ICX 150 Introduction

ICX 150
RUCKUS ICX Implementer
Course Introduction
Revision 2212

Welcome to the RUCKUS ICX 150 Implementer course.

Revision 2212 1‐1

ICX 150 Introduction

Legal Disclaimer
• All or some of the products detailed in this presentation may still be under development
and certain specifications, including but not limited to, release dates, prices, and product
features, may change. The products may not function as intended and a production version
of the products may never be released. Even if a production version is released, it may be
materially different from the pre‐release version discussed in this presentation.
• Nothing in this presentation shall be deemed to create a warranty of any kind,
either express or implied, statutory or otherwise, including but not limited to, any
implied warranties of merchantability, fitness for a particular purpose, or non‐infringement
of third‐party rights with respect to any products and services referenced herein.
• The RUCKUS, RUCKUS Wireless, RUCKUS logo, Big Dog
design, BeamFlex, ChannelFly, Xclaim, ZoneFlex and OPENG trademarks are registered in the
U.S. and other countries. RUCKUS
Networks, MediaFlex, FlexMaster, ZoneDirector, SpeedFlex, SmartCast, SmartCell, Dynamic
PSK, FastIron, ICX, Multi‐Chassis Trunking and relevant wired technologies are RUCKUS
trademarks worldwide. Other names and brands mentioned in this document or website
may be claimed as the property of others. 18‐1‐B

2 © 2022 CommScope, Inc.

Please take a moment to review our legal disclaimer, then advance to the next slide.

Revision 2212 1‐2

ICX 150 Introduction

• The ICX 150 Implementer course is an entry level,

self‐paced, training course that concentrates on
the Implementor functions within a network
environment focusing on the RUCKUS ICX series
of switches running 08.0.95g

• This course is for:

– Employees
– Partners
Course Overview – Systems Engineers (SEs)
– Customers

• Features and functions covered in this course

include, RUCKUS technologies, ICX hardware
architecture, software upgrades, basic CLI
configuration, layer 2 and 3 feature
configurations, device access and security, as
well as basic network design and troubleshooting

This training course concentrates on duties performed by network implementors within a

typical network environment and focuses on the RUCKUS ICX series of switches running
FastIron 8.0.95g.

Features and functions covered in this course include, RUCKUS technologies, ICX hardware
architecture, software upgrades, basic CLI configuration, Layer 2 and Layer 3 feature
configurations, device access and security, as well as basic network design and
troubleshooting.

Revision 2212 1‐3

ICX 150 Introduction

Course Objectives
After completing this course, attendees should be able to:
• Understand RUCKUS technologies and how to access the resources available
• Discuss the available ICX hardware models and their capabilities
• Understand stacking architecture, features, and configuration for RUCKUS ICX switches
• Describe basic Command Line Interface (CLI) usage for configuration, monitoring, and management of RUCKUS ICX
switches
• Describe the configuration and usage of different methods available for device management
• Use Authentication, Authorization, and Accounting (AAA) and Access Control Lists (ACLs) to secure a RUCKUS ICX
devices
• Configure network management protocols (SNMP) to monitor devices
• Describe the software upgrade process for RUCKUS ICX switches
• Understand services that can be utilized on RUCKUS ICX devices (such as NTP, SSH, L2 discovery, LLDP, and DHCP)
• Configure basic port settings as well as Layer 2 configurations (Virtual LANs and Link Aggregation Groups)
• Describe and configure Layer 2 redundancy features such as Spanning Tree Protocols (STP, RSTP, and MSTP)
• Describe the benefits of Multi‐Chassis Trunking
• Describe basic Layer 3 functionalities on RUCKUS ICX switches such as IP addressing, ARP, IP Routing, Virtual Ethernet
(VEs), VRF, VRRP‐E, and OSPF
• Describe Power over Ethernet (PoE) capabilities and configuration on RUCKUS ICX switches
• Understand foundational network design principals and perform basic troubleshooting

4 © 2022 CommScope, Inc.

After completing this course, attendees should be able to:

• Understand RUCKUS technologies and how to access the resources available
• Discuss the available ICX hardware and their capabilities
• Understand hardware features and configurations for RUCKUS ICX switches including
stacking
• Describe the Command Line (CLI) structure of RUCKUS ICX switches in terms of
privilege level, configurations, and monitoring
• Describe the methods available for device management including, the console port,
Telnet, SSH, and web management
• Use Authentication, Authorization, and Accounting (AAA) to secure RUCKUS ICX
switches
• Configure network management protocols for ICX monitoring
• Describe the software upgrade process for RUCKUS ICX switches
• Identify and configure services on RUCKUS ICX (such as NTP, SSH, L2 discovery, LLDP,
and DHCP)
• Configure Layer 2 Virtual LANs (VLANs) and Link Aggregation Groups (LAGs)
• Describe and configure Spanning Tree Protocol (STP) features supported on RUCKUS
ICX switches
• Understand the benefits of Multi‐Chassis Trunking (MCT)
• Describe the features and function of basic Layer 3 features (ARP, Static Routing,
Virtual Ethernet Interfaces (VEs), VRRP‐E, OSPF)
• Describe and configure the Power over Ethernet capabilities and perform
configurations on RUCKUS ICX switches
• Understand foundational network design principals and perform basic
troubleshooting

Revision 2212 1‐4

ICX 150 Introduction

Course Prerequisites
• The Routing and Switching Protocols (RSP‐100) course, or equivalent knowledge, is a prerequisite for this ICX‐
150 course
• Before taking this course, attendees should have foundational knowledge of:
– Network management protocols and their function including:
o Telnet/SSH
o SNMP

– Network features:
o Routing/switching
o IP Addressing and Subnetting
o VLAN
o Link aggregation (LAG)
o PoE

– Network protocols including:

o STP
o 802.1Q
o LACP
o 802.1X
o CDP/LLDP

5 © 2022 CommScope, Inc.

The prerequisites for this course include:

• The foundational knowledge of IP hardware and their designated roles in a network,

along with
• Network management protocols and their function such as Telnet or SSH, SNMP.
• A general understanding of Routing/switching along with specific functions such as
VLANs, IP Addressing, Link Aggregation (LAGs) and Power over Ethernet
• Knowledge of L2 protocols and functions such as Spanning Tree, VLAN tagging, Link
Aggregation Control Protocol, 802.1X security and neighbor discovery protocols like
Cisco Discovery Protocol or Link Layer Discovery Protocol.
• Foundational knowledge of the following network protocols:
• STP
• 802.1Q
• LACP
• 802.1X
• CDP/LLDP

This course does review the functions of these features and protocols, however it mainly
focuses on how to apply these configurations within RUCKUS ICX network environments.
This course does not provide the foundational detail on how these various protocols
operate, which is necessary for students to have a working understanding of topics
demonstrated. As such, the Routing and Switching Protocols (RSP‐100) course or equivalent
knowledge is required for this course.

Revision 2212 1‐5

ICX 150 Introduction

Course Presentations
• Course Introduction
• RUCKUS ICX Technologies
• Hardware Overview
• CLI Basics
• Software Upgrade & Licensing
• Access and Management
• Device Security and Monitoring
• Layer 2 Fundamentals
• ICX Services
• Layer 2 Redundancy
• Layer 3 Fundamentals
• ICX Stacking
• Power over Ethernet (PoE)
• Network Design and Troubleshooting
• RUCKUS FastIron 09.00.xx Features

6 © 2022 CommScope, Inc.

This course is composed of the following course presentations:

• Course Introduction
• RUCKUS ICX Technologies
• Hardware Overview
• CLI Basics
• Software Upgrade & Licensing
• Access and Management
• Device Security and Monitoring
• Layer 2 Fundamentals
• ICX Services
• Layer 2 Redundancy
• Layer 3 Fundamentals
• ICX Stacking
• Power over Ethernet (PoE)
• Network Design and Troubleshooting
• RUCKUS FastIron 09.00.xx Features

Revision 2212 1‐6

ICX 150 Introduction

End of: Course Introduction

ICX 150

This concludes the Course Introduction please move on to the next presentation to
continue this ICX Implementor course. Thank you.

Revision 2212 1‐7

ICX 150 Introduction

Revision 2212 1‐8

ICX 150 RUCKUS Technologies

RUCKUS Technologies

Revision 2212

In this presentation we will provide an overview of RUCKUS technologies and available

resources.

So, let’s get started.

Revision 2212 2‐1

ICX 150 RUCKUS Technologies

In this presentation, you will learn about:

• RUCKUS products overview
• RUCKUS resources
• RUCKUS technologies

Objectives

When you first start to learn about the RUCKUS product line, the range and diversity of
choices can seem confusing. It’s important to know the different hardware and software
options RUCKUS provides ensuring seamless integration of any implementations you many
be planning. In this presentation you will learn about the main RUCKUS products and
technologies, as well as additional tools.

Revision 2212 2‐2

ICX 150 RUCKUS Technologies

RUCKUS Products Overview

Let’s first take a look at RUCKUS products and solutions.

Revision 2212 2‐3

ICX 150 RUCKUS Technologies

RUCKUS SmartZone and Wireless Products

Controllers

SZ300 vSZ SZ144 Series ZoneDirector Unleashed Cloud Wi‐Fi

INDOOR AP High Density Enterprise Small Business

R7xx Series R6xx Series R5xx Series R3xx Series H5xx Series

OUTDOOR AP

44 © 2022 CommScope, Inc.

The RUCKUS SmartZone products are Wireless LAN Controllers that provide management
and control for RUCKUS ZoneFlex indoor and outdoor Access Points.

The RUCKUS controllers are:

• SmartZone 300 – can support up to 10,000 Access Points per node, and 30,000 in a
cluster, running SmartZone in High Scale mode.
• Virtual SmartZone (vSZ) – Virtualized versions of the SmartZone controllers, both
High Scale and Essentials.
• SmartZone 144 – can be used to manage networks up to 2,000 Access Points, 400
switches and 40,000 clients per controller. With Active‐Active clustering all members
(up to 4) of a cluster will actively manage up to 6,000 APs, 1,200 switches and
120,000 clients.
• ZoneDirector – focused on small to medium networks of up to 150 APs, 4,000 client
devices, and 256 WLANs. The ZoneDirector is not classed in the SmartZone product
line. It’s included here as it’s important to know that a ZoneDirector’s configuration
can be imported into a SmartZone controller.
• Unleashed – Offers management of a small group or organizations supporting of up
to 50 APs without the need of a dedicated controller. This is perfect for small
deployments in retail and small offices potentially supporting up to 1024 client
devices. Unleashed also has dedicated mobile apps to allow for easy provisioning
and management.
Notes continued on next slide…

Revision 2212 2‐4

ICX 150 RUCKUS Technologies

... Notes continued from previous slide

• Cloud ‐ RUCKUS Cloud Wi‐Fi simplifies deployment, monitoring and management of

your distributed wireless network.

Simply put, RUCKUS controllers manage our family of RUCKUS Access Points and switches
providing a solution for every deployment scenario from Small Business WLANs to mission‐
critical, high‐density carrier grade installations.

Indoor APs provide solutions for a wide range of environments including small offices to
large‐scale high‐density deployments such as stadiums. Each was designed to provide a
unique solution, providing the best technologies for high performance in the environments
where they are deployed.

RUCKUS Outdoor Access Points are used in a range of environments

• mounting and antenna options to suit your needs
• outdoor point‐to‐point bridges provide connectivity between remote sites

For a full overview of these RUCKUS products, please refer to the RUCKUS website at
support.ruckuswireless.com for more details.

Revision 2212 2‐5

ICX 150 RUCKUS Technologies

RUCKUS ICX 7000 Switch Portfolio – Overview

Aggregation / Core
Access / Aggregation ICX 7850
Premium
ICX 7750 Aggregation‐Core
Access Aggregation‐Core

ICX 7650
Premium
ICX 7550 Access‐Aggregation + Highest Performance
+ Highest Performance
+ MCT
Access‐Aggregation + MCT
ICX 7450 +
+ 10G/25G/40G/100G
Price/Performance

10G/40G Aggregation
Aggregation
Price/Performance

Access‐Aggregation + Medium‐to‐Large Core

ICX 7250 + 6.4 Tbps Switching
+ Capacity
ICX 7150 Access Higher Performance
+ 40G/100G Uplinks
Entry‐Level Access + Multigigabit 2.5/5/10G
+ 10G Aggregation

+ Higher Performance
+ Higher Performance
+ Hot‐swap PSU & Fans
+ Hot‐swap PSU & Fans
+ Higher Performance + L3: IPv4/IPv6, RIP, BGP,
+ L3: IPv4/IPv6, Multicast OSPF, VRRP, PIM, PBR,
+ L3: OSPF/VRRP/PIM/
+ 1G Aggregation VRF
PBR/VRF
+ High Availability + EEE + Multigigabit (2.5 GbE and
+ PoE/PoE+ or non‐PoE 2.5/5/10 GbE ports)
+ L3: OSPF/VRRP/PIM/PBR + 1G and 10G Aggregation
+ Z‐Series: Multigigabit (2.5 GbE)

Function and Scalability

6 © 2022 CommScope, Inc.

ICX multi‐purpose switches can be deployed standalone or stacked. Each was designed to
provide a unique function inside a network infrastructure with feature rich options and
performance.
Along with CLI configuration and management of the ICX switches, SmartZone can manage
the RUCKUS ICX switch family as well.

SmartZone release 6.0 offers Switch management features which include:

• Discovery and Inventory
• SNMP
• Monitoring
• Link discovery
• Software upgrades
• Backup and restore functions

SmartZone provides organizations the ability to proactively monitor the network and
perform network‐wide:
• Troubleshooting
• Generate traffic reports
• Visibility into network activity from the wireless edge to the core
• Centralized management of the entire family of RUCKUS switches and wireless
Access Points with a single easy to deploy management platform

Revision 2212 2‐6

ICX 150 RUCKUS Technologies

RUCKUS Cloud
https://ruckus.cloud/

77 © 2022 CommScope, Inc.

RUCKUS Cloud is an artificial intelligence (AI) enabled converged network management‐as‐

a‐service platform. Using a web‐based dashboard and/or native mobile application, IT can
effortlessly provision, manage, optimize, and troubleshoot high‐performance enterprise
wired and wireless networks. Using advanced AI and patented machine learning
techniques, RUCKUS Cloud enables IT to reduce unplanned downtime and troubleshoot
with speed and precision.

Revision 2212 2‐7

ICX 150 RUCKUS Technologies

RUCKUS Analytics
https://ruckus.cloud/analytics

88 © 2022 CommScope, Inc.

RUCKUS Analytics is a cloud service for network intelligence and service assurance. Powered by
machine learning and artificial intelligence, it gives IT comprehensive visibility into network
operations. This service accelerates troubleshooting and helps IT teams meet their network SLAs.
RUCKUS Analytics delivers powerful incident analytics, network health monitoring, advanced
client troubleshooting and more.

Revision 2212 2‐8

ICX 150 RUCKUS Technologies

Cloudpath Enrollment System

https://www.commscope.com/product‐type/enterprise‐networking/network‐access‐policy/network‐access/

99 © 2022 CommScope, Inc.

Many WLAN Administrators face the challenge of providing strong WLAN security, and for
many, the requirements of deployment can be complex and difficult.
Cloudpath is a security and policy management platform that offers control over users and
devices, and the provision of safe, secure WLAN access.

Revision 2212 2‐9

ICX 150 RUCKUS Technologies

SPoT ‐ Smart Positioning Technology LBS

https://www.commscope.com/product‐type/enterprise‐networking/location‐analytics/location‐analytics

10
10 © 2022 CommScope, Inc.

When commercial enterprises invest in WLAN deployments, they often want to maximize
their investment.

SPoT is RUCKUS’ Location Based Services (LBS) Solution. Data gathered in SPoT is used to
allow venues to understand the footfall traffic through their operational areas, and to
engage directly with customers.

Revision 2212 2 ‐ 10
ICX 150 RUCKUS Technologies

SmartCell Insight (SCI) – Big Data Wi‐Fi Analytics

https://www.commscope.com/product‐type/enterprise‐networking/network‐reporting/network‐reporting/

11
11 © 2022 CommScope, Inc.

RUCKUS SmartZone controllers provide a variety of reporting and reporting options for
Administrators. However, for very large‐scale deployments with hundreds, thousands, and
tens of thousands of APs, administrators often require a deeper level of information.

SmartCell Insight is designed for large‐scale service providers and integrators and provides
administrators the means to extract high‐level performance analytics and monitor Key
Performance Indicators (KPIs) for mission‐critical networks.

Revision 2212 2 ‐ 11
ICX 150 RUCKUS Technologies

Intangi Iris ‐ Configurator

• Create an account at: https://www.intangi.com/register.php
• Provides basic configurator functionality as well as advanced wired/wireless design
features
• Tool is FREE to any/all
channel partners
• Generate fast & accurate
Bill of Materials
• Selects products based
on “guided selling”
questions

12
12 © 2022 CommScope, Inc.

Iris software greatly improves the design, quotation, and proposal of complex products and
solutions, while delivering significant gains in productivity and accuracy.

Iris is a standalone Windows application that:

‐ Is designed for pre‐sales SE users
‐ Allows partners to generate BoMs fast and accurately
‐ Provides advanced technical power, port and multi‐site design capabilities
‐ Provides detailed product information
‐ Allows users to select a product based on “guided selling” questions via selectors
‐ Provides rules validation for designs (that is, right accessories, power cords, support,
etc.)
‐ Exports quotes and diagrams to Excel & Visio

Revision 2212 2 ‐ 12
ICX 150 RUCKUS Technologies

RUCKUS Mobile Apps

https://www.commscope.com/resources/apps/

RUCKUS SpeedFlex – Performance Testing

RUCKUS Cloud – Management

RUCKUS SPoT – Location Analytics

RUCKUS SWiPE ‐ Provisioning

13
13 © 2022 CommScope, Inc.

RUCKUS Mobile Apps are available for Apple and Android devices and provide a number of
options for managing your networks. Mobile Apps are dynamic and subject to frequent
updates, so please ensure you check the CommScope RUCKUS website for the latest
RUCKUS Mobile App offerings.

SpeedFlex ‐ Is a wireless performance testing tool. Based on the open‐source performance

test tool, Zap, this comprehensive, yet easy to use application from RUCKUS gives users a
simple way to collect site performance data.
RUCKUS Cloud ‐ Manage your RUCKUS wired and wireless networks on the go using
RUCKUS Cloud.

SPoT ‐ Generates operationally significant data that help businesses build an in‐depth
understanding of their venue and improve overall efficiency. Deployed on top of RUCKUS
WLANs, RUCKUS SPoT has flexible deployment options, doesn’t require any additional
hardware, and has unlimited scalability in the cloud.

SWiPE ‐ With RUCKUS Smart Wireless Installation & Provisioning Engine (SWIPE), you can
easily register the RUCKUS Access Points (APs) being managed by the RUCKUS SZ or vSZ.

Revision 2212 2 ‐ 13
ICX 150 RUCKUS Technologies

RUCKUS Resources

Let’s look at the resources available to help inform and guide as well as provide the latest
software of all product lines.

Revision 2212 2 ‐ 14
ICX 150 RUCKUS Technologies

Online Resources – Enterprise Networking Products

https://www.commscope.com/product‐type/enterprise‐networking

15
15 © 2022 CommScope, Inc.

The best place to research RUCKUS products is always the RUCKUS website:
https://www.commscope.com/product‐type/enterprise‐networking

Here you will find the most up to date information on all of our products.
You can also change the language of the website – selecting the globe icon will show the
available options.

Revision 2212 2 ‐ 15
ICX 150 RUCKUS Technologies

Online Resources ‐ ICX Ethernet Switch Portfolio

https://www.commscope.com/product‐type/enterprise‐networking/ethernet‐switches/

16
16 © 2022 CommScope, Inc.

By selecting one of the product categories, Ethernet Switches in this example, you will be
able to access and download more resources that give you more details on each of the
products including:
• Data Sheets
• At‐a‐Glance Sheets
Other resources will be available depending on the selection you choose.

Revision 2212 2 ‐ 16
ICX 150 RUCKUS Technologies

Online Resources ‐ Support

https://support.ruckuswireless.com/

17
17 © 2022 CommScope, Inc.

You can receive support documentation and firmware details on the RUCKUS support site.

Upgrade Guides, Warranty & RMA as well as Knowledge Bases and Forums are accessible
on the support page. You can navigate directly to the support page by using the URL:
https://support.ruckuswireless.com/

Resources will be available depending on the selection you choose.

Revision 2212 2 ‐ 17
ICX 150 RUCKUS Technologies

ICX Resources
• Grouping of the most common documentation for the ICX family of
switches supporting the given release
– Documents are broken into logical guides providing details on a specific
subject

– Examples:
 Layer 2 Features
 Command Reference
 Security
 Stacking
 Monitoring
 Management

• Release notes along with a Feature Support Matrix are included

18
18 © 2022 CommScope, Inc.

A Zip file is available for each release providing details of features that firmware provides.

It consists of a grouping of guides providing information of the features and their

configuration. Guides are broken into logical sections of the feature matrix of the release.
Each file included in the Zip is independently available on the RUCKUS website however
using the Zip provides most all the guides needed to deploy an ICX switch. The Release
Notes and Feature Support Matrix are also included.

Revision 2212 2 ‐ 18
ICX 150 RUCKUS Technologies

Online Training – Introduction to RUCKUS Products

https://www.commscope.com/support/training/

19
19 © 2022 CommScope, Inc.

The CommScope Training website offers a complete range of self‐study courses that allow
you to learn at your own pace. Registration is free.
https://commscope.com/support/training

Without a doubt, the best course with which to begin your journey is Introduction to
Ruckus Products. This dynamic course offers a complete overview of RUCKUS products and
technologies and is regularly updated to include new content.
Introduction to Ruckus Products is an essential course for RUCKUS internal staff, partners
and end users.

Revision 2212 2 ‐ 19
ICX 150 RUCKUS Technologies

RUCKUS Technologies

Let’s now take a look at the RUCKUS Technologies that provide superior performance and
solutions within a network environment.

Revision 2212 2 ‐ 20
ICX 150 RUCKUS Technologies

ICX Stacking Advantages

• Standard Ethernet cables (not proprietary)
• Long‐distance stacking—Up to 40 km*
• Up to 12 units per stack
• In Service Software Upgrade (ISSU)
• Hitless failover of management
• Simple setup and deployment
– Guided step‐by‐step walkthrough Why Do You Care?
• Greater scalability
– Zero Touch provisioning • Reduced costs
• No additional cost • Stacking cables
• Stacking modules/licenses
– No optional modules required • Simpler management
– No dedicated stacking‐only ports • Flexible deployment
• High availability
– No license add‐on required**
21
21 © 2022 CommScope, Inc.

Most switch vendors offer stacking with their access switches. We are the ONLY networking
vendor that offers stacking technology that makes managing your network “effortless”.

RUCKUS supports stacking up to 12 switches, which is higher than most other vendors.
Additionally, ISSU across a stack is supported, which allows for software upgrades to
switches in the stack, one at a time, limiting downtime.

RUCKUS stacking technology provides the reliability, performance, and ease of ownership
that customers demand.

* Certain ICX switches (ICX7550; ICX7650, ICX7750, and ICX7850) support long‐distance
stacking. For more information, refer to the RUCKUS Ethernet Optics Data Sheet and the
‘Stacking by Device’ section of the RUCKUS FastIron Stacking Configuration Guide, 08.0.95.

** Certain ICX switches require a 10‐Gbps license to support stacking.

Revision 2212 2 ‐ 21
ICX 150 RUCKUS Technologies

Stack Trunks

• Stack ports can be combined to form a single logical link (LAG/Trunk) to

stack members
– A trunk consists of multiple stacking ports and is treated as one logical link
– Provides more bandwidth and better resilience than individually connected ports

• Stack trunks can be used in linear or ring topologies

– Supported on all ICX 7000 Series switches
– Stacking trunks can be configured as part of the stack interactive‐
setup process

22
22 © 2022 CommScope, Inc.

Stack ports of the ICX switches can be configured as trunks acting as a single link known as
a stack trunk. This formation of a stack trunk not only provides link redundancy within a
stack port but also increases the bandwidth between the switch stack. Stack trunks can be
used in either a linear or ring topology switch stack and is supported on all the ICX 7000
series switches. Stack trunks can be configured independently or part of the interactive
setup process when forming the switch stack.

Revision 2212 2 ‐ 22
ICX 150 RUCKUS Technologies

Long‐Distance Stacking

• In a RUCKUS distributed chassis topology, members are physically separated

• Distance between stacking members depends on the ICX platform and type of
media used and can be up to 40Km

Optics and Cable Documentation:

www.ruckuswireless.com

23
23 © 2022 CommScope, Inc.

As we have seen, the distributed chassis architecture of the RUCKUS ICX switches allows
the components to be spread across the entire campus—due to the use of long‐distance
optical links—yet the whole system can be managed as a single entity.
Supported maximum distance depends on the platform or type of media used.
Supported optics and cables can be found in the RUCKUS Ethernet Optics Data Sheet, as
well as the documentation for each device, on our RUCKUS website at
https://support.ruckuswireless.com/.

Certain ports support Long‐Distance Stacking, and those details can be viewed in the
RUCKUS FastIron Stacking Configuration Guide, 08.0.95.

Revision 2212 2 ‐ 23
ICX 150 RUCKUS Technologies

ICX 7450 IPsec VPN Module

• One module per switch

• Multiple modules per stack for redundancy (1 active per stack)
• Hardware‐assisted AES‐128, AES‐256 and IKEv2 encryption
• Up to 20 IPsec tunnels per module
• 10Gbps total throughput, max 10G per tunnel
• FIPS certification and Suite‐B compliant
• Interoperates with any standard
IPsec implementation

24
24 © 2022 CommScope, Inc.

When installed, only one IPsec VPN module can be active. However, a second can be
installed for redundancy. It provides hardware assisted AES‐128, AES‐256, and IKEv2
encryption over up to 20 IPsec tunnels.

With 10Gbps of total throughput, it offers a maximum of 10G per tunnel.

The module is Federal Information Processing Standards (FIPS) certified and NSA Suite‐B
compliant. It is also capable of interoperating with any standard IPsec implementation.

Revision 2212 2 ‐ 24
ICX 150 RUCKUS Technologies

IPsec VPN Use Case 1

• Path isolation in a campus network for communities of interest

Headquarters Office:
IPSec Termination
Community C IPSec tunnel

ICX 7450 stacks in wiring closet Campus Network

with IPSec Service Module

25
25 © 2022 CommScope, Inc.

One use case for the IPsec VPN solution is to provide isolation between different
communities of interest in the campus network. This allows complete traffic separation
and security of traffic as it transits the infrastructure network, between the wiring closets
of each community and the headquarters office or core. This ensures no data capture
capability anywhere between the terminating endpoints of the individual IPsec tunnels.

Revision 2212 2 ‐ 25
ICX 150 RUCKUS Technologies

IPsec VPN Use Case 2

• ICX 7450 stacks in branch offices; IPSec termination in central office

Branch Offices:
ICX 7450 stacks with
IPSec Service Module

Central Office:
IPSec Termination

Public Network
IPSec tunnel enables secure
connectivity from branch to private
or public clouds

Branch offices need to access resources in

central site securely

26
26 © 2022 CommScope, Inc.

Another scenario is to provide secure transmission between remote branch offices and the
central office. Each branch office is capable of terminating an IPsec tunnel, thus securing
all data transmissions across a public network, whether that be a provider network or the
public Internet. Not only does this solution provide branch‐to‐central office (CO) security,
but also branch‐to‐branch security through the CO.

Revision 2212 2 ‐ 26
ICX 150 RUCKUS Technologies

Multi‐Chassis Trunking 162_MCT.png

• Provides switch‐level redundancy in addition to

the link‐level redundancy provided by LAGs
• Provides an active‐active connection of connected
devices for increased capacity and forwarding
• Expands the features of LAGs by:
– Eliminates single point of failure
– Integrated loop detection
– Easy deployment without fundamentally changing
the existing architecture
– Sub‐second failure detection and allocation of
traffic
• Currently supported on ICX 7650, 7750 and 7850

27
27 © 2022 CommScope, Inc.

MCT is an enhancement to Link Aggregation Control Protocol (LACP), IEEE standard

802.3ad and (802.1ax revision). MCT is supported on the ICX 7650, 7750, and 7850.

Other ICX however can be used to connect to the MCT cluster to provide device level
redundancy for its clients.

A regular trunk or LAG is a switch‐to‐switch link that provides redundancy.

A Multi‐Chassis Trunk is a trunk that initiates at a single MCT‐unaware switch and

terminates at two MCT‐aware switches that form one MCT logical switch.

From the diagram above, we can see that each of the MCT‐unaware switches on the left
have a trunk going to each of the MCT switches in the cluster. From the MCT logical
switches point of view, these trunks are a single trunk.

MCT is an Active‐Active network architecture that provides high availability, high reliability
and provides efficient utilization of bandwidth.

Compared to a regular trunk, which provides link‐level redundancy, the trunk is one‐to‐one
and if the switch goes down, then the whole connection is lost. In addition to port‐level
redundancy, MCT provides switch‐level redundancy by extending the trunk across two
switches providing higher availability.

Revision 2212 2 ‐ 27
ICX 150 RUCKUS Technologies

Virtual Router Redundancy Protocol ‐ Enhanced

• VRRP is a standard protocol that provides the ability to provide L3 IP

gateway redundancy for edge devices
– Secondary routers will monitor and take over routing if master gateway fails

• VRRP‐E is a RUCKUS enhanced version of VRRP that addresses the

limitations in the standard protocol
• Features VRRP‐E provide over VRRP:
– Default gateway is always pingable
 Even when master gateway fails secondary routers will respond to ICMP requests
– More granular control of track port management
 Unlike the standard, multiple track ports (uplinks) can be monitored
 Provides the ability to configure a failover when a threshold has been reached
– Additional security is available allowing MD5 authentication
28
28 © 2022 CommScope, Inc.

Virtual Router Redundancy Protocol provides failover protection of end devices IP gateway.
In the event of a failure of the gateway router other routers will take over and assume the
gateway routers duties. Virtual Router redundancy protocol enhanced is a RUCKUS
proprietary protocol that is an improvement over the VRRP standard providing improved
reliability and features to end devices.

NOTE: VRRP‐E is supported in the full Layer 3 code only. It is not supported in the base
Layer 3 code. VSRP can be used if full Layer 3 code is not installed.

Revision 2212 2 ‐ 28
ICX 150 RUCKUS Technologies

Unified Firmware Image Upgrade

• Unified FastIron Image (UFI) was introduced in 08.0.80 which simplifies the
upgrade process of ICX switches
– Combines both the FastIron application image and boot code along with the FI
signature
– Application image also now includes the PoE firmware
– The UFI is recommended for all image upgrades

• From 08.0.80, it is now possible to update all the necessary software

components in a setup using one command
• A stack can be upgraded using a UFI bundle, and all stack members are also
upgraded
• The manifest Image will use the UFI to upgrade images in future releases

29
29 © 2022 CommScope, Inc.

The UFI (which was introduced in 08.0.80) consists of the application image, the boot code
image, and the signature file, and can be downloaded in a single file. This provides the
ability to upgrade a FastIron switch with a single command simplifying the upgrade
process. Moving forward it is recommended to use the UFI process to upgrade images due
to the ease of use and the automation of code compatibility functions. Stacked switches
can also be upgraded using the UFI process which upgrades all switches in the stack.
Beginning with FastIron 08.0.90, any new ICX hardware platform (starting with the ICX
7850) will use only UFIs.

Revision 2212 2 ‐ 29
ICX 150 RUCKUS Technologies

Licensing
• Software licensing provides increased scalability and rapid deployment of
hardware
– Permanent license can be ordered pre‐installed in a RUCKUS device
– Ordered separately after delivery

• Self‐Authenticated Upgrade Licensing provides a “pay‐as‐you‐grow” capabilities

– SAU licensing allows you to upgrade or downgrade to a licensed feature set with a
single command
– SAU license options are dependent upon the switch model

• License options include:

– Ports on Demand (PoD)
– Layer 3 Base Features (L3‐BASE)
– L3 Premium Features (L3 PREM)
– Media Access Control Security (Prem‐MACsec)

30
30 © 2022 CommScope, Inc.

Flexible licensing options allow organizations to optimize network performance based on

specific requirements by simply applying a software license. This eliminates the need to
pull and replace hardware equipment but instead simply add license to your existing
devices as your network grows or to simply provide additional features that were not
previously needed. This makes network or infrastructure upgrades much easier and
decreases downtime required to make these changes.

Note: License options are not available on all switch types.

Refer to the Software Licensing Guide for specific license available for each switch.

Revision 2212 2 ‐ 30
ICX 150 RUCKUS Technologies

Attendees should now be able to:

• Describe RUCKUS product and services
• Understand and access RUCKUS resources
• Describe RUCKUS technologies

Summary

You should now be able to:

• Describe RUCKUS product and services
• Understand and access RUCKUS resources
• Describe RUCKUS technologies

Revision 2212 2 ‐ 31
ICX 150 RUCKUS Technologies

End of Presentation:
RUCKUS Technologies

Thank you

This completes the RUCKUS Technologies presentation.

Revision 2212 2 ‐ 32
ICX 150 ICX Hardware Overview

ICX Hardware Overview

Revision 2212

This presentation provides an overview of RUCKUS ICX Hardware.

Revision 2212 3‐1

ICX 150 ICX Hardware Overview

After completing this presentation, attendees

will be able to:
• Describe the different configurations available
with each ICX switch model, including:
‐ ICX 7150
‐ ICX 7250
‐ ICX 7450
Objectives ‐ ICX 7550
‐ ICX 7650
‐ ICX 7750
‐ ICX 7850
‐ ICX 8200
• Explain various capabilities supported by
RUCKUS ICX switches (such as, airflow reversal,
console connection, stacking, and cabling)

This presentation will describe the different hardware configurations available within the
ICX family covering all of the models.

Then, we will review some of the additional capabilities of ICX switches (including airflow
reversal, console connection, stacking, and cabling).

Revision 2212 3‐2

ICX 150 ICX Hardware Overview

ICX 7000 Product Family

Let’s start with a quick look at the hardware configuration for each switch in the ICX 7000
Series.

We will start with the entry‐level devices and work our way up to the high‐end products.

Revision 2212 3‐3

ICX 150 ICX Hardware Overview

ICX 7000‐Series – An Overview

Sw itch Capacity

4 © 2022 CommScope, Inc.

This table provides a high‐level overview of the hardware capacity and capabilities of each
ICX platform in the RUCKUS ICX 7000 series of switches.

Revision 2212 3‐4

ICX 150 ICX Hardware Overview

ICX 7000‐Series – An Overview (Contd.)

Key Features

5 © 2022 CommScope, Inc.

As the table continues, you may begin to understand why RUCKUS provides so many
versions of ICX switches. Each switch model has key features that bring a unique set of
capabilities.

Revision 2212 3‐5

ICX 150 ICX Hardware Overview

ICX 7000‐Series – An Overview (Contd.)

Key Features

6 © 2022 CommScope, Inc.

Here ends the overview of the ICX 7000‐series switches.

Revision 2212 3‐6

ICX 150 ICX Hardware Overview

ICX 8200 Product Family

Let’s introduce the ICX 8200 series product.

The ICX 8200 is a refresh family of compact switches and entry‐level switch solutions
targeted as a replacement for the ICX 7000 series of Access switches. The ICX 8200
provides cost reduction for the Gigabit Ethernet offering and enhances the overall ICX
product family with support for multigigabit Ethernet, PoE++ (802.3bt standard), and
25GbE configuration. Beginning with FastIron 10.0.0 release, seven unique models are
supported.

Revision 2212 3‐7

ICX 150 ICX Hardware Overview

ICX 8200 Series – An Overview

Access Switches

Capacity & Features ICX 8200‐C08PF ICX 8200‐24 ICX 8200‐48 ICX 8200‐24P ICX 8200‐48P ICX 8200‐48PF ICX 8200‐48PF2
Switching Capacity 248Gbps 296Gbps 248Gbps 296Gbps 296Gbps 296Gbps
10/100/1000Mbps RJ‐45 ports 8 24 48 24 48 48 48
1/10GbE SFP+ uplink/stack ports 2
1/10/25GbE SFP28 uplink/stack ports 4 4 4 4 4 4
PoE Power Budget (max) 124W 370W 370W 370W 370W 740W 740W with 1 PSU;
1440W with 2 PSUs
Switches Per Stack (max) 12 12 12 12 12 12 12
Stacking Bandwidth 20Gbps 100Gbps 100Gbps 100Gbps 100Gbps 100Gbps 100Gbps
Aggregate Stack Bandwidth 240Gbps 1.2Tbps 1.2Tbps 1.2Tbps 1.2Tbps 1.2Tbps 1.2Tbps
PoE+ ports 8 24 48 48 48
Long‐Distance Stacking       
sFlow       
Layer 3 features       
ISSU       
Hot Swap power supplies and fans 
Redundant Power 
EEE       
Unified Network Management Options SmartZone SmartZone SmartZone SmartZone SmartZone SmartZone SmartZone

8 © 2022 CommScope, Inc.

Beginning in 2023, several models of the ICX 8200 switch will be available (running
the FastIron 10.0.0 release).

Revision 2212 3‐8

ICX 150 ICX Hardware Overview

Hardware Overview
(Access‐Only Switches)

Now, lets take a deeper look at the hardware configuration for each switch in the ICX
product family.
We will start with the access switches.

RUCKUS access switches come in a broad range of gigabit and multigigabit switches
with 1/2.5/5/10 GbE downlinks and 10/40/100 GbE uplinks, including the ICX 7150, ICX
7250, ICX 7450, ICX 7550, and ICX 7650.

RUCKUS ICX access switches with PoE support offer standard PoE (802.3af; 15 watts), and
PoE+ (802.3at; 30 watts) sufficient to drive wireless access points, VoIP phones, video
cameras, lighting and other devices. Each ICX switch series offers sufficient power for even
the most densely populated environments, with PoE to all ports simultaneously with a
single power supply, and drive PoE+ (30 watts) to all ports with dual power supplies.

NOTE: The ICX 7250 is at End of Sale, but support will continue as required.

Revision 2212 3‐9

ICX 150 ICX Hardware Overview

ICX 7150 Series

Introducing the RUCKUS ICX 7150 series of access switches.

Revision 2212 3 ‐ 10
ICX 150 ICX Hardware Overview

ICX 7150 Series ‐ Overview

ICX 7150 Series Highlights

C08PT
C08P • High performance and port density
C12P
– 10GbE uplink options at the entry level
C10ZP
• High availability
– Redundant 10G Ethernet stack links
– Hitless stacking failover
– In Service Software Update (ISSU)
24F
24 • Advanced scalability and features
24P – L2 and L3 features including STP/RSTP/MSTP and OSPF
48 – sFlow for granular network traffic accounting
48P
48PF • Deployment flexibility
48ZP – Multiple SFP+ ports configurable for uplink
– Support for Stacking and EEE (except C08P)
– Compact models are fanless for quiet operation
– Optional fanless operation for 24P/48P (150W PoE budget)

11 © 2022 CommScope, Inc.

Let’s start with a look at the ICX 7150 series.

The ICX7150 comes in eight hardware configurations comprising the Compact models and
the 24‐/48‐port models. All hardware configurations provide:
• RJ‐45 Ethernet port for out‐of‐band network management (*except C08 and C08P)
• USB port for console management
• RJ‐45 port for serial console management (*except C08 and C08P)
• USB port for external file storage (*except C08 and C08P)
• Integrated or hot‐swappable fan (except Compact models)
• Integrated or hot‐swappable power supply (model‐dependent)

Now let’s take a closer look at each model.

Revision 2212 3 ‐ 11
ICX 150 ICX Hardware Overview

ICX 7150 Compact – Ports and Power Supplies

C08P C10ZP
1 5 6 11 12 13 14
C08PT 7
1 2 3

1 USB Type‐C console port 8 10/100/1000 Mbps RJ‐45 downlink ports

2 8× 10/100/1000 PoE+ ports 9 10/100/1000 Mbps RJ‐45 uplink ports

1
3 2× 1G SFP stacking/uplink ports 10 2× SFP+ stacking/uplink ports
C12P
5 6 8 9 10 4 AC power supply 11 6× PoE+ ports
7 5 RJ‐45 console port 12 2× PoH ports

6 RJ‐45 management port 13 2× multi‐gigabit ports

7 USB port 14 10GbE SFP+ stacking/uplink ports

12 © 2022 CommScope, Inc.

The ICX 7150 Compact comes in four hardware configurations.

All configurations are fanless for quiet operation and feature an integrated AC power
supply.

