Upstream/lab-docu
1
0
Fork 0
mirror of https://github.com/Fohdeesha/lab-docu.git synced 2024-11-28 11:05:13 +01:00
Code Issues Projects Releases Wiki Activity

icx7150 page cleanup

Browse Source
This commit is contained in:
Jon Sands 2021-09-15 06:00:24 -04:00
parent a952dd0dbb
commit 6d75a67183
1 changed files with 6 additions and 177 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

183
docs/icx7150.md
View File

@ -69,16 +69,10 @@ interface ve 1
ip address 192.168.1.50/24
exit
```
We'll also disable the phone-home SmartZone functionality. If you want to integrate this switch to appear in the web UI of an Unleashed AP or SmartZone account in the future, skip this step:
```
no sz registrar
sz disable
write mem
exit
```
## Load The Latest UFI Image
Now that the switch has an IP address & is booted into `v08090` (which is capable of flashing the new UFI format images), we can TFTP the latest stable FastIron version. **First, move your ethernet cable** from the dedicated management port, to any of the regular switch ports. Then, run the following. Like previous commands, replace the IP with the IP of your own TFTP server:
Now that the switch has an IP address & is booted into `v08090` (which is capable of flashing the new UFI format images), we can flash the latest stable FastIron version. **First, move your ethernet cable** from the dedicated management port to any of the **regular switch ports**. Then run the following to flash the new UFI image. Like previous commands, replace the IP with the IP of your own TFTP server:
```
copy tftp flash 192.168.1.8 ICX7xxx/SPR08095dufi.bin primary
erase flash secondary
@ -89,180 +83,15 @@ The switch will reload, loading the new software. This boot will take some time
```
PoE Info: PoE module 1 of Unit 1 initialization is done.
```
It is finally done, and you can hit enter to get a login prompt and continue to the next section.
## Configuration Details
Now that all the updates are finished, we can log in using the `super` user and the password you created earlier in this guide. Once logged in, give the switch a name:
It is finally done, and you can hit enter to get a login prompt. Log back in using the `super` username, and the password you set for it earlier. Then, get back to the configuration CLI level:
```
enable
configure terminal
hostname intertubes
```
Now tell it to generate an RSA keypair - this is the first step to enable SSH access:
```
crypto key zeroize
crypto key generate rsa modulus 2048
configuration terminal
```
## Security, Web UI, & SSH
By default, the switch now has the `super` user that we set a password for previously. We need to configure the switch to use this account to authenticate logins and web UI access:
```
aaa authentication web-server default local
aaa authentication login default local
```
We should also disable telnet as it's quite insecure:
```
no telnet server
```
You should now be able to SSH to the switch using the IP you assigned it earlier, and log in using the `super` user with the password you created. Then you can ditch the serial console cable and follow the rest of the guide over SSH. You can also access a very basic web UI (that I don't recommend using, really) at the same IP address. By default, the webserver is http only. If you want to disable the web server, just run:
```
no web-management http
```
If you would like to then turn on the webserver over `https` instead, run the following (skip this if you just want the webserver off totally):
```
crypto-ssl certificate generate
web-management https
```
Once you get an `ssl-certificate creation is successful` message in the console, you'll be able to access the web UI via `https`.
## Further Configuration
If you don't like the default `super` username, you can remove it, and create your own user account instead. Just replace `customname` and `yourpasshere` with your own values:
```
username customname password yourpasshere
no username super
```
For example, to create a user named `root` instead:
```
username root password secret123
no username super
```
You should now use this new user for all login duties.
### OPTIONAL: Key Based SSH Access
If you wish to disable password-based SSH login and set up a key pair instead, follow this section. If not, skip it. Enable key login, and disable password login:
```
ip ssh key-authentication yes
ip ssh password-authentication no
```
Now we have to generate our key pair with [puttygen](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) on windows or ```ssh-keygen -t rsa``` on linux. The default settings of RSA @ 2048 bits works without issue. Generate the pair and save out both the public and private key.
Copy the public key file to your TFTP server. Then use the following command to import it into your switch:
```
ip ssh pub-key-file tftp 192.168.1.49 public.key
```
You shouldn't need to be told basic key management if you're following this section, but just in case - copy your private key to the proper location on the *nix machine you'll be SSH'ing from, or if you're on windows, load it using [pageant](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html). Now when you SSH to the switch, it will authenticate using your private key.
