ICX
Revision as of 05:18, 8 June 2024
Ruckus / Brocade Switches
See Ruckus
Connect
Connect on Linux
# apt install tio
tio -b 9600 /dev/ttyS0
tio -b 9600 /dev/ttyUSB0
# apt install minicom
minicom -b 9600 -D /dev/ttyS0
minicom -b 9600 -D /dev/ttyUSB0
Connect on Windows
Use Tera Term or PuTTY and connect to COMx at 9600 baud (8 data bits, no parity, 1 stop bit, no flow control).
CLI
Show Config
sh run
Most commands beyond the basic show commands require privileged EXEC mode; enter it with:
>enable
Interface Show
Show Interfaces
sh int bri
Show specific port:
show int eth 1/1/1
Show management port:
sh int bri | begin mgmt
License
Show licenses:
sh license
Logs
Show logs:
sh log
Clear logs:
clear log
Sample:
Syslog logging: enabled ( 0 messages dropped, 1 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 0 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error I=informational N=notification W=warning
Dynamic Log Buffer (50 lines):
Jan 1 12:19:30:I:Security: SSH login by myuser from src IP 10.10.10.10 from src MAC xxxx.xxxx.xxxx to USER EXEC mode using RSA as Server Host Key.
Jan 1 00:00:57:I:STP: VLAN 1 Port 1/1/30 STP State -> FORWARDING (FwdDlyExpiry)
Jan 1 00:00:55:I:STP: VLAN 1 Port 1/1/48 STP State -> LEARNING (FwdDlyExpiry)
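The buffer above is the only on-box record of who logged in, it holds 50 lines, and clear log or a reload empties it, so the practical use is to forward it to a syslog server and parse it there. The following is an added example (not Ruckus/Brocade code) that parses lines in the layout the sample shows, "Mon D HH:MM:SS:<severity letter>:<facility>: <text>", extracts the Security facility's SSH login events and flags any whose source IP is outside an allowed management subnet. The sample buffer, the second login from 192.0.2.77 and the 10.10.10.0/24 allow-list are all constructed for the example. The Jan 1 00:00 timestamps in the page's sample are what an unsynchronised clock produces after boot; set the clock or NTP if these lines are to be usable as evidence.

```python
"""Parse an ICX `show log` buffer and pull out SSH login events.

Added example for this page, not Ruckus/Brocade code. Assumes the line
layout of the sample: "Mon D HH:MM:SS:<severity letter>:<facility>: <text>".
The sample buffer below is constructed; the 192.0.2.77 login is a made-up
event to exercise the allow-list check, and the allowed management subnet
is an assumption of the example.
"""
import ipaddress
import re

# Severity letters as listed in the `show log` header line
SEVERITY = {
    "A": "alert", "C": "critical", "D": "debugging", "M": "emergency",
    "E": "error", "I": "informational", "N": "notification", "W": "warning",
}

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}):"
    r"(?P<sev>[ACDMEINW]):(?P<fac>[^:]+): ?(?P<msg>.*)$"
)
# The page's sample masks the MAC as xxxx.xxxx.xxxx, so 'x' is allowed here
SSH_LOGIN_RE = re.compile(
    r"SSH login by (?P<user>\S+) from src IP (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r" from src MAC (?P<mac>[0-9a-fx.]+)"
)

# Constructed sample buffer (not a real capture); mirrors the page's format
SAMPLE_LOG = """\
Syslog logging: enabled ( 0 messages dropped, 1 flushes, 0 overruns)
Dynamic Log Buffer (50 lines):
Jan 1 12:19:30:I:Security: SSH login by myuser from src IP 10.10.10.10 from src MAC 0000.0000.0001 to USER EXEC mode using RSA as Server Host Key.
Jan 1 12:21:02:I:Security: SSH login by admin from src IP 192.0.2.77 from src MAC 0000.0000.0002 to USER EXEC mode using RSA as Server Host Key.
Jan 1 00:00:57:I:STP: VLAN 1 Port 1/1/30 STP State -> FORWARDING (FwdDlyExpiry)
Jan 1 00:00:55:I:STP: VLAN 1 Port 1/1/48 STP State -> LEARNING (FwdDlyExpiry)
"""


def parse_line(line):
    """Return a dict with ts/severity/fac/msg, or None for header and noise lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = SEVERITY[rec.pop("sev")]
    return rec


def ssh_logins(lines):
    """Yield one dict per SSH login event (ts, user, ip, mac) in the buffer."""
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["fac"] != "Security":
            continue
        m = SSH_LOGIN_RE.search(rec["msg"])
        if m:
            yield {"ts": rec["ts"], **m.groupdict()}


def flag_unexpected(lines, allowed_cidrs):
    """Return SSH logins whose source IP lies outside every allowed management net."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return [
        ev for ev in ssh_logins(lines)
        if not any(ipaddress.ip_address(ev["ip"]) in net for net in nets)
    ]


if __name__ == "__main__":
    # Usage: paste `show log` output into a file and run: python icxlog.py < log.txt
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for ev in flag_unexpected(text.splitlines(), ["10.10.10.0/24"]):
        print(f"{ev['ts']} unexpected SSH login: {ev['user']} from {ev['ip']}")
```

The facility and severity fields are kept on every record, so the same parser can be extended to other events worth alerting on (failed logins, configuration changes) by adding a pattern per message type.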
Management IP Show
Show IP:
show ip
Pagination
>enable
To skip pagination:
skip-page-display   # disable page display mode; "skip" is accepted as the abbreviation
To page:
page-display        # enable page display mode; "page" is accepted as the abbreviation
Ping
ping [IP]
POE
Enable POE:
conf t
interface eth 1/1/1
 inline power
Disable POE:
conf t
interface eth 1/1/1
 no inline power
Show Interface POE:
show inline power
Show per-port POE details (including the PoE firmware version):
show inline power details
Limit POE on a range of interfaces (power-limit is in milliwatts, so 25000 = 25 W):
interface ethernet 1/1/1 to 1/1/48
 inline power
 inline power power-limit 25000
Reboot Switch
reload
Version
Show software version, hardware model and serial number:
show version
sh ver
Example:
>sh ver
...
UNIT 1: compiled on Mar 2 2012 at 12:38:17 labeled as ICX64S07400
(10360844 bytes) from Primary ICX64S07400.bin
SW: Version 07.4.00T311
Boot-Monitor Image size = 512, Version:07.4.00T310 (kxz07400)
HW: Stackable ICX6450-48-HPOE
==========================================================================
UNIT 1: SL 1: ICX6450-48p POE 48-port Management Module
Serial #: BZTXXXXXXXX
License: BASE_SOFT_PACKAGE (LID: dbvHKIFjFox)
...
VLAN Show
Show VLANs:
show vlan
Config
Configure:
enable
configure terminal   # or conf t
Show Config (show config displays the saved startup config, show run the running config):
show config
sh run
Write Config:
write mem
Clear Config:
erase startup-config
Hostname
hostname [name]
Banner
Display banner at login: [1]
banner motd $
Enter TEXT message, End with the character '$'.
Welcome!!! $
Interface
sh int bri
Show specific port:
show int eth 1/1/1
Show management port:
sh int bri | begin mgmt
Disable Interface
int eth 1/1/48
 disable
# re-enable the port:
 enable
IP
Management Interface DHCP Client
ip dhcp-client enable
ip dhcp-client auto-update enable
# disable the DHCP client:
no ip dhcp-client enable
Static IP
ip address 10.10.10.104/24   # or: ip address 10.10.10.104 255.255.255.0
ip default-gateway 10.10.10.1
no ip dhcp-client auto-update enable
no ip dhcp-client enable
Show IP:
show ip
SFP
GBIC
# show media
...
Port   1/3/1: Type : EMPTY
Port   1/3/2: Type : EMPTY
Port   1/3/3: Type : 1G M-TX(SFP)
Port   1/3/4: Type : EMPTY
# sh media et 1/3/3
Port   1/3/3: Type : 1G M-TX(SFP)
Vendor: XXX        Version: D1
Part# : SFP-1000BASE-TX   Serial#: XXX
# sh int bri
..
1/3/3  Up  Forward  Full  1G  None  No  1  0  xxxx.xxxx.xxxx
#sh int et 1/3/3
10GigabitEthernet1/3/3 is up, line protocol is up
Note: If a 1-Gbps optic transceiver is inserted, you must configure the port using the speed-duplex 1000-full-master command at the interface level. [2]
Enable port: [3]
# conf term
# int ethernet 1/3/3
# speed-duplex 1000-full-master
or short form: [4]
config t
int e 1/2/1
speed 1000-full
# sh run
...
stack unit 1
  module 1 icx7150-48pf-poe-port-management-module
  module 2 icx7150-2-copper-port-2g-module
  module 3 icx7150-4-sfp-plus-port-40g-module
  stack-port 1/3/1
  stack-port 1/3/3
!
interface ethernet 1/3/3
 speed-duplex 1000-full
!
10GE SFP+
- 10GE SR, 300 m (SFP+)
- 10GE USR, 100 m (SFP+)
Spanning Tree
Disable Spanning Tree On specific port:
interface ethernet 1/1/1
 loop-detection
 no spanning-tree
!
SSH
Show ssh config settings:
sh ip ssh config
> sh ip ssh config
...
SSH server             : Enabled
SSH port               : tcp\22
Host Key               : DSA 1024, RSA 1024
Encryption             : aes256-cbc, aes192-cbc, aes128-cbc, aes256-ctr, aes192-ctr, aes128-ctr, 3des-cbc
...
Authentication methods : Password, Public-key, Interactive
...
Note: a 1024-bit DSA/RSA host key, the CBC-mode ciphers and 3des-cbc are all considered weak by current standards; newer FastIron releases can generate a larger RSA host key, so check the security guide for your release and keep management access to the switch on an isolated management network.
Enable SSH:
## Generate keys
crypto key generate rsa   # ^ Their offer: ssh-rsa
crypto key generate dsa   # ^ Their offer: ssh-dss
# Add admin user:
username admin pri 0 password [PASSWORD]
# Enable login against the local user database:
aaa authentication login default local
Disable SSH:
crypto key zeroize
crypto key zeroize dsa
Note: older ICX firmware offers only the legacy key-exchange method diffie-hellman-group1-sha1 (a 1024-bit group with SHA-1) and ssh-rsa/ssh-dss host keys, all of which current OpenSSH clients refuse by default, so the connection fails with "no matching key exchange method found. Their offer: diffie-hellman-group1-sha1". A successful legacy negotiation looks like this in ssh -v:
debug1: kex: algorithm: diffie-hellman-group1-sha1
debug1: kex: host key algorithm: ssh-rsa
# or
debug1: kex: host key algorithm: ssh-dss
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
To allow diffie-hellman-group1-sha1, add the following to a Host stanza for the switch in ~/.ssh/config (replace icx-switch with the switch's name or IP). Prefer this over /etc/ssh/ssh_config, since it re-enables SHA-1 key exchange and DSA keys for that one host rather than for every connection the host makes:
# ICX SSH
Host icx-switch
    KexAlgorithms +diffie-hellman-group1-sha1
    HostKeyAlgorithms +ssh-dss,ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-dss,ssh-rsa   # PubkeyAcceptedAlgorithms in OpenSSH 8.5 and later; the old name is still accepted
NOTE: If you want the switch to connect in reverse (for example to copy firmware from the host), add the same to /etc/ssh/sshd_config. sshd does not accept KexAlgorithms inside a Match block, so this weakens the host's SSH server for every client, not only the switch; use a dedicated, isolated transfer host if you can. Recent OpenSSH releases have also dropped ssh-dss entirely, so rely on the RSA host key.
# Allow Legacy ICX switches to connect
KexAlgorithms +diffie-hellman-group1-sha1
HostKeyAlgorithms +ssh-dss,ssh-rsa
## PubkeyAcceptedKeyTypes +ssh-dss,ssh-rsa   # not needed: the ICX has no client private-key option, so it cannot authenticate to the host with a public key
Public Keys
- Note: The public key file may contain up to 16 DSA or RSA public keys.
- Note: Each key in the public key file must be in exactly this format (the RFC 4716 "SSH2 PUBLIC KEY" block, without the ssh-rsa prefix; the Comment line is optional). ssh-keygen -e -f ~/.ssh/id_rsa.pub converts an OpenSSH public key into this format. [5]
- Note: Use a 2048-bit key (ssh-keygen -t rsa -b 2048). Larger keys cause connection failures on 6450s (probably 7150s too): "no key from blob. pkalg ssh-rsa: invalid format" [6]
ssh-keygen -t rsa -b 2048
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted from OpenSSH"
AAAAB3NaC1yc2EAAAABIwAAAQEA0pt94yJmKwPfPZnxxYSS1aVaaqWgRM79EfRXf2XUrs
834hx881MmQedye1oJrntvA8LyVUIepOdbc874i4259mtSXx+cfZW0/QeJggT/1zE82+n
w706gGqNsE+XsT12bi6KU4Al2IWULce74yfQY9/amy38ZPCesKKurH4+2m/Ba69391lp
nJ0BIQidn+I8hARUGayrOTrx/e2^kdC+2aNh6mS17KDiRyj8WBV3F5z5f5rlYBL/WoJ2beo
R3L6H6wHXP8dZ1F4IqeVxeIimkFTzMEE*r/wHCnhewetnDy3iJAgr0TXTicJ1Qpb1MCBkB
XaynjuDYSf4Kmgn8znaQ==
---- END SSH2 PUBLIC KEY ----
Copy the combined key file (up to 16 keys) to a TFTP server, and have the ICX pull it and overwrite its key file with:
conf term
ip ssh pub-key-file tftp [TFTP_IP] [PATH/keyfile.txt]
List keys:
show ip client-pub-key
Remove pub key file:
ip ssh pub-key-file remove
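Building the key file by hand is where the two limits above (16 keys, 2048-bit RSA) get missed, and ssh-keygen -e enforces neither. The following is an added example, not Ruckus/Brocade code or a tool from the page, that converts OpenSSH one-line public keys ("ssh-rsa AAAA... comment") into the RFC 4716 block format the ICX loads, refusing a file with more than 16 keys or any RSA modulus larger than 2048 bits. The bit length is read from the key blob itself, so a key that was generated too large cannot slip through under a misleading comment. make_test_key builds a syntactically valid but dummy ssh-rsa line for the self-test; it is not a real key pair.

```python
"""Build an ICX-style RFC 4716 public-key file from OpenSSH public keys.

Added example for this page, not from Ruckus/Brocade documentation. Input
is OpenSSH one-line keys ("ssh-rsa AAAA... comment"); output is the
"---- BEGIN SSH2 PUBLIC KEY ----" block format loaded with
`ip ssh pub-key-file tftp`. The 16-key limit and 2048-bit guidance come
from the page; the modulus-size check is this example's addition.
"""
import base64
import struct
import textwrap

MAX_KEYS = 16          # FastIron public-key file limit (from the page)
MAX_RSA_BITS = 2048    # larger keys fail on ICX6450 (from the page)


def _read_string(blob: bytes, pos: int):
    """Read one SSH length-prefixed string (RFC 4251 'string') from blob."""
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    pos += 4
    return blob[pos:pos + length], pos + length


def parse_openssh_rsa(line: str):
    """Return (base64_blob, modulus_bits, comment) for an 'ssh-rsa ...' line.

    Raises ValueError for non-RSA keys or malformed blobs.
    """
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("only ssh-rsa keys are accepted by this converter")
    b64 = parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    algo, pos = _read_string(blob, 0)
    if algo != b"ssh-rsa":
        raise ValueError("blob type does not match the ssh-rsa prefix")
    _e, pos = _read_string(blob, pos)          # public exponent, not needed
    n, pos = _read_string(blob, pos)           # modulus as an mpint
    if pos != len(blob):
        raise ValueError("trailing data in key blob")
    # int.from_bytes ignores the mpint's sign-padding zero byte, so
    # bit_length() is the true modulus size
    return b64, int.from_bytes(n, "big").bit_length(), comment


def to_rfc4716(b64: str, comment: str = "") -> str:
    """Wrap one key blob in the SSH2 public-key block format (RFC 4716)."""
    lines = ["---- BEGIN SSH2 PUBLIC KEY ----"]
    if comment:
        lines.append(f'Comment: "{comment}"')
    lines.extend(textwrap.wrap(b64, 70))   # RFC 4716 body lines stay <= 72 chars
    lines.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(lines)


def build_keyfile(openssh_lines) -> str:
    """Convert up to MAX_KEYS OpenSSH RSA keys into one ICX key file.

    Raises ValueError on more than 16 keys or a modulus over 2048 bits, the
    two conditions the page reports as breaking the switch.
    """
    blocks = []
    for line in openssh_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        b64, bits, comment = parse_openssh_rsa(line)
        if bits > MAX_RSA_BITS:
            raise ValueError(f"{bits}-bit key too large for ICX (max {MAX_RSA_BITS})")
        blocks.append(to_rfc4716(b64, comment))
    if len(blocks) > MAX_KEYS:
        raise ValueError(f"{len(blocks)} keys exceeds the {MAX_KEYS}-key file limit")
    return "\n".join(blocks) + "\n"


def check_keyfile(openssh_lines):
    """Return (True, keyfile_text) or (False, reason) without raising."""
    try:
        return True, build_keyfile(openssh_lines)
    except ValueError as exc:
        return False, str(exc)


def make_test_key(bits: int, comment: str = "test") -> str:
    """Construct a syntactically valid ssh-rsa line with a DUMMY modulus.

    The modulus is not a real RSA key; it only exercises the parser.
    """
    e = (65537).to_bytes(3, "big")
    n = (1 << (bits - 1)) | 1                         # top bit set => exact size
    n_bytes = b"\x00" + n.to_bytes(bits // 8, "big")  # mpint leading zero pad
    blob = b"".join(struct.pack(">I", len(x)) + x for x in (b"ssh-rsa", e, n_bytes))
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    # Usage: python icx_keyfile.py < authorized_keys > keyfile.txt
    import sys
    ok, result = check_keyfile(sys.stdin)
    if not ok:
        sys.exit(f"refusing to build key file: {result}")
    sys.stdout.write(result)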
Neighbour Detection
ICX supports three link-layer neighbour discovery protocols: [7]
Link Layer Discovery Protocol (LLDP) - vendor-agnostic link layer protocol to advertise device capabilities and directly connected neighbours on the network.
lldp run
show lldp neighbors
Foundry Discovery Protocol (FDP) - Foundry/Brocade-specific link layer protocol to advertise device capabilities and directly connected neighbours on the network.
fdp run
show fdp neighbors
Cisco Discovery Protocol (CDP) - Cisco-specific link layer protocol to advertise device capabilities and directly connected neighbours on the network.
cdp run
show cdp neighbors
Note: all three advertise the switch model, software version and management address to whatever is plugged into the port, so keep them off user-facing and untrusted ports and enable them only towards infrastructure you manage.
VLAN
Show VLANs:
show vlan
Clear VLAN:
no vlan [#]
Simple VLAN
vlan 100 name MyVLAN by port
 tagged e 1/2/1
 untagged e 1/1/1 to 1/1/48
!
LAG
Simple LAG with VLAN:
lag LAG1 dynamic id 1
 ports ethe 1/1/47 to 1/1/48
!
vlan 3200 name MyVLAN by port
 tagged lag 1
 untagged e 1/1/1 to 1/1/46
!
Static vs dynamic:
lag LAG1 dynamic id 1
lag LAG1 static id 1
Show lag:
sh lag
sh lag id 1
Name ports:
lag LAG1
 port-name UPLINK-A ethernet 1/1/47
 port-name UPLINK-B ethernet 1/1/48
Disable one port (and re-enable it):
lag LAG1
 disable e 1/1/48
 enable e 1/1/48
Remove a port:
lag LAG1
 no ports e 1/1/47
Time
Daylight Saving (Summer Time) [8]
clock summer-time zone us pacific start 02-28-21 02:00:00 end 10-30-21 02:00:00 offset 60
Note: the start and end dates are fixed, so this will have to be updated manually each year.
Users
Add Users:
username admin password [PASSWORD]
# remove a user:
no username admin
username myuser privilege [LEVEL] password [PASSWORD]
# LEVEL: 0 = READ-WRITE (super-user), 4 = PORT-CONFIG, 5 = READ-ONLY
Require login against the local user database (web UI and CLI):
aaa authentication web-server default local
aaa authentication login default local
Configure separate enable privilege passwords:
enable super-user-password [PASSWORD]
enable port-config-password [PASSWORD]
enable read-only-password [PASSWORD]
no enable super-user-password
Enter enable mode:
enable
Show who logged in as:
sh who
Privilege Levels
3 privileged levels:
- enable super-user-password [PASSWORD] - Super-user level password
- enable port-config-password [PASSWORD] - Port level configuration password
- enable read-only-password [PASSWORD] - Read-only level password
- Super User level - Allows complete read-and-write access to the system. This is generally for system administrators and is the only management privilege level that allows you to configure passwords.
- Port Configuration level - Allows read-and-write access for specific ports but not for global (system-wide) parameters.
- Read-only level - Allows access to the Privileged EXEC mode and User EXEC mode of the CLI but only with read access.
Firmware
Select Boot Slot
Show boot configuration:
ICX7450# sh boot-preference
Boot system preference(Configured):
        Use Default
Boot system preference(Default):
        Boot system flash primary
        Boot system flash secondary
Select the secondary boot slot (a global config command; write mem afterwards so it persists):
ICX7450# boot system flash secondary
Show boot configuration after change:
ICX7450# sh boot-preference
Boot system preference(Configured):
        Boot system flash secondary
Boot system preference(Default):
        Boot system flash primary
        Boot system flash secondary
Show configuration:
ICX7450# sh run
Current configuration:
!
...
!
boot sys fl sec
Reset Password
This needs console access and a reboot. As the switch boots, when you see the following prompt, press 'b':
Enter 'b' to stop at boot monitor:
then type "no password" to bypass the password for this boot:
no password
then type "boot" to continue booting:
boot   # or boot_primary
Then either change the password:
enable
conf t
Note: anyone with physical access to the console port can do this, so the console port and the rack it sits in are part of the switch's trust boundary. Set new passwords and write mem before leaving the session.
References
[1] https://docs.commscope.com/bundle/fastiron-08095-managementguide/page/GUID-5A14B1C5-DD1A-40E3-A371-6C7A0407D796.html
[2] https://docs.commscope.com/bundle/icx7150-installguide/page/GUID-B346251F-DFCC-4441-B047-6E3A3E88839C.html
[3] https://docs.commscope.com/bundle/icx7150-installguide/page/GUID-B346251F-DFCC-4441-B047-6E3A3E88839C.html
[4] https://community.ruckuswireless.com/t5/ICX-Switches/Configuring-SFP-port-on-7150-C08p/td-p/27124
[5] https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-E00DB049-9D65-4438-A64F-A947648A70AE.html
[6] https://apple.stackexchange.com/questions/356323/ssh-fails-with-ssh-dispatch-run-fatal-invalid-format
[7] https://support.purdi.com/hc/en-gb/articles/360021220292-Ruckus-ICX-Neighbour-Detection-using-LLDP-CDP-FDP
[8] https://docs.commscope.com/bundle/fastiron-08091-managementguide/page/GUID-E670EE11-FBD6-4D1E-9099-6E231887D245.html