Model‐specific features:
• C08P: The fanless, compact 8‐port with PoE on all 8 ports, 2 ports of 10GbE for
uplink, as well as 2 additional ports with 1G copper uplinks
– 8x 10/100/1000 PoE+ ports, 2x 1G SFP uplink‐ports, 62W PoE budget, L2
(switch image only)
– Integrated power supply
– Introduced with FI 8.0.91

• C08PT: The fanless, compact 8‐port with PoE on all 8 ports, 2 ports of 10GbE for
uplink, as well as 2 additional ports with 1G copper uplinks
– 8x 10/100/1000 PoE+ ports, 2x 1G SFP uplink‐ports, 62W PoE budget, L2
(switch image only)
– Integrated power supply
– Introduced with FI 8.0.92
– Supports extended temperature locations (locations without temp controls)

Continued on next slide…

Revision 2212 3 ‐ 12
ICX 150 ICX Hardware Overview

Blank Notes Page

13 © 2022 CommScope, Inc

... Continued from previous slide

• C10ZP: The fanless, compact 10‐port with 90W PoE on all 10 ports
– Eight 2.5‐GbE and two 2.5/5/10‐GbE PoE/PoE+/PoH multi‐gigabit copper ports
(including two SFP+ 10‐GbE optical ports for stacking or uplink)
– Integrated power supply
– Introduced with FI 8.0.91

• C12P: The fanless, compact 12‐port with PoE on all 12 ports, 2 ports of 10 GbE for
uplink/stacking, as well as 2 additional ports with 1 G copper uplinks
– Twelve GbE (124 W) PoE+ ports (includes two 1‐GbE uplink ports and two SFP+
10‐GbE optical ports for stacking or uplink)
– Introduced with FI 8.0.60

Revision 2212 3 ‐ 13
ICX 150 ICX Hardware Overview

ICX 7150‐C08P/C08PT – LEDs

STATUS button is pushed to cycle through LEDs illuminate in Amber or Green

different interpretations of the Port to display status of the System,
LEDs, including: Link, Speed, Member ID, SW Update, Diagnostics, Cloud
and PoE status Management, and Power

Refer to the ICX 7150 Hardware Installation Guide for interpreting each of these LEDs
14 © 2022 CommScope, Inc.

The LEDs on the ICX 7150‐C08P and –C08PT switches provide valuable insight into the
operations of the switch.
Shown is an ICX 7150‐C08P (note that the ICX 7150‐C08P and –C08PT switches are
functionally identical; the only difference is the ICX 7150‐C08PT has a square‐cornered
IP30‐rated shell).

Located to the right of the USB Type‐A port is the Status LED section. The STATUS button
allows the user to cycle through the status (STAT) of each port link, port speed (SPD) of
each port link, and stack member ID (ID) of each port link. The PoE LED reflects whether
PoE is off, on, or in a fault condition.

Located to right of the Status LED section are additional LEDs to indicate the status of the
Operating System (SYST), a software update (UPDATE), diagnostic testing (DIAG), Cloud
management connection (CLD), and PSU health (PWR).

Full interpretation of each of these LEDs is available in the RUCKUS ICX 7150 Switch
Hardware Installation Guide, found on the RUCKUS Support website.

Revision 2212 3 ‐ 14
ICX 150 ICX Hardware Overview

ICX 7150‐C10ZP – LEDs

STATUS button is pushed to cycle through LEDs illuminate in Amber or Green

different interpretations of the Port to display status of the System,
LEDs, including: Link, Speed, Member ID, Stack (MS), SW Update, Diagnostics,
USB status, and PoE status Cloud Management, and Power

Refer to the ICX 7150 Hardware Installation Guide for interpreting each of these LEDs
15 © 2022 CommScope, Inc.

The LEDs on the ICX 7150‐C10ZP provide valuable insight into the operations of the switch.

Located to the right of the USB Type‐A port is the Status LED section. The STATUS button
allows the user to cycle through the status (STAT) of each port link, port speed (SPD) of
each port link, and stack member ID (ID) of each port link. The USB LED flashes when files
are being copied between the USB drive and the system FLASH. The PoE LED reflects
whether PoE is off, on, or in a fault condition.

Located to the left of the RJ‐45 management interface there are LEDs to indicate the status
of the Operating System (SYST), the Stack status if the unit is an active or standby member
of a stack (MS), a software update (UPDATE), diagnostic testing (DIAG), Cloud management
connection (CLD), and PSU health (PWR).

Full interpretation of each of these LEDs is available in the RUCKUS ICX 7150 Switch
Hardware Installation Guide, found on the RUCKUS Support website.

Revision 2212 3 ‐ 15
ICX 150 ICX Hardware Overview

ICX 7150‐C12P – LEDs

LEDs illuminate in Amber or Green

to display status of the System,
STATUS button is pushed to cycle through
Stack (MS), SW Update, Diagnostics,
different interpretations of the Port
Cloud Management, and Power
LEDs, including: Link, Speed, Member ID,
USB status, and PoE status

Refer to the ICX 7150 Hardware Installation Guide for interpreting each of these LEDs
16 © 2022 CommScope, Inc.

The LEDs on the ICX 7150‐C12P provide the same information as the ICX 7150‐C10ZP
switch that we just looked at.
On the 12‐port switch, the Status LED section is located above the RESET pinhole and RJ‐45
management interface.
Located above the console port interfaces are the system LEDs.

Full interpretation of each of these LEDs is available in the RUCKUS ICX 7150 Switch
Hardware Installation Guide, found on the RUCKUS Support website.

Revision 2212 3 ‐ 16
ICX 150 ICX Hardware Overview

ICX 7150 24x – Ports, Power Supplies, and Fans

24 1
24P 1 Type‐C USB console port
Front 2 RJ‐45 console port
2 3 5 6 7
4 3 RJ‐45 management port

4 Type‐A USB port

24F 1 5 24× 10/100/1000 Mbps RJ‐45 downlink ports

Front
6 2× 10/100/1000 Mbps RJ‐45 uplink ports
2 3 8 6 7 7 SFP+ stacking/uplink ports
4
8 24× 1 GbE SFP downlink ports

Rear 9 Fans
(all
models) 10 Power supply
9 10

17 © 2022 CommScope, Inc.

All RUCKUS ICX 7150 24‐port models provide on the front of the unit: one USB
Type‐C port and one RJ‐45 port for console management, one RJ‐45 Ethernet port
for out‐of‐band network management, and one Type‐A USB port for external file
storage. On the rear of the unit, all models provide fan exhaust and power supply.

The port capabilities on the front panel are model dependent:

• 24:
– 24× 10/100/1000 Mbps RJ‐45 downlink ports
– 2× 10/100/1000 Mbps uplink RJ‐45 ports
– 4× 1/10 GbE uplink/stacking SFP/SFP+ ports

• 24P:
– 24× 10/100/1000 Mbps RJ‐45 PoE+ downlink ports (370W PoE budget)
– 2× 10/100/1000 Mbps uplink RJ‐45 ports
– 4× 1/10 GbE uplink/stacking SFP/SFP+ ports
– Optional fanless operation

• 24F:
– 24× 1 GbE SFP downlink ports
– 2× 1 GbE uplink RJ‐45 ports
– 4× 1/10 GbE uplink/stacking SFP/SFP+ ports

Revision 2212 3 ‐ 17
ICX 150 ICX Hardware Overview

ICX 7150 48x – Ports, Power Supplies, and Fans

48 1 48ZP 1
48P
48PF
2 10 11 6
Front 2 4 5 6
3 3

48
Rear
7 8 9 9 7 8 8

48P
Rear 1 Type‐C USB port 7 RJ‐45 console port
9 7 8
2 RJ‐45 management port 8 Power supply

48PF 3 Type‐A USB port 9 Fans

Rear 4 48× 10/100/1000 Mbps RJ‐45 10 16× 2.5‐GbE RJ‐45 PoH ports
9 7 8 downlink ports

5 2× 10/100/1000 Mbps RJ‐45 11 32× 1‐GbE RJ‐45 PoE+ ports

uplink ports

6 SFP/SFP+ stacking/uplink ports 12 SFP+ stacking/uplink ports

18 © 2022 CommScope, Inc.

All RUCKUS ICX 7150 48‐port models provide on the front of the unit: one USB
Type‐C port for console management, one RJ‐45 Ethernet port for out‐of‐band
network management, and one Type‐A USB port for external file storage. On the
rear of the unit, all models provide an RJ‐45 console port and power supply.
Integrated fans are available on the 48P/PF models, while hot‐swappable fans are
available on the 48ZP.
Note: Fans and power supplies hot‐swappable only on the 48ZP model.

The port capabilities on the front panel are model dependent:

• 48:
– 48× 10/100/1000 Mbps RJ‐45 ports
– 2× 10/100/1000 Mbps uplink RJ‐45 ports
– 4× 1/10 GbE uplink/stacking SFP/SFP+ ports

• 48P:
– 48× 10/100/1000 Mbps RJ‐45 PoE+ ports (370W PoE budget)
– 2× 10/100/1000 Mbps uplink RJ‐45 ports
– 4× 1/10 GbE uplink/stacking SFP/SFP+ ports
– Optional fanless operation

• 48PF:
– 48×10/100/1000 Mbps RJ‐45 PoE+ ports (740W PoE budget)
– 2×10/100/1000 Mbps uplink RJ‐45 ports
– 4×1/10 GbE uplink/stacking SFP/SFP+ ports

Continued on next slide…

Revision 2212 3 ‐ 18
ICX 150 ICX Hardware Overview

Blank Notes Page

19 © 2022 CommScope, Inc

... Continued from previous slide

• 48ZP:
– 16× 100/1000 Mbps/2.5 Gbps RJ‐45 PoH, 802.3bt‐ready ports
– 32× 10/100/1000 Mbps RJ‐45 PoE+ ports (1,480W PoE budget with two power
supplies)
– 8× 1/10 GbE uplink/stacking SFP/SFP+ ports

Note: 7150‐24P and 48P models support optional fanless mode operations.
Using the chassis fanless command administrators can set the fan speed
to zero for quiet operation. When using this mode devices are limited to 150
Watts of power budget. If the device is currently using more than 150 Watts of
power, it needs to be reduced before fanless operation can be enabled.

Revision 2212 3 ‐ 19
ICX 150 ICX Hardware Overview

ICX 7150‐24x/48x – LEDs

STATUS button is pushed to cycle through
different interpretations of the Port
LEDs, including: Link, Speed, Member ID,
USB status, and PoE status
Models 24, 24F, and 48 have no PoE LED,
but the STATUS button and
remaining LEDs are the same as
the other 24/48‐port models
LEDs illuminate in Amber or Green
to display status of the System,
Stacking Mode (MS), SW Update,
Diagnostics, Cloud Management,
and Power

Refer to the ICX 7150 Hardware Installation Guide for interpreting each of these LEDs
20 © 2022 CommScope, Inc.

The STATUS button and LEDs on the ICX 7150 24‐port, 48‐port, and their PoE derivatives,
have the same usage and provide the same valuable insight as the Compact models:
STAT
SPD
ID
USB
PoE (not applicable to non‐PoE models)

The only difference is the placement on the front of the unit. Likewise for the system LEDs.

On the rear of the 48ZP switch (not shown), each fan assembly and each power supply unit
has its own status LED.

Full interpretation of the LEDs for all ICX 7150 devices can be found in the RUCKUS ICX 7150
Switch Hardware Installation Guide, found on the RUCKUS Support website.

Revision 2212 3 ‐ 20
ICX 150 ICX Hardware Overview

ICX 7250 Series

Introducing the RUCKUS ICX 7250 series of access switches.

Revision 2212 3 ‐ 21
ICX 150 ICX Hardware Overview

ICX 7250 ‐ Overview

ICX 7250 Series Highlights
• High performance and port density
– 4 models with 24 or 48 ports (2 models with PoE/PoE+)
– 24× or 48× 10/100/1000 Mbps RJ‐45 ports (with or without PoE+)
– 8× 10GbE SFP/SFP+ stacking/uplink ports
24
– Stack up to 12 units (any combination of switch versions
24P
• High availability
– Redundant 10G Ethernet stack links
48 – Hitless stacking failover
48P – Optional external PSU shelf (powers up to 16 ICX 7250 switches)

• Advanced scalability and features

– L2 and L3 features
– 1GbE uplink/stacking ports are upgradable to 10GbE

• Deployment flexibility
– SFP/SFP+ ports configurable for stacking or uplinks
– Support for EEE and OpenFlow 1.3

22 © 2022 CommScope, Inc.

All ICX 7250 models provide either 24 or 48 1Gbps Ethernet connectivity.

Each of the models is equipped with 8× 1/10G uplink/stacking ports for high throughput
stack capabilities.

Additionally, the “P” models provide PoE+ capabilities to supply current to many devices
including IP phones and Wi‐Fi access points. It delivers higher performance than the ICX
7150, with up to 8× 10GbE uplink ports, more Layer 3 features, and Energy‐Efficient
Ethernet.

The optional RUCKUS ICX‐EPS 4000 is an external power supply is also available to provide
redundant system power, as well as additional PoE power. While not hot‐swappable, you
can use any of the 4 external power supplies in it to provide backup power to up to 16
switches.

Revision 2212 3 ‐ 22
ICX 150 ICX Hardware Overview

ICX 7250 – Ports, Power Supplies, and Fans

24 1
24P 24
Front Rear
2 4 5 7 8 9
3
24P
48 1 48
48P Rear
7 8 9
Front
2 6 5 48P
3 Rear
7 8 9

1 Mini‐USB console port 4 24: 24× 10/100/1000 Mbps RJ‐45 ports 7 Fans
24P: 24× 10/100/1000 Mbps RJ‐45 PoE+ ports

2 RJ‐45 Management port 5 8× SFP or SFP+ uplink/stacking ports 8 External power supply connector
(covered when not in use)

3 USB Type‐A console port (for file transfer) 6 48: 48× 10/100/1000 Mbps RJ‐45 ports 9 Integrated AC power supply
48P: 48× 10/100/1000 Mbps RJ‐45 PoE ports

23 © 2022 CommScope, Inc.

All RUCKUS ICX 7250 models provide on the front of the unit: one Mini‐USB port for
console management, one RJ‐45 Ethernet port for out‐of‐band network
management, and one Type‐A USB port for external file storage. On the rear of the
unit, all models provide integrated fan, external power supply connector, and
integrated power supply.

The port capabilities on the front panel are model dependent:

• 24:
– 24× 10/100/1000 Mbps RJ‐45 ports
– 8× 1 GbE uplink/stacking ports (upgradable to 10 GbE)

• 24P:
– 24× 10/100/1000 Mbps RJ‐45 PoE+ ports (370 W PoE budget)
– 8× 1 GbE uplink/stacking ports (upgradable to 10 GbE)

• 48:
– 48× 10/100/1000 Mbps RJ‐45 ports
– 8× 1 GbE uplink/stacking ports (upgradable to 10 GbE)

• 48P:
– 48× 10/100/1000 Mbps RJ‐45 PoE+ ports (740 W PoE budget)
– 8× 1 GbE uplink/stacking ports (upgradable to 10 GbE)

Revision 2212 3 ‐ 23
ICX 150 ICX Hardware Overview

ICX 7250 – External Power Supply

RUCKUS ICX‐EPS 4000

• Supports up to four removable power supplies
(920 Watts each)

• Delivers additional power for up to 16 RUCKUS

One to Four
Power Supplies
ICX 7250 switches

• Provides system power redundancy to switches

• Provides increased PoE/PoE+ power budget to

enable additional ports on switches

24 © 2022 CommScope, Inc.

While the primary source of 12V power for an ICX 7250 device is the internal power supply,
the RUCKUS ICX‐EPS 4000 is designed to serve primarily as a backup source of 12V power.
Delivering additional power for up to 16 RUCKUS ICX 7250 switches, it can be used for both
system power redundancy and PoE/PoE+ power budget increase to enable additional ports.

Revision 2212 3 ‐ 24
ICX 150 ICX Hardware Overview

ICX 7250 – LEDs

• The ICX 7250 has System and Port‐level LED indicators
• System LEDs to indicate status of:
– Power Supply
– External Power Supply (EPS)
– Diagnostics
– Stacking Mode
– Uplink
– Downlink
– Stack Unit ID
• Port LEDs indicate:
– Valid link and TX/RX
– PoE status
Refer to the ICX 7250 Hardware Installation Guide for interpreting each of these LEDs
25 © 2022 CommScope, Inc.

The LEDs on the ICX 7250 provide valuable insight into the operations of the switch.

There are LEDs for power status, both local and power from an External Power Supply
(EPS). Note that only the ICX 7250‐48P supports connecting to two EPS devices and is the
only device with two EPS LEDs. Diagnostic LED indicates if the system is in diagnostic mode.
The remaining LEDs provide insight when the unit is operating in a stack. These indicate
Stacking Mode status, uplink and downlink port status, and the unit’s stack ID. You may
notice that there are only 10 LEDs but the 7250 has ability to have 12 units in a stack. In the
case of unit IDs higher than 10, the 10+ LED and the 1 or 2 LED will be lit, indicating unit ID
11 or 12, respectively.

In addition to these, LEDs on each port indicate link status, activity, and PoE status.

Full interpretation of each of these LEDs is available in the RUCKUS ICX 7250 Switch
Hardware Installation Guide, found on the RUCKUS Support website.

Revision 2212 3 ‐ 25
ICX 150 ICX Hardware Overview

ICX 8200 Series

Let’s introduce you to the RUCKUS ICX 8200 series of access switches. Beginning in
2023, several models of the ICX 8200 switch will be available (running the FastIron
10.0.0 release).

Revision 2212 3 ‐ 26
ICX 150 ICX Hardware Overview

ICX 8200 Series ‐ Overview

ICX 8200 Series Highlights
• High performance and port density
– All models: 1Gbps downlink/data ports
– 8‐port model: 2× 10GbE SFP+ uplink/stack ports
– 24‐/48‐port models: 4× 25GbE SFP28 uplink/stack ports
C08PF
24 • High availability
– Redundant Ethernet stack links
24P
– Hitless stacking failover
48
– Perpetual PoE and Fast Boot PoE
48P
– In Service Software Update (ISSU)
48PF
48PF2
• Advanced scalability and features
– Supports SAU for upgrade/downgrade of licenses
– L3 Premium features and Ports on Demand (PoD)
– sFlow for granular network traffic accounting
– In Service Software Update (ISSU)

• Deployment flexibility
– Multiple SFP ports configurable for uplink
– Supports Stacking and EEE
– Compact model is fanless for quiet operation

27 © 2022 CommScope, Inc.

First available with FastIron release 10.0.0, the ICX 8200 series of access switches is
initially available in seven hardware configurations. The ICX 8200 series is targeted to
replace the 7000‐series of access switches.

Models support:
• High performance and port density
– All models provide 1Gbps downlink/data ports
– 8‐port model provides 2× 10GbE SFP+ uplink/stack ports
– 24‐/48‐port models provide 4× 25GbE SFP28 uplink/stack ports

• High availability
– Redundant Ethernet stack links
– Hitless stacking failover
– Perpetual PoE (provides uninterrupted power to connected PD device even
when the PSE switch is booting)
– Fast Boot PoE (remembers the last PoE power settings and switches on
power the moment AC power is plugged in without waiting for the host
switch to boot up)
– In Service Software Update (ISSU)

Continued on next slide…

Revision 2212 3 ‐ 27
ICX 150 ICX Hardware Overview

Blank Notes Page

28 © 2022 CommScope, Inc

... Continued from previous slide

• Advanced scalability and features

– Self‐Authenticated Upgrade (SAU) method supported for upgrade or
downgrade of licenses
– Ports on Demand (PoD) for the uplink/stacking ports
– L3 Premium features such as OSPF‐v2, OSPF‐v3 (IPv6), VRRP, VRRPv3 (IPv6),
VRRP‐E, GRE, PBR, PIM‐SIM, PIM‐SSM, PIM‐DM, PIM Passive, VRF (IPV4 and
IPV6)
– sFlow for granular network traffic accounting
– In Service Software Update (ISSU)

• Deployment flexibility
– Multiple SFP ports configurable for uplink
– Stacking
– EEE
– Fanless compact model (C08PF) for quiet operation

Now let’s take a closer look at each model.

Revision 2212 3 ‐ 28
ICX 150 ICX Hardware Overview

ICX 8200‐C08PF – Ports and Power Supplies

2 1 Reset button

2 USB Type‐C console port

1 3 4 6 7 3 USB port (for external disk drive)

5 4 RJ‐45 management port

5 RJ‐45 console port

6 Slot 1: 8× 10/100/1000 Mbps RJ‐

45 PoE+ ports

7 Slot 2: 2× 1/10 Gbps SFP+

stacking/uplink ports

8 AC power supply
8

29 © 2022 CommScope, Inc.

The ICX 8200‐C08PF is a compact 8‐port device introduced with FI 10.0.0.

This hardware configuration is fanless for quiet operation, features an integrated AC power
supply accessible on the rear of the unit, and features a 124W PoE power budget.

The front of the device features one USB Type‐C port and one RJ‐45 port for console
management, one RJ‐45 Ethernet port for out‐of‐band network management, and
one Type‐A USB port for external file storage. The eight RJ‐45 copper PoE+ ports
support 10/100/1000 Mbps for downlink. The two SFP+ fiber ports support 10Gbps for
uplink/stacking.

Revision 2212 3 ‐ 29
ICX 150 ICX Hardware Overview

ICX 8200 C08PF – LEDs

STATUS button is pushed to cycle through LEDs illuminate in Amber or Green

different interpretations of the Port to display status of the System,
LEDs, including: Link, Speed, Member ID, Stack (Master), SW Update,
USB status, and PoE status Diagnostics, Cloud Management,
and Power

Refer to the ICX 8200 Hardware Installation Guide for interpreting each of these LEDs
30 © 2022 CommScope, Inc.

The LEDs on the ICX 8200‐C08PF reflect the operational status of the switch.

Located to the right of the USB‐C console port is the Status LED section. The STATUS button
allows the user to cycle through the status (STAT) of each port link, port speed (SPD) of
each port link, and stack member ID (ID) of each port link. The USB LED flashes when files
are being copied between the USB drive and the system FLASH. The PoE LED reflects
whether PoE is off, on, or in a fault condition.

Located to the right of the Status LED section are LEDs to indicate the status of the
Operating System (SYST), Stack membership (MSTR), a software update (UPDATE),
diagnostic testing (DIAG), management platform connection (CLD), and PSU health (PWR).

Full interpretation of each of these LEDs can be found in the RUCKUS ICX 8200 Switch
Hardware Installation Guide available on the RUCKUS Support website.

Revision 2212 3 ‐ 30
ICX 150 ICX Hardware Overview

ICX 8200‐24/24P – Ports, Power Supplies, and Fans

3
24
1 Type‐A USB port
24P 1
Front 2 Reset button
2 4 6 7 3 Type‐C USB console port
5
4 RJ‐45 management port

24 5 RJ‐45 console port

Rear 6 24: 24× 10/100/1000 Mbps RJ‐45 ports
24P: 24× 10/100/1000 Mbps RJ‐45 PoE+ ports
8 9
7 4× 1/10/25 GbE SFP28 stacking/uplink ports

8 Fan

24P 9 Power supply

Rear
8 9

31 © 2022 CommScope, Inc.

All RUCKUS ICX 8200 24‐port models provide on the front of the unit: one USB
Type‐C port and one RJ‐45 port for console management, one RJ‐45 Ethernet port
for out‐of‐band network management, and one Type‐A USB port for external file
storage. On the rear of the unit, all models provide fan exhaust and power supply.

The port capabilities on the front panel are model dependent:

• 24:
– 24× 10/100/1000 Mbps RJ‐45 downlink ports
– 4× 1/10 GbE uplink/stacking SFP28/SFP+ ports

• 24P:
– 24× 10/100/1000 Mbps RJ‐45 PoE+ downlink ports (370W PoE budget)
– 4× 1/10 GbE uplink/stacking SFP28/SFP+ ports

Revision 2212 3 ‐ 31
ICX 150 ICX Hardware Overview

ICX 8200‐48/48x – Ports, Power Supplies, and Fans

Front
View: 1 Type‐A USB port
48 1 5
2 Reset button
48P
48PF 3 RJ‐45 management port
48PF2 2 3 6 7 4 RJ‐45 console port
4
5 Type‐C USB console port

6 48: 48× 10/100/1000 Mbps RJ‐45 ports

48P: 48× 10/100/1000 Mbps RJ‐45 PoE+ ports
Rear 48PF: 48× 10/100/1000 Mbps RJ‐45 PoE+ ports
Views: 48PF2: 48× 10/100/1000 Mbps RJ‐45 PoE+ ports

48 7 4× 1/10/25 GbE SFP28 stacking/uplink ports

8 Fan
48P
9 Power supply

48PF

48PF2
8 9
32 © 2022 CommScope, Inc.

All RUCKUS ICX 8200 48‐port models provide on the front of the unit: one USB
Type‐C port and one RJ‐45 port for console management, one RJ‐45 Ethernet port
for out‐of‐band network management, and one Type‐A USB port for external file
storage.

The downlink/uplink port capabilities, as well as fan and power supply, are model
dependent:
• 48:
– 48× 10/100/1000 Mbps RJ‐45 downlink ports
– 4× 1/10 GbE uplink/stacking SFP28/SFP+ ports
– 1 integrated fan
– 1 integrated power supply

• 48P:
– 48× 10/100/1000 Mbps RJ‐45 PoE+ downlink ports (370W PoE budget)
– 4× 1/10 GbE uplink/stacking SFP28/SFP+ ports
– 2 integrated fans
– 1 integrated power supply

• 48PF:
– 48× 10/100/1000 Mbps RJ‐45 PoE+ downlink ports (740W PoE budget)
– 4× 1/10 GbE uplink/stacking SFP28/SFP+ ports
– 3 integrated fan
– 1 integrated power supply
Continued on next slide…

Revision 2212 3 ‐ 32
ICX 150 ICX Hardware Overview

Blank Notes Page

33 © 2022 CommScope, Inc

... Continued from previous slide

• 48PF2:
– 48× 10/100/1000 Mbps RJ‐45 PoE+ downlink ports (1480W PoE budget when
running 2 PSUs)
– 4× 1/10 GbE uplink/stacking SFP28/SFP+ ports
– 2× hot‐swappable fans
– 2× hot‐swappable power supplies

Revision 2212 3 ‐ 33
ICX 150 ICX Hardware Overview

ICX 8200‐24x/48x – LEDs

STATUS button is pushed to cycle through
different interpretations of the Port
LEDs, including: Link, Speed, Member ID,
USB status, and PoE status
Models 24 and 48 have no PoE LED,
but the STATUS button and
remaining LEDs are the same
across all 24/48‐port models
LEDs illuminate in Amber or Green
to display status of the Operating
System, Stacking Mode (MSTR),
SW Update, Diagnostics,
Cloud Management, and Power

Refer to the ICX 8200 Hardware Installation Guide for interpreting each of these LEDs
34 © 2022 CommScope, Inc.

The STATUS button and LEDs on the ICX 8200 24‐port, 48‐port, and their PoE derivatives,
have the same usage and provide the same valuable insight as the Compact models:
STAT
SPD
ID
USB
PoE (not applicable to non‐PoE models)
The only difference is the placement on the front of the unit.

The system LEDs located to the right of the Status LED section indicate Operating System
status, Stack membership, software update activity, diagnostic testing activity,
management platform connection, and PSU health.

Full interpretation of these LEDs can be found in the RUCKUS ICX 8200 Switch Hardware
Installation Guide available on the RUCKUS Support website.

Revision 2212 3 ‐ 34
ICX 150 ICX Hardware Overview

Hardware Overview
(Access/Aggregation Switches)

Now, lets take a look at the ICX switches that support access and aggregation: ICX 7450,
ICX 7550, and ICX 7650.

The ICX 7450 and 7650 are much the same; differences lie in switching capacity, number
and type of ports, stack bandwidth, MACsec availability, and network management options.
Refer to the tables in the first section of this module for those details.

The ICX 7550 is new as of FastIron release 8.0.95.

Revision 2212 3 ‐ 35
ICX 150 ICX Hardware Overview

ICX 7450 Series

First, let’s look at the RUCKUS ICX 7450 series of access/aggregation switches.

Revision 2212 3 ‐ 36
ICX 150 ICX Hardware Overview

ICX 7450 – Overview

ICX 7450 Highlights
• High performance and port density
– 5 models supporting 24/48 POE+ and 48‐port SFP
– 2× 40G QSPF+ stack connections, 80G stack bandwidth
– Stack up to 12 units (any combination of switch versions)
24
24 24P • High availability
24P – Hitless stacking failover and redundant 40G stack links
48 – Redundant hot‐swap load‐sharing power supplies and fans
48 48P – In Service Software Update (ISSU)
48P
• Advanced scalability and features
48F – L2 and L3 features
48F
• Deployment flexibility
– AC or DC power
– Flexible uplink modules
– Reversible front‐to‐back or back‐to‐front airflow
– 10G or 40GbE uplink and stacking options
– Support for EEE, MACsec, IPsec and OpenFlow 1.3

37 © 2022 CommScope, Inc.

The ICX 7450 delivers high performance and flexibility with a backbone of up to 40G. It can
serve as a high‐end access switch or as an aggregation device. Its unique design includes 3
modular slots (one accessible front the front panel and two accessible on the rear panel)
that can be used for 1G, 10G, or 40G uplink/stacking ports, or an IPsec VPN encryption
module (for added security).

The ICX 7450 also offers dual hot‐swap power supplies and fans, MACsec, Energy Efficient
Ethernet (EEE), and advanced Layer 3 features.

The ICX7450 comes in five basic configurations that are primarily differentiated based on
the port density (24 ports or 48 ports) and the PoE/PoH capabilities (with PoE/PoH and
without PoE).

Revision 2212 3 ‐ 37
ICX 150 ICX Hardware Overview

ICX 7450 – Ports, Power Supplies, and Fans

24 1 48F 1
24P Front
Front
2 4 5 2 7 5
3 3

48 1
48P
Rear
Front
2 6 5 8 9 8 10 10
3
1 RJ‐45 Management port 6 48: 48× 10/100/1000 Mbps RJ‐45 ports
48P: 48× 10/100/1000 Mbps RJ‐45 PoE+ ports
Note: Yellow‐highlighted ports support high‐power PoE (PoH)

2 USB Type‐A console port (for file transfer) 7 48F: 48× 100/1000 Mbps SFP ports

3 Mini‐USB console port 8 Fan

4 24: 24× 10/100/1000 Mbps RJ‐45 ports 9 2× Interface module or IPSec service module slots
24P: 24× 10/100/1000 Mbps RJ‐45 PoE+ ports
Note: Yellow‐highlighted ports support high‐power PoE (PoH)

5 Interface module or IPSec service module slot 10 Power supply

38 © 2022 CommScope, Inc.

All RUCKUS ICX 7450 models provide on the front of the unit: one Mini‐USB port for
console management, one RJ‐45 Ethernet port for out‐of‐band network
management, and one Type‐A USB port for external file storage. On the rear of the
unit, all models provide exhaust fans, power supplies, and slots for interface
modules or IPsec service modules. With two power supplies, the ICX 7450 attains a
1,500‐watt PoE budget.

The port capabilities on the front panel are model dependent:

• 24:
– 24× 10/100/1000 Mbps RJ‐45 ports (30W per port)

• 24P:
– 24× 10/100/1000 Mbps RJ‐45 PoE+ ports (up to 30W per port)
– 8× pre‐assigned ports (labeled in yellow) supporting PoH, IEEE 802.3bt‐ready
ports (up to 90W per port)

• 48:
– 48× 10/100/1000 Mbps RJ‐45 ports

• 48P:
– 48× 10/100/1000 Mbps RJ‐45 PoE+ ports (up to 30W per port)
– 8× pre‐assigned ports (labeled in yellow) supporting PoH, IEEE 802.3bt‐ready
ports (up to 90W per port)

Revision 2212 3 ‐ 38
ICX 150 ICX Hardware Overview

ICX 7450 Interface Modules

ICX7400‐1X40GQ ICX7400‐4X10GF ICX7400‐4X10GC ICX7400‐4X1GF

Bandwidth 80Gbps 80Gbps 80Gbps 8Gbps

Port Type 1× 40GbE QSFP+ 4× 10GbE SFP+ 4× 10GbE RJ‐45 4× 1GbE SFP
Front (24) or
Module Slot Front or Rear Front or Rear Front only
Rear (24/48)
Stacking (front)
Stacking (rear),
Function Uplink with MACsec Uplink Uplink
Uplink
LRM optic support

39 © 2022 CommScope, Inc.

There are several optional interface modules available specifically for the ICX 7450. They
offer 1, 10, or 40 Gigabit Ethernet connectivity options. Some have specific installation
location requirements that are based on interface type as well as location on the switch
(either on the front or the back of the unit). Two offer both stacking and uplink capabilities,
while the remaining two offer uplink only.

Revision 2212 3 ‐ 39
ICX 150 ICX Hardware Overview

ICX 7450 IPsec VPN Service Module

• Industry‐first hardware‐based IPsec
solution for stackable switch
• Flexible deployment, can encrypt traffic
from/to any stack port
• Rich feature set, including: IPv4 unicast,
OSPF, QoS, PBR, VRF, ACL and Jumbo
frames supported on IPsec tunnels
• Futureproofing via field‐upgradeable
FPGA based Packet Processor

40 © 2022 CommScope, Inc.

The ICX 7450 IPsec VPN service module (ICX7400‐SERVICE‐MOD) is the industry’s first
hardware‐based IPsec solution for a stackable switch.
It is capable of encrypting traffic to or from any stack port on the switch.
It supports a vast number of features over the IPsec tunnel, including: IPv4 unicast, OSPF,
QoS, PBR, VRF, ACL and Jumbo frames.

The module is future‐proofed by leveraging a field‐upgradeable Field Programmable Gate

Array (FPGA)‐based Packet Processor.

Revision 2212 3 ‐ 40
ICX 150 ICX Hardware Overview

ICX 7450 IPsec VPN Module (Cont’d)

• 1 module per switch ‐ Multiple modules per
stack for redundancy (1 active per stack)
• Hardware assisted AES‐128, AES‐256 and
IKEv2 encryption
• Up to 20 IPsec tunnels per module
• 10Gbps total throughput, max 10G per
tunnel
• FIPS certification and Suite‐B compliant
• Interoperates with any standard IPsec
implementation
41 © 2022 CommScope, Inc.

When installed, only one IPsec VPN module can be active. However, additional modules
can be installed for redundancy (up to three as there are three slots).
The IPsec VPN module provides hardware‐assisted AES‐128, AES‐256 and IKEv2 encryption
over up to 20 IPsec tunnels.

With 10Gbps of total throughput, it offers a maximum of 10G per tunnel.

The module is Federal Information Processing Standards (FIPS) certified and NSA Suite‐B
compliant.

It is also capable of interoperating with any standard IPsec implementation.

Revision 2212 3 ‐ 41
ICX 150 ICX Hardware Overview

ICX 7450 – LEDs

• The ICX 7450 has System and Port‐level LED indicators
• Front System LEDs:
– Power Supply 1
– Power Supply 2
– Diagnostics
– Stacking Mode
– Media Expansion Modules 2‐4
– Stack Unit ID
• Port LEDs:
– Valid link and TX/RX
– PoE status
Refer to the ICX 7450 Hardware Installation Guide for interpreting each of these LEDs
42 © 2022 CommScope, Inc.

The LEDs on the ICX 7450 provide the same insights to switch operations as the ICX 7250
switch.

On the front panel there is an LED for power status of each hot‐swappable power supply
and a diagnostic LED indicates if the system is in diagnostic mode. There are LEDs indicating
Media Expansion Modules in slots 2‐4. And the remaining LEDs provide insight when the
unit is operating in a stack. These indicate Stacking Mode status, uplink and downlink port
status, and the unit’s stack ID. Like with the 7250 when the unit ID is higher than 10, the
10+ LED and the 1 or 2 LED will be lit, indicating unit ID 11 or 12, respectively.
In addition to these, LEDs on each port indicate link status, activity and PoE status.

On the rear of the switch (not shown), each fan assembly and each power supply unit has
its own status LED. If equipped with expansion modules, each module has a link/activity
LED per port and a power LED on the lower right.

Full interpretation of each of these LEDs is available in the RUCKUS ICX 7450 Switch
Hardware Installation Guide, found on the RUCKUS Support website.

Revision 2212 3 ‐ 42
ICX 150 ICX Hardware Overview

ICX 7550 Series

Introducing the RUCKUS ICX 7550 series of access/aggregation switches.

Revision 2212 3 ‐ 43
ICX 150 ICX Hardware Overview

ICX 7550 Overview

ICX 7550 Series Highlights
• High performance and port density
– 24‐port and 48‐port models available supporting
1, 2.5/5/10 Gbps downlink
24F – Uplink/Stack ports: 10, 40, or 100 Gbps via expansion module

24 • High availability
– Hitless stack failover and redundant stack links
24P – Redundant hot‐swap load‐sharing power supplies and fans
– Hot insertion and removal of stacked units
24ZP – Layer 3 VRRP/VRRP‐E protocol redundancy
– In Service Software Update (ISSU)
48
• Advanced scalability and features
48F – Stack up to 12 units via 40G or 100G links (any port combo)
– Multi‐gig models: 802.3bt PoE (2000W PoE budget, 90W per port)
48ZP – L2 and advanced L3 features including RIP, OSPF, and BGP
– sFlow for granular network traffic accounting
48P
• Deployment flexibility
– AC or DC power
– Reversible front‐to‐back or back‐to‐front airflow
– Support for MACsec, EEE, and OpenFlow 1.3

44 © 2022 CommScope, Inc.

The ICX 7550 series of mid‐range stackable switches are purpose‐built to provide
wired connectivity at the edge of the
network for the latest generation Wi‐Fi 6 Access‐Points, delivering the premium
performance and scalability required for Wi‐Fi 6 deployments and beyond.

The ICX 7550 series was first supported on FastIron version 08.0.95.

The ICX 7550 series contains non‐PoE, Gigabit PoE, Multigigabit PoE, and Fiber
variants in both 24‐ and 48‐port platforms.
The models can all be seamlessly stacked together to cover a broad range of
deployment scenarios including gigabit or multigigabit network edge, 1/10 gigabit
fiber for network aggregation, fiber to the room, as well a smart building network
edge with a class leading 2000W PoE budget and up to 90W of power delivery per
port.

All of the ICX 7550 switches offer fully redundant, hot‐swappable load‐sharing AC or DC
power supplies and fans, as well as an expansion module slot.

Revision 2212 3 ‐ 44
ICX 150 ICX Hardware Overview

ICX 7550 – Ports, Power Supplies, and Fans (Front View)

1 1

24F 48F
2 4 5 3 2 4 5
1 1
24 48
24P 48P
6 4 5 6 4 5
1 1
24ZP 48ZP
7 8 4 5 7 8 4 5

1 Type‐C USB console port 4 24F/48F: 2× 40/100 GbE uplink/stacking ports 7 24ZP: 12× 1/2.5 GbE RJ‐45 ports
48ZP: 36× 1/2.5 GbE RJ‐45 ports

2 SFP+ ports (denoted by blue port labeling) 5 Expansion module slot (supports 1× 100GbE 8 Multi‐gig ports (denoted by blue port labeling)
24F: 24× 10 GbE SFP+ ports QSFP28 port, 2× 40GbE QSFP+ ports, or 4× 10GbE 24ZP: 12× 1/2.5/5/10 GbE RJ‐45 ports
48F: 12× 10 GbE SFP+ ports SFP+ ports) 48ZP: 12× 1/2.5/5/10 GbE RJ‐45 ports

3 48F: 36× 1 GbE SFP ports 6 24: 24× 10/100/1000 Mbps RJ‐45 ports
24P: 24× 10/100/1000 Mbps RJ‐45 PoE ports
48: 48× 10/100/1000 Mbps RJ‐45 ports
48P: 48× 10/100/1000 Mbps RJ‐45 PoE ports

45 © 2022 CommScope, Inc.

All RUCKUS ICX 7550 models provide on the front of the unit:
• One Type‐C USB port for console management
• Two 40/100 GbE uplink/stacking ports
• An expansion slot that supports a 4‐port SFP+ 10GbE module, a 2‐port QSFP+
40GbE module, or a 1‐port QSFP28 100GbE module for additional uplinks. If no
expansion module is installed, the empty slot must be covered using a filler
panel.

