12 KiB
Setting up Brocade ICX7150
Preparation
If you haven't already, visit the Brocade Overview page to download the latest guide package and get it ready to be served via TFTP - this unified package includes all the latest firmware, licenses, and documentation.
Connect to the serial/console port using a program like Putty (9600 8N1), then connect the management ethernet port to your network (do NOT use any of the regular switch ports yet). The management port is the one above the full size USB port.
Note: Aside from the usual RJ45 serial port, the ICX7150 also has a USB-C port. On this port, it has a built in USB to serial adapter, so you can plug the USB-C port directly into your PC, and it will then show up as a serial port. You will need to install the serial adapter driver from the USB-C Serial Driver folder.
Power on the switch while watching your serial terminal - start smashing the b key until you're dropped into the bootloader prompt, which looks like ICX7150-Boot> . If you missed the prompt and it boots the OS instead, pull power and try again.
Now at the boot prompt, we tell the switch to clear all current configs and old keys, so it boots into a fresh state:
factory set-default
To confirm this action, you must send CAPITAL Y - sending a lowercase y will just make it abort.
Now we need to give the bootloader a temporary IP on your network, as well as supply the IP of your TFTP server where it can find your files. Replace the example IPs with your own. This IP is only going to be used temporarily by the bootloader. We'll also tell it the filename & path of the firmware image. You should not need to alter this:
setenv ipaddr 192.168.1.50
setenv netmask 255.255.255.0
#tell the switch the IP of your tftp server:
setenv serverip 192.168.1.8
setenv image_name ICX7xxx/SPR08090m.bin
Now we can tell the bootloader to flash the 08090 image. This gets us to a known FI version that is capable of flashing the latest UFI versions of FastIron:
update_primary
After a couple minutes, it should complete. Now we clear the temporary IP, then reboot the switch into the OS:
setenv ipaddr
saveenv
reset
First Boot & Login
This first boot will take a few minutes - you'll see messages regarding a PoE firmware update taking place, and likely errors regarding boot-monitor mismatches and incompatible package versions - these are all expected and can be ignored. They will be remedied by the next reboot when the new bootloader is used. Hit enter and you should be given a login prompt. The default login is now:
user: super
pass: sp-admin
Once logged in, it will ask you to create a new password. Enter in a password you'll remember to login to the switch in the future. You should now be logged in and ready to configure the switch.
Initial Configuration
Now that it's booted into the full OS you may get TFTP timed out errors in the console, this is normal. just hit enter until they go away. We'll fix that in the next section. Now to make any changes we must enter the enable level:
enable
Now we enter the configure terminal level to make config changes:
configure terminal
Now we turn off the DHCP client, so it doesn't automatically grab an IP and look for a TFTP config (the cause of the earlier timeout messages):
ip dhcp-client disable
Now we give the switch its permanent IP address. By default, all ports are in VLAN 1, so it will behave like a typical switch. First we need to give VLAN 1 its own virtual interface:
vlan 1
router-interface ve 1
exit
Now we need to assign that virtual interface an address. Choose an IP that is unused in your subnet, and out of your DHCP server range (ping it first to be sure it's unused):
interface ve 1
ip address 192.168.1.50/24
exit
We'll also disable the phone-home SmartZone functionality. If you want to integrate this switch to appear in the web UI of an Unleashed AP or SmartZone account in the future, skip this step:
no sz registrar
sz disable
write mem
exit
Load The Latest UFI Image
Now that the switch has an IP address & is booted into v08090 (which is capable of flashing the new UFI format images), we can TFTP the latest stable FastIron version. First, move your ethernet cable from the dedicated management port, to any of the regular switch ports. Then, run the following. Like previous commands, replace the IP with the IP of your own TFTP server:
copy tftp flash 192.168.1.8 ICX7xxx/SPR08095dufi.bin primary
erase flash secondary
reload
The switch will reload, loading the new software. This boot will take some time as it flashes new PoE firmware, new UFI packages, a new bootloader, and copies itself to the secondary OS image slot. When you finally see the PoE update get to 100% and say:
PoE Info: PoE module 1 of Unit 1 initialization is done.
It is finally done, and you can hit enter to get a login prompt and continue to the next section.
Configuration Details
Now that all the updates are finished, we can log in using the super user and the password you created earlier in this guide. Once logged in, give the switch a name:
enable
configure terminal
hostname intertubes
Now tell it to generate an RSA keypair - this is the first step to enable SSH access:
crypto key zeroize
crypto key generate rsa modulus 2048
Security, Web UI, & SSH
By default, the switch now has the super user that we set a password for previously. We need to configure the switch to use this account to authenticate logins and web UI access:
aaa authentication web-server default local
aaa authentication login default local
We should also disable telnet as it's quite insecure:
no telnet server
You should now be able to SSH to the switch using the IP you assigned it earlier, and log in using the super user with the password you created. Then you can ditch the serial console cable and follow the rest of the guide over SSH. You can also access a very basic web UI (that I don't recommend using, really) at the same IP address. By default, the webserver is http only. If you want to disable the web server, just run:
no web-management http
If you would like to then turn on the webserver over https instead, run the following (skip this if you just want the webserver off totally):
crypto-ssl certificate generate
web-management https
Once you get an ssl-certificate creation is successful message in the console, you'll be able to access the web UI via https.
