

 

 

<wait until it gens>

 

 

crypto-ssl certificate generate

 

<wait until it gens>

 

 

Next I usually provision a couple VLANs and assign the VEs.  Untagged simply means we are using Access Ports not trunk ports...

 

vlan 1 name Data by port
router-interface ve 1
!
exit
vlan 100 name WAN by port
untagged ethe 1/2/1
router-interface ve 100
!
exit

 

<show vlan shows what you have>

<dual-mode is a native vlan>

 

Setup AAA Behavior.  You would change this if you are doing RADIUS or similar: 


aaa authentication web-server default local
aaa authentication enable default local
aaa authentication login default local
aaa authentication login privilege-mode

 

enable aaa console

 

 


console timeout 30

 

 

A default route if you want one:
ip route 0.0.0.0/0 10.1.2.3

 

 

For security:

no telnet server

 

If you want discovery protocols:

cdp run
fdp run
lldp run

 

Secure web management only:

 

no web-management http
web-management https

 

 

You probably want to do routing:

 

interface ve 1
port-name Data Gateway
ip address 10.16.0.1/16
ip helper-address 1 10.8.9.10
ip helper-address 2 192.168.5.1
!
exit

 

interface ve 100
port-name Metro-E Circuit
ip address 10.11.12.13/30
!
exit

 

 

 

At this point, you have got it.  You will probably want to create an ACL to limit access to SSH and the website.  Remember there is an implicit deny at the end and a simple standard ACL is what you need.

 

Something like:

 

access-list 99 permit host 10.1.5.6
access-list 99 permit 10.1.2.0 0.0.0.255

 

 

To apply it:

 

ssh access-group 99
web access-group 99

 

 

If you want to sync time set your zone and an NTP source:

 

 

clock summer-time
clock timezone us Eastern
!
!
ntp
server 10.1.2.3
!
!
exit

 

If you want a banner:

 

banner motd ^
------------------------------------------------------------------------

your banner here

------------------------------------------------------------------------
^

 

To describe your ports:

 

interface ethernet 1/2/1
port-name My WAN Circuit

!

 

 

 

Securing SSH:

 

ip ssh authentication-retries 2
ip ssh timeout 30
ip ssh idle-time 30
ip ssh scp disable
ip ssh encryption disable-aes-cbc

 

 

Improve Logging:

 

logging console
logging persistence

 

 

 

Perhaps you want to capture flows:

sflow agent-ip 10.1.2.3

sflow sample 512
sflow polling-interval 30
sflow destination 10.15.16.17 2055
sflow enable

 

For whatever interfaces you want to report flows:

 

interface ethernet 1/1/1 
sflow forwarding
!
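
A way to check a saved configuration against the management-plane settings in the post above and to see which source addresses ACL 99 admits, as an added example that is not part of the original post or any Brocade tooling. It assumes the configuration is plain text with one command per line; `REQUIRED`, `SAMPLE`, `parse_acls`, `acl_permits` and `audit` are names made up here, and only `permit`/`deny` entries in host or network-plus-wildcard form are parsed.

```python
import ipaddress
import re

# Hardening lines taken from the post; the audit expects each one verbatim.
REQUIRED = ["no telnet server", "no web-management http",
            "web-management https", "ip ssh encryption disable-aes-cbc"]
# Constructed sample: deliberately lacks the AES-CBC line and the web ACL.
SAMPLE = """no telnet server
no web-management http
web-management https
access-list 99 permit host 10.1.5.6
access-list 99 permit 10.1.2.0 0.0.0.255
ssh access-group 99
"""

def parse_acls(config):
    """Return {acl_number: [(action, address_int, wildcard_int), ...]}."""
    acls = {}
    pat = re.compile(r"access-list (\d+) (permit|deny) (?:host (\S+)|(\S+) (\S+))$")
    for line in config.splitlines():
        m = pat.match(line.strip())
        if m:
            num, action, host, net, wild = m.groups()
            addr = int(ipaddress.IPv4Address(host or net))
            mask = 0 if host else int(ipaddress.IPv4Address(wild))
            acls.setdefault(num, []).append((action, addr, mask))
    return acls

def acl_permits(acls, num, source):
    """First matching entry wins; no match falls through to the implicit deny."""
    src = int(ipaddress.IPv4Address(source))
    for action, addr, wild in acls.get(num, []):
        # Wildcard bits set to 1 are ignored; every other bit must be equal.
        if ((src ^ addr) & ~wild & 0xFFFFFFFF) == 0:
            return action == "permit"
    return False

def audit(config):
    """List the post's management-plane settings that the config lacks."""
    lines = [l.strip() for l in config.splitlines()]
    findings = [f"missing: {req}" for req in REQUIRED if req not in lines]
    acls = parse_acls(config)
    for service in ("ssh", "web"):
        applied = [l.split()[-1] for l in lines if l.startswith(f"{service} access-group ")]
        if not applied:
            findings.append(f"{service}: no access-group applied")
        elif applied[-1] not in acls:
            findings.append(f"{service}: access-group {applied[-1]} has no entries")
    return findings
```

Running `audit` on the text of `show running-config` saved to a file, then probing `acl_permits` with the addresses of the admin workstations, confirms the ACL admits exactly the intended sources before it is applied to SSH and the web server.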

 

New Contributor
Posts: 2
Registered: ‎10-31-2017

Re: switch vs router setting ip address for the web portal

Thank you very much for your help. Do you mind if I msg you if I hit a snag with setting it up?
Frequent Contributor
Posts: 134
Registered: ‎07-20-2015

Re: switch vs router setting ip address for the web portal

That's fine.... Go ahead. In fact if you make it after 4 PM EDT, you can even call me.