PoE models support up to a 2000W PoE budget and up to 90W of power delivery
per port. The downlink port capabilities differentiate the models:
• 24F:
– 24× 10GbE SFP+ ports

• 24:
– 24× 10/100/1000 Mbps RJ‐45 ports

• 24P:
– 24× 10/100/1000 Mbps RJ‐45 PoE ports
– All ports support Perpetual / Fast‐boot PoE

• 24ZP:
– 12× 1/2.5 GbE RJ‐45 PoE ports
– 12× 1/2.5/5/10 GbE RJ‐45 PoE ports
– All ports support Perpetual / Fast‐boot PoE and 802.3bt PoH (90W) (denoted
by the yellow bar in the port labeling) Continued on next slide…

Revision 2212 3 ‐ 45
ICX 150 ICX Hardware Overview

Blank Notes Page

46 © 2022 CommScope, Inc

... Continued from previous slide

• 48F:
– 48× 10 GbE SFP ports

• 48:
– 48× 10/100/1000 Mbps RJ‐45 ports

• 48P:
– 48× 10/100/1000 Mbps RJ‐45 PoE ports
– All ports support Perpetual / Fast‐boot PoE

• 48ZP:
– 36× 1/2.5 GbE RJ‐45 PoE ports
– 12× 1/2.5/5/10 GbE RJ‐45 PoE ports
– All ports support Perpetual / Fast‐boot PoE and 802.3bt (90W) (denoted by
the yellow bar in the port labeling)

Revision 2212 3 ‐ 46
ICX 150 ICX Hardware Overview

ICX 7550 – Ports, Power Supplies, and Fans (Rear View)

24 24P
48 48P
1 2 4 5 1 2 4 7
3 3

24F 6 24ZP 6
48F 48ZP
1 2 4 5 1 2 4 7
3 3

1 3× Fan assemblies 5 2× Power supply units (400W AC or DC)

2 RJ‐45 console port 6 External reference clock input

3 RJ‐45 management port 7 2× Power supply units (1200W AC)

4 USB Type‐A console port (for file transfer)

47 © 2022 CommScope, Inc.

All ICX 7550 switch models include:

• RJ‐45 console and out‐of‐band management ports.
• Fan assemblies that are dual redundant, hot‐swappable, and available as either
intake or exhaust airflow.
• Power supplies that are dual redundant, hot‐swappable, and available as either
intake or exhaust airflow. Non‐PoE switch models use 400W AC or DC power
supplies, while PoE switch models use 1200W AC power supplies.

The fiber models (24F and 48F) and the multi‐gigabit models (24ZP and 48ZP) also
provide an external reference clock input connector.

Revision 2212 3 ‐ 47
ICX 150 ICX Hardware Overview

ICX 7550 – LEDs (Front)

ICX 7550 LEDs and interpretations are the same on all models

STATUS button is pushed to cycle through LEDs light in Amber or Green to

the Port LEDs, including: display status of the System,
STAT, Speed, Member ID, Stacking Mode, SW Update,
USB status and PoE status Diagnostics, Cloud Management,
and Power
Refer to the RUCKUS ICX 7550 Hardware Installation Guide for interpreting each of these LEDs
48 © 2022 CommScope, Inc.

The LEDs on the ICX 7550 are very similar to the LEDs on the ICX 7150, 7650, and 7850
platforms. On the front of the switch are two sets of LEDs.
The status LED section on the upper left corner of the front panel contains a STATUS mode
button. Pressing the button cycles through various status LEDs (which illuminate green),
including:
• STAT ‐ status of port link and traffic activity
• SPD ‐ port link speed
• ID ‐ stack member ID
• USB ‐ USB file transfer activity
• PoE – PoE (this LED is available only on switch models supporting PoE: 24P, 24ZP, 48P,
and 48ZP)

Then there is a bank of green/amber LEDs that indicate the status of:
• SYS ‐ Operating System
• MS ‐ Stacking Mode status (if the unit is a member of a stack)
• UPDATE ‐ Software update
• DIAG – Diagnostics
• CLD ‐ Cloud management
• PWR1 – Power supply unit 1
• PWR2 – Power supply unit 2

Individual uplink/downlink and stacking ports have their own link/activity LEDs.
Full interpretation of each of these LEDs is available in the RUCKUS ICX 7550 Switch
Hardware Installation Guide, found on the RUCKUS Support website.

Revision 2212 3 ‐ 48
ICX 150 ICX Hardware Overview

ICX 7550 – LEDs (Rear)

• Rear‐Panel LEDs for models 24, 24F, 48, and 48F (400W AC PSU)
1 1 1 4 4

2 3

• Rear‐Panel LEDs for models 24P, 24ZP, 48P, and 48ZP (1200W AC PSU)
1 1 1 4 4

2 3

1 Fan assembly LED 2 Management port left LED: 3 Management port right LED: 4 PSU status LED
Port link/activity Port speed

Refer to the RUCKUS ICX 7550 Hardware Installation Guide for interpreting each of these LEDs

49 © 2022 CommScope, Inc.

Each fan assembly and each power supply unit has its own status LED. Although not shown,
the DC PSUs also have a status LED located near the connector.
The RJ‐45 management port has two LEDs: LED on left is for link/activity; LED on right is for
speed.

Full interpretation of each of these LEDs is available in the RUCKUS ICX 7550 Switch
Hardware Installation Guide, found on the RUCKUS Support website.

Revision 2212 3 ‐ 49
ICX 150 ICX Hardware Overview

ICX 7650 Series

Introducing the RUCKUS ICX 7650 series of access/aggregation switches.

Revision 2212 3 ‐ 50
ICX 150 ICX Hardware Overview

ICX 7650 Overview

ICX 7650 Series Highlights • High performance and port density
– 48ZP: 1, 2.5, 5 and 10G copper downlinks
– 48P: 10/100/1000 Mbps copper downlinks
– 48F: 1 and 10G fiber downlinks
– 10, 40, and 100G uplinks
48ZP • High availability
– Hitless stacking failover and redundant stack links
– Redundant hot‐swap load‐sharing power supplies and fans
48P – In Service Software Update (ISSU)

• Advanced scalability and features

– Stack up to 12 units via 40G or 100G links (any port combo)
48F – L2 and advanced L3 features including BGP and VRF
– sFlow for granular network traffic accounting

• Deployment flexibility
– AC or DC power
– PoE overdrive
– Reversible front‐to‐back or back‐to‐front airflow
– Support for MACsec256, EEE and OpenFlow 1.3

51 © 2022 CommScope, Inc.

The ICX 7650 can serve as a premium access switch or a medium core/aggregation switch.

There are three models in this family:

• ICX 7650‐48ZP, where the “Z” indicates is its compliance to the IEEE 802.3bz Multi‐
gigabit standard. It has 24× Multi‐gigabit 2.5/5/10G ports, each with PoE up to
90Watts (compatible with the 802.3bt standard, as well as compatible with 60W
PoE). Plus, an additional 24× 1G ports, with PoE+. Maximum 1500W PoE power
budget (two power supplies).
• ICX 7650‐48P that has 48× 1G ports with PoE+, 8 of those supporting up to 90W of
PoE power. Maximum 1500W PoE power budget (two power supplies).
• ICX 7650‐48F model offers a medium core/aggregation switch with fiber connectivity
via 24× 10G ports, plus 24× 1G ports.

All of the ICX 7650 switches offer fully redundant, hot‐swappable load‐sharing AC or DC
power supplies and fans.

Revision 2212 3 ‐ 51
ICX 150 ICX Hardware Overview

ICX 7650 – Ports, Power Supplies, and Fans

1 4
Rear
48ZP View

2 5 6 7 11 12 13 11 14 14
3
1 USB port 8 8× 10/100/1000Base‐T RJ‐45
ports supporting High PoE/PoH

2 Console port 9 24× SFP ports

1 4
48P 3 Management port 10 24× SFP+ ports

4 USB Type‐C console port 11 Fan

2 8 5 7
3 5 48ZP: 24× / 48P: 40× 12 2× 40GbE QSFP+ stacking/uplink
10/100/1000Base‐T RJ‐45 ports ports
supporting PoE/PoE+

1 4 6 24× 100M/1G/2.5G/5G/10G 13 2× 40/100 GbE QSFP28

Base‐T RJ‐45 (ports 25‐48 stacking/uplink ports
48F supporting High PoE/PoH)

2 9 10 7 7 Expansion Module (optional) 14 Power supply unit

(shown: ICX7650‐2X40GQ)
3
52 © 2022 CommScope, Inc.

All Ruckus ICX 7650 models offer one modular slot in the front for an uplink
expansion module, dual hot‐swappable load sharing power supplies, dual hot‐
swappable fan assemblies with reversible airflow options, one RJ‐45 Ethernet port
for out‐of‐band network management, one USB Type‐C port for console
management, one RJ‐45 port for serial console management, and one USB port for
external file storage.

Note: Expansion modules variants include a 4‐port SFP+ 10‐GbE module, a 2‐port
QSFP+ 40GbE module, and a 1‐port QSFP28 100‐GbE module. If no expansion
module is installed, the empty slot must be covered using a filler panel.

The ICX 7650 models can stack on 4×40G or 2×100G rear‐facing QSFP ports. These
ports can also be used as 2×40G uplinks when the switch is standalone.

The ICX7650 comes in three basic configurations:

• ICX 7650‐48ZP: 24× 10/100/1000 Mbps RJ‐45 PoE+ ports, 24× 100/1000 Mbps
2.5/5/10Gbps RJ‐45 PoE+/PoH/UPoE ports
• ICX 7650‐48P: 48× 10/100/1000 Mbps RJ‐45 ports (40 support PoE+, 8 support
PoE+, PoH, and UPoE)
• ICX 7650‐48F: 24× 1Gbps SFP ports, 24× 10Gbps SFP/SFP+ ports

Note: that PoE+ ports have orange port labeling, while PoH ports have yellow port labeling.

Revision 2212 3 ‐ 52
ICX 150 ICX Hardware Overview

ICX 7650 – LEDs

ICX 7650 LEDs and interpretations are similar to ICX 7150

STATUS button is pushed to cycle LEDs light in Amber or Green to

through the Port LEDs, including: display status of the System, Stacking
Link, Speed, Member ID, Mode, SW Update, Diagnostics, Cloud
USB status and PoE status Management, and Power

Refer to the RUCKUS ICX 7650 Hardware Installation Guide for interpreting each of these LEDs
53 © 2022 CommScope, Inc.

The LEDs on the ICX 7650 are very similar to the LEDs on the ICX 7150 and 7550 platforms.

On the front left there is a STATUS mode button. Pressing the button cycles through various
status LEDs (which illuminate green), including status of port link and traffic activity, port
link speed, stack member ID, USB file transfer activity, and PoE (except the 48F, which does
not utilize PoE).

Then there is a bank of green/amber LEDs that indicate the status of the Operating System,
the Stacking Mode status (if the unit is a member of a stack), software update, diagnostics,
cloud management, and power.

On the rear of the switch (not shown), each fan assembly, each power supply unit, and
each stack/uplink port has its own status LED.

Full interpretation of each of these LEDs is available in the RUCKUS ICX 7650 Switch
Hardware Installation Guide, found on the RUCKUS Support website.

Revision 2212 3 ‐ 53
ICX 150 ICX Hardware Overview

Hardware Overview
(Aggregation/Core Switches)

Now, let’s take a look at the ICX switches that support aggregation and core: ICX 7750 and
ICX 7850.

The ICX 7750 and 7850 are much the same; differences lie in switching capacity, number
and type of ports, stack bandwidth, MACsec availability, and network management options.
Refer to the tables in the first section of this presentation for those details.

Revision 2212 3 ‐ 54
ICX 150 ICX Hardware Overview

ICX 7750 Series

First, we will look the RUCKUS ICX 7750 series of aggregation/core switches.

Revision 2212 3 ‐ 55
ICX 150 ICX Hardware Overview

ICX 7750 ‐ Overview

ICX 7750 Series Highlights
• High performance and port density
48F – 3 models supporting 10G fiber and copper plus 40GbE QSFP+
– 6× QSFP+ 40GbE expansion module
– Up to 12× 40GbE QSPF+ stack connections, 480 Gbps stack
bandwidth
48C
• High availability
– Hitless stack failover and redundant 40G stack links
– Redundant hot‐swap load‐sharing power supplies and fans
26Q – In Service Software Update (ISSU)

• Advanced scalability and features

– Stack up to 12 units and 576 10G ports (any combination of port
types)
– L2 and advanced L3 features including VxLAN and MCT

Rear View • Deployment flexibility

(all – AC or DC power
models) – Reversible front‐to‐back or back‐to‐front airflow
– Support for OpenFlow 1.3

56 © 2022 CommScope, Inc.

The ICX 7750 is the first of our Aggregation and Core layer switches. It is designed to
compete in the data center and the campus aggregation and core market. The high‐
port density distributed‐chassis system architecture is one of the most important
features that makes the ICX 7750 such a robust asset in these network segments.

The ICX 7750 series highlights:

• 10GbE and 40GbE models
• 1RU form factor
• High Availability (HA) stacking technology provides chassis‐level reliability
• Hitless stack failover
• In‐Service Software Upgrade (ISSU)
• Hot‐swappable power supplies, fan trays
• Modular interface slot for an optional 6× 40G QSFP+ plug‐in module
• Density, physical, and logical redundancy
• Highly efficient cooling design
• Low‐latency, cut‐through routing, non‐blocking, scalable architecture

The ICX7750 is available in three basic configurations:

• ICX 7750‐48F: 48× 1/10GbE SFP+ ports and 6× 40GbE QSFP+ ports
• ICX 7750‐48C: 48× 1/10G RJ‐45 Base‐T ports and 6× 40GbE QSFP+ ports
• ICX 7750‐26Q: 26× 40GbE QSFP+ ports

Revision 2212 3 ‐ 56
ICX 150 ICX Hardware Overview

ICX 7750 – Ports, Power Supplies, and Fans

8
9
Rear
26Q View

1 2 3 6 7 7 10 11 7 7 6

1 Console port 7 Fan

48C 2 Reset button 8 Management port

3 26× QSFP+ 40GbE ports 9 USB port

1 2 4 3
4 48× 10G Base‐T RJ‐45 ports 10 2× HA ports

5 48× 10GbE SFP+ ports 11 Expansion Module (optional)

holds 6×40GbE QSFP+ ports

6 Modular Power Supply (AC/DC)

48F

1 2 5 3

57 © 2022 CommScope, Inc.

The ICX 7750 provides access to its console port and all interface ports on the front panel.

The back side of the ICX 7750 provides access to the two hot‐swappable load‐sharing
power supplies, 4 hot‐swappable fan assemblies, management port, USB port for external
file storage, two high‐availability ports for stacking, and the interface expansion module.

• ICX 7750‐26Q: 26× 40GbE QSFP+ ports that can be split into as many as 96×
10GbE SFP+ ports
• ICX 7750‐48C: 48× 1/10G RJ‐45 Base‐T ports and 6× 40GbE QSFP+ ports that
can each be split into four 10GbE SFP+ ports
• ICX 7750‐48F: 48× 1/10GbE SFP+ ports and 6× 40GbE QSFP+ ports that can
each be split into four 10GbE SFP+ ports

Revision 2212 3 ‐ 57
ICX 150 ICX Hardware Overview

ICX 7750 – LEDs

Front of unit Rear of unit

• System Status LEDs: • Management port status (two)
– Power Supply 1 – Management port 10/100 Mbps link/activity
– Power Supply 2 – Management port 1000 Mbps link/activity
– Stacking Mode
– Diagnostics
• HA port status (two)
– High Availability – Left LED reflects upper HA port link status
– Redundant – Right LED reflects lower HA port link status

• Stack unit ID display • Expansion module

– Power status (right side of module)
• Port Status LEDs
– Four per QSFP+ port (same as front on unit)
4×10/40GbE QSFP+ 1/10GbE RJ‐45 1/10GbE SFP+
• Power supply unit (one LED per power supply)
Upper port • Fan tray (one LED per fan tray)
Lower port

58 © 2022 CommScope, Inc.

The LEDs on the ICX 7750 provides valuable insight into switch operations.

On the front left on the unit is a panel of green/amber status LEDs:

• Power supply
• Stacking Mode status (if the unit is a member of a stack)
• Diagnostic mode
• High Availability operation
• Redundant power supplies and fans statuses

In addition to these, LEDs on each port indicate link and activity status.

The rear of the unit has LEDs reflecting

• Management port status (two)
• HA port status (two)
• Expansion module
• Power supply unit (one LED per power supply)
• Fan tray (one LED per fan tray)

These LEDs vary by model; for full interpretation of each of these LEDs, refer to the RUCKUS
ICX 7750 Switch Hardware Installation Guide, found on the RUCKUS Support website.

Revision 2212 3 ‐ 58
ICX 150 ICX Hardware Overview

ICX 7850 Series

Now we will look at the RUCKUS ICX 7850 series of aggregation/core switches.

Revision 2212 3 ‐ 59
ICX 150 ICX Hardware Overview

ICX 7850 ‐ Overview

ICX 7850 Series Highlights
• High performance and port density
– Up to 32× 40/100GbE ports per switch
– Up to 8× 40/100GbE QSFP uplink/stacking ports, 800 Gbps of
32Q stack bandwidth
– Switching capacity up to 6.4 Tbps

• High availability
– Hitless stack failover and redundant 10G and 40G stack links
– Redundant hot‐swap load‐sharing power supplies and fans
– In Service Software Upgrades (ISSU) for switch stacks

• Advanced scalability and features

– Stack up to 12 units (any combination of 7850 models)
– L2 and advanced L3 features (including BGP, VRRP, PBR, and VRF)
48F/FS – sFlow for granular network traffic accounting

• Deployment flexibility
– AC or DC power
– Reversible front‐to‐back or back‐to‐front airflow
– Support for OpenFlow 1.3
– 48FS: MACsec for data privacy; support for CWDM and LRM optics

60 © 2022 CommScope, Inc.

The ICX 7850 switches offer 40GbE and 100GbE for maximum performance in the
aggregation and core layers, as well as highly efficient top‐of‐rack switches in datacenters.
The 7850 family offers up to 32× 40/100 GbE ports per switch and up to 8× 100 GbE
stacking ports, resulting in 1.6 Tbps of stacking bandwidth per switch (bi‐directionally). The
ICX 7850 can deliver the performance and scalability required by future generations of
wireless access points, IoT, and mobile devices.
It provides highly efficient core switching with redundant, hot‐swappable power supplies
and fans, In‐Service Software Upgrades (ISSU), Multi‐Chassis Trunking (MCT) for core
failover with load‐balancing, and hitless stack insertion and removal.
ICX 7850 supports advanced IPv4 and IPv6 routing functionality including, BGP, OSPF, VRRP,
PIM, PBR, VRF.
The ICX 7850 comes in three models:
• ICX 7850‐48F: 48× 1/10/25GbE SFP28 ports and 8× 40/100GbE QSFP28 ports for
uplinks or stacking.
• ICX 7850‐48FS: 8× QSFP28 ports for 40/100GbE for stacking or uplinks and offers 48×
1/10GbE fiber SPF+ ports with support for Media Access Control Security (MACsec),
Long Reach Multimode (LRM) optics, and Coarse Wavelength Division Multiplexing
(CWDM) optics.
• ICX 7850‐32Q: 32× 40/100GbE QSFP28 ports and up to 8 of these ports can be used
for stacking. The QSFP28 ports are capable of native 40GbE or 100GbE Ethernet, or
may be broken out to 4× 10Gbps or 4× 25Gbps links to give up to 128× 10/25GbE
ports for server aggregation in a Data Center, or switch aggregation in the campus.

Revision 2212 3 ‐ 60
ICX 150 ICX Hardware Overview

ICX 7850 – Ports, Power Supplies, and Fans

3
48F
32Q 48FS
Front Front
1 4 5 3 8 9
2

Rear Rear

6 7 6 6 7 1 4 6
2

1 Console port 4 USB port (file transfer) 7 Fans

2 Management port 5 32× 40/100 GbE QSFP28 ports 8 48× 1/10 GbE SFP+ ports (MACSec capable)

3 USB Type‐C console port 6 Modular Power Supply (AC/DC) 9 8× 40/100 GbE QSFP28 stacking/uplink ports

61 © 2022 CommScope, Inc.

The ICX 7850‐38Q provides all of its interface ports on the front panel, while the rear
provides access to the two hot‐swappable load‐sharing power supplies and 6 hot‐
swappable fan assemblies with reversible airflow options.

The ICX 7850‐48F/FS models provide front‐panel access to the USB Type‐C console port and
the SFP and QSFP ports, while the rear provides access to the RJ‐45 console port, RJ‐45
management port, USB port for external file storage, two hot‐swappable load‐sharing
power supplies, and 5 hot‐swappable fan assemblies with reversible airflow options.

Revision 2212 3 ‐ 61
ICX 150 ICX Hardware Overview

ICX 7850 – LEDs

ICX 7850 LEDs and interpretations are similar to ICX 7150 and ICX 7650

STATUS button is pushed to cycle through LEDs light in Amber or Green to

the Port LEDs, including: display status of the System,
Status of Link and Traffic activity, Link Speed, Stacking Mode, SW Update,
Stack Member ID, and USB activity status Diagnostics, Cloud Management
and Power
Refer to the RUCKUS ICX 7850 Hardware Installation Guide for interpreting each of these LEDs
62 © 2022 CommScope, Inc.

The LEDs on the ICX 7850 are very similar to the LEDs on the ICX 7150, 7550, and 7650
platforms. On the front of the switch are two sets of LEDs.

On the left near the console port status LED section, there is a STATUS mode button.
Pressing the button cycles through various status LEDs (which illuminate green), including
status of port link and traffic activity, port link speed, stack member ID, and USB file
transfer activity.

Then there is a bank of green/amber LEDs that indicate the status of the Operating System,
the Stacking Mode status (if the unit is a member of a stack), software update, diagnostics,
cloud management, and power.

On the rear of the switch (not shown), each fan assembly and each power supply unit has
its own status LED. If equipped with a rear‐panel RJ‐45 management port, it has two LEDs:
LED on left is for link/activity; LED on right is for speed.

Full interpretation of each of these LEDs is available in the RUCKUS ICX 7850 Switch
Hardware Installation Guide, found on the RUCKUS Support website.

Revision 2212 3 ‐ 62
ICX 150 ICX Hardware Overview

Hardware Accessories and

Capabilities

Let’s now take a look at some of the ICX switch hardware accessories and capabilities.

Revision 2212 3 ‐ 63
ICX 150 ICX Hardware Overview

Interface Expansion Modules – ICX 7550/7650 (Optional)

ICX7650‐1x100GQ ICX7650‐2X40GQ ICX7650‐4x10GF

1× 100 GbE 2× 40 GbE 4× 10 GbE

Port Type QSFP28 QSFP+ SFP+

Module Slot Front Front Front

Function Uplink Uplink Uplink

Bandwidth 100 Gbps 80 Gbps 40 Gbps

64 © 2022 CommScope, Inc.

The ICX 7550 and 7650 models support an optional expansion module, available in 10, 40,
and 100 GbE connectivity options. All are installed in the front module slot of the switch
and provide uplink functionality only, as stacking is accomplished through the fixed ports
on the rear of the switch.

Revision 2212 3 ‐ 64
ICX 150 ICX Hardware Overview

Reset Button
Onboard factory reset button is recessed and labeled as RESET on all ICX switches. Examples:

7150‐C12P 7450‐48P 7650‐48ZP

7150‐48ZP 7550‐24ZP 7850‐48F

65 © 2022 CommScope, Inc.

All RUCKUS ICX switches contain a RESET button on the front panel. This is used to
physically reset the switch to factory default without management/CLI connection to
the switch. LEDs indicate each phase of the reset process.
The button is labeled and is usually located near the console/management/USB
ports. To avoid accidental pressing of the button, it is recessed and can only be depressed
with a small tool (like an unfolded paperclip). The functionality of this button was first
enabled with FastIron release 8.0.70.

Process overview:
1. Remove power from the switch.
2. Press and hold the RESET button while applying power to the switch. Wait for
system LEDs to flash amber.
3. Release the RESET button.
At this point the system will begin the factory reset. All system LEDs will blink green while
all the configuration data is being erased, returning the switch to its factory configuration.
The system LEDs will turn solid GREEN when the erase process is complete and then the
system will reload. When reload is complete, a steady green SYST LED indicates completion.
For full instructions, refer to the model‐specific RUCKUS ICX Switch Hardware Installation
Guide available on the RUCKUS Support website.

Note: You can also remotely perform the factory reset from the CLI. For instructions, see
the "erase system factory-default" command in the RUCKUS FastIron
Command Reference Guide.

Revision 2212 3 ‐ 65
ICX 150 ICX Hardware Overview

Reversible Airflow – ICX 7450, 7550, 7650, 7750, and 7850

• ICX 7450, 7550, 7650, 7750 and 7850 support reversable airflow options to support any
datacenter deployment

• Exhaust
– Standard airflow for pre‐configured versions of
the ICX 7450, 7550, 7650, 7750, and 7850
– Can be changed to Intake by swapping all PSUs
and fans
• Intake
– Option for ICX 7450, 7550, 7650, 7750, and 7850
– Can be changed to Exhaust by swapping all PSUs
and fans

• ICX 7150 and 7250 have fixed exhaust airflow

66 © 2022 CommScope, Inc.

Two airflow options are supported on the ICX 7450, 7550, 7650, 7750, and 7850. Air can
flow as exhaust, where air flows from the front of the unit to the back. Alternatively, it can
operate in intake mode where air flows from the back to the front.
It is important to note that the airflow must be consistent for all installed PSUs and fan
units, meaning they must all flow the same way.
Exhaust airflow PSUs and fans are labeled with a green, downward pointing arrow marked
with the letter “E”.
Intake airflow PSUs and fans are labeled with an orange, upward pointing arrow marked
with the letter “I”.
The ICX 7150 and 7250 switch are only offered with fixed power supplies and flow only in
exhaust mode (meaning, front to back).

Revision 2212 3 ‐ 66
ICX 150 ICX Hardware Overview

Console Ports – ICX 7150, 7550, 7650, and 7850

USB console port

RJ‐45 console port

• USB Type‐C and RJ‐45 ports on ICX 7150,

7550, 7650, and 7850
• Plug‐and‐Play
‐ Windows OS will install automatically
‐ MacOS will download the driver
• USB cable Type‐C to Type‐A
• Drivers for Windows, MacOS, and Linux
available from
https://support.ruckuswireless.com
67 © 2022 CommScope, Inc.

When establishing a first‐time connection to the switch, an onboard console port allows
you to configure and manage the switch using a third‐party terminal emulation application
from a workstation that is directly connected to the port.

The ICX 7150, 7550, 7650, and 7850 switches offer two console connection options.
1. Type‐C USB: This allows the use of a Type‐C to Type‐A cable to access the CLI. This
connection option requires a driver be installed that allows the USB port to operate as
a serial interface. The driver can be found online at https://support.ruckuswireless.com
2. RJ‐45: This provides for true serial connectivity, allowing connectivity to a serial
interface on the management device (typically a DB‐9 connector).

For usage, refer to the RUCKUS ICX 7xxx Switch Hardware Installation Guide applicable to
your switch model.

Revision 2212 3 ‐ 67
ICX 150 ICX Hardware Overview

Console Port – ICX 7250, 7450, and 7750

Serial console port

• Mini‐USB type connector on switch, but it is

actually a serial interface!

• Other end is an RJ‐45 connector and RJ‐45/DB‐

9F adapter

68 © 2022 CommScope, Inc.

The ICX 7250, 7450, and 7750 offer a Mini‐USB serial interface port for connecting to the
CLI. Each unit is shipped with a cable that connects to the switch interface, has an RJ‐45
connector that in‐turn connects to an adapter that modifies the RJ‐45 to a DB9 female
serial interface for connecting to your management device’s serial port.

Revision 2212 3 ‐ 68
ICX 150 ICX Hardware Overview

LED ON/OFF

Introduced with FI release 8.0.92, the LED ON/OFF feature allows you to
turn on all the port LEDs to display steady green, regardless of port status.

Highlights: CLI Examples:

Switch>enable
• Assists in finding one specific switch Switch#led ?
default turn on all port leds with default status
among many co‐located switches off turn off all port leds
on turn on all port leds
• Reduces light emission from switches |
<cr>
Output modifiers

mounted outside of an enclosed rack Switch#led on

Turning ON all port LEDs in green color
Switch#led off
• Supported on platforms where LED Turning OFF all port LEDs
Switch#led default
status mode is available Setting all port LEDs with default status

‐ FI v8.0.92: ICX 7150, 7650, and 7850

‐ FI v9.0.x: ICX 7550
For further details about the LED ON/OFF feature availability, usage, and considerations,
refer to the RUCKUS FastIron Monitoring Configuration Guide
69 © 2022 CommScope, Inc.

The LED ON/OFF functionality allows you to turn on or off all the port LEDs using the CLI in
configuration mode. Turning on all the port LEDs is helpful when looking for one switch
among many in the same location. Turning off all the port LEDs reduces light emissions
inside a rack or a room. This is supported on the 7150, 7550, 7650, and 7850 series of ICX
switches.

For further details about the LED ON/OFF feature availability, usage, and considerations,
refer to the RUCKUS FastIron Monitoring Configuration Guide.

Revision 2212 3 ‐ 69
ICX 150 ICX Hardware Overview

Stack Connections

Maximum
Maximum Number Maximum
Stack Link Maximum Links Per Distance
Platform of Switches in a Stack
Speeds Stack Trunk Between
Stack Bandwidth*
Switches
ICX 7150 12 10G 2× 10G 480Gbps 10 km

ICX 7250 12 10G 2× 10G 480Gbps 10 km

ICX 7450 12 10G or 40G 2× 10G or 2× 40G 1.9Tbps 10 km

ICX 7550 12 40G or 100G 2× 40G or 2× 100G 4.8Tbps 10 km

ICX 7650 12 40G or 100G 4× 40G or 2× 100G 4.8Tbps 40 km

ICX 7750 12 40G 12× 40G 11.5Tbps 40 km

ICX 7850 12 40G or 100G 8× 40G or 8× 100G 19.2Tbps 40 km

*Maximum Stack Bandwidth Calculation (bi‐directional)

Link speed × number of links per stack trunk × number switches in stack × Full Duplex
Example: ICX 7250: 10G × 2 × 12 × 2

70 © 2022 CommScope, Inc.

Each switch in the ICX 7000 family allows for 12 units in a stack. The various models provide
link speeds from 10 to 40 to 100Gbps. Each also has multiple connection options from
multiple 10G, 40G, or 100G ports dedicated to stacking. This allows for very high
throughput within the stack ranging between 480Gbps all the way up to 19.2Tbps.

The maximum bandwidth is calculated by multiplying the stack link speed times the
number of stack links, times the number of switches in the stack, times 2 due to the stack’s
full‐duplex operation.

We’ll look at stacking in more detail in the ICX Stacking presentation.

Refer to the FastIron Stacking Configuration Guide for planning, building, deploying, and
managing RUCKUS ICX switch stacks.

Revision 2212 3 ‐ 70
ICX 150 ICX Hardware Overview

RUCKUS Ethernet Optics

RUCKUS‐qualified optical transceivers are available for ICX switches.
Benefits include:
• Guaranteed compatibility with RUCKUS ICX switches
• Full compliance with industry standards
‐ 10G‐SFPP‐SR/LR
‐ 25G‐SFP28‐SR/LR
‐ 40G‐QSFP‐SR4/LR4
‐ 100G‐QSFP28‐SR4/LR4 1 SFP+ transceiver

• Factory‐tested to assure functionality and reliability

• Hot‐swappable flexibility in the field for greater ease and lower total cost of ownership
• Digital Optical Monitoring (DOM) support on RUCKUS optics
For a list of RUCKUS‐certified optics, their applicable ICX models, and their required FastIron software version,
refer to the RUCKUS Ethernet Optics Data Sheet
71 © 2022 CommScope, Inc.

RUCKUS offers a unique set of high‐performance, reliable, and cost‐effective optical

transceivers to help enterprises and service providers meet the challenges of diverse
network topologies. To ensure maximum quality, RUCKUS selects and tests the most
reliable, highest‐performing optical transceivers on the market, and then warrants their
availability, capacity, and performance in RUCKUS products.

RUCKUS optics are fully compliant with the industry standards displayed here and are
compliant with Restrictions on Hazardous Substances (RoHS), meeting RoHS 6 European
Union (EU) requirements.

Using RUCKUS optics also enables the support of Digital Optical Monitoring (DOM) on ICX
switches. DOM supports monitoring of optical output power, optical input power,
temperature, laser bias current, and transceiver voltage. This capability is only available
with RUCKUS optics.

It’s important to note that some optical transceivers apply to only specific ICX switches, and
some require a minimum FastIron software version to function correctly. Refer to the
RUCKUS Ethernet Optics Data Sheet for a complete listing of available optical accessories
(including key features, specifications, and ICX compatibility).

Revision 2212 3 ‐ 71
ICX 150 ICX Hardware Overview

Direct Attach Cables (DAC)

Direct Attach Cables allow connecting one switch to another switch

• Includes cable and SFP on each end (SFP‐SFP or QSFP‐QSFP)

• Less expensive alternative to optical transceivers + fiber
• Used for short distance, high‐speed Ethernet or stacking links
‐ Links within a single rack
‐ Links between racks in close proximity
• Types
‐ Passive Copper Cable
‐ Ac ve Copper Cable
‐ Active Optical Cable

For a list of RUCKUS‐certified optics, their applicable ICX models, and their required FastIron software version,
refer to the RUCKUS Ethernet Optics Data Sheet
72 © 2022 CommScope, Inc.

The ICX family of switches supports the use of Direct Attach Cables to link one switch to
another. The most typical use case is linking “stacked” switches (either within a single rack
or between racks that are very near each other). Direct Attach Cables come preassembled
with identical transceivers on each end (both ends must be the same form factor).

Direct Attach Cables are available in 10GbE (SFP+), 25GbE (SFP28), 40GbE (QSFP), and
100GbE (QSFP28) formats.

Note that the “DAC” initialism originally referred only to direct‐attach twinax copper cables.
However, Direct Attach Cables also include active optical cables (AOC) which utilize fiber
optic cabling instead of copper.

Revision 2212 3 ‐ 72
ICX 150 ICX Hardware Overview

Breakout Cables
Breakout cables allow the splitting of certain high‐speed ports into 4 lower‐speed
ports
• ICX 7550, 7750, 7850: 40GbE QSFP+ ports
can be split into 4× 10GbE SFP+ ports
(DAC, active copper for breakout links up to 5m
or active optical, breakout links up to 10m)

• ICX 7550 and 7850: 100GbE QSFP28 ports

can be split into 4× 25 GbE ports
(DAC, passive copper for breakout links up to 5m)

• ICX 7550 and 7750 require breakout ports to be placed into Store and Forward mode
• When employed, port numbering on the device changes
• A switch reload/reboot is required when enabled
• Breakout and Stacking are mutually exclusive

73 © 2022 CommScope, Inc.

The ICX 7550, 7750, and 7850 support the use of breakout cables that allow a single high‐
speed interface to be split into four separate interfaces. Note that support for ICX 7550
breakout is available in FI release 9.0.x and later.

On the ICX 7750, the 40GbE QSPF+ ports can be split into four 10GbE ports.

On the ICX 7550 and 7850, the QSFP28/QSFP+ ports that operate at 40GbE/100GbE,
respectively, can be split into four 10GbE and four 25GbE ports, respectively.

Before breakout ports can be created on ICX 7550 and ICX 7750 devices, the port
forwarding mode must be changed globally from cut‐through to store‐and‐forward. The
device must then be reloaded. This configuration is required to allow use of the breakout
functionality on those models, however the ICX 7850 is able to utilize breakout ports in cut‐
through forwarding mode. Once breakout mode is applied to ports, sub‐ports are created
on the device which can be configured the same way as any other physical interface. For
the system to manage these sub‐interfaces, the switch must be reloaded/rebooted
whenever breakout mode is enabled or disabled.

Revision 2212 3 ‐ 73
ICX 150 ICX Hardware Overview

Attendees should now be able to:

• Describe the different configurations
available with each ICX switch model,
including:
‐ ICX 7150
‐ ICX 7250
‐ ICX 7450
Summary ‐ ICX 7550
‐ ICX 7650
‐ ICX 7750
‐ ICX 7850
‐ ICX 8200
• Explain various capabilities supported by
RUCKUS ICX switches (such as, airflow
reversal, console connection, stacking, and
cabling)

You should now be able to:

• Describe the different configurations available with each ICX switch model
• Explain additional capabilities of ICX switches (including airflow reversal, console
connection, stacking, and cabling)

Revision 2212 3 ‐ 74
ICX 150 ICX Hardware Overview

End of Presentation:
ICX Hardware Overview

This concludes the ICX Hardware Overview presentation.

Revision 2212 3 ‐ 75
ICX 150 ICX Hardware Overview

Revision 2212 3 ‐ 76
ICX 150 CLI Basics

CLI Basics

Revision 2212

This module will cover the ICX CLI basic commands.

Revision 2212 4‐1

ICX 150 CLI Basics

After completing this module, attendees

should be able to:

• Explain the Command Line (CLI) structure of

ICX devices

• Manage device configuration files

Objectives
• Configure switch hostname, IP address, and
default gateway

• Configure interface settings including, name,

IP address, speed and duplex

• Use show commands to view switch

information

The objectives of this module include:

• Explaining the CLI structure of ICX devices
• Managing device configuration files
• Configuring global switch settings like hostname, IP address, and default gateway
• Configuring interface settings like name, IP address, and speed and duplex
• Finally, we'll look at using show commands to verify switch information

Revision 2212 4‐2

ICX 150 CLI Basics

CLI Overview

Let’s start with an overview of the CLI structure.

Revision 2212 4‐3

ICX 150 CLI Basics

Initial Startup – Factory Defaults

Beginning with software version 8.0.90, factory default ICX switches will start with:
• SSH enabled
• Local user account created for initial login
– SSH and local user accounts will be covered in detail in later modules
• By default, CLI, Web, and SSH require authentication before allowing access

Press Enter key to login

Default username and password is:
User Access Verification
super / sp‐admin
Please Enter Login Name: super
Please Enter Password: sp-admin
User login successful.

User ‘super’ login successful with default password. Please change the password.
Once logged in, you are
Enter the new password for user super: NewPa$$word
Enter the reconfirm password for user super: NewPa$$word required to change the
Password modified successfully for user super password for user: super
Authentication is enabled in the device for Console/WEB/SSH.
ICX7150-C12-Switch>

4 © 2022 CommScope, Inc.

Beginning with ICX software version 8.0.90, there has been a major change to the default
behavior of a factory defaulted switch. In previous releases, SSH was disabled and there
were no local user accounts required to login. In this release, SSH is enabled and because of
this a user account is required.

This impacts all enabled access methods on the switch, including console, web UI and SSH.
Note, starting with release 8.0.90 Telnet is disabled by default.

On initial boot and logon, you will be presented with a login prompt. The default username
is super and the password is sp‐admin. Once successfully logged in, you are required to
change the password for user: super. You must input the new password twice to ensure
accuracy.

Revision 2212 4‐4

ICX 150 CLI Basics

CLI Command Tree

User EXEC
• User EXEC level >
– Prompt: >
– View basic system info Privileged EXEC
– Verify connectivity (such as ping and traceroute) #

• Privileged EXEC level Global Configuration (CONFIG)

– Enter using the enable command (config)#
– Prompt: #
– Can be password protected
The CONFIG level contains sub‐
– View detailed information using show commands levels for configuring individual
– Execute system‐wide commands (boot system, reload) interfaces, VLANs, routing
protocols, and other configuration
• Configuration (CONFIG) level areas. The prompts for these levels
– Enter using the configure terminal command change to indicate the current
– Prompt: (config)# level.
– Make global or local system changes (VLANs, interfaces, etc.)
– Save changes using the write memory command

5 © 2022 CommScope, Inc.

Once logged into the ICX, you will see the commands in the CLI are organized into the
following levels:
First, we have User EXEC, this level (or mode) is indicated by the greater than sign (>), here
you can display information and perform basic tasks such as ping and traceroute.

Next, we move into the Privileged EXEC level using the enable command. This level is
indicated by the pound or number sign (#). Here, there are many more commands that can
be run along with the User EXEC commands.

The next level is configuration (or CONFIG), this level is indicated by the (config)#
prompt. Here you can make configuration changes to the device and they are put into the
running‐config file.

To save the changes across reboots, you need to save them to the startup‐config file using
the write memory command. The CONFIG level contains sub‐levels for individual ports,
VLAN’s, routing protocols, and other configuration areas.
Prompts for these levels will change to indicate the current level.

Revision 2212 4‐5

ICX 150 CLI Basics

CLI Prompts
Observe the prompt changes, which indicate the current status:
From the User EXEC level, enter
ICX7150-C12 Switch> enable to move to the Privilege EXEC
ICX7150-C12 Switch> level
ICX7150-C12 Switch> enable
From the Privilege EXEC
No password has been assigned yet... level, enter config
ICX7150-C12 Switch# terminal to move to the
global CONFIG level
ICX7150-C12 Switch# config terminal
ICX7150-C12 Switch(config)# interface ethernet 1/1/1
ICX7150-C12 Switch(config-if-e1000-1/1/1)# ?
acl-logging enable logging ofFrom the global
deny acl CONFIG
level, enter a sub
acl-mirror-port Set acl based inboundcommand mirroring
arp Assign IP ARP option to this interface
authentication Configure flexible authentication on
interface

6 © 2022 CommScope, Inc.

Here we see an example of how the prompt changes to indicate where you are in the CLI
structure.

We start at the User EXEC level as designated by the greater than sign (>). Next, we enter
the enable command and we get a message that no password has been assigned yet. We
will talk more about assigning passwords later in the course.