If you don't like the default super username, you can remove it, and create your own user account instead. Just replace customname and yourpasshere with your own values:
username customname password yourpasshere
no username super
For example, to create a user named root instead:
username root password secret123
no username super
You should now use this new user for all login duties.
OPTIONAL: Key Based SSH Access
If you wish to disable password-based SSH login and set up a key pair instead, follow this section. If not, skip it. Enable key login, and disable password login:
ip ssh key-authentication yes
ip ssh password-authentication no
Now we have to generate our key pair with puttygen on windows or ssh-keygen -t rsa on linux. The default settings of RSA @ 2048 bits works without issue. Generate the pair and save out both the public and private key.
Copy the public key file to your TFTP server. Then use the following command to import it into your switch:
ip ssh pub-key-file tftp 192.168.1.49 public.key
You shouldn't need to be told basic key management if you're following this section, but just in case - copy your private key to the proper location on the *nix machine you'll be SSH'ing from, or if you're on windows, load it using pageant. Now when you SSH to the switch, it will authenticate using your private key.
Saving & Conclusions
Whenever you make changes (like above) they take effect immediately, however they are not saved to onboard flash. So if you reboot the switch, they will be lost. To permanently save them to onboard flash, use the write memory command. Let's save all the changes we just made:
write memory
Your switch now has a basic configuration, as well as an IP address you can SSH to for further configuration. Here's some useful general commands:
Show chassis information like fan and temperature status:
show chassis
Show a table of all interfaces:
show interface brief
To show one interface in detail:
show interfaces ethernet 1/1/1
#Also works for virtual interfaces:
show interfaces ve 1
Give a port a friendly name:
interface ethernet 1/1/1
port-name freenas
exit
show interfaces brief ethernet 1/1/1
Show the running configuration:
show run
Show the system log:
show log
To remove configuration options, put a no in front of them at the appropriate CLI level:
no hostname intertubes
Tips
To exit the CLI level you are at, use exit. So assuming you are still at the configure terminal level, type the following to exit back to the enable level:
exit
Commands can also be shortened, as long as they are still unique. So to re-enter the configure terminal level, Instead of typing the entirety of configure terminal, the following will also work:
conf t
There is also tab help and completion. To see all the commands available at the current CLI level, just hit tab. To see the options available for a certain command, just type that command (like ip) then hit tab a couple times.
Advanced Configuration
Default Route & DNS
To give the switch a default route and a DNS server so it can reach external hostnames and IP's (to ping external servers or to update time via NTP etc), do the following. replace the IP with the IP of your gateway/router/etc. Assuming you are still at the configure terminal level:
ip dns server-address 192.168.1.1
ip route 0.0.0.0/0 192.168.1.1
NTP
To have the switch keep its time synced via NTP (so its logs make more sense), use the following. If you live in an area that doesn't use Daylight Savings, skip the clock summer-time command. Use tab completion for the timezone command to see what's available. The IP's in the following example are google's NTP servers and work well for most cases:
clock summer-time
clock timezone gmt GMT-05
ntp
disable serve
server 216.239.35.0
server 216.239.35.4
exit
SNMP
To quickly enable SNMPv2 (read only), follow the below. SNMP v3 is available but you'll have to refer to the included documentation:
snmp-server community public ro
Saving
If you made any of the above extra changes, remember they have not been saved to onboard flash yet. Do so:
write memory
SFP/Optics Information
Brocade does not restrict the use of optics by manufacturer, they'll take anything given it's the right protocol. However by default, optical monitoring information is disabled unless it sees Brocade or Foundry optics.
So if you want to see information like this :
telnet@Route2(config)#show optic 1/3/1
Port Temperature Tx Power Rx Power Tx Bias Current
+----+-----------+--------------+--------------+---------------+
5 32.7460 C -002.6688 dBm -002.8091 dBm 5.472 mA
Normal Normal Normal Normal
You'll need to pick up some official Brocade or Foundry optics on ebay, or buy some flashed optics from FiberStore. Regardless of what optics you have, you'll first need to enable optic monitoring in general by running optical-monitor at the configure terminal level.
Note: Starting in v8080 firmware and above, Ruckus added a command that enables optical monitoring details (like the above example) for non-brocade branded optics. It's not guaranteed to work with all optics, but should with most that conform to SFF-8472. Run the following to enable this:
enable
conf t
optical-monitor
optical-monitor non-ruckus-optic-enable
write mem
Licensing Info
ICX switches require license unlocks for 10gbE port functionality as well as some advanced software features. Thankfully, starting with the ICX7xxx series, Ruckus made the licenses honor-based. This means they can be freely unlocked on your switch. Just visit the ICX7xxx Licensing section to fully license and unlock your switch.