Ruckus/ICX-7150: Difference between revisions
| Line 92: | Line 92: | ||
| or | or | ||
|   (config)# ip address 172.31.0.1 255.255.255.0 |   (config)# ip address 172.31.0.1 255.255.255.0 | ||
| == Privilege Levels == | |||
| 3 privileged levels: | |||
| #  super-user-password           Super-user level password | |||
| #  port-config-password          Port level configuration password | |||
| #  read-only-password            Read-only level password | |||
|  enable | |||
|  conf term | |||
| 1. Set Super User level password: | |||
|  enable super-user-password [PASSWORD] | |||
| 2. Set Port Configure password: | |||
|  enable port-config-password [PASSWORD] | |||
| 3. Set Read Only level password: | |||
|  enable read-only-password [PASSWORD] | |||
| ref: https://docs.ruckuswireless.com/fastiron/08.0.60/fastiron-08060-securityguide/GUID-F35168E7-729D-46A2-ACE1-68148B01443D.html | |||
| == Recover from a Lost Password == | |||
| # Reboot the device. | |||
| # At the initial boot prompt at system startup, enter '''b''' to enter the boot monitor mode. | |||
| # Enter '''no password''' at the prompt. (You cannot abbreviate this command.) This command will cause the device to bypass the system password check. | |||
| # Enter '''boot system flash primary''' at the prompt. | |||
| ref: https://docs.ruckuswireless.com/fastiron/08.0.60/fastiron-08060-securityguide/GUID-986D5DF0-BF7E-4327-9030-396433DFFD9D.html | |||
| == Show Software Version and Hardware Model == | == Show Software Version and Hardware Model == | ||
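Review bot: The "Recover from a Lost Password" steps stop at "boot system flash primary" and never tell the reader to set a new password once the switch is up, even though step 3 says the system password check is bypassed. Add a closing step that sets it again with "enable super-user-password [PASSWORD]" from the Privilege Levels section added in the same revision, and state that the procedure only needs access to the boot prompt, so whoever can reach the console can get past the password. In Privilege Levels, the bare "enable" / "conf term" lines sit between the level list and step 1 with no label saying they are the prerequisite for the three commands, and "3 privileged levels" should read "privilege levels".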
Revision as of 21:42, 16 February 2024
USB C Management Console Connection
[ 1783.328741] usb 3-3: new full-speed USB device number 4 using xhci_hcd
[ 1783.470048] usb 3-3: New USB device found, idVendor=10c4, idProduct=ea60
[ 1783.470052] usb 3-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 1783.470054] usb 3-3: Product: CP2104 USB to UART Bridge Controller
[ 1783.470055] usb 3-3: Manufacturer: Silicon Labs
[ 1783.470057] usb 3-3: SerialNumber: 017C6EED
[ 1783.534393] usbcore: registered new interface driver usbserial
[ 1783.534405] usbcore: registered new interface driver usbserial_generic
[ 1783.534416] usbserial: USB Serial support registered for generic
[ 1783.550518] usbcore: registered new interface driver cp210x
[ 1783.550531] usbserial: USB Serial support registered for cp210x
[ 1783.550559] cp210x 3-3:1.0: cp210x converter detected
[ 1783.551382] usb 3-3: cp210x converter now attached to ttyUSB0
# tio -b 9600 /dev/ttyUSB0
[tio 07:47:59] tio v1.32
[tio 07:47:59] Press ctrl-t q to quit
[tio 07:47:59] Connected
ICX7150-48-Switch>
| Parameter | Value | 
| Baud Rate | 9600 | 
| Data Bits | 8 | 
| Parity | None | 
| Stop Bits | 1 | 
| Flow Control | None | 
Initial View
ICX7150-48-Switch>enable
No password has been assigned yet...
ICX7150-48-Switch#show config
INFO: empty config data in the primary area, try to read from backup
INFO: empty config data in the backup area also
Show IP
Initially the switch is configured for DHCP, with telnet access. To see the address:
ICX7150-48-Switch#show ip
     Switch IP address: 10.10.10.228
           Subnet mask: 255.255.255.0
Default router address: 10.10.10.1
   TFTP server address: 10.248.1.206
Configuration filename: None
        Image filename: None
            DNS Server: 10.10.10.1
                IP MTU: 1500
Initial telnet: "The ICX7150-24F, ICX7150-C08P, and ICX7150-C10ZP switches ship from the factory with SSH enabled and Telnet disabled. All other switches have Telnet enabled only."
Assign IP
(config)# ip address 172.31.0.1/24
or
(config)# ip address 172.31.0.1 255.255.255.0
Privilege Levels
Three privilege levels:
- super-user-password Super-user level password
- port-config-password Port level configuration password
- read-only-password Read-only level password
enable
conf term
1. Set Super User level password:
enable super-user-password [PASSWORD]
2. Set Port Configure password:
enable port-config-password [PASSWORD]
3. Set Read Only level password:
enable read-only-password [PASSWORD]
Recover from a Lost Password
1. Reboot the device.
2. At the initial boot prompt at system startup, enter "b" to enter the boot monitor mode.
3. Enter "no password" at the prompt. (You cannot abbreviate this command.) This command will cause the device to bypass the system password check.
4. Enter "boot system flash primary" at the prompt.
Show Software Version and Hardware Model
>sh ver
  Copyright (c) 2017 Ruckus Wireless, Inc. All rights reserved.
    UNIT 1: compiled on Apr 12 2019 at 11:46:50 labeled as SPS08070db
      (25717216 bytes) from Primary SPS08070db.bin
        SW: Version 08.0.70dbT211
      Compressed Boot-Monitor Image size = 786944, Version:10.1.14T225 (mnz10114)
       Compiled on Thu Nov 15 12:59:22 2018
  HW: Stackable ICX7150-48-POEF
==========================================================================
UNIT 1: SL 1: ICX7150-48PF-4X1G POE 48-port Management Module
      Serial  #:XXXXXXXXXXX
      Current License: 4X1G
      P-ASIC  0: type B160, rev 11  Chip BCM56160_B0
==========================================================================
UNIT 1: SL 2: ICX7150-2X1GC 2-port 2G Module
==========================================================================
UNIT 1: SL 3: ICX7150-4X10GF 4-port 40G Module
==========================================================================
 1000 MHz ARM processor ARMv7 88 MHz bus
 8192 KB boot flash memory
 2048 MB code flash memory
 1024 MB DRAM
STACKID 1  system uptime is 336 day(s) 1 hour(s) 11 minute(s) 35 second(s)
The system started at 04:05:00 GMT+00 Sat Jan 01 2000
The system : started=cold start
Enable SSH
(Note: Telnet is enabled by default and does not require a username.)
crypto key generate - http://docs.ruckuswireless.com/fastiron/08.0.50/fastiron-08050-commandref/GUID-74724EE0-E8FB-46A1-8FBA-9E2F342D5B93.html
- To enable SSH, you generate a DSA or RSA host key on the device. The SSH server on the Brocade device uses this host DSA or RSA key, along with a dynamically generated server DSA or RSA key pair, to negotiate a session key and encryption method with the client trying to connect to it. While the SSH listener exists at all times, sessions cannot be started from clients until a host key is generated. After a host key is generated, clients can start sessions. When a host key is generated, it is saved to the flash memory of all management modules. The time to initially generate SSH keys varies depending on the configuration, and can be from under a minute to several minutes.
- To disable SSH, you delete all of the host keys from the device. When a host key is deleted, it is deleted from the flash memory of all management modules.
Enable SSH: [1]
## Generate keys
crypto key generate dsa
# Add admin user:
username admin pri 0 password passphrase
# enable
aaa authentication login default local
then wait... takes about 5 minutes, and you will eventually see:
DSA Key pair is successfully created
.. ..
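root@server:~# ssh admin@10.10.10.100
Unable to negotiate with 10.10.10.100 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
Fix on the switch:
ip ssh key-exchange-method dh-group14-sha1
or, as a client-side workaround, re-enable the legacy algorithms for this one connection (current OpenSSH turns diffie-hellman-group1-sha1 and ssh-dss off by default because they are weak, so the switch-side fix is preferable):
ssh -v -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss -caes256-cbc 10.10.10.100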
Generate keys:
(config)#crypto key generate rsa modulus 2048
(config)#ip ssh key-exchange-method dh-group14-sha1
Warning: This operation would close all existing SSH connection.
(config)#username admin privilege 0 password [PASSWORD]
  DECIMAL <0 READ-WRITE, 4 PORT-CONFIG, 5 READ-ONLY> User privilege level
(config)#aaa authentication login default local
To require local authentication for enable (privileged mode) as well:
(config)#aaa authentication enable default local
To drop straight into privileged mode after login (use in labs only, not production):
(config)#aaa authentication login privilege-mode
To change password:
(config)#username admin password [PASSWORD]
ref: https://robrobstation.com/2017/07/17/ruckus-icx7150-c12p-initial-configuration/
Sample config:
ICX7150-48-Switch(config)#write terminal
Current configuration:
!
ver 08.0.61aT211
!
stack unit 1
  module 1 icx7150-48-port-management-module
  module 2 icx7150-2-copper-port-2g-module
  module 3 icx7150-4-sfp-plus-port-40g-module
!
!
!
!
!
!
!
!
!
!
aaa authentication enable default local
aaa authentication login default local
ip address 10.10.10.228 255.255.255.0 dynamic
ip default-gateway 10.10.10.1 dynamic
!
username admin password .....
!
!
interface ethernet 1/3/1
 speed-duplex 1000-full
!
interface ethernet 1/3/2
 speed-duplex 1000-full
!
interface ethernet 1/3/3
 speed-duplex 1000-full
!
interface ethernet 1/3/4
 speed-duplex 1000-full
!
!
!
!
!
!
ip ssh key-exchange-method dh-group14-sha1
!
!
end
Disable SSH
Delete the host keys
crypto key zeroize
crypto key zeroize dsa
crypto key generate - http://docs.ruckuswireless.com/fastiron/08.0.50/fastiron-08050-commandref/GUID-74724EE0-E8FB-46A1-8FBA-9E2F342D5B93.html
- To disable SSH, you delete all of the host keys from the device. When a host key is deleted, it is deleted from the flash memory of all management modules.
Disable Telnet
Telnet carries logins and session traffic in cleartext, so once SSH is enabled and working, disable it:
(config)#no telnet server
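An added example (not part of the original page and not Ruckus tooling): a small Python audit that checks a saved "write terminal" dump for the settings applied in the Enable SSH and Disable Telnet sections. The embedded config is abridged from the sample config above; the check names are made up for this example, and it assumes that a missing "no telnet server" line means Telnet is still on, as the page states for this model's factory default.

```python
import re

# Constructed sample: abridged from the "write terminal" output shown on this page.
SAMPLE_CONFIG = """\
ver 08.0.61aT211
!
aaa authentication enable default local
aaa authentication login default local
ip address 10.10.10.228 255.255.255.0 dynamic
ip default-gateway 10.10.10.1 dynamic
!
username admin password .....
!
ip ssh key-exchange-method dh-group14-sha1
!
end
"""

# (check id, pattern, line must be present?, message). Check ids are hypothetical names.
CHECKS = [
    ("telnet-disabled", r"^no telnet server$", True,
     "Telnet still enabled (assumes factory default is on); add 'no telnet server'"),
    ("login-local", r"^aaa authentication login default local$", True,
     "logins are not authenticated against local users"),
    ("enable-local", r"^aaa authentication enable default local$", True,
     "enable (privileged mode) is not authenticated against local users"),
    ("ssh-kex", r"^ip ssh key-exchange-method dh-group14-sha1$", True,
     "SSH key exchange not moved off the group1-sha1 default"),
    ("local-user", r"^username \S+ .*password", True,
     "no local user with a password is defined"),
    ("no-auto-priv", r"^aaa authentication login privilege-mode$", False,
     "login lands directly in privileged mode (lab-only setting)"),
]

def audit(config_text):
    """Return (check_id, message) for every hardening check the config fails."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    lines = [ln for ln in lines if ln and ln != "!"]  # drop blanks and '!' separators
    findings = []
    for check_id, pattern, must_be_present, message in CHECKS:
        present = any(re.search(pattern, ln) for ln in lines)
        if present != must_be_present:
            findings.append((check_id, message))
    return findings

if __name__ == "__main__":
    for check_id, message in audit(SAMPLE_CONFIG):
        print(f"[FAIL] {check_id}: {message}")
```

Run against the page's sample config, the only failure is the Telnet check, which is why the "no telnet server" step above matters even after SSH and local AAA are in place.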
Clock
Daylight Saving (Summer Time) [2]
clock summer-time zone us pacific start 02-28-21 02:00:00 end 10-30-21 02:00:00 offset 60
Note: Will have to be updated each year.
Enable POE
See Ruckus/ICX-6450-48#Enable POE
Firmware
Newer firmware combines the bootrom and firmware images into a single file, called the Unified FastIron Image (UFI) [3]
"Ruckus recommends that you always use the manifest file for any image upgrade or downgrade." [4]
"If you are upgrading from FastIron release 08.0.80 to release 08.0.90, Ruckus recommends using SCP to transfer files." [5]
"Software images for all RUCKUS ICX devices can be uploaded and downloaded between flash modules on the device and a TFTP, SCP, HTTPS, or USB module on the network." [6]
Ruckus FastIron Software Upgrade Guide, 08.0.90 PDF [7]
username: super default password: sp-admin
copy tftp system-manifest 10.0.0.10 FI08090j_Manifest.txt all-images-primary
copy tftp flash 10.0.0.10 ICX7150/Images/SPS08090j.bin primary
copy tftp system-manifest 10.0.0.10 FI08090_Manifest.txt all_images_primary
copy tftp system-manifest 10.0.0.10 FI08090_Manifest.txt primary
! Doesn't work, due to TFTP issues
copy tftp system-manifest 10.0.0.10 08080f/FI08080f_Manifest.txt all-images-primary
copy tftp flash 10.0.0.10 08080f/ICX7150/Boot/mnz10114.bin bootrom
! wait for this command to complete!
erase flash primary
copy tftp flash 10.0.0.10 08080f/ICX7150/Images/SPS08080f.bin primary
! wait for this command to complete!
erase flash secondary
copy tftp flash 10.0.0.10 08080f/ICX7150/Images/SPR08080f.bin secondary
! wait for this command to complete!
show flash
config t
boot sys flash prim
exit
wr mem
reload
copy tftp system-manifest 10.0.0.10 08090j/FI08090j_Manifest.txt all-images-primary
copy tftp system-manifest 10.0.0.10 08090j/FI08090j_Manifest.txt primary
copy tftp system-manifest 10.0.0.10 08090j/FI08090j_Manifest.txt secondary
copy scp system-manifest 10.0.0.10 /tftp/08090j/FI08090j_Manifest.txt primary
copy tftp system-manifest 10.0.0.10 08090d/FI08090d_Manifest.txt all-images-primary
copy tftp system-manifest 10.0.0.10 08090d/FI08090d_Manifest.txt primary
copy tftp system-manifest 10.0.0.10 08090d/FI08090d_Manifest.txt secondary
erase flash primary
erase flash secondary
copy tftp flash 10.0.0.10 08090d/ICX7150/Boot/mnz10115.bin bootrom
copy tftp flash 10.0.0.10 08090d/ICX7150/Images/SPS08090d.bin primary
copy tftp flash 10.0.0.10 08090d/ICX7150/Images/SPR08090d.bin secondary
copy tftp flash 10.0.0.10 08090d/ICX7150/Images/SPS08090dufi.bin primary
copy tftp flash 10.0.0.10 08090d/ICX7150/Images/SPS08090dufi.bin secondary
copy tftp flash 10.0.0.10 08090d/ICX7150/Images/SPR08090dufi.bin secondary
erase flash primary
copy tftp flash 10.0.0.10 08090j/ICX7150/Images/SPS08090jufi.bin primary
erase flash secondary
copy tftp flash 10.0.0.10 08090j/ICX7150/Images/SPR08090jufi.bin secondary
! Enable SSH
crypto key generate dsa
conf t
crypto key generate dsa
end
copy scp flash 10.0.0.10 /tftp/08090d/ICX7150/Boot/mnz10115.bin bootrom
copy scp flash 10.0.0.10 /tftp/08090d/ICX7150/Images/SPS08090d.bin primary
show flash
config t
boot sys flash prim
exit
wr mem
reload
copy scp flash 10.0.0.10 /tftp/08090j/ICX7150/Images/SPS08090jufi.bin primary
copy scp flash 10.0.0.10 /tftp/08090j/ICX7150/Images/SPS08090jufi.bin secondary
! Copy primary to secondary
copy flash flash secondary
show flash
config t
boot sys flash prim
exit
wr mem
reload
! Write POE Flash
inline power install-firmware stack-unit 1 scp 10.0.0.10 /tftp/08090j/ICX7150/Firmware/icx7xxx_poe_02.1.1.b002.fw
Error: No Unit in the system has PoE module
poe fw ref: https://docs.commscope.com/bundle/fastiron-08030-adminguide/page/GUID-2E378DEB-4CD3-41F8-90E4-28EA47BCAD28.html
sh inl pow det
Firmware Version
----------------
02.1.1 Build 002
Hardware Version
----------------
V2R4
boot system flash secondary
# permanent
boot system flash primary yes
ref: http://docs.ruckuswireless.com/fastiron/08.0.50/fastiron-08050-commandref/GUID-9B008914-403A-4FE1-8445-5DCD63F9A1A2.html
sh boot-preference
Configure SSH on a Ruckus Switch | me@luiscachog.io - https://luiscachog.io/configure-ruckus-switch/
device(config)# crypto-ssl certificate generate
device(config)# username USERNAME password PASSWORD
device(config)# aaa authentication login default local
device(config)# aaa authentication web-server default local
TFTP session timed out - on boot
Summary: TFTP session timed out messages on console after boot up
Question: Why did TFTP session time out messages on console after boot up?
Customer Environment: FI 07.1.00
-- Root Cause --
In the FastIron series, starting from FI 07.1.00, DHCP Client-Based Auto-Configuration is supported and enabled by default. DHCP Client-Based Auto-Configuration allows Layer 2 and Layer 3 devices to automatically obtain leased IP addresses through a DHCP server, negotiate an address lease renewal, and obtain the flash image and configuration files. For the details, please refer to FastIron configuration guide.
The above messages mean FastIron switch got an IP address from the DHCP server and is trying to get a configuration file from the TFTP server but there is no response from the TFTP server. The messages can be ignored if the user is not trying to download a configuration file from TFTP server.
-- Troubleshooting Steps --
In FastIron 7.1.00 and later, when booting up the FastIron switch, the user is seeing the following messages on console and an output in show log:
##console
FWS648G Switch#TFTP session timed out
FWS648G Switch#TFTP session timed out
##show log
0d00h03m30s:D:DHCPC: TFTP unable to download running-configuration
0d00h03m13s:D:DHCPC: sending TFTP request for bootfile name fws-switch.cfg
0d00h02m56s:D:DHCPC: sending TFTP request for bootfile name brocade.cfg
0d00h02m39s:D:DHCPC: sending TFTP request for bootfile name foundry.cfg
0d00h02m22s:D:DHCPC: sending TFTP request for bootfile name FWS648G-Switch0024.38fb.9000.cfg
0d00h02m05s:D:DHCPC: sending TFTP request for bootfile name FWS648G-Switch0024.38fb.9000-config.cfg
0d00h01m49s:D:DHCPC: sending TFTP request for bootfile name FWS648G-Switch0024.38fb.9000-config.cfg
0d00h01m33s:D:DHCPC: sending TFTP request for bootfile name FWS648G-Switch0024.38fb.9000-config.cfg
0d00h01m17s:D:DHCPC: sending TFTP request for bootfile name FWS648G-Switch0024.38fb.9000-config.cfg
0d00h01m01s:D:DHCPC: sending TFTP request for bootfile name FWS648G-Switch0024.38fb.9000-config.cfg
-- Resolution --
If the user does not want to see such a message, users can do the following:
1. Configure the IP address on the switch statically
2. Configure no ip dhcp-client enable command.
ref: [8]