Once we enter the enable command, the prompt changes to the pound sign or number
sign, this puts us into Privileged EXEC level. To move into configuration level, we enter
config terminal. Note that, all of these commands can be shortened, for instance
you can use config t instead of the full command. We will discuss using abbreviated
commands later in this module.

Now that we are in CONFIG mode, we can go into a sublevel. Here we are going into the
interface configuration level for interface 1/1/1. As you can see the prompt changes to
show that you are now in the interface configuration level.

Revision 2212 4‐6

ICX 150 CLI Basics

CLI Prompts (cont.)

• Move back up the menu tree using exit

ICX7150-C12-Switch(config-if-e1000-1/1/1)# exit
ICX7150-C12-Switch(config)# exit
ICX7150-C12-Switch# exit
ICX7150-C12-Switch>

• Use end or Ctrl+z to return to # prompt from any lower level

• Use quit to return to > prompt from any lower level

7 © 2022 CommScope, Inc.

To go back and forth between the different levels, issue the exit command. This will
move you one level up the command hierarchy.

Pressing Ctrl‐Z or entering the end command will move the prompt to the Privileged EXEC
level (#) from any lower level.

Use the quit command to return to the User EXEC level from any lower level.

Revision 2212 4‐7

ICX 150 CLI Basics

CLI Command Properties

• CLI commands are not case sensitive

• The CLI accepts abbreviations for commands, as long as it is a unique string

– For example, for the show interfaces brief command use the abbreviation:

ICX7150-C12-Switch# sh int br

• Most commands only display feedback or error messages upon failure

• Most configuration commands have a [no] option to undo the configuration

ICX7150-C12-Switch(config)# no vlan 200

• Use up and down arrow keys for command memory recall

8 © 2022 CommScope, Inc.

Let’s take a look at the properties of the CLI commands.

First, the only time a CLI command is case‐sensitive is for passwords. The CLI does accept
abbreviated commands, as long as the string is unique. If a string is not unique you will get
an “ambiguous input” message. For instance, if you just enter the letter s, you will get the
Ambiguous input -> s message, because there is more than one command that
starts with the letter s.

Most commands will only give you an error message if the command is incorrect,
otherwise the system will take the command and display no message.

Additionally, most commands have a no option to undo the command. For instance, if you
create VLAN 200 and decide it is a mistake, just enter the no vlan 200 command.

To view previously used commands, use the up and down arrow keys. This is very helpful if
you are entering a command over and over, or making a small change to a previously
entered command.

Revision 2212 4‐8

ICX 150 CLI Basics

CLI Command Properties (cont.)

Certain commands, such as ping, reload, and debug, can only be

entered from the Privileged EXEC or User EXEC level, not the CONFIG level.

ICX7150-C12 Switch(config)# ping 8.8.8.8

Invalid input -> ping 8.8.8.8
Type ? for a list
ICX7150-C12 Switch(config)# exit
ICX7150-C12 Switch# ping 8.8.8.8
Sending 1, 16-byte ICMP Echo to 8.8.8.8, timeout 5000 msec, TTL 64
Type Control-c to abort
Reply from 8.8.8.8 : bytes=16 time=19ms TTL=54
Success rate is 100 percent (1/1), round-trip min/avg/max=19/19/19 ms.

9 © 2022 CommScope, Inc.

There are some commands, like ping and traceroute, that cannot be run from
CONFIG mode. You must exit to Privilege EXEC or User EXEC mode to run the command.

If a command cannot be run from a particular level, you will get an invalid input response
as we see here when we try to ping from the CONFIG mode. At this level in the hierarchy,
typing exit, end, or pressing Ctrl-Z will return to the Privileged EXEC prompt allowing
the command to be run.

Revision 2212 4‐9

ICX 150 CLI Basics

CLI Help
Use question mark (?) help to display available options at a CLI level. For example, to
view all available commands at the User EXEC level, enter a question mark (?). Pressing
the Tab key will also display available options.

ICX7150-C12-Switch> ?
enable Enter Privileged mode
exit Exit from EXEC mode
nslookup Nslookup Utility
ping Ping IP node
show Display system information
stop-traceroute Stop current TraceRoute
traceroute TraceRoute to IP Node

10 © 2022 CommScope, Inc.

To view all available commands at a certain level of the CLI, you can use question mark
help. Simply enter a ? or use the Tab key at the prompt.

The example here shows the available commands at the User EXEC level.

Revision 2212 4 ‐ 10
ICX 150 CLI Basics

CLI Help (cont.)

• Use a ? or the Tab key to view possible options for an individual command
ICX7150-C12-Switch# copy ?
disk0 From an external USB disk
flash From flash
https From https server
pdc PDC file
running-config From running config
scp From a scp file
startup-config From startup config
tftp From a tftp file

• Enter copy flash followed by a ?, or enter Tab, to view the next available options
ICX7150-C12-Switch# copy flash ?
disk0 To an external USB disk file
flash To flash memory
scp To a scp file
tftp To a tftp file

11 © 2022 CommScope, Inc.

You can also use question mark help to view the options for an individual command. For
example, to view the options for the copy command, enter the command followed by a
space then use a question mark.

You can then choose an option and use the question mark again to view available options.

This way you can work your way through the CLI without having to learn every available
command option.

Revision 2212 4 ‐ 11
ICX 150 CLI Basics

CLI Help (cont.)

To display a list of commands that begin with a particular string, add a ? at the end
of the string. For example, enter s? to view all commands starting with “s”.

ICX7150-C12-Switch# s?
show Display system information
skip-page-display Enable continuous display
ssh SSH by name or IP address / hostkeys
stack stacking runtime commands
stop-traceroute Stop TraceRoute operation
supportsave support save related

ICX7150-C12-Switch# st?
stack stacking runtime commands
stop-traceroute Stop TraceRoute operation
12 © 2022 CommScope, Inc.

You can also use a question mark to see a list of commands that start with a particular
letter.

For example, enter the letter s with a question mark. Note that there is no space between
the letter and the question mark. Adding additional characters further filters the available
commands, as shown when st? is typed.

Revision 2212 4 ‐ 12
ICX 150 CLI Basics

Managing the Configuration File

• Save changes from the running

configuration to the startup configuration
ICX7150-C12-Switch# write memory

• Display the running configuration

ICX7150-C12-Switch# show running-config

• Display the startup configuration

ICX7150-C12-Switch# show configuration

13 © 2022 CommScope, Inc.

Here we see the RAM and flash memory of the device. RAM is where the currently running
configuration file, referred to as “running‐config”, is stored. All real‐time changes to the
current running configuration file are kept here and are temporary in nature. If there is a
power failure, RAM is erased. Running the write memory command copies the contents
of the running‐config to the startup‐config in flash otherwise known as non‐volatile random
access memory (NVRAM) so that they are available when the system is reloaded.

Flash memory is where the startup configuration file is stored. This file is loaded into RAM
when the system boots or is reloaded. The configuration file in flash memory is changed by
executing the write memory command, or a file copy from a TFTP server.
You can view the contents of RAM using the show running-config command or view
the contents of the flash with the show configuration command. Note that the
files may not necessarily be the same since the running configuration may contain changes
that have not been saved to the startup configuration.

Revision 2212 4 ‐ 13
ICX 150 CLI Basics

Configuration File Management

• The running or startup configuration can be saved to and restored from an external
device

• Supported external methods are:

– USB
– HTTPS
– TFTP
– SCP

• File management options for ICX devices:

ICX7150-C12-Switch # copy startup-config tftp <tftp-ip-addr> <filename>
^ Uploads a copy of the startup configuration file from the ICX switch to a TFTP server

ICX7150-C12-Switch # copy running-config scp <scp-ip-addr> <filename>

^ Uploads a copy of the running configuration file from the ICX switch to an SCP server

ICX7150-C12-Switch # copy https startup-config <https-ip-addr> <filename>

^ Downloads a copy of the startup configuration file from an HTTPS server to the ICX switch
14 © 2022 CommScope, Inc.

For easy configuration management, all RUCKUS devices support both the download and
upload of configuration files between the devices and external servers on the network.
Supported external servers are:
• USB
• HTTPS
• TFTP
• SCP
The examples show variations of copying the startup‐config and the running‐config to/from
external servers.

Revision 2212 4 ‐ 14
ICX 150 CLI Basics

Erasing the Configuration File

• Erase the startup configuration and reload the device with a blank configuration

ICX7150-C12-Switch# erase startup-config

– This erases the startup‐config file stored in flash

– It does not change the running‐configuration stored in NVRAM

• In order to complete the restoration of an empty/factory configuration, the device

must be reset
ICX7150-C12-Switch# reload

– After reload, the startup‐config and running‐config will have the default/factory
configuration parameters

15 © 2022 CommScope, Inc.

If you want to erase the startup configuration on a device, effectively resetting the unit
back to factory defaults, issue the erase startup‐config command and then reload the
device. When the device boots up the configuration will revert back to the default
configuration.

When you execute the reload command, the system will prompt you for verification that
you want to reload to an empty configuration. After verification, the system will reset.

Be sure not to perform a write memory after erase startup-config, that will
end up rewriting the configuration to the file you just erased.

Note: Erasing the startup configuration differs from running the erase system
factory-default command. Erasing the startup configuration does not remove
system logs, core files, or licensing information.

Revision 2212 4 ‐ 15
ICX 150 CLI Basics

Basic Switch Configurations

Now that we’ve gone over the structure of the CLI and the navigational commands, let’s
start making some configurations.

Revision 2212 4 ‐ 16
ICX 150 CLI Basics

Hostname

• Configure a system name for the device using the hostname command at
the global CONFIG level
• The name can be up to 255 alphanumeric characters, if including a space
enclose in quotation marks
• The example changes the hostname to RUCKUS, from the default
hostname of ICX7150‐C12‐Switch

ICX7150-C12-Switch# config t
ICX7150-C12-Switch(config)# hostname RUCKUS
RUCKUS(config)#

17 © 2022 CommScope, Inc.

Let’s start by giving the device a hostname.

We use the config t command to move into CONFIG mode and use the hostname
command to assign the name. The name can be up to 255 alphanumeric characters.

This example changes the name of the device from the default of ICX7150‐C12‐Switch to
RUCKUS. Note that the prompt changes to the new hostname when the command is
entered.

Revision 2212 4 ‐ 17
ICX 150 CLI Basics

Port Numbering Format

• The port address format is stack_unit_ID/slot/port
– Stack_unit_ID – specifies the stack ID of the unit
For all ICX 7000 series switches valid stack unit IDs are 1 to 12

– Slot – specifies the slot number

Slot numbers vary by device type

– Port – specifies the port number in the slot

Port numbers vary by device type

• This example would target the interface configuration of Stack unit 3, in slot 3,
on port 1 of an ICX 7150‐C12P stack (3/3/1)
RUCKUS(config)# interface ethernet 3/3/1
RUCKUS(config-if-e1000-3/3/1)#

18 © 2022 CommScope, Inc.

ICX devices use the stack_unit_ID/slot/port format for port numbering. The stack_unit_ID
indicates where in the stack the unit sits. A device that is not participating in a stack uses
the ID of 1. If the unit is in a stack, the lowest ID available is assigned from the active
controller in the stack. For all ICX 7000 series switches valid stack unit IDs are 1 to 12.

Note: Stacking is covered in a separate presentation.

The slot number indicates which slot within the device the port is in. For instance, the 12‐
port ICX 7150‐C12P has three slots: Slot 1 has the 12 x 1 GbE ports, Slot 2 has 2 x GbE
copper ports that can be used for uplink, Slot 3 has 2 SFP+ ports that can be used for
stacking or uplink. Within the device OS you can also obtain module information which
correlates to the slot number. Running the show module command will list unit and
module numbers for the device.

Finally, the port is the port number in the slot. Remember, port numbers vary by device
type, so refer to the Hardware Installation Guide for your specific device.

Here we see an example of the port designation on a 3 node, 12‐port ICX 7150 stack. The
command entered at the CONFIG level is for port 3/3/1. That is stack unit 3, slot 3, port 1.

Revision 2212 4 ‐ 18
ICX 150 CLI Basics

Breakout Port Number and Configuration

• ICX 7750 and 7850 allow 40GbE ports to be split into 4x 10GbE ports using breakout cable
• ICX 7850 allows 100GbE port to be split into 4x 25GbE ports

• Configured with the breakout ethernet command

ICX7750-26Q# configure terminal
ICX7750-26Q(config)# breakout ethernet 1/1/11
• If port has any configuration, command is rejected
• Requires write memory and reload after enabling/disabling breakout mode

• Breakout ports are viewed and configured as sub‐ports

ICX7750-26Q# show interfaces brief | in 1/1/11
1/1/11:1 Up Forward Full 10G None No 1 0 cc4e.2439.3721
1/1/11:2 Up Forward Full 10G None No 1 0 cc4e.2439.3722
1/1/11:3 Up Forward Full 10G None No 1 0 cc4e.2439.3723
1/1/11:4 Up Forward Full 10G None No 1 0 cc4e.2439.3724
19 © 2022 CommScope, Inc.

The ICX 7750 and 7850 support the use of breakout cables that allows a single high‐speed
interface to be split into four separate interfaces.
On the ICX 7750, the 40 GbE QSPF+ ports can be split into 4x 10GbE ports.
On the ICX 7850, the QSFP28 ports that operate at 40GbE or 100GbE can be split into 4x
10GbE and 4x 25GbE ports, respectively.

This functionality is configured with the breakout command at the global configuration
level. This command requires that the port referenced does not have any configuration. If it
does, the breakout command will be rejected.
Executing this command requires the creation of sub‐ports on the device. Because of this,
the switch must be reloaded whenever breakout mode is enabled or disabled.

After enabling and resetting, breakout ports are configured and viewed in the same way as
regular Ethernet ports except they will be referenced as sub‐interfaces.
In the example you can see that when interface 1/1/11 was broken out, it created sub‐
interfaces 1/1/11:1 through 1/1/11:4.

Revision 2212 4 ‐ 19
ICX 150 CLI Basics

Enabling Ports
• By default, all interfaces on ICX devices are enabled

• To disable or enable a specific interface, or range of interfaces, use the

following commands:

RUCKUS(config)# interface ethernet 1/1/9

RUCKUS(config-if-e1000-1/1/9)# disable

RUCKUS(config)# interface ethernet 1/1/10 ethernet 1/1/15 ethernet

1/1/20
RUCKUS(config-mif-1/1/10,1/1/15,1/1/20)# enable

RUCKUS(config)# interface ethernet 1/1/1 to 1/1/8

RUCKUS(config-mif-1/1/1-1/1/8)# disable

20 © 2022 CommScope, Inc.

By default, all interfaces on ICX devices are enabled. If you need to disable a port, or range
of ports, enter the configuration level for the desired ports and enter the disable
command.

Notice how the prompt changes to show that you are in the sub‐configuration level for the
port or ports. If you then want to enable a port, use the enable command.
Port configurations can be applied to a single port, a list of specific ports or a range of
ports.
• A single port is configured by specifying only that port in the interface command.
– Example: interface ethernet 1/1/9
• A port list is configured by including multiple, single ports in a list.
– Example: interface ethernet 1/1/10 ethernet 1/1/15
ethernet 1/1/20
• A range of ports can be configured by using the keyword “to”. This is an inclusive list
of all ports from the first port listed to the last port listed.
– Example: interface ethernet 1/1/1 to 1/1/8

Revision 2212 4 ‐ 20
ICX 150 CLI Basics

Port Addressing
• RUCKUS ICX switches can operate as strictly Layer 2 or Layer 2/3 devices based on
firmware type: switch ‐or‐ router

• On Layer 2 switches, the IP address and default gateway are assigned globally, only one
per switch
– Addresses can be IPv4 or IPv6
Switch(config)# ip address 192.22.33.45/24
Switch(config)# ip default-gateway 192.22.33.1
Switch(config)# ipv6 address 2001:DB8:12D:1300:240:D0FF:FE48:1/64

• On Layer 3 switches, IP addresses are assigned per interface

– Addresses can be IPv4 or IPv6
Router(config)# interface ethernet 1/1/9
Router(config-if-e1000-1/1/9)# ip address 192.22.33.45/24
Router(config-if-e1000-1/1/9)# ipv6 address 2001:2000:F00D:1::1/64
21 © 2022 CommScope, Inc.

On a Layer 2 switch, the IP address and default gateway are assigned globally and are used
for management access through Telnet, SSH, or the Web GUI. Only one IPv4 and one IPv6
address can be assigned. If you try to add another address using the ip address or
ipv6 address command, the most recently entered address becomes the switch
address. Though, you can have both an IPv4 and an IPv6 address configured at the same
time.

Also, it is important to note that RUCKUS does support the use of CIDR notation for the
subnet mask, as well as the dotted‐decimal format.
ICX devices also have an out‐of‐band managed port that can be used for management
access. The management port is discussed later in this course.
For an ICX running Layer 3 routing code, each interface is assigned an IPv4 or IPv6 address
individually.

Note that interfaces can be multi‐netted, meaning they can be assigned more than one
IPv4 or IPv6 address. In fact, by default you can configure up to 24 IP addresses on each
interface.

Revision 2212 4 ‐ 21
ICX 150 CLI Basics

Port Naming
• Use a text string to identify a port with a meaningful name
• Assign a name to an individual port, or a group of ports
• Names can be assigned to physical ports, virtual interfaces, and loopback interfaces
• For example, assign a name to interface 1/1/1
RUCKUS(config)# interface ethernet 1/1/1
RUCKUS(config-if-e1000-1/1/1)# port-name PortToPC1
• Port names display in various CLI output including the running configuration and show
interfaces brief
RUCKUS(config)# show interfaces brief
Port Link State Dupl Speed Trunk Tag Pvid Pri MAC Name
1/1/1 Down None None None None No 1 0 0024.38b7.4f40 PortToPC1
1/1/2 Down None None None None No 1 0 0024.38b7.4f41
<Output Truncated>

22 © 2022 CommScope, Inc.

In many cases it is useful to assign a name to your ports so you know what they are used
for. Use the port-name command to assign a meaningful name to an individual port, or a
group of ports. Names can be assigned to physical ports, virtual interfaces, and loopback
interfaces. Port names can be up to 255 characters long and cannot contain any blanks. The
name can contain special characters, but if the name ends in a percentage sign (%), it is
dropped.

When configured, port names are displayed in show commands like show interfaces
brief, but only the first ten characters are displayed. However, the full name is displayed
in the running and startup configs.

Revision 2212 4 ‐ 22
ICX 150 CLI Basics

Speed & Duplex

RUCKUS(config-if-e1000-1/1/1)# speed-duplex ?
By default, all ICX copper 10-full 10M, full duplex
Ethernet interfaces are set to 10-half 10M, half duplex
100-full 100M, full duplex
auto‐negotiation. 100-half 100M, half duplex
1000-full 1G, full duplex
1000-full-master 1G, full duplex, master
1000-full-slave 1G, full duplex, slave
• Use the speed-duplex 100g-full 100G, full duplex
command to change the speed and 10g-full 10G, full duplex
duplex of the interface 10g-full-master 10G, full duplex, master
10g-full-slave 10G, full duplex, slave
2500-full 2.5G, full duplex
2500-full-master 2.5G, full duplex, master
• Use the no form of the command 2500-full-slave 2.5G, full duplex, slave
to restore the default 40g-full 40G, full duplex
5g-full 5G, full duplex
5g-full-master 5G, full duplex, master
5g-full-slave 5G, full duplex, slave
auto Autonegotiation
optic Speed will be set based on optic type

23 © 2022 CommScope, Inc.

Copper Ethernet ports are designed to auto‐sense and auto‐negotiate the speed and
duplex mode of the connected device. If the attached device does not support this
operation, you can manually enter the port speed to operate anywhere between 10 Mbps
and 10 Gbps, depending on the specific device. This configuration is referred to as force
mode. The default and recommended setting is auto for 10/100/1000 auto‐sense. Port
duplex mode and port speed are modified by the same command.

Note: Use care when configuring speed and duplex on a switchport as a misconfiguration
on one side of the link could result in connectivity issues and errors.

The speed-duplex optic command was added in FastIron 08095c. It is the default
configuration applied to all 10Gbps fiber interfaces from that release onward. It allows for
auto‐configuration of speed based on detected optic type. Therefore, if a 1Gbps optic is
inserted into the 10Gbps port, the port speed will be 1000. It will change to 10Gbps if a
10G optic is inserted.

Speed and Duplex Guidelines:

• Both ends of the link must be configured to operate at the same speed

• 2.5G and the 5G speeds are applicable only to Multi‐Gigabit ports

Continued on next slide…

Revision 2212 4 ‐ 23
ICX 150 CLI Basics

Blank Notes Page

24 © 2022 CommScope, Inc.

... Continued from previous slide

• For the RUCKUS ICX 7850‐48F, SFP28 ports are grouped into fours. For example, ports
1/1/1 to 1/1/4 are one group and ports 1/1/5 to 1/1/8 are another group, and so on.
All ports in a four‐port group must be configured to the same value. This restriction
does not apply if configuring values between 1G and 10G.

• When the speed-duplex optic command is used, ICX switches can

automatically set the port speeds based on the type of optics present.
For example, when 1G optics are installed on a 10G SFP+ port that is capable of
running at 1G, the speed should be automatically set to 1G. If a 10G optic is installed,
the port should revert back to its default of 10G. For Copper SFPs, auto‐negotiation is
applied as applicable. This is applicable for 10G fiber ports, and speed optic is the
default configuration for 8.0.95C and later.

Revision 2212 4 ‐ 24
ICX 150 CLI Basics

Displaying Switch Information

Now that we’ve made some configurations, let’s take a look at displaying the information.

Revision 2212 4 ‐ 25
ICX 150 CLI Basics

Show Commands

Show Command Description

version Software version and uptime
interfaces Interface status
statistics Interface statistics
poe Power over Ethernet capacity and usage, per port
ip IP information
span Spanning Tree information
mac-address MAC forwarding table
mac-address statistics Number of MACs learned per port
flash Flash memory images
vlan Configured VLANs
telnet IP address of active telnet sessions
lag Configured, active link aggregation groups
Technical details for help troubleshooting issues when
tech-support
working with technical support

26 © 2022 CommScope, Inc.

There are many show commands available on the ICX switches. The table displays a few of
the options and a brief description of some commonly executed show commands.

Revision 2212 4 ‐ 26
ICX 150 CLI Basics

Searching and Filtering CLI Output

• Use pipe “|” to modify the output of show commands according to operators:
– Begin – Display all output beginning with the first line that contains the matched text string
– Include – Display only lines that include the matched text string
– Exclude – Display only lines that to not include the matched text string

• Used for searching and filtering purposes

• Only one pipe allowed per command string
• Matching strings are case‐sensitive
• Examples:
show interfaces | include Up
show interfaces | begin 1/1/5
show interfaces | include Disable
show interfaces brief | exclude Down
27 © 2022 CommScope, Inc.

Searching and filtering using pipe “|” and its operators can save you time when searching
through long outputs of show commands.
The operators available are:
• Begin – Display all output beginning with the first line that contains the matched
text string
• Include – Display only lines that include the matched text string
• Exclude – Display only lines that to not include the matched text string

It is important to note that only one pipe can be used per command string, and that
searched strings are case‐sensitive.
For example, if you want to view ports that are active, use show interfaces |
include Up. If you want to view ports that are manually disabled, use show
interfaces | include Disable.

Revision 2212 4 ‐ 27
ICX 150 CLI Basics

Show Commands ‐ System Verification

• show chassis
– Displays system temperature, fans, power supplies, MAC address, etc.

• show module
– Displays the module type, status, number of ports, and MAC address

• show version
– Displays the software version that the device is currently running

28 © 2022 CommScope, Inc.

There are some useful commands for viewing overall system information.

The show chassis command displays the power supply and fan status, temperature
reading, and the MAC address of the system.

The show module command is very useful when trying to figure out which ports are in
which module (slot). It also displays the number of ports in the module and the starting
MAC of the ports in the module.

The show version command displays the software version and boot version running
on the device, any installed licenses, slot information, stack unit ID, and system uptime.

Revision 2212 4 ‐ 28
ICX 150 CLI Basics

Show Commands ‐ System Verification (cont.)

• show flash
– Displays the primary and secondary software codes stored in the flash memory
(versions and sizes)

• show memory
– Displays the amount of total/used/free DRAM

• show dir | show files

– Displays the contents of the system flash, including the size of files in bytes, amount
of flash available, and the amount taken by the primary and secondary images

• show dir disk0 | show files disk0

– Displays the contents of the USB flash drive and the amount of flash taken by each of
the files

29 © 2022 CommScope, Inc.

The show flash command displays the software versions loaded in the primary and
secondary flash partitions as well as the boot image installed. It also displays the amount of
free flash on the device.

The show memory command displays the amount of DRAM used and free on the device.

The show dir and show files commands will list the contents of system flash
including the size of primary and secondary images installed on the system.

The show dir disk0 and show files disk0 commands display the contents of
a connected USB flash drive. This is especially useful when upgrading the switch from the
USB drive.

Revision 2212 4 ‐ 29
ICX 150 CLI Basics

Show Configuration
Ruckus#show running-config
• Display the running configuration Current configuration:
!
ver 08.0.95gT213
Ruckus# show running-config !
stack unit 1
module 1 icx7150-c12-poe-port-management-module
module 2 icx7150-2-copper-port-2g-module
module 3 icx7150-2-sfp-plus-port-20g-module
stack-port 1/3/1
stack-port 1/3/2
!
!
• Display the startup configuration global-stp
!
!
!
Ruckus# show configuration vlan 1 name DEFAULT-VLAN by port
spanning-tree
!
vlan 10 name Isolated by port
tagged ethe 1/1/7
untagged ethe 1/1/8
!
aaa authentication web-server default local
• The example displays a partial aaa authentication login default local
enable aaa console
hostname RUCKUS
ip dns server-address 192.168.1.1(dynamic)
running configuration on an ICX ip route 0.0.0.0/0 192.168.1.1 distance 254 dynamic
!
no telnet server
7150‐C12 username super password .....
!
manager registrar
!
manager port-list 987
!
interface ethernet 1/1/9
ip address 192.168.1.21 255.255.255.0 dynamic
!
<Output Truncated>

30 © 2022 CommScope, Inc.

As previously mentioned, the ICX has a running configuration and a startup configuration.

The commands to view the configuration files are show running-config and show
configuration.

Here we see an example of the running configuration on a 12‐port ICX 7150. The output
has been truncated as these files can be rather long. But you can see here, starting from
the top, the software version, the stack unit ID, the modules installed, configured VLANs,
the hostname, and the IP address and default route configured on the device.

Revision 2212 4 ‐ 30
ICX 150 CLI Basics

Displaying Interfaces
The show interfaces brief command can be used to quickly check
port operational status.

Ruckus# show interfaces brief

Port Link State Dupl Speed Trunk Tag Pvid Pri MAC Name
1/1/1 Up Forward Full 1G None No 1 0 748e.f87b.fe40 Server
1/1/2 Up Blocked Full 1G None No 1 0 748e.f87b.fe41
1/1/3 Down None None None None No 1 0 748e.f87b.fe42
1/1/4 Disable None None None None No 1 0 748e.f87b.fe43
1/1/5 Up Forward Full 1G None No 1 0 748e.f87b.fe44 Router
<Output Truncated>
802.1q
Tagged
Current Link State Spanning Tree State: Speed & Yes or No
Up, Down, Forward, Listen, Duplex
Disabled Blocked, etc.

31 © 2022 CommScope, Inc.

When it comes to displaying interface information there is a brief command and a detailed
command. Here we see an example of the show interfaces brief command. This
allows you to quickly check the general status of all interfaces. Some of the details provided
include:
• Link – which is the physical connectivity state. Typical values range between
Up, Down and Disable.
• State – displays the Spanning Tree state for all Spanning Tree versions, 802.1D,
802.1w etc., here you might see states like Forward, Listen, Learning, or
Blocked.
• Tag – displays if the port is tagged 802.1Q or not. No means the port is
untagged.

The output also shows the MAC address of the port, the QoS priority, as well as the Pvid or
VLAN ID.

Revision 2212 4 ‐ 31
ICX 150 CLI Basics

Displaying Interface Details

Ruckus# show interfaces ethernet 1/1/1 Interface up/down status
GigabitEthernet1/1/1 is up, line protocol is up
Port up for 2 minute(s) 5 second(s)
Hardware is GigabitEthernet, address is 0024.38b7.7056 (bia 0024.38b7.7056)
Configured speed auto, actual 1Gbit, configured duplex fdx, actual fdx
Configured mdi mode AUTO, actual MDIX
PTP Feature Disabled
Speed and
Untagged member of L2 VLAN 1, port state is FORWARDING duplex
<Output Truncated> VLAN membership, STP state
MTU 1500 bytes
300 second input rate: 127536 bits/sec, 239 packets/sec, 0.16% utilization
300 second output rate: 37642168 bits/sec, 53507 packets/sec, 46.16% utilization
29939 packets input, 1992836 bytes, 0 no buffer
Received 0 broadcasts, 29 multicasts, 29910 unicasts Throughput
1826 input errors, 1826 CRC, 0 frame, 0 ignored statistics &
input and
0 runts, 0 giants
output errors
7032695 packets output, 615654919 bytes, 0 underruns
Transmitted 251641 broadcasts, 0 multicasts, 6781054 unicasts
0 output errors, 0 collisions
Relay Agent Information option: Disabled
32 © 2022 CommScope, Inc.

To view the details of an interface, use the show interfaces ethernet command
with the interface number. This output displays a lot of useful information including:
interface up/down status, VLAN membership with tagged or untagged status, the STP state,
and port MTU. Also shown are input/output throughput statistics (including utilization
percentage) and any input and output errors seen on the interface.

In the example output, we can see that there are Cyclic Redundancy Check (CRC) errors on
the port. CRC errors can often be caused by faulty hardware, such as cables, SFPs, switch
port or any other component of the physical connections.

Revision 2212 4 ‐ 32
ICX 150 CLI Basics

Displaying Interface Statistics

Use the show statistics command to view port statistics and detailed error counters
Ruckus# show statistics ethernet 1/1/1
Port 1/1/1 Counters:
InOctets 1992836 OutOctets 694011939
InPkts 29939 OutPkts 8021550
InBroadcastPkts 0 OutBroadcastPkts 266281
InMulticastPkts 29 OutMulticastPkts 0
InUnicastPkts 29910 OutUnicastPkts 7755269
InBadPkts 20119
InFragments 1707
InDiscards 0 OutErrors 0
CRC 20119 Collisions 0
InErrors 20119 LateCollisions 0
InGiantPkts 0
InShortPkts 1707
InJabber 0 OutDiscards 0
InFlowCtrlPkts 0 OutFlowCtrlPkts 0
InBitsPerSec 118088 OutBitsPerSec 40742424
InPktsPerSec 221 OutPktsPerSec 58810
InUtilization 0.15% OutUtilization 50.15%

33 © 2022 CommScope, Inc.

The show statistics command offers a more in‐depth look at the port statistics,
including detailed error counters. Sometimes it is necessary to reset the statistics for an
interface (or all interfaces) in order to flush stale errors and provide a more reliable look at
recent errors.

In our example, you would run clear statistics ethernet 1/1/1 to clear the
counters for this interface and then re‐run the show statistics ethernet 1/1/1 command
again after some traffic had passed to analyze the result.

Revision 2212 4 ‐ 33
ICX 150 CLI Basics

Attendees should now be able to:

• Explain the Command Line (CLI) structure of

ICX devices

• Manage device configuration files

Summary • Configure switch hostname, IP address, and

default gateway

• Configure interface settings including, name,

IP address, speed and duplex

• Use show commands to view switch

information

This concludes the CLI Basics module. You should now be able to:
• Explaining the CLI structure of ICX devices
• Managing device configuration files
• Configuring global switch settings like hostname, IP address, and default gateway
• Configuring interface settings like name, IP address, and speed and duplex
• Finally, we'll look at using show commands to verify switch information

Revision 2212 4 ‐ 34
ICX 150 CLI Basics

End of presentation:
CLI Basics

This concludes the CLI Basics presentation.

Revision 2212 4 ‐ 35
ICX 150 CLI Basics

Revision 2212 4 ‐ 36
ICX 150 Software Upgrade and Licensing

ICX Software Upgrade & Licensing

Revision 2212

Welcome to the presentation covering RUCKUS ICX software upgrades and licensing.

Revision 2212 5‐1

ICX 150 Software Upgrade and Licensing

After completing this presentation, you

should be able to:
• Discuss the resources and considerations
when upgrading an ICX switch
• Discuss the Software Image Files
• Describe the simplified upgrade process
Objectives
• Perform the process of verifying the current
software version
• Perform a software upgrade using both
legacy and Unified FastIron Image processes
• Describe and install Software Licensing

After completing this presentation, you’ll be able to:

• Discuss the resources and considerations when upgrading an ICX switch (including using
the RUCKUS ICX Target Path Selection Guide to find which software version is right for
your device)
• Discuss the Software Image files
• Describe the simplified upgrade process
• Perform the process of verifying the current software version
• Perform a software upgrade using both legacy and Unified FastIron Image processes
• Describe and install Software Licensing

Revision 2212 5‐2

ICX 150 Software Upgrade and Licensing

Upgrade Considerations

Let’s take a look at the different resources available to you regarding ICX software upgrade.

Revision 2212 5‐3

ICX 150 Software Upgrade and Licensing

Recommended Software
• Recommended Software is specified on the • Clicking the release link takes you to a
model‐specific webpages located at webpage where you can:
https://support.ruckuswireless.com/ – Access the Software Release Notes
Example: – Download the software .zip file
RUCKUS ICX 7550 Campus Switches

4 © 2022 CommScope, Inc

Multiple versions of FastIron software are available for download from

https://support.ruckuswireless.com/; however, RUCKUS identifies a recommended
software release for each ICX switch family.

The recommended release is based on these criteria:

• It is a release created primarily for stability and reliability
• It is not used for the support of any new hardware, although it may contain
reliability, availability, and serviceability (RAS) improvements and
enhancements
• It has been deployed in a sufficient number of end‐user production
environments for a specific period of time and has no known critical or
pervasive issues or defects

Clicking the software release hyperlink takes you to the Downloads webpage where you
can access the Release Notes and the software .zip file. Many of the file transfer processes
require the .zip file to be unzipped and placed on the server you intend to use to transfer
the software. We’ll discuss transfer options later in this presentation.

Revision 2212 5‐4

ICX 150 Software Upgrade and Licensing

Software Release Notes

• Every time you upgrade or • Software Release Notes contain

downgrade to a software version,
you must read the version‐specific
RUCKUS ICX FastIron Release Notes
information regarding:
– Supported devices, software
enhancements, and upgrade
filenames
– Changes in behavior and CLI
commands
– Resolved and Known issues in
the release

5 © 2022 CommScope, Inc

Before you upgrade or downgrade software on any RUCKUS ICX product, refer to the
release‐specific RUCKUS ICX FastIron Release Notes.

The Release Notes will show you the supported devices and new enhancements for the
release. It also provides upgrade filenames and pertinent information regarding changes in
behavior and CLI commands and known and resolved issues in the release.

Revision 2212 5‐5

ICX 150 Software Upgrade and Licensing

Software Upgrade Guide

The release‐specific Software Upgrade
Guide provides:
• A list of supported ICX products
• Software upgrade considerations and steps
for both standalone and stacked switches
• Software downgrade and recovery steps

RUCKUS recommends reviewing the

Software Upgrade Guide prior to
starting any software upgrade

6 © 2022 CommScope, Inc

When you are ready to upgrade your software, the release‐specific Software Upgrade
Guide provides:
• A list of supported ICX products
• Software upgrade considerations and steps for both standalone and stacked switches
• Software downgrade and recovery steps

The Software Upgrade Guide is available in the Documents tab for each ICX family on
https://support.ruckuswireless.com/.
RUCKUS recommends carefully reviewing the document prior to starting any software
upgrade.

Revision 2212 5‐6

ICX 150 Software Upgrade and Licensing

Software Image Files

Let’s take a look at the different software image files for RUCKUS ICX products.

Revision 2212 5‐7

ICX 150 Software Upgrade and Licensing

Unified FastIron Image (UFI)

• The UFI contains all component/package files within one file allowing a
single image download to update all necessary software components
• The UFI contains these components/packages:
– Application image
– Application image’s signature file
– U‐boot
– PoE firmware
– Python libraries
– HTTP package
– DHCP package
– <Any other package in future>

• All new hardware platforms introduced with FastIron releases 08.0.90 and later
support only the UFI upgrade process (for example, ICX 7550 and 7850)
8 © 2022 CommScope, Inc

FastIron release 8.0.80 introduced the Unified FastIron Image (UFI) which combines all the
necessary files together into one image file, simplifying the upgrade process with a single
command to ensure all files are upgraded uniformly on the switch. The UFI remains
supported moving forward with newer releases and eventually the legacy simplified
software upgrade option will be phased out.

It’s important to note that new hardware platforms introduced with software releases FI
8.0.90 and later (for example, ICX 7550 and ICX 7850), support only the UFI image upgrade
process and are not backwards compatible with previous software management solutions.

Any systems upgraded from 08.0.70 or earlier releases directly to 08.0.90 (manually or
using the manifest file) must be upgraded a second time using the UFI image. If the upgrade
is from 08.0.80, then use only the UFI image.

Beginning with the FastIron 08.0.90 release, UFI image copy is the recommended software
upgrade method for all ICX devices.

Revision 2212 5‐8

ICX 150 Software Upgrade and Licensing

Legacy Software Upgrade (Simplified Software Upgrade)

Legacy Simplified Software Upgrade process:

• Can be done through a single CLI command or through SNMP MIB set‐request
operations
• CLI copy command uses a single Manifest .txt file
– CLI command:
 Copies software image files to the specified flash partition (primary/secondary)
 Obtains software image files from the specified Manifest file

– Manifest File:
 Contains all boot, firmware, and application images, as well as signature files
 Specifies the directory path of all boot and application software images to be upgraded
 Contains images for both router and switch code (per ICX device family)
 Contains checks for the current image type installed on the switch to determine which code should be
installed

9 © 2022 CommScope, Inc

Prior to the introduction of the UFI in FI 8.0.80, a manifest file was used in a process known
as the Simplified Software Upgrade for switch software.
Each software release maintains its own version of the manifest file. The manifest file
contains all boot, firmware, and application images, as well as signature files. PoE firmware
is separate and has to be upgraded manually after the manifest upgrade. Because these are
still individual files there is still the possibility of a u‐boot and image software mismatch.
The Simplified Software Upgrade process uses a single CLI copy command and a manifest
file to perform the upgrade. The command allows for specification of where the upgrade
files should be installed (either in the primary or secondary flash partition); we’ll discuss
flash partitions later in this presentation.
When the copy command is run, the manifest file is checked for the correct keywords and
the command extracts the image name and location. The manifest file consists of images of
both router and switch type. Commands embedded in the manifest file check if the system
is running a router or a switch image, then copies the appropriate images onto the switch.
Note that the upgrade can be done using the CLI copy command or through SNMP MIB
set‐request operations.
The Simplified Software Upgrade process was an improvement over the original upgrade
process used in the early stages of the ICX platform; however, it did not eliminate the
possibility of mismatched files (which UFI eliminates).

Revision 2212 5‐9

ICX 150 Software Upgrade and Licensing

Legacy Software Migration (Excluding 7850)

• Application and U‐Boot image compatibility issue solved

– Prior legacy process led to the possibility of U‐Boot and Image software mismatch
– UFI process eliminates the mismatch issue due to the unified code

• Both legacy and UFI are available for the 8.0.90 release only
– Switches will not support full 8.0.90 functionality without UFI update
– Beyond 8.0.90, only a single release of a UFI image is available

• Upgrades from versions of software older than 8.0.80 require a two‐step

process

• Downgrade from UFI software to non‐UFI software ‐ Recommended to use

the manifest file process only
10 © 2022 CommScope, Inc

The previous 8.0.90 release provided support for both legacy and the newer UFI upgrade
process; however, the legacy release does not support the full functionality of the new
code. Therefore, it is important to treat the legacy code as more of a migration mechanism
to the UFI update process. More details about the legacy upgrade process and migration
steps will be discussed later in this presentation. If downgrading to code prior to 8.0.90,
RUCKUS recommends to only use the manifest file process for downgrading.

Revision 2212 5 ‐ 10
ICX 150 Software Upgrade and Licensing

ICX 7150, 7250 and 7450 Image Files

ICX 7150
Access • Both legacy and UFI images provide
ICX 7450 two software images for the
Access‐Aggregation
ICX 7150, 7250, and 7450 platforms
(Layer 2 or Layer 3)

• The file type is identified by the 3rd

letter in the file name
ICX 7250 UFI File Name (boot, image)
Access SPS08095gufi.bin (Layer 2)
SPR08095gufi.bin (Layer 3)

11 © 2022 CommScope, Inc

The ICX 7150, 7250, and 7450 switches use the same image files. The file type, either Layer
2 or Layer 3, is designated by “S” or “R” in the file name.

