ICX: Difference between revisions

From Omnia
= Ruckus / Brocade Switches =


See [[Ruckus]]

= ICX Switch Consolidation =

In an effort to consolidate its product line, Ruckus is focusing on the ICX 7150, 7550 and 7850 series of switches. The 7250, 7450, 7650 and 7750 are being discontinued.

End of Sale:
* 7250 - Feb 2022 (end of support Dec 2027)
* 7450 - Nov 2024 (end of support Nov 2029)
* 7650 - Dec 2023 (end of support Dec 2028)
* 7750 - Dec 2023 (end of support Dec 2028)

Reference: https://support.ruckuswireless.com/documents/3631-end-of-sale-and-end-of-life-product-datelines

= Connect =


== Connect on Linux ==

<pre>
# apt install tio
tio -b 9600 /dev/ttyS0
tio -b 9600 /dev/ttyUSB0

# apt install minicom
minicom -b 9600 -D /dev/ttyS0
minicom -b 9600 -D /dev/ttyUSB0
</pre>
 
== Connect on Windows ==
 
Use Tera Term or PuTTY and connect to the switch's COM port (COMx) at 9600 baud.
 
= CLI =
 
Show config:
<pre>
sh run
</pre>

All commands except "show config" require privileged mode; enter it with "enable":
<pre>
>enable
</pre>

== Interface Show ==

Show interfaces:
<pre>
sh int bri
</pre>

Show a specific port:
<pre>
show int eth 1/1/1
</pre>

Show the management port:
<pre>
sh int bri | begin mgmt
</pre>
 
== License ==
 
Show licenses:
<pre>
sh license
</pre>

=== L3 Premium Features ===

Layer 3 Premium Features and Platform Support:
https://docs.commscope.com/bundle/fastiron-08095-licenseguide/page/GUID-B01E798A-B196-4544-86C2-DC90AB21CD6A.html

The Layer 3 Premium license supports the following features on an ICX 7450:

* OSPFv2
* OSPFv3 (IPv6)
* VRRP
* VRRPv3 (IPv6)
* VRRP-E
* GRE
* PBR
* PIM-SM, PIM-SSM, PIM-DM
* PIM Passive
* BGP, BGP4+ (IPv6)
* VRF (IPv4 and IPv6)
* IPv6 over IPv4 Tunnels
 
<pre>
#sh license
Unit  License Name    L3 Premium  Port Speed Upgrade  Speed  Ports  MACsec
1     l3-prem         Yes         NA                  NA     NA     No
</pre>
 
== Logs ==
 
Show logs:
<pre>
sh log
</pre>

Clear logs:
<pre>
clear log
</pre>
 
Sample:
<pre>
Syslog logging: enabled ( 0 messages dropped, 1 flushes, 0 overruns)
    Buffer logging: level ACDMEINW, 0 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error
                I=informational N=notification W=warning
 
Dynamic Log Buffer (50 lines):
Jan  1 12:19:30:I:Security: SSH login by myuser from src IP 10.10.10.10 from src MAC xxxx.xxxx.xxxx to USER EXEC mode using RSA as Server Host Key.
Jan  1 00:00:57:I:STP: VLAN 1 Port 1/1/30 STP State -> FORWARDING (FwdDlyExpiry)
Jan  1 00:00:55:I:STP: VLAN 1 Port 1/1/48 STP State -> LEARNING (FwdDlyExpiry)
</pre>
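The buffer entries above can be turned into structured events for review. As an added example (not from the original page), this Python decodes the severity letter using the level-code legend shown above, pulls the user and source IP out of the Security facility SSH login lines, and flags logins from outside an assumed management network. The sample log is constructed from the lines above with placeholder addresses.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Severity letters exactly as the "level code" legend in "sh log" prints them.
LEVEL_CODES = {
    "A": "alert", "C": "critical", "D": "debugging", "M": "emergency",
    "E": "error", "I": "informational", "N": "notification", "W": "warning",
}

# Constructed sample modelled on the "sh log" output above; users and addresses are placeholders.
SAMPLE_LOG = """\
Dynamic Log Buffer (50 lines):
Jan  1 12:19:30:I:Security: SSH login by myuser from src IP 10.10.10.10 from src MAC xxxx.xxxx.xxxx to USER EXEC mode using RSA as Server Host Key.
Jan  1 12:20:05:I:Security: SSH login by admin from src IP 10.10.10.11 from src MAC xxxx.xxxx.xxxx to PRIVILEGED EXEC mode using RSA as Server Host Key.
Jan  1 00:00:57:I:STP: VLAN 1 Port 1/1/30 STP State -> FORWARDING (FwdDlyExpiry)
Jan  1 00:00:55:I:STP: VLAN 1 Port 1/1/48 STP State -> LEARNING (FwdDlyExpiry)
"""

# Buffer entries look like "Mon dd hh:mm:ss:<level letter>:<facility>: <message>".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}):"
    r"(?P<level>[ACDMEINW]):(?P<facility>[^:]+): ?(?P<msg>.*)$"
)
SSH_LOGIN_RE = re.compile(
    r"SSH login by (?P<user>\S+) from src IP (?P<ip>\S+) from src MAC (?P<mac>\S+) to (?P<mode>.+?) mode"
)


@dataclass
class LogEntry:
    timestamp: str
    level: str      # decoded severity name, e.g. "informational"
    facility: str   # "Security", "STP", ...
    message: str


def parse_log(text: str) -> List[LogEntry]:
    """Parse the dynamic log buffer; header lines that do not match the entry format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(LogEntry(m["ts"], LEVEL_CODES[m["level"]], m["facility"], m["msg"]))
    return entries


def ssh_logins(entries: List[LogEntry]) -> List[Dict[str, str]]:
    """Extract user, source IP, source MAC and EXEC mode from Security facility SSH login events."""
    logins = []
    for e in entries:
        if e.facility != "Security":
            continue
        m = SSH_LOGIN_RE.search(e.message)
        if m:
            logins.append({"time": e.timestamp, **m.groupdict()})
    return logins


def logins_outside_allowlist(entries: List[LogEntry], allowed_networks: List[str]) -> List[Dict[str, str]]:
    """Return SSH logins whose source IP is not inside any of the allowed management networks."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    flagged = []
    for login in ssh_logins(entries):
        try:
            addr = ipaddress.ip_address(login["ip"])
        except ValueError:
            flagged.append(login)   # unparsable source: surface it rather than silently drop it
            continue
        if not any(addr in net for net in nets):
            flagged.append(login)
    return flagged
```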
 
== MAC Addresses ==
 
Show the learned MAC addresses:
<pre>
sh mac-addresses
</pre>

Show only those learned on interfaces 1/1/*:
<pre>
sh mac-addresses | inc 1/1
</pre>
 
<pre>
# sh mac-a | inc 1/1/
98xx.xx.xxxx  1/1/13              Dynamic      228
98xx.xx.xxxx  1/1/13              Dynamic      228
f4xx.xx.xxxx  1/1/13              Dynamic      228
98xx.xx.xxxx  1/1/13              Dynamic      228
f4xx.xx.xxxx  1/1/14              Dynamic      300
0cxx.xx.xxxx  1/1/14              Dynamic      300
</pre>
 
=== ARP Table ===
 
Show ARP table:
<pre>
# sh arp
Total number of ARP entries: 1
Entries in default routing instance:
No.  IP Address      MAC Address    Type    Age Port              Status
1    10.10.10.1    b4xx.xxxx.xxxx Dynamic  1    lg01              Valid
</pre>
 
== Management IP Show ==
 
Show IP:
<pre>
show ip
</pre>

If using router firmware:
<pre>
show ip address  # or 'sh ip addr'
</pre>
 
== Pagination ==
 
Requires enable mode:
<pre>
>enable
</pre>

To skip pagination:
<pre>
skip
# or skip-page-display
  Disable page display mode
</pre>

To page:
<pre>
page
  Enable page display mode
</pre>
 
== Ping ==
 
<pre>
ping [IP]
</pre>
 
== POE ==
 
Enable PoE on a port:
<pre>
conf t
  interface eth 1/1/1
  inline power
</pre>

Disable PoE:
<pre>
conf t
  interface eth 1/1/1
  no inline power
</pre>

Show interface PoE:
<pre>
show inline power
</pre>

Show interface PoE details (including the PoE firmware version):
<pre>
show inline power details
</pre>

Limit PoE power on a range of interfaces (power-limit is in milliwatts):
<pre>
int ethernet 1/1/1 to 1/1/48
  inline power
  inline power power-limit 25000
</pre>
 
== Reboot Switch ==
 
<pre>
reload
</pre>
 
== Version ==
 
Show switch version, model and serial number:
<pre>
show version
sh ver
</pre>
 
Example:
<pre>
>sh ver
...
    UNIT 1: compiled on Mar  2 2012 at 12:38:17 labeled as ICX64S07400
                (10360844 bytes) from Primary ICX64S07400.bin
        SW: Version 07.4.00T311
  Boot-Monitor Image size = 512, Version:07.4.00T310 (kxz07400)
  HW: Stackable ICX6450-48-HPOE
==========================================================================
UNIT 1: SL 1: ICX6450-48p POE 48-port Management Module
        Serial  #: BZTXXXXXXXX
        License: BASE_SOFT_PACKAGE  (LID: dbvHKIFjFox)
...
</pre>
 
== VLAN Show ==
 
Show VLANs:
<pre>
show vlan
</pre>
 
= Config =
 
Enter configuration mode:
<pre>
enable
configure terminal
# or conf t
</pre>

Show config:
<pre>
show config
sh run
</pre>

Write config:
<pre>
write mem
</pre>

Clear config:
<pre>
erase startup-config
</pre>
 
== Hostname ==
 
<pre>
hostname [name]
</pre>
 
== Banner ==
 
Display a banner at login: <ref>https://docs.commscope.com/bundle/fastiron-08095-managementguide/page/GUID-5A14B1C5-DD1A-40E3-A371-6C7A0407D796.html</ref>
<pre>
banner motd $
  Enter TEXT message, End with the character '$'.
  Welcome!!! $
</pre>
 
== Interface ==
 
<pre>
sh int bri
</pre>

Show a specific port:
<pre>
show int eth 1/1/1
</pre>

Show the management port:
<pre>
sh int bri | begin mgmt
</pre>

Disable (or re-enable) an interface:
<pre>
int eth 1/1/48
  disable
  enable
</pre>
 
 
== IP ==
 
Management interface DHCP client.

=== DHCP IP ===
<pre>
ip dhcp-client enable
ip dhcp-client auto-update enable
no ip dhcp-client enable
</pre>

=== Static IP ===
<pre>
ip address 10.10.10.104/24
# or
ip address 10.10.10.104 255.255.255.0

ip default-gateway 10.10.10.1
no ip dhcp-client auto-update enable
no ip dhcp-client enable
</pre>

Show IP:
<pre>
show ip
</pre>
 
=== Management VLAN ===
 
Designate which VLAN carries the management traffic: <ref>https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-61483D35-3F95-43FB-8092-33C14E0D188D.html</ref>
<pre>
vlan 10 by port
  management-vlan
</pre>

The default is VLAN 1.
 
== SFP ==
 
Show installed transceivers (SFP / GBIC):
 
<pre>
# show media
...
Port 1/3/1:  Type  : EMPTY
Port 1/3/2:  Type  : EMPTY
Port 1/3/3:  Type  : 1G M-TX(SFP)
Port 1/3/4:  Type  : EMPTY
</pre>
 
<pre>
# sh media et 1/3/3
Port  1/3/3: Type  : 1G M-TX(SFP)
            Vendor: XXX    Version: D1
            Part# : SFP-1000BASE-TX    Serial#: XXX
</pre>
 
<pre>
# sh int bri
..
1/3/3      Up      Forward Full 1G    None  No  1    0  xxxx.xxxx.xxxx
</pre>

<pre>
#sh int et 1/3/3
10GigabitEthernet1/3/3 is up, line protocol is up
</pre>
 
Note: If a 1-Gbps optic transceiver is inserted, you must configure the port using the ''speed-duplex 1000-full-master'' command at the interface level. <ref>https://docs.commscope.com/bundle/icx7150-installguide/page/GUID-B346251F-DFCC-4441-B047-6E3A3E88839C.html</ref>
 
Enable port: <ref>https://docs.commscope.com/bundle/icx7150-installguide/page/GUID-B346251F-DFCC-4441-B047-6E3A3E88839C.html</ref>
<pre>
# conf term
# int ethernet 1/3/3
# speed-duplex 1000-full-master
</pre>
 
or short form: <ref>https://community.ruckuswireless.com/t5/ICX-Switches/Configuring-SFP-port-on-7150-C08p/td-p/27124</ref>
<pre>
config t
int e 1/2/1
speed 1000-full
</pre>
 
<pre>
# sh run
...
stack unit 1
  module 1 icx7150-48pf-poe-port-management-module
  module 2 icx7150-2-copper-port-2g-module
  module 3 icx7150-4-sfp-plus-port-40g-module
  stack-port 1/3/1
  stack-port 1/3/3
!
interface ethernet 1/3/3
speed-duplex 1000-full
!
</pre>
 
=== 10GE SFP+ ===
 
* 10GE SR 300m (SFP+)
* 10GE USR 100m (SFP+)
 
== Spanning Tree ==
 
Disable spanning tree on a specific port (and enable loop detection on it instead):
<pre>
interface ethernet 1/1/1
loop-detection
no spanning-tree
!
</pre>
 
== SSH ==
 
Show SSH config settings:
<pre>
sh ip ssh config
</pre>
 
<pre>
> sh ip ssh config
...
SSH server                : Enabled
SSH port                  : tcp\22
Host Key                  : DSA 1024,  RSA 1024
Encryption                : aes256-cbc, aes192-cbc, aes128-cbc, aes256-ctr, aes192-ctr, aes128-ctr, 3des-cbc
...
Authentication methods    : Password, Public-key, Interactive
...
</pre>
 
Enable SSH:
<pre>
## Generate keys
crypto key generate rsa
  # ^ Their offer: ssh-rsa
crypto key generate dsa
  # ^ Their offer: ssh-dss
# Add admin user:
username admin pri 0 password [PASSWORD]
# enable local login authentication
aaa authentication login default local
</pre>

Disable SSH:
<pre>
crypto key zeroize
crypto key zeroize dsa
</pre>

Note: the ICX uses the very old key exchange method 'diffie-hellman-group1-sha1', as seen in ssh -v output:
<pre>
debug1: kex: algorithm: diffie-hellman-group1-sha1
debug1: kex: host key algorithm: ssh-rsa
# or
debug1: kex: host key algorithm: ssh-dss
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
</pre>

To allow diffie-hellman-group1-sha1, edit either ~/.ssh/config (per host) or /etc/ssh/ssh_config and add the following (ideally inside a Host block that matches only the switches, so the legacy algorithms are not offered to every server):
<pre>
# ICX SSH
KexAlgorithms +diffie-hellman-group1-sha1
HostKeyAlgorithms +ssh-dss,ssh-rsa
# for ssh key to icx
PubkeyAcceptedKeyTypes +ssh-dss,ssh-rsa
</pre>

----

NOTE: If you want the switch to connect in the reverse direction (to the host) to do firmware updates, add the same to /etc/ssh/sshd_config:
<pre>
# Allow system to connect to Legacy ICX switches
KexAlgorithms +diffie-hellman-group1-sha1
HostKeyAlgorithms +ssh-dss,ssh-rsa
## PubkeyAcceptedKeyTypes +ssh-dss,ssh-rsa # icx doesn't have a private key option - sadness
</pre>
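As an added example (not from the original page), the following Python audits a captured "sh ip ssh config" block for the weak settings visible above: DSA host keys, short RSA host keys, CBC-mode ciphers including 3des-cbc, and password login left enabled next to public-key. The sample text is constructed from the output shown above.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the "sh ip ssh config" output above (raw string, so "tcp\22" stays literal).
SAMPLE_SSH_CONFIG = r"""
SSH server                : Enabled
SSH port                  : tcp\22
Host Key                  : DSA 1024,  RSA 1024
Encryption                : aes256-cbc, aes192-cbc, aes128-cbc, aes256-ctr, aes192-ctr, aes128-ctr, 3des-cbc
Authentication methods    : Password, Public-key, Interactive
"""


def parse_ssh_config(text: str) -> Dict[str, str]:
    """Turn the 'Field  : value' lines into a dict; lines without a colon (such as '...') are ignored."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def audit_ssh_config(fields: Dict[str, str], min_rsa_bits: int = 2048) -> List[str]:
    """Report the weak settings a defender would want changed before exposing the management plane."""
    findings = []
    for alg, bits in re.findall(r"(DSA|RSA) (\d+)", fields.get("Host Key", "")):
        if alg == "DSA":
            findings.append("DSA host key present (ssh-dss is refused by default by OpenSSH 7.0 and later)")
        elif int(bits) < min_rsa_bits:
            findings.append(f"RSA host key is {bits} bits, below {min_rsa_bits}")
    ciphers = [c.strip() for c in fields.get("Encryption", "").split(",") if c.strip()]
    weak = [c for c in ciphers if c.endswith("-cbc")]       # catches aes*-cbc and 3des-cbc
    if weak:
        findings.append("CBC-mode ciphers offered: " + ", ".join(weak))
    methods = [m.strip() for m in fields.get("Authentication methods", "").split(",")]
    if "Password" in methods and "Public-key" in methods:
        findings.append("password login still accepted alongside public-key authentication")
    return findings
```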
 
=== Public Keys ===
 
* Note: The public key file may contain up to 16 DSA or RSA key pairs.
* Note: Each key in the public key file must be in exactly this format (remove the ssh-rsa prefix; the 'Comment' line is optional): <ref>https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-E00DB049-9D65-4438-A64F-A947648A70AE.html</ref>
* Note: Use a 2048 bit key (ssh-keygen -b 2048). A larger key causes connection problems on 6450s (probably 7150s too): "no key from blob. pkalg ssh-rsa: invalid format". <ref>https://apple.stackexchange.com/questions/356323/ssh-fails-with-ssh-dispatch-run-fatal-invalid-format</ref>
<pre>
ssh-keygen -b 2048
</pre>
 
<pre>
---- BEGIN SSH2 PUBLIC KEY ----
Comment:  "2048-bit RSA, converted from OpenSSH"
AAAAB3NaC1yc2EAAAABIwAAAQEA0pt94yJmKwPfPZnxxYSS1aVaaqWgRM79EfRXf2XUrs
834hx881MmQedye1oJrntvA8LyVUIepOdbc874i4259mtSXx+cfZW0/QeJggT/1zE82+n
w706gGqNsE+XsT12bi6KU4Al2IWULce74yfQY9/amy38ZPCesKKurH4+2m/Ba69391lp
nJ0BIQidn+I8hARUGayrOTrx/e2^kdC+2aNh6mS17KDiRyj8WBV3F5z5f5rlYBL/WoJ2beo
R3L6H6wHXP8dZ1F4IqeVxeIimkFTzMEE*r/wHCnhewetnDy3iJAgr0TXTicJ1Qpb1MCBkB
XaynjuDYSf4Kmgn8znaQ==
---- END SSH2 PUBLIC KEY ----
</pre>
 
Copy the combined key file (up to 16 keys) to a TFTP server, then have the ICX pull it and replace the current key file with:
<pre>
conf term
  ip ssh pub-key-file tftp [TFTP_IP] [PATH/keyfile.txt]
</pre>

List keys:
<pre>
show ip client-pub-key
</pre>

Remove the public key file:
<pre>
ip ssh pub-key-file remove
</pre>
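As an added example (not from the original page), the following Python converts OpenSSH one-line ssh-rsa public keys into the SSH2 public key layout shown above and enforces the two notes: keys over 2048 bits are rejected and at most 16 keys go into the file. The openssh_rsa_line helper only exists so a sample key can be constructed offline; real keys come from ssh-keygen, and DSA keys are not handled here.

```python
import base64
import struct
from typing import List, Tuple


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(n: int) -> bytes:
    """SSH wire-format mpint: big-endian, with a leading 0x00 when the top bit would be set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(blob: bytes, pos: int) -> Tuple[bytes, int]:
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + length], pos + 4 + length


def openssh_rsa_line(e: int, n: int, comment: str) -> str:
    """Build an OpenSSH one-line 'ssh-rsa AAAA... comment' key from its numbers (used to construct test input)."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode('ascii')} {comment}"


def parse_openssh_line(line: str) -> dict:
    """Decode an OpenSSH ssh-rsa public key line: returns e, n, the modulus size in bits and the base64 blob."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected an 'ssh-rsa <base64> [comment]' line")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, pos = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key blob type does not match the ssh-rsa prefix")
    e_bytes, pos = _read_string(blob, pos)
    n_bytes, pos = _read_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing bytes after the modulus")
    n = int.from_bytes(n_bytes, "big")
    return {"e": int.from_bytes(e_bytes, "big"), "n": n, "bits": n.bit_length(), "b64": parts[1]}


def key_problems(line: str, max_bits: int = 2048) -> List[str]:
    """Checks from the notes above: the line must parse, and keys larger than 2048 bits are rejected by the ICX."""
    try:
        key = parse_openssh_line(line)
    except (ValueError, struct.error) as exc:
        return [f"unparsable key: {exc}"]
    if key["bits"] > max_bits:
        return [f"{key['bits']}-bit modulus exceeds {max_bits} bits (fails with 'no key from blob' on ICX 6450)"]
    return []


def to_rfc4716(line: str) -> str:
    """Re-wrap one key in the SSH2 public key format the ICX expects (same layout as ssh-keygen -e)."""
    problems = key_problems(line)
    if problems:
        raise ValueError("; ".join(problems))
    key = parse_openssh_line(line)
    body = [key["b64"][i:i + 70] for i in range(0, len(key["b64"]), 70)]   # 70-column base64 lines
    return "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----",
                      f'Comment: "{key["bits"]}-bit RSA, converted from OpenSSH"',
                      *body,
                      "---- END SSH2 PUBLIC KEY ----"])


def build_keyfile(lines: List[str], max_keys: int = 16) -> str:
    """Concatenate up to 16 converted keys into the single file the switch pulls over TFTP."""
    if len(lines) > max_keys:
        raise ValueError(f"the ICX public key file holds at most {max_keys} keys, got {len(lines)}")
    return "\n".join(to_rfc4716(line) for line in lines) + "\n"
```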
 
== Neighbour Detection ==
 
Neighbour Detection <ref>https://support.purdi.com/hc/en-gb/articles/360021220292-Ruckus-ICX-Neighbour-Detection-using-LLDP-CDP-FDP</ref>
 
'''Link Layer Discovery Protocol (LLDP)''' - Vendor-agnostic link layer protocol to advertise device capabilities and directly connected neighbours on the network.
<pre>
lldp run
show lldp neighbors
</pre>

'''Foundry Discovery Protocol (FDP)''' - Foundry/Brocade-specific link layer protocol to advertise device capabilities and directly connected neighbours on the network.
<pre>
fdp run
show fdp neighbors
</pre>

'''Cisco Discovery Protocol (CDP)''' - Cisco-specific link layer protocol to advertise device capabilities and directly connected neighbours on the network.
<pre>
cdp run
show cdp neighbors
</pre>
 
== VLAN ==
 
Show VLANs:
<pre>
show vlan
</pre>

Clear a VLAN:
<pre>
no vlan [#]
</pre>

Simple VLAN:
<pre>
vlan 100 name MyVLAN by port
  tagged e 1/2/1
  untagged e 1/1/1 to 1/1/48
!
</pre>
 
== LAG ==
 
Simple LAG with VLAN:
<pre>
lag LAG1 dynamic id 1
  ports ethe 1/1/47 to 1/1/48
!
vlan 3200 name MyVLAN by port
  tagged lag 1
  untagged e 1/1/1 to 1/1/46
!
</pre>

Static vs dynamic (LACP):
<pre>
lag LAG1 dynamic id 1

lag LAG1 static id 1
</pre>

Show LAG:
<pre>
sh lag
sh lag id 1
</pre>

Name ports:
<pre>
lag LAG1
  port-name UPLINK-A ethernet 1/1/47
  port-name UPLINK-B ethernet 1/1/48
</pre>

Disable one port (and re-enable it):
<pre>
lag LAG1
  disable e 1/1/48

lag LAG1
  enable e 1/1/48
</pre>

Remove a port:
<pre>
lag LAG1
  no ports e 1/1/47
</pre>
 
== Time ==
 
Timezone:
<pre>
clock summer-time
clock timezone us Pacific
clock timezone us mountain
</pre>

Show the clock:
<pre>
sh clock
sh clock detail
</pre>

NTP client:
<pre>
ntp
  server 10.x.x.1
  server 10.x.x.2

  server 0.pool.ntp.org minpoll 10 burst
  server 1.pool.ntp.org minpoll 10 burst
</pre>

Show NTP status: <ref>https://docs.commscope.com/bundle/fastiron-08095-managementguide/page/GUID-98F32DCC-B4D7-4531-BC58-42F47C984868.html</ref>
<pre>
show ntp status
show ntp associations
</pre>

Disable NTP client:
<pre>
ntp
  disable
</pre>

Enable NTP client:
<pre>
ntp
  no disable
</pre>

Disable serving time to clients:
<pre>
ntp
  disable serve
</pre>

Specify the source interface: <ref>https://docs.commscope.com/bundle/fastiron-08095-managementguide/page/GUID-0A5F29D9-CBA8-440A-9EB7-61BCEA35E240.html</ref>
<pre>
source-interface ethernet 1/3/1

! ntp-interface management 1
</pre>

Daylight Saving (Summer Time): <ref>https://docs.commscope.com/bundle/fastiron-08091-managementguide/page/GUID-E670EE11-FBD6-4D1E-9099-6E231887D245.html</ref> <ref>https://docs.commscope.com/bundle/fastiron-08095-managementguide/page/GUID-E670EE11-FBD6-4D1E-9099-6E231887D245.html</ref>
<pre>
clock summer-time zone us pacific start 02-28-21 02:00:00 end 10-30-21 02:00:00 offset 60
clock summer-time zone us mountain start 02-28-16 02:00:00 end 10-30-16 02:00:00 offset 30
</pre>

Note: the start and end dates have to be updated manually each year.

Note: "Before you begin to configure NTP, you must use the clock set command to set the time on your device to within 1000 seconds of the coordinated Universal Time (UTC)." <ref>https://community.ruckuswireless.com/t5/ICX-Switches/Force-sync-ntp/m-p/45909</ref>

Set the clock manually: <ref>https://docs.commscope.com/bundle/icx7150-installguide/page/GUID-453AC7E4-0CCF-4EB0-8E4B-3002CE8CCB24.html</ref>
<pre>
exit
! clock set hh:mm:ss mm-dd-yy/yyyy
clock set 02:49:00 11-23-24
</pre>
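Because the summer-time dates have to be re-entered every year, here is an added example (not from the original page) that generates the clock summer-time line for a given year from the current US rule (second Sunday of March to first Sunday of November, in force since 2007) and flags a configured line whose end date has already passed. The zone names, the mm-dd-yy date form and the 60-minute offset follow the page's own lines.

```python
import calendar
import datetime as dt
import re


def nth_sunday(year: int, month: int, n: int) -> dt.date:
    """Date of the n-th Sunday of the given month."""
    first_weekday, _ = calendar.monthrange(year, month)   # Monday == 0 ... Sunday == 6
    first_sunday = 1 + (6 - first_weekday) % 7
    return dt.date(year, month, first_sunday + 7 * (n - 1))


def us_dst_window(year: int):
    """US rule in force since 2007: DST starts the second Sunday of March and ends the first Sunday of November."""
    return nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)


def summer_time_command(zone: str, year: int, offset_minutes: int = 60) -> str:
    """Render the 'clock summer-time zone us <zone> start ... end ... offset ...' line for one year.

    Dates are written mm-dd-yy, the form the page uses for clock set and clock summer-time.
    """
    start, end = us_dst_window(year)
    return (f"clock summer-time zone us {zone} "
            f"start {start:%m-%d-%y} 02:00:00 end {end:%m-%d-%y} 02:00:00 offset {offset_minutes}")


def summer_time_is_stale(config_line: str, today) -> bool:
    """True when the configured end date is already in the past, i.e. the line needs this year's dates.

    'today' may be a datetime.date or an ISO 8601 string such as "2024-11-23".
    """
    if isinstance(today, str):
        today = dt.date.fromisoformat(today)
    m = re.search(r"\bend (\d{2})-(\d{2})-(\d{2}) ", config_line)
    if not m:
        raise ValueError("no 'end mm-dd-yy' found in: " + config_line)
    mm, dd, yy = (int(x) for x in m.groups())
    return dt.date(2000 + yy, mm, dd) < today
```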
 
== Users ==
 
Add users:
<pre>
username admin password [PASSWORD]
no username admin

username myuser privilege [LEVEL] password [PASSWORD]
# LEVEL:  <0 READ-WRITE, 4 PORT-CONFIG, 5 READ-ONLY> User privilege level
</pre>

Require login:
<pre>
aaa authentication web-server default local
aaa authentication login default local
</pre>

Configure separate enable-mode passwords per privilege level:
<pre>
enable super-user-password [PASSWORD]
enable port-config-password [PASSWORD]
enable read-only-password [PASSWORD]

no enable super-user-password
</pre>

Enter enable mode:
<pre>
enable
</pre>

Show who you are logged in as:
<pre>
sh who
</pre>
 
=== Privilege Levels ===
 
3 privileged levels:
#  enable '''super-user-password''' [PASSWORD] -          Super-user level password
#  enable '''port-config-password''' [PASSWORD] -        Port level configuration password
#  enable '''read-only-password''' [PASSWORD] -          Read-only level password
 
* ''Super User level'' - Allows complete read-and-write access to the system. This is generally for system administrators and is the only management privilege level that allows you to configure passwords.
* ''Port Configuration level'' - Allows read-and-write access for specific ports but not for global (system-wide) parameters.
* ''Read-only level'' - Allows access to the Privileged EXEC mode and User EXEC mode of the CLI but only with read access.
 
== Authentication, Authorization, and Accounting ==
 
Authentication, Authorization, and Accounting (AAA) is a security framework that controls access to computer resources, enforces policies, and audits usage.

* '''Authentication''' - confirms users are who they claim to be (username/password)
* '''Authorization''' - grants privileges to the authenticated user
* '''Accounting''' - tracks user activity
 
Sample config:
<pre>
aaa authentication web-server default local
aaa authentication login default tacacs+ local
aaa authentication login privilege-mode
 
aaa authorization exec default tacacs+
 
aaa accounting exec default start-stop tacacs+
</pre>
 
AAA Protocols:
* '''Remote Authentication Dial-In User Service (RADIUS)''' is a networking protocol that authorizes and authenticates users who access a remote network
* '''Terminal Access Controller Access Control System Plus (TACACS+)''' - a remote authentication AAA protocol that lets a remote access server communicate with an authentication server for user validation
* '''Diameter''' - evolved from the RADIUS protocol
 
= Firmware =
 
== Firmware Versions ==
 
ICX FastIron Stable series:
<pre>
08.0.95p 2024-06-27
08.0.95n 2024-01-31  *** recommended stable ***
08.0.95m 2023-08-24
08.0.95k 2023-06-16
08.0.95j 2023-06-16
08.0.95h 2022-09-02
...
08.0.95 2020-09-14
...
08.0.90d 2019-09-27 *** used as jump to ufi ***
</pre>
 
Firmware downloads:
* https://support.ruckuswireless.com/software/1186-ruckus-icx-7xxx-icx-6xxxx-campus-switch-firmware-download
* https://support.ruckuswireless.com/products/108-ruckus-icx-7150-campus-switches?open=document#firmwares
* https://support.ruckuswireless.com/products/108-ruckus-icx-7150-campus-switches

Recommended Software (as of 2024.07.08):
* Stability Release: RUCKUS ICX FastIron 08.0.95n (GA) Software Release (.zip)


<blockquote>
"Ruckus ICX software currently has two recommended release types; Stability and Technology.

Stability Release: This is for customers where stability is of utmost importance. This release may not contain every feature available for your product.

Technology Release: This is for customers looking to utilize the maximum feature set available for your product.

We recommend most customers utilize the Stability Release if it contains all needed features for your network. A Technology Release is recommended if your network requires newer features not available in the Stability Release."
</blockquote>


=== 08.0.95n ===

RUCKUS ICX FastIron 08.0.95n (GA) Software Release (.zip)
https://support.ruckuswireless.com/software/3958-ruckus-icx-fastiron-08-0-95n-ga-software-release-zip

Applies to: ICX7150, ICX7250, ICX7450, ICX7550, ICX7650, ICX7750, ICX7850

=== 08.0.95m ===

RUCKUS ICX FastIron 08.0.95m (GA) Software Release (.zip)
https://support.ruckuswireless.com/software/3749-ruckus-icx-fastiron-08-0-95m-ga-software-release-zip

Applies to: ICX7150, ICX7250, ICX7450, ICX7550, ICX7650, ICX7750, ICX7850


== Select Boot Slot ==

Show boot configuration:
<pre>
ICX7450 #sh boot-preference
Boot system preference(Configured):
        Use Default

Boot system preference(Default):
        Boot system flash primary
        Boot system flash secondary
</pre>

Select the second boot slot:
<pre>
ICX7450# Boot system flash secondary
</pre>

Show boot configuration after the change:
<pre>
ICX7450# sh boot-preference
Boot system preference(Configured):
        Boot system flash secondary

Boot system preference(Default):
        Boot system flash primary
        Boot system flash secondary
</pre>

Show configuration:
<pre>
ICX7450# sh run
Current configuration:
!
...
!
boot sys fl sec
</pre>


= Reset Password =

As the switch boots up, when you see the following prompt, press 'b':
<pre>
Enter 'b' to stop at boot monitor:
</pre>
Then type "no password":
<pre>
no password
</pre>
Then type "boot" to continue booting:
<pre>
boot
# or boot_primary
</pre>
Then either change the password:
<pre>
enable
conf t
</pre>

= keywords =

Latest revision as of 11:20, 23 November 2024

Ruckus / Brocade Switches

See Ruckus

ICX Switch Consolidation

In an effort to Consolidate Products Rucks is focusing on the ICX 7150, 7550 and 7850 series of switches. The 7250, 7450, 7650 and 7750 are being discontinued.

End of Sale:

  • 7250 - Feb 2022 (end of support Dec 2027)
  • 7450 - Nov 2024 (end of support Nov 2029)
  • 7650 - Dec 2023 (end of support Dec 2028)
  • 7750 - Dec 2023 (end of support Dec 2028)

Reference: https://support.ruckuswireless.com/documents/3631-end-of-sale-and-end-of-life-product-datelines

Connect

Connect on Linux

# apt install tio
tio -b 9600 /dev/ttyS0
tio -b 9600 /dev/ttyUSB0
# apt install minicom
minicom -b 9600 -D /dev/ttyS0
minicom -b 9600 -D /dev/ttyUSB0

Connect on Windows

Use Tera Term or Putty and connect to COMX with Baud 9600

CLI

Show Config

sh run

All but "show config" will need "enable"

>enable

Interface Show

Show Interfaces

sh int bri

Show specific port:

show int eth 1/1/1

Show management port:

sh int bri | begin mgmt

License

Show licenses:

sh license

L3 Premium Features

Layer 3 Premium Features and Platform Support
https://docs.commscope.com/bundle/fastiron-08095-licenseguide/page/GUID-B01E798A-B196-4544-86C2-DC90AB21CD6A.html

The Layer 3 Premium license supports the following features on an ICX 7450.

   OSPFv2
   OSPFv3 (IPv6)
   VRRP
   VRRPv3 (IPv6)
   VRRP-E
   GRE
   PBR
   PIM-SM, PIM-SSM, PIM-DM
   PIM Passive
   BGP, BGP4+ (IPv6)
   VRF (IPv4 and IPv6)
   IPv6 over IPv4 Tunnels
#sh license
Unit  License Name    L3 Premium Port Speed Upgrade   Speed    Ports    MACsec
1     l3-prem         Yes        NA                   NA       NA       No

Logs

Show logs:

sh log

Clear logs:

clear log

Sample:

Syslog logging: enabled ( 0 messages dropped, 1 flushes, 0 overruns)
    Buffer logging: level ACDMEINW, 0 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error
                I=informational N=notification W=warning

Dynamic Log Buffer (50 lines):
Jan  1 12:19:30:I:Security: SSH login by myuser from src IP 10.10.10.10 from src MAC xxxx.xxxx.xxxx to USER EXEC mode using RSA as Server Host Key.
Jan  1 00:00:57:I:STP: VLAN 1 Port 1/1/30 STP State -> FORWARDING (FwdDlyExpiry)
Jan  1 00:00:55:I:STP: VLAN 1 Port 1/1/48 STP State -> LEARNING (FwdDlyExpiry)

MAC Addresses

Show collected MACs:

sh mac-addresses

Show just those local to interfaces on 1/1/*

sh mac-addresses | inc 1/1
# sh mac-a | inc 1/1/
98xx.xx.xxxx  1/1/13               Dynamic      228
98xx.xx.xxxx  1/1/13               Dynamic      228
f4xx.xx.xxxx  1/1/13               Dynamic      228
98xx.xx.xxxx  1/1/13               Dynamic      228
f4xx.xx.xxxx  1/1/14               Dynamic      300
0cxx.xx.xxxx  1/1/14               Dynamic      300

ARP Table

Show Arp Table:

# sh arp
Total number of ARP entries: 1
Entries in default routing instance:
No.   IP Address       MAC Address    Type     Age Port               Status
1     10.10.10.1     b4xx.xxxx.xxxx Dynamic  1    lg01              Valid

Management IP Show

Show IP:

show ip

If using router firmware:

show ip address  # or 'sh ip addr'

Pagination

>enable

to skip pagination:

skip
# or skip-page-display
  Disable page display mode

to page:

page
  Enable page display mode

Ping

ping [IP]

POE

Enable POE:

conf t
 interface eth 1/1/1
  inline power

Disable POE:

conf t
 interface eth 1/1/1
  no inline power

Show Interface POE:

show inline power

Show Interface POE details: (and firmware version)

show inline power details

Limit POE on interface:

int ent ethernet 1/1/1 to 1/1/48
  inline power
  inline power power-limit 25000

Reboot Switch

reload

Version

Show switch version and model and serial:

show version
sh ver

Example:

>sh ver
...
    UNIT 1: compiled on Mar  2 2012 at 12:38:17 labeled as ICX64S07400
                (10360844 bytes) from Primary ICX64S07400.bin
        SW: Version 07.4.00T311
  Boot-Monitor Image size = 512, Version:07.4.00T310 (kxz07400)
  HW: Stackable ICX6450-48-HPOE
==========================================================================
UNIT 1: SL 1: ICX6450-48p POE 48-port Management Module
         Serial  #: BZTXXXXXXXX
         License: BASE_SOFT_PACKAGE   (LID: dbvHKIFjFox)
...

VLAN Show

Show VLANs:

show vlan

Config

Configure:

enable
configure terminal
# or conf t

Show Config:

show config
sh run

Write Config:

write mem

Clear Config:

erase startup-config

Hostname

hostname [name]

Display banner at login: [1]

banner motd $
  Enter TEXT message, End with the character '$'.
  Welcome!!! $

Interface

sh int bri

Show specific port:

show int eth 1/1/1

Show management port:

sh int bri | begin mgmt

Disable Interface

int eth 1/1/48
  disable
  enable


IP

Management Interface DHCP Client

dhcp ip

ip dhcp-client enable
ip dhcp-client auto-update enable
no ip dhcp-client enable

Static IP

ip address 10.10.10.104/24
# or
ip address 10.10.10.104 255.255.255.0
ip default-gateway 10.10.10.1
no ip dhcp-client auto-update enable
no ip dhcp-client enable

Show IP:

show ip

Management VLAN

Desginate which VLAN carries the management traffic: [2]

vlan 10 by port
  management-vlan

Default is VLAN 1

SFP

GBIC

# show media
...
Port 1/3/1:  Type  : EMPTY
Port 1/3/2:  Type  : EMPTY
Port 1/3/3:  Type  : 1G M-TX(SFP)
Port 1/3/4:  Type  : EMPTY
# sh media et 1/3/3
Port   1/3/3: Type  : 1G M-TX(SFP)
             Vendor: XXX    Version: D1
             Part# : SFP-1000BASE-TX    Serial#: XXX
# sh int bri
..
1/3/3      Up      Forward Full 1G    None  No  1    0   xxxx.xxxx.xxxx
#sh int et 1/3/3
10GigabitEthernet1/3/3 is up, line protocol is up

Note: If a 1-Gbps optic transceiver is inserted, you must configure the port using the speed-duplex 1000-full-master command at the interface level. [3]

Enable port: [4]

# conf term
# int ethernet 1/3/3
# speed-duplex 1000-full-master

or short form: [5]

config t
int e 1/2/1
speed 1000-full
# sh run
...
stack unit 1
  module 1 icx7150-48pf-poe-port-management-module
  module 2 icx7150-2-copper-port-2g-module
  module 3 icx7150-4-sfp-plus-port-40g-module
  stack-port 1/3/1
  stack-port 1/3/3
!
interface ethernet 1/3/3
 speed-duplex 1000-full
!

10GE SFP+

  • 10GE SR 300m ((SFP+))
  • 10GE USR 100m (SFP +)

Spanning Tree

Disable Spanning Tree On specific port:

interface ethernet 1/1/1
 loop-detection
 no spanning-tree
!

SSH

Show ssh config settings:

sh ip ssh config
> sh ip ssh config
...
SSH server                 : Enabled
SSH port                   : tcp\22
Host Key                   : DSA 1024,  RSA 1024
Encryption                 : aes256-cbc, aes192-cbc, aes128-cbc, aes256-ctr, aes192-ctr, aes128-ctr, 3des-cbc
...
Authentication methods     : Password, Public-key, Interactive
...

Enable SSH:

## Generate keys
crypto key generate rsa
  # ^ Their offer: ssh-rsa
crypto key generate dsa
  # ^ Their offer: ssh-dss
# Add admin user:
username admin pri 0 password [PASSWORD]
# enable 
aaa authentication login default local

Disable SSH:

crypto key zeroize
crypto key zeroize dsa

Note, the ICX uses really old key exchange method 'diffie-hellman-group1-sha1'

debug1: kex: algorithm: diffie-hellman-group1-sha1
debug1: kex: host key algorithm: ssh-rsa
# or
debug1: kex: host key algorithm: ssh-dss
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none

To re-enable them, scope the exceptions to the switch in ~/.ssh/config rather than loosening /etc/ssh/ssh_config for every destination (a global change offers the weak algorithms to every server you connect to):

# ICX SSH: legacy algorithms for this host only
Host [SWITCH_HOSTNAME_OR_IP]
    KexAlgorithms +diffie-hellman-group1-sha1
    HostKeyAlgorithms +ssh-dss,ssh-rsa
    # for ssh key to icx (spelled PubkeyAcceptedAlgorithms on OpenSSH 8.5+; the old name is still accepted)
    PubkeyAcceptedKeyTypes +ssh-dss,ssh-rsa

---

NOTE: If the switch must connect in the reverse direction (e.g. pulling firmware with copy scp), the host's sshd has to offer the same legacy algorithms, so add the same lines to /etc/ssh/sshd_config:

# Allow legacy ICX switches to connect to this host
KexAlgorithms +diffie-hellman-group1-sha1
HostKeyAlgorithms +ssh-dss,ssh-rsa
## PubkeyAcceptedKeyTypes +ssh-dss,ssh-rsa # icx doesn't have a private key option - sadness

Caveat: KexAlgorithms and HostKeyAlgorithms are not valid inside a Match block, so these settings weaken every inbound SSH session on that host. Keep the switch-facing sshd separate (a second sshd instance with its own config bound to an address reachable only from the management network, or a dedicated jump host), firewall tcp/22 to the switches' subnet, and remove the lines once the switches are upgraded.

Public Keys

  • Note: The public key file may contain up to 16 DSA or RSA public keys.
  • Note: Each key must be in the SSH2 (RFC 4716) format shown below, which is what `ssh-keygen -e -f key.pub` produces from an OpenSSH public key: the ssh-rsa prefix is removed, the base64 body is wrapped, and the 'Comment' line is optional. [6]
  • Note: Use a 2048-bit RSA key (ssh-keygen -b 2048). A larger key causes connection failures on the 6450 (probably on the 7150 too), reported on the client as "no key from blob. pkalg ssh-rsa: invalid format". [7]
  • Note: The body shown below is a layout sample only; it contains characters (^, *) that are not valid base64, so it is not a key that can be pasted.
ssh-keygen -b 2048
---- BEGIN SSH2 PUBLIC KEY ---- 
Comment:  "2048-bit RSA, converted from OpenSSH"
AAAAB3NaC1yc2EAAAABIwAAAQEA0pt94yJmKwPfPZnxxYSS1aVaaqWgRM79EfRXf2XUrs
834hx881MmQedye1oJrntvA8LyVUIepOdbc874i4259mtSXx+cfZW0/QeJggT/1zE82+n
w706gGqNsE+XsT12bi6KU4Al2IWULce74yfQY9/amy38ZPCesKKurH4+2m/Ba69391lp
nJ0BIQidn+I8hARUGayrOTrx/e2^kdC+2aNh6mS17KDiRyj8WBV3F5z5f5rlYBL/WoJ2beo
R3L6H6wHXP8dZ1F4IqeVxeIimkFTzMEE*r/wHCnhewetnDy3iJAgr0TXTicJ1Qpb1MCBkB
XaynjuDYSf4Kmgn8znaQ==
---- END SSH2 PUBLIC KEY ----
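Building that file by hand is error-prone, and a stray character or the wrong key size only shows up as "invalid format" at connect time. The following is an added example (not the page's or Ruckus's code) that performs the ssh-keygen -e conversion in Python and checks a combined key file against the constraints above: BEGIN/END markers, the 72-column line limit, a decodable blob, the RSA size, and the 16-key cap. The sample keys are constructed inside the code (format-valid, not real keys); the 2048-bit and 16-key limits are taken from the notes above and are assumptions about the switch, not something the code can verify.

```python
"""Build and sanity-check an ICX SSH2 (RFC 4716) public key file.
Added example, not code from the page or from Ruckus. Assumes the switch
wants RFC 4716 blocks (what `ssh-keygen -e` emits), at most 16 keys per
file and 2048-bit RSA keys (larger ones were seen to fail with
"no key from blob. pkalg ssh-rsa: invalid format")."""
import base64
import struct

MAX_KEYS = 16           # limit from the FastIron security guide
WANTED_RSA_BITS = 2048  # larger keys were observed to fail on the 6450
BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def _ssh_string(b):
    """RFC 4251 string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(n):
    """RFC 4251 mpint: big-endian magnitude, leading 0x00 if the top bit is set."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return _ssh_string(b)


def make_openssh_rsa_line(n, e=65537, comment="test"):
    """Constructed sample input: an OpenSSH 'ssh-rsa <base64> <comment>' line.
    Only the wire format matters here; n is not a real modulus."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)


def parse_blob(b64):
    """Decode a public key blob and return (key type, size in bits)."""
    blob = base64.b64decode(b64, validate=True)  # rejects '^', '*' and other junk
    fields, off = [], 0
    while off < len(blob):
        (ln,) = struct.unpack_from(">I", blob, off)
        off += 4
        if off + ln > len(blob):
            raise ValueError("truncated blob")
        fields.append(blob[off:off + ln])
        off += ln
    ktype = fields[0].decode()
    if ktype == "ssh-rsa":  # fields: ssh-rsa, e, n
        return ktype, int.from_bytes(fields[2], "big").bit_length()
    if ktype == "ssh-dss":  # fields: ssh-dss, p, q, g, y
        return ktype, int.from_bytes(fields[1], "big").bit_length()
    return ktype, 0


def to_rfc4716(openssh_line):
    """OpenSSH public key line -> RFC 4716 block (same result as ssh-keygen -e):
    drop the 'ssh-rsa' prefix, add the optional Comment header, wrap at 70 columns."""
    parts = openssh_line.split(None, 2)
    b64 = parts[1]
    comment = parts[2].strip() if len(parts) > 2 else ""
    lines = [BEGIN]
    if comment:
        lines.append('Comment: "%s"' % comment)
    lines.extend(b64[i:i + 70] for i in range(0, len(b64), 70))
    lines.append(END)
    return "\n".join(lines)


def check_keyfile(text):
    """Check a combined key file before sending it to the switch.
    Returns one dict per key block: {'type', 'bits', 'problems'}."""
    results = []
    blocks = text.split(BEGIN)[1:]
    for blk in blocks:
        problems = []
        if END not in blk:
            problems.append("missing END marker")
        body = blk.split(END)[0]
        # header lines (Comment:, Subject:) carry a colon; base64 never does
        b64_lines = [l for l in body.splitlines() if l and ":" not in l]
        if any(len(l) > 72 for l in b64_lines):
            problems.append("line longer than 72 characters (RFC 4716 limit)")
        try:
            ktype, bits = parse_blob("".join(b64_lines))
        except Exception:
            results.append({"type": None, "bits": 0,
                            "problems": problems + ["blob does not decode (invalid format)"]})
            continue
        if ktype not in ("ssh-rsa", "ssh-dss"):
            problems.append("unsupported key type %s" % ktype)
        if ktype == "ssh-rsa" and bits != WANTED_RSA_BITS:
            problems.append("RSA key is %d bits, expected %d" % (bits, WANTED_RSA_BITS))
        results.append({"type": ktype, "bits": bits, "problems": problems})
    if len(blocks) > MAX_KEYS:
        for r in results:
            r["problems"].append("more than %d keys in file" % MAX_KEYS)
    return results


if __name__ == "__main__":
    demo = make_openssh_rsa_line((1 << 2047) | 0x10001, comment="2048-bit RSA, converted from OpenSSH")
    print(to_rfc4716(demo), check_keyfile(to_rfc4716(demo)), sep="\n")
```

For real keys, feed the contents of each user's id_rsa.pub to to_rfc4716 (or use ssh-keygen -e directly), concatenate the blocks into keyfile.txt, and run check_keyfile over the result before copying it to the TFTP server; a non-empty problems list means the switch would reject the key or the login.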

Copy the combined key file (up to 16 keys) to a TFTP server and have the ICX pull it, replacing any key file already loaded:

conf term
 ip ssh pub-key-file tftp [TFTP_IP] [PATH/keyfile.txt]

List the loaded keys (TFTP has no integrity protection, so compare the listing against the file you sent):

show ip client-pub-key

Remove pub key file:

ip ssh pub-key-file remove
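Once a key login has been verified, the remaining exposure is password logins, Telnet, and tcp/22 being reachable from anywhere. The fragment below is an added example (not from the page or from Ruckus) in FastIron 08.0.x syntax; [MGMT_HOST_IP] is a placeholder for the admin workstation or jump host. Confirm each command with `?` on your release before pasting, and keep console access as the recovery path: disabling password authentication with a bad key file locks you out of SSH.

```text
! Added example: tighten management access after key login works
conf term
! clear-text Telnet is not needed once SSH works
no telnet server
! key-only logins; the console remains the recovery path
ip ssh password-authentication no
ip ssh interactive-authentication no
! drop abandoned sessions after 10 minutes
ip ssh idle-time 10
! only the management host may open tcp/22; log everything else
access-list 10 permit host [MGMT_HOST_IP]
access-list 10 deny any log
ssh access-group 10
write memory
```

Check the result with `show ip ssh config` (Authentication methods should no longer list Password or Interactive) and with a test connection from a host that is not in access-list 10.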

Neighbour Detection

Neighbour Detection [8]

Link Layer Discovery Protocol (LLDP) - Vendor-agnostic link layer protocol to advertise device capabilities and directly connected neighbours on the network. All three protocols below advertise hostname, software version and port/VLAN details to whatever is on the link, so run them on infrastructure links, not on untrusted edge ports.

lldp run
show lldp neighbors

Foundry Discovery Protocol (FDP) - Foundry/Brocade specific link layer protocol to advertise device capabilities and directly connected neighbours on the network.

fdp run
show fdp neighbors

Cisco Discovery Protocol (CDP) - Cisco specific link layer protocol to advertise device capabilities and directly connected neighbours on the network.

cdp run
show cdp neighbors

VLAN

Show VLANs:

show vlan

Clear VLAN:

no vlan [#]

Simple VLAN

vlan 100 name MyVLAN by port
 tagged e 1/2/1
 untagged e 1/1/1 to 1/1/48
!

LAG

Simple LAG with VLAN:

lag LAG1 dynamic id 1
 ports ethe 1/1/47 to 1/1/48
!
vlan 3200 name MyVLAN by port
 tagged lag 1
 untagged e 1/1/1 to 1/1/46
!

Static vs dynamic (dynamic runs LACP with the peer, static bundles the ports without negotiation; prefer dynamic so a miscabled port is not silently aggregated):

lag LAG1 dynamic id 1
lag LAG1 static id 1

Show lag:

sh lag
sh lag id 1

Name ports:

lag LAG1
  port-name UPLINK-A ethernet 1/1/47
  port-name UPLINK-B ethernet 1/1/48

Disable one port:

lag LAG1
  disable e 1/1/48
lag LAG1
  enable e 1/1/48

Remove a port:

lag LAG1
  no ports e 1/1/47

Time

clock summer-time
clock timezone us Pacific
clock timezone us mountain
sh clock
sh clock detail

NTP Client:

ntp
  server 10.x.x.1
  server 10.x.x.2
  server 0.pool.ntp.org minpoll 10 burst
  server 1.pool.ntp.org minpoll 10 burst

Show ntp status: [9]

show ntp status
show ntp associations

Disable NTP client:

ntp
  disable

Enable NTP client:

ntp
  no disable

Disable serving time to clients:

ntp
  disable serve

Specify source interface: [10]

source-interface ethernet 1/3/1
! ntp-interface management 1

Daylight Saving (Summer Time) [11] [12]

clock summer-time zone us pacific start 02-28-21 02:00:00 end 10-30-21 02:00:00 offset 60
clock summer-time zone us mountain start 02-28-16 02:00:00 end 10-30-16 02:00:00 offset 60

Note: The start and end dates are absolute (MM-DD-YY), so the line has to be updated manually each year. The dates above are placeholders; the current US rule is the second Sunday in March to the first Sunday in November at 02:00, and the US offset is 60 minutes.
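Since the dates are absolute, the line has to be regenerated every year. The generator below is an added example (not from the page or from Ruckus) that computes the US DST dates for a given year and prints the command in the form used above. It assumes the current US rule (second Sunday in March to first Sunday in November, 02:00, 60 minutes) and the MM-DD-YY date format shown; re-check the rule if the law changes, and verify the output against your release's CLI help before pasting.

```python
"""Emit the yearly 'clock summer-time' line for a US zone on an ICX.
Added example, not from the page or from Ruckus. Assumes the command form
  clock summer-time zone us <tz> start MM-DD-YY hh:mm:ss end MM-DD-YY hh:mm:ss offset <min>
and the post-2007 US DST rule (second Sunday in March to first Sunday in
November, 02:00 local, 60 minutes). The rule is an assumption to re-check."""
import datetime


def nth_weekday(year, month, weekday, n):
    """Date of the n-th <weekday> (Mon=0 .. Sun=6) in the given month."""
    first = datetime.date(year, month, 1)
    offset = (weekday - first.weekday()) % 7
    return first + datetime.timedelta(days=offset + 7 * (n - 1))


def us_dst_bounds(year):
    """(start, end) dates of US daylight saving time for the year."""
    return nth_weekday(year, 3, 6, 2), nth_weekday(year, 11, 6, 1)


def summer_time_command(year, tz="pacific", offset_minutes=60):
    """Build the ICX command; tz is the zone name used with 'clock timezone us'."""
    start, end = us_dst_bounds(year)
    fmt = "%m-%d-%y"  # MM-DD-YY, as in the examples above
    return ("clock summer-time zone us %s start %s 02:00:00 end %s 02:00:00 offset %d"
            % (tz, start.strftime(fmt), end.strftime(fmt), offset_minutes))


if __name__ == "__main__":
    # print this year's and next year's lines so the config can be updated ahead of time
    this_year = datetime.date.today().year
    for y in (this_year, this_year + 1):
        print(summer_time_command(y))
        print(summer_time_command(y, tz="mountain"))
```

Paste the printed line in config mode and confirm with `sh clock detail`; a wrong year in the line silently leaves the switch on standard time, which skews every timestamp in its logs.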

Note: "Before you begin to configure NTP, you must use the clock set command to set the time on your device to within 1000 seconds of the coordinated Universal Time (UTC)." [13]

clock set [14]

exit
! clock set hh:mm:ss mm-dd-yy/yyyy
clock set 02:49:00 11-23-24

Users

Add / remove Users:

# add a super-user (privilege 0 is the default):
username admin password [PASSWORD]
# remove a user:
no username admin
# add a user with an explicit privilege level:
username myuser privilege [LEVEL] password [PASSWORD]
# LEVEL:   <0 READ-WRITE, 4 PORT-CONFIG, 5 READ-ONLY> User privilege level

Require Login:

aaa authentication web-server default local
aaa authentication login default local

Configure separate enable privilege passwords:

enable super-user-password [PASSWORD]
enable port-config-password [PASSWORD]
enable read-only-password [PASSWORD]
no enable super-user-password

Enter enable mode:

enable

Show who logged in as:

sh who

Privilege Levels

3 privileged levels:

  1. enable super-user-password [PASSWORD] - Super-user level password
  2. enable port-config-password [PASSWORD] - Port level configuration password
  3. enable read-only-password [PASSWORD] - Read-only level password
  • Super User level - Allows complete read-and-write access to the system. This is generally for system administrators and is the only management privilege level that allows you to configure passwords.
  • Port Configuration level - Allows read-and-write access for specific ports but not for global (system-wide) parameters.
  • Read-only level - Allows access to the Privileged EXEC mode and User EXEC mode of the CLI but only with read access.

Authentication, Authorization, and Accounting

Authentication, Authorization, and Accounting (AAA) is a security framework that controls access to computer resources, enforces policies, and audits usage.
  • Authentication - confirm users are who they claim they are (username/password)
  • Authorization - granted privileges to authorized user
  • Accounting - tracking user activity

Sample config (the tacacs+ entries assume a server was already defined with tacacs-server host and tacacs-server key; with "tacacs+ local" the local database is consulted only when no TACACS+ server responds, not when a server rejects the credentials):

 aaa authentication web-server default local
 aaa authentication login default tacacs+ local
 aaa authentication login privilege-mode

 aaa authorization exec default tacacs+

 aaa accounting exec default start-stop tacacs+

AAA Protocols:

  • Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that authorizes and authenticates users who access a remote network
  • Terminal Access Controller Access Control System Plus (TACACS+) - a remote authentication AAA protocol that lets a remote access server communicate with an authentication server for user validation
  • Diameter - evolved from the RADIUS protocol

Firmware

Firmware Versions

ICX FastIron Stable series:

08.0.95p	2024-06-27
08.0.95n	2024-01-31  *** recommended stable ***
08.0.95m	2023-08-24
08.0.95k	2023-06-16
08.0.95j	2023-06-16
08.0.95h	2022-09-02
...
08.0.95 	2020-09-14
...
08.0.90d	2019-09-27 *** used as jump to ufi ***
https://support.ruckuswireless.com/software/1186-ruckus-icx-7xxx-icx-6xxxx-campus-switch-firmware-download
https://support.ruckuswireless.com/products/108-ruckus-icx-7150-campus-switches?open=document#firmwares
https://support.ruckuswireless.com/products/108-ruckus-icx-7150-campus-switches
Recommended Software: (as of 2024.07.08)
 Stability Release: RUCKUS ICX FastIron 08.0.95n (GA) Software Release (.zip)

"Ruckus ICX software currently has two recommended release types; Stability and Technology.

Stability Release: This is for customers where stability is of utmost importance. This release may not contain every feature available for your product.

Technology Release: This is for customers looking to utilize the maximum feature set available for your product.

We recommend most customers utilize the Stability Release if it contains all needed features for your network. A Technology Release is recommended if your network requires newer features not available in the Stability Release."

08.0.95n

RUCKUS ICX FastIron 08.0.95n (GA) Software Release (.zip)
https://support.ruckuswireless.com/software/3958-ruckus-icx-fastiron-08-0-95n-ga-software-release-zip
Applies to: ICX7150, ICX7250, ICX7450, ICX7550, ICX7650, ICX7750, ICX7850

08.0.95m

RUCKUS ICX FastIron 08.0.95m (GA) Software Release (.zip)
https://support.ruckuswireless.com/software/3749-ruckus-icx-fastiron-08-0-95m-ga-software-release-zip
Applies to: ICX7150, ICX7250, ICX7450, ICX7550, ICX7650, ICX7750, ICX7850

Select Boot Slot

Show boot configuration:

ICX7450 #sh boot-preference
Boot system preference(Configured):
        Use Default

Boot system preference(Default):
        Boot system flash primary
        Boot system flash secondary

Select second boot slot:

ICX7450# Boot system flash secondary

Show boot configuration after change:

ICX7450# sh boot-preference
Boot system preference(Configured):
        Boot system flash secondary

Boot system preference(Default):
        Boot system flash primary
        Boot system flash secondary

Show configuration:

ICX7450# sh run
Current configuration:
!
...
!
boot sys fl sec

Reset Password

As the switch boots, press 'b' when the following prompt appears:

Enter 'b' to stop at boot monitor:

then type "no password" so the system comes up without requiring the configured passwords:

no password

then type "boot" to continue booting:

boot
# or boot_primary

Then either change password

enable
conf t

Note: This procedure needs nothing but console access, so anyone who can reach the serial port can take over the switch. Keep consoles physically controlled, and set new passwords (and write memory) before returning the switch to service.


  1. https://docs.commscope.com/bundle/fastiron-08095-managementguide/page/GUID-5A14B1C5-DD1A-40E3-A371-6C7A0407D796.html
  2. https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-61483D35-3F95-43FB-8092-33C14E0D188D.html
  3. https://docs.commscope.com/bundle/icx7150-installguide/page/GUID-B346251F-DFCC-4441-B047-6E3A3E88839C.html
  4. https://docs.commscope.com/bundle/icx7150-installguide/page/GUID-B346251F-DFCC-4441-B047-6E3A3E88839C.html
  5. https://community.ruckuswireless.com/t5/ICX-Switches/Configuring-SFP-port-on-7150-C08p/td-p/27124
  6. https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-E00DB049-9D65-4438-A64F-A947648A70AE.html
  7. https://apple.stackexchange.com/questions/356323/ssh-fails-with-ssh-dispatch-run-fatal-invalid-format
  8. https://support.purdi.com/hc/en-gb/articles/360021220292-Ruckus-ICX-Neighbour-Detection-using-LLDP-CDP-FDP
  9. https://docs.commscope.com/bundle/fastiron-08095-managementguide/page/GUID-98F32DCC-B4D7-4531-BC58-42F47C984868.html
  10. https://docs.commscope.com/bundle/fastiron-08095-managementguide/page/GUID-0A5F29D9-CBA8-440A-9EB7-61BCEA35E240.html
  11. https://docs.commscope.com/bundle/fastiron-08091-managementguide/page/GUID-E670EE11-FBD6-4D1E-9099-6E231887D245.html
  12. https://docs.commscope.com/bundle/fastiron-08095-managementguide/page/GUID-E670EE11-FBD6-4D1E-9099-6E231887D245.html
  13. https://community.ruckuswireless.com/t5/ICX-Switches/Force-sync-ntp/m-p/45909
  14. https://docs.commscope.com/bundle/icx7150-installguide/page/GUID-453AC7E4-0CCF-4EB0-8E4B-3002CE8CCB24.html