ICX: Difference between revisions

From Omnia
Jump to navigation Jump to search
Line 163: Line 163:
* Note: The public key file may contain up to 16 DSA or RSA key pairs.
* Note: The public key file may contain up to 16 DSA or RSA key pairs.
* Note: Each key in the public key must be in exactly this format (remove the ssh-rsa prefix, the 'Comment' line is optional): <ref>ref https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-E00DB049-9D65-4438-A64F-A947648A70AE.html</ref>
* Note: Each key in the public key must be in exactly this format (remove the ssh-rsa prefix, the 'Comment' line is optional): <ref>ref https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-E00DB049-9D65-4438-A64F-A947648A70AE.html</ref>
* Note: Use a 2048 bit key (ssh-keygen -b 2048).  The larger key will generate issues for 6450s (probably 7150s too).
* Note: Use a 2048 bit key (ssh-keygen -b 2048).  The larger key will generate connect issues for 6450s (probably 7150s too). (no key from blob. pkalg ssh-rsa: invalid format) <ref>https://apple.stackexchange.com/questions/356323/ssh-fails-with-ssh-dispatch-run-fatal-invalid-format</ref>


<pre>
<pre>

Revision as of 20:32, 15 March 2024

Ruckus / Brocade Switches

See Ruckus

Connect

Connect on Linux

# apt install tio
tio -b 9600 /dev/ttyS0
tio -b 9600 /dev/ttyUSB0
# apt install minicom
minicom -b 9600 -D /dev/ttyS0
minicom -b 9600 -D /dev/ttyUSB0

Connect on Windows

Use Tera Term or Putty and connect to COMX with Baud 9600

CLI

Show Config

sh run

All but "show config" will need "enable"

>enable

Interfaces

Show Interfaces

sh int bri

Show specific port:

show int eth 1/1/1

Show management port:

sh int bri | begin mgmt

IP

Show IP:

show ip

License

Show licenses:

sh license

Logs

Show logs:

sh log

Clear logs:

clear log

Sample:

Syslog logging: enabled ( 0 messages dropped, 1 flushes, 0 overruns)
    Buffer logging: level ACDMEINW, 0 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error
                I=informational N=notification W=warning

Dynamic Log Buffer (50 lines):
Jan  1 12:19:30:I:Security: SSH login by myuser from src IP 10.10.10.10 from src MAC xxxx.xxxx.xxxx to USER EXEC mode using RSA as Server Host Key.
Jan  1 00:00:57:I:STP: VLAN 1 Port 1/1/30 STP State -> FORWARDING (FwdDlyExpiry)
Jan  1 00:00:55:I:STP: VLAN 1 Port 1/1/48 STP State -> LEARNING (FwdDlyExpiry)

Pagination

>enable

to skip pagination:

skip
# or skip-page-display
  Disable page display mode

to page:

page
  Enable page display mode

Ping

ping [IP]

POE

Enable POE:

conf t
 interface eth 1/1/1
  inline power

Disable POE:

conf t
 interface eth 1/1/1
  no inline power

Show Interface POE:

show inline power

Show Interface POE details: (and firmware version)

show inline power details

Limit POE on interface:

int ent ethernet 1/1/1 to 1/1/48
  inline power
  inline power power-limit 25000

Reboot Switch

reload

SSH

Show ssh config settings:

sh ip ssh config
> sh ip ssh config
...
SSH server                 : Enabled
SSH port                   : tcp\22
Host Key                   : DSA 1024,  RSA 1024
Encryption                 : aes256-cbc, aes192-cbc, aes128-cbc, aes256-ctr, aes192-ctr, aes128-ctr, 3des-cbc
...
Authentication methods     : Password, Public-key, Interactive
...

Enable SSH:

## Generate keys
crypto key generate rsa
  # ^ Their offer: ssh-rsa
crypto key generate dsa
  # ^ Their offer: ssh-dss
# Add admin user:
username admin pri 0 password [PASSWORD]
# enable 
aaa authentication login default local

Disable SSH:

crypto key zeroize
crypto key zeroize dsa

Note, the ICX uses really old key exchange method 'diffie-hellman-group1-sha1'

debug1: kex: algorithm: diffie-hellman-group1-sha1
debug1: kex: host key algorithm: ssh-rsa
# or
debug1: kex: host key algorithm: ssh-dss
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none

To allow diffie-hellman-group1-sha1, edit either .ssh/config(to host) or /etc/ssh/ssh_config and add the following:

KexAlgorithms=+diffie-hellman-group1-sha1

If you want to use dsa/dss, you will need to add (DSA was open source alternative to RSA while it was still in patent life, which has since expired):