Revision 2212 5 ‐ 11
ICX 150 Software Upgrade and Licensing

ICX 7550 Image Files

• The UFI images provide two software
images for the ICX 7550 platform
(Layer 2 or Layer 3)
ICX 7550
Mid‐Range Access‐Aggregation
• The file type is identified by the 3rd
letter in the file name
UFI File Name (boot, image)
GZS08095gufi.bin (Layer 2)
GZR08095gufi.bin (Layer 3)

12 © 2022 CommScope, Inc

The ICX 7550 switch uses a unique image file. The file type, either Layer 2 or Layer 3 is
designated by “S” or “R” in the fie name.

Revision 2212 5 ‐ 12
ICX 150 Software Upgrade and Licensing

ICX 7650 Image Files

• Both legacy and UFI images provide
two software images for the
ICX 7650 platform (Layer 2 or Layer 3)
ICX 7650
Premium Access‐Aggregation
• The file type is identified by the 3rd
letter in the file name
UFI File Name (boot, image)
TNS08095gufi.bin (Layer 2)
TNR08095gufi.bin (Layer 3)

13 © 2022 CommScope, Inc

The ICX 7650 switch uses a unique image file. The file type, either Layer 2 or Layer 3 is
designated by “S” or “R” in the file name.

Revision 2212 5 ‐ 13
ICX 150 Software Upgrade and Licensing

ICX 7750 Image Files

• Both legacy and UFI images provide
two software images for the
ICX 7750 platform (Layer 2 or Layer 3)
ICX 7750
Aggregation‐Core
• The file type is identified by the 3rd
letter in the file name
UFI File Name (boot, image)
SWS08095gufi.bin (Layer 2)
SWR08095gufi.bin (Layer 3)

14 © 2022 CommScope, Inc

The ICX 7750 switch also uses a unique image file. Like the others, the file type is either
Layer 2 or Layer 3 is designated by “S” or “R” in the file name.

Revision 2212 5 ‐ 14
ICX 150 Software Upgrade and Licensing

ICX 7850 Image Files

• Single UFI image provides one
software image for the ICX 7850
platform (Layer 3)
ICX 7850
Aggregation‐Core
• The file type is identified by the 3rd
letter in the file name
UFI File Name (boot, image)
TNR08095gufi.bin(Layer 3)

15 © 2022 CommScope, Inc

And finally, the ICX 7850 has one image file which is router code; however, it is still
identified in the software file by the use of the “R” in the third position.
Because the ICX 7850 was introduced in UFI‐only release 8.0.90, separate boot code file is
not needed.

Revision 2212 5 ‐ 15
ICX 150 Software Upgrade and Licensing

Verify Current Software Version

Now that we have reviewed the different types of files, let’s take a look at how to verify the
software version running on a device.

Revision 2212 5 ‐ 16
ICX 150 Software Upgrade and Licensing

ICX Flash Partitions

• RUCKUS ICX devices have two flash memory modules:
– Primary flash ‐ The default local storage module for image files and configuration files
– Secondary flash ‐ A second flash storage module; example uses:
 To preserve one software image while testing another one
 To store redundant images for additional booting reliability

• It is best practice on switches in production to have the same image on both partitions
to ensure failover capabilities
• For immediate boot to a specific partition, from Privileged Exec mode issue command:
RUCKUS# boot system flash [primary | secondary]
Note: This does not get saved to startup config file
• For persistent boot flash preference, issue the boot command in Global Config mode
and save the config to memory
RUCKUS(config)# boot system flash [primary | secondary]
RUCKUS(config)# write memory
Note: Any future reboots will load from the configured partition
17 © 2022 CommScope, Inc

Two separate flash locations are available in the ICX switches, allowing switch boot from
the software that is stored in either location. This can provide redundancy in the switch
software and the ability to evaluate new software by uploading to one flash location and
booting from it. You then can easily revert back to the previous software by simply booting
the switch to the flash partition that contains the previous code.
ICX switches by default boot from the primary partition; however, you can prompt a switch
to boot from a specified flash (such as the secondary) by issuing the boot system
flash secondary command from Privileged Exec mode.

This will prompt the switch to immediately reload using the flash partition specified. Please
note that any future reboots of the switch will revert back to the default boot behavior
based on the configuration written to memory. To cause the switch to consistently boot
from a specific flash location, you need to configure the switch (from within Global Config
mode) using the boot system flash [primary | secondary] command,
then save the configuration to memory using the write memory command prior to any
reboot of the switch (otherwise, it will revert back to default behavior or its previous boot
configuration).

Revision 2212 5 ‐ 17
ICX 150 Software Upgrade and Licensing

Displaying Software Version

Use the show version command to view the current software version Boot partition

Image name

Version Number

Boot version
and file name

18 © 2022 CommScope, Inc

The show version output displays:

• Current software version
• Boot partition
• Image name that maps to the .bin file name (in this example, we see “SPS08095g”,
meaning that this ICX device is running Layer 2 Switch code obtained from the UFI
boot/image file SPS08095gufi.bin).
• Boot code version and file name (remember that these were embedded in the
SPS08095gufi.bin UFI file).
• Each module or slot (SL) in the device and its details (including any licenses installed on
the management module).

Revision 2212 5 ‐ 18
ICX 150 Software Upgrade and Licensing

Displaying Flash Versions

Use the show flash command to view which code file versions are installed in the flash partitions
Example 1: Primary and Secondary partitions have different switch code (useful to preserve one
software image while testing another one)
8.0.95gT211 L2 switch code
is installed in the primary
partition and 8.0.95dT211
L2 switch code is installed in
the secondary partition

Example 2: Primary and Secondary partitions have the same switch code (redundant images allow for
additional booting reliability in case one partition becomes corrupt)
8.0.95gT211 L2 switch code
is installed in both the
primary partition and in the
secondary partition

19 © 2022 CommScope, Inc

The show flash command displays both the primary and secondary partitions and the
version of software installed in each. The output also shows the amount of free flash on
the device.
Here we have examples showing:
• Different switch code (designated by the third letter (S) in the .bin file name) loaded on
the primary and secondary partitions to preserve a copy of pre‐existing code while new
code is being tested.
• The same switch code loaded on both partitions for redundancy.

Revision 2212 5 ‐ 19
ICX 150 Software Upgrade and Licensing

Software Upgrade

Next, we will look at software upgrade methods.

Revision 2212 5 ‐ 20
ICX 150 Software Upgrade and Licensing

Upgrade Transfer Options

• Software images can be uploaded and downloaded to all RUCKUS ICX devices using:
– TFTP (supports manifest)
– SCP
– HTTPS (FastIron release 8.0.80 or newer)
– USB module (supports manifest)

• Transfer of software images can be designated to the primary or secondary partition

• Flash image boot options:
– Download UFI image to primary, all the components will be updated for primary
Boot from primary: all the components installed with primary UFI image are applicable
– Downloaded UFI image to secondary, all the components will be updated for secondary
Boot from secondary: all the components installed with secondary UFI image are applicable

• Only one flash partition (and therefore image) is active at a given time

21 © 2022 CommScope, Inc

As we mentioned previously, many of the file transfer processes require the .zip file to be
unzipped and placed on the server you intend to use to transfer the software.

There are several different transfer methods that can be used to upgrade a switch.

• Trivial File Transfer Protocol (TFTP): Use TFTP to copy an image from a TFTP server onto
a flash module. TFTP can also utilize the Manifest.txt file for UFI upgrade.
• Secure Copy Protocol (SCP): Use SCP to copy images to and from a host.
• Hypertext Transfer Protocol Secure (HTTPS): Beginning with FastIron 08.0.80, you can
use HTTPS, which requires a server that supports HTTP over TLS.
• Universal Serial Bus (USB): Beginning with FastIron 08.0.30, you can use a USB device
that contains the appropriate files and is connected to a standalone unit or the active
controller in a stack to perform UFI and Manifest upgrades.

Using the legacy process, transfer options require the U‐Boot and image software to be
transferred separately. Moving forward, using the UFI process, all transfer options will
support a single command pointing to the single UFI file for the upgrade.
When transferring the software, you will specify the flash partition where the new code is
to be placed. Once downloaded, it is required that the switch be booted from the flash
where the new software is stored. Note that only one flash partition can be active and
switching between the two options requires a reload of the switch.

Revision 2212 5 ‐ 21
ICX 150 Software Upgrade and Licensing

Legacy Transfer Methods

Legacy (non‐UFI) transfer methods utilize the copy command to download two files (the
software image and the boot image) to the ICX device
Transfer
Commands
Method
1a) RUCKUS# copy tftp flash 10.177.16.144 SPR08080f.bin primary
…and…
1b) RUCKUS# copy tftp flash 10.177.16.144 spz10114.bin bootrom
TFTP
…or…

1) RUCKUS# copy tftp system-manifest 10.176.220.51 FI08080f_Manifest.txt primary

1a) RUCKUS# copy scp flash 10.176.132.132 SPR08080f.bin primary
SCP …and…
1b) RUCKUS# copy scp flash 10.176.132.132 spz10114.bin bootrom
HTTPS 1a) RUCKUS# copy https flash 10.176.132.132 SPR08080f.bin primary
[FastIron release …and…
08.0.80 and earlier] 1b) RUCKUS# copy https flash 10.176.132.132 spz10114.bin bootrom
1a) RUCKUS# copy disk0 flash SPR08080f.bin primary
USB …and…
1b) RUCKUS# copy disk0 flash spz10114.bin bootrom

22 © 2022 CommScope, Inc

As previously mentioned, upgrades from legacy (non‐UFI) code to new UFI code requires a
two‐step process, which we’ll describe soon.

This table reflects the copy commands needed to perform the first step on the two‐step
upgrade process. These commands copy the software image and the boot image to the ICX
device. The commands used will depend on your transfer method. All commands allow you
to select the flash partition you want to transfer the software to; note that in these
command examples, all transfers are being placed in the Primary partition. Copy to the
Secondary location will be discussed later in the process.

Revision 2212 5 ‐ 22
ICX 150 Software Upgrade and Licensing

UFI Transfer Methods

UFI transfer methods utilize the copy command to download a single file to
ICX flash memory
Transfer
Commands
Method
1a) RUCKUS# copy tftp flash 10.177.16.144 SPR08095ufi.bin primary
1b) RUCKUS# copy tftp flash 10.177.16.144 SPR08095ufi.bin secondary

TFTP …or…

1a) RUCKUS# copy tftp system-manifest 10.176.220.51 FI08095_Manifest.txt primary

1b) RUCKUS# copy tftp system-manifest 10.176.220.51 FI08095_Manifest.txt secondary
1a) RUCKUS# copy scp flash 10.176.132.132 SPR08095ufi.bin primary
SCP 1b) RUCKUS# copy scp flash 10.176.132.132 SPR08095ufi.bin secondary
HTTPS 1a) RUCKUS# copy https flash 10.176.132.132 SPR08095ufi.bin primary
[FastIron release
1b) RUCKUS# copy https flash 10.176.132.132 SPR08095ufi.bin secondary
08.0.80 and later]
1a) RUCKUS# copy disk0 flash SPR08095ufi.bin primary
USB 1b) RUCKUS# copy disk0 flash SPR08095ufi.bin secondary

23 © 2022 CommScope, Inc

The copy command syntax required to upgrade a switch depends on your transfer
method. All copy commands also allow you to select the flash partition you want to
transfer the software to. Note that in these command examples, the first command shown
places the UFI in the Primary partition as that is usually where a switch boots from, while
the second command shown places the UFI in the Secondary partition for redundancy.

Remember, the UFI image combines all software files needed, including the boot image
and all other software; therefore, only a single command pointing to the UFI file is needed.
For the UFI‐to‐UFI TFTP upgrade process (such as from 8.0.90 or later to 8.0.95), the
manifest file can be used as an alternative to the ufi.bin file.

Note: If you are upgrading from FastIron release 08.0.80 to release 08.0.90 or later,
RUCKUS recommends using SCP to transfer files.

Revision 2212 5 ‐ 23
ICX 150 Software Upgrade and Licensing

UFI‐to‐UFI Software Upgrade Overview

Process Flow
• UFI‐to‐UFI software upgrade minimally involves one copy
command and a system reboot
copy the 8095 UFI image
using your preferred
• Example: FastIron 08.0.90 to FastIron 08.0.95 upgrade transfer method to your
preferred flash partition
1. Copy the 08.0.95 UFI image (Primary or Secondary)
2. Reboot the system with 8.0.95 image
Boot from flash to new
1) RUCKUS# copy tftp flash 10.177.16.144 SPS0808095g.bin primary 8.0.95 UFI software
…or…
1) RUCKUS# copy tftp system-manifest 10.177.16.144 FI08095g_Manifest.txt primary Upgrade complete
…then…
2) RUCKUS# reload
Recommended:
copy image to other
flash for redundancy

24 © 2022 CommScope, Inc

As previously mentioned, the Unified FastIron Image (UFI) combines all software files
together into a single file, eliminating application and U‐Boot image compatibility issues
seen in the legacy upgrade process.

Migrating from one UFI image to another UFI image minimally requires only one copy
command. Let’s use the example of upgrading from FastIron 08.0.90 to FastIron 08.0.95.
Simply copy the 08.0.95 UFI to the primary flash partition using any transfer method, then
reboot the device.

Though not required, it’s suggested to use the copy flash flash command to copy
the new image to the secondary flash partition for redundancy.

Revision 2212 5 ‐ 24
ICX 150 Software Upgrade and Licensing

Legacy‐to‐UFI Software Upgrade

Process Flow
• Legacy (pre‐8.0.80 non‐UFI) to UFI software upgrade
involves a two‐step upgrade requiring an upgrade to Copy 8.0.80 legacy image using
preferred transfer method to
an interim release, then a second upgrade to the preferred flash (Primary or Secondary)
latest release
Boot from flash to new 8.0.80 legacy software
• Example: FastIron 08.0.70 to FastIron 08.0.95
upgrade Copy the 8.0.95 UFI software using
preferred transfer method to the
1. Download the 08.0.80f non‐UFI image and boot files same flash partition

2. Reboot the system with 8.0.80 image

Boot from flash to new 8.0.95 UFI software
3. Download 8.0.95 UFI image file
4. Reboot the system with 8.0.95 image Upgrade complete

Recommended:
copy image to other flash for redundancy

25 © 2022 CommScope, Inc

Migrating from a Legacy image to the UFI requires a two‐step process allowing you to use
the full potential of the UFI features. Let’s use the example of upgrading from FastIron
08.0.70 to FastIron 08.0.95.

1. Copy the 08.0.80f non‐UFI to the primary flash partition and reboot the device with the
08.0.80f image. Note: When performing legacy upgrade methods other than TFTP
(which supports the simplified manifest process) the software and boot file will need to
be uploaded independently. It is not always necessary to upgrade the boot code on the
device. Refer to the Software Release Notes for your specific version to see if the boot
code needs to be upgraded.
With the system now running the 08.0.80f image, save the running configuration to
startup configuration using the write memory command.
Upgrading to the interim software release is mandatory as it migrates the configured
Access Control list (ACL) configurations without sequence numbers to the new ACL
format. The system will otherwise lose the previously configured ACL configuration
without sequence numbers while upgrading from a non‐UFI version to a UFI version.

2. Copy the 08.0.95 UFI to the primary flash partition using the UFI transfer method and
reboot the device again. When upgrading to the UFI version, the boot image will be
upgraded automatically.

Though not required, it’s suggested to use the copy flash flash command to copy
the new image to the secondary flash partition for redundancy.

Revision 2212 5 ‐ 25
ICX 150 Software Upgrade and Licensing

Legacy‐to‐UFI Upgrade Example Using Manifest File

1. Upgrade to interim release 08.0.80f (contains both non‐UFI and UFI code)
A. Copy the 08.0.80f non‐UFI from the TFTP server into flash memory using CLI
RUCKUS# copy tftp system 10.176.220.51 FI08080f_Manifest.txt primary
You are about to download boot image and boot signature image as well,
ARE YOU SURE?(enter 'y' or 'n'): Error: Enter y/n or Y/N for confirmation
Y
RUCKUS# Flash Memory Write (8192 bytes per dot)
DOWNLOADING MANIFEST FILE Done.
Manifest upgrade in progress...
<Output truncated>
Copy ICX7150 from TFTP to Flash Done
Manifest image download is complete, please reload the system

B. Reboot the switch (required)

RUCKUS# write memory
RUCKUS# boot system flash primary

C. After reboot, ICX will now be on interim release 8.0.80f code (non‐UFI)
RUCKUS# show version
Copyright (c) 2017 Ruckus Wireless, Inc. All rights reserved.
UNIT 1: compiled on Apr 9 2019 at 03:20:17 labeled as SPR08080f
(29826604 bytes) from Primary SPS08080f.bin
SW: Version 08.0.80fT213
Compressed Boot-Monitor Image size = 786944, Version:10.1.14T215 (spz10114)
Compiled on Thu Nov 15 04:59:16 2018

26 © 2022 CommScope, Inc

We’ll step through the two‐step process in a little more detail now.

First step is to upgrade the primary flash partition to the interim software release 08.0.80f
(which contains both non‐UFI and UFI code).

1A. Copy the interim software release 08.0.80f code to the primary flash partition using
one of the Legacy transfer methods previously discussed.
In our example, we’re using TFTP to reflect using the single manifest file. When performing
legacy upgrade methods other than the TFTP manifest file process, the software and boot
files will need to be uploaded independently. It is not always necessary to upgrade the boot
code on the device. Refer to the Software Release Notes for your specific version to see if
the boot code needs to be upgraded.

1B. Reboot the device with the 08.0.80f image using the boot system flash
primary command.
With the system now running the 08.0.80f image, save the running configuration to startup
configuration using the write memory command.

1C. The show version command confirms that the 08.0.80f image is running. It’s
important to see that the built‐in upgrade process identified the switch software that was
previously running on the device and the manifest process upgraded accordingly to switch
software instead of router software. If router software were running on this device, it
would have updated using router software.

Revision 2212 5 ‐ 26
ICX 150 Software Upgrade and Licensing

Legacy‐to‐UFI Upgrade Example Using Manifest File (Cont.)

2. Upgrade to UFI release (for example, 08.0.95)

A. Copy the 08.0.95 UFI from the TFTP server into flash memory using CLI
RUCKUS# copy tftp system 10.176.136.210 FI08095_Manifest.txt primary
You are about to download boot image and boot signature image as well,
ARE YOU SURE?(enter 'y' or 'n'): Error: Enter y/n or Y/N for confirmation
Y
RUCKUS#Flash Memory Write (8192 bytes per dot)
DOWNLOADING MANIFEST FILE Done.
Manifest upgrade in progress...
<Output truncated>
Copy ICX7150 from TFTP to Flash Done
Manifest image download is complete, please reload the system

B. Save configuration and reboot the switch (required)

RUCKUS# write memory
RUCKUS# boot system flash primary

C. After reboot you will now be on current release 8.0.95 code (UFI)
RUCKUS# show version
Copyright (c) RUCKUS Networks, Inc. All rights reserved.
UNIT 1: compiled on May 6 2022 at 23:24:50 labeled as SPS08095g
(31457280 bytes) from Primary SPS08095g.bin(UFI)
SW: Version 08.0.95gT211
Compressed Primary Boot Code size = 786944, Version:10.1.24T225 (mnz10124)
Compiled on Thu Apr 21 06:08:52 2022

27 © 2022 CommScope, Inc

Second step is to upgrade the primary flash partition from the interim software release
08.0.80f (which contains both non‐UFI and UFI code) to the new 08.0.95 release (which
contains only UFI code).

2A. Copy the new software release 08.0.95 code to the primary flash partition.
In our example, we’re still using TFTP to reflect using the single manifest file.

2B. Reboot the device with the 08.0.95 image using the boot system flash
primary command and save the running configuration to startup configuration using the
write memory command.

2C. The show version command confirms that the 08.0.95 “switch” software image is
running.

Remember that when upgrading to the UFI version, the boot image will be upgraded
automatically. For redundancy, consider copying the new UFI to the secondary flash
partition.

Revision 2212 5 ‐ 27
ICX 150 Software Upgrade and Licensing

Legacy‐to‐UFI Software Upgrade – Upgrade Results

Use show flash to verify that the image and boot code has been successfully copied
RUCKUS# show flash
Stack unit 1:
NAND Type: Micron NAND 2GiB (x 1)
Compressed Pri Code size = 32454872, Version:08.0.95T211 (SPS08095.bin)
Compressed Sec Code size = 28584896, Version:08.0.70T211 (SPS08070.bin)
Compressed Pri Boot Code size = 786944, Version:10.1.24T225 (mnz10124)
Compressed Sec Boot Code size = 786432, Version:10.1.15T215 (mnz10115)
Code Flash Free Space = 1251205120

28 © 2022 CommScope, Inc

After the second upgrade step and boot you can issue the show flash command to
verify that the new software has been loaded into the partition you have chosen; in our
example, it’s the Primary partition.
Remember that there are now two boot code locations instead of the one that was used in
previous code, and there is a mismatch of code between the primary and secondary
locations.

Revision 2212 5 ‐ 28
ICX 150 Software Upgrade and Licensing

Partition Backup/Redundancy
• After the new software is running and verified on your device, issue the copy flash
flash primary | secondary command to copy to other flash partition
RUCKUS# copy flash flash secondary
Flash Memory Write (8192 bytes per dot)
RUCKUS#.........................................................................................................
<Output truncated>
Processing the bundle image...
Flashing application image to Secondary partition...

SYNCING IMAGE TO FLASH. DO NOT SWITCH OVER OR POWER DOWN THE UNIT(65536 bytes per dot)...
............................................................................
Flashing bootrom image to Secondary partition...
<Output truncated>
SYNCING IMAGE TO FLASH. DO NOT SWITCH OVER OR POWER DOWN THE UNIT(65536 bytes per dot)...
............

Copy Done

• Both partitions now reflect the new UFI code

RUCKUS# show flash
Stack unit 1:
NAND Type: Micron NAND 2GiB (x 1)
Compressed Pri Code size = 31457280, Version:08.0.95gT211 (SPS08095g.bin)
Compressed Sec Code size = 31457280, Version:08.0.95gT211 (SPS08095g.bin)
Compressed Pri Boot Code size = 786944, Version:10.1.24T225 (mnz10124)
Compressed Sec Boot Code size = 786944, Version:10.1.24T225 (mnz10124)
Code Flash Free Space = 1032966144

29 © 2022 CommScope, Inc

By default, switches are booted from the Primary partition, and that’s where our examples
have shown the new software image being uploaded. That means the Secondary partition
still contains the previous software image.

After your ICX device is running the new software and you’ve verified it’s running as
expected, you can copy the new image over to the Secondary partition using the copy
flash flash command, allowing for backup in case the Primary partition software
becomes corrupted. After the copy is completed, you can issue the show flash
command to verify the software is copied over to the secondary.

Revision 2212 5 ‐ 29
ICX 150 Software Upgrade and Licensing

Software Licensing

Our next topic is software licensing for ICX devices.

Revision 2212 5 ‐ 30
ICX 150 Software Upgrade and Licensing

SAU Software Licensing

Let’s first look at self‐authenticated upgrade software licensing for ICX devices.

Revision 2212 5 ‐ 31
ICX 150 Software Upgrade and Licensing

Self‐Authenticated Upgrade (SAU) Licensing

Software licensing provides increased scalability and rapid deployment of

hardware and software
• One or more valid software licenses are required to run licensed features on the device
– Permanent license can be ordered pre‐installed in a RUCKUS device from the factory
– Ordered and installed by customer separately after delivery

• Self‐Authenticated Upgrade Licensing

– Provides “pay‐as‐you‐grow” capabilities
– SAU licensing allows you to upgrade or downgrade to a licensed feature set with a single command

32 © 2022 CommScope, Inc

Licensing provides the convenient and budget‐friendly way of purchasing equipment with
advanced features sets that may or may not be used when deployed. As the network
changes or advances, these features might be needed and can be activated by use of a
license. These features include Ports on Demand (PoD), Layer 3 Base Features (L3‐BASE), L3
Premium Features (L3 PREM), and Media Access Control Security (Prem‐MACsec)
depending on the switch series. This is an upgrade option that does not require a pull‐and‐
replace process but rather the enabling of a license for the specific feature set.

Note: License options are not available on all switch types. Refer to the RUCKUS FastIron
Software Licensing Guide for specific license available for each switch.

Revision 2212 5 ‐ 32
ICX 150 Software Upgrade and Licensing

Licenses Available
License Install License Delete Default
Platform Licensed Feature Possible Packages
Options Options Package
ICX 7150‐24/48 L3 PREM, PoD 4x1g, 2x10g, 4x10gr 2x10g, 4x10gr 4x1G 4x1G, 2x10G, 4x10GR

ICX 7150‐48ZP L3 PREM, PoD 2x10g, 8x10gr 8x10gr 2x10G 2X10G, 8x10GR

ICX 7150‐C12P/C10ZP L3 PREM, PoD 2x1g, 2x10gr 2x10gr 2x1G 2x1G, 2x10GR

l3‐base, l3‐prem, l3‐base‐2x10G,

L3 PREM l3‐prem l3‐prem
ICX 7250 l3‐base l3‐prem‐2x10G, l3‐base‐8x10G,
PoD 2x10g, 8x10g 2x10g, 8x10g
l3‐prem‐8x10G

L3 PREM l3‐prem l3‐prem l3‐base, l3‐prem, l3‐base‐macsec,

ICX 7450 l3‐base
MACSec macsec macsec l3‐prem‐macsec
L3 PREM l3‐prem l3‐prem l3‐base, l3‐prem, l3‐base‐macsec,
ICX 7550 l3‐base
MACSec macsec macsec l3‐prem‐macsec
L3 PREM l3‐prem l3‐prem l3‐base, l3‐prem, l3‐base‐macsec,
ICX 7650 l3‐base
MACSec macsec macsec l3‐prem‐macsec
ICX 7750 L3 PREM L3 PREM L3 PREM l3‐base l3‐prem
l3‐base, l3‐prem, l3‐base‐macsec,
ICX 7850 L3 PREM, MACSec l3‐prem, macsec l3‐prem, macsec l3‐base
l3‐prem‐macsec

33 © 2022 CommScope, Inc

Software licensing enables premium features in the software, such as premium Layer 3
features.

Most switch families have multiple licenses that can be applied, allowing for specific
advanced features or capabilities. Once a package is chosen (fulfilling the environment’s
requirements) it can be installed on the switch and used immediately. Switches can have
unique license requirements, so please refer to the RUCKUS FastIron Software Licensing
Guide for additional license information (including stacking ports and limitations).

Revision 2212 5 ‐ 33
ICX 150 Software Upgrade and Licensing

Licensing Rules

The following licensing rules apply to all ICX devices that support Self‐
Authenticated Upgrade (SAU) software licensing:
• A license is not tied to a specific device; it can be removed from one device and
redeployed on another device
• More than one license can be installed per device concurrently
• Licensed features can be activated prior to obtaining a valid license and used for
a trial period of 45 days, based on an agreement to obtain a license
– Trial licenses for all licensed features are built into the device
– More than one trial license can be in effect at the same time, but each trial license must apply to a
unique licensed feature
– Enabling any licensed feature will activate a 45‐day trial period
– A trial license cannot replace or supersede a normal license

34 © 2022 CommScope, Inc

The Self‐Authenticated Upgrade process allows for many of the license options to be
reused by removing the feature from one switch and redeploying it in another switch. This
is convenient when replacing a failed switch or if a switch is being repurposed. Licensed
features can be installed prior to the purchase of a license; however, it will be considered a
temporary/trial license until the valid license is purchased and applied to the switch. As
mentioned, many switch families have multiple license options and all can be installed on
the switch at the same time; however, you will receive an error if the same license is
applied providing the same enablement of a feature or feature set.

Revision 2212 5 ‐ 34
ICX 150 Software Upgrade and Licensing

Installing an SAU Software License

• Enter the license install perpetual command, followed by the unit

number and the purchased license name
Syntax: license {delete|install} perpetual [unit id] [license name]
RUCKUS# license install perpetual 1 4x10gr

• Add the license serial number to the switch license installed

Syntax: license set serial [unit ID] [switch type] [license serial number]
RUCKUS# license set serial 1 icx7150 PR24235324

• You can confirm the license is installed (Priv Exec mode)

RUCKUS# show license installed
Unit License Name L3 Prem PoD Speed Ports MACsec SerialNo(L3/ICX7150) SerialNo(PoD/MACsec)
1 2X10GR Yes Yes 10G 2 NA PR24235324 NA

35 © 2022 CommScope, Inc

Introduced in FastIron release 8.0.80, SAU software license installation can be

performed using a CLI session with your switch.

Issue the license install perpetual command to add the feature to the
switch. The example installs a perpetual 4X10GR license on unit 1 (unit refers to
which unit ID in a stack config; if switch is not part of a stack config, then unit is 1).
As you can see in the syntax this command allows for deleting a license from a
switch. You’ll be prompted to accept an end‐user license agreement. The EULA is
available for viewing at
https://webresources.ruckuswireless.com/pdf/eula/icx_fastIron_software_eula.pdf.

Next, you can add the Certificate of Entitlement (CoE) serial number to the switch
using the license set serial command shown.
After these two steps are completed, run the show license installed
command to display the license name and the CoE serial number.

Revision 2212 5 ‐ 35
ICX 150 Software Upgrade and Licensing

Installing Purchased Software

License

Now let’s look at the process for installing a purchased software license for ICX
devices.

Here are a few Software Licensing terms that we’ll use throughout this section:
• Activation Code: A unique key, along with the serial number, used to generate
a CoE on the RUCKUS Support site; delivered in an email message after the
order is placed
• Certificate of Entitlement (CoE): The proof‐of‐purchase certificate issued by
RUCKUS when a license is purchased
• Licensed feature: Any hardware or software feature or set of features that
require a valid software license to operate

Revision 2212 5 ‐ 36
ICX 150 Software Upgrade and Licensing

Licensing Configuration Tasks

The following tasks must be performed in the following order

1. Order the desired license

2. Retrieve the serial number of your RUCKUS device (using the show version
command) and the license Activation Code (delivered by email)

3. Log in to the RUCKUS Support portal (https://support.ruckuswireless.com) to

generate the Certificate of Entitlement (CoE)

4. Install the SAU license on the RUCKUS device, and optionally add the CoE serial
number to the device

5. Verify that the license is installed (using the show license command)

37 © 2022 CommScope, Inc

To obtain a valid license, it will need to be ordered; this purchase results in an activation
code being sent to you. Next you will access the RUCKUS Support portal
(https://support.ruckuswireless.com) and obtain a Certificate of Entitlement which will tie
to the serial number of the switch. This CoE will contain a serial number that references
this association of license and switch, allowing you to proceed with the install of the SAU
license and adding the CoE serial number into the switch. You can then verify the install and
be able to verify the feature is enabled.

Revision 2212 5 ‐ 37
ICX 150 Software Upgrade and Licensing

Generating a Certificate of Entitlement (CoE)

The following procedure demonstrates how to generate a CoE:

1. Log into the RUCKUS support portal at https://support.ruckuswireless.com/ and

select Activate Purchase

38 © 2022 CommScope, Inc

As previously mentioned, when you purchase a license, your Activation Code is issued by
RUCKUS and is sent to you in an email message within minutes after the order is placed.
This Activation Code and the ICX switch serial number are needed to create the Certificate
of Entitlement (CoE).

After your activation code is received, you will proceed to the RUCKUS Support site at
support.ruckuswireless.com. Log in and then click on the Activate Purchase link on the
right side of the page.

Revision 2212 5 ‐ 38
ICX 150 Software Upgrade and Licensing

Generating a Certificate of Entitlement (CoE) (Cont.)

2. Enter the Activation Code received by email, and click Validate

DVW-01945912-YAK-GEM-BUS

3. Software license details appear

A. Accept the terms and conditions
B. Click Activate Purchase

39 © 2022 CommScope, Inc

The site will prompt you for your activation code which you can validate to ensure the
activation code enables the license ordered. Once verified, you’ll be prompted to accept
the terms and conditions and activate the purchased license. Upon activation, a certificate
of entitlement will be generated containing a license serial number. This serial number will
be entered when the license is being enabled on the switch via the Associating Your
License With Your Product web GUI window or via CLI.

Revision 2212 5 ‐ 39
ICX 150 Software Upgrade and Licensing

Associating Your License With Your Product

4. Step 1 of 2: Enter the serial number of the ICX device, and click Validate Serial
Number

FEA1234S08R

40 © 2022 CommScope, Inc

The site will prompt you for your activation code which you can validate to ensure the
activation code enables the license ordered. Once verified, you’ll be prompted to accept
the terms and conditions and activate the purchased license. Upon activation, a certificate
of entitlement will be generated containing a license serial number. This serial number will
be entered when the license is being enabled on the switch.

Revision 2212 5 ‐ 40
ICX 150 Software Upgrade and Licensing

Associating Your License With Your Product (Cont.)

5. Step 2 of 2: Click Register Device & Bind To License

41 © 2022 CommScope, Inc

Review the device information.

If the information is incorrect, click Change Serial Number, re‐enter the serial number of
the device, and review the information again.
If the information is correct, click Register Device & Bind To License. The screen will
refresh; you will see the License Status displayed as Pending and you’ll see a Pending
License button. When the license is available, the License Status displayed as Active, and
the Pending License button is replaced by a Download button.

Revision 2212 5 ‐ 41
ICX 150 Software Upgrade and Licensing

Displaying License Features

Use CLI to display installed licenses

RUCKUS# show license

Unit License Name L3 Premium Port Speed Upgrade Speed Ports MACsec
1 2X10GR Yes Yes 10G 2 NA

RUCKUS# show version

Copyright (c) RUCKUS Networks, Inc. All rights reserved.
UNIT 1: compiled on May 6 2022 at 23:24:50 labeled as SPS08095g
(31457280 bytes) from Primary SPS08095g.bin(UFI)
SW: Version 08.0.95gT211
Compressed Primary Boot Code size = 786944, Version:10.1.24T225 (mnz10124)
Compiled on Thu Apr 21 06:08:52 2022

HW: Stackable ICX7150-C12-POE

==========================================================================
UNIT 1: SL 1: ICX7150-C12-2X10GR POE 12-port Management Module
Serial #:FEK3237N0B4
Software Package: BASE_SOFT_PACKAGE
Current License: 2X10GR
P-ASIC 0: type B160, rev 11 Chip BCM56160_B0
==========================================================================
<Output truncated>

42 © 2022 CommScope, Inc

Once a license is loaded, you can use the show license command to view a list of
installed licenses.
Information provided in the show license output indicates if the license is a combo
license or for a specific feature. The output includes:
• The name of the license installed and for what unit
• Features of the license
• If it is a port speed license it will indicate what speed it provides
• The number of ports it is good for

The current license is also reflected in the show version output.

Revision 2212 5 ‐ 42
ICX 150 Software Upgrade and Licensing

Ports on Demand (PoD) Licensing (ICX 7150/7250)

• Ports on Demand (PoD) enables a 1Gbps port to be upgraded to a speed of 10Gbps
• PoD licensing is available for the RUCKUS ICX 7150 and 7250 devices in order to
support stacking (which requires 10Gbps speed)
• To upgrade the port speed:
1. Install the SAU PoD license
2. Configure the new port speed

43 © 2022 CommScope, Inc

An ICX 7150 and ICX 7250 must have a Ports on Demand (PoD) license installed to join a
stack because the minimum speed for ICX stacking ports is 10Gbps. A PoD license must be
obtained and installed on a port before it can be upgraded to 10Gbps. After the license is
installed, then the new link speed and mode must be manually set on the port.

Let’s take a look at an example.

Revision 2212 5 ‐ 43
ICX 150 Software Upgrade and Licensing

Installing PoD License and Configuring Port Speed

1. Generate the CoE for the PoD license you want
2. Install the SAU PoD license on the device
3. Insert the 10Gbps optical transceiver
4. Enter the speed-duplex command on a single, multiple, or an interface range
RUCKUS(config)# interface ethernet 1/2/2
RUCKUS(config-if-e10000-1/2/2)# speed-duplex 10g-full

5. Enter the write memory command to save the configuration

6. Enter the show pod command to display the PoD license configurations for all PoD ports on the switch
RUCKUS# show pod
Unit-Id: 1
PoD license capacity: 8
PoD license capacity used: 1
PoD-ports Lic-Available Lic-Used
1/2/1 Yes no
1/2/2 Yes Yes
1/2/3 Yes no
1/2/4 Yes no
1/2/5 Yes no
1/2/6 Yes no
1/2/7 Yes no
<Output truncated>
44 © 2022 CommScope, Inc

Here’s an example of installing a PoD license on an ICX device and then configuring the new
link speed and mode.

To upgrade the ports from 1Gbps to 10Gbps speed, perform these following steps.
1. Generate the CoE for the desired PoD license via the RUCKUS Support portal
(support.ruckuswireless.com).
2. Install the SAU PoD license on the ICX device. We’ve discussed installing an SAU License
previously in this presentation.
3. Physically insert the 10Gbps optical transceiver into the ICX port slot.
4. In Configuration mode, enter the speed-duplex 10g-full command on a single
interface, multiple interfaces, or an interface range on the ICX.
RUCKUS(config)# interface ethernet 1/2/2
RUCKUS(config-if-e10000-1/2/2)# speed-duplex 10g-full

Note: If the speed-duplex 10g-full command fails, a syslog message is

generated and displayed. The command will fail if there is no license available for the
port. The following example is a syslog message generated informing you about the
failure.
SYSLOG: <14>Jul 31 00:33:46 10.20.147.22 PoD: No license
present for port 1/2/2

5. Enter the write memory command to save the configuration.

Continued on next slide…

Revision 2212 5 ‐ 44
ICX 150 Software Upgrade and Licensing

Blank Notes Page

45 © 2022 CommScope, Inc

... Continued from previous slide

Result: The ports are automatically configured to 10Gbps speed.

Note: If you enable the port to 10Gbps speed, then subsequently enter the no speed‐
duplex command, the port continues to run at 10Gbps speed until the device reboots.
When the device reboots, the port reverts to 1Gbps speed.

Refer to the RUCKUS FastIron Software Licensing Guide and the RUCKUS FastIron Command
Reference Guide for complete details regarding available PoD licenses, installing the license,
and port configuration.

Revision 2212 5 ‐ 45
ICX 150 Software Upgrade and Licensing

Attendees should now be able to:

• Discuss the resources and considerations
when upgrading an ICX switch

• Discuss the Software Image Files

• Describe the simplified upgrade process

Summary
• Perform the process of verifying the current
software version

• Perform a software upgrade using both

legacy and Unified FastIron Image processes

• Describe and install Software Licensing

This concludes the Software Upgrade and Licensing presentation. You should now be able
to:
• Discuss the resources and considerations when upgrading an ICX switch (including using
the RUCKUS ICX Target Path Selection Guide to find which software version is right for
your device)
• Discuss the Software Image files
• Describe the simplified upgrade process
• Perform the process of verifying the current software version
• Perform a software upgrade using both legacy and Unified FastIron Image processes
• Describe and install Software Licensing

Revision 2212 5 ‐ 46
ICX 150 Software Upgrade and Licensing

End of Presentation:
Software Upgrade & Licensing

Thank You

This completes the presentation on software upgrade and licensing. Thank you.

Revision 2212 5 ‐ 47
ICX 150 Device Access & Management

Device Access & Management

Revision 2212

This module will introduce you to ICX device access and management.

Revision 2212 6‐1

ICX 150 Device Access & Management

After completing this module, you will be able

to:

• Describe the different methods available for

device connection including the console port,
Telnet, SSH, and Web management access

• Describe the function of the management port

Objectives
• Know how to create local user accounts and
passwords

• Describe and configure Simple Network

Management Protocol (SNMP)

• Explain SmartZone and RUCKUS Cloud ICX

Management functions

After completing this module, you will be able to:

• Describe the different methods available for device connection including the console
port, Telnet, SSH, and Web management access.
• Describe the function of the management port
• Know how to create local user accounts and passwords,
• Describe and configure Simple Network Management Protocol (SNMP)
• Explain ICX management using SmartZone or RUCKUS Cloud and describe their
capabilities

Revision 2212 6‐2

ICX 150 Device Access & Management

Access Management

Now let’s discuss access management on the ICX.

Revision 2212 6‐3

ICX 150 Device Access & Management

Access Management

There are several methods which can be used to access ICX devices:
• Serial console port
• Telnet
• SSH (Secure Shell)
• Web management GUI
• SNMP‐based management applications
• RUCKUS SmartZone and RUCKUS Cloud SmartZone
• RUCKUS Unleashed

Unleashed

RUCKUS Cloud

4 © 2022 CommScope, Inc.

There are several methods available to access ICX devices. You can use the serial console
port, Telnet, Secure Shell (SSH), or the Web management GUI.
Management applications that run SNMP version 1, 2, or 3 can also be used.
RUCKUS SmartZone, RUCKUS Cloud and RUCKUS Unleashed also include capabilities that
allow ICX switches to be managed. These RUCKUS products have been traditionally used to
manage RUCKUS Access Points, however recent versions of these services include the
ability to apply configurations to ICX devices within the application UI, as well as access
device CLI sessions directly.

