fix directories

This commit is contained in:
Jon Sands
2019-10-29 05:06:35 -04:00
parent aa34c89655
commit bf7806b6f0
16 changed files with 6 additions and 6 deletions

90
docs/64nix.md Normal file

@@ -0,0 +1,90 @@
# Assigning tons of /64s to *nix machines (telehouse-NY)
### Get a /125 transit net for the connection to the server:
`2620:57:e000:e::10/125`
### give the first IP in transit subnet to the ICX7750:
```
enable
conf t
int ve 2000
ipv6 addr 2620:57:e000:e::11/125
ipv6 nd suppress-ra
```
The next IP after this, `2620:57:e000:e::12`, will be given to the server.
### Choose a /56 to give to the server:
`2620:57:e000:400::/56`
### Tell the ICX7750 the entire /56 is accessible over previous transit link:
```
enable
conf t
ipv6 route 2620:57:e000:400::/56 2620:57:e000:e::12
```
The destination is your chosen `2620:57:e000:400::/56` subnet, the next-hop is the server end of the transit subnet, `2620:57:e000:e::12`
### Give the server its own address in the transit subnet:
**Note**: this should be one address up from what the router (ICX7750) has.
```
nano /etc/network/interfaces
auto eth1
iface eth1 inet6 static
address 2620:57:e000:e::12
netmask 125
gateway 2620:57:e000:e::11
autoconf 0
```
### Assign an entire /56 to a linux server
Run the below command to assign the entire /56 to the server's loopback interface:
**Note:** this uses Linux's [AnyIP](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ab79ad14a2d51e95f0ac3cef7cd116a57089ba82) feature:
`ip -6 route add local 2620:57:e000:400::/56 dev lo`
Your server will now respond to any address in the entire /56 - however most applications and daemons will complain when you try to bind them to an address in this block, since they're not *technically* assigned to any real linux interface. To solve this, enable the `net.ipv6.ip_nonlocal_bind` sysctl:
`sysctl -w net.ipv6.ip_nonlocal_bind=1`
Applications can now bind to any IP address in the /56. To make this permanent so it persists reboots, you need to edit `/etc/sysctl.conf`:
```nano /etc/sysctl.conf```
Add the following line and then save it:
`net.ipv6.ip_nonlocal_bind = 1`
The `ip -6 route` command we ran earlier to assign the /56 will also disappear on reboot, to make it persist reboots, add it as a `pre-up` command to our network interfaces file, under your transit subnet interface:
```
nano /etc/network/interfaces
auto eth1
iface eth1 inet6 static
address 2620:57:e000:e::12
netmask 125
gateway 2620:57:e000:e::11
autoconf 0
pre-up ip -6 route add local 2620:57:e000:400::/56 dev lo
```
### Finding all the /64s to bind to
If your application needs to be bound to each /64, stick our `2620:57:e000:400::/56` subnet into [this calculator](https://subnettingpractice.com/ipv6_subnetting.html), and choose /64s from the dropdown then press calculate:
![calculator](../../data/other/brocade/64nix-1.png)
Then simply bind each of your application instances to the first address in each /64 - For instance:
```
Instance 1 - 2620:57:e000:400::1/64
Instance 2 - 2620:57:e000:401::1/64
Instance 3 - 2620:57:e000:402::1/64
etc etc etc
```

122
docs/eeprom.md Normal file

@@ -0,0 +1,122 @@
# EEPROM Unlocks
## Information
Before software licensing came around, during the Foundry and early Brocade days, the older FastIron switches used hardware licensing in the form of optional 16kbit EEPROM chips in a socket on the switches mainboard. These were either installed from factory, or you could purchase them and install them yourself.
The EEPROM would contain a magic string of letters and numbers, and when the switch OS saw this it knew to unlock said features. These products are now very old, have not been sold for a decade, and the below license EEPROMs are impossible to buy as the company no longer exists (Foundry is gone). I am providing the strings here to give these old pieces of hardware a little more life.
**Note:** All FastIron devices had two EEPROMs - a soldered in main EEPROM that contained chassis data like MAC address, serial number, manufacture date, etc. Then the second optional EEPROM in a removable socket: this is the EEPROM that contains the magic string. Some devices shipped with a blank EEPROM already in the slot that you can program from the bootloader, others came with none.
## Programming Information
If the switch didn't come with a blank EEPROM already in the socket, you need to purchase one. They need to be `AT24C164` chips, the later revision `24LC16B` will not work. All US vendors I could find are out of these as they are old, [this](https://www.aliexpress.com/item/new-100-24C164-AT24C164-DIP-8/32858414375.html) is the only place I could find to order some. They will take 3 to 4 weeks to arrive, but they work.
For programming the strings into the EEPROM, it's possible to do it from the v7 bootloaders with the `i2cWriteByte` command, but it involves multiple commands.
You can also buy a cheap [EEPROM Programmer](https://www.amazon.com/gp/product/B013Q5P3ES) - see the EEPROM Programmer guide at the bottom of this page.
**Note:** These are raw HEX bytes (not ASCII) to be written starting at the beginning of the EEPROM. So your EEPROM programmer/contents should look like this:
![eeprom](store/eeprom.png)
## EEPROM Unlock Strings
### FCX Advanced Routing
The Brocade FCX was the last switch to use EEPROM based licensing - in fact, in the middle of its sales life, they added software based licensing. This means the FCX can be unlocked via an EEPROM, or via software license. The nice thing is every FCX seems to have come with a blank EEPROM in the socket already, so if you own one you can reboot into the bootloader and run the below to fully unlock it.
**Note:** Make sure you are running the latest bootloader, `grz10100` - earlier bootloaders had different I2C addresses and the below command would not work.
Enter the bootloader (when the switch is booting fresh, over a serial connection, smash the `b` key until you drop into the bootloader prompt) then run the following commands:
```
i2c write a 0 feedface00000200ffffffffffffffff 1
reset
```
The switch will reboot, and when it does, it will be licensed for advanced routing features (BGP, VRFs, tunnels, etc).
### FESX424 & FESX448 Layer 3 Routing Upgrade
```
FEEDFACE02000C00
```
You can program this into a new EEPROM that you've installed from a hidden OS console. Boot the switch fully, then, over a serial connection, press ctrl+y, let go, press m, then press enter. Now enter the following one line at a time:
```
i2cWriteByte 40 0 fe
i2cWriteByte 40 1 ed
i2cWriteByte 40 2 fa
i2cWriteByte 40 3 ce
i2cWriteByte 40 4 2
i2cWriteByte 40 5 0
i2cWriteByte 40 6 c
i2cWriteByte 40 7 0
reset
```
### SuperX Layer 3 Routing Upgrade
```
FEEDFACE09000C00
```
### FGS / FLS 24 & 48 Port Stack Upgrade
**Note:** The stack upgrade also came with upgraded RAM (256MB DIMM versus the stock 128MB). Stacking will not work on this older platform without 256MB of RAM, so do not use this code without it.
```
FEEDFACE01001000
```
You can program this into a new EEPROM that you've installed from a hidden OS console. Boot the switch fully, then, over a serial connection, press ctrl+y, let go, press m, then press enter. Now enter the following one line at a time:
```
i2cWriteByte 40 0 fe
i2cWriteByte 40 1 ed
i2cWriteByte 40 2 fa
i2cWriteByte 40 3 ce
i2cWriteByte 40 4 1
i2cWriteByte 40 5 0
i2cWriteByte 40 6 10
i2cWriteByte 40 7 0
reset
```
### FGS / FLS 24 & 48 Port Layer 3 Routing Upgrade
```
FEEDFACE01000100
```
You can program this into a new EEPROM that you've installed from a hidden OS console. Boot the switch fully, then, over a serial connection, press ctrl+y, let go, press m, then press enter. Now enter the following one line at a time:
```
i2cWriteByte 40 0 fe
i2cWriteByte 40 1 ed
i2cWriteByte 40 2 fa
i2cWriteByte 40 3 ce
i2cWriteByte 40 4 1
i2cWriteByte 40 5 0
i2cWriteByte 40 6 1
i2cWriteByte 40 7 0
reset
```
## Using the CH341A EEPROM Writer
If you want to burn blank EEPROM chips yourself, you can pick up a $10 [EEPROM Programmer](https://www.amazon.com/gp/product/B013Q5P3ES). This will be a brief guide on using it under Windows.
First download [this ZIP](https://fohdeesha.com/data/other/EEPROM.zip) which contains the driver, software, and EEPROM dumps. Extract the ZIP to an easy to find location like your desktop.
Put your EEPROM chip into the programmer socket - it should have a little picture silkscreened on the PCB showing you which direction to insert it. Once inserted, plug in the EEPROM Writer to a USB port - it will show up as an unrecognized device, you need to install the driver. Open up Device Manager and find it - it will be an Unknown Device with a yellow icon - then right click and hit update driver:
![eeprom](https://fohdeesha.com/data/other/eepromguide/eeprom%20install1.png)
In the following prompt, select **Browse my computer for driver software**:
![eeprom](https://fohdeesha.com/data/other/eepromguide/eeprom%20install2.png)
In the following prompt, browse to the folder you extracted from the ZIP, then select the Driver folder within it, then click OK/next:
![eeprom](https://fohdeesha.com/data/other/eepromguide/eeprom%20install3.png)
It should successfully install the driver, and you're good to go. Now launch the EEPROM programming software - in the **CH341A Programmer 1.29** folder, double click the executable named **Run Me**, and it will launch the software. Now just follow the instructions in the image below to program the EEPROM. When done, just close the program and remove the EEPROM writer from your PC.
![eeprom](https://fohdeesha.com/data/other/eepromguide/eepromguide.png)
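Review bot: the CH341A section has readers download `https://fohdeesha.com/data/other/EEPROM.zip` and install the driver inside it through Device Manager with no checksum or origin given, while `docs/fcx.md` in this same commit prints an MD5 next to its firmware ZIP; a kernel driver deserves at least the same treatment, so add a hash next to the link and note where the driver and the "CH341A Programmer 1.29" software come from, so readers can verify what they are installing. Also, given this commit is titled "fix directories", `![eeprom](store/eeprom.png)` in the Programming Information section is still a relative path while every other image in this file uses an absolute `https://fohdeesha.com/data/other/...` URL; check that it resolves after the move.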

91
docs/extract.md Normal file

@@ -0,0 +1,91 @@
# Extracting Licenses
**Note:** This is intended for those who are curious, or who have licenses you legitimately own installed on a switch, but have lost the original license files. This is for the ICX6xxx series and is unnecessary on the ICX7xxx series with honor-based licensing (no license files to lose).
When licenses are purchased and used to unlock a switch, the license string is stored on the switch. To extract licenses from a switch back to a license file, follow the below.
## For ARM Models
Thankfully on ARM architecture Brocade devices (ICX6430, ICX6450, any ICX7xxx or newer), you can extract any applied licenses without special JTAG hardware. Just use the **Accessing Linux** guide to boot into linux.
Now that you're booted into a linux shell: There is a `system` file in the `/fast_iron/sys/` directory which contains the license strings if the switch has been licensed:
```
cd /fast_iron/sys/
cat system
```
`cat`'ing the file, you'll get some strange characters with any present license strings buried inside (example strings randomly generated, not legit license strings):
```
LMLSk*B LoXskI065X5NfpQuE3SUCsnoadI656ajE:IIlOsgywL,UrHduINy6k5wz,:IlzS0r5S9w,sg69l0I848tL5m5SLUdf9dmIzkCtIIu5sRrL032UUNSsX6bfI6fXdkbeSE68uV?=2*B L2CrsQxIn9LdEa6NP5k10d2Rs8Tdf6l0dk0t:0jH9rSALukn99a9ygb1xIl0IdxEEssSNkUOvOPl0rosRxAtLLStLv0k22kv0lkkAXrrpM5rA0SuA6urzEIIdIaqMU20Me:p#%%%%?/ #
```
To easier discern where the license strings begin and end, you need to get the `system` file off the box and onto your desktop. Plug the management port into your network, then give the linux system a temporary IP:
```
ifconfig br0 192.168.1.56 netmask 255.255.255.0 up
```
Give it a default gateway as well:
```
route add default gw 192.168.1.1
```
Now assuming you're still in the `/fast_iron/sys/` directory, TFTP the file off the box onto your TFTP server:
```
tftp -p -l system 192.168.1.8
```
>Note: if you are running your TFTP server on linux, you need to create an empty file with this filename (system) in your tftp root directory, and chmod it with 777 so the switch can write to said empty file. Otherwise the switch will give a "file not found" error.
Open the downloaded file on your desktop with something like NotePad++, and it should look like [This](https://fohdeesha.com/data/other/system.png). License strings start with `*B ` and are followed by a string (note, there must be a space after `*B`), and the license string ends where the `NUL` characters begin.
So applying this knowledge, we can extract the following two licenses from that system file in the screenshot. You'll need to remove the newline after the `*B`, so the `*B` and then the string are on the same line. Make sure to leave a space between `*B` and the string as well:
```
#first license (example is randomly generated, not a legit license)
*B 9iCL80dHxLmvid3SxhIuk9zsalx630zHSpadlLlIfSTblqCSlSejIw5zibzBIyafEOvCrobl:OL8lwN4Rzd9zQCNIhsd,ASV0Bzgks5rlLMCwk,kA:mkdOCzZvVENVUluHX2
#second license (example is randomly generated, not a legit license)
*B pBNnASnpOSSmd55l:OUZUrU,5k8M5lLvOQCNuH6IUn:u:MbU0kSkNdrCCdIyEAIAki99zICC8dvA9LtnnLbwrAAy1OohuhnCkLb0dUHEv4xCInr:y8OBwLLso:,df3ORy5bd
```
Now you just need to stick those strings in an XML file, like `newlicense.xml` - Using the template below, you can see where to stick the license string. Note: No other fields in this file matter or are even checked, they can be left alone. Just insert the string into the `<licKey>` field:
```
<?xml version="1.0" encoding="ISO-8859-1"?>
<lic:licenseInfo xmlns:lic="http://license.brocade.com/licensefile">
<licenseHeader>
<serialNumber>dbuHKIIjMxI</serialNumber>
<productNumber>ICX6450-PREM-LIC-SW</productNumber>
<description>ICX6450-PREM-LIC-SW</description>
<version xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
<dateGenerated>20121212120317372</dateGenerated>
</licenseHeader>
<license>
<featureName>ICX6450-PREM-LIC-SW</featureName>
<featureVersion>dbuHKIIjMxI</featureVersion>
<licKey>*B 9iCL80dHxLmvid3SxhIuk9zsalx630zHSpadlLlIfSTblqCSlSejIw5zibzBIyafEOvCrobl:OL8lwN4Rzd9zQCNIhsd,ASV0Bzgks5rlLMCwk,kA:mkdOCzZvVENVUluHX2</licKey>
</license>
</lic:licenseInfo>
```
Now you have a backup of your legitimate license file just as you would receive from Brocade.
## For PowerPC Models
On PowerPC models (FCX, ICX6610) it is more complicated, as they do not run linux. These units store the license strings directly on raw system flash in random locations. To extract these strings, you pretty much have to open the switch, attach a JTAG unit (such as a BDI2000) to the JTAG header, and dump the entire switch flash to a file, then open it in a hex editor.
Once you have a file containing a dump of the entire onboard flash, and have opened it in a hex editor, you search it for the characters `*B` - you will eventually come across the license string(s) like so:
![lic strings](https://fohdeesha.com/data/other/ppclic.png)
There's our license string, starting with `*B` as always. So, extracted, it looks like this (again, not a real license):
```
*B 8:n,UyAs6b9TXB3sowQ81lk,oLxLdkH:L:SIhdOko0lOEoIeSMl4dspO898E::LlSdEutafAA,bvuzxlr2so2Uks92ObyrkMyI5:rAd25Edr29ICgkqd3a,iv:bukvbO:,eO
```
Interestingly, on PPC platforms, when a user deletes licenses from the switch, it does not remove these strings - it just moves them to another part of flash. I have purchased ICX6610's on ebay where the previous owner deleted all licenses, so it boots up unlicensed. However after dumping the flash via JTAG, I found perfectly legitimate license strings still in flash that I was able to extract.
#### PowerPC Models, Desperate Edition
If you have a non-linux based switch (eg ICX6610) and you REALLY want to extract the licenses, but have no JTAG unit, there's still a way to extract them. You need to connect to the switch over serial, and get into the bootloader. Use a program like putty, and configure it to log the serial session (in Putty, Session > Logging > select a filename/location and choose the "printable output" option).
Now run the following in the bootloader:
```
dd f4000000 8388608
```
It will start printing the raw flash contents line by line in your serial window, and putty will be logging it. This will take about 10 hours, so go to bed. In the morning, reboot the switch, and take a look at your putty log file. Search it for our `*B` string just like above, and you will eventually find your license strings.
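Review bot: the TFTP note tells readers to `chmod` the pre-created `system` file to 777; world write is more than the TFTP daemon needs, and on a shared host it lets any local user overwrite the uploaded license before the reader opens it. Chown the file to the user the TFTP daemon runs as and use 644 (or 664 with its group) instead. The same paragraph should also say that the `tftp -p -l system 192.168.1.8` transfer is unauthenticated cleartext: the page treats the license string as something worth recovering and backing up, so the copy should only be made over a trusted link rather than "your network" in general, as the text currently reads.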

286
docs/fcx.md Normal file

@@ -0,0 +1,286 @@
# Setting up Brocade FCX & ICX6610
**Note:** This page is for the FCX & ICX6610. If you have a different model, choose it from the lefthand menu.
## Updating The Software
Download the ZIP below, which contains the firmware files and documentation you'll need.
[```Brocade v8030 Firmware/Docu Zip```](http://fohdeesha.com/data/other/brocade/8030t.zip)
```SW version: 08030t```
```ZIP Updated: 03-21-2019```
```MD5: 6f4b1c6b2f1faf4c8c5d1f647b6505f2```
**Connect** to the switches serial/console port using a program like Putty (9600 8N1), and connect the dedicated management port to your network (do not use a "normal" port).
You need to set up a temporary TFTP server - I recommend [Tftpd32 Portable Edition](http://www.tftpd64.com/tftpd32_download.html) if you're on Windows and don't want to install anything. Point the server to an empty folder to serve files from. From the ZIP, copy the bootloader from the ```Boot``` folder into your tftp server directory. Then, from the ```Images``` folder, copy over the OS image to the same place. If you have a PoE model, copy over the PoE firmware from the `PoE Firmware` folder to your TFTP directory as well.
Power on the switch while watching your serial terminal - it will have a prompt saying ```Hit b to enter the boot monitor``` - press ```b``` quickly and you'll be dropped into the bootloader prompt, now we can upgrade the software. If you missed the prompt and it boots the OS instead, pull power and try again.
At the boot prompt, we need to give it a temporary IP in the subnet of your network, so it can talk to your TFTP server. This IP will not be used again after it leaves the bootloader. Replace the IP in the example below with an unused IP on your subnet:
```
ip address 192.168.1.50/24
```
Now we can update the bootloader. Replace the IP with the IP of your tftp server, and replace the filename with the name of the file you copied out of the boot folder if it differs:
```
copy tftp flash 192.168.1.49 grz10100.bin boot
```
After a few seconds it should finish, then we can flash the main OS. Replace the IP with the IP of your tftp server, and change the filename to match if necessary:
```
copy tftp flash 192.168.1.49 FCXR08030t.bin primary
```
It will take a little longer. When it finishes, we need to erase the current config & any passwords, then tell the switch to reboot into the full OS:
```
factory set-default
reset
```
**Note:** If you get an error stating `factory set-default` is not a valid command, this means your switch has a very old bootloader. To clear the existing passworded config in this case, do the following:
```
#only follow this section if factory set-default did not work
no password
boot
#it will boot the OS. Once booted:
enable
erase startup-config
reload
#it will boot fresh with a clear config, then you can move to the next section
```
**Note:** If your switch says that it is part of a stack even after doing the above, then you will need to unstack it before being able to configure and update it. You'll see several prompts when booting that it is a stack member and the command menu will show stack specific commands (ex: stack, simulate-non-stacking-unit). You can unstack your switch by running the following command:
```
stack unconfigure clean
# hit y at the prompt
```
You can then continue on to the below.
## Initial Configuration
Now that it's booted into the full OS you may get ***TFTP timed out*** errors in the console, this is normal. We'll fix that in the next section. Check that the version matches what you just flashed:
```
show version
```
Towards the top of the output, it should say ```SW: Version XX.X.XXX``` - it should be the v8 version you flashed.
Now to make any changes we must enter the enable level:
```
enable
```
To make configuration changes, we must then enter the configure CLI level:
```
configure terminal
```
Now tell it to generate an RSA keypair - this enables SSH access:
```
crypto key generate rsa
```
## Configuring Network Details
First we need to disable DHCP so it doesn't automatically grab an address and attempt to load a config via tftp, then reload so it takes effect:
```
ip dhcp-client disable
write memory
exit
reload
```
Once the switch comes back up, enter the configure terminal level and give the switch a friendly name:
```
enable
configure terminal
hostname intertubes
```
We need to give the switch an IP. By default, all ports are in VLAN 1, so it will behave like a typical switch. First we need to give VLAN 1 its own virtual interface:
```
vlan 1
router-interface ve 1
exit
```
Now we need to assign that virtual interface an address. Choose an IP that is unused in your subnet, and out of your DHCP server range (ping it first to be sure it's unused):
```
interface ve 1
ip address 192.168.1.2/24
exit
```
The switch now has an IP. **Unplug your ethernet cable from the isolated management port, and plug it into any of the normal ports on the front.** You can now telnet to it and no longer need serial access. It also supports SSH access, but you need to follow the rest of the guide first.
## Update PoE Firmware
If your switch is the PoE model, you need to update the PoE controller firmware. If it's a non-PoE model, skip this step. Assuming you completed the previous section and the switch now has in-band network access, just do the following:
```
exit
inline power install-firmware stack-unit 1 tftp 192.168.1.8 fcx_poeplus_02.1.0.b004.fw
#after a few seconds, hit enter to return to cli
#save changes you made from the previous section
write memory
#reload the switch
reload
#you'll probably get a message that it hasn't finished. it can take up to 10 minutes
#run "show log" occasionally to monitor the update progress
#try the "reload" command again once it's reached 100%
#once you've rebooted back into the OS:
enable
configure terminal
```
Now you have the latest PoE firmware, and can continue on.
## If Access Protection Is NOT Required
If you do **not** want to password protect access to the switch (you're using it in a lab), follow this section. If you'd like to password protect it, skip to the next section.
Allow SSH login with no passwords configured:
```
ip ssh permit-empty-passwd yes
```
## If Access Protection IS Required (or WEB-UI Access)
If you do want to secure access to the switch, or use the (limited) web UI, follow this section. If not, skip it.
To secure the switch, we need to create an account - "root" can be any username string you wish:
```
username root password yourpasshere
```
We also need to tell it to use our new local user account(s) to authorize attempts to log in, use the webpage, as well as attempts to enter the ```enable``` CLI level:
```
aaa authentication login default local
aaa authentication enable default local
aaa authentication web default local
```
If you wanted to use the WEB UI, you can now log into it using the credentials you created above.
You should enable authentication for telnet access as well:
```
enable telnet authentication
```
If your switch is outside of your home, or accessible by others in any way, telnet should be disabled entirely, and access to the serial console should also be password protected. Otherwise skip this step at your discretion:
```
no telnet server
enable aaa console
```
### OPTIONAL: Key Based SSH Access
If you have followed the above to set up authentication, and also wish to disable password-based SSH login and set up a key pair instead, follow this section. If not, skip it. Enable key login, and disable password login:
```
ip ssh key-authentication yes
ip ssh password-authentication no
```
Now we have to generate our key pair with [puttygen](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) on windows or ```ssh-keygen -t rsa``` on linux. The default settings of RSA @ 2048 bits works without issue. Generate the pair and save out both the public and private key.
Copy the public key file to your TFTP server. Then use the following command to import it into your switch:
```
ip ssh pub-key-file tftp 192.168.1.49 public.key
```
You shouldn't need to be told basic key management if you're following this section, but just in case - copy your private key to the proper location on the *nix machine you'll be SSH'ing from, or if you're on windows, load it using [pageant](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html). Now when you SSH to the switch, it will authenticate using your private key.
## Saving & Conclusions
Whenever you make changes (like above) they take effect immediately, however they are not saved to onboard flash. So if you reboot the switch, they will be lost. To permanently save them to onboard flash, use the following command:
```
write memory
```
Your switch now has a basic configuration, as well as an IP address you can telnet or SSH to for further configuration.
Some more useful general commands:
Show chassis information like fan and temperature status:
```
show chassis
```
Show a table of all interfaces:
```
show interface brief
```
To show one interface in detail:
```
show interfaces ethernet 1/1/1
#Also works for virtual interfaces:
show interfaces ve 1
```
Give a port a friendly name:
```
interface ethernet 1/1/1
port-name freenas
show interfaces brief ethernet 1/1/1
exit
```
Show the running configuration:
```
show run
```
Show the system log:
```
show log
```
To remove configuration options, put a ```no``` in front of them at the appropriate CLI level:
```
no hostname intertubes
```
## Tips
To exit the CLI level you are at, use `exit`. So assuming you are still at the ```configure terminal``` level, type the following to exit back to the ```enable``` level:
```
exit
```
Commands can also be shortened, as long as they are still unique. So to re-enter the configure terminal level, Instead of typing the entirety of ```configure terminal```, the following will also work:
```
conf t
```
There is also tab help and completion. To see all the commands available at the current CLI level, just hit tab. To see the options available for a certain command, just type that command (like ```ip```) then hit tab a couple times.
## Advanced Configuration
### Default Route & DNS
To give the switch a default route and a DNS server so it can reach external hostnames and IP's (to ping external servers or to update time via NTP etc), do the following. replace the IP with the IP of your gateway/router/etc. Assuming you are still at the ```configure terminal``` level:
```
ip dns server-address 192.168.1.1
ip route 0.0.0.0/0 192.168.1.1
```
### NTP
To have the switch keep its time synced via NTP (so its logs make more sense), use the following. If you live in an area that doesn't use Daylight Savings, skip the ```clock summer-time``` command. Use tab completion for the timezone command to see what's available. The IP's in the following example are google's NTP servers and work well for most cases:
```
clock summer-time
clock timezone gmt GMT-05
ntp
disable serve
server 216.239.35.0
server 216.239.35.4
exit
```
### SNMP
To quickly enable SNMPv2 (read only), follow the below. SNMP v3 is available but you'll have to refer to the included documentation:
```
snmp-server community public ro
```
### Saving
If you made any of the above extra changes, remember they have not been saved to onboard flash yet. Do so:
```
write memory
```
## SFP/Optics Information
Brocade does not restrict the use of optics by manufacturer, they'll take anything given it's the right protocol. However optical monitoring information is disabled unless it sees Brocade or Foundry optics.
So if you want to see information like this :
```
telnet@Route2(config)#sh optic 5
Port Temperature Tx Power Rx Power Tx Bias Current
+----+-----------+--------------+--------------+---------------+
5 32.7460 C -002.6688 dBm -002.8091 dBm 5.472 mA
Normal Normal Normal Normal
```
You'll need to pick up some official Brocade or Foundry optics on ebay, or buy some flashed optics from FiberStore.
### Thanks:
[**Fohdeesha**](http://fohdeesha.com/)
### Contributing:
The markdown source for these guides is hosted on [**my Github repo.**](https://github.com/Fohdeesha/lab-docu) If you have any suggested changes or additions feel free to submit a pull request.
```Documentation version:``` [ v1.8 (03-27-19)](https://github.com/Fohdeesha/lab-docu/commits/master)
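Review bot: the SNMP step `snmp-server community public ro` configures the widely known default community name; SNMPv2c sends the community string in the clear and the guide elsewhere uses a placeholder (`yourpasshere`) rather than a fixed secret, so have the reader choose their own string here too and say why. Two smaller points: the PoE firmware command uses TFTP server `192.168.1.8` while every other TFTP command in this file (`copy tftp flash 192.168.1.49 ...`, `ip ssh pub-key-file tftp 192.168.1.49 public.key`) uses `192.168.1.49`, which will trip readers who copy the lines verbatim; and by the time the access-protection section is reached SSH is already working (`crypto key generate rsa` is done in Initial Configuration), so `no telnet server` could be the default step rather than "at your discretion", since telnet would otherwise carry the credentials created in that section in plaintext.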

92
docs/firmware.md Normal file

@@ -0,0 +1,92 @@
# Extracting Brocade Firmware
Around the v8060 codetrain and above, Brocade seems to have moved to using the standard [FIT](https://xilinx-wiki.atlassian.net/wiki/spaces/A/pages/18842374/U-Boot+Images) image type for their firmware files. These contain the linux kernel, ramdisk, device tree, etc, all in a standard structure, so we can extract them. This is not an exhaustive or detailed guide, some knowledge of linux etc is assumed.
## Trim the firmware file
Brocade adds some Brocade-specific metadata in front of the FIT image, so it needs to be removed before FIT tools will recognize it. For most files it seems to be 512 bytes we need to remove:
```
dd if="SPR08080e.bin" of="trimmed.bin" bs=512 skip=1
```
For the newer "UFI" images (where they've combined the bootloader and OS in one file), it seems to usually be 1360 bytes:
```
dd if=SPR08091ufi.bin of="trimmed.bin" bs=1360 skip=1
```
However some images seem to need 1276 bytes removed:
```
dd if=TNR08091ufi.bin of="trimmed.bin" bs=1276 skip=1
```
To be sure, just open the firmware file with a [hex editor](https://mh-nexus.de/en/hxd/) and highlight and delete everything before the HEX values `D0 0D FE ED` (the FIT file should start with `D0 0D FE ED`)
Now install u-boot-tools:
```
apt install u-boot-tools
```
Debian 9 (and maybe others) have a very old uboot-tools version in the default repo, and does not come with the required dumpimage program. In that case, just manually install the recent tools:
```
wget http://ftp.us.debian.org/debian/pool/main/u/u-boot/u-boot-tools_2019.01+dfsg-7_amd64.deb
dpkg -i u-boot-tools_2019.01+dfsg-7_amd64.deb
```
Now use `dumpimage` to view a list of all the components in the firmware package:
```
dumpimage -l trimmed.bin
```
You'll get a list of everything in the package:
```
root@testing:~# dumpimage -l trimmed.bin
FIT description: Linux kernel and FDT blob
Created: Fri Jun 7 00:19:54 2019
Image 1 (fdt@1)
Description: ICX7650.dtb
Created: Fri Jun 7 00:19:54 2019
Type: Flat Device Tree
Compression: uncompressed
Data Size: 27517 Bytes = 26.87 KiB = 0.03 MiB
Architecture: AArch64
Load Address: 0x81200000
Hash algo: crc32
Hash value: fd8efcc8
Image 3 (ramdisk@1)
Description: Ramdisk -rootfs
Created: Fri Jun 7 00:19:54 2019
Type: RAMDisk Image
Compression: lzma compressed
Data Size: 57735137 Bytes = 56381.97 KiB = 55.06 MiB
Architecture: AArch64
OS: Linux
Load Address: 0x00000000
Entry Point: 0x00000000
Hash algo: crc32
Hash value: 0749eb07
-----trimmed-----
```
Choose a part to extract to a separate file, putting the image number after the `-p` argument.
**Note:** The `-T` argument must always be set to `-T flat_dt`, even if you are extracting a different image type, only change the `-p` number:
```
dumpimage -T flat_dt -p 3 -i trimmed.bin ramdisk.zip
```
The above example extracts the ramdisk from the above firmware file, which is the main filesystem for the switch. If you open up the resulting `ramdisk.zip` with 7zip or similar, you'll be able to explore the switch filesystem, including the interesting init scripts under `/etc/`:
![7zip](https://fohdeesha.com/data/other/7zip.png)
**Note:** Notice `FastIron.xz` - this is the FastIron binary that gets uncompressed and ran after Linux boots, and this is what provides the FastIron interface you're used to.
## Packaging Modifications
With the appropriate tools (such as `mkimage`) you can modify the filesystem/ramdisk, kernel, etc after extraction, and repackage them for flashing back to the switch. You will most likely need to update the checksum for the new FIT package in the brocade metadata. More info on packaging FIT images [here.](https://xilinx-wiki.atlassian.net/wiki/spaces/A/pages/18842374/U-Boot+Images)
## Bonus: Viewing FDTs
If you extract firmware device trees, like below for example:
```
dumpimage -T flat_dt -p 1 -i trimmed.bin ICX7650.bin
```
and want to see them in human-readable form, run the following:
```
apt install device-tree-compiler
fdtdump ICX7650.bin
```
You'll get a nice human-readable view of the device tree.
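Review bot: the `Hash algo: crc32` lines in the listing mean the sentence "You will most likely need to update the checksum for the new FIT package in the brocade metadata" is underspecified; it should say which checksum is meant (the per-image crc32 values the FIT listing shows, or a separate value in the Brocade metadata the sentence refers to) and how to recompute it, otherwise a reader repackaging a ramdisk cannot tell which value to change. It is also worth stating plainly that crc32 is an integrity check and not a signature: it says nothing about whether a firmware file you are about to flash was altered before it reached you, so the source of any image should be verified before it is unpacked and repackaged. Minor: `dumpimage -T flat_dt -p 3 -i trimmed.bin ramdisk.zip` writes an LZMA-compressed ramdisk (`Compression: lzma compressed` in the listing), not a zip archive; naming the output `ramdisk.lzma` would avoid confusion, and 7zip opens it either way.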

docs/hidden.md Normal file
@@ -0,0 +1,107 @@
# Hidden Brocade Dev Stuff
This is a collection of hidden tools, modes, and commands buried inside Brocade FastIron products.
## Hidden Commands
All Fastiron platforms have hidden CLI commands, with the biggest one being `dm`. The ```dm``` command is available (but hidden) for diagnostic use. Type ```dm``` and hit tab to see available options, like the below for example:
```
FCX3(config)#dm
HEX Number
802-1w show 802-1w internal information
aaa-acct-session
acl_tcam command for tcam manager
aging-loop Turn off/on system aging loop
allled Toggle -On/Off All LED
alt-diag Test only, off/on
app_vlan_debug App VLAN table (shadow)
auq-resync Sync Auq for a device
auq-status show auq status
badaddr Test only, will reboot
blink Show gig link changes due to PHY blink
buffer DMA CPU buffer related
cancel-flash-timeout set flash timeout to default
clear_boot_count Clear crash dump
cpld-reg-dump Dump the CPLD register
```
There's hundreds of other options. These are low level debug commands, so if you don't know what they do you can easily break your switch.
**Note:** There are most likely many other commands that are hidden so they do not show up under tab completion, like the commands above do. An example of some of these that I have managed to find are below:
```
dm license get
dm license exempt
dm license reset
dm license version
dm license vls
```
## Hidden OS Console
This only works over a serial connection. It will not work over telnet/ssh/etc. Connect to a FastIron device over serial, and once it's fully booted and running, press ```ctrl+y```, let go, then press ```m```. Then hit enter. It should drop you down to the OS console:
```
OS>
```
> Note: This is mainly for the PowerPC architecture switches (FCX, ICX6610). The ARM switches (ICX6450, ICX7xxx) still have this hidden console available, but it only has ~5 commands. For a proper low level CLI on ARM switches, use the *Accessing Linux* section.
Press the question mark on your keyboard for a list of all available options:
```
OS>
clear Clear internal table
console Attach console to a process
copy Copy file
daw Set data address watchpoint
dbg Toggle debug mode
dq Display memory in 64-bit quad word
dd Display memory in 32-bit double word
del Delete flash file
dir List flash files
----trimmed----
```
You'll note the options are nearly identical to what's available in the bootloader, except while the switch is fully booted and running. There's a couple extra options here too that aren't available in just the bootloader. To exit this mode, just hit ```ctrl+z```.
## Hidden Bootloader Modes
All the newer switches that run linux (ICX6450, ICX6650, ICX7xxx) use u-boot as the bootloader. However it runs in a very locked down mode with only a few commands available. Thankfully after contacting Arris (who own Ruckus, who now owns Brocade), they published their u-boot [source code](https://sourceforge.net/arris/wiki/Projects/).
From analyzing their u-boot source, we are able to find some hidden environment variables that will force the switch to boot into fully unlocked u-boot. To do so, run the following in the bootloader:
#### ICX6430 & ICX6450
```
setenv pp_init_enable 1
setenv diag_cmd_on 1
saveenv
reset
## it will reboot into fully unlocked u-boot
## set it back to normal
setenv pp_init_enable
setenv diag_cmd_on
saveenv
reset
```
#### ICX6650 & ICX7250 & ICX7450
```
setenv diag_mode_enable 1
saveenv
reset
## it will reboot into fully unlocked u-boot
## set it back to normal
setenv diag_mode_enable
saveenv
reset
```
#### ICX7650:
```
setenv diag_mode_on 1
saveenv
reset
## it will reboot into fully unlocked u-boot
## set it back to normal
setenv diag_mode_on
saveenv
reset
```
#### ICX7150, ICX7750, ICX7850
Unknown, but most likely one of the three above. If you try all three, make sure to undo each one (follow the `back to normal` bit) before moving onto the next attempt.
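Review bot: the "set it back to normal" steps depend on `setenv diag_mode_enable` with no value deleting the variable, but the text never says so; spell out that setenv without a value unsets it, and suggest `printenv` (where the locked-down prompt exposes it) before `saveenv` so the reader can confirm the variable is really gone. This matters most for the ICX7150/ICX7750/ICX7850 paragraph that tells people to try all three variable sets in turn: without checking, a leftover `pp_init_enable 1` or `diag_cmd_on 1` from an earlier attempt would be saved alongside the next one and the switch would keep coming up in the unlocked bootloader after the reader thinks it has been reverted. Separately, the Hidden OS Console section says the `ctrl+y` then `m` sequence works on any fully booted switch over serial but does not say whether it is gated by console authentication; since that console offers `copy`, `del` and `daw` (data address watchpoint), one sentence on what, if anything, protects it would help readers who install these switches where others can reach the serial port. Grammar nit: "There's hundreds of other options" should be "There are hundreds of other options".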

docs/icx64xx.md Normal file
@@ -0,0 +1,300 @@
# Setting up Brocade ICX6450
## Preparation
Download the ZIP below, which contains the firmware files and documentation you'll need.
[```Brocade v8030 Firmware/Docu Zip```](http://fohdeesha.com/data/other/brocade/8030t.zip)
```SW version: 08030t```
```ZIP Updated: 03-21-2019```
```MD5: 6f4b1c6b2f1faf4c8c5d1f647b6505f2```
**Connect** to the switches serial/console port on the front using a program like Putty (9600 8N1), and connect any of the normal switch ports to your network (do NOT use the dedicated management port).
You need to set up a temporary TFTP server - I recommend [Tftpd32 Portable Edition](http://www.tftpd64.com/tftpd32_download.html) if you're on Windows and don't want to install anything. Point the server to an empty folder to serve files from. From the ZIP, copy the bootloader from the ```Boot``` folder into your tftp server directory. Then, from the ```Images``` folder, copy over the OS image to the same place. If you have a PoE model, copy over the PoE firmware from the `PoE Firmware` folder to your TFTP directory as well.
Power on the switch while watching your serial terminal - start smashing the `b` key until you're dropped into the bootloader prompt, which looks like `ICX64XX-boot>>` . If you missed the prompt and it boots the OS instead, pull power and try again.
Now at the boot prompt, we tell the switch to clear all current configs and old keys, so it boots into a fresh state:
```
factory set-default
```
To confirm this action, you must send CAPITAL `Y` - sending a lowercase `y` will just make it abort.
Now just tell the switch to reboot:
```
reset
```
It will boot into the full OS and you can continue to the next section.
**Note:** If you get an error stating `factory set-default` is not a valid command, this means your switch has a very old bootloader. To clear the existing passworded config in this case, do the following:
```
#only follow this section if factory set-default did not work
no password
boot
#it will boot the OS. Once booted:
enable
erase startup-config
reload
#it will boot fresh with a clear config, then you can move to the next section
```
**Note:** If your switch says that it is part of a stack even after doing the above, then you will need to unstack it before being able to configure and update it. You'll see several prompts when booting that it is a stack member and the command menu will show stack specific commands (ex: stack, simulate-non-stacking-unit). You can unstack your switch by running the following command:
```
stack unconfigure clean
# hit y at the prompt
```
You can then continue on to the below.
## Initial Configuration & update
Now that it's booted into the full OS you may get ***TFTP timed out*** errors in the console, this is normal. just hit enter until they go away. We'll fix that in the next section. Now to make any changes we must enter the enable level:
```
enable
```
Now we enter the configure terminal level to make config changes:
```
configure terminal
```
Now we turn off the DHCP client, so it doesn't automatically grab an IP and look for a TFTP config (the cause of the earlier timeout messages):
```
ip dhcp-client disable
write memory
exit
```
>**Note:** If during the `ip dhcp-client disable` command you get an invalid input error, your switch probably came with the layer 2 only firmware loaded. In that case, just run `ip address 192.168.1.55/24` (replace the IP) - this will give it a temporary IP, so it can load the layer 3 firmware. Then skip down to the `Load The New Images` section below, and use those commands to copy in the latest layer 3 firmware and reload. Once the switch comes back up, **don't forget** to come back and follow this **Initial Configuration** section all the way through now that you have the proper firmware!
Now just reload the switch so it comes back up without an IP assigned to a port via DHCP:
```
reload
```
Once it's back up, enter the configure level again:
```
enable
configure terminal
```
We need to give it an IP so we can load the new firmware. By default, all ports are in VLAN 1, so it will behave like a typical switch. First we need to give VLAN 1 its own virtual interface:
```
vlan 1
router-interface ve 1
exit
```
Now we need to assign that virtual interface an address. Choose an IP that is unused in your subnet, and out of your DHCP server range (ping it first to be sure it's unused):
```
interface ve 1
ip address 192.168.1.55/24
exit
write mem
```
## Load The New Images
Now that the switch has an IP address, we can TFTP in the new images, then reload:
```
exit
copy tftp flash 192.168.1.8 kxz10105.bin bootrom
copy tftp flash 192.168.1.8 ICX64R08030t.bin primary
reload
```
>Note: if you skipped to this section because your switch had layer 2 firmware on it and a note in the previous section instructed you to, go back above and go through the whole **Initial Configuration & update** section once the switch finishes rebooting.
The switch will reload, loading the new software. Continue on to the **Configuration Details** section below.
## Configuration Details
Your switch should now be freshly booted with the latest layer 3 firmware image and bootloader. First give the switch a name:
```
enable
configure terminal
hostname intertubes
```
Now tell it to generate an RSA keypair - this is the first step to enable SSH access:
```
crypto key generate rsa
```
## Update PoE Firmware
If your switch is the PoE model, you need to update the PoE controller firmware. If it's a non-PoE model, skip this step. Assuming you completed the previous section and the switch now has in-band network access, just do the following:
**Note:** if you have the small C12 version of this switch, use the `icx64xxc12_poeplus_02.03.09.fw` file instead.
```
exit
inline power install-firmware stack-unit 1 tftp 192.168.1.8 icx64xx_poeplus_02.1.0.b004.fw
#after a few seconds, hit enter to return to cli
#save changes you made from the previous section
write memory
#reload the switch
reload
#you'll probably get a message that it hasn't finished. it can take up to 10 minutes
#run "show log" occasionally to monitor the update progress
#try the "reload" command again once it's reached 100%
#once you've rebooted back into the OS:
enable
configure terminal
```
Now you have the latest PoE firmware, and can continue on.
## If Access Protection Is NOT Required
If you do **not** want to password protect access to the switch (you're using it in a lab), follow this section. If you'd like to password protect it, skip to the next section.
Allow SSH login with no passwords configured:
```
ip ssh permit-empty-passwd yes
```
## If Access Protection IS Required (or WEB-UI Access)
If you do want to secure access to the switch, or use the (limited) web UI, follow this section. If not, skip it.
To secure the switch, we need to create an account - "root" can be any username string you wish:
```
username root password yourpasshere
```
We also need to tell it to use our new local user account(s) to authorize attempts to log in, use the webpage, as well as attempts to enter the ```enable``` CLI level:
```
aaa authentication login default local
aaa authentication enable default local
aaa authentication web default local
```
If you wanted to use the WEB UI, you can now log into it using the credentials you created above.
You should enable authentication for telnet access as well:
```
enable telnet authentication
```
If your switch is outside of your home, or accessible by others in any way, telnet should be disabled entirely, and access to the serial console should also be password protected. Otherwise skip this step at your discretion:
```
no telnet server
enable aaa console
```
### OPTIONAL: Key Based SSH Access
If you have followed the above to set up authentication, and also wish to disable password-based SSH login and set up a key pair instead, follow this section. If not, skip it. Enable key login, and disable password login:
```
ip ssh key-authentication yes
ip ssh password-authentication no
```
Now we have to generate our key pair with [puttygen](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) on windows or ```ssh-keygen -t rsa``` on linux. The default settings of RSA @ 2048 bits works without issue. Generate the pair and save out both the public and private key.
Copy the public key file to your TFTP server. Then use the following command to import it into your switch:
```
ip ssh pub-key-file tftp 192.168.1.49 public.key
```
You shouldn't need to be told basic key management if you're following this section, but just in case - copy your private key to the proper location on the *nix machine you'll be SSH'ing from, or if you're on windows, load it using [pageant](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html). Now when you SSH to the switch, it will authenticate using your private key.
## Saving & Conclusions
Whenever you make changes (like above) they take effect immediately, however they are not saved to onboard flash. So if you reboot the switch, they will be lost. To permanently save them to onboard flash, use the following command:
```
write memory
```
Your switch now has a basic configuration, as well as an IP address you can telnet or SSH to for further configuration.
Some more useful general commands:
Show chassis information like fan and temperature status:
```
show chassis
```
Show a table of all interfaces:
```
show interface brief
```
To show one interface in detail:
```
show interfaces ethernet 1/1/1
#Also works for virtual interfaces:
show interfaces ve 1
```
Give a port a friendly name:
```
interface ethernet 1/1/1
port-name freenas
show interfaces brief ethernet 1/1/1
exit
```
Show the running configuration:
```
show run
```
Show the system log:
```
show log
```
To remove configuration options, put a ```no``` in front of them at the appropriate CLI level:
```
no hostname intertubes
```
## Tips
To exit the CLI level you are at, use `exit`. So assuming you are still at the ```configure terminal``` level, type the following to exit back to the ```enable``` level:
```
exit
```
Commands can also be shortened, as long as they are still unique. So to re-enter the configure terminal level, Instead of typing the entirety of ```configure terminal```, the following will also work:
```
conf t
```
There is also tab help and completion. To see all the commands available at the current CLI level, just hit tab. To see the options available for a certain command, just type that command (like ```ip```) then hit tab a couple times.
## Advanced Configuration
### Default Route & DNS
To give the switch a default route and a DNS server so it can reach external hostnames and IP's (to ping external servers or to update time via NTP etc), do the following. replace the IP with the IP of your gateway/router/etc. Assuming you are still at the ```configure terminal``` level:
```
ip dns server-address 192.168.1.1
ip route 0.0.0.0/0 192.168.1.1
```
### NTP
To have the switch keep its time synced via NTP (so its logs make more sense), use the following. If you live in an area that doesn't use Daylight Savings, skip the ```clock summer-time``` command. Use tab completion for the timezone command to see what's available. The IP's in the following example are google's NTP servers and work well for most cases:
```
clock summer-time
clock timezone gmt GMT-05
ntp
disable serve
server 216.239.35.0
server 216.239.35.4
exit
```
### SNMP
To quickly enable SNMPv2 (read only), follow the below. SNMP v3 is available but you'll have to refer to the included documentation:
```
snmp-server community public ro
```
### Saving
If you made any of the above extra changes, remember they have not been saved to onboard flash yet. Do so:
```
write memory
```
## SFP/Optics Information
Brocade does not restrict the use of optics by manufacturer, they'll take anything given it's the right protocol. However optical monitoring information is disabled unless it sees Brocade or Foundry optics.
So if you want to see information like this :
```
telnet@Route2(config)#sh optic 5
Port Temperature Tx Power Rx Power Tx Bias Current
+----+-----------+--------------+--------------+---------------+
5 32.7460 C -002.6688 dBm -002.8091 dBm 5.472 mA
Normal Normal Normal Normal
```
You'll need to pick up some official Brocade or Foundry optics on ebay, or buy some flashed optics from FiberStore.
### Thanks:
[**Fohdeesha**](http://fohdeesha.com/)
### Contributing:
The markdown source for these guides is hosted on [**my Github repo.**](https://github.com/Fohdeesha/lab-docu) If you have any suggested changes or additions feel free to submit a pull request.
```Documentation version:``` [ v1.8 (03-06-19)](https://github.com/Fohdeesha/lab-docu/commits/master)
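Review bot: the order of operations in "OPTIONAL: Key Based SSH Access" can lock the reader out: `ip ssh key-authentication yes` and `ip ssh password-authentication no` are issued before the public key is imported with `ip ssh pub-key-file tftp 192.168.1.49 public.key`, so anyone doing this over SSH instead of serial, or whose TFTP import fails, is left with neither a working key nor password login. Reorder the section so the key is imported and a key-based login is tested from a second session before password authentication is disabled, and say that `write memory` should wait until that test succeeds. Two smaller points: the TFTP server is 192.168.1.8 everywhere else in this file (`copy tftp flash 192.168.1.8 kxz10105.bin bootrom`, the `inline power install-firmware` line) but 192.168.1.49 in the pub-key line, which looks like a copy-paste slip; and the SNMP example `snmp-server community public ro` uses the well-known default community name, which exposes read-only device information to anyone on the network who tries it, so the text should tell the reader to choose their own community string or use the SNMPv3 option it already mentions.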

docs/icx6650.md Normal file
@@ -0,0 +1,279 @@
# Setting up Brocade ICX6650
## Preparation
Download the ZIP below, which contains the firmware files and documentation you'll need.
[```Brocade v8030 Firmware/Docu Zip```](http://fohdeesha.com/data/other/brocade/8030t.zip)
```SW version: 08030t```
```ZIP Updated: 03-21-2019```
```MD5: 6f4b1c6b2f1faf4c8c5d1f647b6505f2```
**Connect** to the switches serial/console port on the rear using a program like Putty (9600 8N1), and connect the rear copper management port to your network.
You need to set up a temporary TFTP server - I recommend [Tftpd32 Portable Edition](http://www.tftpd64.com/tftpd32_download.html) if you're on Windows and don't want to install anything. Point the server to an empty folder to serve files from. From the ZIP, copy the bootloader from the ```Boot``` folder into your tftp server directory. Then, from the ```Images``` folder, copy over the OS image to the same place.
Power on the switch while watching your serial terminal - start smashing the `b` key until you're dropped into the bootloader prompt, which looks like `ICX6650-boot>>` . If you missed the prompt and it boots the OS instead, pull power and try again.
Now at the boot prompt, we tell the switch to clear all current configs and old keys, so it boots into a fresh state:
```
factory set-default
```
To confirm this action, you must send CAPITAL `Y` - sending a lowercase `y` will just make it abort.
Now just tell the switch to reboot:
```
reset
```
It will boot into the full OS and you can continue to the next section.
**Note:** If you get an error stating `factory set-default` is not a valid command, this means your switch has a very old bootloader. To clear the existing passworded config in this case, do the following:
```
#only follow this section if factory set-default did not work
no password
boot
#it will boot the OS. Once booted:
enable
erase startup-config
reload
#it will boot fresh with a clear config, then you can move to the next section
```
You can then continue on to the below.
## Initial Configuration & update
Now that it's booted into the full OS you may get ***TFTP timed out*** errors in the console, this is normal. just hit enter until they go away. We'll fix that in the next section. Now to make any changes we must enter the enable level:
```
enable
```
Now we enter the configure terminal level to make config changes:
```
configure terminal
```
Now we turn off the DHCP client, so it doesn't automatically grab an IP and look for a TFTP config (the cause of the earlier timeout messages):
```
ip dhcp-client disable
write memory
exit
```
>**Note:** If during the `ip dhcp-client disable` command you get an invalid input error, your switch probably came with the layer 2 only firmware loaded. In that case, just run `int ma 1` then `ip address 192.168.1.55/24` (replace the IP) - this will give it a temporary IP, so it can load the layer 3 firmware. Then skip down to the `Load The New Images` section below, and use those commands to copy in the latest layer 3 firmware and reload. Once the switch comes back up, **don't forget** to come back and follow this **Initial Configuration** section all the way through now that you have the proper firmware!
Now just reload the switch so it comes back up without an IP assigned to a port via DHCP:
```
reload
```
Once it's back up, enter the configure level again:
```
enable
configure terminal
```
We need to give the rear management port a temporary IP so it can load the new firmware:
```
int ma 1
ip addr 192.168.1.55/24
```
## Load The New Images
Now that the switch has an IP address, we can TFTP in the new images, then reload:
```
exit
copy tftp flash 192.168.1.8 fxz10101.bin bootrom
copy tftp flash 192.168.1.8 ICXR08030t.bin primary
reload
```
The switch will reload, loading the new software. Continue on to the **Configuration Details** section below.
## Configuration Details
Your switch should now be freshly booted with the latest layer 3 firmware image and bootloader. You will note we did not save our previous management interface configuration before rebooting, so it is now gone. If you plan on using the management port for access in production, just repeat those commands from the previous section to re-assign an IP to the dedicated management port.
However if you would like to assign an in-band IP address to the switch so you can access it from any of the regular ports, do the following. By default, all ports are in VLAN 1, so it will behave like a typical switch. First we need to give VLAN 1 its own virtual interface:
```
enable
conf t
vlan 1
router-interface ve 1
exit
```
Now we need to assign that virtual interface an address. Choose an IP that is unused in your subnet, and out of your DHCP server range (ping it first to be sure it's unused):
```
interface ve 1
ip address 192.168.1.55/24
exit
write mem
```
You can now access the switch (telnet, SSH, etc) via that IP when connected to any of the regular ports, not the dedicated management port. We can also give the switch a name:
```
hostname intertubes
```
Now tell it to generate an RSA keypair - this is the first step to enable SSH access:
```
crypto key generate rsa
```
## If Access Protection Is NOT Required
If you do **not** want to password protect access to the switch (you're using it in a lab), follow this section. If you'd like to password protect it, skip to the next section.
Allow SSH login with no passwords configured:
```
ip ssh permit-empty-passwd yes
```
## If Access Protection IS Required (or WEB-UI Access)
If you do want to secure access to the switch, or use the (limited) web UI, follow this section. If not, skip it.
To secure the switch, we need to create an account - "root" can be any username string you wish:
```
username root password yourpasshere
```
We also need to tell it to use our new local user account(s) to authorize attempts to log in, use the webpage, as well as attempts to enter the ```enable``` CLI level:
```
aaa authentication login default local
aaa authentication enable default local
aaa authentication web default local
```
If you wanted to use the WEB UI, you can now log into it using the credentials you created above.
You should enable authentication for telnet access as well:
```
enable telnet authentication
```
If your switch is outside of your home, or accessible by others in any way, telnet should be disabled entirely, and access to the serial console should also be password protected. Otherwise skip this step at your discretion:
```
no telnet server
enable aaa console
```
### OPTIONAL: Key Based SSH Access
If you have followed the above to set up authentication, and also wish to disable password-based SSH login and set up a key pair instead, follow this section. If not, skip it. Enable key login, and disable password login:
```
ip ssh key-authentication yes
ip ssh password-authentication no
```
Now we have to generate our key pair with [puttygen](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) on windows or ```ssh-keygen -t rsa``` on linux. The default settings of RSA @ 2048 bits works without issue. Generate the pair and save out both the public and private key.
Copy the public key file to your TFTP server. Then use the following command to import it into your switch:
```
ip ssh pub-key-file tftp 192.168.1.49 public.key
```
You shouldn't need to be told basic key management if you're following this section, but just in case - copy your private key to the proper location on the *nix machine you'll be SSH'ing from, or if you're on windows, load it using [pageant](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html). Now when you SSH to the switch, it will authenticate using your private key.
## Saving & Conclusions
Whenever you make changes (like above) they take effect immediately, however they are not saved to onboard flash. So if you reboot the switch, they will be lost. To permanently save them to onboard flash, use the following command:
```
write memory
```
Your switch now has a basic configuration, as well as an IP address you can telnet or SSH to for further configuration.
Some more useful general commands:
Show chassis information like fan and temperature status:
```
show chassis
```
Show a table of all interfaces:
```
show interface brief
```
To show one interface in detail:
```
show interfaces ethernet 1/1/1
#Also works for virtual interfaces:
show interfaces ve 1
```
Give a port a friendly name:
```
interface ethernet 1/1/1
port-name freenas
show interfaces brief ethernet 1/1/1
exit
```
Show the running configuration:
```
show run
```
Show the system log:
```
show log
```
To remove configuration options, put a ```no``` in front of them at the appropriate CLI level:
```
no hostname intertubes
```
## Tips
To exit the CLI level you are at, use `exit`. So assuming you are still at the ```configure terminal``` level, type the following to exit back to the ```enable``` level:
```
exit
```
Commands can also be shortened, as long as they are still unique. So to re-enter the configure terminal level, Instead of typing the entirety of ```configure terminal```, the following will also work:
```
conf t
```
There is also tab help and completion. To see all the commands available at the current CLI level, just hit tab. To see the options available for a certain command, just type that command (like ```ip```) then hit tab a couple times.
## Advanced Configuration
### Default Route & DNS
To give the switch a default route and a DNS server so it can reach external hostnames and IP's (to ping external servers or to update time via NTP etc), do the following. replace the IP with the IP of your gateway/router/etc. Assuming you are still at the ```configure terminal``` level:
```
ip dns server-address 192.168.1.1
ip route 0.0.0.0/0 192.168.1.1
```
### NTP
To have the switch keep its time synced via NTP (so its logs make more sense), use the following. If you live in an area that doesn't use Daylight Savings, skip the ```clock summer-time``` command. Use tab completion for the timezone command to see what's available. The IP's in the following example are google's NTP servers and work well for most cases:
```
clock summer-time
clock timezone gmt GMT-05
ntp
disable serve
server 216.239.35.0
server 216.239.35.4
exit
```
### SNMP
To quickly enable SNMPv2 (read only), follow the below. SNMP v3 is available but you'll have to refer to the included documentation:
```
snmp-server community public ro
```
### Saving
If you made any of the above extra changes, remember they have not been saved to onboard flash yet. Do so:
```
write memory
```
## SFP/Optics Information
Brocade does not restrict the use of optics by manufacturer, they'll take anything given it's the right protocol. However optical monitoring information is disabled unless it sees Brocade or Foundry optics.
So if you want to see information like this :
```
telnet@Route2(config)#sh optic 5
Port Temperature Tx Power Rx Power Tx Bias Current
+----+-----------+--------------+--------------+---------------+
5 32.7460 C -002.6688 dBm -002.8091 dBm 5.472 mA
Normal Normal Normal Normal
```
You'll need to pick up some official Brocade or Foundry optics on ebay, or buy some flashed optics from FiberStore.
### Thanks:
[**Fohdeesha**](http://fohdeesha.com/)
### Contributing:
The markdown source for these guides is hosted on [**my Github repo.**](https://github.com/Fohdeesha/lab-docu) If you have any suggested changes or additions feel free to submit a pull request.
```Documentation version:``` [ v1.1 (03-21-19)](https://github.com/Fohdeesha/lab-docu/commits/master)
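Review bot: `ip ssh password-authentication no` is given before `ip ssh pub-key-file tftp 192.168.1.49 public.key` imports a key, so a reader following the key-based section over SSH, or whose TFTP import fails, has no way in except the serial console; import and test the key first, then disable password login, then `write memory`. The TFTP address also silently changes from 192.168.1.8 (`copy tftp flash 192.168.1.8 fxz10101.bin bootrom`) to 192.168.1.49 in that one line. One ICX6650-specific gap: the temporary `int ma 1` / `ip addr 192.168.1.55/24` on the dedicated management port is deliberately left unsaved, and the later `interface ve 1` block assigns the in-band address the same 192.168.1.55/24; the "repeat those commands from the previous section" advice for production use of the management port should warn the reader to give the management port a different address than ve 1, or the two interfaces would be configured with the same IP. Finally, `snmp-server community public ro` should come with a reminder to pick a non-default community string rather than `public`.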

docs/icx7150.md Normal file
@@ -0,0 +1,303 @@
# Setting up Brocade ICX7150
## Preparation
Download the ZIP below, which contains the firmware files and documentation you'll need.
[```Brocade v8080 Firmware/Docu Zip```](http://fohdeesha.com/data/other/brocade/8080e.zip)
```SW version: 08080e```
```ZIP Updated: 10-29-2019```
```MD5: 0d9c19da7ab9c9e69596efc7235da27b```
**Connect** to the switches serial/console port on the front using a program like Putty (9600 8N1), and connect any of the normal switch ports to your network (do NOT use the dedicated management port).
**Note:** Aside from the usual RJ45 serial port, the ICX7150 also has a USB-C port. On this port, it has a built in USB to serial adapter, so you can plug the USB-C port directly into your PC, and it will then show up as a serial port. You will need to install the serial adapter driver from the `USB-C Serial Driver` folder.
You need to set up a temporary TFTP server - I recommend [Tftpd32 Portable Edition](http://www.tftpd64.com/tftpd32_download.html) if you're on Windows and don't want to install anything. Point the server to an empty folder to serve files from. From the ZIP, copy the bootloader from the ```Boot``` folder into your tftp server directory. Then, from the ```Images``` folder, copy over the OS image to the same place. If you have a PoE model, copy over the PoE firmware from the `PoE Firmware` folder to your TFTP directory as well.
Power on the switch while watching your serial terminal - start smashing the `b` key until you're dropped into the bootloader prompt, which looks like `ICX7150-Boot>` . If you missed the prompt and it boots the OS instead, pull power and try again.
Now at the boot prompt, we tell the switch to clear all current configs and old keys, so it boots into a fresh state:
```
factory set-default
```
To confirm this action, you must send CAPITAL `Y` - sending a lowercase `y` will just make it abort.
Now just tell the switch to reboot:
```
reset
```
It will boot into the full OS and you can continue to the next section.
## Initial Configuration & update
Now that it's booted into the full OS you may get ***TFTP timed out*** errors in the console, this is normal. just hit enter until they go away. We'll fix that in the next section. Now to make any changes we must enter the enable level:
```
enable
```
Now we enter the configure terminal level to make config changes:
```
configure terminal
```
Now we turn off the DHCP client, so it doesn't automatically grab an IP and look for a TFTP config (the cause of the earlier timeout messages):
```
ip dhcp-client disable
write memory
exit
```
>**Note:** If during the `ip dhcp-client disable` command you get an invalid input error, your switch probably came with the layer 2 only firmware loaded. In that case, just run `ip address 192.168.1.55/24` (replace the IP) - this will give it a temporary IP, so it can load the layer 3 firmware. Then skip down to the `Load The New Images` section below, and use those commands to copy in the latest layer 3 firmware and reload. Once the switch comes back up, **don't forget** to come back and follow this **Initial Configuration** section all the way through now that you have the proper firmware!
Now just reload the switch so it comes back up without an IP assigned to a port via DHCP:
```
reload
```
Once it's back up, enter the configure level again:
```
enable
configure terminal
```
We need to give it an IP so we can load the new firmware. By default, all ports are in VLAN 1, so it will behave like a typical switch. First we need to give VLAN 1 its own virtual interface:
```
vlan 1
router-interface ve 1
exit
```
Now we need to assign that virtual interface an address. Choose an IP that is unused in your subnet, and out of your DHCP server range (ping it first to be sure it's unused):
```
interface ve 1
ip address 192.168.1.55/24
exit
write mem
```
## Load The New Images
Now that the switch has an IP address, we can TFTP in the new images, then reload:
```
exit
copy tftp flash 192.168.1.8 mnz10114.bin bootrom
copy tftp flash 192.168.1.8 SPR08080e.bin primary
reload
```
>Note: if you skipped to this section because your switch had layer 2 firmware on it and a note in the previous section instructed you to, go back above and go through the whole **Initial Configuration & update** section once the switch finishes rebooting.
The switch will reload, loading the new software. Continue on to the **Configuration Details** section below.
## Configuration Details
Your switch should now be freshly booted with the latest layer 3 firmware image and bootloader. First give the switch a name:
```
enable
configure terminal
hostname intertubes
```
Now tell it to generate an RSA keypair - this is the first step to enable SSH access:
```
crypto key generate rsa
```
## Update PoE Firmware
Assuming you completed the previous section and the switch now has in-band network access, just do the following:
```
exit
inline power install-firmware stack-unit 1 tftp 192.168.1.8 icx7xxx_poe_02.1.1.b002.fw
#after a few seconds, hit enter to return to cli
#save changes you made from the previous section
write memory
#reload the switch
reload
#you'll probably get a message that it hasn't finished. it can take up to 10 minutes
#run "show log" occasionally to monitor the update progress
#try the "reload" command again once it's reached 100%
#once you've rebooted back into the OS:
enable
configure terminal
```
Now you have the latest PoE firmware, and can continue on.
## If Access Protection Is NOT Required
If you do **not** want to password protect access to the switch (you're using it in a lab), follow this section. If you'd like to password protect it, skip to the next section.
Allow SSH login with no passwords configured:
```
ip ssh permit-empty-passwd yes
```
## If Access Protection IS Required (or WEB-UI Access)
If you do want to secure access to the switch, or use the (limited) web UI, follow this section. If not, skip it.
To secure the switch, we need to create an account - "root" can be any username string you wish:
```
username root password yourpasshere
```
We also need to tell it to use our new local user account(s) to authorize attempts to log in, use the webpage, as well as attempts to enter the ```enable``` CLI level:
```
aaa authentication login default local
aaa authentication enable default local
aaa authentication web default local
```
If you wanted to use the WEB UI, you can now log into it using the credentials you created above.
You should enable authentication for telnet access as well:
```
enable telnet authentication
```
If your switch is outside of your home, or accessible by others in any way, telnet should be disabled entirely, and access to the serial console should also be password protected. Otherwise skip this step at your discretion:
```
no telnet server
enable aaa console
```
### OPTIONAL: Key Based SSH Access
If you have followed the above to set up authentication, and also wish to disable password-based SSH login and set up a key pair instead, follow this section. If not, skip it. Enable key login, and disable password login:
```
ip ssh key-authentication yes
ip ssh password-authentication no
```
Now we have to generate our key pair with [puttygen](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) on windows or ```ssh-keygen -t rsa``` on linux. The default settings of RSA @ 2048 bits works without issue. Generate the pair and save out both the public and private key.
Copy the public key file to your TFTP server. Then use the following command to import it into your switch:
```
ip ssh pub-key-file tftp 192.168.1.49 public.key
```
You shouldn't need to be told basic key management if you're following this section, but just in case - copy your private key to the proper location on the *nix machine you'll be SSH'ing from, or if you're on windows, load it using [pageant](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html). Now when you SSH to the switch, it will authenticate using your private key.
## License The Switch
Run the following to unlock all the features of the switch (10gbE ports, advanced routing, etc). If you are using this switch in a commercial setting or to make money, please purchase a license entitlement from Ruckus.
```
exit
license install perpetual 1 2x10gr
conf t
int e 1/3/1 to 1/3/2
no speed-duplex 1000-full
exit
write mem
exit
reload
```
The switch will reload, and the 10gbE ports and everything else will now be functional.
## Saving & Conclusions
Whenever you make changes (like above) they take effect immediately, however they are not saved to onboard flash. So if you reboot the switch, they will be lost. To permanently save them to onboard flash, use the `write memory` command. To do so, you must be at the `enable` level or higher.
**Note:** Since you did a `write memory` in the previous section before reloading the switch, there are no changes to save. But just for practice:
```
enable
write memory
```
Your switch now has a basic configuration, as well as an IP address you can telnet or SSH to for further configuration.
Some more useful general commands:
Show chassis information like fan and temperature status:
```
show chassis
```
Show a table of all interfaces:
```
show interface brief
```
To show one interface in detail:
```
show interfaces ethernet 1/1/1
#Also works for virtual interfaces:
show interfaces ve 1
```
Give a port a friendly name:
```
interface ethernet 1/1/1
port-name freenas
show interfaces brief ethernet 1/1/1
exit
```
Show the running configuration:
```
show run
```
Show the system log:
```
show log
```
To remove configuration options, put a ```no``` in front of them at the appropriate CLI level:
```
no hostname intertubes
```
## Tips
To exit the CLI level you are at, use `exit`. So assuming you are still at the ```configure terminal``` level, type the following to exit back to the ```enable``` level:
```
exit
```
Commands can also be shortened, as long as they are still unique. So to re-enter the configure terminal level, Instead of typing the entirety of ```configure terminal```, the following will also work:
```
conf t
```
There is also tab help and completion. To see all the commands available at the current CLI level, just hit tab. To see the options available for a certain command, just type that command (like ```ip```) then hit tab a couple times.
## Advanced Configuration
### Default Route & DNS
To give the switch a default route and a DNS server so it can reach external hostnames and IP's (to ping external servers or to update time via NTP etc), do the following. replace the IP with the IP of your gateway/router/etc. Assuming you are still at the ```configure terminal``` level:
```
ip dns server-address 192.168.1.1
ip route 0.0.0.0/0 192.168.1.1
```
### NTP
To have the switch keep its time synced via NTP (so its logs make more sense), use the following. If you live in an area that doesn't use Daylight Savings, skip the ```clock summer-time``` command. Use tab completion for the timezone command to see what's available. The IP's in the following example are google's NTP servers and work well for most cases:
```
clock summer-time
clock timezone gmt GMT-05
ntp
disable serve
server 216.239.35.0
server 216.239.35.4
exit
```
### SNMP
To quickly enable SNMPv2 (read only), follow the below. SNMP v3 is available but you'll have to refer to the included documentation:
```
snmp-server community public ro
```
### Saving
If you made any of the above extra changes, remember they have not been saved to onboard flash yet. Do so:
```
write memory
```
## SFP/Optics Information
Brocade does not restrict the use of optics by manufacturer, they'll take anything given it's the right protocol. However optical monitoring information is disabled unless it sees Brocade or Foundry optics.
So if you want to see information like this :
```
telnet@Route2(config)#sh optic 5
Port Temperature Tx Power Rx Power Tx Bias Current
+----+-----------+--------------+--------------+---------------+
5 32.7460 C -002.6688 dBm -002.8091 dBm 5.472 mA
Normal Normal Normal Normal
```
You'll need to pick up some official Brocade or Foundry optics on ebay, or buy some flashed optics from FiberStore.
### Thanks:
[**Fohdeesha**](http://fohdeesha.com/)
### Contributing:
The markdown source for these guides is hosted on [**my Github repo.**](https://github.com/Fohdeesha/lab-docu) If you have any suggested changes or additions feel free to submit a pull request.
```Documentation version:``` [ v1.8 (10-29-19)](https://github.com/Fohdeesha/lab-docu/commits/master)
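Review bot: the TFTP address in the key-import step does not match the rest of the guide: `ip ssh pub-key-file tftp 192.168.1.49 public.key` uses 192.168.1.49, while every other TFTP transfer (`copy tftp flash 192.168.1.8 ...`, `inline power install-firmware stack-unit 1 tftp 192.168.1.8 ...`) uses 192.168.1.8, so a reader pasting the line verbatim gets a TFTP timeout. In the same section, `ip ssh password-authentication no` is issued before the public key is imported; ordering the import first avoids a window where SSH accepts neither method. The SNMP section also uses the well-known default community in `snmp-server community public ro`; suggest telling the reader to pick their own string, since anyone on the subnet who tries `public` gets read access to the switch's interface and configuration data.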

303
docs/icx7250.md Normal file

@@ -0,0 +1,303 @@
# Setting up Brocade ICX7250 & ICX7450
## Preparation
Download the ZIP below, which contains the firmware files and documentation you'll need. The ICX7250 and ICX7450 run the same PoE firmware, bootloader, and OS image so this guide can be used for either.
[```Brocade v8080 Firmware/Docu Zip```](http://fohdeesha.com/data/other/brocade/8080e.zip)
```SW version: 08080e```
```ZIP Updated: 10-29-2019```
```MD5: 0d9c19da7ab9c9e69596efc7235da27b```
**Connect** to the switches serial/console port on the front using a program like Putty (9600 8N1), and connect any of the normal switch ports to your network (do NOT use the dedicated management port).
You need to set up a temporary TFTP server - I recommend [Tftpd32 Portable Edition](http://www.tftpd64.com/tftpd32_download.html) if you're on Windows and don't want to install anything. Point the server to an empty folder to serve files from. From the ZIP, copy the bootloader from the ```Boot``` folder into your tftp server directory. Then, from the ```Images``` folder, copy over the OS image to the same place. If you have a PoE model, copy over the PoE firmware from the `PoE Firmware` folder to your TFTP directory as well.
Power on the switch while watching your serial terminal - start smashing the `b` key until you're dropped into the bootloader prompt, which looks like `ICX7250-Boot>` . If you missed the prompt and it boots the OS instead, pull power and try again.
Now at the boot prompt, we tell the switch to clear all current configs and old keys, so it boots into a fresh state:
```
factory set-default
```
To confirm this action, you must send CAPITAL `Y` - sending a lowercase `y` will just make it abort.
Now just tell the switch to reboot:
```
reset
```
It will boot into the full OS and you can continue to the next section.
## Initial Configuration & update
Now that it's booted into the full OS you may get ***TFTP timed out*** errors in the console, this is normal. just hit enter until they go away. We'll fix that in the next section. Now to make any changes we must enter the enable level:
```
enable
```
Now we enter the configure terminal level to make config changes:
```
configure terminal
```
Now we turn off the DHCP client, so it doesn't automatically grab an IP and look for a TFTP config (the cause of the earlier timeout messages):
```
ip dhcp-client disable
write memory
exit
```
>**Note:** If during the `ip dhcp-client disable` command you get an invalid input error, your switch probably came with the layer 2 only firmware loaded. In that case, just run `ip address 192.168.1.55/24` (replace the IP) - this will give it a temporary IP, so it can load the layer 3 firmware. Then skip down to the `Load The New Images` section below, and use those commands to copy in the latest layer 3 firmware and reload. Once the switch comes back up, **don't forget** to come back and follow this **Initial Configuration** section all the way through now that you have the proper firmware!
Now just reload the switch so it comes back up without an IP assigned to a port via DHCP:
```
reload
```
Once it's back up, enter the configure level again:
```
enable
configure terminal
```
We need to give it an IP so we can load the new firmware. By default, all ports are in VLAN 1, so it will behave like a typical switch. First we need to give VLAN 1 its own virtual interface:
```
vlan 1
router-interface ve 1
exit
```
Now we need to assign that virtual interface an address. Choose an IP that is unused in your subnet, and out of your DHCP server range (ping it first to be sure it's unused):
```
interface ve 1
ip address 192.168.1.55/24
exit
write mem
```
## Load The New Images
Now that the switch has an IP address, we can TFTP in the new images, then reload:
```
exit
copy tftp flash 192.168.1.8 spz10114.bin bootrom
copy tftp flash 192.168.1.8 SPR08080e.bin primary
reload
```
>Note: if you skipped to this section because your switch had layer 2 firmware on it and a note in the previous section instructed you to, go back above and go through the whole **Initial Configuration & update** section once the switch finishes rebooting.
The switch will reload, loading the new software. Continue on to the **Configuration Details** section below.
## Configuration Details
Your switch should now be freshly booted with the latest layer 3 firmware image and bootloader. First give the switch a name:
```
enable
configure terminal
hostname intertubes
```
Now tell it to generate an RSA keypair - this is the first step to enable SSH access:
```
crypto key generate rsa
```
## Update PoE Firmware
If your switch is the PoE model, you need to update the PoE controller firmware. If it's a non-PoE model, skip this step. Assuming you completed the previous section and the switch now has in-band network access, just do the following:
```
exit
inline power install-firmware stack-unit 1 tftp 192.168.1.8 icx7xxx_poe_02.1.1.b002.fw
#after a few seconds, hit enter to return to cli
#save changes you made from the previous section
write memory
#reload the switch
reload
#you'll probably get a message that it hasn't finished. it can take up to 10 minutes
#run "show log" occasionally to monitor the update progress
#try the "reload" command again once it's reached 100%
#once you've rebooted back into the OS:
enable
configure terminal
```
Now you have the latest PoE firmware, and can continue on.
## If Access Protection Is NOT Required
If you do **not** want to password protect access to the switch (you're using it in a lab), follow this section. If you'd like to password protect it, skip to the next section.
Allow SSH login with no passwords configured:
```
ip ssh permit-empty-passwd yes
```
## If Access Protection IS Required (or WEB-UI Access)
If you do want to secure access to the switch, or use the (limited) web UI, follow this section. If not, skip it.
To secure the switch, we need to create an account - "root" can be any username string you wish:
```
username root password yourpasshere
```
We also need to tell it to use our new local user account(s) to authorize attempts to log in, use the webpage, as well as attempts to enter the ```enable``` CLI level:
```
aaa authentication login default local
aaa authentication enable default local
aaa authentication web default local
```
If you wanted to use the WEB UI, you can now log into it using the credentials you created above.
You should enable authentication for telnet access as well:
```
enable telnet authentication
```
If your switch is outside of your home, or accessible by others in any way, telnet should be disabled entirely, and access to the serial console should also be password protected. Otherwise skip this step at your discretion:
```
no telnet server
enable aaa console
```
### OPTIONAL: Key Based SSH Access
If you have followed the above to set up authentication, and also wish to disable password-based SSH login and set up a key pair instead, follow this section. If not, skip it. Enable key login, and disable password login:
```
ip ssh key-authentication yes
ip ssh password-authentication no
```
Now we have to generate our key pair with [puttygen](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) on windows or ```ssh-keygen -t rsa``` on linux. The default settings of RSA @ 2048 bits works without issue. Generate the pair and save out both the public and private key.
Copy the public key file to your TFTP server. Then use the following command to import it into your switch:
```
ip ssh pub-key-file tftp 192.168.1.49 public.key
```
You shouldn't need to be told basic key management if you're following this section, but just in case - copy your private key to the proper location on the *nix machine you'll be SSH'ing from, or if you're on windows, load it using [pageant](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html). Now when you SSH to the switch, it will authenticate using your private key.
## License The Switch (ICX7250)
Run the following to unlock all the features of the switch (10gbE ports, advanced routing, etc). If you are using this switch in a commercial setting or to make money, please purchase a license entitlement from Ruckus.
```
exit
license install perpetual 1 8x10g
license install perpetual 1 l3-prem
conf t
interface ethernet 1/2/1 to 1/2/8
no speed-duplex 1000-full
exit
write mem
exit
reload
```
The switch will reload, and the 10gbE ports and everything else will now be functional.
## License The Switch (ICX7450)
TBD
## Saving & Conclusions
Whenever you make changes (like above) they take effect immediately, however they are not saved to onboard flash. So if you reboot the switch, they will be lost. To permanently save them to onboard flash, use the `write memory` command. To do so, you must be at the `enable` level or higher.
**Note:** Since you did a `write memory` in the previous section before reloading the switch, there are no changes to save. But just for practice:
```
enable
write memory
```
Your switch now has a basic configuration, as well as an IP address you can telnet or SSH to for further configuration.
Some more useful general commands:
Show chassis information like fan and temperature status:
```
show chassis
```
Show a table of all interfaces:
```
show interface brief
```
To show one interface in detail:
```
show interfaces ethernet 1/1/1
#Also works for virtual interfaces:
show interfaces ve 1
```
Give a port a friendly name:
```
interface ethernet 1/1/1
port-name freenas
show interfaces brief ethernet 1/1/1
exit
```
Show the running configuration:
```
show run
```
Show the system log:
```
show log
```
To remove configuration options, put a ```no``` in front of them at the appropriate CLI level:
```
no hostname intertubes
```
## Tips
To exit the CLI level you are at, use `exit`. So assuming you are still at the ```configure terminal``` level, type the following to exit back to the ```enable``` level:
```
exit
```
Commands can also be shortened, as long as they are still unique. So to re-enter the configure terminal level, Instead of typing the entirety of ```configure terminal```, the following will also work:
```
conf t
```
There is also tab help and completion. To see all the commands available at the current CLI level, just hit tab. To see the options available for a certain command, just type that command (like ```ip```) then hit tab a couple times.
## Advanced Configuration
### Default Route & DNS
To give the switch a default route and a DNS server so it can reach external hostnames and IP's (to ping external servers or to update time via NTP etc), do the following. replace the IP with the IP of your gateway/router/etc. Assuming you are still at the ```configure terminal``` level:
```
ip dns server-address 192.168.1.1
ip route 0.0.0.0/0 192.168.1.1
```
### NTP
To have the switch keep its time synced via NTP (so its logs make more sense), use the following. If you live in an area that doesn't use Daylight Savings, skip the ```clock summer-time``` command. Use tab completion for the timezone command to see what's available. The IP's in the following example are google's NTP servers and work well for most cases:
```
clock summer-time
clock timezone gmt GMT-05
ntp
disable serve
server 216.239.35.0
server 216.239.35.4
exit
```
### SNMP
To quickly enable SNMPv2 (read only), follow the below. SNMP v3 is available but you'll have to refer to the included documentation:
```
snmp-server community public ro
```
### Saving
If you made any of the above extra changes, remember they have not been saved to onboard flash yet. Do so:
```
write memory
```
## SFP/Optics Information
Brocade does not restrict the use of optics by manufacturer, they'll take anything given it's the right protocol. However optical monitoring information is disabled unless it sees Brocade or Foundry optics.
So if you want to see information like this :
```
telnet@Route2(config)#sh optic 5
Port Temperature Tx Power Rx Power Tx Bias Current
+----+-----------+--------------+--------------+---------------+
5 32.7460 C -002.6688 dBm -002.8091 dBm 5.472 mA
Normal Normal Normal Normal
```
You'll need to pick up some official Brocade or Foundry optics on ebay, or buy some flashed optics from FiberStore.
### Thanks:
[**Fohdeesha**](http://fohdeesha.com/)
### Contributing:
The markdown source for these guides is hosted on [**my Github repo.**](https://github.com/Fohdeesha/lab-docu) If you have any suggested changes or additions feel free to submit a pull request.
```Documentation version:``` [ v1.8 (10-29-19)](https://github.com/Fohdeesha/lab-docu/commits/master)
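Review bot: the `License The Switch (ICX7450)` section is a bare `TBD` even though the title and the Preparation paragraph say this guide covers the ICX7450; either fill it in or state up front that ICX7450 licensing is not yet documented, so a reader does not run the ICX7250 commands (`license install perpetual 1 8x10g`, `interface ethernet 1/2/1 to 1/2/8`) on the other model. The 192.168.1.49 vs 192.168.1.8 TFTP address mismatch in `ip ssh pub-key-file tftp 192.168.1.49 public.key` and the default `public` SNMP community are carried over from the ICX7150 page unchanged; since the two files are otherwise near-identical from `Initial Configuration & update` onward, a fix in one should be applied to both.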

7
docs/index.md Normal file

@@ -0,0 +1,7 @@
# Welcome
This is the home of all public documentation by Jon Sands. Originally planned as documentation to share amongst [FBOM](http://fbom.club/) members, it has become more useful on [STH](https://forums.servethehome.com/index.php?threads/brocade-icx6450-icx6610-etc.21107/). Pull requests to the [github repo](https://github.com/Fohdeesha/lab-docu) are always welcome.
Other documentation I have written:
- [Brokeaid Crossflashing](http://brokeaid.com/)
- [Xen Orchestra](https://xen-orchestra.com/docs/)

103
docs/jtag.md Normal file

@@ -0,0 +1,103 @@
# PowerPC JTAG Recovery (LB6M)
This is a brief guide to recover corrupt bootloaders on PowerPC 85xx switches (LB6M) using a BDI2000.
## Preparation
Start by downloading [this ZIP](http://fohdeesha.com/data/other/jtag-recovery.zip).
Put all the files from the zip into the root of your TFTP server - the JTAG unit has been preprogrammed to look for a TFTP server at the address you specified before the unit was shipped - make sure said TFTP server is running with above files before powering the BDI2000.
**Note:** If you are attempting this with your own BDI2000 and need the appropriate MPC85xx BDI firmware, contact me via [GitHub](https://github.com/Fohdeesha) or [STH](https://forums.servethehome.com/index.php?threads/brocade-icx-series-cheap-powerful-10gbe-40gbe-switching.21107/).
If the TFTP server is running on linux, you need to create an empty file in the TFTP root called `badboot.bin` - and give it write permission by running `CHMOD 777 badboot.bin` - this allows the JTAG unit to write to this file. if you are using a windows TFTP server, this shouldn't be necessary.
## Connections
If you are outside the US, please plug the power brick into the wall first WITHOUT CONNECTING IT TO THE BDI2000! This is to test the power adapter, if it blows up from 220 volts, it won't take the BDI2000 with it.
If you plug it into the wall and nothing happens (it shouldn't), unplug it from the wall. Now plug your ethernet cable into the BDI2000 (which should still be powered off).
Now plug in the power supply to the BDI2000. Be gentle and make sure the key on the plug is facing the correct way - I had to hack up that power supply out of parts as it did not come with one.
Once you are sure it is plugged in correctly, and it is also connected to your network via ethernet, plug the power brick into an outlet - the BDI2000 should power up.
Using a telnet capable program like putty, telnet to the BDI2000 unit - it has been preconfigured with the IP you specified before shipping - You should get output like the below, saying it's waiting for a target:
```
TARGET: waiting for target Vcc
TARGET: waiting for target Vcc
TARGET: waiting for target Vcc
```
Now you must connect the BDI2000 to the LB6M. Make sure the switch is unplugged and powered off! Find the 16-pin JTAG header on the switch. On the JTAG header, `1` should be printed on one side of the header to indicate pin number 1. Find which side of the header that `1` is on.
Plug in the cable so pin #1 is on the left side, like this:
![bdi-pins](http://fohdeesha.com/data/other/bdipins.jpg)
On an LB6M, the connection should look like this:
![bdi-lb6m](http://fohdeesha.com/data/other/bdilb6m.jpg)
Now that everything is plugged in and the BDI2000 is powered, power up the switch.
**Startup Order Summary:**
1. Connect ethernet to the BDI2000
2. Connect the power brick to the BDI2000
3. Connect the BDI2000 to the switch JTAG header
4. Power on the switch
## JTAG Commands
When the switch powers up, you should get some new output in your telnet connection to the unit, similar to the below:
```
- TARGET: resetting target passed
- TARGET: processing target startup ....
- TARGET: processing target startup passed
```
Make sure you got `processing target startup passed` at the end, this means the CPU is successfully halted. Test the JTAG session by reading the beginning bootloader area of flash:
```
md 0xfff80000
```
Depending on how corrupt your bootloader area is, you should see something that looks similar to the u-boot or brocade beginning contents below (might not match exactly, depending on what bootloader you are running):
```
fff80000: 4d554348 02057be5 0005a2d6 00004058 MUCH..{.......@X
fff80010: 00000000 00012f2c 0004d880 00600028 ....../,.....`.(
fff80020: 00030030 0004ffff ffffffff 00000000 ...0............
fff80030: 4e6ab6ae 07030000 74727a30 37333030 Nj......trz07300
```
If you get something similar to above, the JTAG session is working.
Now we tell it to copy the corrupted flash bootloader to a file on your TFTP server named `badboot.bin` - this is an important step as it will let me see exactly what in the bootloader got corrupted:
```
dump 0xfff80000 0x00080000 badboot.bin
```
>Note: if you get an error here, it is most likely related to TFTP permissions (it can't write the file on your TFTP server). See the intro paragraph for linux TFTP permission information.
Once that finishes, we can write the new bootloader. First we must erase the bootloader section of flash properly before we can write to it:
```
erase 0xfff80000 0x20000 4
```
Now we copy the bootloader from the TFTP server to onboard flash:
```
prog 0xfff80000 brocadeboot.bin bin
```
When that finishes, connect a serial console cable to the LB6M switch (while it is still running and connected to JTAG). Open up a serial program so you can watch it's output. We will tell the switch to reset and run like normal (run the following command in the JTAG telnet console):
```
reset run
```
The switch should boot normally and you should see it's usual boot text in your serial console.
>If you don't see any text in your serial window and the switch seems like it's still bricked, Unplug the switch power, then plug it back in, then follow the above erasing and flashing steps again as you must have skipped something.
Once you have confirmed it has booted succesfully - unplug/power off the switch - do not run it for very long with the top off - once the ASIC is initialized it gets VERY hot without any airflow being forced over it.
>This is not an issue when initially booting the switch with JTAG, as the CPU is halted before it has a chance to bring the ASIC online. It is only once the switch boots successfully in which it will begin heating.
Unplug the switch power first! When the switch is off and powered down, then unplug the power cable from the BDI2000, then disconnect it from the JTAG header, and you are done. **PLEASE SEND ME THE badboot.bin FILE FROM YOUR TFTP SERVER!** This will allow me to see exactly what got corrupted on your switch.
**Shutdown Order Summary:**
1. Power down the switch (unplug power)
2. Power down the BDI2000 (unplug power brick)
3. Disconnect the BDI2000 16 pin cable from the JTAG header
Put the switch cover back on. Now that your switch is booting into the bootloader, you can go and follow the [flashing guide](https://brokeaid.com/#booting-brocade) - start from the **Booting Brocade** section as linked.
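Review bot: `CHMOD 777 badboot.bin` in the Preparation paragraph will not run on Linux because the command name is case-sensitive (`chmod`), and 777 also marks the file executable by everyone when the BDI2000 only needs write access; `chmod 666 badboot.bin` (or giving the file to the TFTP daemon's user) is sufficient. It would help to say why the empty file must exist beforehand, since the note after `dump 0xfff80000 0x00080000 badboot.bin` sends readers back to this paragraph when the dump fails. Minor typos in the later paragraphs: "it's output" should be "its output" and "succesfully" should be "successfully".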

105
docs/jtag6610.md Normal file

@@ -0,0 +1,105 @@
# PowerPC JTAG Recovery (ICX6610)
This is a brief guide to recover corrupt bootloaders on PowerPC 85xx switches (ICX6610 or FCX) using a BDI2000.
## Preparation
Start by downloading [this ZIP](http://fohdeesha.com/data/other/jtag-recovery-6610-fcx.zip).
Put all the files from the zip into the root of your TFTP server - the JTAG unit has been preprogrammed to look for a TFTP server at the address you specified before the unit was shipped - make sure said TFTP server is running with above files before powering the BDI2000.
**Note:** If you are attempting this with your own BDI2000 and need the appropriate MPC85xx BDI firmware, contact me via [GitHub](https://github.com/Fohdeesha) or [STH](https://forums.servethehome.com/index.php?threads/brocade-icx-series-cheap-powerful-10gbe-40gbe-switching.21107/).
If the TFTP server is running on linux, you need to create an empty file in the TFTP root called `badboot.bin` - and give it write permission by running `CHMOD 777 badboot.bin` - this allows the JTAG unit to write to this file. if you are using a windows TFTP server, this shouldn't be necessary.
## Connections
If you are outside the US, please plug the power brick into the wall first WITHOUT CONNECTING IT TO THE BDI2000! This is to test the power adapter, if it blows up from 220 volts, it won't take the BDI2000 with it.
If you plug it into the wall and nothing happens (it shouldn't), unplug it from the wall. Now plug your ethernet cable into the BDI2000 (which should still be powered off).
Now plug in the power supply to the BDI2000. Be gentle and make sure the key on the plug is facing the correct way - I had to hack up that power supply out of parts as it did not come with one.
Once you are sure it is plugged in correctly, and it is also connected to your network via ethernet, plug the power brick into an outlet - the BDI2000 should power up.
Using a telnet capable program like putty, telnet to the BDI2000 unit - it has been preconfigured with the IP you specified before shipping - You should get output like the below, saying it's waiting for a target:
```
TARGET: waiting for target Vcc
TARGET: waiting for target Vcc
TARGET: waiting for target Vcc
```
Now you must connect the BDI2000 to the ICX6610. Make sure the switch is unplugged and powered off! Find the 16-pin JTAG header on the switch. On the JTAG header, `1` should be printed on one side of the header to indicate pin number 1. Find which side of the header that `1` is on.
Plug in the cable so pin #1 is on the left side, like this:
![bdi-pins](http://fohdeesha.com/data/other/bdipins.jpg)
On an ICX6610, the connection should look like this:
![bdi-6610](http://fohdeesha.com/data/other/bdi6610.jpg)
**Note:** The above picture is a 48 port ICX6610. The 24 port ICX6610 will have a slightly different board layout, and I believe the JTAG connector is on the opposite side.
Now that everything is plugged in and the BDI2000 is powered, power up the switch.
**Startup Order Summary:**
1. Connect ethernet to the BDI2000
2. Connect the power brick to the BDI2000
3. Connect the BDI2000 to the switch JTAG header
4. Power on the switch
## JTAG Commands
When the switch powers up, you should get some new output in your telnet connection to the unit, similar to the below:
```
- TARGET: resetting target passed
- TARGET: processing target startup ....
- TARGET: processing target startup passed
```
Make sure you got `processing target startup passed` at the end, this means the CPU is successfully halted. Test the JTAG session by reading the beginning bootloader area of flash:
```
md 0xfff80000
```
Depending on how corrupt your bootloader area is, you should see something that looks similar to the u-boot or brocade beginning contents below (might not match exactly, depending on what bootloader you are running):
```
fff80000: 4d554348 02057be5 0005a2d6 00004058 MUCH..{.......@X
fff80010: 00000000 00012f2c 0004d880 00600028 ....../,.....`.(
fff80020: 00030030 0004ffff ffffffff 00000000 ...0............
fff80030: 4e6ab6ae 07030000 74727a30 37333030 Nj......trz07300
```
If you get something similar to above, the JTAG session is working.
Now we tell it to copy the corrupted flash bootloader to a file on your TFTP server named `badboot.bin` - this is an important step as it will let me see exactly what in the bootloader got corrupted:
```
dump 0xfff80000 0x00080000 badboot.bin
```
>Note: if you get an error here, it is most likely related to TFTP permissions (it can't write the file on your TFTP server). See the intro paragraph for linux TFTP permission information.
Once that finishes, we can write the new bootloader. First we must erase the bootloader section of flash properly before we can write to it:
```
erase 0xfff80000 0x20000 4
```
Now we copy the bootloader from the TFTP server to onboard flash:
```
prog 0xfff80000 grz10100.bin bin
```
When that finishes, connect a serial console cable to the switch (while it is still running and connected to JTAG). Open up a serial program so you can watch it's output. We will tell the switch to reset and run like normal (run the following command in the JTAG telnet console):
```
reset run
```
The switch should boot normally and you should see it's usual boot text in your serial console.
>If you don't see any text in your serial window and the switch seems like it's still bricked, Unplug the switch power, then plug it back in, then follow the above erasing and flashing steps again as you must have skipped something.
Once you have confirmed it has booted succesfully - unplug/power off the switch - do not run it for very long with the top off - once the ASIC is initialized it gets VERY hot without any airflow being forced over it.
>This is not an issue when initially booting the switch with JTAG, as the CPU is halted before it has a chance to bring the ASIC online. It is only once the switch boots successfully in which it will begin heating.
Unplug the switch power first! When the switch is off and powered down, then unplug the power cable from the BDI2000, then disconnect it from the JTAG header, and you are done. **PLEASE SEND ME THE badboot.bin FILE FROM YOUR TFTP SERVER!** This will allow me to see exactly what got corrupted on your switch.
**Shutdown Order Summary:**
1. Power down the switch (unplug power)
2. Power down the BDI2000 (unplug power brick)
3. Disconnect the BDI2000 16 pin cable from the JTAG header
Put the switch cover back on. Now that your switch is booting into the bootloader, you can go and follow the [update guide](https://fohdeesha.com/docs/fcx/) to flash a new OS etc to the switch from the bootloader.
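Review bot: `CHMOD 777 badboot.bin` in the opening paragraph will not run on Linux, where the command is lowercase `chmod`, and mode 777 makes the file world-writable and executable when the JTAG unit only needs write access through the TFTP daemon; suggest `chmod 666 badboot.bin`, or chown the file to the user the TFTP server runs as, and keep the TFTP root off any network that untrusted hosts can reach while the `dump` step runs. Minor wording in the same hunk: "it's output" and "it's usual boot text" should be "its", and "succesfully" should be "successfully".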

88
docs/linux.md Normal file

@@ -0,0 +1,88 @@
# Accessing Linux
This only applies to the newer architecture switches - the ICX6450, ICX6650, and the ICX7xxx series. The older models (GS, FCX, ICX6610, etc) run a proprietary bootloader and OS, so there is no Linux to access.
Some time after the ICX6610 design, they moved to using the popular u-boot bootloader, which then boots good old linux. The linux system then launches a monolithic FastIron binary. This is of course all transparent, all you will see is the normal FastIron interface - except now it's an application being ran on top of linux.
After some poking around in a dump of a running switches RAM, I stumbled upon the INIT script used to start the linux system. Of interest were these statements (trimmed for brevity):
```
#If noautostart is set in uboot, stop at linux prompt
cat /proc/cmdline |grep "noautostart" 1>/dev/null 2>&1 if [ $? -eq 0 ] then START_FI_AUTO=0
#If enabletelnet is set in uboot, then start telnet daemon
cat /proc/cmdline |grep "enabletelnet" 1>/dev/null 2>&1 if [ $? -eq 0 ] then
/usr/sbin/telnetd -l /bin/sh -f /etc/welcome
```
It's looking at the boot arguments passed by the bootloader for a `noautostart` or `enabletelnet` string. If it sees the `noautostart` string, it does not start the Fastiron app and drops you right into linux. If it sees the `enabletelnet` string, it starts a hidden telnet server with raw access to linux. These are our two ways in.
## Method 1: Disable FastIron AutoStart
This method tells the switch not to boot the Fastiron app, and drops you right into linux. You will only have serial access to the switch, the usual networking software will NOT be loaded.
Get into the bootloader like usual (hit `b` during boot), then run the following:
```
setenv extra_bootargs noautostart
boot
```
>note: this only sets this argument once and does not save it. So on subsequent reboots or power-ons, the string will be gone and it will boot normally.
It will begin booting like normal, but eventually you'll land in a shell:
```
BusyBox v1.18.3 (2013-11-22 14:33:50 IST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
/ #
```
Press tab twice and it'll show you all possible commands (just typing `help` will not show you all commands), there's a couple hundred, most of the utilities you'd expect including `wget`, `curl`, `vi`, and `ftpput`.
Check out the filesystem:
```
/ # ls
FastIron.xz etc home mnt sbin tmp
bin fast_iron init proc sys usr
dev ftp lib root tftpboot var
/ #
```
In the `fast_iron` directory, you'll find the startup configs you save from the normal switch CLI, as well as some logs. To reboot back to normal FastIron, just issue the `reboot` command.
## Method 2: Enable Hidden Telnet Server
This method tells the switch to start a hidden telnet server attached to the underlying Linux OS. It's only accessible via the management port (this is the only networking port Linux can see as it's off the management CPU, not the switching ASIC). The IP for Linux (where the telnet server will be) is set by a bootloader variable.
The upside of this method is that FastIron will still start, so you'll still have a normal functioning switch. There will just be an (unsecure) telnet daemon running on the management port with raw access to the underlying Linux OS - great for live debugging.
Get into the bootloader like usual (hit `b` during boot), then run the following. For the IP, choose an IP that is not in use anywhere else, especially on the switch. If you have a management IP assigned to the switch, this is separate from that and needs to be a different IP:
```
setenv extra_bootargs enabletelnet
setenv ipaddr 192.168.1.57
boot
```
>note: this only sets this argument once and does not save it. So on subsequent reboots or power-ons, the string will be gone and it will boot normally.
The switch will boot as normal, except now the underlying Linux OS has launched a telnet server at the specified IP, and is accessible via the management port only. When you telnet to it (default telnet port), you will have a full Linux CLI:
```
Welcome to FastIron Board's Telnet session
_ _
| ||_|
| | _ ____ _ _ _ _
| || | _ \| | | |\ \/ /
| || | | | | |_| |/ \
|_||_|_| |_|\____|\_/\_/
On Brocade's FastIron board
BusyBox v1.18.3 (2013-11-22 14:33:50 IST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
/ # ls
FastIron etc home mnt sbin tmp
bin fast_iron init proc sys usr
dev ftp lib root tftpboot var
/ #
```
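Review bot: Method 2 should state plainly what the quoted init snippet shows, namely that `enabletelnet` launches `/usr/sbin/telnetd -l /bin/sh`, a root shell with no login prompt, reachable by anyone who can reach the management port at the `ipaddr` you set; the "(unsecure)" aside undersells that. Suggest advising readers to set it only on an isolated management segment and to power-cycle the switch when finished, which the existing note says clears `extra_bootargs`. The trimmed script block has also lost its line breaks (`... 2>&1 if [ $? -eq 0 ] then START_FI_AUTO=0` is three statements run onto one line), so reflowing it one statement per line would read better. Wording: "a running switches RAM" should be "a running switch's RAM", and "being ran" should be "being run".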

45
docs/stack-ports.md Normal file

@@ -0,0 +1,45 @@
# ICX6610 Stack Ports
## Upgrading The Software
Thankfully in FastIron release 08.0.10 and up, Brocade quietly removed the "stack-only" restriction on the rear 40gbE ports.
This means the first step is to update to the latest release. This link has instructions and a ZIP of the latest images - [FastIron Upgrade & Config Guide](http://fohdeesha.com/docs/fcx/).
However you're not done yet!
## Removing Stack Configuration
There are going to be some stacking commands automatically put in your configuration, so we need to remove them. To see what you need to remove, show the config:
```
show run
```
Towards the top you should see a stacking related block similar to the below:
```
stack unit 1
module 1 icx6610-48-port-management-module
module 2 icx6610-qsfp-10-port-160g-module
module 3 icx6610-8-port-10g-dual-mode-module
stack-trunk 1/2/1 to 1/2/2
stack-trunk 1/2/6 to 1/2/7
```
We need to remove the two ```stack-trunk``` lines. They may be slightly different on your end, so substitute whatever was in your config. Notice that they are under the ```stack unit 1``` level, so you need to enter that CLI level first:
```
enable
conf t
stack unit 1
no stack-trunk 1/2/1 to 1/2/2
no stack-trunk 1/2/6 to 1/2/7
exit
write mem
```
Now show the config:
```
show run
```
There should no longer be any ```stack-trunk``` commands, or any commands referencing stack ports. That's pretty much it! You can now use the ports on the rear as normal. However, see the next section on how they are laid out.
## Port Layout
Keep in mind two of the rear ports are 4x 10gbE breakout only, and the remaining two are 40gbE only. The two 40gbE-only ports will NOT run at 10gbE (for instance with a QSFP to SFP+ adapter), so use these two for 40gbE links only. The extremely professional diagram below shows the port config and their associated port numbers in the OS:
![Port Diagram](https://fohdeesha.com/data/other/icx-ports.png)
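Review bot: the inline code spans in the Removing Stack Configuration section use triple backticks (```stack-trunk```, ```stack unit 1```), which some Markdown renderers treat as an opening fence rather than inline code; single backticks (`stack-trunk`, `stack unit 1`) are the safe form. The Port Layout section also relies entirely on the image to convey which rear ports are 4x 10gbE breakout-only and which are 40gbE-only; a one-line text statement of the port numbers next to the image would keep that information available when the image is unavailable.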