Device management security, Allowing sshv2 access to the brocade device – Brocade Communications Systems Brocade ICX 6650 6650 User Manual

Page 31

Advertising
background image

Brocade ICX 6650 Security Configuration Guide

11

53-1002601-01

Remote access to management function restrictions

NOTE

If you have already configured a default gateway globally and you do not configure a gateway in the
VLAN, the software uses the globally configured gateway and gives the gateway a metric value of 1.

To configure a designated management VLAN, enter commands such as the following.

Brocade(config)# vlan 10 by port
Brocade(config-vlan-10)# untag ethernet 1/1/1 to 1/1/4
Brocade(config-vlan-10)# management-vlan
Brocade(config-vlan-10)# default-gateway 10.10.10.1 1
Brocade(config-vlan-10)# default-gateway 10.20.20.1 2

These commands configure port-based VLAN 10 to consist of ports 1/1/1–1/1/4 and to be the
designated management VLAN. The last two commands configure default gateways for the VLAN.
Since the 10.10.10.1 gateway has a lower metric, the software uses this gateway. The other
gateway remains in the configuration but is not used. You can use the other one by changing the
metrics so that the 10.20.20.1 gateway has the lower metric.

Syntax: [no] default-gateway ip-addr metric

The ip-addr parameters specify the IP address of the gateway router.

The metric parameter specifies the metric (cost) of the gateway. You can specify a value from 1–5.
There is no default. The software uses the gateway with the lowest metric.

Device management security

By default, all management access is disabled. Each of the following management access methods
must be specifically enabled as required in your installation:

SSHv2

SNMP

The commands for granting access to each of these management interfaces is described in the
following.

Allowing SSHv2 access to the Brocade device

To allow SSHv2 access to the Brocade device, you must generate a Crypto Key as shown in the
following command.

Brocade(config)# crypto key generate

Syntax: crypto key [generate | zeroize]

The generate parameter generates a dsa key pair.

The zeroize parameter deletes the currently operative dsa key pair.

In addition, you must use AAA authentication to create a password to allow SSHv2 access. For
example the following command configures AAA authentication to use TACACS+ for authentication
as the default or local if TACACS+ is not available.

Brocade(config)# aaa authentication login default tacacs+ local

Advertising
Popular Brands
Popular manuals