PubkeyAcceptedKeyTypes +ssh-dss

Public Keys

  • Note: The public key file may contain up to 16 DSA or RSA key pairs.
  • Note: Each key in the public key must be in exactly this format (remove the ssh-rsa prefix, the 'Comment' line is optional): [1]
  • Note: Use a 2048 bit key (ssh-keygen -b 2048). The larger key will generate connect issues for 6450s (probably 7150s too). (no key from blob. pkalg ssh-rsa: invalid format) [2]
---- BEGIN SSH2 PUBLIC KEY ---- 
Comment:  "2048-bit RSA, converted from OpenSSH"
AAAAB3NaC1yc2EAAAABIwAAAQEA0pt94yJmKwPfPZnxxYSS1aVaaqWgRM79EfRXf2XUrs
834hx881MmQedye1oJrntvA8LyVUIepOdbc874i4259mtSXx+cfZW0/QeJggT/1zE82+n
w706gGqNsE+XsT12bi6KU4Al2IWULce74yfQY9/amy38ZPCesKKurH4+2m/Ba69391lp
nJ0BIQidn+I8hARUGayrOTrx/e2^kdC+2aNh6mS17KDiRyj8WBV3F5z5f5rlYBL/WoJ2beo
R3L6H6wHXP8dZ1F4IqeVxeIimkFTzMEE*r/wHCnhewetnDy3iJAgr0TXTicJ1Qpb1MCBkB
XaynjuDYSf4Kmgn8znaQ==
---- END SSH2 PUBLIC KEY ----

Copy the combined key file (up to 16 keys) to tftp server, and have the ICX pull and override keyfile with:

conf term
 ip ssh pub-key-file tftp [TFTP_IP] [PATH/keyfile.txt]

List keys:

show ip client-pub-key

Remove pub key file:

ip ssh pub-key-file remove

Version

Show switch version and model and serial:

show version
sh ver

Example:

>sh ver
...
    UNIT 1: compiled on Mar  2 2012 at 12:38:17 labeled as ICX64S07400
                (10360844 bytes) from Primary ICX64S07400.bin
        SW: Version 07.4.00T311
  Boot-Monitor Image size = 512, Version:07.4.00T310 (kxz07400)
  HW: Stackable ICX6450-48-HPOE
==========================================================================
UNIT 1: SL 1: ICX6450-48p POE 48-port Management Module
         Serial  #: BZTXXXXXXXX
         License: BASE_SOFT_PACKAGE   (LID: dbvHKIFjFox)
...

VLANs

Show VLANs:

show vlan

Config

Configure:

enable
configure terminal
# or conf t

Show Config:

show config
sh run

Write Config:

write mem

Clear Config:

erase startup-config

DHCP Client

Management Interface DHCP Client

dhcp ip

ip dhcp-client enable
ip dhcp-client auto-update enable
no ip dhcp-client enable

Static IP

ip address 10.10.10.104/24
# or
ip address 10.10.10.104 255.255.255.0
ip default-gateway 10.10.10.1
no ip dhcp-client auto-update enable
no ip dhcp-client enable

Show IP:

show ip

Interface

sh int bri

Show specific port:

show int eth 1/1/1

Show management port:

sh int bri | begin mgmt

Disable Interface

int eth 1/1/48
  disable
  enable

Spanning Tree

Disable Spanning Tree On specific port:

interface ethernet 1/1/1
 loop-detection
 no spanning-tree
!

VLAN

Show VLANs:

show vlan

Clear VLAN:

no vlan [#]

Hostname

hostname [name]

Users

Add Users:

username admin password [PASSWORD]
no username admin
username myuser privilege [LEVEL] password [PASSWORD]
# LEVEL:   <0 READ-WRITE, 4 PORT-CONFIG, 5 READ-ONLY> User privilege level

Require Login:

aaa authentication web-server default local
aaa authentication login default local

Configure seperate enable privilege passwords:

enable super-user-password [PASSWORD]
enable port-config-password [PASSWORD]
enable read-only-password [PASSWORD]
no enable super-user-password

Enter enable mode:

enable

Show who logged in as:

sh who

Privilege Levels

3 privileged levels:

  1. enable super-user-password [PASSWORD]] - Super-user level password
  2. enable port-config-password [PASSWORD]] - Port level configuration password
  3. enable read-only-password [PASSWORD]] - Read-only level password
  • Super User level - Allows complete read-and-write access to the system. This is generally for system administrators and is the only management privilege level that allows you to configure passwords.
  • Port Configuration level - Allows read-and-write access for specific ports but not for global (system-wide) parameters.
  • Read-only level - Allows access to the Privileged EXEC mode and User EXEC mode of the CLI but only with read access.

Reset Password

As switch boots up, when you see the following, press 'b':

Enter 'b' to stop at boot monitor:

then type "no password":

no password

then type "boot" to continue booting:

boot
# or boot_primary

Then either change password

enable
conf t

keywords