HOWTO: IBM RackSwitch G8124 – Initial Configuration

Now that I have my new G8124F 10GbE switches (https://vnetwise.wordpress.com/2014/09/20/ibm-rackswitch10gbe-comes-to-the-lab/), we need to look at the basic configuration. This will cover general switch management that is generic to any switch, such as:

  • Setting hostname and management IP on the OoB interface
  • DNS, SysLog, NTP
  • Management users
  • Confirming we can back up the config files to a TFTP server
  • RADIUS – I expect this to need a HOWTO of its own, largely because I’m going to have to figure out what the RADIUS server side requires

Information we’ll need:

Top Switch:

  • Hostname: NW-IBMG8124A
  • IP: 10.0.0.94
  • MGMT_A: NW-PC6248_1/g39 – VLAN 1 – Access
  • p24 -> NW-IBMG8124B/p24
  • p23 -> NW-IBMG8124B/p23
  • p01 -> NW-ESXI04 vmnic5

Bottom Switch:

  • Hostname: NW-IBMG8124B
  • IP: 10.0.0.95
  • MGMT_A: NW-PC6248_1/g39 – VLAN 1 – Access
  • p24 -> NW-IBMG8124A/p24
  • p23 -> NW-IBMG8124A/p23

Common Information:

  • Subnet: 255.255.255.0
  • Gateway: 10.0.0.1
  • DNS1: 10.0.0.11
  • DNS2: 10.0.0.12
  • NTP: 10.0.0.11
  • SysLog: 10.0.0.10

Manual Links:

What you can tell from the above is that ports 23/24 are linked together with a pair of Cisco passive DAC SFP+ TwinAx cables. Port 1 on the top switch is connected to an unused 10GbE port on an ESXi host so we can do some basic testing. Both switches have their MGTA ports connected to my current Dell PowerConnect 6248 switches, on ports {Top/Bottom}/g39 respectively, with no VLAN trunking. This won’t really matter for the basic configuration we’re doing now, but it will once we start configuring data ports rather than just management interfaces.

1) Initial Login:

I was going to use my Digi CM32 with an RJ45 cable and converter to connect to the DB9. However, the cable and my converters are both female, and I have no serial gender benders on hand. So instead, I opted to use two serial ports on two ESXi hosts, and connect each COM port to a VM. Note that you will have to power down the VM to do so, and it will prevent vMotion, etc. I’m using disposable VMs that I use for benchmarking and testing, so this isn’t a concern. Port speeds are whatever the default PuTTY assumes – 9600,8,N,1, I’m sure.

First, the hard part. The default password is “admin” with no password.

2) Enter configuration:

The first thing you’ll notice is that, so far, this feels very Cisco-like. To get started, we enter the “enable” mode and then “conf t” to configure from the terminal.

Command:

enable

configure terminal

3) Let’s confirm our running configuration:

Yup. That’s pretty reset to factory.

Command:

show running-config

4) As per the manual, we’ll set up the management IPs on both switches:

Page 44 suggests the following commands:

interface ip-mgmt address 10.0.0.94

interface ip-mgmt netmask 255.255.255.0

interface ip-mgmt enable

interface ip-mgmt gateway 10.0.0.1

interface ip-mgmt gateway enable

However, as you can see above, it appears that the version of the firmware I’m running has two options for “interface ip-mgmt gateway” – address w.x.y.z and enable. So the actual commands are:

Commands:

interface ip-mgmt address 10.0.0.94

interface ip-mgmt netmask 255.255.255.0

interface ip-mgmt enable

interface ip-mgmt gateway address 10.0.0.1

interface ip-mgmt gateway enable

You can expect to see a message like the above when the link comes up. In my case, this was because I didn’t configure the Dell PC6248’s until after doing this step.

5) Set the hostname:

Command:

hostname NW-IBMG8124B

We can set the hostname. Note that it changes immediately.

6) Now would be a good time to save our work:

Just like on a Cisco, we can use:

wr mem

or

copy running-config startup-config

Note the prompt above – because the switch is restored to factory defaults, it is booting in a special mode that bypasses any existing configurations. This is why it asks you to confirm whether you want your next boot to use the current running/startup config.

7) Set NTP server(s):

You will need to configure at least the “primary-server”, if not also the “secondary-server”, with an IP address as well as the port on the switch that will do the communication. In my case, I’ll be letting the mgta-port connect out, but this could easily be a data port on the switch as well. Do note that it requires an IP address, so you won’t be able to use DNS names such as “ntp1.netwise.ca”, unfortunately. Then, enable the NTP functionality.

Command:

ntp primary-server 10.0.0.11 mgta-port

ntp enable

You’ll note I made a typo, and used the wrong IP. That actually worked out well for the documentation:

When I changed the IP, you can see the console immediately displays that it has updated the time.

This is also a good time (pun intended) to set up your timezone. You can use the “system timezone” command to be prompted via menus to select your numbered timezone. As I had no clue what my number might be for Alberta (DST-7?), I ran through the wizard – then checked the running config:

There we go. Command to set America/Canada/Mountain-Alberta as your timezone:

system timezone 93

8) Setup an admin user:

User access is a little different from a Cisco switch. Here we need to set the name, enter a password, give the user a level, and then enable the user. Note that you cannot enter the password at the command line – it will interactively prompt you. So there’s no point entering any password in the config.

Commands:

access user 10 name nwadmin

access user 10 password

access user 10 level administrator

access user 10 enable

The running-config shows the password command as:

access user 10 password "f2cbfe00a240aa00b396b7e361f009f2402cfac143ff32cb09efa7212f92cef2"

Which suggests you must be able to provide the password at the command line, non-interactively.

It is worth noting that the built-in “administrator” account is handled specially. To change its password you would use:

access user administrator-password <password>

Setting the password to blank (null) will disable the account. A similar command also exists as “operator-password” for the “oper” account, but that account is disabled by default.

9) Setup SSH:

At this point, the switches are on the network, but I’m still configuring them via serial console. If we attempt to connect to them, we’ll realize that SSH doesn’t work but Telnet does – which is generally expected.

Commands:

ssh port 22

ssh enable

You should now be able to connect as the user you just created, AS WELL AS the default user – admin with a password of admin.

10) Disable Telnet

Now that we’ve configured SSH, let’s get rid of telnet. There is no equivalent “telnet disable”, but you can use “no …” commands.

Commands:

no access telnet enable

Note that my active Telnet sessions had their connections closed, as indicated on the console.

11) Set SNMP:

My SNMP needs are basic – I largely use it for testing monitoring and management products. So we’ll just set a basic Read Only and Read Write community, and we’ll set it for SNMP v2, which is the most common:

Commands:

snmp location "NetWise Lab"

snmp name NW-IBMG8124B

snmp read-community "nw-ro"

snmp write-community "nw-rw"

snmp version v1v2v3

access snmp read-only

access snmp read-write

NOTE: The SNMP name will change the HOSTNAME, and should not include quotes. This makes me believe it would ASSUME the hostname, which is what most people set it to anyway.

12) Configure HTTPS access:

Some people like HTTPS configuration access, some see it as a security risk. I’ll enable it so I have the option of seeing what it looks like.

Commands:

access https enable

If there is no self-signed certificate, it will generate one.

13) Configure DNS

It would be nice if we could get DNS for hostname resolution. Nothing is worse than having to remember IPs.

Commands:

ip dns primary-server 10.0.0.11 mgta-port

ip dns secondary-server 10.0.0.12 mgta-port

ip dns domain-name netwise.ca

14) Configure Spanning Tree

Any good switch should do some manner of Spanning Tree. As these will be my storage switches, we’ll ensure these are set to protect against loops and also set to Rapid Spanning Tree (RSTP).

Command:

spanning-tree loopguard

spanning-tree mode rstp

15) Configure SysLog:

This is pretty simple: we point it at the IP and tell it to use the mgta-port.

Command:

logging host 1 address 10.0.0.10 mgta-port

logging host 1 severity 7

logging log all

What is nice is that you can define two of them, by specifying “host 2”.

16) Backup the running config:

Configuring the switch isn’t a lot of good if you don’t back up the configuration. So we’ll make a copy of the config to our TFTP server.

Command:

copy running-config tftp address 10.0.0.48 filename NW-IBMG8124B_orig.cfg mgta-port

It is worth noting that it does support standard FTP as well, if you desire.

So if we take all of the above and put the commands together, we get:

enable

conf t

interface ip-mgmt address 10.0.0.94

interface ip-mgmt netmask 255.255.255.0

interface ip-mgmt enable

interface ip-mgmt gateway address 10.0.0.1

interface ip-mgmt gateway enable

hostname NW-IBMG8124A

copy running-config startup-config

ntp primary-server 10.0.0.11 mgta-port

ntp enable

access user 10 name nwadmin

access user 10 password "f2cbfe00a240aa00b396b7e361f009f2402cfac143ff32cb09efa7212f92cef2"

access user 10 level administrator

access user 10 enable

#access user administrator-password <ChangeMe>

ssh port 22

ssh enable

no access telnet enable

snmp location "NetWise Lab"

snmp name NW-IBMG8124A

snmp read-community "nw-ro"

snmp write-community "nw-rw"

snmp version v1v2v3

access snmp read-only

access snmp read-write

access https enable

ip dns primary-server 10.0.0.11 mgta-port

ip dns secondary-server 10.0.0.12 mgta-port

ip dns domain-name netwise.ca

spanning-tree loopguard

spanning-tree mode rstp

logging host 1 address 10.0.0.10 mgta-port

logging host 1 severity 7

logging log all

We now have a basically working switch, from a management perspective.  Next will be to get it passing some actual data!
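
As an added example (not part of the original post, and not IBM or Lenovo tooling), the Python check below reads a config in the form assembled above and lists the management-plane settings a reviewer would question, such as SNMP v1/v2 with a write community or the built-in admin password left unchanged. The rule IDs and function names are hypothetical, the sample config is constructed from the post's own commands, and the code assumes Telnet stays enabled until `no access telnet enable` appears and that a changed built-in admin password shows up as an `access user administrator-password` line.

```python
# Added example: audit an ISCLI config for management-plane gaps (hypothetical names).

# Constructed sample: a subset of the post's consolidated commands.
SAMPLE_CONFIG = """\
hostname NW-IBMG8124A
ntp primary-server 10.0.0.11 mgta-port
ntp enable
access user 10 name nwadmin
access user 10 level administrator
access user 10 enable
#access user administrator-password <ChangeMe>
ssh enable
no access telnet enable
snmp read-community "nw-ro"
snmp write-community "nw-rw"
snmp version v1v2v3
access snmp read-only
access snmp read-write
access https enable
logging host 1 address 10.0.0.10 mgta-port
"""

def active_lines(config):
    """Return stripped config lines, dropping blanks and '#' comments."""
    lines = (raw.strip() for raw in config.splitlines())
    return [line for line in lines if line and not line.startswith("#")]

def audit(config):
    """Return a list of finding IDs for the given config text."""
    lines = active_lines(config)

    def has(prefix):
        return any(line.startswith(prefix) for line in lines)

    checks = [
        # Assumption: Telnet stays on until this exact line is present.
        ("telnet-enabled", "no access telnet enable" not in lines),
        ("ssh-disabled", "ssh enable" not in lines),
        # Assumption: a changed built-in admin password appears as this command.
        ("builtin-admin-password-unchanged",
         not has("access user administrator-password")),
        # SNMP v1/v2c send community strings in cleartext.
        ("snmp-v1v2-enabled", has("snmp version v1v2")),
        ("snmp-write-access",
         has("snmp write-community") and "access snmp read-write" in lines),
        ("no-syslog-host", not has("logging host")),
        ("no-ntp", not (has("ntp primary-server") and "ntp enable" in lines)),
    ]
    return [name for name, failed in checks if failed]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against a saved copy of the running-config, an empty result means none of these seven checks fired; it does not cover anything outside them.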

 

Some other interesting commands:

While poking around in the (conf t) “list” command, which will show you all the command options, I found some interesting ones:

boot cli-mode ibmnos-cli

boot cli-mode iscli

boot cli-mode prompt

The ISCLI is the “Is Cisco Like”, which is why it seems familiar. The other option is IBMNOS-CLI, which is… probably painful.

 

boot configuration-block active

boot configuration-block backup

boot configuration-block factory

Here is how we can tell the switch to reset itself or boot clean. It’s not immediately clear to me how this would be better than “erase startup-config”, “reload”, but it’s there.

 

boot schedule friday hh:mm

boot schedule monday hh:mm

boot schedule saturday hh:mm

boot schedule sunday hh:mm

boot schedule thursday hh:mm

boot schedule tuesday hh:mm

boot schedule wednesday hh:mm

I can’t think of a lot of times I’ve wanted to schedule the reboot of switches on a weekly basis. Or reasons why I’d need to, on a good switch. But… maybe it’s to know that it WILL reboot when the time comes? If you reboot it weekly, then you might not be so timid to do so after the uptime is 300+ days and no one remembers if this is the switch that has startup issues?

 

interface ip-mgta address A.B.C.D A.B.C.D A.B.C.D enable

Not sure why I’d want multiple IPs on the management interface – but you can.

interface ip-mgta dhcp

In case you want to set your management IPs to DHCP. Which sounds like a fun way to have a bad day someday…

 

ldap-server backdoor

Not sure what on earth this does.

 

ldap-server domain WORD

ldap-server enable

ldap-server primary-host A.B.C.D mgta-port

ldap-server secondary-host A.B.C.D mgta-port

Need to look into what LDAP supports.

 

logging console severity <0-7>

logging console

Sets up how much is logged to the console.

 

logging host 1 address A.B.C.D mgta-port

Configures syslog via the mgta-port.

 

logging log all

Logs everything, but you can do very granular enablement.

 

radius-server backdoor

Not sure what on earth this does.

radius-server domain WORD

radius-server enable

radius-server primary-host A.B.C.D mgta-port

radius-server secondary-host A.B.C.D mgta-port

I’ll need to find the appropriate commands for both the switches as well as the RADIUS server to enable groups.

 

virt vmware dpg update WORD WORD <1-4094>

virt vmware dpg vmac WORD WORD

virt vmware dvswitch add WORD WORD WORD

virt vmware dvswitch add WORD WORD

virt vmware dvswitch addhost WORD WORD

virt vmware dvswitch adduplnk WORD WORD WORD

virt vmware dvswitch del WORD WORD

virt vmware dvswitch remhost WORD WORD

virt vmware dvswitch remuplnk WORD WORD WORD

virt vmware export WORD WORD WORD

I understood the switch was virtualization aware – but this is going to need some deeper investigation!

Categories: Hardware, Home Lab, IBM, RackSwitch
  1. Will Lewis
    March 22, 2015 at 3:36 PM

    I was looking at these switches to purchase. Are they loud? I have a Cisco Nexus 5010 10GBe SFP+, but I would like a quieter 10GBe SFP+ switch.

    • March 22, 2015 at 7:31 PM

      ‘loud’ is going to be pretty subjective. I’ve never heard a 5010 but have heard a 5548. I’m going to say these are quieter than that. But they ARE enterprise grade, datacenter switches. They make no efforts to be quiet. I tolerate them in my basement just fine.

  2. J
    September 19, 2017 at 7:38 PM

    Hi,

    Found your blog now in 2017, this is SUPER helpful info as we’re currently setting up two of these 8124E’s (although now branded as Lenovo instead of IBM), they’re the exact same model as far as I can tell.

    Quick question, with regards to DNS how do you set the port, I guess I don’t really understand the port part of this but if I wanted all regular data ports to see DNS servers outside of the switch how do you do that? The same goes for NTP.

    Here’s my conf:

    ip dns primary-server 192.168.100.1 DATA
    ip dns secondary-server 216.87.64.2 DATA

    Thanks!

    • September 19, 2017 at 8:43 PM

      You’re almost there!

      By default, the MGT port is DHCP. In fact, I’ve tried a few ways, and never been able to set a static IP on it, or configure it in the CLI and the GUI just accepts it when I hit save and then… doesn’t. Maybe a bug. So I’ve just opted to use a DHCP reservation, and called it a day. That handles how you get an IP on your MGT interface.

      From there, your commands above are right, just replace “DATA” with “MGT”. When you say “DATA” you’re saying “use the data plane” for this activity (same type of command for NTP, SysLog, etc). If you’ve set an IP on one of your VLAN’s, then DATA should work, but as I haven’t done it, I’m not sure how you might specify which VLAN/IP it should choose, preference, or order. But when you set it to “MGT”, and DHCP, it “just works”, and I was satisfied with that solution.

      Glad I could help!

  3. J
    September 20, 2017 at 12:07 PM

    Hmmm, I’m confused by the nomenclature and purpose for MGTA/MGTB. Are these ports meant to be used ad hoc for switch administration purposes and are otherwise not plugged in when not in use? I wish the documentation was clearer on its purpose.

    What I don’t understand is when I ‘show version’ it tells me there’s no IP for MGTA but then ‘show running-config’ shows an IP for interface 127 (which is MGTA) and when I ping an external host I get:

    “Connecting via MGTA port.
    [host 8.8.8.8, max tries 5, delay 1000 msec, length 0, ping source N/S, ttl 255, tos 0]
    Error: MGTA interface or port is not available.”

    Very weird.

  4. September 20, 2017 at 1:04 PM

    Typically, switch management would/should not be on any of your normal data subnets, but from a secure/management subnet/vlan. In this case, the MGT ports would be used as an out of band interface. This is especially true if you are not converging all your data onto the 10GbE, but perhaps segregating out your ISCSI/vMotion/etc traffic on these 10GbE switches, and then using 1GbE for your data/management services. In this scenario, the ONLY thing connecting the switches to your network would be the MGT port, and it would be in use full time vs ad-hoc.

    Looking back, I realize we’re talking about the G8124 and not the G8264. I no longer have the G8124’s, but if I recall the management ports were simply redundant, so you could connect them to redundant management switches, which is a nice thing.

    I had advised to use “MGT” but reviewing my notes above I use “logging host 1 address 10.0.0.10 mgta-port”, suggesting the terminology is “mgta-port” and likely “mgtb-port”. If your pings are using “mgta” vs “mgta-port” that might be why they cannot find the port.
