The Multi-Vendor Networking Forum and Resources
Brocade FastIron Configuration Tips


Here you will find some basic configuration for the Brocade FastIron switches. Commands may differ within the FastIron family, so some may not work on your specific switch. If you find this to be true, please let me know so I can update this page. If you find other useful information that I may have missed, please let me know. Keep in mind that these settings may not meet your company's security or technical goals. **Always read the configuration guide to make sure the configuration you are using does everything you want it to do.**

For more information on Brocade switches, please click here to look through my forum


Brocade FastIron SX, TurboIrons, etc.

-- Global configuration on a FastIron Switch --

global-stp                               - Enables Spanning Tree on the switch
system-max ip-static-route 256           - Sets the maximum number of static routes to 256
system-max vlan 1024                     - Sets the maximum number of VLANs to 1024
jumbo                                    - Enables jumbo frames, requires a reboot
default-vlan-id 4000                     - Sets the default VLAN to VLAN 4000
link-keepalive ethe <port#>              - Enables UDLD on the specified ports
router vrrp-extended                     - Enables VRRP-E
ip tacacs source-interface loopback 1    - Forces Loopback 1 to be the source of TACACS+ packets
ip sntp source-interface loopback 1      - Forces Loopback 1 to be the source of SNTP packets
ip syslog source-interface loopback 1    - Forces Loopback 1 to be the source of syslog packets
ip ssh idle-time <Minutes>               - Idle SSH sessions time out after the specified number of minutes
errdisable recovery cause bpduguard      - Automatically recovers in 5 minutes

 
-- How to Configure SFLOW on a FastIron Switch --

sflow sample 512                         - Sets the sample rate to 512 (default)
sflow destination <IP ADDRESS>           - sFlow collector IP
sflow enable                             - Enables sFlow
sflow forwarding                         - Add to an interface to enable sFlow on that interface

-- How to create and apply a VLAN to a port on a FastIron Switch --

vlan <#> name <VLAN-Name>
 tagged eth <slot/port>                  - Tags the VLAN out the specified interface
 untagged eth <slot/port>                - Applies the VLAN to an access port
 spanning-tree 802-1w                    - Configures Rapid Spanning Tree on the FastIron switch

-- Port level Configuration Options on a FastIron Switch --

port-name <Description>                   - Labels a port with a description
ip access-group <QOS-MARKING-ACL> in      - Applies the QoS ACL if running Layer 2 code
spanning-tree root-protect                - Apply to ports that should never connect to the spanning tree root
spanning-tree 802-1w admin-edge-port      - Apply to end user ports, enables Rapid Spanning Tree on this port
spanning-tree 802-1w admin-pt2pt-mac      - Apply to 802.1q ports or ports to other network gear, enables Rapid Spanning Tree on this port
stp-bpdu-guard                            - Will err-disable the port and block BPDUs if they are received
no snmp-server enable traps link-change   - Prevents SNMP link up/down traps (add to end user ports, not links to other network gear)
optical-monitor                           - Apply to optical ports, allows you to see optical levels if the SFP/SFP+/XFP has the ability to provide that information
disable                                   - Disables the port
enable                                    - Enables the port, by default the ports are enabled
trust dscp                                - Trusts DSCP values on inbound packets
sflow forwarding                          - Enables sFlow statistic collection on this port
dual-mode <vlan>                          - Sets trunk ports to accept untagged packets on the VLAN specified
ip-port-mtu <576 to 9198>                 - Sets the MTU for this port
pvst-mode                                 - Enables PVST mode to connect a trunk port to a Cisco switch running PVST
route-only                                - Disables switching and makes the port a routed port

-- Configure LACP on a FastIron Switch --

The key number is what ties the two interfaces together; each LAG should have a different number.
I used ports 1/1 and 2/1 for my example.

interface ethernet 1/1
link-aggregate configure timeout short
link-aggregate configure key 10000
link-aggregate active
!
interface ethernet 2/1
link-aggregate configure key 10000
link-aggregate configure timeout short
link-aggregate active


-- How to enable SSH on a FastIron Switch --

crypto key generate rsa modulus <KEY SIZE>               - Generates the RSA key
username <USERNAME> privilege 0 password <PASSWORD>      - Configures a username and password on the switch
aaa authentication login default local                   - Tells the switch to authenticate against the local database
ip ssh idle-time <Time in Minutes>                       - Sets the idle timeout to the specified time in minutes

-- How to configure TACACS+ on a Brocade FastIron Switch --

aaa authentication login default tacacs+ local           - States to use TACACS+ first, then fall back to local database
aaa authentication login privilege-mode
aaa authorization commands 0 default tacacs+ none
aaa authorization exec default tacacs+ none
aaa accounting commands 0 default start-stop tacacs+ none
aaa accounting exec default start-stop tacacs+ none
aaa accounting system default start-stop tacacs+ none
tacacs-server host <Primary TACACS+ Server IP>           - Sets the primary TACACS+ server by IP
tacacs-server host <Secondary TACACS+ Server IP>         - Sets the secondary TACACS+ server by IP
tacacs-server key 1 <passcode>                           - Sets the password or key, must match the TACACS+ server key
tacacs-server timeout <Time in Minutes>                  - Sets the automatic log out time
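
The script below is an added example, not part of the original page and not Brocade code. It checks a saved configuration for the login, SSH and BPDU guard commands listed in the sections above. The sample configuration is constructed, and the names split_config, audit_config and GLOBAL_CHECKS are assumptions of this example.

```python
import re

# Constructed sample configuration, for illustration only.
SAMPLE_CONFIG = """\
aaa authentication login default tacacs+ local
ip ssh idle-time 10
tacacs-server host 192.0.2.10
!
interface ethernet 1/1
 spanning-tree 802-1w admin-edge-port
 stp-bpdu-guard
!
interface ethernet 1/2
 spanning-tree 802-1w admin-edge-port
!
"""

# Global commands from this page that the audit expects to find.
GLOBAL_CHECKS = {
    "ssh idle timeout": r"ip ssh\s+idle-time \d+",
    "login via tacacs+ then local": r"aaa authentication login default tacacs\+ local",
    "tacacs+ server": r"tacacs-server host \S+",
    "bpduguard auto-recovery": r"errdisable recovery cause bpduguard",
}

def split_config(text):
    """Split a config into global lines and per-interface line lists."""
    global_lines, interfaces, current = [], {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "!":
            current = None          # "!" ends an interface block
        elif line.startswith("interface "):
            current = interfaces.setdefault(line[len("interface "):], [])
        elif line and current is not None:
            current.append(line)
        elif line:
            global_lines.append(line)
    return global_lines, interfaces

def audit_config(text):
    """Return a list of findings; an empty list means every check passed."""
    global_lines, interfaces = split_config(text)
    findings = [f"global: missing {name}" for name, pat in GLOBAL_CHECKS.items()
                if not any(re.match(pat, l) for l in global_lines)]
    for ifname, lines in interfaces.items():
        edge = "spanning-tree 802-1w admin-edge-port" in lines
        if edge and "stp-bpdu-guard" not in lines:
            findings.append(f"{ifname}: edge port without stp-bpdu-guard")
    return findings
```

Run against the constructed sample, audit_config reports the missing errdisable recovery command and the edge port on ethernet 1/2 that has no stp-bpdu-guard.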


-- How to mark DSCP values on inbound packets on a Brocade FastIron SX running Layer 3 Code --


Layer 3 code requires you to apply the ACL to the VE instead of the physical interface. If a VE is configured, the switch will not allow the ACL to be applied to the physical interface; it allows this only when there is NOT a VE.

Global Config    --- You will need to modify the following config to work in your network ---

vlan 5
router-interface ve 5
untagged eth 1/1


enable acl-per-port-per-vlan             - Allows marking of packets that are staying on the same VLAN ==> Requires a reboot
traffic-policy <name=QOS> count          - Tells the switch to count the packets that hit the policy


ip access-list 101 bridged-routed  ==>> You must add this command or it will not work!!!!
ip access-list extended 101
remark RTP-ACL
permit udp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 range 16384 32767 dscp-marking <DSCP #> dscp-cos-mapping traffic-policy QOS
remark VOICE-CONTROL-ACL
permit tcp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 range 2000 2002 dscp-marking <DSCP #> dscp-cos-mapping traffic-policy QOS
remark EVERYTHING-ELSE
permit ip any any dscp-marking 0 dscp-cos-mapping traffic-policy QOS

interface VE 5
ip access-group 101 IN   - Applies the ACL to the VE

***You will need to write an ACL that works for your network and your needs. Make sure you have permit ip any any at the end!!!***

dscp-marking = Marks the packet with the DSCP value
dscp-cos-mapping = Uses the internal mappings to map DSCP to COS values
traffic-policy = Allows you to see some counters on the ACL (not very helpful)


-- How to mark DSCP values on inbound packets on a Brocade FastIron SX running Layer 2 Code --


Global Config

enable acl-per-port-per-vlan             - Allows marking of packets that are staying on the same VLAN ==> Requires a reboot
traffic-policy <name=QOS> count          - Tells the switch to count the packets that hit the policy

ip access-list extended 101
remark RTP-ACL
permit udp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 range 16384 32767 dscp-marking <DSCP #> dscp-cos-mapping traffic-policy QOS
remark VOICE-CONTROL-ACL
permit tcp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 range 2000 2002 dscp-marking <DSCP #> dscp-cos-mapping traffic-policy QOS
remark EVERYTHING-ELSE
permit ip any any dscp-marking 0 dscp-cos-mapping traffic-policy QOS

interface ethernet 1/1
ip access-group 101 IN   - Applies the ACL to the interface

***You will need to write an ACL that works for your network and your needs. Make sure you have permit ip any any at the end!!!***

dscp-marking = Marks the packet with the DSCP value
dscp-cos-mapping = Uses the internal mappings to map DSCP to COS values
traffic-policy = Allows you to see some counters on the ACL (not very helpful)
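
The script below is an added example, not part of the original page and not Brocade code. It applies to both the Layer 3 and Layer 2 marking sections: it parses an ACL written in the form shown above and returns the first entry a packet matches, which shows why the final permit ip any any is needed. It handles only the syntax used on this page and treats the range after the destination as destination ports; the DSCP values 46 and 24 and the names parse_acl and first_match are assumptions of this example.

```python
import ipaddress

# Constructed ACL in the form used on this page; DSCP 46 and 24 are sample values.
SAMPLE_ACL = """\
remark RTP-ACL
permit udp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 range 16384 32767 dscp-marking 46 dscp-cos-mapping traffic-policy QOS
remark VOICE-CONTROL-ACL
permit tcp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 range 2000 2002 dscp-marking 24 dscp-cos-mapping traffic-policy QOS
remark EVERYTHING-ELSE
permit ip any any dscp-marking 0 dscp-cos-mapping traffic-policy QOS
"""

def _take_addr(tokens):
    """Consume 'any' or '<address> <wildcard>' and return (base, wildcard) as ints."""
    if tokens[0] == "any":
        del tokens[0]
        return 0, 0xFFFFFFFF
    base, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    del tokens[:2]
    return base, wild

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # skips remarks and blank lines
        rule = {"action": tokens[0], "proto": tokens[1], "ports": None, "dscp": None}
        rest = tokens[2:]
        rule["src"], rule["dst"] = _take_addr(rest), _take_addr(rest)
        if rest[:1] == ["range"]:
            rule["ports"] = (int(rest[1]), int(rest[2]))
        if "dscp-marking" in rest:
            rule["dscp"] = int(rest[rest.index("dscp-marking") + 1])
        rules.append(rule)
    return rules

def _addr_match(addr, spec):
    base, wild = spec  # wildcard bits set to 1 are ignored in the comparison
    return (int(ipaddress.IPv4Address(addr)) | wild) == (base | wild)

def first_match(rules, proto, src, dst, dport=None):
    """Return (action, dscp) of the first matching entry; implicit deny if none match."""
    for r in rules:
        port_ok = r["ports"] is None or (dport is not None and r["ports"][0] <= dport <= r["ports"][1])
        if (r["proto"] in ("ip", proto) and _addr_match(src, r["src"])
                and _addr_match(dst, r["dst"]) and port_ok):
            return r["action"], r["dscp"]
    return "deny", None
```

With the last entry removed, traffic that is neither RTP nor voice control matches nothing and is denied rather than passed with DSCP 0.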