## Saving & Conclusions
Whenever you make changes (like above) they take effect immediately, however they are not saved to onboard flash. So if you reboot the switch, they will be lost. To permanently save them to onboard flash, use the `write memory` command. Let's save all the changes we just made:
```
write memory
```
Your switch now has a basic configuration, as well as an IP address you can SSH to for further configuration. Here's some useful general commands:
Show chassis information like fan and temperature status:
```
show chassis
```
Show a table of all interfaces:
```
show interface brief
```
To show one interface in detail:
```
show interfaces ethernet 1/1/1
#Also works for virtual interfaces:
show interfaces ve 1
```
Give a port a friendly name:
```
interface ethernet 1/1/1
port-name freenas
exit
show interfaces brief ethernet 1/1/1
```
Show the running configuration:
```
show run
```
Show the system log:
```
show log
```
To remove configuration options, put a ```no``` in front of them at the appropriate CLI level:
```
no hostname intertubes
```
## Tips
To exit the CLI level you are at, use `exit`. So assuming you are still at the ```configure terminal``` level, type the following to exit back to the ```enable``` level:
```
exit
```
Commands can also be shortened, as long as they are still unique. So to re-enter the configure terminal level, Instead of typing the entirety of ```configure terminal```, the following will also work:
```
conf t
```
There is also tab help and completion. To see all the commands available at the current CLI level, just hit tab. To see the options available for a certain command, just type that command (like ```ip```) then hit tab a couple times.
## Advanced Configuration
### Default Route & DNS
To give the switch a default route and a DNS server so it can reach external hostnames and IP's (to ping external servers or to update time via NTP etc), do the following. replace the IP with the IP of your gateway/router/etc. Assuming you are still at the ```configure terminal``` level:
```
ip dns server-address 192.168.1.1
ip route 0.0.0.0/0 192.168.1.1
```
### NTP
To have the switch keep its time synced via NTP (so its logs make more sense), use the following. If you live in an area that doesn't use Daylight Savings, skip the ```clock summer-time``` command. Use tab completion for the timezone command to see what's available. The IP's in the following example are google's NTP servers and work well for most cases:
```
clock summer-time
clock timezone gmt GMT-05
ntp
disable serve
server 216.239.35.0
server 216.239.35.4
exit
```
### SNMP
To quickly enable SNMPv2 (read only), follow the below. SNMP v3 is available but you'll have to refer to the included documentation:
```
snmp-server community public ro
```
### Saving
If you made any of the above extra changes, remember they have not been saved to onboard flash yet. Do so:
```
write memory
```
## SFP/Optics Information
Brocade does not restrict the use of optics by manufacturer, they'll take anything given it's the right protocol. However by default, optical monitoring information is disabled unless it sees Brocade or Foundry optics.
So if you want to see information like this :
```
telnet@Route2(config)#show optic 1/3/1
Port Temperature Tx Power Rx Power Tx Bias Current
+----+-----------+--------------+--------------+---------------+
5 32.7460 C -002.6688 dBm -002.8091 dBm 5.472 mA
Normal Normal Normal Normal
```
You'll need to pick up some official Brocade or Foundry optics on ebay, or buy some flashed optics from FiberStore. Regardless of what optics you have, you'll first need to enable optic monitoring in general by running `optical-monitor` at the `configure terminal` level.
**Note:** Starting in v8080 firmware and above, Ruckus added a command that enables optical monitoring details (like the above example) for non-brocade branded optics. It's not guaranteed to work with all optics, but should with most that conform to SFF-8472. Run the following to enable this:
```
enable
conf t
optical-monitor
optical-monitor non-ruckus-optic-enable
write mem
```
You now have a bare minimum setup on your switch, and the latest firmware. To continue with further configuration including securing and naming the switch, setting up SSH and Web UI access, PoE commands etc, please continue to the [ICX7xxx Series Config Page](icx7xxx-adv.html). Don't forget to return here when you're finished for the licensing info below, if you need it.
## Licensing Info
ICX switches require license unlocks for 10gbE port functionality as well as some advanced software features. Thankfully, starting with the ICX7xxx series, Ruckus made the licenses honor-based. This means they can be freely unlocked on your switch. Just visit the [ICX7xxx Licensing](7xxx.md) section to fully license and unlock your switch.