ICX: Difference between revisions
|  (→Time) | |||
| (37 intermediate revisions by the same user not shown) | |||
| Line 5: | Line 5: | ||
| = ICX Switch Consolidation = | = ICX Switch Consolidation = | ||
| In an effort to Consolidate Products Rucks is focusing on the ICX  | In an effort to Consolidate Products, Rucks is focusing on the ICX 7850, 7550 series of switches for core and aggregation layers, as well as the ICX 7150, especially if already in place.  The 7250, 7450, 7650 and 7750 are being discontinued.  For next generation, wireless-first Ruckus is focusing on the ICX 8200 series, with backing of the ICX 7850, 7550. | ||
| End of Sale: | End of Sale: | ||
| * 7150 - Mar 2025 (end of support Mar 2030) | |||
| * 7250 - Feb 2022 (end of support Dec 2027) | * 7250 - Feb 2022 (end of support Dec 2027) | ||
| * 7450 - Nov 2024 (end of support Nov 2029) | * 7450 - Nov 2024 (end of support Nov 2029) | ||
| * 7550 - No date posted yet - currently core focus for Ruckus Aggregation Switching | |||
| * 7650 - Dec 2023 (end of support Dec 2028) | * 7650 - Dec 2023 (end of support Dec 2028) | ||
| * 7750 - Dec 2023 (end of support Dec 2028) | * 7750 - Dec 2023 (end of support Dec 2028) | ||
| * 7850 - No date posted yet - currently core focus for Ruckus Core Switching | |||
| * 8200 - No date posted yet - currently core focus for Ruckus Access Switching | |||
| Reference: https://support.ruckuswireless.com/documents/3631-end-of-sale-and-end-of-life-product-datelines | Reference: | ||
|  RUCKUS End of Sale / End of Life Product Datelines  | |||
|  https://support.ruckuswireless.com/documents/3631-end-of-sale-and-end-of-life-product-datelines | |||
| <pre> | |||
| ICX         End of Sale         End of Support | |||
| ICX 6450    November 2, 2018    November 2, 2023   EOL DEAD!!! | |||
| ICX 7150    March 10, 2025      March 10, 2030 | |||
| ICX 7250    February 7, 2022    December 31, 2027 | |||
| ICX 7450    November 14, 2024   November 14, 2029 | |||
| ICX 7750    December 31, 2023   December 31, 2028 | |||
| ICX 7850    No date posted yet | |||
| </pre> | |||
| == ICX Focus == | |||
| === Core Switches === | |||
| * '''ICX 7850''' | |||
| * ICX 7750 <EOL 2028> | |||
| === Aggregation Switches === | |||
| * ICX 7850 (core ^) | |||
| * ICX 7750 (core ^) <EOL 2028> | |||
| * ICX 7650 <EOL 2028> | |||
| * '''ICX 7550''' | |||
| * ICX 7450 <EOL 2029> | |||
| === Access Sitches === | |||
| * '''ICX 8200''' | |||
| * ICX 7650 (aggregation ^) <EOL 2028> | |||
| * ICX 7550 (aggregation ^) | |||
| * ICX 7450 (aggregation ^) <EOL 2029> | |||
| * '''ICX 7150''' <long-term-eol 2030> | |||
| = Console Cables = | |||
|  Baud Bits per second -- 9600 | |||
|  Data bits -- 8 | |||
|  Parity -- None | |||
|  Stop bits -- 1 | |||
|  Flow control -- None | |||
| ref <ref>https://docs.commscope.com/bundle/icx7150-installguide/page/GUID-9FB7FB94-16E9-4FB8-8BBB-8B1BDD9B7E79.html</ref> | |||
| == 6450 Console Cable == | |||
| Brocade Rollover Cable (RJ45): | |||
|  USB Console Cable,USB to RJ45 Console Cable for Cisco Routers/AP Router/Switch Windows, Mac, Linux(1.8m,Blue) | |||
|  https://www.amazon.com/OIKWAN-Compatible-Opengear-Aruba%EF%BC%8CJuniper-Switches/dp/B075V1RGQK | |||
| <img src="https://m.media-amazon.com/images/I/61LZ6srk-+L._SL1000_.jpg" width="200" /> | |||
| == 7150 Console Cable == | |||
| Standard USB C Cable, with a backup of a Brocade Rollover Cable | |||
| USB C Cable | |||
| <img src="https://m.media-amazon.com/images/I/71cPa3L9RoL._AC_SL1500_.jpg" width="200" /> | |||
| Brocade Rollover Cable (RJ45): | |||
|  USB Console Cable,USB to RJ45 Console Cable for Cisco Routers/AP Router/Switch Windows, Mac, Linux(1.8m,Blue) | |||
|  https://www.amazon.com/OIKWAN-Compatible-Opengear-Aruba%EF%BC%8CJuniper-Switches/dp/B075V1RGQK | |||
| <img src="https://m.media-amazon.com/images/I/61LZ6srk-+L._SL1000_.jpg" width="200" /> | |||
| == 7250, 7450, 7750 Console Cable == | |||
| USB Mini to Serial DB9 type cable: | |||
|  USB to RS232 Serial Adapter, Mini USB 5 Pin Male to DB9 9 Pin Female Serial Converter Cable 1.8M/6Feet | |||
|  https://www.amazon.com/MTUERANC-Serial-Adapter-Female-Converter/dp/B0CL2BPDNK | |||
| <img src="https://m.media-amazon.com/images/I/71giGlbkvZL._SL1500_.jpg" width="200" /> | |||
| = Connect = | = Connect = | ||
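Review bot: the revised opening sentence still spells the vendor "Rucks", and the added heading reads "Access Sitches"; both should be corrected before this revision is kept. The added `<pre>` table also leaves out the 7550, 7650 and 8200 that the bullet list above it covers, so the two lists will drift; keeping only one of them, next to the reference link, would avoid that.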
| Line 259: | Line 337: | ||
| === dhcp ip === | === dhcp ip === | ||
| Enable DHCP | |||
|   ip dhcp-client enable |   ip dhcp-client enable | ||
|   ip dhcp-client auto-update enable |   ip dhcp-client auto-update enable | ||
| Disable DHCP | |||
|   no ip dhcp-client enable |   no ip dhcp-client enable | ||
| Line 282: | Line 364: | ||
| Default is VLAN 1 | Default is VLAN 1 | ||
| == License == | |||
| set license <ref>https://support.ruckuswireless.com/articles/000007612</ref> | |||
|  license install perpetual <unit number> <type of license> | |||
|  license install perpetual 1 4x10GR | |||
|  license delete perpetual 1 4x10gr | |||
| == SFP == | == SFP == | ||
| GBIC | GBIC | ||
| Types: | |||
| * 1G M-TX(SFP) - 1 GigE | |||
| Part# | |||
| * SFP-1000BASE-TX = 1 GigE Copper | |||
| * SFP-GE-T = 1 GigE Copper | |||
| Combos: | |||
| * 1G M-TX(SFP) w/ SFP-1000BASE-TX = 1 GigE Copper | |||
| * 1G M-TX(SFP) w/ SFP-GE-T = 1 GigE Copper | |||
| --- | |||
| <pre> | <pre> | ||
| Line 349: | Line 455: | ||
| <pre> | <pre> | ||
| interface ethernet 1/1/1 | interface ethernet 1/1/1 | ||
|   no spanning-tree |   no spanning-tree | ||
| ! | ! | ||
| Line 393: | Line 498: | ||
|   debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none |   debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none | ||
|   debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none |   debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none | ||
| === Linux Client === | |||
| To allow diffie-hellman-group1-sha1, edit either .ssh/config(to host) or /etc/ssh/ssh_config and add the following: | To allow diffie-hellman-group1-sha1, edit either .ssh/config(to host) or /etc/ssh/ssh_config and add the following: | ||
|   # ICX SSH |   # ICX SSH | ||
|   KexAlgorithms +diffie-hellman-group1-sha1 |   # KexAlgorithms +diffie-hellman-group1-sha1 | ||
|  KexAlgorithms +diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 | |||
|   HostKeyAlgorithms +ssh-dss,ssh-rsa |   HostKeyAlgorithms +ssh-dss,ssh-rsa | ||
|   # for ssh key to icx |   # for ssh key to icx | ||
|   PubkeyAcceptedKeyTypes +ssh-dss,ssh-rsa |   PubkeyAcceptedKeyTypes +ssh-dss,ssh-rsa | ||
| <pre> | |||
| .ssh/config | |||
| Host * | |||
|   # ICX SSH | |||
|   KexAlgorithms +diffie-hellman-group1-sha1 | |||
|   HostKeyAlgorithms +ssh-dss,ssh-rsa | |||
|   # for ssh key to icx | |||
|   PubkeyAcceptedKeyTypes +ssh-dss,ssh-rsa | |||
| </pre> | |||
| --- | --- | ||
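Review bot: the added `.ssh/config` block puts `KexAlgorithms +diffie-hellman-group1-sha1` and `HostKeyAlgorithms +ssh-dss,ssh-rsa` under `Host *`, so the client will offer these legacy algorithms to every host it connects to, not only the switches; use a `Host` pattern limited to the switch addresses instead. The same block also still lists only `diffie-hellman-group1-sha1`, while the line changed just above it now adds `diffie-hellman-group14-sha1` as well, so the two snippets should be made to agree.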
| Line 408: | Line 527: | ||
|   HostKeyAlgorithms +ssh-dss,ssh-rsa |   HostKeyAlgorithms +ssh-dss,ssh-rsa | ||
|   ## PubkeyAcceptedKeyTypes +ssh-dss,ssh-rsa # icx doesn't have a private key option - sadness |   ## PubkeyAcceptedKeyTypes +ssh-dss,ssh-rsa # icx doesn't have a private key option - sadness | ||
| === Git-Bash Client === | |||
| <pre> | |||
| .ssh/config | |||
| Host 10.0.100.* 10.0.200.* | |||
|     User admin | |||
|     # ICX SSH | |||
|     KexAlgorithms +diffie-hellman-group1-sha1 | |||
|     HostKeyAlgorithms +ssh-rsa | |||
|     MACs hmac-sha1 | |||
|     # # for ssh key to icx | |||
|     #PubkeyAcceptedKeyTypes +ssh-dss,ssh-rsa | |||
| Host * | |||
|   # General settings | |||
| </pre> | |||
| === Public Keys === | === Public Keys === | ||
| Line 717: | Line 852: | ||
|   enable |   enable | ||
|   conf t |   conf t | ||
| == Default Login == | |||
|  super | |||
|  sp-admin | |||
| = Recovery Mode = | |||
| As switch boots up, when you see the following, press 'b': | |||
|  Enter 'b' to stop at boot monitor: | |||
| Useful commands: | |||
| * boot_primary | |||
| * boot_secondary | |||
| * show_image | |||
| * no password  (not even listed in the help!!) | |||
| Help: | |||
| <pre> | |||
| Enter 'b' to stop at boot monitor:  0 | |||
| ICX7250-Boot> help | |||
| ?       - alias for 'help' | |||
| boot    - boot default, i.e., run 'bootcmd' | |||
| boot_primary-  boot from primary partition | |||
| boot_secondary-  boot from secondary partition | |||
| bootm   - boot application image from memory | |||
| cp      - memory copy | |||
| cpld_read- Read from cpld | |||
| cpld_write- write to cpld | |||
| dump_cpld- Dump CPLD Registers | |||
| eeprom  - EEPROM sub-system | |||
| ext2load- load binary file from a Ext2 filesystem | |||
| ext2ls  - list files in a directory (default /) | |||
| help    - print command description/usage | |||
| hwinfo  - Show HW Info | |||
| logging_disable- Disable Uboot Logs. | |||
| logging_enable- Enable Uboot Logs. | |||
| md      - memory display | |||
| nand    - NAND sub-system | |||
| ping    - send ICMP ECHO_REQUEST to network host | |||
| powercycle- Do a Hard Reset | |||
| printenv- print environment variables | |||
| reset   - Perform RESET of the CPU | |||
| saveenv - save environment variables to persistent storage | |||
| setenv  - set environment variables | |||
| sf      - SPI flash sub-system | |||
| show_image- Show Stored Images. | |||
| tftpboot-  boot image via network using TFTP protocol | |||
| update_primary-  update primary partition | |||
| update_secondary-  update secondary partition | |||
| update_uboot-  - get the uboot image over tftp. | |||
| usb     - USB sub-system | |||
| verify  - Verify Image | |||
| version - print monitor, compiler and linker version | |||
| </pre> | |||
| == Recoverying Firmware == | |||
|  Recovering Software - explains how to recover devices from image installation failure or deleted or corrupted flash images. | |||
|  https://docs.commscope.com/bundle/fastiron-09010-upgradeguide/page/GUID-9B5D5A56-039D-44FB-8FD2-B9B55E71ADE8.html | |||
| Update flash image: <ref>https://docs.commscope.com/bundle/fastiron-09010-upgradeguide/page/GUID-9B5D5A56-039D-44FB-8FD2-B9B55E71ADE8.html</ref> <ref>https://community.ruckuswireless.com/t5/RUCKUS-Support-for-Lennar-Homes/How-to-perform-a-Software-recovery-on-an-ICX7150-switch/m-p/47483</ref> | |||
| * tftp 64 - https://bitbucket.org/phjounin/tftpd64/downloads/ | |||
| ** https://github.com/peacepenguin/tftpd64/releases | |||
| <pre> | |||
| setenv ipaddr 192.168.0.3 | |||
| setenv gatewayip 192.168.0.2 | |||
| setenv netmask 255.255.255.0 | |||
| setenv serverip 192.168.0.2 | |||
| printenv | |||
| saveenv | |||
| ping 192.168.0.2 | |||
| setenv image_name SPS08090k.bin | |||
| update_primary | |||
| # ... | |||
| reset | |||
| </pre> | |||
| = Advanced = | |||
| == Loop Detection == | |||
| <blockquote> | |||
| "Spanning Tree Protocol doesn't cause problems; loops cause problems.  STP is a way of dealing with loops.  If you don't have STP enabled already and your network is working correctly, then you don't have any loops.  So loop protect will not gain you anything.<br/> | |||
| It's not as simple as just enabling spanning tree.  You need to plan your topology, then set your switch priorities so that the planned topology is achieved.  To achieve protection against loops (due to users plugging switches into each other), the preferred approach would be to set up STP correctly, then enable BPDU guard and loop protect on all edge ports.<br/> | |||
| '''Definitely don't use loop protect on uplinks and trunks; it is designed for edge ports.'''" <ref>https://community.hpe.com/t5/hpe-aruba-networking-provision/loop-protect-and-trunk-groups-or-uplinks/td-p/6098585</ref> | |||
| </blockquote> | |||
|  sh loop-detection status | |||
|  sh loop-detection disabled | |||
|  sh errdisable summary | |||
|  sh errdisable recovery | |||
| == More == | |||
|  hitless-failover enable | |||
|  sz registrar | |||
| = Example Dumps = | |||
| <pre> | |||
| interface ethernet 1/1/1 | |||
|  port-name UPLINK | |||
|  loop-detection shutdown-disable | |||
|  speed-duplex 10G-full | |||
| ! | |||
| </pre> | |||
| <pre> | |||
| interface ethernet 1/1/5 | |||
|  loop-detection | |||
|  speed-duplex 1000-full | |||
|  spanning-tree root-protect | |||
|  spanning-tree 802-1w admin-edge-port | |||
|  broadcast limit 1000 kbps | |||
|  multicast limit 8000 kbps | |||
|  trust dscp | |||
| ! | |||
| </pre> | |||
| <pre> | |||
| lag UPLINK1010 dynamic id 13 | |||
|  ports ethe 1/1/3 to 1/1/4 ethe 2/1/3 to 2/1/4 | |||
|  port-name UPLINK ethernet 1/1/3 | |||
|  port-name UPLINK ethernet 1/1/4 | |||
|  port-name UPLINK ethernet 2/1/3 | |||
|  port-name UPLINK ethernet 2/1/4 | |||
| ! | |||
| </pre> | |||
| <pre> | |||
| vlan 1010 name XYZ_1010_CI by port | |||
|  tagged ethe 1/1/10 to 1/1/20 ethe 2/1/15 to 2/1/20 lag 13 | |||
|  spanning-tree 802-1w | |||
|  spanning-tree 802-1w priority 65535 | |||
|  loop-detection | |||
| ! | |||
| </pre> | |||
| <pre> | |||
| vlan 3000 name LAB_MANAGEMENT by port | |||
|  tagged lag 10 | |||
|  router-interface ve 3000 | |||
|  spanning-tree 802-1w | |||
|  spanning-tree 802-1w priority 65535 | |||
|  loop-detection | |||
| ! | |||
| hostname MRSwitch | |||
| ip dhcp-client disable | |||
| ip dns domain-list example.com | |||
| ip dns server-address 10.10.10.2 | |||
| ip route 0.0.0.0/0 10.10.10.1 | |||
| interface ve 3000 | |||
|  ip address 10.10.10.10 255.255.255.0 | |||
| ! | |||
| ntp | |||
|  source-interface ve 3000 | |||
|  server 10.20.2.1 | |||
|  server 10.20.1.1 | |||
| </pre> | |||
| <pre> | |||
| ntp | |||
|  server 10.20.2.1 | |||
|  server 10.20.1.1 | |||
| </pre> | |||
| <pre> | |||
| banner motd ^C | |||
| ################################################################################^C | |||
| #                          NOTICE TO USERS                                     #^C | |||
| # This is an official computer system and is the property of Example Corp.     #^C | |||
| # It is for authorized users only. Unauthorized users are prohibited. Users    #^C | |||
| # (authorized or unauthorized) have no explicit or implicit expectation of     #^C | |||
| # privacy. Any or all uses of this system may be subject to one or more of the #^C | |||
| # following actions: interception, monitoring, recording, auditing, inspection #^C | |||
| # and disclosing to security personnel and law enforcement personnel, as well  #^C | |||
| # as authorized officials of other agencies, both domestic and foreign. By     #^C | |||
| # using this system, the user consents to these actions. Unauthorized or       #^C | |||
| # improper use of this system may result in administrative disciplinary action #^C | |||
| # and civil and criminal penalties. By accessing this system you indicate your #^C | |||
| # awareness of and consent to these terms and conditions of use. Discontinue   #^C | |||
| # access immediately if you do not agree to the conditions stated in this      #^C | |||
| # notice.                                                                      #^C | |||
| ################################################################################^C | |||
| ^C | |||
| ! | |||
| </pre> | |||
| <pre> | |||
| banner motd ^C | |||
| -------------------------------------------------------------^C | |||
| - Note: Legal Notice!                                       -^C | |||
| -                                                           -^C | |||
| - You must have prior authorization to access this system.  -^C | |||
| - All connections to this system are logged and monitored.  -^C | |||
| - By connecting to this system you fully consent to all     -^C | |||
| - monitoring. Unauthorized access or use will be prosecuted -^C | |||
| - to the full extent of the law.                            -^C | |||
| -------------------------------------------------------------^C | |||
| ^C | |||
| </pre> | |||
| <pre> | |||
| interface ethernet 1/1/1 to 1/1/48 | |||
|  port-name DATA | |||
|  loop-detection | |||
|  spanning-tree root-protect | |||
|  spanning-tree 802-1w admin-edge-port | |||
|  broadcast limit 8192 | |||
|  multicast limit 8192 | |||
|  stp-bpdu-guard | |||
|  trust dscp | |||
|  enable | |||
|  exit | |||
| </pre> | |||
| = keywords = | = keywords = | ||
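Review bot: the new "Default Login" section gives `super` and `sp-admin` with no label for which is the username and which the password, and nothing about changing them after first login; label the two values and point to the `username` and `enable super-user-password` commands. In the same hunk, `no password` in the Recovery Mode list has no description of what it does, and the firmware recovery steps go from `update_primary` straight to `reset` although the boot monitor help shown in this hunk lists `verify - Verify Image`; a note on checking the image (or its published checksum) before `reset` would help, since TFTP does not authenticate what it serves.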
Latest revision as of 20:58, 2 October 2025
Ruckus / Brocade Switches
See Ruckus
ICX Switch Consolidation
In an effort to consolidate products, Ruckus is focusing on the ICX 7850 and 7550 series of switches for the core and aggregation layers, as well as the ICX 7150, especially if already in place. The 7250, 7450, 7650 and 7750 are being discontinued. For the next generation, wireless-first, Ruckus is focusing on the ICX 8200 series, backed by the ICX 7850 and 7550.
End of Sale:
- 7150 - Mar 2025 (end of support Mar 2030)
- 7250 - Feb 2022 (end of support Dec 2027)
- 7450 - Nov 2024 (end of support Nov 2029)
- 7550 - No date posted yet - currently core focus for Ruckus Aggregation Switching
- 7650 - Dec 2023 (end of support Dec 2028)
- 7750 - Dec 2023 (end of support Dec 2028)
- 7850 - No date posted yet - currently core focus for Ruckus Core Switching
- 8200 - No date posted yet - currently core focus for Ruckus Access Switching
Reference:
RUCKUS End of Sale / End of Life Product Datelines https://support.ruckuswireless.com/documents/3631-end-of-sale-and-end-of-life-product-datelines
ICX         End of Sale         End of Support
ICX 6450    November 2, 2018    November 2, 2023   EOL DEAD!!!
ICX 7150    March 10, 2025      March 10, 2030
ICX 7250    February 7, 2022    December 31, 2027
ICX 7450    November 14, 2024   November 14, 2029
ICX 7750    December 31, 2023   December 31, 2028
ICX 7850    No date posted yet
ICX Focus
Core Switches
- ICX 7850
- ICX 7750 <EOL 2028>
Aggregation Switches
- ICX 7850 (core ^)
- ICX 7750 (core ^) <EOL 2028>
- ICX 7650 <EOL 2028>
- ICX 7550
- ICX 7450 <EOL 2029>
Access Switches
- ICX 8200
- ICX 7650 (aggregation ^) <EOL 2028>
- ICX 7550 (aggregation ^)
- ICX 7450 (aggregation ^) <EOL 2029>
- ICX 7150 <long-term-eol 2030>
Console Cables
Baud Bits per second -- 9600
Data bits -- 8
Parity -- None
Stop bits -- 1
Flow control -- None
ref [1]
6450 Console Cable
Brocade Rollover Cable (RJ45):
USB Console Cable,USB to RJ45 Console Cable for Cisco Routers/AP Router/Switch Windows, Mac, Linux(1.8m,Blue) https://www.amazon.com/OIKWAN-Compatible-Opengear-Aruba%EF%BC%8CJuniper-Switches/dp/B075V1RGQK
 
7150 Console Cable
Standard USB C Cable, with a backup of a Brocade Rollover Cable
USB C Cable
 
Brocade Rollover Cable (RJ45):
USB Console Cable,USB to RJ45 Console Cable for Cisco Routers/AP Router/Switch Windows, Mac, Linux(1.8m,Blue) https://www.amazon.com/OIKWAN-Compatible-Opengear-Aruba%EF%BC%8CJuniper-Switches/dp/B075V1RGQK
 
7250, 7450, 7750 Console Cable
USB Mini to Serial DB9 type cable:
USB to RS232 Serial Adapter, Mini USB 5 Pin Male to DB9 9 Pin Female Serial Converter Cable 1.8M/6Feet https://www.amazon.com/MTUERANC-Serial-Adapter-Female-Converter/dp/B0CL2BPDNK
 
Connect
Connect on Linux
# apt install tio
tio -b 9600 /dev/ttyS0
tio -b 9600 /dev/ttyUSB0
# apt install minicom
minicom -b 9600 -D /dev/ttyS0
minicom -b 9600 -D /dev/ttyUSB0
Connect on Windows
Use Tera Term or Putty and connect to COMX with Baud 9600
CLI
Show Config
sh run
All but "show config" will need "enable"
>enable
Interface Show
Show Interfaces
sh int bri
Show specific port:
show int eth 1/1/1
Show management port:
sh int bri | begin mgmt
License
Show licenses:
sh license
L3 Premium Features
Layer 3 Premium Features and Platform Support https://docs.commscope.com/bundle/fastiron-08095-licenseguide/page/GUID-B01E798A-B196-4544-86C2-DC90AB21CD6A.html
The Layer 3 Premium license supports the following features on an ICX 7450.
- OSPFv2
- OSPFv3 (IPv6)
- VRRP
- VRRPv3 (IPv6)
- VRRP-E
- GRE
- PBR
- PIM-SM, PIM-SSM, PIM-DM
- PIM Passive
- BGP, BGP4+ (IPv6)
- VRF (IPv4 and IPv6)
- IPv6 over IPv4 Tunnels
#sh license
Unit  License Name  L3 Premium  Port Speed Upgrade  Speed  Ports  MACsec
1     l3-prem       Yes         NA                  NA     NA     No
Logs
Show logs:
sh log
Clear logs:
clear log
Sample:
Syslog logging: enabled ( 0 messages dropped, 1 flushes, 0 overruns)
    Buffer logging: level ACDMEINW, 0 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error
                I=informational N=notification W=warning
Dynamic Log Buffer (50 lines):
Jan  1 12:19:30:I:Security: SSH login by myuser from src IP 10.10.10.10 from src MAC xxxx.xxxx.xxxx to USER EXEC mode using RSA as Server Host Key.
Jan  1 00:00:57:I:STP: VLAN 1 Port 1/1/30 STP State -> FORWARDING (FwdDlyExpiry)
Jan  1 00:00:55:I:STP: VLAN 1 Port 1/1/48 STP State -> LEARNING (FwdDlyExpiry)
MAC Addresses
Show collected MACs:
sh mac-addresses
Show just those local to interfaces on 1/1/*
sh mac-addresses | inc 1/1
# sh mac-a | inc 1/1/
98xx.xx.xxxx  1/1/13  Dynamic  228
98xx.xx.xxxx  1/1/13  Dynamic  228
f4xx.xx.xxxx  1/1/13  Dynamic  228
98xx.xx.xxxx  1/1/13  Dynamic  228
f4xx.xx.xxxx  1/1/14  Dynamic  300
0cxx.xx.xxxx  1/1/14  Dynamic  300
ARP Table
Show Arp Table:
# sh arp
Total number of ARP entries: 1
Entries in default routing instance:
No.  IP Address  MAC Address     Type     Age  Port  Status
1    10.10.10.1  b4xx.xxxx.xxxx  Dynamic  1    lg01  Valid
Management IP Show
Show IP:
show ip
If using router firmware:
show ip address # or 'sh ip addr'
Pagination
>enable
to skip pagination:
skip # or skip-page-display Disable page display mode
to page:
page Enable page display mode
Ping
ping [IP]
POE
Enable POE:
conf t
interface eth 1/1/1
 inline power
Disable POE:
conf t
interface eth 1/1/1
 no inline power
Show Interface POE:
show inline power
Show Interface POE details: (and firmware version)
show inline power details
Limit POE on interface:
interface ethernet 1/1/1 to 1/1/48
 inline power
 inline power power-limit 25000
Reboot Switch
reload
Version
Show switch version and model and serial:
show version
sh ver
Example:
>sh ver
...
    UNIT 1: compiled on Mar  2 2012 at 12:38:17 labeled as ICX64S07400
                (10360844 bytes) from Primary ICX64S07400.bin
        SW: Version 07.4.00T311
  Boot-Monitor Image size = 512, Version:07.4.00T310 (kxz07400)
  HW: Stackable ICX6450-48-HPOE
==========================================================================
UNIT 1: SL 1: ICX6450-48p POE 48-port Management Module
         Serial  #: BZTXXXXXXXX
         License: BASE_SOFT_PACKAGE   (LID: dbvHKIFjFox)
...
VLAN Show
Show VLANs:
show vlan
Config
Configure:
enable
configure terminal # or conf t
Show Config:
show config
sh run
Write Config:
write mem
Clear Config:
erase startup-config
Hostname
hostname [name]
Banner
Display banner at login: [2]
banner motd $
Enter TEXT message, End with the character '$'.
Welcome!!!
$
Interface
sh int bri
Show specific port:
show int eth 1/1/1
Show management port:
sh int bri | begin mgmt
Disable Interface
int eth 1/1/48
 disable
 enable
IP
Management Interface DHCP Client
dhcp ip
Enable DHCP
ip dhcp-client enable
ip dhcp-client auto-update enable
Disable DHCP
no ip dhcp-client enable
Static IP
ip address 10.10.10.104/24
# or
ip address 10.10.10.104 255.255.255.0
ip default-gateway 10.10.10.1
no ip dhcp-client auto-update enable
no ip dhcp-client enable
Show IP:
show ip
Management VLAN
Designate which VLAN carries the management traffic: [3]
vlan 10 by port
 management-vlan
Default is VLAN 1
License
set license [4]
license install perpetual <unit number> <type of license>
license install perpetual 1 4x10GR
license delete perpetual 1 4x10gr
SFP
GBIC
Types:
- 1G M-TX(SFP) - 1 GigE
Part#
- SFP-1000BASE-TX = 1 GigE Copper
- SFP-GE-T = 1 GigE Copper
Combos:
- 1G M-TX(SFP) w/ SFP-1000BASE-TX = 1 GigE Copper
- 1G M-TX(SFP) w/ SFP-GE-T = 1 GigE Copper
---
# show media
...
Port 1/3/1: Type : EMPTY
Port 1/3/2: Type : EMPTY
Port 1/3/3: Type : 1G M-TX(SFP)
Port 1/3/4: Type : EMPTY
# sh media et 1/3/3
Port   1/3/3: Type  : 1G M-TX(SFP)
             Vendor: XXX    Version: D1
             Part# : SFP-1000BASE-TX    Serial#: XXX
# sh int bri
..
1/3/3 Up Forward Full 1G None No 1 0 xxxx.xxxx.xxxx
#sh int et 1/3/3
10GigabitEthernet1/3/3 is up, line protocol is up
Note: If a 1-Gbps optic transceiver is inserted, you must configure the port using the speed-duplex 1000-full-master command at the interface level. [5]
Enable port: [6]
# conf term
# int ethernet 1/3/3
# speed-duplex 1000-full-master
or short form: [7]
config t
int e 1/2/1
 speed 1000-full
# sh run
...
stack unit 1
  module 1 icx7150-48pf-poe-port-management-module
  module 2 icx7150-2-copper-port-2g-module
  module 3 icx7150-4-sfp-plus-port-40g-module
  stack-port 1/3/1
  stack-port 1/3/3
!
interface ethernet 1/3/3
 speed-duplex 1000-full
!
10GE SFP+
- 10GE SR 300m ((SFP+))
- 10GE USR 100m (SFP +)
Spanning Tree
Disable Spanning Tree On specific port:
interface ethernet 1/1/1
 no spanning-tree
!
SSH
Show ssh config settings:
sh ip ssh config
> sh ip ssh config
...
SSH server : Enabled
SSH port : tcp\22
Host Key : DSA 1024, RSA 1024
Encryption : aes256-cbc, aes192-cbc, aes128-cbc, aes256-ctr, aes192-ctr, aes128-ctr, 3des-cbc
...
Authentication methods : Password, Public-key, Interactive
...
Enable SSH:
## Generate keys
crypto key generate rsa
# ^ Their offer: ssh-rsa
crypto key generate dsa
# ^ Their offer: ssh-dss
# Add admin user:
username admin pri 0 password [PASSWORD]
# enable
aaa authentication login default local
Disable SSH:
crypto key zeroize
crypto key zeroize dsa
Note: the ICX uses a really old key exchange method, 'diffie-hellman-group1-sha1'
debug1: kex: algorithm: diffie-hellman-group1-sha1
debug1: kex: host key algorithm: ssh-rsa
# or debug1: kex: host key algorithm: ssh-dss
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
Linux Client
To allow diffie-hellman-group1-sha1, edit either .ssh/config(to host) or /etc/ssh/ssh_config and add the following:
# ICX SSH
# KexAlgorithms +diffie-hellman-group1-sha1
KexAlgorithms +diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
HostKeyAlgorithms +ssh-dss,ssh-rsa
# for ssh key to icx
PubkeyAcceptedKeyTypes +ssh-dss,ssh-rsa
.ssh/config
Host *
  # ICX SSH
  KexAlgorithms +diffie-hellman-group1-sha1
  HostKeyAlgorithms +ssh-dss,ssh-rsa
  # for ssh key to icx
  PubkeyAcceptedKeyTypes +ssh-dss,ssh-rsa
---
NOTE: If you want to have the switch connect in reverse to do firmware updates, make sure to add the same to /etc/ssh/sshd_config
# Allow system to connect to Legacy ICX switches
KexAlgorithms +diffie-hellman-group1-sha1
HostKeyAlgorithms +ssh-dss,ssh-rsa
## PubkeyAcceptedKeyTypes +ssh-dss,ssh-rsa # icx doesn't have a private key option - sadness
Git-Bash Client
.ssh/config
Host 10.0.100.* 10.0.200.*
    User admin
    # ICX SSH
    KexAlgorithms +diffie-hellman-group1-sha1
    HostKeyAlgorithms +ssh-rsa
    MACs hmac-sha1
    # # for ssh key to icx
    #PubkeyAcceptedKeyTypes +ssh-dss,ssh-rsa
Host *
  # General settings
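The Linux Client block above enables the legacy algorithms under `Host *`, while the Git-Bash block limits them to the switch subnets. The following is an added example, not part of the original page: a small audit that reports where an ssh_config enables the algorithms this page lists and whether that scope covers every host. The function names and the two sample configs (copied from the blocks above) are this example's own.

```python
import re
from typing import List, NamedTuple

# Legacy algorithms this page re-enables for ICX, keyed by lower-cased keyword.
LEGACY = {
    "kexalgorithms": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"},
    "hostkeyalgorithms": {"ssh-dss", "ssh-rsa"},
    "pubkeyacceptedkeytypes": {"ssh-dss", "ssh-rsa"},
    "pubkeyacceptedalgorithms": {"ssh-dss", "ssh-rsa"},  # current name of the option above
}


class Finding(NamedTuple):
    line: int        # 1-based line number in the config text
    scope: str       # "(global)" or the Host/Match line the directive sits under
    keyword: str
    algorithm: str
    broad: bool      # True when the scope applies to every destination


# "Keyword value" or "Keyword=value"
DIRECTIVE = re.compile(r"(\S+?)(?:\s*=\s*|\s+)(.*)")


def audit_ssh_config(text: str) -> List[Finding]:
    """Return every place the config enables one of the LEGACY algorithms."""
    findings = []
    scope, broad = "(global)", True  # directives before the first Host apply everywhere
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.fullmatch(line)
        if not m:
            continue  # single-token lines, e.g. a ".ssh/config" filename label
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "host":
            scope, broad = "Host " + value, "*" in value.split()
            continue
        if keyword == "match":
            scope, broad = "Match " + value, value.lower() == "all"
            continue
        legacy = LEGACY.get(keyword)
        if legacy is None or value.startswith("-"):
            continue  # "-list" removes algorithms, so it cannot enable one
        for algorithm in value.lstrip("+^").split(","):
            if algorithm.strip() in legacy:
                findings.append(Finding(number, scope, keyword, algorithm.strip(), broad))
    return findings


def broad_findings(text: str) -> List[Finding]:
    """Only the findings whose scope reaches hosts other than the switches."""
    return [f for f in audit_ssh_config(text) if f.broad]


# Sample inputs: the two client configs shown on this page.
LINUX_CLIENT_CONFIG = """\
Host *
  # ICX SSH
  KexAlgorithms +diffie-hellman-group1-sha1
  HostKeyAlgorithms +ssh-dss,ssh-rsa
  # for ssh key to icx
  PubkeyAcceptedKeyTypes +ssh-dss,ssh-rsa
"""

GIT_BASH_CONFIG = """\
Host 10.0.100.* 10.0.200.*
    User admin
    # ICX SSH
    KexAlgorithms +diffie-hellman-group1-sha1
    HostKeyAlgorithms +ssh-rsa
    MACs hmac-sha1
    # # for ssh key to icx
    #PubkeyAcceptedKeyTypes +ssh-dss,ssh-rsa
Host *
  # General settings
"""

if __name__ == "__main__":
    for name, cfg in (("linux", LINUX_CLIENT_CONFIG), ("git-bash", GIT_BASH_CONFIG)):
        for f in audit_ssh_config(cfg):
            tag = "ALL HOSTS" if f.broad else "scoped"
            print(f"{name}:{f.line}: [{tag}] {f.scope}: {f.keyword} {f.algorithm}")
```

Findings marked as broad are the ones to move under a `Host` pattern that matches only the switches.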
Public Keys
- Note: The public key file may contain up to 16 DSA or RSA key pairs.
- Note: Each key in the public key must be in exactly this format (remove the ssh-rsa prefix, the 'Comment' line is optional): [8]
- Note: Use a 2048 bit key (ssh-keygen -b 2048). The larger key will generate connect issues for 6450s (probably 7150s too). (no key from blob. pkalg ssh-rsa: invalid format) [9]
ssh-keygen -b 2048
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted from OpenSSH"
AAAAB3NaC1yc2EAAAABIwAAAQEA0pt94yJmKwPfPZnxxYSS1aVaaqWgRM79EfRXf2XUrs
834hx881MmQedye1oJrntvA8LyVUIepOdbc874i4259mtSXx+cfZW0/QeJggT/1zE82+n
w706gGqNsE+XsT12bi6KU4Al2IWULce74yfQY9/amy38ZPCesKKurH4+2m/Ba69391lp
nJ0BIQidn+I8hARUGayrOTrx/e2^kdC+2aNh6mS17KDiRyj8WBV3F5z5f5rlYBL/WoJ2beo
R3L6H6wHXP8dZ1F4IqeVxeIimkFTzMEE*r/wHCnhewetnDy3iJAgr0TXTicJ1Qpb1MCBkB
XaynjuDYSf4Kmgn8znaQ==
---- END SSH2 PUBLIC KEY ----
Copy the combined key file (up to 16 keys) to tftp server, and have the ICX pull and override keyfile with:
conf term
ip ssh pub-key-file tftp [TFTP_IP] [PATH/keyfile.txt]
List keys:
show ip client-pub-key
Remove pub key file:
ip ssh pub-key-file remove
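The key file format and limits described in this section (SSH2 block without the `ssh-rsa` prefix, keys no larger than 2048 bits, at most 16 keys per file) can be checked before the file is placed on the TFTP server. The following is an added example, not part of the original page or any Ruckus tooling: it converts OpenSSH `ssh-rsa` public key lines into that block format and rejects oversized keys. The function names are this example's own, and `sample_openssh_line` builds a constructed, non-functional key purely as test input.

```python
import base64
import struct
from typing import Iterable, Optional

MAX_KEYS = 16      # "The public key file may contain up to 16 DSA or RSA key pairs."
MAX_BITS = 2048    # larger keys are reported on this page to fail on 6450s


def _read_string(blob: bytes, off: int):
    """Read one length-prefixed field of an SSH public key blob."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack_from(">I", blob, off)
    off += 4
    if off + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + length], off + length


def rsa_modulus_bits(blob: bytes) -> int:
    """Bit length of the RSA modulus in an ssh-rsa blob (fields: type, e, n)."""
    alg, off = _read_string(blob, 0)
    if alg != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key: %r" % alg)
    _e, off = _read_string(blob, off)
    n, _ = _read_string(blob, off)
    return int.from_bytes(n, "big").bit_length()


def openssh_to_ssh2(pub_line: str, comment: Optional[str] = None,
                    max_bits: int = MAX_BITS) -> str:
    """Convert one 'ssh-rsa AAAA... comment' line to the SSH2 block format."""
    fields = pub_line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected an OpenSSH ssh-rsa public key line")
    blob = base64.b64decode(fields[1], validate=True)
    bits = rsa_modulus_bits(blob)
    if bits > max_bits:
        raise ValueError("%d-bit key exceeds the %d-bit limit" % (bits, max_bits))
    b64 = base64.b64encode(blob).decode("ascii")
    lines = ["---- BEGIN SSH2 PUBLIC KEY ----"]
    if comment:
        lines.append('Comment: "%s"' % comment)   # optional, as noted above
    lines += [b64[i:i + 70] for i in range(0, len(b64), 70)]
    lines.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(lines)


def build_keyfile(pub_lines: Iterable[str]) -> str:
    """Combine several keys into one file for 'ip ssh pub-key-file tftp ...'."""
    pub_lines = list(pub_lines)
    if len(pub_lines) > MAX_KEYS:
        raise ValueError("key file may hold at most %d keys" % MAX_KEYS)
    return "\n".join(openssh_to_ssh2(line) for line in pub_lines) + "\n"


def sample_openssh_line(bits: int) -> str:
    """Constructed input: well-formed ssh-rsa line; the modulus is NOT a real key."""
    def mpint(x: int) -> bytes:
        raw = x.to_bytes(x.bit_length() // 8 + 1, "big")  # leading 0 keeps it positive
        return struct.pack(">I", len(raw)) + raw
    n = (1 << (bits - 1)) | 1
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " admin@example"


if __name__ == "__main__":
    print(build_keyfile([sample_openssh_line(2048)]))
    try:
        openssh_to_ssh2(sample_openssh_line(4096))
    except ValueError as err:
        print("rejected:", err)
```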
Neighbour Detection
Neighbour Detection [10]
Link Layer Discovery Protocol (LLDP) - Vendor agnostic link layer protocol to advertise device capabilities and directly connected neighbours on the network.
lldp run
show lldp neighbors
Foundry Discovery Protocol (FDP) - Foundry/Brocade specific link layer protocol to advertise device capabilities and directly connected neighbours on the network.
fdp run
show fdp neighbors
Cisco Discovery Protocol (CDP) - Cisco specific link layer protocol to advertise device capabilities and directly connected neighbours on the network.
cdp run
show cdp neighbors
VLAN
Show VLANs:
show vlan
Clear VLAN:
no vlan [#]
Simple VLAN
vlan 100 name MyVLAN by port
 tagged e 1/2/1
 untagged e 1/1/1 to 1/1/48
!
LAG
Simple LAG with VLAN:
lag LAG1 dynamic id 1
 ports ethe 1/1/47 to 1/1/48
!
vlan 3200 name MyVLAN by port
 tagged lag 1
 untagged e 1/1/1 to 1/1/46
!
Static vs dynamic:
lag LAG1 dynamic id 1
lag LAG1 static id 1
Show lag:
sh lag
sh lag id 1
Name ports:
lag LAG1
 port-name UPLINK-A ethernet 1/1/47
 port-name UPLINK-B ethernet 1/1/48
Disable one port:
lag LAG1
 disable e 1/1/48
lag LAG1
 enable e 1/1/48
Remove a port:
lag LAG1
 no ports e 1/1/47
Time
clock summer-time
clock timezone us Pacific
clock timezone us mountain
sh clock
sh clock detail
NTP Client:
ntp
 server 10.x.x.1
 server 10.x.x.2
 server 0.pool.ntp.org minpoll 10 burst
 server 1.pool.ntp.org minpoll 10 burst
Show ntp status: [11]
show ntp status
show ntp associations
Disable NTP client:
ntp
 disable
Enable NTP client:
ntp
 no disable
Disable serving time to clients:
ntp
 disable serve
Specify source interface: [12]
source-interface ethernet 1/3/1
! ntp-interface management 1
Daylight Saving (Summer Time) [13] [14]
clock summer-time zone us pacific start 02-28-21 02:00:00 end 10-30-21 02:00:00 offset 60
clock summer-time zone us mountain start 02-28-16 02:00:00 end 10-30-16 02:00:00 offset 30
Note: Will have to be manually updated each year.
Note: "Before you begin to configure NTP, you must use the clock set command to set the time on your device to within 1000 seconds of the coordinated Universal Time (UTC)." [15]
clock set [16]
exit
!
clock set hh:mm:ss mm-dd-yy/yyyy
clock set 02:49:00 11-23-24
Users
Add Users:
username admin password [PASSWORD]
no username admin
username myuser privilege [LEVEL] password [PASSWORD]
# LEVEL: <0 READ-WRITE, 4 PORT-CONFIG, 5 READ-ONLY> User privilege level
Require Login:
aaa authentication web-server default local
aaa authentication login default local
Configure separate enable privilege passwords:
enable super-user-password [PASSWORD]
enable port-config-password [PASSWORD]
enable read-only-password [PASSWORD]
no enable super-user-password
Enter enable mode:
enable
Show who logged in as:
sh who
Privilege Levels
3 privileged levels:
- enable super-user-password [PASSWORD] - Super-user level password
- enable port-config-password [PASSWORD] - Port level configuration password
- enable read-only-password [PASSWORD] - Read-only level password
- Super User level - Allows complete read-and-write access to the system. This is generally for system administrators and is the only management privilege level that allows you to configure passwords.
- Port Configuration level - Allows read-and-write access for specific ports but not for global (system-wide) parameters.
- Read-only level - Allows access to the Privileged EXEC mode and User EXEC mode of the CLI but only with read access.
Authentication, Authorization, and Accounting
Authentication, Authorization, and Accounting (AAA) is a security framework that controls access to computer resources, enforces policies, and audits usage.
- Authentication - confirm users are who they claim they are (username/password)
- Authorization - granted privileges to authorized user
- Accounting - tracking user activity
Sample config:
aaa authentication web-server default local
aaa authentication login default tacacs+ local
aaa authentication login privilege-mode
aaa authorization exec default tacacs+
aaa accounting exec default start-stop tacacs+
AAA Protocols:
- Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that authorizes and authenticates users who access a remote network
- Terminal Access Controller Access Control System Plus (TACACS+) - a remote authentication AAA protocol that lets a remote access server communicate with an authentication server for user validation
- Diameter - evolved from the RADIUS protocol
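One way to check a saved running-config against the sample config above (an added example, not part of the original page or of any Ruckus tooling). The config excerpts are constructed, and the choice of which services to check is an assumption.

```python
import re

# Constructed running-config excerpts, modelled on the sample config above.
GOOD = """\
aaa authentication web-server default local
aaa authentication login default tacacs+ local
aaa authentication login privilege-mode
aaa authorization exec default tacacs+
aaa accounting exec default start-stop tacacs+
"""
WEAK = """\
aaa authentication login default tacacs+
aaa authorization exec default tacacs+
"""

REMOTE = {"tacacs+", "tacacs", "radius"}
AAA_RE = re.compile(
    r"^aaa\s+(authentication|authorization|accounting)\s+(\S+)\s+default\s+(.+)$")

def parse_aaa(config):
    """Return {(function, service): [methods in the order they are tried]}."""
    lists = {}
    for line in config.splitlines():
        m = AAA_RE.match(line.strip())
        if m:
            func, service, rest = m.groups()
            # "start-stop" is the accounting trigger, not a method.
            lists[(func, service)] = [t for t in rest.split() if t != "start-stop"]
    return lists

def audit_aaa(config, services=("login", "web-server")):
    """Flag gaps in the three AAA functions for the given access services."""
    lists, findings = parse_aaa(config), []
    for svc in services:
        methods = lists.get(("authentication", svc))
        if not methods:
            findings.append(f"{svc}: no authentication method list")
        elif all(m in REMOTE for m in methods):
            findings.append(f"{svc}: only remote methods, no local fallback")
    for func in ("authorization", "accounting"):
        if (func, "exec") not in lists:
            findings.append(f"exec: no {func} method list")
    return findings

if __name__ == "__main__":
    print(audit_aaa(WEAK))
```
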
Firmware
Firmware Versions
ICX FastIron Stable series:
08.0.95p 2024-06-27
08.0.95n 2024-01-31 *** recommended stable ***
08.0.95m 2023-08-24
08.0.95k 2023-06-16
08.0.95j 2023-06-16
08.0.95h 2022-09-02
...
08.0.95 2020-09-14
...
08.0.90d 2019-09-27 *** used as jump to ufi ***
https://support.ruckuswireless.com/software/1186-ruckus-icx-7xxx-icx-6xxxx-campus-switch-firmware-download
https://support.ruckuswireless.com/products/108-ruckus-icx-7150-campus-switches?open=document#firmwares
https://support.ruckuswireless.com/products/108-ruckus-icx-7150-campus-switches
Recommended Software: (as of 2024.07.08)
Stability Release: RUCKUS ICX FastIron 08.0.95n (GA) Software Release (.zip)
"Ruckus ICX software currently has two recommended release types; Stability and Technology.
Stability Release: This is for customers where stability is of utmost importance. This release may not contain every feature available for your product.
Technology Release: This is for customers looking to utilize the maximum feature set available for your product.
We recommend most customers utilize the Stability Release if it contains all needed features for your network. A Technology Release is recommended if your network requires newer features not available in the Stability Release."
08.0.95n
RUCKUS ICX FastIron 08.0.95n (GA) Software Release (.zip)
https://support.ruckuswireless.com/software/3958-ruckus-icx-fastiron-08-0-95n-ga-software-release-zip
Applies to: ICX7150, ICX7250, ICX7450, ICX7550, ICX7650, ICX7750, ICX7850
08.0.95m
RUCKUS ICX FastIron 08.0.95m (GA) Software Release (.zip)
https://support.ruckuswireless.com/software/3749-ruckus-icx-fastiron-08-0-95m-ga-software-release-zip
Applies to: ICX7150, ICX7250, ICX7450, ICX7550, ICX7650, ICX7750, ICX7850
Select Boot Slot
Show boot configuration:
ICX7450 #sh boot-preference
Boot system preference(Configured):
        Use Default
Boot system preference(Default):
        Boot system flash primary
        Boot system flash secondary
Select second boot slot:
ICX7450# Boot system flash secondary
Show boot configuration after change:
ICX7450# sh boot-preference
Boot system preference(Configured):
        Boot system flash secondary
Boot system preference(Default):
        Boot system flash primary
        Boot system flash secondary
Show configuration:
ICX7450# sh run
Current configuration:
!
...
!
boot sys fl sec
Reset Password
As switch boots up, when you see the following, press 'b':
Enter 'b' to stop at boot monitor:
then type "no password":
no password
then type "boot" to continue booting:
boot # or boot_primary
Then either change password
enable
conf t
Default Login
super sp-admin
Recovery Mode
As switch boots up, when you see the following, press 'b':
Enter 'b' to stop at boot monitor:
Useful commands:
- boot_primary
- boot_secondary
- show_image
- no password (not even listed in the help!!)
Help:
Enter 'b' to stop at boot monitor: 0
ICX7250-Boot> help
? - alias for 'help'
boot - boot default, i.e., run 'bootcmd'
boot_primary- boot from primary partition
boot_secondary- boot from secondary partition
bootm - boot application image from memory
cp - memory copy
cpld_read- Read from cpld
cpld_write- write to cpld
dump_cpld- Dump CPLD Registers
eeprom - EEPROM sub-system
ext2load- load binary file from a Ext2 filesystem
ext2ls - list files in a directory (default /)
help - print command description/usage
hwinfo - Show HW Info
logging_disable- Disable Uboot Logs.
logging_enable- Enable Uboot Logs.
md - memory display
nand - NAND sub-system
ping - send ICMP ECHO_REQUEST to network host
powercycle- Do a Hard Reset
printenv- print environment variables
reset - Perform RESET of the CPU
saveenv - save environment variables to persistent storage
setenv - set environment variables
sf - SPI flash sub-system
show_image- Show Stored Images.
tftpboot- boot image via network using TFTP protocol
update_primary- update primary partition
update_secondary- update secondary partition
update_uboot- - get the uboot image over tftp.
usb - USB sub-system
verify - Verify Image
version - print monitor, compiler and linker version
Recovering Firmware
Recovering Software - explains how to recover devices from image installation failure or deleted or corrupted flash images. https://docs.commscope.com/bundle/fastiron-09010-upgradeguide/page/GUID-9B5D5A56-039D-44FB-8FD2-B9B55E71ADE8.html
setenv ipaddr 192.168.0.3
setenv gatewayip 192.168.0.2
setenv netmask 255.255.255.0
setenv serverip 192.168.0.2
printenv
saveenv
ping 192.168.0.2
setenv image_name SPS08090k.bin
update_primary
# ...
reset
Advanced
Loop Detection
"Spanning Tree Protocol doesn't cause problems; loops cause problems. STP is a way of dealing with loops. If you don't have STP enabled already and your network is working correctly, then you don't have any loops. So loop protect will not gain you anything.
It's not as simple as just enabling spanning tree. You need to plan your topology, then set your switch priorities so that the planned topology is achieved. To achieve protection against loops (due to users plugging switches into each other), the preferred approach would be to set up STP correctly, then enable BPDU guard and loop protect on all edge ports.
Definitely don't use loop protect on uplinks and trunks; it is designed for edge ports." [19]
sh loop-detection status
sh loop-detection disabled
sh errdisable summary
sh errdisable recovery
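The rule in the advice quoted above (BPDU guard and loop protect on edge ports, none on uplinks) can be checked against a saved running-config. This is an added example, not part of the original page: the config is constructed, and identifying uplinks by `port-name UPLINK` is an assumption borrowed from this page's example dumps.

```python
# Constructed config, modelled on the Example Dumps on this page.
SAMPLE = """\
interface ethernet 1/1/1
 port-name UPLINK
 loop-detection
!
interface ethernet 1/1/2
 port-name UPLINK
 loop-detection shutdown-disable
!
interface ethernet 1/1/5
 port-name DATA
 loop-detection
 spanning-tree 802-1w admin-edge-port
 stp-bpdu-guard
!
interface ethernet 1/1/6
 port-name DATA
 spanning-tree 802-1w admin-edge-port
!
"""

def parse_interfaces(config):
    """Map each 'interface ...' header to the list of its sub-commands."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = stanzas.setdefault(line[len("interface "):], [])
        elif line in ("!", "exit") or not raw.startswith(" "):
            current = None  # stanza ended or a global command started
        elif current is not None:
            current.append(line)
    return stanzas

def audit_ports(config, uplink_names=("UPLINK",)):
    """Check the rule quoted above: guards on edge ports, none on uplinks."""
    findings = []
    for port, cmds in parse_interfaces(config).items():
        name = next((c.split(None, 1)[1] for c in cmds if c.startswith("port-name ")), "")
        is_uplink = name in uplink_names
        is_edge = "spanning-tree 802-1w admin-edge-port" in cmds
        # Assumption: 'loop-detection shutdown-disable' keeps the port up, so it is allowed.
        if is_uplink and "loop-detection" in cmds:
            findings.append((port, "loop-detection can shut down an uplink"))
        if is_edge and not is_uplink:
            for guard in ("stp-bpdu-guard", "loop-detection"):
                if guard not in cmds:
                    findings.append((port, f"edge port missing {guard}"))
    return findings
```

Calling `audit_ports(SAMPLE)` returns a list of `(port, finding)` tuples; pass a different `uplink_names` tuple if uplinks are labelled differently.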
More
hitless-failover enable
sz registrar
Example Dumps
interface ethernet 1/1/1
 port-name UPLINK
 loop-detection shutdown-disable
 speed-duplex 10G-full
!
interface ethernet 1/1/5
 loop-detection
 speed-duplex 1000-full
 spanning-tree root-protect
 spanning-tree 802-1w admin-edge-port
 broadcast limit 1000 kbps
 multicast limit 8000 kbps
 trust dscp
!
lag UPLINK1010 dynamic id 13
 ports ethe 1/1/3 to 1/1/4 ethe 2/1/3 to 2/1/4
 port-name UPLINK ethernet 1/1/3
 port-name UPLINK ethernet 1/1/4
 port-name UPLINK ethernet 2/1/3
 port-name UPLINK ethernet 2/1/4
!
vlan 1010 name XYZ_1010_CI by port
 tagged ethe 1/1/10 to 1/1/20 ethe 2/1/15 to 2/1/20 lag 13
 spanning-tree 802-1w
 spanning-tree 802-1w priority 65535
 loop-detection
!
vlan 3000 name LAB_MANAGEMENT by port
 tagged lag 10
 router-interface ve 3000
 spanning-tree 802-1w
 spanning-tree 802-1w priority 65535
 loop-detection
!
hostname MRSwitch
ip dhcp-client disable
ip dns domain-list example.com
ip dns server-address 10.10.10.2
ip route 0.0.0.0/0 10.10.10.1
interface ve 3000
 ip address 10.10.10.10 255.255.255.0
!
ntp
 source-interface ve 3000
 server 10.20.2.1
 server 10.20.1.1
ntp
 server 10.20.2.1
 server 10.20.1.1
banner motd ^C
################################################################################^C
# NOTICE TO USERS #^C
# This is an official computer system and is the property of Example Corp. #^C
# It is for authorized users only. Unauthorized users are prohibited. Users #^C
# (authorized or unauthorized) have no explicit or implicit expectation of #^C
# privacy. Any or all uses of this system may be subject to one or more of the #^C
# following actions: interception, monitoring, recording, auditing, inspection #^C
# and disclosing to security personnel and law enforcement personnel, as well #^C
# as authorized officials of other agencies, both domestic and foreign. By #^C
# using this system, the user consents to these actions. Unauthorized or #^C
# improper use of this system may result in administrative disciplinary action #^C
# and civil and criminal penalties. By accessing this system you indicate your #^C
# awareness of and consent to these terms and conditions of use. Discontinue #^C
# access immediately if you do not agree to the conditions stated in this #^C
# notice. #^C
################################################################################^C
^C
!
banner motd ^C
-------------------------------------------------------------^C
- Note: Legal Notice! -^C
- -^C
- You must have prior authorization to access this system. -^C
- All connections to this system are logged and monitored. -^C
- By connecting to this system you fully consent to all -^C
- monitoring. Unauthorized access or use will be prosecuted -^C
- to the full extent of the law. -^C
-------------------------------------------------------------^C
^C
interface ethernet 1/1/1 to 1/1/48
 port-name DATA
 loop-detection
 spanning-tree root-protect
 spanning-tree 802-1w admin-edge-port
 broadcast limit 8192
 multicast limit 8192
 stp-bpdu-guard
 trust dscp
 enable
 exit
keywords
- [1] https://docs.commscope.com/bundle/icx7150-installguide/page/GUID-9FB7FB94-16E9-4FB8-8BBB-8B1BDD9B7E79.html
- [2] https://docs.commscope.com/bundle/fastiron-08095-managementguide/page/GUID-5A14B1C5-DD1A-40E3-A371-6C7A0407D796.html
- [3] https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-61483D35-3F95-43FB-8092-33C14E0D188D.html
- [4] https://support.ruckuswireless.com/articles/000007612
- [5] https://docs.commscope.com/bundle/icx7150-installguide/page/GUID-B346251F-DFCC-4441-B047-6E3A3E88839C.html
- [6] https://docs.commscope.com/bundle/icx7150-installguide/page/GUID-B346251F-DFCC-4441-B047-6E3A3E88839C.html
- [7] https://community.ruckuswireless.com/t5/ICX-Switches/Configuring-SFP-port-on-7150-C08p/td-p/27124
- [8] https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-E00DB049-9D65-4438-A64F-A947648A70AE.html
- [9] https://apple.stackexchange.com/questions/356323/ssh-fails-with-ssh-dispatch-run-fatal-invalid-format
- [10] https://support.purdi.com/hc/en-gb/articles/360021220292-Ruckus-ICX-Neighbour-Detection-using-LLDP-CDP-FDP
- [11] https://docs.commscope.com/bundle/fastiron-08095-managementguide/page/GUID-98F32DCC-B4D7-4531-BC58-42F47C984868.html
- [12] https://docs.commscope.com/bundle/fastiron-08095-managementguide/page/GUID-0A5F29D9-CBA8-440A-9EB7-61BCEA35E240.html
- [13] https://docs.commscope.com/bundle/fastiron-08091-managementguide/page/GUID-E670EE11-FBD6-4D1E-9099-6E231887D245.html
- [14] https://docs.commscope.com/bundle/fastiron-08095-managementguide/page/GUID-E670EE11-FBD6-4D1E-9099-6E231887D245.html
- [15] https://community.ruckuswireless.com/t5/ICX-Switches/Force-sync-ntp/m-p/45909
- [16] https://docs.commscope.com/bundle/icx7150-installguide/page/GUID-453AC7E4-0CCF-4EB0-8E4B-3002CE8CCB24.html
- [17] https://docs.commscope.com/bundle/fastiron-09010-upgradeguide/page/GUID-9B5D5A56-039D-44FB-8FD2-B9B55E71ADE8.html
- [18] https://community.ruckuswireless.com/t5/RUCKUS-Support-for-Lennar-Homes/How-to-perform-a-Software-recovery-on-an-ICX7150-switch/m-p/47483
- [19] https://community.hpe.com/t5/hpe-aruba-networking-provision/loop-protect-and-trunk-groups-or-uplinks/td-p/6098585