ICX
Revision as of 07:58, 9 October 2024
Ruckus / Brocade Switches
See Ruckus
ICX Switch Consolidation
In an effort to consolidate products, Ruckus is focusing on the ICX 7150, 7550 and 7850 series of switches. The 7250, 7450, 7650 and 7750 are being discontinued.
End of Sale:
- 7250 - Feb 2022 (end of support Dec 2027)
- 7450 - Nov 2024 (end of support Nov 2029)
- 7650 - Dec 2023 (end of support Dec 2028)
- 7750 - Dec 2023 (end of support Dec 2028)
Reference: https://support.ruckuswireless.com/documents/3631-end-of-sale-and-end-of-life-product-datelines
Connect
Connect on Linux
# apt install tio
tio -b 9600 /dev/ttyS0
tio -b 9600 /dev/ttyUSB0
# apt install minicom
minicom -b 9600 -D /dev/ttyS0
minicom -b 9600 -D /dev/ttyUSB0
Connect on Windows
Use Tera Term or PuTTY and connect to COMx with baud 9600.
CLI
Show Config
sh run
All but "show config" will need "enable"
>enable
Interface Show
Show Interfaces
sh int bri
Show specific port:
show int eth 1/1/1
Show management port:
sh int bri | begin mgmt
License
Show licenses:
sh license
L3 Premium Features
Layer 3 Premium Features and Platform Support https://docs.commscope.com/bundle/fastiron-08095-licenseguide/page/GUID-B01E798A-B196-4544-86C2-DC90AB21CD6A.html
The Layer 3 Premium license supports the following features on an ICX 7450.
- OSPFv2
- OSPFv3 (IPv6)
- VRRP
- VRRPv3 (IPv6)
- VRRP-E
- GRE
- PBR
- PIM-SM, PIM-SSM, PIM-DM
- PIM Passive
- BGP, BGP4+ (IPv6)
- VRF (IPv4 and IPv6)
- IPv6 over IPv4 Tunnels
#sh license
Unit  License Name  L3 Premium  Port Speed Upgrade  Speed  Ports  MACsec
1     l3-prem       Yes         NA                  NA     NA     No
Logs
Show logs:
sh log
Clear logs:
clear log
Sample:
Syslog logging: enabled ( 0 messages dropped, 1 flushes, 0 overruns)
    Buffer logging: level ACDMEINW, 0 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error
                I=informational N=notification W=warning
Dynamic Log Buffer (50 lines):
Jan 1 12:19:30:I:Security: SSH login by myuser from src IP 10.10.10.10 from src MAC xxxx.xxxx.xxxx to USER EXEC mode using RSA as Server Host Key.
Jan 1 00:00:57:I:STP: VLAN 1 Port 1/1/30 STP State -> FORWARDING (FwdDlyExpiry)
Jan 1 00:00:55:I:STP: VLAN 1 Port 1/1/48 STP State -> LEARNING (FwdDlyExpiry)
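The buffer lines above have a fixed shape (month, day, time, level letter, facility, message), which makes them easy to feed into a script that watches for management logins from the wrong place. The following is an added example in Python, not code from this page or from Ruckus: it parses lines in that format and reports SSH logins whose source IP is outside a management subnet. The sample lines and the subnet 10.10.10.0/24 are constructed assumptions.

```python
"""Parse FastIron 'show log' buffer lines and flag SSH logins from outside
the management network. Added example, not from the page or from Ruckus:
the sample lines and the management subnet are constructed assumptions."""
import ipaddress
import re

# Buffer line shape: "<Mon> <D> <HH:MM:SS>:<level letter>:<facility>: <message>"
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})"
    r":(?P<level>[ACDMEINW]):(?P<facility>[^:]+):\s*(?P<msg>.*)$"
)
# Security facility message written for a successful SSH login
SSH_LOGIN_RE = re.compile(
    r"SSH login by (?P<user>\S+) from src IP (?P<ip>[\d.]+) from src MAC (?P<mac>\S+)"
)
# Level letters as listed in the 'show log' header
LEVEL_NAMES = {"A": "alert", "C": "critical", "D": "debugging", "M": "emergency",
               "E": "error", "I": "informational", "N": "notification", "W": "warning"}


def parse_line(line):
    """Return a dict for one buffer line, or None for header/blank/unknown lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = LEVEL_NAMES[rec["level"]]
    return rec


def ssh_logins(lines):
    """Yield one record per successful SSH login (facility Security)."""
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["facility"] != "Security":
            continue
        m = SSH_LOGIN_RE.search(rec["msg"])
        if m:
            yield {**rec, **m.groupdict()}


def flag_logins(lines, mgmt_net):
    """(user, ip) pairs for SSH logins whose source address is outside mgmt_net."""
    net = ipaddress.ip_network(mgmt_net)
    return [(e["user"], e["ip"]) for e in ssh_logins(lines)
            if ipaddress.ip_address(e["ip"]) not in net]


# Constructed sample in the 'show log' format; 192.0.2.77 is not on the management VLAN
SAMPLE_LOG = [
    "Dynamic Log Buffer (50 lines):",
    "Jan 1 12:19:30:I:Security: SSH login by myuser from src IP 10.10.10.10 from src MAC "
    "0011.2233.4455 to USER EXEC mode using RSA as Server Host Key.",
    "Jan 1 12:21:02:I:Security: SSH login by admin from src IP 192.0.2.77 from src MAC "
    "0011.2233.aabb to USER EXEC mode using RSA as Server Host Key.",
    "Jan 1 00:00:57:I:STP: VLAN 1 Port 1/1/30 STP State -> FORWARDING (FwdDlyExpiry)",
    "Jan 1 00:00:55:I:STP: VLAN 1 Port 1/1/48 STP State -> LEARNING (FwdDlyExpiry)",
]

if __name__ == "__main__":
    for user, ip in flag_logins(SAMPLE_LOG, "10.10.10.0/24"):
        print(f"SSH login by {user} from non-management address {ip}")
```

Point it at the output of sh log (or at a syslog collector receiving the switch's messages) and alert on anything flag_logins returns; the local buffer is only 50 lines, so forward logs off the switch if you want history.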
MAC Addresses
Show collected MACs:
sh mac-addresses
Show just those local to interfaces on 1/1/*
sh mac-addresses | inc 1/1
# sh mac-a | inc 1/1/
98xx.xx.xxxx 1/1/13 Dynamic 228
98xx.xx.xxxx 1/1/13 Dynamic 228
f4xx.xx.xxxx 1/1/13 Dynamic 228
98xx.xx.xxxx 1/1/13 Dynamic 228
f4xx.xx.xxxx 1/1/14 Dynamic 300
0cxx.xx.xxxx 1/1/14 Dynamic 300
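An access port normally learns one MAC (two with a phone); a port learning many, as 1/1/13 does above, usually has an unmanaged switch or hub behind it, or is being flooded. The following is an added example in Python, not code from this page or from Ruckus: it parses a table in the format above (the fourth column is read as the VLAN), reports ports learning more MACs than a threshold, and reports MACs that appear on more than one port (spoofing or a loop). The table embedded in the block is constructed, and which ports are uplinks is an assumption you pass in.

```python
"""Audit a FastIron 'show mac-address' table: ports learning many MACs and
MACs learned on more than one port. Added example, not from the page or from
Ruckus; the table below is constructed."""
from collections import defaultdict
import re

# Data rows: "<mac> <port> <type> <vlan>"; header and blank lines do not match
ROW_RE = re.compile(
    r"^([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\w+)\s+(\d+)$", re.I
)


def parse_mac_table(text):
    """Return a list of {mac, port, type, vlan} dicts, one per data row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            mac, port, typ, vlan = m.groups()
            rows.append({"mac": mac.lower(), "port": port, "type": typ, "vlan": int(vlan)})
    return rows


def macs_per_port(rows):
    """Distinct MAC count per port."""
    per_port = defaultdict(set)
    for r in rows:
        per_port[r["port"]].add(r["mac"])
    return {p: len(s) for p, s in per_port.items()}


def busy_ports(rows, limit=2, ignore=()):
    """Ports learning more than `limit` MACs, skipping known uplink/LAG ports."""
    return sorted(p for p, n in macs_per_port(rows).items()
                  if n > limit and p not in ignore)


def flapping_macs(rows):
    """MACs learned on more than one port (a spoofed address or a loop)."""
    ports = defaultdict(set)
    for r in rows:
        ports[r["mac"]].add(r["port"])
    return sorted(m for m, ps in ports.items() if len(ps) > 1)


# Constructed sample in the 'show mac-address' layout (addresses are made up)
SAMPLE = """\
MAC-Address     Port   Type     VLAN
9812.aa11.0001  1/1/13 Dynamic  228
9812.aa11.0002  1/1/13 Dynamic  228
f4ab.cd00.0003  1/1/13 Dynamic  228
9812.aa11.0004  1/1/13 Dynamic  228
f4ab.cd00.0005  1/1/14 Dynamic  300
0c11.2233.0006  1/1/14 Dynamic  300
f4ab.cd00.0005  1/1/20 Dynamic  300
"""

if __name__ == "__main__":
    rows = parse_mac_table(SAMPLE)
    print("ports with many MACs:", busy_ports(rows))
    print("MACs on several ports:", flapping_macs(rows))
```

Pass your uplink and LAG ports in `ignore`, since those legitimately carry every MAC on the far side; the remaining hits are the ports worth walking to.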
ARP Table
Show Arp Table:
# sh arp
Total number of ARP entries: 1
Entries in default routing instance:
No.  IP Address   MAC Address     Type     Age  Port  Status
1    10.10.10.1   b4xx.xxxx.xxxx  Dynamic  1    lg01  Valid
Management IP Show
Show IP:
show ip
If using router firmware:
show ip address # or 'sh ip addr'
Pagination
>enable
to skip pagination:
skip   # or skip-page-display: disable page display mode
to page:
page   # enable page display mode
Ping
ping [IP]
POE
Enable POE:
conf t
interface eth 1/1/1
inline power
Disable POE:
conf t
interface eth 1/1/1
no inline power
Show Interface POE:
show inline power
Show Interface POE details: (and firmware version)
show inline power details
Limit POE on interface:
interface ethernet 1/1/1 to 1/1/48
inline power
inline power power-limit 25000   # limit in milliwatts (25000 = 25 W)
Reboot Switch
reload
Version
Show switch version and model and serial:
show version   # or sh ver
Example:
>sh ver
...
UNIT 1: compiled on Mar 2 2012 at 12:38:17 labeled as ICX64S07400
  (10360844 bytes) from Primary ICX64S07400.bin
    SW: Version 07.4.00T311
Boot-Monitor Image size = 512, Version:07.4.00T310 (kxz07400)
HW: Stackable ICX6450-48-HPOE
==========================================================================
UNIT 1: SL 1: ICX6450-48p POE 48-port Management Module
  Serial #: BZTXXXXXXXX
  License: BASE_SOFT_PACKAGE (LID: dbvHKIFjFox)
...
VLAN Show
Show VLANs:
show vlan
Config
Configure:
enable
configure terminal   # or conf t
Show Config:
show config   # startup (saved) configuration
sh run        # running configuration
Write Config:
write mem
Clear Config:
erase startup-config
Hostname
hostname [name]
Banner
Display banner at login: [1]
banner motd $
Enter TEXT message, End with the character '$'.
Welcome!!!
$
Interface
sh int bri
Show specific port:
show int eth 1/1/1
Show management port:
sh int bri | begin mgmt
Disable Interface
int eth 1/1/48
disable
enable
IP
Management Interface DHCP Client
DHCP IP
ip dhcp-client enable
ip dhcp-client auto-update enable
no ip dhcp-client enable
Static IP
ip address 10.10.10.104/24   # or ip address 10.10.10.104 255.255.255.0
ip default-gateway 10.10.10.1
no ip dhcp-client auto-update enable
no ip dhcp-client enable
Show IP:
show ip
Management VLAN
Designate which VLAN carries the management traffic: [2]
vlan 10 by port
management-vlan
Default is VLAN 1
SFP
GBIC
# show media
...
Port 1/3/1: Type : EMPTY
Port 1/3/2: Type : EMPTY
Port 1/3/3: Type : 1G M-TX(SFP)
Port 1/3/4: Type : EMPTY
# sh media et 1/3/3
Port 1/3/3: Type : 1G M-TX(SFP)
    Vendor: XXX               Version: D1
    Part# : SFP-1000BASE-TX   Serial#: XXX
# sh int bri
..
1/3/3  Up  Forward  Full  1G  None  No  1  0  xxxx.xxxx.xxxx
#sh int et 1/3/3
10GigabitEthernet1/3/3 is up, line protocol is up
Note: If a 1-Gbps optic transceiver is inserted, you must configure the port using the speed-duplex 1000-full-master command at the interface level. [3]
Enable port: [4]
# conf term
# int ethernet 1/3/3
# speed-duplex 1000-full-master
or short form: [5]
config t
int e 1/2/1
speed 1000-full
# sh run
...
stack unit 1
  module 1 icx7150-48pf-poe-port-management-module
  module 2 icx7150-2-copper-port-2g-module
  module 3 icx7150-4-sfp-plus-port-40g-module
  stack-port 1/3/1
  stack-port 1/3/3
!
interface ethernet 1/3/3
 speed-duplex 1000-full
!
10GE SFP+
- 10GE SR 300m (SFP+)
- 10GE USR 100m (SFP+)
Spanning Tree
Disable Spanning Tree on a specific port (loop-detection stays enabled so a cabling loop on that port is still caught):
interface ethernet 1/1/1
 loop-detection
 no spanning-tree
!
SSH
Show ssh config settings:
sh ip ssh config
> sh ip ssh config
...
SSH server             : Enabled
SSH port               : tcp\22
Host Key               : DSA 1024, RSA 1024
Encryption             : aes256-cbc, aes192-cbc, aes128-cbc, aes256-ctr, aes192-ctr, aes128-ctr, 3des-cbc
...
Authentication methods : Password, Public-key, Interactive
...
Enable SSH:
## Generate keys
crypto key generate rsa   # the switch then offers host key type ssh-rsa ("Their offer: ssh-rsa" in OpenSSH errors)
crypto key generate dsa   # the switch then offers host key type ssh-dss ("Their offer: ssh-dss")
# Add admin user (privilege 0 = super-user):
username admin pri 0 password [PASSWORD]
# enable
aaa authentication login default local
Disable SSH:
crypto key zeroize
crypto key zeroize dsa
Note: the ICX uses the very old key exchange method diffie-hellman-group1-sha1 (a 1024-bit MODP group with SHA-1), 1024-bit DSA/RSA host keys and SHA-1 host key signatures (ssh-rsa, ssh-dss). OpenSSH removed all of these from its defaults years ago, so a current client refuses to connect until they are re-enabled. Treat the switch as legacy-only management access: keep it on an isolated management VLAN rather than relying on its SSH crypto.
debug1: kex: algorithm: diffie-hellman-group1-sha1
debug1: kex: host key algorithm: ssh-rsa
# or
debug1: kex: host key algorithm: ssh-dss
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
To allow diffie-hellman-group1-sha1, add the following to ~/.ssh/config under a Host entry that matches only the switches, so the weak algorithms are not offered to every server you connect to (putting them in /etc/ssh/ssh_config applies them to every host):
# ICX SSH
KexAlgorithms +diffie-hellman-group1-sha1
HostKeyAlgorithms +ssh-dss,ssh-rsa
PubkeyAcceptedKeyTypes +ssh-dss,ssh-rsa
(On OpenSSH 8.5 and later the option is named PubkeyAcceptedAlgorithms; PubkeyAcceptedKeyTypes is still accepted as an alias.)
NOTE: If you want the switch to connect in reverse (the switch acting as SSH/SCP client to fetch firmware or push its configuration), add the same to /etc/ssh/sshd_config. KexAlgorithms and HostKeyAlgorithms cannot be placed under a Match block, so that host then offers group1 and SHA-1 signatures to every client; do this on a dedicated staging/jump host and remove the lines once the legacy switches are gone.
# Allow system to connect to Legacy ICX switches
KexAlgorithms +diffie-hellman-group1-sha1
HostKeyAlgorithms +ssh-dss,ssh-rsa
## PubkeyAcceptedKeyTypes +ssh-dss,ssh-rsa   # not needed here: the ICX has no private key option, so it authenticates to the host with a password - sadness
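Rather than enabling every legacy algorithm by hand, you can read what the switch actually offers and re-enable only that. The following is an added example in Python, not code from this page or from Ruckus: it parses sh ip ssh config output in the format shown above and the kex lines from ssh -vv, lists the legacy settings (DSA and sub-2048-bit host keys, CBC ciphers, password login), and prints a ~/.ssh/config Host stanza scoped to one switch. The sample output embedded in the block mirrors the switch output on this page but is constructed, and the host pattern 10.10.10.104 is an assumption.

```python
"""Audit FastIron 'show ip ssh config' output and OpenSSH 'ssh -vv' kex lines
for legacy crypto, then emit a per-host client stanza that re-enables only
what this switch needs. Added example, not from the page or from Ruckus; the
sample output and the host pattern are constructed."""
import re

WEAK_CIPHERS = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}
WEAK_KEX = {"diffie-hellman-group1-sha1"}   # 1024-bit group with SHA-1, dropped from OpenSSH defaults
MIN_HOSTKEY_BITS = 2048


def _as_list(v):
    return v if isinstance(v, list) else [v]


def parse_ssh_config(text):
    """'Label : value[, value]' lines -> dict; '...' continuation lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        if ":" not in line or line.strip().startswith("..."):
            continue
        key, _, val = line.partition(":")
        val = val.strip()
        cfg[key.strip()] = [v.strip() for v in val.split(",")] if "," in val else val
    return cfg


def audit(cfg):
    """Findings as strings; an empty list means nothing legacy was found."""
    findings = []
    for hk in _as_list(cfg.get("Host Key", [])):
        algo, bits = hk.split()
        if algo.upper() == "DSA":
            findings.append(f"host key {hk}: DSA (ssh-dss) is 1024-bit and SHA-1 only")
        elif int(bits) < MIN_HOSTKEY_BITS:
            findings.append(f"host key {hk}: below {MIN_HOSTKEY_BITS} bits")
    for c in _as_list(cfg.get("Encryption", [])):
        if c in WEAK_CIPHERS:
            findings.append(f"cipher {c}: CBC mode, prefer CTR/GCM")
    if "Password" in _as_list(cfg.get("Authentication methods", [])):
        findings.append("password login enabled: prefer public keys and restrict source addresses")
    return findings


def weak_kex_from_debug(lines):
    """Negotiated KEX names ('debug1: kex: algorithm: X') that are on the weak list."""
    found = []
    for line in lines:
        m = re.search(r"kex: algorithm: (\S+)", line)
        if m and m.group(1) in WEAK_KEX and m.group(1) not in found:
            found.append(m.group(1))
    return found


def client_stanza(host_pattern, cfg, debug_lines=()):
    """Minimal ~/.ssh/config Host block: only the legacy algorithms this switch needs."""
    out = [f"Host {host_pattern}"]
    kex = weak_kex_from_debug(debug_lines)
    if kex:
        out.append(f"    KexAlgorithms +{','.join(kex)}")
    hk = [{"DSA": "ssh-dss", "RSA": "ssh-rsa"}[e.split()[0].upper()]
          for e in _as_list(cfg.get("Host Key", []))]
    if hk:
        out.append(f"    HostKeyAlgorithms +{','.join(hk)}")
    if "Public-key" in _as_list(cfg.get("Authentication methods", [])):
        out.append("    PubkeyAcceptedKeyTypes +ssh-rsa")   # alias of PubkeyAcceptedAlgorithms on 8.5+
    return "\n".join(out) + "\n"


# Constructed sample: 'show ip ssh config' and 'ssh -vv' lines in the formats this page shows
SAMPLE_SHOW = """\
SSH server             : Enabled
SSH port               : tcp\\22
Host Key               : DSA 1024, RSA 1024
Encryption             : aes256-cbc, aes192-cbc, aes128-cbc, aes256-ctr, aes192-ctr, aes128-ctr, 3des-cbc
...
Authentication methods : Password, Public-key, Interactive
"""
SAMPLE_DEBUG = [
    "debug1: kex: algorithm: diffie-hellman-group1-sha1",
    "debug1: kex: host key algorithm: ssh-rsa",
    "debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none",
]

if __name__ == "__main__":
    cfg = parse_ssh_config(SAMPLE_SHOW)
    for finding in audit(cfg):
        print("WARN:", finding)
    print(client_stanza("10.10.10.104", cfg, SAMPLE_DEBUG))
```

Keep the generated stanza in ~/.ssh/config for the switch addresses only; the findings list is what you raise in the risk register for keeping these devices around.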
Public Keys
- Note: The public key file may contain up to 16 DSA or RSA public keys.
- Note: Each key in the file must be in the SSH2 (RFC 4716) format shown below, without the ssh-rsa prefix of the OpenSSH one-line form (ssh-keygen -e -f id_rsa.pub converts an OpenSSH public key to it). The 'Comment' line is optional. [6]
- Note: Use a 2048-bit key (ssh-keygen -b 2048). Larger keys cause connection failures on 6450s (probably 7150s too) with "no key from blob. pkalg ssh-rsa: invalid format". [7]
ssh-keygen -b 2048
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted from OpenSSH"
AAAAB3NaC1yc2EAAAABIwAAAQEA0pt94yJmKwPfPZnxxYSS1aVaaqWgRM79EfRXf2XUrs
834hx881MmQedye1oJrntvA8LyVUIepOdbc874i4259mtSXx+cfZW0/QeJggT/1zE82+n
w706gGqNsE+XsT12bi6KU4Al2IWULce74yfQY9/amy38ZPCesKKurH4+2m/Ba69391lp
nJ0BIQidn+I8hARUGayrOTrx/e2^kdC+2aNh6mS17KDiRyj8WBV3F5z5f5rlYBL/WoJ2beo
R3L6H6wHXP8dZ1F4IqeVxeIimkFTzMEE*r/wHCnhewetnDy3iJAgr0TXTicJ1Qpb1MCBkB
XaynjuDYSf4Kmgn8znaQ==
---- END SSH2 PUBLIC KEY ----
Copy the combined key file (up to 16 keys) to a TFTP server and have the ICX pull it, replacing any key file already loaded:
conf term
ip ssh pub-key-file tftp [TFTP_IP] [PATH/keyfile.txt]
TFTP is unauthenticated and unencrypted, so anything on the path could substitute a key: use it only from the management network and confirm the loaded keys afterwards with show ip client-pub-key.
List keys:
show ip client-pub-key
Remove pub key file:
ip ssh pub-key-file remove
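The format and size rules above are easy to get wrong by hand (a 4096-bit key or a stray ssh-rsa prefix only fails at login time). The following is an added example in Python, not code from this page or from Ruckus: it converts OpenSSH one-line public keys into the SSH2/RFC 4716 blocks FastIron expects, rejects anything that is not a 2048-bit ssh-rsa key by decoding the key blob and measuring the modulus, and enforces the 16-key limit when assembling the file for the TFTP server. The keys it builds for demonstration come from made-up moduli and are wire-format valid but useless for authentication.

```python
"""Build the SSH2 (RFC 4716) public-key file FastIron loads with
'ip ssh pub-key-file tftp ...': convert OpenSSH one-line keys, reject keys
that are not 2048-bit ssh-rsa and enforce the 16-key limit. Added example,
not from the page or from Ruckus; make_test_key() uses made-up moduli."""
import base64
import struct

MAX_KEYS = 16       # page: the public key file may hold up to 16 keys
RSA_BITS = 2048     # page: larger keys fail on ICX6450 ("pkalg ssh-rsa: invalid format")
LINE_LEN = 72       # RFC 4716 body lines are at most 72 characters


def _string(b):
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(n):
    """SSH wire 'mpint': minimal big-endian bytes, leading 0x00 if the top bit is set."""
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(blob, off):
    (ln,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + ln], off + 4 + ln


def key_info(openssh_line):
    """(algorithm, modulus bits) for 'ssh-rsa AAAA... [comment]'; bits is None for non-RSA."""
    parts = openssh_line.split()
    blob = base64.b64decode(parts[1])
    algo, off = _read_string(blob, 0)
    if algo != parts[0].encode():
        raise ValueError("key type prefix does not match the blob")
    if algo != b"ssh-rsa":
        return algo.decode(), None
    _e, off = _read_string(blob, off)          # public exponent, not needed here
    n, _ = _read_string(blob, off)
    return "ssh-rsa", int.from_bytes(n, "big").bit_length()


def to_rfc4716(openssh_line):
    """One OpenSSH line -> one SSH2 block: same base64 blob, no prefix, wrapped at 72."""
    algo, bits = key_info(openssh_line)
    if algo != "ssh-rsa" or bits != RSA_BITS:
        raise ValueError(f"need a {RSA_BITS}-bit ssh-rsa key, got {algo} {bits}")
    parts = openssh_line.split(None, 2)
    b64 = parts[1]
    comment = parts[2] if len(parts) > 2 else f"{bits}-bit RSA"
    body = "\n".join(b64[i:i + LINE_LEN] for i in range(0, len(b64), LINE_LEN))
    return ("---- BEGIN SSH2 PUBLIC KEY ----\n"
            f'Comment: "{comment}"\n'
            f"{body}\n"
            "---- END SSH2 PUBLIC KEY ----\n")


def key_problem(openssh_line):
    """None if the key can go in the file, otherwise the reason it would be rejected."""
    try:
        to_rfc4716(openssh_line)
        return None
    except ValueError as e:
        return str(e)


def build_keyfile(openssh_lines):
    """Concatenate converted keys into the file to place on the TFTP server."""
    if len(openssh_lines) > MAX_KEYS:
        raise ValueError(f"FastIron loads at most {MAX_KEYS} keys, got {len(openssh_lines)}")
    return "".join(to_rfc4716(line) for line in openssh_lines)


def make_test_key(bits, comment):
    """Constructed ssh-rsa line whose modulus has exactly `bits` bits (not a real RSA key)."""
    n = (1 << (bits - 1)) | 0x10001_2345
    blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    print(build_keyfile([make_test_key(2048, "ops-laptop"), make_test_key(2048, "jump-host")]))
```

Feed build_keyfile the lines from your users' id_rsa.pub files; key_problem tells you which ones to send back before anything reaches the switch.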
Neighbour Detection
Neighbour Detection [8]
These protocols announce model, software version and management address to whatever is attached to the link, so run them on infrastructure ports and consider disabling them on user-facing ports.
Link Layer Discovery Protocol (LLDP) - vendor-agnostic link layer protocol to advertise device capabilities and directly connected neighbours on the network.
lldp run
show lldp neighbors
Foundry Discovery Protocol (FDP) - Foundry/Brocade-specific link layer protocol to advertise device capabilities and directly connected neighbours on the network.
fdp run
show fdp neighbors
Cisco Discovery Protocol (CDP) - Cisco-specific link layer protocol to advertise device capabilities and directly connected neighbours on the network.
cdp run
show cdp neighbors
VLAN
Show VLANs:
show vlan
Clear VLAN:
no vlan [#]
Simple VLAN
vlan 100 name MyVLAN by port
 tagged e 1/2/1
 untagged e 1/1/1 to 1/1/48
!
LAG
Simple LAG with VLAN:
lag LAG1 dynamic id 1
 ports ethe 1/1/47 to 1/1/48
!
vlan 3200 name MyVLAN by port
 tagged lag 1
 untagged e 1/1/1 to 1/1/46
!
Static vs dynamic:
lag LAG1 dynamic id 1
lag LAG1 static id 1
Show lag:
sh lag
sh lag id 1
Name ports:
lag LAG1
 port-name UPLINK-A ethernet 1/1/47
 port-name UPLINK-B ethernet 1/1/48
Disable one port:
lag LAG1
 disable e 1/1/48
lag LAG1
 enable e 1/1/48
Remove a port:
lag LAG1
 no ports e 1/1/47
Time
Daylight Saving (Summer Time) [9]
clock summer-time zone us pacific start 03-14-21 02:00:00 end 11-07-21 02:00:00 offset 60
Note: The command takes fixed dates, so it has to be updated every year. US rules since 2007: DST starts on the second Sunday in March and ends on the first Sunday in November (14 March and 7 November in 2021), at 02:00 local time with a 60-minute offset.
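Because the switch only accepts fixed dates, the yearly update is a good candidate for a script. The following is an added example in Python, not code from this page or from Ruckus: it computes the US start and end dates for any year from 2007 on (which goes beyond the single year above) and prints the clock summer-time line in the form shown on this page, and it includes a check you can run from monitoring to warn before the configured end date expires. The zone keyword and offset are taken from the page's command; everything else is an assumption.

```python
"""Generate the yearly FastIron 'clock summer-time' line under US rules
(second Sunday in March to first Sunday in November, 02:00 local, +60 min)
and check whether a configured line has expired. Added example, not from the
page or from Ruckus; the command form follows the line shown on this page."""
import datetime as dt


def nth_sunday(year, month, n):
    """Date of the n-th Sunday of the given month."""
    first = dt.date(year, month, 1)
    offset = (6 - first.weekday()) % 7          # weekday(): Monday=0 ... Sunday=6
    return first + dt.timedelta(days=offset + 7 * (n - 1))


def us_dst_bounds(year):
    """(start, end) dates under the rules in force in the US since 2007."""
    if year < 2007:
        raise ValueError("pre-2007 rules differ (first Sunday April / last Sunday October)")
    return nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)


def summer_time_command(year, zone="us pacific", offset_min=60):
    """The FastIron line for one year, dates as MM-DD-YY like the page's example."""
    start, end = us_dst_bounds(year)
    fmt = "%m-%d-%y"
    return (f"clock summer-time zone {zone} start {start.strftime(fmt)} 02:00:00 "
            f"end {end.strftime(fmt)} 02:00:00 offset {offset_min}")


def is_current(command, today=None):
    """True while the configured end date has not passed; `today` may be a date or ISO string."""
    if today is None:
        today = dt.date.today()
    elif isinstance(today, str):
        today = dt.date.fromisoformat(today)
    end_txt = command.split(" end ")[1].split()[0]
    return dt.datetime.strptime(end_txt, "%m-%d-%y").date() >= today


if __name__ == "__main__":
    year = dt.date.today().year
    print(summer_time_command(year))
    print("current:", is_current(summer_time_command(year)))
```

Run is_current against the line in sh run (a few weeks before the end date) and you get the reminder the switch itself never gives you.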
Users
Add Users:
username admin password [PASSWORD]
no username admin
username myuser privilege [LEVEL] password [PASSWORD] # LEVEL: <0 READ-WRITE, 4 PORT-CONFIG, 5 READ-ONLY> User privilege level
Require Login:
aaa authentication web-server default local
aaa authentication login default local
Configure separate enable privilege passwords:
enable super-user-password [PASSWORD]
enable port-config-password [PASSWORD]
enable read-only-password [PASSWORD]
no enable super-user-password
Enter enable mode:
enable
Show who logged in as:
sh who
Privilege Levels
Three privilege levels:
- enable super-user-password [PASSWORD] - Super-user level password
- enable port-config-password [PASSWORD] - Port level configuration password
- enable read-only-password [PASSWORD] - Read-only level password
- Super User level - Allows complete read-and-write access to the system. This is generally for system administrators and is the only management privilege level that allows you to configure passwords.
- Port Configuration level - Allows read-and-write access for specific ports but not for global (system-wide) parameters.
- Read-only level - Allows access to the Privileged EXEC mode and User EXEC mode of the CLI but only with read access.
Authentication, Authorization, and Accounting
Authentication, Authorization, and Accounting (AAA) is a security framework that controls access to computer resources, enforces policies, and audits usage.
- Authentication - confirm users are who they claim they are (username/password)
- Authorization - granted privileges to authorized user
- Accounting - tracking user activity
Sample config (TACACS+ first; the local database is used only when no TACACS+ server responds, so keep one strong local account for that case):
aaa authentication web-server default local
aaa authentication login default tacacs+ local
aaa authentication login privilege-mode
aaa authorization exec default tacacs+
aaa accounting exec default start-stop tacacs+
AAA Protocols:
- Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that authorizes and authenticates users who access a remote network
- Terminal Access Controller Access Control System Plus (TACACS+) - a remote authentication AAA protocol that lets a remote access server communicate with an authentication server for user validation
- Diameter - evolved from the RADIUS protocol
Firmware
Firmware Versions
ICX FastIron Stable series:
08.0.95p  2024-06-27
08.0.95n  2024-01-31  *** recommended stable ***
08.0.95m  2023-08-24
08.0.95k  2023-06-16
08.0.95j  2023-06-16
08.0.95h  2022-09-02
...
08.0.95   2020-09-14
...
08.0.90d  2019-09-27  *** used as jump to ufi ***
https://support.ruckuswireless.com/software/1186-ruckus-icx-7xxx-icx-6xxxx-campus-switch-firmware-download
https://support.ruckuswireless.com/products/108-ruckus-icx-7150-campus-switches?open=document#firmwares
https://support.ruckuswireless.com/products/108-ruckus-icx-7150-campus-switches
Recommended Software (as of 2024.07.08): Stability Release: RUCKUS ICX FastIron 08.0.95n (GA) Software Release (.zip)
"Ruckus ICX software currently has two recommended release types; Stability and Technology.
Stability Release: This is for customers where stability is of utmost importance. This release may not contain every feature available for your product.
Technology Release: This is for customers looking to utilize the maximum feature set available for your product.
We recommend most customers utilize the Stability Release if it contains all needed features for your network. A Technology Release is recommended if your network requires newer features not available in the Stability Release."
08.0.95n
RUCKUS ICX FastIron 08.0.95n (GA) Software Release (.zip) https://support.ruckuswireless.com/software/3958-ruckus-icx-fastiron-08-0-95n-ga-software-release-zip
Applies to: ICX7150, ICX7250, ICX7450, ICX7550, ICX7650, ICX7750, ICX7850
08.0.95m
RUCKUS ICX FastIron 08.0.95m (GA) Software Release (.zip) https://support.ruckuswireless.com/software/3749-ruckus-icx-fastiron-08-0-95m-ga-software-release-zip
Applies to: ICX7150, ICX7250, ICX7450, ICX7550, ICX7650, ICX7750, ICX7850
Select Boot Slot
Show boot configuration:
ICX7450# sh boot-preference
Boot system preference(Configured):
        Use Default
Boot system preference(Default):
        Boot system flash primary
        Boot system flash secondary
Select second boot slot (in configure terminal; it is saved as "boot sys fl sec" and takes effect on the next reload):
ICX7450(config)# boot system flash secondary
Show boot configuration after change:
ICX7450# sh boot-preference
Boot system preference(Configured):
        Boot system flash secondary
Boot system preference(Default):
        Boot system flash primary
        Boot system flash secondary
Show configuration:
ICX7450# sh run
Current configuration:
!
...
!
boot sys fl sec
Reset Password
As the switch boots, press 'b' when you see the following prompt:
Enter 'b' to stop at boot monitor:
then type "no password":
no password
then type "boot" to continue booting:
boot   # or boot_primary
Then change the password:
enable
conf t
Password recovery needs only console access, so anyone who can reach the serial port owns the switch: keep it in a locked rack and treat console cables like credentials.
References
[1] https://docs.commscope.com/bundle/fastiron-08095-managementguide/page/GUID-5A14B1C5-DD1A-40E3-A371-6C7A0407D796.html
[2] https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-61483D35-3F95-43FB-8092-33C14E0D188D.html
[3] https://docs.commscope.com/bundle/icx7150-installguide/page/GUID-B346251F-DFCC-4441-B047-6E3A3E88839C.html
[4] https://docs.commscope.com/bundle/icx7150-installguide/page/GUID-B346251F-DFCC-4441-B047-6E3A3E88839C.html
[5] https://community.ruckuswireless.com/t5/ICX-Switches/Configuring-SFP-port-on-7150-C08p/td-p/27124
[6] https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-E00DB049-9D65-4438-A64F-A947648A70AE.html
[7] https://apple.stackexchange.com/questions/356323/ssh-fails-with-ssh-dispatch-run-fatal-invalid-format
[8] https://support.purdi.com/hc/en-gb/articles/360021220292-Ruckus-ICX-Neighbour-Detection-using-LLDP-CDP-FDP
[9] https://docs.commscope.com/bundle/fastiron-08091-managementguide/page/GUID-E670EE11-FBD6-4D1E-9099-6E231887D245.html