Revision 2212 6‐4

ICX 150 Device Access & Management

Console Connection

• ICX devices have the following console ports

– ICX 7150, 7550, 7650 and 7850 – USB Type‐C & RJ‐45
– ICX 7450 and 7750 – Mini‐USB & RJ‐45
• Use the provided console cable to connect to a PC running terminal
emulation software

– Session parameters should be set to:

o Baud rate: 9600 bps
o Data bits: 8
o Parity: None
o Stop bits: 1
o Flow control: None

5 © 2022 CommScope, Inc.

Different ICX families of switches have different types of console ports. Within the 7000
series, you will find both mini‐USB serial ports and USB‐C ports. Most ICX platforms ship
with a DB9‐RJ45 serial console cable, however depending on the model you may receive a
USB console cable. Check the hardware datasheets for the model and SKU you are
interested in, to determine which cable will be provided.

Regardless of the ICX model, the connection parameters for the console sessions are the
same: the baud rate should be 9600 bits per second, the data bits are 8, the stop bit is 1,
and parity and flow control should be set to none.

Revision 2212 6‐5

ICX 150 Device Access & Management

Remote Access Options

• Telnet access to CLI
– NOT secure – plain text login & activity
– Can open multiple sessions
– Disabled by default in 8.0.90, enabled prior
• SSH access to CLI
– Secure – encrypted login and activity
– Can open multiple sessions
– Recommended method for CLI access
– Enabled by default in 8.0.90, disabled prior
• Web management GUI (Web GUI)
– HTTP/HTTPS access
– Secure when using HTTPS encrypted login
and activity
– Can open multiple read‐only sessions

6 © 2022 CommScope, Inc.

For remote access, you have three options:

The first method is a Telnet session. It is important to note that Telnet is not secure. It uses
plain text to transport both username and password information, as well as command
activity. Starting in release 8.0.90, Telnet is disabled by default. In previous versions it was
enabled by default.

The second method is Secure Shell (SSH). SSH provides a secure, encrypted connection for
both login and command activity. RUCKUS recommends that you use SSH for remote CLI
access. Starting in release 8.0.90, SSH is enabled by default. In previous versions it was
disabled by default.

The third method is to use HTTP or HTTPS to access the Web management GUI (Web GUI).
When using HTTPS, your connection to the GUI is encrypted, so it provides the same
security benefits as SSH does for the CLI.

Revision 2212 6‐6

ICX 150 Device Access & Management

Management IP Address

• On Layer 2 switches, the management IP address and the default gateway

are assigned globally, only one per switch
For example:
Switch(config)# ip address 192.22.33.45/24
Switch(config)# ip default-gateway 192.22.33.1

• On Layer 3 switches, each IP address is assigned at the interface level, not

at the global level
– The IP address of any interface on the router can be used for management
For example:
Router(config)# interface ethernet 1/1/9
Router(config-if-e1000-1/1/9)# ip address 192.22.33.45/24

7 © 2022 CommScope, Inc.

When setting the management IP address on a Layer 2 switch, the address is configured
globally using the ip address command, or for IPv6, using the ipv6 address
command.
Also, the default gateway can be set globally. You can configure an IPv4 and an IPv6 address
for management access.
On a Layer 3 switch running router code, each interface can be assigned an IPv4 and/or
IPv6 address, and any of the interfaces can be used for management.
Optionally, the ICX devices have an out‐of‐band management port which we will discuss on
the next slide.

Revision 2212 6‐7

ICX 150 Device Access & Management

Management Port
• ICX devices have an out‐of‐band management port (OOB) to manage devices without
interfering with in‐band ports
• Can be used for remote management, as well as downloading images and
configurations
• The following command configures the management port
– The management port number is always 1
Ruckus(config)# interface management 1

• Within a stack unit only one OOB port is active at a time (active controller)
• In prior releases (FI 08.0.40 and earlier) the OOB management port could not be a
member of any VLAN and creating a management VLAN would disable the OOB port.
However as of FI 08.0.50, if a management VLAN is configured the OOB port is
automatically part of the management VLAN (treated as an untagged port).

8 © 2022 CommScope, Inc.

The management port is an out‐of‐band port that customers can use to manage their
devices without interfering with the in‐band ports. The management port is widely used to
download images and configurations, for Telnet sessions, and for Web management. Use
the interface management 1 command to configure the port. The management
port is always numerically 1.

The following rules apply to management ports:

• Only packets that are specifically addressed to the management port MAC
address or the broadcast MAC address are processed by the Layer 2 switch or
Layer 3 switch. All other packets are filtered out.
• A packet received on the management port is not sent to any in‐band ports,
and no packets received on in‐band ports are sent to a management port.
• As of FastIron 08.0.50 OOB management ports are automatically untagged if a
management VLAN is configured.

Revision 2212 6‐8

ICX 150 Device Access & Management

Enabling & Displaying Telnet

• Enable Telnet from global CONFIG mode

Ruckus(config)# telnet server
• Disable Telnet
Ruckus(config)# no telnet server
• Display Telnet configuration and connections
Ruckus(config)# show telnet
Telnet server status: Enabled
Telnet connections (inbound):
1 established, client ip address 192.168.1.200, user is super,
privilege super-user using vrf default-vrf.

19 second(s) in idle
<Output Truncated>
• Optional features such as authentication retries, listening port, and idle
timeouts can be configured
9 © 2022 CommScope, Inc.

In previous releases the Telnet server is enabled by default. Beginning with release 8.0.90,
the Telnet server is disabled by default. The command to enable Telnet is telnet
server. This is entered in the global CONFIG mode. Use the no form of the command to
disable Telnet.
Remember to save your changes to the startup‐configuration using the write memory
command.
The show telnet command will show you the status of Telnet, the number of
connections, and client connection information.

Revision 2212 6‐9

ICX 150 Device Access & Management

SSH Support
• SSHv2 server and client functions can be performed on ICX devices

• Implementation of SSHv2 server supports four kinds of user authentication:

– DSA challenge‐response authentication
– RSA challenge‐response authentication
– Password authentication (simple request for single password)
– Interactive‐authentication (can require an arbitrary number of pieces of information from the user)

• Default SSH authentication type is RSA with 2048‐bit modulus

• Restrictions of the above authentication types as well as access filtering can be

specified

• Optional features such as authentication retries, listening port and idle timeouts
can be configured
10 © 2022 CommScope, Inc.

ICX devices support SSHv2. The implementation of SSH server supports three kinds
of user authentication:
• DSA (Digital Signature Algorithm) challenge‐response authentication, where a
collection of public keys are stored on the device. Only clients with a private
key that corresponds to one of the stored public keys can gain access to the
device using SSH server.
• RSA (Rivest‐Shamir‐Adleman) challenge‐response authentication, where a
collection of public keys are stored on the device. Only clients with a private
key that corresponds to one of the stored public keys can gain access to the
device using SSH server.
• Password authentication, where users attempting to gain access to the device
using an SSH client are authenticated with passwords stored on the device or
on a TACACS+ or RADIUS server.
• Interactive‐authentication can be used in scenarios where users are issued
challenge‐response questions, these could include username and password as
well as RSA token ID
You can adjust the following SSH server settings on the device:
• Number of SSH server authentication retries
• User authentication method the device uses for SSH server connections
• Whether or not the device allows users to log in without supplying a password
• Port number for SSH server connections
• SSH server login timeout value (by default 120 seconds)
• A specific interface to be used as the source for all SSH server traffic from the
device
• Maximum idle time for SSH server sessions (by default SSH sessions will time
out after 5 minutes)
• Disable 3‐DES support

Revision 2212 6 ‐ 10
ICX 150 Device Access & Management

Enable/Disable SSH

• SSH can be disabled at the Global CONFIG level:

– Syntax: crypto key zeroize [rsa | dsa]
– Use rsa or dsa to delete a specific key. If not specified, both are deleted.

• SSH can be re‐enabled with:

– Example: Ruckus(config)# crypto key generate rsa modulus 2048
– Syntax: crypto key generate [ dsa | rsa [ modulus key-size ] ]
– Modulus: 1024 or 2048

11 © 2022 CommScope, Inc.

Beginning with release 8.0.90, the SSH server is enabled on an ICX device by default. The
default authentication type is RSA with 2048 bit modulus. The SSH server can be disabled
by entering the crypto key zeroize command at the global CONFIG level.

If disabled, SSH can be re‐enabled using the crypto key generate command
followed by the algorithm (DSA or RSA) and the modulus, which can be 1024 bits or 2048
bits.

Revision 2212 6 ‐ 11
ICX 150 Device Access & Management

SSH Authentication
• Authentication takes place by either sharing the generated key, or by client
password challenge
– Password challenge requires that AAA be configured for “local” login, and a
matching username and password created on the device. The following is the
default configuration in release 8.0.90:
Ruckus# show run | include aaa
aaa authentication web-server default local
aaa authentication login default local

Ruckus# show run | include username

username super password .....

– Additional users can be configured with the following command:

Ruckus(config)# username icx-admin priv 0 password Testpwd

12 © 2022 CommScope, Inc.

Authentication takes place by either sharing the generated key, or by client password
challenge. On an ICX running firmware version 8.0.90 and later, booted from a factory
default configuration, the user super is created. The default password for this user is sp‐
admin. This password is required to be changed on initial login to the device. The show
run output here shows that the web‐server and device login now require a local user
account to permit access. There is also a username entry for the default username of
super.

In releases prior to 8.0.90, the password challenge method required you to manually
configure AAA for “local” login, as well as configure a matching username and password on
the device. Users are created at the global CONFIG level.

In the example shown in the final output, a user named icx‐admin with a privilege level and
password of “Testpwd” have been defined. Note that the privilege of 0 creates a Super
User account. We will discuss privilege levels later in the presentation.

Revision 2212 6 ‐ 12
ICX 150 Device Access & Management

Displaying SSH Configuration

Use the show ip ssh config command to verify SSH configuration
Ruckus(config)# show ip ssh config Default SSH Port
SSH server : Enabled and authentication
SSH port : tcp\22
Host Key : RSA 2048
Encryption : aes256-cbc, aes192-cbc, aes128-cbc, aes256-
ctr, aes192-ctr, aes128-ctr, 3des-cbc
Permit empty password : No
Authentication methods : Password, Public-key, Interactive
Authentication retries : 3 Authentication
Login timeout (seconds) : 120
Idle timeout (minutes) : 5 methods configured
Strict management VRF : Disabled
SCP : Enabled
SSH IPv4 clients : All
SSH IPv6 clients : All
SSH IPv4 access-group : 12 ACL 12 is configured and
SSH IPv6 access-group : applied to SSH access
SSH Client Keys :
Client Rekey : 0 Minute, 0 KB
Server Rekey : 0 Minute, 0 KB

13 © 2022 CommScope, Inc.

The show ip ssh config command displays the status of the SSH server, either
enabled or disabled, as well as the TCP port being used. The default SSH port is 22.

Next, you will see the type of host key being used, the default is RSA 2048, and the types of
encryption being used. This example shows all the default encryption types.
Then we see the authentication information, including the methods being used, and the
number of retries. Also shown are any IPv4 or IPv6 ACLs applied to SSH access. Here we see
ACL 12 has been applied.

Revision 2212 6 ‐ 13
ICX 150 Device Access & Management

Web Management

• By default, HTTP access to the Web GUI is enabled on all ICX devices

• HTTP access can be disabled:

Ruckus(config)# no web-management http

• For enhanced security HTTPS can be enabled (recommended)

Ruckus(config)# web-management https

• Web management can be limited only to specific VLAN

Ruckus(config)# web-management enable vlan 10
– The example limits web access to VLAN 10
14 © 2022 CommScope, Inc.

By default, HTTP access to the Web GUI is enabled. This method of management can be
disabled with the no web-management http command.

We recommend that you enhance security if you are going to utilize Web Management and
enable HTTPS access using the same web-management command followed the https
parameter.

Additionally, Web GUI access can be restricted to a specific VLAN with the web-
management enable vlan command followed by the VLAN ID, which will be the only
VLAN to allow access.

Revision 2212 6 ‐ 14
ICX 150 Device Access & Management

Web Management Configuration

• With the 8.0.90 release, by default, the Web GUI uses local user accounts
for access

• The following is the default configuration:

Ruckus# show run | include aaa

aaa authentication web-server default local
aaa authentication login default local

Ruckus# show run | include username

username super password .....
username icx-admin password .....
15 © 2022 CommScope, Inc.

Beginning with release 8.0.90, the default method of accessing the Web GUI is logging in
with the default user: super. As you can see in the output AAA authentication is enabled for
the web‐server and uses local accounts. The second output shows the default user that is
configured on a factory default ICX. Additional local users can be created to allow other
forms or access. Local users will be covered later in this presentation.

Revision 2212 6 ‐ 15
ICX 150 Device Access & Management

Using the Web Management Interface

R: 0 Be sure to reference the RUCKUS FastIron Web Management

G:178
B:80 Interface User Guide for your release for a full list of features,
#00B250 capabilities, and limitations.
16 © 2022 CommScope, Inc.

Once configured, administrators can utilize the Web Management Interface to view device
information and statistics, as well as make configuration changes. However, be aware that
the configuration options available via Web Management are typically a limited subset of
the configuration options that you would have when accessing devices via command line.
Make sure to reference the FastIron Web Management Interface User Guide for your
release to understand the limitations.

Revision 2212 6 ‐ 16
ICX 150 Device Access & Management

Privilege EXEC Passwords

• By default, passwords are not assigned to the Privileged EXEC (enable) level
– Allowing super‐user access to all commands and settings
• Four levels of authorization can be assigned to a user’s Privileged EXEC access
– Permissions depend on which password is entered
• The four levels are:
– Super User: Complete read and write access to the system
o Generally reserved for system administration
o This is the only level that that allows password configuration
o Must be set before any other passwords can be set
– Port Configuration: Read and write access for interface configuration but not for global parameters
o The user can also use show commands
– Read‐only: Access to Privileged EXEC mode, but only with read access
o No configuration is allowed at this access level
– Cloud User: Read‐only access to show commands. Used in RUCKUS Cloud ICX Management
o The user can use show commands such as show logging

17 © 2022 CommScope, Inc.

By default, the CLI Privilege EXEC mode is not protected by passwords. Do not confuse this
with device authentication. Device authentication allows you to communicate with the CLI
in User EXEC mode. The enable password is used to restrict what you can do once you have
access. To secure enable access, you need to assign passwords. There are four types of
passwords that can be created, each giving different levels of access. The four levels are
Super User, Port Configuration, Read‐Only, and Cloud‐Only. Super User can be considered
administrative access, with complete read and write access to the system. This is the only
level that that allows password configuration, and it must be set before any other
passwords can be created.
• Port Configuration allows for read and write access for interface configuration but
not for global parameters. This user can also use show commands.
• Read‐only allows access to Privileged EXEC mode, but only with read access.
• Cloud User allows for use of show commands, including logging commands. This is
not unlike read‐only access previously described and is used in cases of cloud
management.

Revision 2212 6 ‐ 17
ICX 150 Device Access & Management

Configuring Privilege EXEC Passwords

• Passwords may be up to 60 characters in length and are case sensitive, for example:
– Super User
Ruckus(config)# enable super-user-password AdM1naCCe$$
– Port Configuration
Ruckus(config)# enable port-config-password P0rta((es$
– Read‐only
Ruckus(config)# enable read-only-password Re@daC(e$s
– Cloud‐only
Ruckus(config)# enable cloud-only-password Cl0ud@cce55
• If a password has not been set, a warning is displayed
RUCKUS> enable
No password has been assigned yet...
Syntax: enable [super-user-password | read-only-password | port-config-
password | cloud-only-password] <text>
18 © 2022 CommScope, Inc.

Passwords can be up to 60 characters long and are case sensitive. Here we have examples
of each type of password. Once a password, or passwords, are configured and you go from
User EXEC mode to Privilege EXEC mode using the enable command, you will be prompted
for a password. And depending on which password you enter, you will be provided with
that type of access. If a password has not been created, you will see a message that no
password has been assigned yet.

Syntax: enable [super-user-password | read-only-password | port-

config-password] <text>

Revision 2212 6 ‐ 18
ICX 150 Device Access & Management

User Access Control

• Up to 32 local user accounts can be created to allow access to management functions
including:
– Telnet and SSH connections
– Web management GUI
– SNMP access

• You can assign a username a password, or use the nopassword parameter when
creating the user account

• A Privilege EXEC level can be assigned for each user account

–0 = Super User
– 4 = Port Configuration
– 5 = Read‐only
– 6 = Cloud‐User
Ruckus(config)# username PortConfig privilege 4 password KLMpwd
Ruckus(config)# username No-Changes privilege 5 nopassword
19 © 2022 CommScope, Inc.

The system also allows for the creation of up to 32 local user accounts.
Usernames can be up to 48 characters in length. Local user accounts provide greater
flexibility for controlling management access to RUCKUS devices than do management
Privilege EXEC (enable) passwords and SNMP community strings. You can continue to use
the Privilege EXEC passwords and the SNMP community strings as additional means of
access authentication.

You can assign each user a password using the password parameter followed by the
password string. Passwords can be up to 48 characters.
You can also use the nopassword parameter to allow the user to log in without providing
a password. Optionally, you can assign each username a Privilege EXEC level as discussed
previously. If a privilege level is not specified, the user defaults to Super User.

Revision 2212 6 ‐ 19
ICX 150 Device Access & Management

Controlling Access

• Use the following commands to restrict SNMP, Telnet, SSH or Web GUI
access to a single IP address:

Ruckus(config)# snmp-client 209.157.22.14

Ruckus(config)# telnet client 209.157.22.26
Ruckus(config)# ssh client 209.157.22.27
Ruckus(config)# web-client 209.157.22.12

• Or use the all-client command to restrict access for all of the above

Ruckus(config)# all-client 209.157.22.69

20 © 2022 CommScope, Inc.

Once remote access is enabled for SNMP, Telnet, SSH, or the Web GUI, you can restrict
access to a specific IP addresses. Enter up to 10 different IP addresses per service. You must
enter the command for each address. Optionally, you can use the all-client command
to restrict access for all four services.

Note: Beginning with FastIron 08.0.60 administrators can specify management services to
exclude from inband or out‐of‐band ports. From global config issue the management
exclude command followed by which service you want to exclude followed by the
interface type inband or oob. Service options include:

‐all
‐http (router image only)
‐ipv6ra
‐ntp (router image only)
‐ssh (router image only)
‐telnet (router image only)

Syntax: management exclude [all | http | ipv6ra | ntp | ssh |

telnet] [inband | oob]

Revision 2212 6 ‐ 20
ICX 150 Device Access & Management

Access Filtering
• Telnet, SSH and SNMP access can be limited to specific client source IP
addresses using Access Control Lists (ACL)

– Create an ACL
RUCKUS(config)# ip access-list standard 19
RUCKUS(config-std-ipacl-19)# permit host 10.157.10.26 log
RUCKUS(config-std-ipacl-19)# deny 10.157.10.0 0.0.0.255 log
RUCKUS(config-std-ipacl-19)# deny 10.157.20.0/24 log
RUCKUS(config-std-ipacl-19)# permit any

– Apply the ACL to access service or port

RUCKUS(config)# interface ethernet 1/1/1
RUCKUS(config-if-e1000-1/1/1)# ip access-group 19 in
RUCKUS(config)# ssh access-group 19
RUCKUS(config)# snmp-server community private rw 12
21 © 2022 CommScope, Inc.

You can also limit access to the remote access services using a Standard ACL.
First create the ACL with the IP addresses or subnets you want to restrict access to, then
apply the ACL to the service (SSH, Telnet, SNMP, or Web GUI).
Remember that ACLs have an implicit deny at the end, dropping packets that do not match
the previous permit statements.

In this example, we have configured the deny statement with the log parameter allowing
us to capture any attempts from unauthorized client source addresses.

Revision 2212 6 ‐ 21
ICX 150 Device Access & Management

Password Recovery

• Recovering from a lost password requires direct access to the serial port
and a system reset
– This procedure can only be accomplished from the console port

• To recover from a lost password:

1. Start a CLI session over the serial interface on the device, and reload the
device by cycling its power
2. From the CLI established session you will see the initial boot sequence
during system startup
3. Enter “b” to enter the boot monitor mode

22 © 2022 CommScope, Inc.

Recovering from a lost password requires direct access to the console port and a system
reset. To recover from a lost password, start a CLI session over the console interface, and
manually power‐cycle the device. From the CLI established session you will see the initial
boot sequence during system startup. Enter “b” to enter the boot monitor mode.

Revision 2212 6 ‐ 22
ICX 150 Device Access & Management

Password Recovery (cont.)

4. Enter no password at the prompt
ICX7150-Boot> no password
OK! Skip password check when the system is up.
– This command will bypass the system password check once and cannot be
abbreviated (this will not erase any existing passwords)
5. Boot the system
ICX7150-Boot> boot
device 0 offset 0x0, size 0xc0000
BOOTING image from Primary
<Output Truncated>
RUCKUS>
6. Once the console prompt reappears, enter configuration mode and assign a
new password
7. Save the new password using write memory
23 © 2022 CommScope, Inc.

At the boot monitor prompt, enter the no password command. This command will
bypass the system password check once and cannot be abbreviated (this will not erase any
existing passwords).

Next, issue the boot command. Once the console prompt reappears, enter global CONFIG
mode and assign a new password. Finally, use the write memory command to save the
new password. If you do not save the new password, the next login session will revert to
the old password.

Note: In releases prior to 8.0.90 it is necessary to indicate which flash to boot from with
the boot system flash [primary | secondary] command.

Revision 2212 6 ‐ 23
ICX 150 Device Access & Management

Simple Network Management

Protocol (SNMP)

Our next topic is Simple Network Management Protocol (or SNMP).

Revision 2212 6 ‐ 24
ICX 150 Device Access & Management

SNMP Management Applications

• ICX devices can be managed by the RUCKUS SmartZone Network Controller,

RUCKUS Cloud, or third‐party management applications which support SNMP
v1/v2 or SNMPv3
• SNMP v1/v2c, prior to release 8.0.90
– By default, when an ICX device is configured as an SNMP server, the read‐only (RO)
community string is set to public
– Read‐write (RW) access is only permitted when a RW community string is explicitly
configured
– Multiple read‐only and read‐write community strings can be created
• SNMP v1/v2c, release 8.0.90 (and later) defaults
– By default, the SNMP server is enabled
– There are no pre‐configured community strings
– Multiple read‐only and read‐write community strings can be created
25 © 2022 CommScope, Inc.

ICX devices can be managed by the RUCKUS SmartZone network controller or third‐party
management applications as long as they support SNMP version 1, 2, or 3. SNMP is a set of
protocols for managing complex networks. SNMP sends messages called protocol data
units (PDUs), to different parts of a network. SNMP‐compliant devices, called agents, store
data about themselves in Management Information Base (MIBs) and return this data to the
SNMP requesters. MIBs for RUCKUS ICX products can be found within the RUCKUS FastIron
MIB Reference Guide at support.ruckuswireless.com

SNMPv1 or v2 uses a community‐based security approach with different community strings

(think passwords) for read‐only and read‐write access.
You can assign other SNMP community strings and indicate if the string is read‐only or
read‐write. Community strings can be configured as encrypted or clear. By default, the
string is encrypted.

Note: ICX management using the SmartZone Network Controller was first introduced in
SmartZoneOS 5 and ICX firmware version 08.0.80.

Note: As of December 2022, ICX management using the RUCKUS Cloud requires a
minimum ICX firmware version of 08.0.90d.

Revision 2212 6 ‐ 25
ICX 150 Device Access & Management

SNMP Management Applications (cont.)

• SNMPv3
– Defined in RFCs 3411 to 3415
– More secure than SNMPv1 and SNMPv2c
– Provides secure access to devices by authenticating and encrypting packets
over the network
– The security features provided in SNMPv3 include:
o Encryption of protocol data units (PDUs)
o Authentication of the users sending the PDUs
o Specify users access to tables in a read‐only, read‐write, or notify role
o The creation of views and associating user groups to various views
o Communication with both authentication and encryption

26 © 2022 CommScope, Inc.

SNMP version 3 made significant improvements in security and manageability by

introducing three major concepts:
• The first is the User‐Based Security Model or USM. Instead of having generic
group keys as with version 2, version 3 allows you to define individual
username/password combinations for user authentication. You can optionally
enable encryption. The standard also defines timeliness checks. Since SNMP
messages are often time‐critical, making sure that messages are current is
important for accuracy of information.
• The second is the Transport Security Model or TSM which uses the Public Key
Infrastructure for access authentication and encryption. PKI uses certificates to
identify devices, and those certificates must be generated and managed by a
Certificate Authority. TSM provides the same benefits as USM, using
certificates rather than username/password strings.
• Finally, version 3 introduced the concept of View‐Based Access Control. The
administrator can group specific MIB objects into views, then use groups to
define who can access a view or set of views. For each group, you can specify
an action of read‐write or read‐only.

Revision 2212 6 ‐ 26
ICX 150 Device Access & Management

SNMPv1/v2 Configuration

We’ll begin with the configuration of SNMPv1/v2.

Revision 2212 6 ‐ 27
ICX 150 Device Access & Management

Configuring SNMP v1/v2

• Configure SNMP by configuring community strings

– Strings can be up to 32 characters
– Specify whether the string is read‐only (ro) or read‐write (rw)

• Examples:
– Configure the read‐only community string of lookaccess
Ruckus(config)# snmp-server community lookaccess ro

– Configure a read/write community string of allaccess

Ruckus(config)# snmp-server community allaccess rw

28 © 2022 CommScope, Inc.

To configure version 1 and 2, you need to set up community strings using the snmp-
server community command, followed by the community string which can be up to
32 characters long. Then, specify if the string is read‐only using the ro parameter, or read‐
write using the rw parameter.

Beginning with release 8.0.90, there are no default read‐only or read‐write community
strings. You can configure as many read‐only and read‐write community strings as you
need. The number of strings you can configure depends on the memory available on the
device. There is no practical limit.

Note: SNMP server is enabled by default, but there are no community strings configured.
As such there will be no SNMP v1/2 access to the device until strings are created.

Revision 2212 6 ‐ 28
ICX 150 Device Access & Management

SNMP Server Parameters

• Specify an SNMP trap receiver

– Host that receives SNMP notifications of events
Ruckus(config)# snmp-server host 10.2.2.2 version v2c community

• Traps for specific events can be disabled

Ruckus(config)# no snmp-server enable traps trap_name

• Change the holddown time for SNMP traps

– The delay after startup before an ICX device begins sending traps, allowing L2/L3
protocol convergence
Ruckus(config)# snmp-server enable traps holddown-time time
DECIMAL <1..600> Seconds
– Default: 60 seconds

29 © 2022 CommScope, Inc.

You can specify a trap receiver to ensure that all SNMP traps sent by the RUCKUS device go
to the same host, or multiple hosts, on the network.

This is done with the snmp-server host command. In the command you specify a
host, the SNMP version and additional information specific to the version selected.
All traps are enabled by default. However, specific traps can be disabled, if desired. Specific
traps are disabled with the no snmp-server enable traps command, followed by
the desired trap to be disabled. The traps vary based on whether the device is running
switch or router code.

Finally, you can modify the holddown timer for traps to be sent after the device starts up.
This allows the configured Layer2 and Layer3 protocols to converge before traps are sent.
This is meant to allow network stability before sending messages to remote devices. To
adjust the holddown timer from the default of 60 seconds use the snmp-server
enable traps holddown-time command followed by the time in seconds, ranging
from 1 to 600 seconds.

Note: When you have a stack of eight or more units, you must increase the trap hold‐down
time from the default (60 seconds) to five minutes (300 seconds). This will prevent the loss
of initial boot traps.

Details about all of the configurable options for each of these commands can be found in
the RUCKUS FastIron Management Configuration Guide.

Revision 2212 6 ‐ 29
ICX 150 Device Access & Management

Displaying SNMP Settings

Ruckus(config)# show snmp server
Status: Enabled
Contact: TAC Support 1-800-555-4357
Location:
Community(ro): ..... Configured community
Community(rw): .....
Max Ifindex per module: 64 strings are encrypted
Traps
Cold start: Enable
Link up: Enable
Link down: Enable
Authentication: Enable
Power supply failure: Enable
Fan failure: Enable
Fan speed change: Enable Default trap status
Module inserted: Enable
Module removed: Enable
Redundant module state change: Enable
Temperature warning: Enable
STP new root: Enable
STP topology change: Enable
MAC notification: Enable Configured trap receivers
MAC-AUTH notification: Enable
VSRP: Enable
MRP: Enable
UDLD: Enable
link-oam: Enable
syslog: Disable
entity-cfg-change: Enable
Total Trap-Receiver Entries: 1
Trap-Receiver IP-Address Version Port-Number Comm-or-Security
1 10.255.243.60 v1 162 .....

30 © 2022 CommScope, Inc.

Use the show snmp server command to view if community strings are configured.
Remember community strings are encrypted by default, so it will likely only display as dots,
unless you have utilized the enable password-display command. You can also
see a list of all traps. This example is of from an ICX device running switch code. Different
traps will be included in the router codes. You can also see any IP addresses of trap
receivers, if they are configured.

Revision 2212 6 ‐ 30
ICX 150 Device Access & Management

SNMPv3 Configuration

Now we will look at configuring SNMP version 3.

Revision 2212 6 ‐ 31
ICX 150 Device Access & Management

SNMPv3 Configuration Steps

1. Define engine ID (optional, otherwise default ID will be used)

2. Create Views
• Include or exclude OIDs for MIB objects
3. Create Groups
• Assign views to groups
• Authentication method
• Encryption
4. Define Users
• Assign to group
• Authentication method
• Encryption

32 © 2022 CommScope, Inc.

To configure SNMP version 3, follow these steps:

1. First, you can optionally define a non‐default engine ID.
2. Then, create your views. You need to have a MIB browser or a list of OIDs available
in order to configure the views. Note: To obtain a listing of OIDs for ICX devices,
consult the RUCKUS FastIron MIB Reference Guide for your specific release.
3. Next, create the groups and assign the views you want available to each group.
4. Finally, define the SNMP users. You can use both the User‐based Security Model and
the Transport Security Model. You’ll need to define the authentication method,
optionally enable encryption, and assign the user to a group.

Revision 2212 6 ‐ 32
ICX 150 Device Access & Management

Define Engine ID

• During system start up, a default engine ID is generated

Ruckus(config)# show snmp engineid
Local SNMP Engine ID: 800007c703d4c19e1f31db
Engine Boots: 32
Engine time: 57498
Engine uptime: 1 hour(s) 35 minute(s) 49 second(s)

• Use the following command to change the default engine ID, used by
SNMPv3
– The local parameter indicates that engine ID to be entered is the ID of this device,
representing an SNMP management entity
Ruckus(config)# snmp-server engineid local 800007c70300e05290ab60

33 © 2022 CommScope, Inc.

A default engine ID is generated during system startup. To determine the default engine ID
of the device, enter the show snmp engineid command and find the line that begins
with “Local SNMP Engine ID”.

Once you have located the engine ID, use the snmp-server engineid local
command reconfigure it. The engine ID must be entered as HEX with an even number of
characters.

It is important to note that if the engine ID is changed after users have been created, those
users must be reconfigured after setting the new engine ID.

Revision 2212 6 ‐ 33
ICX 150 Device Access & Management

Creating Groups, Users, and Views

The OID structure is a tree. If you include an object with sub‐branches,

those sub‐branches will also be included in the view

SNMP MIB Object Tree

View name:
All IP Information

View name:
All Interface
Information

View name:
Traffic Counters

34 © 2022 CommScope, Inc.

Let’s look at how users, groups, and views fit together.

A view is a list of SNMP Object Identifiers, or OIDs. The administrator determines which of
the OIDs to place into a view.

The OID structure is a tree, so if you include an object with sub‐branches, those sub‐
branches will also be included in the view.

The understanding of SNMP OIDs is critical to the implementation of SNMP v3, but OIDs
are an advanced topic and therefore beyond the scope of this course.

Revision 2212 6 ‐ 34
ICX 150 Device Access & Management

Defining Views

• SNMP views are named groups of

MIB objects, associated with users
to allow limited access for viewing, View (Support1)
modification of SNMP statistics, Include system
Exclude system.2
and system configuration
• Configure SNMP views, using
the following commands:

Ruckus(config)# snmp-server view Support1 system included

Ruckus(config)# snmp-server view Support1 system.2 excluded

Syntax: [no]snmp-server view viewname mib_tree {included |

excluded}

35 © 2022 CommScope, Inc.

SNMP views are named groups of MIB objects to be associated with users to allow limited
access for viewing and modifying SNMP statistics and system configuration.
To create a view, use the snmp-server view command followed by the viewname
and mib_tree parameters.

The viewname is what you want to name the view administratively, while the MIB subtree
parameter can be specified as a name or as an OID. The MIB subtree defined will target a
specific set of objects, you then specify if you want to included or exclude the MIB in the
view.

If you include a tree, but do not want some of the objects (or branches) within that tree,
you can use the excluded parameter for those objects.

Revision 2212 6 ‐ 35
ICX 150 Device Access & Management

Defining Groups

• Groups map users to views Group: Read All

– For each group, you can configure NetAdmins
Write View
a read view, a write view, or both View (Support1)
– Users mapped to a group will use Include system
Exclude system.2
the views for access control
• Configure an SNMP group,
using the following command

Ruckus(config)# snmp-server group NetAdmins v3 auth read all

write Support1

Syntax: [no] snmp-server group groupname { v1 | v2c | v3 { auth | noauth |

priv } } [ access {standard-ACL-id | ipv6 ipv6-ACL-name } ] [ read
viewname ] [ write viewname ]

36 © 2022 CommScope, Inc.

A group is a list of views. You can have one or more views per group, and you can use the
same view in multiple groups.
The v1 , v2c , or v3 parameter indicates which version of SNMP is used. In most cases,
you will be using v3, since groups are automatically created in versions 1 and 2 through
community strings.

The auth or noauth parameter determines whether or not authentication will be

required to access the supported views. If auth is selected, then only authenticated
packets are allowed to access the view. Selecting noauth means that no authentication is
required to access the specified view. Selecting priv means that an authentication
password will be required from the users.

The access standard-ACL-id parameter is optional. It allows incoming SNMP

packets to be filtered based on the standard ACL attached to the group. IPv6 ACLS can be
applied with the ipv6 ipv6-ACL-name option.

The read viewname or write viewname parameter is optional. It indicates that

users who belong to this group have either read or write access to the MIB. The
viewname variable is the name of the view to which the SNMP group members have
access. If no view is specified, then the group has no access to the MIB. The value of
viewname is defined using the snmp-server view command discussed previously.
The SNMP agent comes with the default view of all, which provides access to the entire
MIB; however, it must be specified when creating the group. The all view also allows
SNMPv3 to be backwards compatible with SNMPv1 and 2.

Revision 2212 6 ‐ 36
ICX 150 Device Access & Management

Defining Users

• Create SNMP users and map the user Group: Read All
to the group NetAdmins
– Define the type of authentication for Write View
View (Support1)
SNMP access Include system
User
– Specify the type of encryption to encrypt Exclude system.2
the privacy password
Users (bob)
– Users mapped to a group will use the
views for access control
• Configure an SNMP user, using the following command
Ruckus(config)# snmp-server user bob NetAdmins v3 access
2 auth md5 bobmd5 priv des bobdes

Syntax: [no] snmp-server user name groupname v3 [ [ access standard-ACL-

id ] [ [ encrypted ] [auth md5 md5-password | sha sha-password ] [
priv [ encrypted ] des des-password-key | aes aespassword-key ] ] ]

37 © 2022 CommScope, Inc.

The next step is to create SNMP users and map them to the groups. Use the snmp-
server user command followed by the username and the groupname, and the v3
parameter.

The access standard-ACL-id parameter is optional. It indicates that incoming

SNMP packets are filtered based on the ACL attached to the user account.

The encrypted parameter means that the MD5 or SHA password will be a digest value.
MD5 has 16 octets in the digest. SHA has 20. The digest string must be entered as a
hexadecimal string. In this case, the agent need not generate an explicit digest. If the
encrypted parameter is not used, the user is expected to enter the authentication
password string for MD5 or SHA. The agent will convert the password string to a digest, as
described in RFC 2574.

The auth md5 or sha parameter is optional. It defines the type of encryption that the
user must have to be authenticated.

The md5-password and sha-password define the password the user must use to be
authenticated. These password have a minimum of 8 characters.

The priv [encrypted] parameter is optional after you enter the MD5 or SHA
password. The priv parameter specifies the encryption type (DES or AES) used to
encrypt the privacy password. If the encrypted keyword is used, either enter des
followed by a 16‐octet DES key in hexadecimal format, or enter aes followed by the AES
password key.

Revision 2212 6 ‐ 37
ICX 150 Device Access & Management

ICX Management with

SmartZone and RUCKUS Cloud

Finally, let’s discuss ICX management within RUCKUS SmartZone and RUCKUS Cloud.

Revision 2212 6 ‐ 38
ICX 150 Device Access & Management

ICX Management with SmartZone Overview

• Single pane of glass
– On‐site (or hosted) management solution designed for managing the ICX 7000‐series
switches
– Modelled after SZ‐based controller solution of RUCKUS APs

• ICX devices can onboard to the controller based on DHCP discovery or

manual configuration

• Key Features
– Switch inventory and management – Switch Config file – Backup & Restore
– Switch Firmware updates – Clustering and High availability
– Automated Switch configurations – Stack creation
– Network health monitoring & alarms
39 © 2022 CommScope, Inc.

RUCKUS SmartZone provides a single pane of glass view for managing RUCKUS ICX switches
and access points. Within SmartZone, ICX management is UI driven and designed to
provide the same look and feel as Access Point Management, helping to bridge the gap
between administrators who are familiar with managing access points but maybe not
switches. An ICX device can discover the SmartZone network controller though automated
methods or manual configuration. Once onboarded, SmartZone can monitor, manage and
configure ICX devices. Beginning with SmartZone 6.0 ICX devices with non‐default
configurations can also be onboarded.

Some of the key features include:

• Switch inventory and management
• Performing Switch firmware updates
• Automated switch configurations
• Network health monitoring & alarms
• Switch Config file – Backup & Restore
• Clustering and High availability
• Hierarchical switch groups
• And more

Revision 2212 6 ‐ 39
ICX 150 Device Access & Management

Connecting to SmartZone Network Controller

• ICX connects to SmartZone using one of the following methods:
– Switch Registrar discovery
– Learned through DHCP Option 43
– Statically configured active (or backup) list of SmartZone network controllers

• Configuration commands
– Active List of SmartZone controllers
Ruckus(config)# manager active-list IP-address1 [IP-address2] [IP-address3]
– Backup List of SmartZone controllers
Ruckus(config)# manager backup-list IP-address1 [IP-address2] [IP-address3]
– Disable SmartZone management
Ruckus(config)# manager disable
– Disconnect from current SmartZone controller
For more information about ICX management in
Ruckus# manager disconnect
SmartZone check out the RASZA 220 ICX Management
SZ Disconnect initiated…
course in CommScope University.
40 © 2022 CommScope, Inc.

The ICX switch will attempt SmartZone discovery via the following methods:
• Switch Registrar discovery
• SmartZone IP addresses received through DHCP Option 43
• SmartZone IP addresses configured on the ICX switch using the manager
active-list or manager backup-list commands

We’re not going to outline the rules for each of these discovery methods within this
course. For more information on the discovery processes, requirements, and configurations
check out our RASZA 220 ICX Management track on CommScope University. In that course
we go through onboarding of ICX devices as well as management capabilities in SmartZone
6.0.

You can manually configure an active list of SmartZone controllers with the manager
active-list command followed by up to three SmartZone controller IP addresses. You
can optionally define a backup List of SmartZone controllers with the manager backup-
list command followed by up to three SmartZone controller IP addresses. Backup
addresses are only attempted after active addresses have failed.
You can disable SmartZone management completely with the manger disable
command.
And you can disconnect from the currently connected SmartZone controller with the
manager disconnect command. This would be used in cases where you change
which controller you want managing the ICX device. Also note that the manager
disconnect command is run from privileged EXEC mode, not global config like the
others.

NOTE: On ICX 7250, 7450 and 7750 models you must run the non-tpm-switch-cert-
validate command before your device will onboard to SmartZone.

Revision 2212 6 ‐ 40
ICX 150 Device Access & Management

Displaying SmartZone Connection Status

Ruckus# show manager status
============ MGMT Agent State Info ===================
Config Status: None Operation Status: Enabled
State: SSH CONNECTED Prev State: SSH CONNECTING Event: NONE
SWR List : None
Active List : 192.168.1.52, 192.168.1.51
DHCP Option 43 : No
DHCP Opt 43 List : None
DNS Entry : No
DNS IP : None
Backup List : None
Merged List : 192.168.1.52, 192.168.1.51
Switch registrar host: sw-registrar.ruckuswireless.com
Switch registrar discovery retry count: 551

SZ IP Used : 192.168.1.51
Port List : 987
Query Status : Response Received

SSH Tunnel Status - :

Tunnel Status : Established
CLI IP/Port : 127.255.255.253/42023
SNMP IP/Port : 127.255.255.254/37722
Syslog IP/Port : 127.0.0.1/20514
HTTP SERVER IP/Port: 127.255.255.252/51568
HTTP CLIENT IP/Port: 127.0.0.1/5080
Timer Status : Not Running
41 © 2022 CommScope, Inc.

