monotux.tech

Ruckus ICX 7150-C12p Primer

networking, primer

I bought my ICX 7150-c12p before my EX2200-c12p, but its PSU broke so it lived in a box until I could bother researching and buying a new PSU for it.

PSU replacement

The original PSU seems to be very easy to break - not sure if it's a PSU or a switch issue.

After some research I eventually concluded that the FSP200-P35-A54 (link to digikey.com) should be a nice PSU to try, as it would deliver more power than needed, even in a fanless environment.

Replacing the PSU was trivial - I just took the case apart, removed the original and placed the new one in its place. The only caveat was that I had to invert the power cables to avoid frying the rest of the switch.

Internals after replacing PSU

The above is taken after inverting the power cable and replacing the PSU.

Configuration

As with the EX2200-c12p I've used a serial connection to configure the switch. There's a USB-C connection on the switch for management, which is handy. The webui is very…oldschool, which I guess some people will like. :-)

Basic settings

My 7150-c12p is running the routing firmware (as opposed to the switching-only firmware). I've been too lazy to change it or even update it yet.

I'm not using the dedicated management switch interface, as I don't have any OOB network to use with it.

  # Become a privileged user and enable the configuration mode
  enable
  config t

  # Enable PoE on all ports
  interface ethernet 1/1/1 to 1/1/12
  inline power
  exit

  # Show PoE statistics
  show inline power detail

  # Create a management vlan, add 1/1/6 untagged and tagged on 1/1/1
  vlan 3 name management-vlan
  untag ethernet 1/1/6
  tagged ethernet 1/1/1
  # Create a routed interface for this vlan
  router-interface ve 3
  exit

  # Configure routed interface for vlan 3
  interface ve 3
  ip address 192.168.3.2/24
  exit
  ip route 0.0.0.0/0 192.168.3.254
  ip dhcp-client disable

  vlan 150 name clients-vlan
  untag ethernet 1/1/2
  tagged ethernet 1/1/1

  # Enable spanning-tree for these vlans
  vlan 3 100 150 200 250
  spanning-tree 802-1w

LACP

Below creates a LACP interface. 1/2/1 and 1/2/2 are the non-PoE 'uplink' ports on the right-hand side of the switch. I haven't tried creating a LACP interface on the SFP+ interfaces yet, but it Should Work™ as well.

It seems you can assign vlans to either all the LACP member ports, OR to the LACP interface itself. I haven't tried the latter (or both simultaneously) myself.

  lag uplag dynamic id 1
  ports ethernet 1/2/1 to 1/2/2

SNMP

I use SNMPv3 so the SNMPv2c is more or less untested. Being able to create views to limit what each SNMP group can see is nice! [1]

  ### version v2c
  # create a community string for read only usage
  snmp-server community hello-world-change-me-please ro

  ### version 3
  # create a group for read only access
  snmp-server group readers v3 priv read all
  # create a user, with sha & aes
  snmp-server user change-me-please readers v3 auth sha asdfasdf priv aes adsfasdf
  # send SNMP traps to this host using this v3 user
  # (snmp-server host sets the trap receiver; it does not restrict who may query the switch)
  snmp-server host 192.168.3.1 version v3 auth change-me-please

Dual mode ports

When using a 'trunk' line from the switch to a computer, like my router, I set the interface on the switch in a dual mode configuration. I typically use a unique VLAN for each port as untagged, and then assign all other 'real' VLANs to the port - this way I don't really have a 'default' VLAN.

This is a quirk with the FastIron OS: you first have to assign the vlan as tagged to the port, then configure the interface as dual mode using the tagged interface again.

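  # First tag the port in its per-port VLAN
  vlan 3113
  tagged ethernet 1/1/11
  exit
  # Then make that VLAN the untagged (dual-mode) VLAN on the port
  interface ethernet 1/1/11
  dual-mode 3113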

Making SSH work in 2023

I typically use the serial port for configuring this switch, but in case you want to use SSH you have to add some configuration to allow the old algorithms needed for this switch.

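  # Legacy algorithms are re-enabled for this one host only
  Host 192.0.2.1
          User root
          KexAlgorithms +diffie-hellman-group1-sha1
          HostKeyAlgorithms +ssh-rsa
          # OpenSSH 8.5+ names this option PubkeyAcceptedAlgorithms; the old name still works as an alias
          PubkeyAcceptedKeyTypes +ssh-rsa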
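
The Host block above keeps the legacy algorithms confined to the switch's address. As an added example (not part of the original post), this Python script parses an OpenSSH client config and lists every scope that re-enables them, marking global, wildcard and Match scopes as broad. The function name `audit`, the sample text and its `Host *` block are constructed for illustration.

```python
import re

# Legacy algorithms re-enabled by the Host block above (off by default in current OpenSSH).
LEGACY = {
    "kexalgorithms": {"diffie-hellman-group1-sha1"},
    "hostkeyalgorithms": {"ssh-rsa"},
    "pubkeyacceptedkeytypes": {"ssh-rsa"},    # older option name
    "pubkeyacceptedalgorithms": {"ssh-rsa"},  # option name since OpenSSH 8.5
}

# Constructed sample: the page's Host block plus a hypothetical wildcard block.
SAMPLE = """\
Host 192.0.2.1
        User root
        KexAlgorithms +diffie-hellman-group1-sha1
        HostKeyAlgorithms +ssh-rsa
        PubkeyAcceptedKeyTypes +ssh-rsa

Host *
        HostKeyAlgorithms +ssh-rsa
"""

def audit(config_text):
    """Return (scope, option, algorithms, broad) for each legacy algorithm enabled."""
    scope, broad, findings = "(global)", True, []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key in ("host", "match"):
            # Wildcard patterns and Match blocks are treated as broad (conservative).
            scope = f"{parts[0]} {value}"
            broad = key == "match" or any(c in value for c in "*?")
            continue
        if key not in LEGACY or value.startswith("-"):
            continue  # unrelated option, or a list that only removes algorithms
        enabled = set(value.lstrip("+^").split(",")) & LEGACY[key]
        if enabled:
            findings.append((scope, key, sorted(enabled), broad))
    return findings

if __name__ == "__main__":
    for scope, key, algos, broad in audit(SAMPLE):
        print(f"[{'BROAD' if broad else 'scoped'}] {scope}: {key} enables {', '.join(algos)}")
```

Pass it the contents of your own client config; any finding marked BROAD means the weak algorithm is offered to more hosts than the switch.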

Adding all tagged VLANs to an interface

I've used this switch for several years now, and today (2024-08-26) I just discovered that you can add all tagged VLANs to an interface:

  enable
  config t
  interface eth 1/3/1
  vlan-config add all-tagged

It seems this was included in firmware 8.0.50, so I haven't checked if my ICX6450-24p even got this handy feature or not, but at least it works on my ICX7150-C12P!

The only caveat is that this seems to be a one-time change, so if you add a new VLAN later on, you have to run vlan-config add all-tagged again.


[1] One initial idea was to use this with my home automation software, so I can power cycle or schedule on/off times for PoE devices.