Brocade ICX 6610 – enabling ssh and a few other things…

After an exhaustive search for a WAN switch, we finally made up our minds to go with the Brocade ICX series. We are primarily an Enterasys/Extreme Networks shop, but we are on a budget, like most other public education institutions. In my experience, I have seen many shops stick to what they know (cough, cough, Cisco), but is that always going to be the best price/solution? The Brocade command line is very similar to Cisco's, so for you peeps out there looking for an alternative to Cisco, take a look at the Brocade ICX lineup.

Now on to the good stuff. I've listed a few pointers to get SSH properly set up on an ICX 6610. You can also view more ICX 6610 commands in my Brocade ICX 6610 part 2 article.

//Generating the DSA host key is what enables SSH on the ICX 6610
(config)#crypto key generate dsa
//We can then set up a local account to use for SSH, but we first want to mask passwords (the switch then prompts for the password instead of echoing it)
(config)#enable user password-masking
(config)#username yourusername password
//The next command makes the Brocade use the local user database for SSH login
(config)#aaa authentication login default local
//We can then further restrict which IPs are allowed to SSH in (repeat the command for each permitted client)
(config)#ip ssh client yourclientip
//Here is how we disable SSH again: deleting the host key
(config)#crypto key zeroize dsa
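To verify that a switch actually carries the settings above, the following added audit script (my own example, not code from the original post or from Brocade) parses a running-config excerpt and reports which of the post's SSH hardening steps are missing and which client IPs are permitted. The config text is constructed for the example; the check names are my own labels.

```python
import re

# Constructed sample of an ICX 6610 running-config excerpt (not captured from a
# real switch); it contains the commands shown in the post above.
SAMPLE_CONFIG = """\
!
enable user password-masking
username admin password .....
aaa authentication login default local
ip ssh client 10.0.0.5
ip ssh timeout 5
!
"""

# Constructed weak variant: no masking, no local auth, no client restriction.
WEAK_CONFIG = """\
username admin password .....
ip ssh timeout 5
"""

# Each hardening step from the post, as a regex over individual config lines.
CHECKS = {
    "password_masking": re.compile(r"^enable user password-masking$"),
    "local_ssh_auth": re.compile(r"^aaa authentication login default local\b"),
    "ssh_client_restricted": re.compile(r"^ip ssh client \S+$"),
    "local_user_defined": re.compile(r"^username \S+ password"),
}

def parse_config(text):
    """Return the stripped config lines, dropping blanks and '!' separators."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("!")]

def audit_ssh_config(text):
    """Map each check name to the config lines that satisfy it (empty = missing)."""
    lines = parse_config(text)
    return {name: [ln for ln in lines if rx.match(ln)] for name, rx in CHECKS.items()}

def missing_hardening(text):
    """Sorted names of the hardening steps that no config line satisfies."""
    return sorted(name for name, hits in audit_ssh_config(text).items() if not hits)

def allowed_ssh_clients(text):
    """IPs permitted by 'ip ssh client' lines; an empty list means any host may connect."""
    return [ln.split()[-1] for ln in audit_ssh_config(text)["ssh_client_restricted"]]

if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, "missing:", missing_hardening(cfg), "clients:", allowed_ssh_clients(cfg))
```

Feed it the output of `show running-config` to audit a real switch; an empty "missing" list means every step from the post is present.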

Thanks,

@jhazesnooty

Feel free to share.

10 comments

  • Very good post.

  • I am trying to enable an ACL on my Brocade ICX 6610. I have the ACL configuration, but how do I implement it? I need to implement it on my management ve so that only subnets in that ACL can access it. However, when I implemented the ACL on the ve interface (inbound), my colleague was still able to access the devices from an external IP.
    Any help?
    Following is the command I used.
    ip access-group Management_Access in

    • In order to restrict access to your mgmt. IP via ACL, you have to enter the following commands:

      for Telnet:
      telnet access-group your-acl-num
      for SSH:
      ssh access-group your-acl-num
      for Web:
      web access-group your-acl-num
      for SNMP:
      snmp-server community public ro

      According to the 7400a_config guide from Brocade, only these four access methods can be controlled. There are other simpler methods that you can use rather than an ACL; here's an example of allowing only a certain IP for SSH access:

      ip ssh client

      I then disable all the other services with a no command:

      no web-management
      no telnet server

      I hope this helps.

  • Wow, I didn't expect a reply so soon. Thank you, I will try what you've mentioned. I have loads of doubts and not too many support sites. Plus, worst of all, our support with Brocade expired.
    Here is my exact problem. Following is my ACL:
    ip access-list standard Management_Access
    permit 66.xxx.122.0 0.0.0.255
    permit 10.xxx.201.0 0.0.0.255
    permit 10.xxx.200.0 0.0.0.255
    permit 192.xxx.254.0 0.0.0.255
    permit host 192.xxx.253.63
    permit host 69.xxx.37.3

    --------------------------------------------------
    Here is the interface I want to implement it on:

    interface ve 204
    port-name MANAGEMENT
    ip address 10.xxx.200.1 255.255.255.0

    --------------------------------------------------
    The current SSH config is:
    ip ssh timeout 5
    ip ssh client 69.xxx.37.3
    ip ssh client 66.xxx.122.61
    ip ssh source-interface ve 3
    --------------------------------------------------

    I want it to be set up in such a way that only systems in the 10.xxx.200.0 network can access the management VLAN devices. 69.xxx.37.3 is my VPN gateway, and I want to restrict access to the management network ONLY through the VPN. Please advise how I can do this.

    • I’m running this on icx 6610 with ver 7.3.001T7f1 firmware in switch mode. First you have to run the “management-vlan” command within the vlan interface that you want management to be enabled on.
      Example:
      #config t
      (config)#vlan 204
      (config-vlan-204)#management-vlan

      Then run the following:
      (config)#ssh access-group Management_Access

      However, your ip ssh client rules may already be affecting your setup as you can use ACL or the ip ssh client x.x.x.x to filter ssh access. I’m not sure which one will trump the other.

      Sorry, my last response didn’t display that you needed the acl number after the access-group command, wordpress removed my text that I put in when I entered the greater and less than symbols.

  • Thanks, it did help a bit. I have a new query. I am trying to set up a new interface and want to connect an Alcatel-Lucent device on the other end. I want to allow an IPv6 VLAN on the new interface. Here are some doubts:
    1) This is the existing config of one of the interfaces which has an IPv4 VLAN:
    vlan 131 name CUSTOMER_DATA_EH by port
    tagged ethe 1/1/2 to 1/1/3 ethe 1/3/1
    untagged ethe 1/1/11
    router-interface ve 131

    I need to set up a new interface with IPv6 capabilities. So far this is what I've set up:
    vlan 133 name CUSTOMER_DATA_EH_3 by port
    router-interface ve 133

    Not sure how to put in the command for tagging. Can you explain what this line is?
    tagged ethe 1/1/2 to 1/1/3 ethe 1/3/1

  • OK, I got the answer to my question 🙂
    Can Brocade handle routing between an IPv6 and IPv4 network, i.e. if I want to contact a switch on my IPv4 network but I have an IPv6 address, is this allowed?

    • Sorry, I didn’t get back so soon. Some of the emails went into my spam box. I actually haven’t played with the IPv6 and IPv4 stuff. I would think that whatever is directly connected to your router (either IPv6 or IPv4) would be able to communicate as the routing table would have your directly connected routes. You would have to test it out as I haven’t needed to deploy IPv6 yet.

  • Hi,

    I have looked around on internet for quite some time now but could not find any hints.

    How can I execute a telnet from an interface inside a VRF from Brocade ICX6610?

    I have non-Brocade (Cisco and Juniper) devices on the other side which can allow incoming telnet sessions on interfaces within different VRFs than management. My problem is that there is no CLI possibility, or at least I could not find anything, for originating a telnet request using a source interface or IP in a VRF on the ICX6610.

    Can you help? Have you seen this?

    Regards,
    Ashis