The show manager status command displays various details about the management
connection. This includes the state, highlighted here. It also shows all known SmartZone
controllers, whether learned through statically defined active and standby lists, as well as
any learned through DHCP option 43. Lastly, it shows the status of all of the tunnels used to
manage the ICX device.

Revision 2212 6 ‐ 41
ICX 150 Device Access & Management

ICX Management with RUCKUS Cloud Overview

• Cloud‐hosted management solution designed for managing the ICX 7000‐

series switches

• As of creation of this presentation (December 2022) RUCKUS Cloud

supports onboarding ICX devices with existing configurations

• Key Features
– Switch inventory and management – Stack management
– Automated Switch configurations – CLI configuration changes
– Network health monitoring & alarms
– Client Visibility

42 © 2022 CommScope, Inc.

RUCKUS Cloud also provides a single pane of glass view for managing RUCKUS ICX switches
and access points. At the time of creating this course, RUCKUS Cloud supports onboarding
of ICX devices with existing configurations. It is worth mentioning that there is not 100%
feature parity between SmartZone and Cloud when it comes to ICX management. With
each Cloud release more features are being added. Reference the latest RUCKUS Cloud User
Guide for supported ICX firmware and models, as well as RUCKUS Cloud features and
capabilities.

Some of the key features include:

• Switch inventory and management
• Automated switch configurations
• Network health monitoring & alarms
• Client visibility
• Stack management
• CLI Configuration changes

Revision 2212 6 ‐ 42
ICX 150 Device Access & Management

Connecting to RUCKUS Cloud

• RUCKUS Cloud requires ICX devices to have internet connectivity to the

cloud instance for your region
– Regions include US, EU and APAC
– Firewalls must be open to Region URLs and TCP ports for HTTPs and SSH

• Supported platforms include ICX 7150, 7550, 7650, and 7850 running
8.0.90d or later (as of December 2022)

• Serial number of ICX is required

• Cloud connection status can be obtained via LED indicator or use of

show manager status For more information on ICX management in RUCKUS
commands Cloud check out the CLD 200 ‐ RUCKUS Cloud Online
Training in CommScope University.
43 © 2022 CommScope, Inc.

Connection of an ICX switch into RUCKUS Cloud requires the target switch to have internet
connectivity. If you have firewalls or ACLs configured, you must ensure that region‐specific
Cloud URLs and the required ports for Cloud management are open. The Cloud instance
then only needs the serial number of the device to begin the process.

As of December 2022, RUCKUS Cloud supports ICX 7150, 7550, 7650, and 7850 devices
running FastIron 8.0.90d or later. Note: As we said previously, devices with existing
configurations can also be onboarded to the Cloud.

Once onboarded, connection status can be checked with use of the show manager
status command as well as visual LED indicators.

For additional details on RUCKUS Cloud ICX management capabilities, check out
CommScope University and view the CLD 200 RUCKUS Cloud online training where we go
through onboarding of ICX devices as well as provide an overview on management
capabilities.

Revision 2212 6 ‐ 43
ICX 150 Device Access & Management

You should now be able to:

• Describe the different methods available for

device connection including the console port,
Telnet, SSH, and Web management access

• Describe the function of the management port

Summary • Know how to create local user accounts and

passwords

• Describe and configure Simple Network

Management Protocol (SNMP)

• Explain SmartZone and RUCKUS Cloud ICX

Management functions

You should now be able to:

• Describe the different methods available for device connection including the console
port, Telnet, SSH, and Web management access.
• Describe the function of the management port
• Know how to create local user accounts and passwords
• Describe and configure Simple Network Management Protocol (SNMP)
• Explain ICX management using SmartZone or RUCKUS Cloud and describe their
capabilities

Revision 2212 6 ‐ 44
ICX 150 Device Access & Management

End of presentation:
Device Access & Management

This is the end of the Device Access and Management presentation.

Revision 2212 6 ‐ 45
ICX 150 Device Access & Management

Revision 2212 6 ‐ 46
ICX 150 Device Security and Monitoring

ICX Device Security & Monitoring

Revision 2212

This presentation will cover ICX device security and monitoring.

Revision 2212 7‐1

ICX 150 Device Security and Monitoring

After completing this presentation, you will be able

to:

• Use Authentication, Authorization, and Accounting

(AAA), RADIUS and TACACS+ to secure an ICX device

• Enable 802.1X to provide port‐based network access

control using authentication
Objectives • Configure Dynamic ARP Inspection to allow valid ARP
requests and responses

• Utilize Access Control Lists to limit IP and MAC traffic

• View system log (Syslog) messages to monitor an ICX

device

• Collect all files needed for technical support

After completing this presentation, you will be able to:

• Use Authentication, Authorization, and Accounting (AAA), RADIUS and TACACS+ to
secure an ICX device
• Enable 802.1X to provide port‐based network access control using authentication
• Configure Dynamic ARP Inspection on Ethernet ports
• Utilize Access Control Lists to limit IP and MAC traffic on interfaces
• View system log (Syslog) messages to monitor an ICX device
• Collect a show tech-support or supportsave file

Revision 2212 7‐2

ICX 150 Device Security and Monitoring

Device Security

Let’s start with a look at device security.

Revision 2212 7‐3

ICX 150 Device Security and Monitoring

Authentication, Authorization, and Accounting (AAA)

AAA is a term for a framework of intelligently controlling access to computer
resources, enforcing policies, and auditing usage

• Authentication provides a way of identifying a user

– The AAA server compares a user's authentication credentials with the user
credentials stored in a database
– If the credentials match, the user is granted access
– If the credentials differ, authentication will fail, and network access is denied

• Authorization maintains what a user is allowed to do

• Accounting is a method of tracking user behavior

4 © 2022 CommScope, Inc.

AAA is a term for a framework of intelligently controlling access to computer resources,

enforcing policies, and auditing usage generally using a remote server running the RADIUS
or TACACS/TACACS+ protocol.
Authentication provides a way of identifying a user, typically by having the user enter a
unique, valid username and password before access is granted.

Revision 2212 7‐4

ICX 150 Device Security and Monitoring

Factory Default Authentication Behavior

• The following configuration is present in the factory default configuration of an
ICX switch running release 08.0.95g
aaa authentication web-server default local
aaa authentication login default local
enable aaa console
no telnet server
username super password ******* (default = sp‐admin)
• aaa authentication – Specifies a service and methods for authenticating
access to that service
– Services include web management interface (web-server) and Telnet/SSH access
to CLI (login)
– Method is local (local username) for both
• enable aaa console – Ensures console port requires authentication
• no telnet server – Disables the Telnet server
• username – Sets user and password allowed authentication access

5 © 2022 CommScope, Inc.

The configuration displayed here is present in the factory default configuration of an ICX
switch running release 8.0.95g.

The aaa authentication command specifies a service and methods for

authenticating access to that service. These services include web management interface
(web-server) and Telnet/SSH access to CLI (login).
The enable aaa console command ensures console port requires authentication.

The no telnet server command disables the Telnet server.

The username command defines the username and password for a local user
account that is allowed authentication access.

Revision 2212 7‐5

ICX 150 Device Security and Monitoring

AAA Configuration
• The AAA process can be configured to use these authentication
methods/servers
– RADIUS
– TACACS or TACACS+
– Local user accounts
– Enable (Privilege EXEC level)
– Line (Telnet)
– None

• Authentication servers are required to be configured on the ICX if used for AAA
services

RUCKUS(config)# radius-server host 10.157.22.99

RUCKUS(config)# tacacs-server host 10.94.6.161
6 © 2022 CommScope, Inc.

The AAA process can be configured to use these authentication methods/servers:

• For the RADIUS server, you also must identify the server to the device using the
radius-server command.
• For a TACACS/TACACS+ server, you can use either parameter. You also must identify
the server to the device using the tacacs-server command.
• You configure a local username and password on the device. Local usernames and
passwords are configured using the username command.
• Enable (Privilege EXEC Level) gives you super‐user control. You would use the
password you configured on the device. The enable password is configured using the
enable super-user-password command.
• Line (Telnet): For Telnet access, you must enable the authentication by entering the
enable telnet authentication command, then set the password for Telnet access by
entering the enable telnet password command.
• None: Means no authentication is used. The device automatically permits access.

Authentication servers are required to be configured if used for AAA services. Here we can
see the commands to configure the RADIUS and TACACS server IP addresses.

Continued on next slide…

Revision 2212 7‐6

ICX 150 Device Security and Monitoring

... Continued from previous slide

RADIUS stands for Remote Authentication Dial‐in User Service, and is a client/server
protocol that runs in the application layer, using UDP as transport. The Remote Access
Server, the Virtual Private Network server, the Network switch with port‐based
authentication, and the Network Access Server, are all gateways that control access to the
network, and all have a RADIUS client component that communicates with the RADIUS
server.

TACACS stands for Terminal Access Controller Access‐Control System, commonly used in
Unix networks, and is a remote authentication protocol used to communicate with a
remote authentication server.

TACACS+ offers multiprotocol support, such as IP and AppleTalk. Normal operation fully
encrypts the body of the packet for more secure communications. It is not backwards
compatible with TACACS. It is a Cisco proprietary enhancement to the original TACACS
protocol, and has, for all intents and purposes, replaced TACACS.

Revision 2212 7‐7

ICX 150 Device Security and Monitoring

AAA Methodology
• Authentication methods can be listed in order of preference
– If a remote server is not available, the next method will be attempted

• Use the login parameter to use AAA authentication for access by either console or
Telnet
– Try the TACACS+ server, then the local database, then allow access
RUCKUS(config)# aaa authentication login default tacacs+ local none
RUCKUS(config)# enable telnet authentication

• Use the enable parameter to use AAA authentication for access to the Privilege
EXEC level of the CLI
– Try the RADIUS server, then the local user database
RUCKUS(config)# aaa authentication enable default radius local

8 © 2022 CommScope, Inc.

Up to seven authentication methods can be configured and are considered in the order
they are listed. If the first authentication method is successful, the software grants access
and stops the authentication process. If the access is rejected by the first authentication
method, the software denies access and stops checking. However, if an error occurs with
an authentication method, the software tries the next method on the list, and so on.

For example, if the first authentication method is the TACACS+ server but the link to the
server is down, the software will try the next authentication method in the list. If an
application method is working properly but the password (and username, if applicable) is
not known to that method, this is not a system error. The authentication attempt stops,
and the user is denied access.

Once AAA authentication preferences are configured they can be applied to an access
method. In addition to the examples shown here, AAA can be used for SNMP, 802.1X and
Web GUI access.

Use the commands aaa authentication snmp-server default,

aaa authentication dot1x default and aaa authentication
web-server default followed by the desired authentication methods.

You should exercise great caution when configuring authentication method lists. It is
possible to lock yourself out from access to the switch if each of the methods in the list are
not properly configured.

Revision 2212 7‐8

ICX 150 Device Security and Monitoring

IEEE 802.1X

Next, we will take a look at port security using the IEEE 802.1X standard.

Revision 2212 7‐9

ICX 150 Device Security and Monitoring

802.1X Overview

• Designed to provide port‐based network access control at the network edge

– Network access is blocked until client credentials are provided to authentication
server

• 802.1X Highlights:
– 802.1x compliant client devices provide username/password
o Able to grant non‐compliant/headless devices access based on IP, MAC address or subnet
– Dynamic VLAN assignment
– Restrict client to specific VLAN on authentication failure

• The ICX implementation of 802.1X supports the following RFCs:

– RFC 2284 PPP Extensible Authentication Protocol (EAP)
– RFC 2865 Remote Authentication Dial In User Service (RADIUS)
– RFC 2869 RADIUS Extensions
10 © 2022 CommScope, Inc.

ICX devices support the IEEE 802.1X standard for authenticating devices attached to LAN
ports. Using 802.1X port security, you can configure a device to grant access to a port based
on information supplied by a client to an authentication server.

When a user logs on to a network that uses 802.1X port security, the RUCKUS device grants
(or does not grant) access to network services after the user is authenticated by an
authentication server. The user‐based authentication in 802.1X provides an alternative to
granting network access based on a user's IP address, MAC address, or sub network.

Extensible Authentication Protocol On the LAN (or EAPOL), encapsulates the Extensible
Authentication Protocol (EAP) for delivery on the Ethernet network. EAP is the protocol
used by 802.1X for authentication communication and is referenced in RFC 2284.

Revision 2212 7 ‐ 10
ICX 150 Device Security and Monitoring

802.1X Operation
• Device roles in an 802.1X configuration:
– Client/Supplicant Port Access Entity (PAE) – Network client device requiring access
– Authenticator PAE – RUCKUS ICX switch
– Authentication Server – RADIUS server

• Using Extensible Authentication Protocol over LAN (EAPOL):

– Clients provide authentication credentials to authenticator
– Authenticator sends credentials to authentication server for validation
– If authenticated, network access is granted to the client

• Controlled and uncontrolled ports

– Uncontrolled ports allow EAPOL message exchange during authentication, no user
traffic
– Controlled ports allow user traffic after successful authentication

11 © 2022 CommScope, Inc.

A physical port on the device using 802.1X has two virtual access points: a controlled port
and an uncontrolled port. The controlled port provides full access to the network. The
uncontrolled port provides access only for EAPOL traffic between the client and the
authentication server. When a client is successfully authenticated, the controlled port is
opened to the client.

Before a client is authenticated, only the uncontrolled port on the authenticator is open.
The uncontrolled port allows only EAPOL frames to be exchanged between the client and
the authentication server. The controlled port is in the unauthorized state and allows no
traffic to pass through.

During authentication, EAPOL messages are exchanged between the supplicant and the
authenticator Port Access Entity (PAE), and RADIUS messages are exchanged between the
authenticator PAE and the authentication server which is a RADIUS server.

If the client is successfully authenticated, the controlled port becomes authorized, and
traffic from the client can flow through the port normally.

Revision 2212 7 ‐ 11
ICX 150 Device Security and Monitoring

802.1X Example
• Supplicant PAE
– Supplies client information to Authenticator
PAE using EAP encapsulated in EAPOL

• Authenticator acts as a client to the RADIUS

authentication server

• RADIUS server authenticates user

– On success, port transitions to Controlled
o User traffic flows
– On failure, port remains Uncontrolled
o User traffic still blocked
12 © 2022 CommScope, Inc.

Here we see 802.1X device roles and how they communicate.

When the client initiates network access, credentials are passed to the ICX switch
encapsulated in EAP over LAN (EAPOL) messages.

The authenticator uses RADIUS messages to pass this information to the authentication
server, which determines whether the client can access services provided by the
authenticator.

The RADIUS server authenticates the client.

If the client is successfully authenticated, the port transitions to a Controlled port.

If authentication fails, or when the client logs off, the port becomes unauthorized again and
transitions to Uncontrolled, (not shown), allowing EAPOL messages but no user traffic.

RUCKUS's 802.1X implementation also supports dynamic VLAN assignment. If one of the
attributes in the Access‐Accept message sent by the RADIUS server specifies a VLAN
identifier, and this VLAN is available on the RUCKUS device, the client's port is moved from
its default VLAN to the specified VLAN. When the client disconnects from the network, the
port is placed back in its default VLAN.

When a client that supports 802.1X attempts to gain access through a non‐802.1X‐enabled
port, it sends an EAP start frame to the RUCKUS device. When the device does not respond,
the client considers the port to be authorized, and starts sending normal traffic.

Revision 2212 7 ‐ 12
ICX 150 Device Security and Monitoring

802.1X Configuration for Supplicant PAE

• Identify the RADIUS server to the RUCKUS device
RUCKUS(config)# radius-server host 10.157.22.99 auth-port 1812
acct-port 1813 default key mirabeau dot1x

Syntax: radius-server { hostip-addr | ipv6-addr | server-name }

[ auth-port num | acct-port num |default ] [ key string ]
[ dot1x ]

• Assign the authentication method

RUCKUS(config)# aaa authentication dot1x default radius

• Enable 802.1X on switch and specify ports

RUCKUS(config)# authentication
RUCKUS(config-authen)# dot1x enable
RUCKUS(config-authen)# dot1x enable ethernet 1/1/11 to 1/1/16

13 © 2022 CommScope, Inc.

To enable 802.1X, configure the RADIUS servers being used for authentication. Provide the
IP address and the authentication port for the server, the default port is 1812. Also specify
the default RADIUS key string followed by the dot1x parameter. The RADIUS key is
configured globally using the radius-server key command followed by a 1‐32
character string.

Then configure the AAA authentication parameters for 802.1X, the default method is
RADIUS.

Finally, configure 802.1X on the Ethernet interfaces by accessing the authentication

configuration sub‐level, enabling dot1x globally, then enable the desired interface or range
of interfaces.

Revision 2212 7 ‐ 13
ICX 150 Device Security and Monitoring

Access Control Lists

Now we will look at Access Control Lists.

Revision 2212 7 ‐ 14
ICX 150 Device Security and Monitoring

Access Control Lists (ACLs) Overview

• Access Control Lists (ACLs) permit or deny packets according to defined rules.
Once defined, ACLs are applied to an interface
– Standard ACLs – filter packets based on source addressing
– Extended ACLs – filter packets based on source and destination as well as port
parameters

• ACLs include the following benefits:

– Providing security and traffic management
– Monitoring network and user traffic
– Reducing demand on network resources by classifying traffic
– Protecting against denial of service (DoS) attacks

• ICX ACLs are programmed into the Content Addressable Memory (CAM)
– Packets are permitted or denied in the hardware
– No requirement to send the packets to the CPU for processing
15 © 2022 CommScope, Inc.

We mentioned one type of Access Control List (ACL) when we discussed securing
access to your ICX device in the Access and Management Presentation. In that
example we were defining a standard ACL which uses source IP addresses to define
which clients we would permit to access a certain service. Once an ACL is defined, it
can be applied to an interface (or VLAN), and new to FastIron 08.0.95, even to CPU
Control traffic. The application of ACLs to CPU Traffic is however beyond the scope
of this course, look to the FastIron 08.0.95 Security Configuration Guide for more
details.

As you learned in the Routing and Switching Protocol course (RSP‐100) there are
two types of IP ACLs, Standard and Extended. While both differ in capabilities, they
both permit or deny packets according to rules included within them.
When a packet is received or sent, the device compares its header fields against the
rules in applied ACLs. This comparison is done according to a rule sequence, which
you can specify. Based on the comparison, the device either forwards or drops the
packet.

ACLs include the following benefits:

• Providing security and traffic management
• Monitoring network and user traffic
• Saving network resources by classifying traffic
• Protecting against denial of service (DoS) attacks

Because applied ACLs are programmed into the Content Addressable Memory
(CAM), packets are permitted or denied in the hardware, without sending the
packets to the CPU for processing.
Revision 2212 7 ‐ 15
ICX 150 Device Security and Monitoring

General Guidelines for Using ACLs

• By default, all packets are allowed on an ICX switch

• When an ACL is applied to an interface, all traffic not explicitly permitted is

denied/blocked

• When a packet is received or sent, the device compares its header fields against
the rules in applied ACLs
– Comparison follows a specified rule sequence
o The sequence of rules in an ACL is critical
o The first rule that matches the traffic stops further processing of the packet
– Based on the comparison, the device either forwards or drops the packet

• There is an implicit deny all statement at the end of each ACL

– All traffic not specifically permitted will be automatically denied
16 © 2022 CommScope, Inc.

The default action when no ACLs are configured on a device is to permit all traffic.
However, once you configure an ACL and apply it to a port, the default action for
that port is to deny all traffic that is not explicitly permitted on the port:
• If you want to tightly control access, configure ACLs consisting of permit
entries for the access you want to permit. The ACLs implicitly deny all other
access.
• If you want to secure access in environments with many users, you may want
to configure ACLs that consist of explicit deny entries, and then add an entry
to permit all access to the end of each ACL. The software permits packets that
are not denied by the deny entries.

Note: In FastIron 08.0.95 you cannot create ACLs from the web‐interface.

Revision 2212 7 ‐ 16
ICX 150 Device Security and Monitoring

IPv4 ACLs

• There are two naming types for IPv4 ACLs:

– Numbered ACLs
o You can assign numbers 1 through 99 to standard numbered IPv4 ACLs
o You can assign numbers 100 through 199 to extended numbered IPv4 ACLs
– Named ACLs, which must begin with an alphabetical character

• How to configure and apply IPv4 ACLs:

1. Create the ACL, using the ip access-list command
2. Define permit and deny rules using the sequence command when necessary
3. Apply the ACL to one or more interfaces, using the ip access-group
command

17 © 2022 CommScope, Inc.

As we said previously, standard ACLs filter exclusively on source addresses. The default
action is to deny all traffic that has not been explicitly permitted. Permitted or denied
packets can be sent to the system log.

Extended ACLs permit or deny traffic according to source and destination addresses, as well
as other parameters, including:
• Port name or number
• Protocol (for example, TCP or UDP)
• TCP flags

In ICX release 8.0.95, there are two naming types for IPv4 standard and extended ACLs that
be configured; numbered and named.

Standard numbered ACLs can be in the numerical range of 1‐99. Extended numbered ACLs
can be in the numerical range of 100‐199. If the number selected is outside of this range of
the selected type when configuring, an error will be generated.

Named ACLs allow you to configure a user‐friendly name for the ACL. Named ACLs must
begin with an alphabetic character.
While ACLs can be used for many purposes, the basic process of configuring and applying
ACLs is to create the ACL globally, then assign it to one or more interfaces.

Revision 2212 7 ‐ 17
ICX 150 Device Security and Monitoring

IPv6 ACLs
• IPv6 ACLs enable traffic filtering based on the following information:
– IPv6 protocol
– Source IPv6 address
– Destination IPv6 address
– IPv6 message type
– Source TCP or UDP port (if the IPv6 protocol is TCP or UDP)
– Destination TCP or UDP port (if the IPv6 protocol is TCP or UDP)

• No concepts of standard or numbered ACLs for IPv6

– All IPv6 ACLs are essentially named, extended ACLs filtering on source and destination
information

• IPv6 ACLs have 3 implicit rules at the end of every list:

– permit icmp any any nd‐na: Allows ICMP neighbor discovery acknowledgements
– permit icmp any any nd‐ns: Allows ICMP neighbor discovery solicitations
– deny ipv6 any any: Denies IPv6 traffic

18 © 2022 CommScope, Inc.

The default action for IPv6 ACLs is the same as we stated earlier. When no IPv6 ACLs are
configured on an interface, we permit all traffic. However, once you configure an IPv6 ACL
and apply it to an interface, the default action for that interface is to deny all traffic that is
not explicitly permitted on the interface.

Like IPv4 ACLs, IPv6 ACLs can filter on Source Address, Destination Address, as well as
source or destination port and also include the ability to filter based on IPv6 protocol and
message type.
Unlike IPv4 ACLs there are no concepts of standard and extended ACLs for IPv6 ACLs,
essentially all IPv6 ACLs are named ACLs filtering on the information we just mentioned.

IPv6 ACLs have the following concluding implicit rules:

• permit icmp any any nd‐na: Allows ICMP neighbor discovery acknowledgements.
• permit icmp any any nd‐ns: Allows ICMP neighbor discovery solicitations.
• deny ipv6 any any: Denies IPv6 traffic. You must enter permit ipv6 any any as the last
statement in the access list if you want to permit IPv6 traffic that was not denied by
the previous statements.

NOTE: In an IPv6 ACL, if you do not override the implicit deny ipv6 any any rule, make sure
to include rules that permit the IPv6 link‐local address and the global unicast address.
Otherwise, routing protocols such as OSPF will not work. To view the link‐local address, use
the show ipv6 interface command.

Revision 2212 7 ‐ 18
ICX 150 Device Security and Monitoring

Configuring and Applying IPv4 Standard ACLs

• Enter the ip access-list standard command to create the ACL

RUCKUS(config)# ip access-list standard 19
RUCKUS(config-std-ipacl-19)#
Syntax: [no] ip access-list standard { acl-num | acl-name }

• For each rule, enter the deny or permit command, specifying the needed
parameters:
RUCKUS(config-std-ipacl-19)# permit host 10.157.10.26 log
RUCKUS(config-std-ipacl-19)# deny 10.157.10.0 0.0.0.255 log
RUCKUS(config-std-ipacl-19)# deny 10.157.20.0/24 log
RUCKUS(config-std-ipacl-19)# permit any
Partial Syntax: [ permit | deny ] { S_IPaddress [ mask ] | host S_IPaddress | any } [ log ] [ mirror ]

• Apply the ACL to an interface:

RUCKUS(config)# interface ethernet 1/1/1
RUCKUS(config-if-e1000-1/1/1)# ip access-group 19 in
Syntax: [no] ip access-group { acl-num | acl-name } { in | out }
19 © 2022 CommScope, Inc.

To create a Standard IPv4 ACL, get into global config mode, then enter the ip access-
list standard acl-id command (acl‐id is a number from 1‐99). Once you are in
the Standard IPv4 ACL configuration sub‐menu, you can begin to utilize deny/permit
syntax to define your rule.

The S_IPaddress parameter specifies the source IP address or hostname for the policy. If
you want the policy to match on all source addresses, enter any.

The mask parameter specifies the portion of the source IP host address to match against.
The mask is a four‐part value in dotted‐decimal notation (IP address format) consisting of
ones and zeros. Using wildcard mask formatting, zeros in the mask mean the packet’s
source address must match the S_IPaddress. Ones mean any value matches.
For example, the S_IPaddress and mask values 10.157.10.0 0.0.0.255 mean that all hosts in
the Class C sub‐net 10.157.10.x match the policy.

If you prefer to specify the mask value in Classless Interdomain Routing (CIDR) format, you
can enter a forward slash after the IP address, then enter the number of significant bits in
the mask. For example, you can enter the CIDR equivalent of “10.157.20.0/24, which is the
equivalent of the wildcard mask “10.157.20.0 0.0.0.255” .

The host option indicates the source IP address is a host address. When used, the system
automatically applies a 0.0.0.0 (or /32) mask to the S_IPaddress.

Revision 2212 7 ‐ 19
ICX 150 Device Security and Monitoring

Adding Statements to Existing ACLs

• Based on the ACL configured on the previous slide, only one host on the
10.157.10.0/24 subnet will be permitted
• What if you wanted to allow another host? Would adding the following
statement to the existing ACL work?
10.157.10.0/24 Subnet
RUCKUS(config)# ip access-list standard 19
RUCKUS(config-std-ipacl-19)# permit host 10.157.10.45 log

Host
10.157.10.45

Host
10.157.10.26

20 © 2022 CommScope, Inc.

Based on the standard ACL configuration applied on the last slide, we are allowing only one
host from the 10.157.10.0 network. However, what happens when we want to allow
another host from that network. Let’s add another permit entry to the ACL and discuss.

Revision 2212 7 ‐ 20
ICX 150 Device Security and Monitoring

Sequence Matters
• After the change shown on the previous slide is applied our ACL is configured as:
RUCKUS(config)# show ip access-lists 19
Standard IP access list 19: 5 entries
10: permit host 10.157.10.26 log
20: deny 10.157.10.0 0.0.0.255 log
30: deny 10.157.20.0 0.0.0.255 log
40: permit any
50: permit host 10.157.10.45 log

• The filter at sequence 20 will match and deny the packet before sequence 50
• Statements can be removed from an ACL by identifying the sequence number
RUCKUS(config)# ip access-list standard 19
RUCKUS(config-std-ipacl-19)# no sequence 50

• Statements can be added to ACLs between existing statements with sequence command
RUCKUS(config)# ip access-list standard 19
RUCKUS(config-std-ipacl-19)# sequence 15 permit host 10.157.10.45 log

21 © 2022 CommScope, Inc.

We talked earlier about how the sequence of rules within an ACL is critical to its operation
and now we get to see an example of that. We can of course, specify and modify the
sequence in which ACL rules are applied to traffic. But by default, the order in which ACL
rules run is determined by the sequence in which they are added to the ACL.

Beginning with FastIron 08.0.50 sequence numbers are automatically added to existing ACL
rules in the following manner:
• The first rule within each ACL is numbered 10.
• The sequence number for each succeeding rule is incremented by 10.
In new ACLs that you create, specifying rule sequence numbers is optional. If they are not
specified, they are assigned automatically in the previously mentioned order.
Sequence numbers have the following advantages:
• If you need a new rule to run between existing rules, you assign the new rule a
sequence number between those two rules.
• New rules are implemented seamlessly, with no need to re‐apply ACLs.
• If you delete a rule, there is no need to re‐apply the ACL.

If you add a rule to an ACL without specifying its sequence, the rule is added at the end of
the list and is automatically assigned the next multiple of 10 as its sequence number. So in
our case the new rule we added is listed as sequence 50. However, remember that we said
ACLs process on first match, so the host that we intended to permit is still going to match
the deny rule in sequence 20. We will actually need to remove the permit host
10.157.10.45 rule 50 from this ACL , using the no sequence command within the access
list configuration context. We will reintroduce the permit statement with a sequence
number of 15 to have it placed correctly within our ACL.

Revision 2212 7 ‐ 21
ICX 150 Device Security and Monitoring

Displaying ACLs
After reconfiguring, our permit statement is inserted between sequence 10 and 20:
RUCKUS(config)# show ip access-lists 19
Standard IP access list 19: 5 entries
10: permit host 10.157.10.26 log
15: permit host 10.157.10.45 log
20: deny 10.157.10.0 0.0.0.255 log
30: deny 10.157.20.0 0.0.0.255 log
40: permit any

22 © 2022 CommScope, Inc.

Displaying the access‐list will confirm resequencing of the statement:

RUCKUS (config)# show ip access-lists 19
Standard IP access list 19: 5 entries
10: permit host 10.157.10.26 log
15: permit host 10.157.10.45 log
20: deny 10.157.10.0 0.0.0.255 log
30: deny 10.157.20.0 0.0.0.255 log
40: permit any

For details of commands for displaying IPv4 ACLs, refer to the following commands in the
RUCKUS FastIron Command Reference Guide:
• show ip access-list accounting
• show ip access-list named-acl
• show ip access-lists

Revision 2212 7 ‐ 22
ICX 150 Device Security and Monitoring

Resequencing ACLs
• Sequence numbers can be reverted back to sequence‐numbering‐by‐tens
• Use the regenerate-seq-number command within the access‐list
configuration context

ICX(config)# ip access-list standard 19

ICX(config-std-ipacl-19)# regenerate-seq-number
ICX(config-std-ipacl-19)# show ip access-list 19
10: permit host 10.157.10.26 log
20: permit host 10.157.10.45 log
30: deny 10.157.10.0 0.0.0.255 log
40: deny 10.157.20.0 0.0.0.255 log
50: permit any
23 © 2022 CommScope, Inc.

If you prefer the sequence numbers to revert back to sequence‐numbering‐by‐tens, you

can regenerate them with the regenerate-seq-number command within the access‐
list configuration context.

Revision 2212 7 ‐ 23
ICX 150 Device Security and Monitoring

Extended ACLs

• Extended ACLs permit or deny traffic according to source and destination

addresses, as well as other parameters
– For example, in an extended ACL, you can also filter by one or more of the following
parameters:
o Port name or number
o Protocol (for example, TCP or UDP)
o TCP flags

• There are two types of IPv4 extended ACLs:

– Numbered ACLs
o You can assign numbers 100 through 199 to extended numbered IPv4 ACLs
– Named ACLs, which must begin with an alphabetical character

24 © 2022 CommScope, Inc.

Extended ACLs filter traffic according to source and destination addresses, as well as other
parameters. The default action is to deny all traffic that has not been explicitly permitted.
Permitted or denied packets can be referenced in the system log.

In ICX release 8.0.95, there are two types of IPv4 extended ACLs that be configured,
numbered and named.
Numbered extended ACLs can be in the numerical range of 100‐199. If the number selected
is outside of this range when configuring an extended ACL, an error will be generated.

Named ACLs allow you to configure a user‐friendly name for the ACL. Named ACLs must
begin with an alphabetic character.

While ACLs can be used for many purposes, the basic process of configuring and applying
ACLs is to create the ACL globally, then assign it to one or more interfaces.

Revision 2212 7 ‐ 24
ICX 150 Device Security and Monitoring

Configuring Extended ACLs

• Enter the ip access‐list extended command to create the ACL
RUCKUS(config)# ip access-list extended block_telnet
RUCKUS(config-ext-ipacl-block_telnet)#
Syntax: [no] ip access-list extended { acl-num | acl-name }

• For each rule, enter the deny or permit command, specifying the needed
parameters:
RUCKUS(config-ext-ipacl-block_telnet)# deny tcp host 209.157.10.26 any eq
telnet log
RUCKUS(config-ext-ipacl-block_telnet)# permit ip any any

Basic Syntax: [ permit | deny ] { tcp | udp } { S_IPaddress [ mask ] | host

S_IPaddress | any } { D_Ipaddress [ mask ] | host D_IPaddress | any } [
log ] [ mirror ]

25 © 2022 CommScope, Inc.

The commands in this example configure an extended ACL named block_telnet. The ACL
blocks telnet traffic (eq telnet) from the host with IP address 209.157.10.26. The second
entry allows all other traffic types to pass through.

Revision 2212 7 ‐ 25
ICX 150 Device Security and Monitoring

Extended ACL Protocols

• Extended ACLs let you filter packets based on protocols
• You can either specify a protocol number (from 0 through 255) or a supported
protocol name, for example:
Protocol
Protocol Acronym Protocol Number
Internet Control Message Protocol ICMP 1

Internet Group Management Protocol IGMP 2

Open Shortest Path First OSPF 89

Transmission Control Protocol TCP 6

User Datagram Protocol UDP 17

• Different protocols allow unique filtering options

– TCP/UDP – Allow filtering of port numbers with comparison operators (=, >, <, ≠, and
range)
– ICMP – Allows filtering on specific ICMP numbers and types
26 © 2022 CommScope, Inc.

Extended ACLs allow you to filter packets by protocol which can be done by
specifying a protocol by name or by protocol number (0 through 255).

Once you have selected the protocol for the rule, depending on your selection, you
will have additional filtering options for that specific protocol. For instance, if you
specified the TCP or UDP protocol in your extended ACL, you would additionally be
able to filter on port numbers (as well as some well‐known named ports) for UDP or
TCP. If you specify the ICMP protocol, you would additionally be able to filter on
ICMP message types.

The permit and deny commands for Extended ACL have many parameters. Refer
to the FastIron Command Reference Guide for complete syntax, parameter
definitions, usage guidelines, and examples.

Revision 2212 7 ‐ 26
ICX 150 Device Security and Monitoring

Extended ACL Example

RUCKUS(config)# interface ethernet 1/1/2

RUCKUS(config-if-e1000-1/1/2)# ip access-group block_telnet in

RUCKUS # show ip access-lists block_telnet

Extended IP access list block_telnet: 2 entries
10: deny tcp host 10.157.10.26 any eq telnet log
20: permit ip any any
27 © 2022 CommScope, Inc.

Here we see how the traffic is affected by the ACL. Telnet from the denied host is filtered at
the interface while all other traffic types from the host, or any host on the port, is
permitted. This is because we applied the extended ACL to the interface using the ip
access-group block_telnet in command

The show ip access-lists <named-acl> command is used to view standard

and extended named ACLs on an ICX switch.

Revision 2212 7 ‐ 27
ICX 150 Device Security and Monitoring

IPv6 ACL Configuration

• Enter the ipv6 access-list command to create the ACL
RUCKUS(config)# ipv6 access-list ipv6_test
RUCKUS(config-ipv6-access-list ipv6_test)#

Syntax: [no] ipv6 access-list acl-name

• For each rule, enter the deny or permit command, specifying the needed
parameters:
RUCKUS(config-ipv6-access-list ipv6_test)# deny tcp host 2001:DB8:e0bb::2 any eq telnet
RUCKUS(config-ipv6-access-list ipv6_test)# permit ipv6 any any

Basic Syntax: [ permit | deny ] {ipv6_protocol } { S_IPaddress [ mask ] | host S_IPaddress | any
} { D_Ipaddress [ mask ] | host D_IPaddress | any } [ log ] [ mirror ]

• Apply the ACL to an interface with ipv6 access-group command

RUCKUS(config)# interface eth 1/1/1
RUCKUS(config-if-e1000-1/1/1)# ipv6 access-group ipv6_test in
Syntax: [no] ipv6 access-group acl-name { in | out }
28 © 2022 CommScope, Inc.

We mentioned IPv6 ACLs previously. They can be created with the ipv6 access-list
command and then applied to an interface using the ipv6 access-group command.

The IPv6 protocol can be one of the following well‐known names or any IPv6 protocol
number from 0 through 255:
• Authentication Header (AHP) protocol
• Encapsulating Security Payload (ESP)
• Internet Control Message Protocol (ICMP)
• Internet Protocol Version 6 (IPv6)
• Stream Control Transmission Protocol (SCTP)
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)

For TCP and UDP, you also can specify a comparison operator and port name or number.
For example, you can configure a policy to block web access to a specific website by
denying all TCP port 80 (HTTP) packets from a specified source IPv6 address to the website
IPv6 address.
IPv6 ACLs also provide support for filtering packets based on DSCP.

Revision 2212 7 ‐ 28
ICX 150 Device Security and Monitoring

MAC Access Control Lists (ACLs) Overview

• MAC ACLs replace MAC filtering commands beginning in FastIron 08.0.95

– The mac filter and mac filter-group commands are deprecated in this
release. Pre‐08.0.95 configurations using the above commands will be migrated to
MAC ACLs upon upgrading to 08.0.95

• MAC ACLs are defined using source and/or destination MAC addressing as well
as an optional Ethertype
– By default, traffic is permitted when no MAC ACLs are defined
– When a MAC ACL is applied, only devices specifically permitted are granted access
unless a permit any any statement is applied
– MAC ACLs are applied to physical ports, LAGs, and VLANs
– MAC ACLs cannot filter Layer 2 control traffic (spanning‐tree, LACP, etc.)

29 © 2022 CommScope, Inc.

FastIron 08.0.95 introduces MAC ACLs which replace MAC filtering in previous
FastIron releases. It is important to note while the mac filter and mac
filter-group commands are deprecated in the 08.0.95 release, any prior
releases that had these configurations will be migrated to MAC ACLs automatically
when upgrading to FI 08.0.95 (or beyond). Be sure to check out the FastIron
Software Upgrade Guide for your specific targeted release for additional details.

MAC ACLs are implemented much like IP ACLs in that they deny or permit access to
physical interfaces (including LAG interfaces) as well as VLANs. They utilize source
and/or destination MAC addressing, and optionally an Ethertype, to define access
to the port or VLAN. They cannot however filter Layer 2 control protocols like
spanning‐tree or LACP.

Also, like IP ACLs, MAC ACL filtering is performed in hardware on RUCKUS ICX
devices. By default, when no MAC ACL is defined all traffic is permitted. When a
MAC ACL is created and applied to a port the filter will drop traffic that does not
match an explicit permit filter unless an explicit permit any any statement is added
to the end of the rule.

Revision 2212 7 ‐ 29
ICX 150 Device Security and Monitoring

MAC ACL Commands

RUCKUS(config)# mac access-list AllowList
RUCKUS(config-macl-AllowList)# deny 1111.2222.3333 ffff.ffff.ffff 4444.5555.6666 ffff.ffff.ffff
RUCKUS(config-macl-AllowList)# deny any 6666.7777.8888 ffff.ffff.0000
• Can match on source and
RUCKUS(config-macl-AllowList)# permit any any destination MAC and
Ethertype
• Valid Ethertypes in HEX are
RUCKUS(config)# mac access-list WoLDeny 600 through ffff
RUCKUS(config-macl-WoLDeny)# deny any any ether-type 0842
• MAC ACLs cannot be applied
to OOB Management port
RUCKUS(config)# interface ethernet 1/1/1
• MAC ACLs can be applied on
RUCKUS(config-if-e1000-1/1/1)# mac access-group AllowList in tagged ports
• MAC ACLs apply to both
RUCKUS(config)#interface e 1/1/1 to 1/1/24 switched and routed traffic
RUCKUS(config-mif-1/1/1-1/1/24)# mac access-group WoLDeny in but are INBOUND only
Syntax: permit | deny { { source_mac_address [ source_mask ] } | any } {
destination_mac_address [ destination_mask ] } | any } [ ether-type ether_type_value ] [
log ] [ mirror ]

30 © 2022 CommScope, Inc.

To create a MAC ACL, issue the mac access-list command followed by a

name. Names must begin with an alphabetic character and can be no longer than
47 characters. Once within the MAC ACL configuration submode, you can create
filter statements to permit or deny traffic based on source MAC, Destination MAC,
or Ethertype, as we discussed previously. The source and destination MAC field can
be configured with a specific individual MAC as shown in the first deny command,
or it can be specified as any to match all MACs as we’re seeing in the second deny
command.

In our example, the first deny command in our MAC ACL will deny a source device
with the MAC of 1111.2222.3333 from accessing a destination of 4444.5555.6666.

The second deny command is denying any source MAC from accessing a range of
destination of MACs, this is achieved by changing the variable mask on the
destination MAC entry.

In our example, the variable mask for the destination MAC is ffff.ffff.0000, which
means that any source MAC attempting to access any destination that matches the
first four octets of the MAC Address that has been defined, in this case 6666.7777,
will be denied. The variable mask can be specified with hexadecimal numbers 0
through f, and as we can see ffff.ffff.ffff is used when we want to perform an exact
match.

Continued on next slide…

Revision 2212 7 ‐ 30
ICX 150 Device Security and Monitoring

... Continued from previous slide

In the second example, we have an access list denying any MAC sources or
destination when the Ethertype matches 0842, or in this case Wake‐on‐LAN. The
valid ranges for Ethertype are 600 through ffff.

Once a MAC Access list has been created, it can be applied to an interface using the
mac access-group command, followed by the keyword in, which indicates
that the MAC ACL is applied to inbound traffic. From this context you can also
optionally specify logging parameters.

Revision 2212 7 ‐ 31
ICX 150 Device Security and Monitoring

MAC ACL Commands (Cont.)

RUCKUS(config)# show mac access-lists brief

Total ACL count= 2 • show mac access-lists brief

Total ACL filter count= 4
– List all MAC ACLs displaying number
ACL Name Filters Bindings(In) Bindings(Out) Acc of bindings and accounting status
• show mac access-lists or show
=========== ======= ============ ============= === running-configuration access-
AllowList 3 1 0 dis list
WoLDeny 1 0 0 dis – Display configuration for MAC ACLs

RUCKUS(config)# show mac access-lists bindings • show mac access-lists

bindings
ACL Name Bind If Dir – Display where specific MAC ACLs are
applied
====================== ===================== ===
AllowList eth 1/1/1 in

32 © 2022 CommScope, Inc.

Once MAC ACLs have been defined you can utilize show commands to obtain
information about their use.

The show mac access-lists brief command provides a summary of all MAC
ACLs configured on the system by name. It displays how many filter statements are
applied to each ACL, how many bindings there are for a particular ACL, as well as
the accounting status.

For a detailed look at the filter statements applied to the ACL you can utilize the
show mac access-lists command as well as the show running-
configuration command. The show mac access-lists bindings
command will display a list of MAC ACLs and to which interface(s) they are bound.

Revision 2212 7 ‐ 32
ICX 150 Device Security and Monitoring

Device Monitoring

Now we will take a look at some system monitoring tools, including system logging, show
tech, and supportsave.

Revision 2212 7 ‐ 33
ICX 150 Device Security and Monitoring

System Logging (Syslog) Overview

• RUCKUS ICX switches maintain local Syslog database which can be viewed
using the show logging command

• By default, local Syslog database is erased on system reboot or power loss

• By default, the local Syslog database retains 4000 messages

– Can be changed from 1 to 4000 messages, which will require the ICX to be
reloaded

RUCKUS(config)# logging buffered 1000

RUCKUS(config)# logging persistence
RUCKUS(config)# write memory
RUCKUS(config)# exit
RUCKUS# reload
34 © 2022 CommScope, Inc.

Devices write messages to a local system log (Syslog), which by default stores 4000
messages. Older messages will be flushed to make room for new messages (FIFO).

You can change the number of messages the Syslog buffer can store and the value range is
1 to 4000 messages. If you make a change to the Syslog buffer, you must save the
configuration and reload the device for the change to take effect.

If you decrease the size of the buffer, the software clears the buffer before placing the
change into effect.

If you increase the size of the Syslog buffer, the software will clear some of the older locally
buffered Syslog messages.

The logging persistence command is used to ensure syslog message persist after a soft
reboot (ie; reload). However, if the device loses power or is power cycled the syslog
messages are cleared regardless of logging persistence.

Note: If logging persistence is enabled and you load a new software image on the device,
you must first clear the log if you want to reload the device.

Revision 2212 7 ‐ 34
ICX 150 Device Security and Monitoring

Remote Syslog Servers

• Defined in RFC 5424, Syslog can send event messages to a remote logging
server using UDP port 514, by default

• Sending to a remote server ensures logging events are saved, even after a
system reboot

• For example, log messages may be sent to a Syslog server at IP address

10.255.252.10
RUCKUS(config)# logging host 10.255.252.10

• Up to six external servers can be configured

• Messages are written to the local Syslog and the configured remote servers
35 © 2022 CommScope, Inc.

You can specify the IP address or host name of up to six external Syslog servers. When you
specify a Syslog server, the RUCKUS device writes the messages to both the local system log
and to the Syslog server.

Using a Syslog server ensures that the messages remain available even after a system
reload. The local Syslog is cleared during a system reload or reboot, but the Syslog
messages sent to the Syslog server remain on the server.

Revision 2212 7 ‐ 35
ICX 150 Device Security and Monitoring

Real‐Time Display of Syslog Events

• Enable real‐time display of Syslog messages to the serial console
RUCKUS(config)# logging console
– Enter no logging console to turn it off
• Both logging console and terminal monitor commands are
required to monitor on Telnet and SSH
– Command is a toggle, enter terminal monitor to turn logging on
RUCKUS# terminal monitor
Syslog trace was turned ON
SYSLOG: <9>device, Power supply 2, power supply on left connector, failed
SYSLOG: <14>device, Interface ethernet 6, state down
SYSLOG: <14>device, Interface ethernet 2, state up
– Enter terminal monitor again to turn logging off
RUCKUS# terminal monitor
Syslog trace was turned OFF
36 © 2022 CommScope, Inc.

To view a real‐time display of Syslog messages on your console, use the logging
console command at the CONFIG level.

To turn this feature off, use no logging console command.

If you are logged in remotely using SSH or Telnet, you will not see the Syslog messages on
your screen. To see the messages, you need to configure the logging console
command and then run the terminal monitor command at the Privilege EXEC level.
This only applies to the current active Telnet or SSH session. It does not affect any other
active session.

To stop seeing Syslog messages on your screen, simply enter the terminal
monitor command again.

Revision 2212 7 ‐ 36
ICX 150 Device Security and Monitoring

Disabling Message Levels

• Message levels have the following values in order of severity:
– Alerts (A) – Errors (E)
– Critical (C) – Informational (I)
– Debugging (D) – Notifications (N)
– Emergencies (M) – Warnings (W)

• The example shows that all levels are being logged

RUCKUS# show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 3 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error
I=informational N=notification W=warning
• Individual message levels can be disabled
RUCKUS(config)# no logging buffered informational
– The example disables informational (I) messages
– Message levels are disabled on an individual basis
– Changes also apply to messages sent to external Syslog servers
37 © 2022 CommScope, Inc.

RUCKUS software writes syslog messages at the following severity levels:

• Emergencies
• Alerts
• Critical
• Errors
• Warnings
• Notifications
• Informational
• Debugging

In the show logging command output you can see that all levels are being logged, as
designated by the first letter of each level, such as "A" for Alerts.

You can disable specific message levels using the no logging buffered command
followed by the desired level. The example disables informational messages from being
logged. These changes also apply to messages sent to the external Syslog servers.

Revision 2212 7 ‐ 37
ICX 150 Device Security and Monitoring

Show Tech‐Support

Next, we will take a look at collecting technical support data using the show tech-
support command.

Revision 2212 7 ‐ 38
ICX 150 Device Security and Monitoring

show tech-support Output

• The show tech-support command displays the following

information:

– Header for all the show commands
– Running configuration
– Image version
– Port status
– Port counters
– Static and dynamic log buffers
– dm statistics
– Boot, monitor, and system
– Registers information
– Possible stack trace
39 © 2022 CommScope, Inc.
– Active stack (if applicable)
– Last packet (Application Data)
– Possible data structure
– MCT cluster details
– License details
– Stacking information
– Dot1x
– DHCP snooping
– SSH
– System Health

When contacting RUCKUS Technical Support (TAC) with an issue, the first thing they
will ask for is the “show tech” output. The show tech-support command displays
the output of several show commands at once. This output can then be sent to
RUCKUS TAC. The output from this command varies depending on the device
configuration. The default information includes:

• Header for all the show commands

• Running configuration
• Image version
• Port status
• Port counters
• Static and dynamic log buffers
• dm statistics
• Boot, monitor, and system
• Registers information
• Possible stack trace
• Active stack (if applicable)
• Last packet (Application Data)
• Possible data structure
• MCT cluster details
• License details
• Stacking information
• Dot1x
• DHCP snooping
• SSH
• System Health

Revision 2212 7 ‐ 39
ICX 150 Device Security and Monitoring

show tech-support Example

RUCKUS# show tech-support
==========================================================================
BEGIN : show running-config
The start of each show
CONTEXT : CONSOLE#0 : CONFIG
TIME STAMP : 23:10:57.051 GMT+00 Tue Jan 04 2000 command output is
HW/SW INFO : ICX7150-C12-POE/SPS08090 designated by BEGIN:
==========================================================================
Current configuration:
!
<Output Truncated>
==========================================================================
TIME STAMP : 23:10:57.072 GMT+00 Tue Jan 04 2000 The end of each show
END : show running-config command output is
TIME TAKEN : 12702394 ticks (12702394 nsec) designated by END:
==========================================================================
<Output Truncated>

40 © 2022 CommScope, Inc.

The format of the show tech-support output is modified to include a header for each of the
subcommands which gets called from the CLI to help in automated parsing and lookup of the
output. The header contains the following keywords:
• BEGIN ‐ which indicates the start of the subcommand output. If the command is an internal
command, a textual description of the command is displayed.
• CONTEXT ‐ indicates where the subcommands are executed (INTERNAL, MP, MP‐OS, LP, or
LP‐OS).
• TIME‐STAMP ‐ A time stamp, with millisecond granularity, helps in determining the time
difference between separate runs of the same command.
• HW/SW INFO ‐ Indicates the hardware and software version information of the device.
The footer contains the following information:
• TIME STAMP ‐ A time stamp, with millisecond granularity, helps to determine
the time difference between separate runs of the same command.
If NTP or local clock is not set on a device, then header displays Epoch time in
the TIMESTAMP field. Epoch time is a universal time which starts from Jan 1,
1970. Therefore, for Linux platforms, the Epoch time format is 00:00:00.000
GMT+00 Thu Jan 01 1970. For non‐Linux platforms, the Epoch time format is
Jan 01 00:00:00.000.
• END ‐ Indicates the sub‐command which has completed execution.
• TIME TAKEN ‐ Indicates the total time taken in nanoseconds for the command
execution.
In addition to the header, the show clock command is run at the beginning and the end of the
show tech for elapsed time calculation.

Revision 2212 7 ‐ 40
ICX 150 Device Security and Monitoring

show tech-support Options

• There are several command options that can be included to focus the output
of show tech-support

show tech-support [ acl | cluster | cpu | l2 | l3 { ipv4-

uc | ipv6-uc } | license | memory | multicast |
multicast6 | openflow | packet-loss | poe | stack ]

For example, the packet-loss option can be used to add packet statistic debug
information to the output

RUCKUS# show tech-support packet-loss

41 © 2022 CommScope, Inc.

Additional options can be added to the show tech output that may be specifically
related to the type of issue you are collecting data for. These include:
• acl – Generates system and debugging information specific to ACL configurations and
counters.
• cluster – Generates system and debugging information specific to cluster
configurations.
• cpu – Generates CPU‐related information.
• license – Generates license‐related information.
• l2 – Generates system and debugging information specific to Layer 2 configurations.
• l3 – Generates system and debugging information specific to Layer 3 configurations.
• memory – Generates memory‐related information of the device.
• multicast – Generates system and debugging information specific to Layer 2 and
Layer 3 multicast configurations.
• multicast6 – Generates system and debugging information specific to Layer 2 and
IPv6 Layer 3 multicast configurations
• openflow – Displays Openflow related details.
• packet‐loss – Generates packet statistics‐related debugging information.
• poe – Generates system and debug information related to Power over Ethernet
configurations.
• stack – Generates system and debugging information specific to stacking
configurations.

Revision 2212 7 ‐ 41
ICX 150 Device Security and Monitoring

SupportSave

When the information in the show tech-support is not enough to identify the issue,
TAC may have you run a SupportSave.

Revision 2212 7 ‐ 42
ICX 150 Device Security and Monitoring

Supportsave

• Supportsave is useful when collecting a large amount of debug

information for troubleshooting purposes
– Often requested by RUCKUS technical support when troubleshooting an issue
• Advantages over a show tech-support
– Allows you to add custom commands (show or debug) to collect specific data
that is not included in show tech-support
– Allows the transfer of collected data to an external server such as a Trivial File
Transfer Protocol (TFTP) server
• If you add a large number of custom commands to the supportsave
command, it may collect a large amount of data
– Try not to collect a supportsave during peak network activity

43 © 2022 CommScope, Inc.

Another useful troubleshooting tool is Supportsave. By default, the supportsave

command collects the same information found in the show tech-support command,
but it allows you to add custom show and debug commands to collect specific data not
found in a show tech-support.

If you add a large number of custom commands to the supportsave command, it may
greatly increase the file size. If possible, do not collect the Supportsave during peak
network activity.
When supportsave is executed, it collects all the required logs and information and
saves it to an external TFTP server.
On an ICX stack, you do not need to run the supportsave command on each of the
members in a stack, you only need to run it from the active controller. The active controller
will collect logs from all stack members and send them to the TFTP server.

Revision 2212 7 ‐ 43
ICX 150 Device Security and Monitoring

Supportsave
• Supportsave parameters
supportsave [all | os | platform | l2 | l3 | custom | core |
system | infra] [display | tftp_server_IP]
tftp_server_relative_pathname [user_tag]

• Specify which logs to collect

– all ‐ all related log files
– os ‐ operating system (OS) related information
– platform ‐ platform related information
– l2 ‐ Layer 2 related information
– l3 ‐ Layer 3 related information

• Specify output destination (display or TFTP server)

• Options include
– user_tag – a string to uniquely identify the supportsave file
– tftp_server_IP – TFTP server where logs are uploaded
44 © 2022 CommScope, Inc.

As previously mentioned, by default, the Supportsave collects the same information found
in the show tech-support, but it can be customized to collect even more by
specifying which logs or customer commands to collect. By using the custom parameter,
you can enter a list of custom command data to collect.

A few of the different log types are listed here; for a full list, please refer to the ICX
documentation on the RUCKUS website.

Once you have specified the logs and command information to collect, you can use the
user_tag parameter to name the Supportsave file and specify the IP address of the TFTP
server.

Revision 2212 7 ‐ 44
ICX 150 Device Security and Monitoring

Supportsave Limitations

• Only one supportsave command can be executed at a time

• When supportsave is being collected, other CLI commands cannot be

invoked during that session
– Other CLI sessions can be used to execute other commands

• Use supportsave show to view the status of the file collection

• Use supportsave cancel to terminate the file capture

45 © 2022 CommScope, Inc.

At any given time, only one Supportsave command can be run. If you have a Telnet session
and run the supportsave command you will see a progress bar indicating the progress
of the file collection. Once the Supportsave command is invoked, the Telnet session is
blocked for other commands. However, other Telnet sessions to the same switch can be
used to execute commands.

The supportsave show command gives the status of the file collection, and
supportsave cancel will terminate file capture.

Revision 2212 7 ‐ 45
ICX 150 Device Security and Monitoring

You should now be able to:

• Use Authentication, Authorization, and
Accounting (AAA), RADIUS and TACACS+ to
secure an ICX device

• Enable 802.1X to provide port‐based network

access control using authentication

Summary • Configure Dynamic ARP Inspection to allow valid

ARP requests and responses

• Utilize Access Control Lists to limit IP and MAC

traffic

• View system log (Syslog) messages to monitor

an ICX device

• Collect files needed for technical support

This concludes the Device Security and Monitoring presentation. You should now be
able to:
• Secure an ICX device using AAA
• Configure 802.1x on Ethernet interfaces
• Configure DAI on Ethernet interfaces
• Describe the different levels of Syslog messages
• Allow or deny traffic on interfaces based on IP and MAC ACL rules
• Explain the difference between Show Tech‐support and Supportsave files

Revision 2212 7 ‐ 46
ICX 150 Device Security and Monitoring

End of presentation:
Device Security & Monitoring

Thank you

This is the end of the Device Security and Monitoring presentation.

Revision 2212 7 ‐ 47
ICX 150 Device Security and Monitoring

Revision 2212 7 ‐ 48
ICX 150 Layer 2 Fundamentals

Layer 2 Fundamentals

Revision 2212

In this presentation we will discuss Virtual LANs, VE interfaces, and Link Aggregation
Groups as well as outline the considerations and configurations on RUCKUS ICX devices.

So, let’s get started

Revision 2212 8‐1

ICX 150 Layer 2 Fundamentals

After completing this module, you should be

able to:

• Configure VLANs and associate tagged and

untagged ports

• Describe Virtual Routing Interfaces (VE ports)

Objectives
• Describe Link Aggregation Groups and the
supported types on ICX devices

• Configure LAGs on ICX devices

• Explain how to effectively manage LAGs along

with member ports of a LAG

After completing this module, you should be able to:

• Configure VLANs and associate tagged and untagged ports
• Describe Virtual Routing Interfaces (VE ports)
• Describe Link Aggregation Groups and the supported types on ICX devices
• Configure LAGs on ICX devices
• Explain how to effectively manage LAGs along with member ports of a LAG

Revision 2212 8‐2

ICX 150 Layer 2 Fundamentals

VLAN Configuration

We’ll start with how to configure VLANs on the RUCKUS ICX devices.

Revision 2212 8‐3

ICX 150 Layer 2 Fundamentals

VLANs
• ICX devices support port‐based, private,
and dynamic MAC‐based VLANs

– The Default VLAN is 1

For more details on ICX VLANs, please
refer to the RUCKUS FastIron Layer 2
Switching Configuration Guide, on:
support.ruckuswireless.com.
– By default, all interfaces belong to VLAN 1
– The Default VLAN can be changed using the
command:
default-vlan-id vlanid
• VLAN ID range is 1 to 4095
– Reserved VLANs: 4087 and 4090 are RUCKUS
internal, and VLAN 4094 for Single STP.
VLANs 4091 and 4092 are also reserved for
internal use, but can be remapped

4 © 2022 CommScope, Inc.

ICX devices support port‐based, private, and dynamic MAC‐based VLANs. By default, VLANs
are port‐based and this presentation focuses on port‐based VLANs.

For more details on ICX VLANs, please refer to the RUCKUS FastIron Layer 2 Switching
Configuration Guide, at support.ruckuswireless.com

On all ICX devices, VLAN 1 is considered the Default VLAN and it is a port‐based VLAN. The
Default VLAN is always untagged and cannot be tagged on any interfaces. When an
interface is untagged in another VLAN it is removed automatically from the Default VLAN.

All ports start out as members of VLAN 1. The Default VLAN can be changed using the
default‐vlan‐id command. Valid VLAN IDs are 1 through 4095, though some IDs are
reserved. VLAN ID 4094 is reserved for Single Spanning Tree, and VLANs 4087, 4090, 4091,
and 4092 are reserved for RUCKUS internal functions. VLANs 4091 and 4092 can be
remapped with the use of the reserved-vlan-map command.

Note:
4087 is reserved for MSTP Control
4090 is reserved for default ARP
4091 is reserved for CPU
4092 is reserved for all ports
4094 is reserved for single instance STP

Revision 2212 8‐4

ICX 150 Layer 2 Fundamentals

VLANs with 802.1Q Tagging

• VLAN tagging allows multiple VLANs to span
switches over a single physical link
– When VLANs span multiple switches, a trunk data
link is required between the switches providing VLAN
tagging

• Provides VLAN membership information within

the frame when forwarded to other devices

Example Configuration:
RUCKUS2(config)# vlan 10 name GRAY
RUCKUS2(config-vlan-10)# tagged ethernet 1/1/9
RUCKUS2(config-vlan-10)# vlan 20
RUCKUS2(config-vlan-20)# tagged ethernet 1/1/9

5 © 2022 CommScope, Inc.

VLAN tagging is necessary when VLAN traffic is forwarded on the same link between two
switches known as a trunk. Frames moving between switches are tagged so that the next
switch in the traffic flow path knows the destination VLAN of the frame.

Any part of the network that is or needs to be VLAN‐aware will include VLAN tags. The
VLAN tag represents the VLAN membership of the frame's port or the port/protocol
combination, depending on whether the network uses port‐based or port‐and‐protocol‐
based VLAN classification.

The VLAN ID that is in the tag enables each device that receives the frame to determine
which VLAN the frame belongs to. Each frame must be distinguishable as being within
exactly one VLAN.
A port that is a member of only one VLAN, like a end device port, can be associated with a
VLAN however it is added as untagged. We will discuss untagged ports next.

Creating VLANs is done at the global CONFIG level using the vlan command followed by a
VLAN ID. Again, valid IDs are from 1 to 4095. Optionally, you can configure a name for each
VLAN using the name parameter. VLAN names can be up to 32 characters long, and can
include spaces (but the name must be put in double quotation marks).

The next step is to add the ports to the VLAN as either tagged or untagged. Here we have
added ethernet interface 1/1/9 as tagged to both VLAN 10 and VLAN 20. Notice that VLAN
10 was configured with a name, but VLAN 20 was not. Remember, VLAN names are
optional.

Revision 2212 8‐5

ICX 150 Layer 2 Fundamentals

VLANs without 802.1Q Tagging

Without VLAN tagging, when multiple VLANs are configured on a
switch:
• Each VLAN requires dedicated uplinks to forward traffic
between switches
• Bandwidth on the dedicated ports might not be fully utilized
• Higher cost due to port requirements Untagged VLAN
Association
• Impossible if a high number of VLANs
are configured
Example Configuration:
RUCKUS2(config)# vlan 10 Untagged VLAN
Association
RUCKUS2(config-vlan-10)# untagged ethernet 1/1/9
RUCKUS2(config-vlan-10)# vlan 20
RUCKUS2(config-vlan-20)# untagged ethernet 1/1/12
RUCKUS2(config-vlan-20)# vlan 4
RUCKUS2(config-vlan-4)# untagged ethernet 1/1/12
Error! Port 1/1/12 is already untagged member of non default VLAN 20

6 © 2022 CommScope, Inc.

It is possible for connected switches to have a port associated with a single VLAN which will
send and receive packets with no tag. When doing so, these are considered untagged
frames and the end device is unaware of its VLAN association and simply forwards and
receives untagged frames.

For consistency of untagged VLANs between two devices, directly connected interfaces
should be configured with the same VLAN ID, so that traffic associated with those ports
remains consistent. Optionally if you want to make a VLAN migration, each end can be
associated with different VLANs. Because the VLAN ID is not being included in the frames
that are being forwarded, each device will simply associate the incoming traffic to the VLAN
the incoming port is assigned to.

As you can see by this example, each VLAN requires a dedicated uplink which is not very
efficient, it is impossible to scale a large number of VLANs as you will run out of ports, and
in most cases the ports are under‐utilized. To set an interface as untagged, navigate to the
VLAN configuration context, then use the untagged command specifying the port that
that you want to set as untagged for this VLAN.

Notice in this example, we have two VLANs (10 and 20), being applied to two different
interfaces which are being added as untagged. This is because only one VLAN can be
associated as untagged on an interface otherwise you will receive an error as we see when
trying to apply Interface 12 as an untagged member of VLAN 4.

Revision 2212 8‐6

ICX 150 Layer 2 Fundamentals

Mixed VLAN Traffic (tagged/untagged)

• Ports are members of the default VLAN (default VLAN 1)
• Ports can be an untagged member of 1 VLAN and a tagged member of one or more VLANs
• Ports when assigned as tagged in a VLAN will remain untagged in its current VLAN
assignment
– Port has to be exclusively removed as an untagged member of a VLAN to drop untagged frames

RUCKUS(config-vlan-20)#vlan 10
e 1/1/3
RUCKUS(config-vlan-10)#untagged e 1/1/3
Added untagged port(s) ethe 1/1/3 to port-vlan 10.
RUCKUS(config-vlan-10)#vlan 20
RUCKUS(config-vlan-20)#tagged e 1/1/3
Added tagged port(s) ethe 1/1/3 to port-vlan 20
RUCKUS(config-vlan-20)#vlan 1
RUCKUS(config-vlan-1)#no untagged e 1/1/4
Error! Port 1/1/4 is member of default VLAN only.
Cannot remove

7 © 2022 CommScope, Inc.

Configuring an interface to be a tagged member of a non‐default VLAN allows it to accept

VLAN tagged frames. Any untagged frames received on the interface are still accepted and
forwarded within its default VLAN membership.

When an untagged membership of an interface is removed from a non‐default VLAN, the

interface will be added back to the default VLAN as an untagged interface.

Additionally, an interface will be moved to the default VLAN when the last non‐default
VLAN is disassociated from the interface (tagged or untagged). In order for an interface to
be removed from the default VLAN it has to be associated with a non‐default VLAN first
otherwise you will receive an error when trying to remove it from its default VLAN as
shown.

An interface should be a member of at least one VLAN at any given time.

Revision 2212 8‐7

ICX 150 Layer 2 Fundamentals

Creating Multiple VLANs

You can specify the VLAN number and range using the to keyword between two num options
that specify the VLAN ID
– To create a continuous range of VLANs, enter command such as the following.
RUCKUS(config)# vlan 2 to 7
RUCKUS(config-mvlan-2-7)#

– Discontinuous VLANs
RUCKUS(config)# vlan 2 4 7
RUCKUS(config-mvlan-2*7)#

– Continuous and discontinuous VLANs together

RUCKUS(config)# vlan 2 to 7 20 25
RUCKUS(config-mvlan-2*25)#

8 © 2022 CommScope, Inc.

Similar to configuring a range of interfaces, VLANs can be configured independently or as a

range of VLANs if needed. The Multi‐range VLAN feature allows you to create and configure
up to 1024 VLANs by entering a single command. Here are a few examples.

Revision 2212 8‐8

ICX 150 Layer 2 Fundamentals

Virtual Routing Interfaces

• Integrated Switch Routing (ISR)
– Ability to route between VLANs with virtual routing interfaces (VEs)
• Virtual Interfaces (VE) are logical routing interfaces used to route L3 protocol traffic
between VLANs
– Configure a VE on each VLAN that needs routing capabilities
• Routing parameters are configured on the VE, allowing for routing outside the local
switch
– Parameters include:
o IPv4/v6 addresses
o Static routing associated with the VE (next‐hop)
o Routing protocols such as OSPF providing
dynamic routing to and from the VLAN
o L3 redundancy protocols such as
VRRP/VRRP‐E

– It is required that the switch run ICX routing software

for this feature to work
9 © 2022 CommScope, Inc.

RUCKUS allows the ability to route between VLANs which is called Integrated Switch
Routing (or ISR).

ISR enables VLANs configured on the ICX to forward traffic between VLANs by routing
traffic using Layer 3 interfaces. ISR eliminates the need for an external router by routing
between VLANs internally using virtual routing interfaces known as Virtual Ethernet or VEs.

In this scenario routing between VLANs requires each VE to belong to a different Layer 3
subnet, which is associated to each VLAN you want to route packets. Routing parameters,
including, next‐hop static routing, routing protocols, and Layer 3 redundancy protocols can
be configured on the VE. We will outline creation of VE interfaces in an upcoming
presentation, however, know that the VLAN must exist before a VE can be created.

Revision 2212 8‐9

ICX 150 Layer 2 Fundamentals

Link Aggregation Groups (LAG)

Our next topic is Link Aggregation Groups, or LAGs.

Revision 2212 8 ‐ 10
ICX 150 Layer 2 Fundamentals

Link Aggregation Groups (LAG)

Link Aggregation Groups (LAG) allow the combining of multiple Ethernet links into a
larger logical trunk.

• The switch treats the LAG as a single logical link

• The benefits of link aggregation:
– Increased bandwidth (The logical bandwidth can be dynamically changed as the demand changes)
– Increased availability
– Load sharing
– Rapid configuration and reconfiguration

• LAG member ports must connect to the same adjacent switch

– LAG requirements may vary for different platforms, such as the number of links in the LAG, specific port
boundaries, etc.
– Always check what is supported at both ends

11 © 2022 CommScope, Inc.

Link Aggregation Groups or LAGs have many names, such as trunks, NIC teaming, and port
channels.

LAGs allow the combining of multiple Ethernet links into a larger logical trunk. This provides
benefits to the link by increasing its overall bandwidth, increasing stability of the overall
link since it is not dependent on just a single port’s health which also provides increased
failure protection.

In a LAG, individual port members can fail but do not cause traffic interruption since other
remaining healthy port members can still forward traffic.
For ports to participate in a LAG, the physical links must have similar characteristics and
must connect to the same adjacent switch or group of switches represented as one like in a
stack.

The requirements for LAGs vary for different platforms, such as the number of members in
the LAG, specific port boundaries, etc., always check what is supported on the devices on
both ends of the LAG.

Revision 2212 8 ‐ 11
ICX 150 Layer 2 Fundamentals

LAG Creation Rules

• A port can only be a member of a single LAG (dynamic, static, or keep‐alive)
• All ports in the LAG must be identical with respect to:
– VLAN tag type (untagged and tagged)
– Configured port speed and duplex
– Operational port speed and duplex (Note: LAGs can be created with ports of different speeds, but the speed of the least
capable port will need to be set for all ports)
– No Layer 3 configurations (Note: Layer 3 configuration can be applied to the virtual LAG interface)
– ACL configurations
• Remote device LAG configuration must support the same number of links
• LAGs are supported on 1, 2.5, 5, 10, 40, and 100 Gbps ports
• Port assignments do not need to be consecutive (ex: can use ports 1, 2, and 4)
• LAG ports must connect to the same physical or logical end device

12 © 2022 CommScope, Inc.

There are several rules for creation of LAGs. Shown here is a highlight of some of the rules
in software release 08.0.95.

• A port can only be a member of a single LAG (of any type) at any given time.
• All ports in the LAG must have the same VLAN configurations (both tagged an untagged).
They should have the same configured port speed and duplex, as well as the same
operational speed and duplex. That is not to say that all ports of the LAG need to be the
same type. You can have 1 Gbps ports and 10 Gbps ports in a LAG, but the 10 Gbps ports
will need to be configured to operate at 1 Gbps. Additionally, the ports must have no
applied Layer 3 configurations and if ACL configurations exist on the ports, it must
match.
• Other rules include The remote device needing to supporting the same number of links
that you are trying to include in the LAG.
• Supported LAG ports for ICX include 1, 2.5, 5, 10, 40, and 100 Gbps ports.
• Port assignments don’t need to be consecutive, but if you are building a new
configuration it is best practice for them to be.

…Continued on next slide

Revision 2212 8 ‐ 12
ICX 150 Layer 2 Fundamentals

Blank Notes Page

<continued from previous slide…>

• The LAG ports must connect to the same physical or logical end device. So either from
switch to switch like we displayed earlier or between two stacks of switches or even
other logical devices such as devices configured with multi‐chassis trunking.

For a full list of LAG formation rules consult the RUCKUS FastIron Layer 2 Switching
Configuration Guide for your release.

Revision 2212 8 ‐ 13
ICX 150 Layer 2 Fundamentals

LAG Creation Rules (cont.)

• RUCKUS provides support for static and dynamic LAGs on the same switch

• All member ports of the LAG are treated as secondary ports

– Physical ports can be added or removed from the LAG without tearing down the LAG
– A mode called LAG virtual interface is introduced and the properties of the LAG can be modified using the
respective commands in the LAG virtual interface mode (similar to an Ethernet interface)
– LAG virtual interface is automatically created when a LAG is configured
– The first physical port added to the LAG becomes the MAC provider for the LAG virtual interface

14 © 2022 CommScope, Inc.

ICX devices support the use of static and dynamic LAGs on the same device, which we’ll
discuss in the next slide. It is also important to know that physical ports of a LAG are
treated as secondary ports. This means that rather than configuration being applied to
those physical ports, rather they inherit their configurations from the LAG virtual interface.

Revision 2212 8 ‐ 14
ICX 150 Layer 2 Fundamentals

LAG Types
ICX devices support the following LAG types:

• Dynamic LAG – uses Link Aggregation Control Protocol (LACP), to maintain aggregate links
over multiple ports
– LACP PDUs are exchanged between ports on each device to determine if the connection is still
active
– LAG shuts down ports whose connection is no longer active

• Static LAG – groups are manually‐configured aggregate links containing multiple ports

• Keep‐alive LAG – a single LACP port connection

– Preferred method for detecting unidirectional links across multi‐vendor devices instead of link
keep‐alive (UDLD)
– If the connection is no longer active, the ports are blocked

15 © 2022 CommScope, Inc.

ICX devices support three types of LAGs.

The first is a Dynamic LAG: – a dynamic LAG uses the Link Aggregation Control Protocol
(LACP) to maintain aggregate links over multiple ports. LACP PDUs are exchanged between
ports on each device to determine if the connection is still active. The LAG shuts down
ports whose connection is no longer active.

The second is a Static LAG. In a static LAG, groups are manually‐configured aggregate links
containing multiple ports.

The third type of LAG is a Keep‐alive LAG: this type of LAG is a single LACP port connection
which is based on a standard rather than on a proprietary solution. It is the preferred
method for detecting unidirectional links across multi‐vendor devices instead of link keep‐
alive (UDLD). If it is determined that the connection is no longer active, the ports are
blocked.

This presentation focuses on the configuration of static and dynamic LAGs.

Revision 2212 8 ‐ 15
ICX 150 Layer 2 Fundamentals

Dynamic LAG
• Dynamic link aggregation uses Link Aggregation Control Protocol (LACP), IEEE
standard 802.1AX
– Used to control the bundling of several physical ports to form a single logical link

• LACP allows a device to negotiate an automatic bundling of links by sending

Link Aggregation Control Protocol Data Units (LACP PDUs) to a directly
connected device
– Both devices must be configured to use LACP

16 © 2022 CommScope, Inc.

Dynamic LAGs use the IEEE 802.1AX standard for link aggregation. LACP is a mechanism for
allowing ports on both sides of a redundant link to communicate to form a LAG, also
known as a trunk.

When link aggregation is enabled on a group of ports, and the LAG type is configured as
Dynamic, LACP will be used to negotiate with the remote end device ensuring proper
configuration of each port member (including verifying the physical ports are properly
connected, configured, and operational). In order to utilize Dynamic LAGs, both ends of the
LAG must support (and be configured to use) LACP.

RUCKUS ports follow the same configuration rules for dynamically created aggregate links
as they do for statically configured LAGs.

Revision 2212 8 ‐ 16
ICX 150 Layer 2 Fundamentals

Static LAGs
• A static LAG does not use LACP and essentially enables the ports to join a port
channel

• Static configuration is used when connecting to another switch or device that

does not support LACP

• When using a static configuration, a cabling or configuration mistake by either

end of the LAG could go undetected and thus cause undesirable network
behavior

17 © 2022 CommScope, Inc.

Static LAGs do not use a protocol to establish the connection like LACP, instead they are
manually‐configured aggregate links containing multiple ports and assumes that the ports
on the remote end are properly configured. This can lead to possible problems like wrong
ports connected between the devices etc. since there is no verification process taking
place.

Static configuration is useful when connecting to another switch or device that does not
support LACP. Because a static LAG does not use LACP, it essentially forces the ports to join
a port channel, and the links come up automatically regardless of a configuration mistake.

Revision 2212 8 ‐ 17
ICX 150 Layer 2 Fundamentals

ICX LAG Specifications

ICX switches provide a large number of LAGs that can be configured on a switch
or a switch stack with up to 16 port members per LAG

Model Maximum number of LAGs Valid number of ports in a group

Static LACP
ICX 7850
ICX 7750
1 to 16
ICX 7650
256 256 NOTE: The RUCKUS ICX device can scale up to a
ICX 7550
maximum of 2048 LAG ports
ICX 7450
ICX 7250
1 to 8
RUCKUS ICX 7150 can scale up to 1024 LAG ports
ICX 7150 128 128
and is also limited to the number of ports on the
device

18 © 2022 CommScope, Inc.

ICX switches provide a large number of LAGs that can be configured on a switch or a switch
stack with up to 16 port members per LAG on all but ICX 7150 switches.

Revision 2212 8 ‐ 18
ICX 150 Layer 2 Fundamentals

LAG Configuration

Now that we understand the benefits and the need for LAGs, let’s take a look at the LAG
configuration.

Revision 2212 8 ‐ 19
ICX 150 Layer 2 Fundamentals

LAG Configuration Overview

The following configuration procedures are used to configure a LAG:

1. Create a Link Aggregation Group (static, dynamic, keep‐alive)

2. Add Ports to the LAG
3. Configure properties of the LAG on the LAG virtual interface (vLAG)
4. Configure optional LAG parameters

Optional LAG parameters include:

LAG Threshold (Static only)‐ Defines how many members ports must be operational, if not met entire LAG is disabled
LACP Timeout (for Dynamic and Keep‐alive types) ‐ Specifies the port timeout as short (3 seconds), or long (90 seconds)
LACP Operational mode ‐ Active (default) actively negotiates LACP, while passive only listens

20 © 2022 CommScope, Inc.

The configuration of a LAGs starts with creating a Link Aggregation Group and identifying if
it will be a dynamic, static or a keep-alive configured LAG.

Next the LAG port members will be identified. Once the first port is associated with the
LAG it is automatically deployed and the LAG virtual interface is automatically created. As a
result you can now navigate to the newly created virtual LAG interface and configure
parameters which are applied to all port members of the LAG.

Additional parameters that pertain to the LAG formation can also be configured. Since
these are optional, we’re going to briefly explain them instead of showing the associated
configurations.

…Continued on next slide

Revision 2212 8 ‐ 20
ICX 150 Layer 2 Fundamentals

Blank Notes Page

<continued from previous slide…>

LAG Thresholds are an optional configuration which apply to static LAGs only. This enables
an administrator to specify the minimum number of links within the LAG that should be
operational before the entire LAG is disabled.

LACP Timeouts are optional configurations that apply to dynamic and keep‐alive LAGs. You
can choose to configure a short timeout or a long timeout as needed. This defines how
long the LAG is willing to wait on LACPDU messages before a timeout occurs, this can also
impact re‐establishing connections. By default if no LACP timeout method is specified it will
operate based on IEEE standards and start with short timeouts, moving to long timeouts
once the LAG is operational.

LACP Operational mode applies only to dynamic LAGs. By default the operational mode is
active, meaning that the LAG will actively negotiate LACPDUs, if set to passive (using the
lacp-mode passive command) the LAG will only participate in LACP if it has an active
partner.

Revision 2212 8 ‐ 21
ICX 150 Layer 2 Fundamentals

LAG Configuration Steps – Create the LAG

1. Create a LAG by giving it a name and defining it as static, dynamic or keep‐alive
RUCKUS(config)# lag blue1 dynamic id auto

Syntax: [no] lag <name> [static | dynamic | keep-alive] [id <number/auto>]

• The ID parameter is optional, value is 1 to 256

• The LAG ID can be automatically generated and assigned to a LAG using the auto option
• LAG IDs are unique for each LAG configured on the switch
2. Add ports to the LAG
RUCKUS(config-lag-blue1)# ports ethernet 1/1/9 to 1/1/11
LAG blue1 deployed successfully!

• All port parameters must match for ports to be added to the LAG
• Upon the addition of the first physical port to a LAG, a LAG virtual interface is automatically
created and is available for user configuration
22 © 2022 CommScope, Inc.

The configuration of a LAG starts with defining a name for the LAG followed by the keyword
dynamic or static, which denotes the type of LAG you are configuring, followed by id
and the id value. The auto parameter is optional and creates an id automatically.

This example creates a LAG named “blue1” as dynamic, but it could easily be configured as
static using the static keyword since they are configured in the same manner. The
maximum length for a LAG name is 64 characters. The name can have spaces if you enclose
the name in quotations.

The LAG ID is optional, and valid IDs are 1 to 256. If you do not specify a LAG ID, the system
generates one automatically when the auto option is used. LAG IDs are unique for each
LAG in the local system, if you enter a duplicate ID, you will receive an error, and be told the
next available ID: Error: LAG id 123 is already used. The next
available LAG id is 2.

The second step is to add your ports to the LAG, using the ports ethernet command.
As mentioned previously, all port parameters must match for the ports to be successfully
added to the LAG.

Revision 2212 8 ‐ 22
ICX 150 Layer 2 Fundamentals

LAG Configuration Steps – Configure the virtual interface

3. Accessing the LAG interface allows you to enter the LAG virtual interface mode. The
ID was selected in Step 1, if auto was used the output of show lag will display
the LAG ID

RUCKUS(config)# interface lag 1

RUCKUS(config-lag-if-lg1)#

• You can configure the properties of the LAG on the LAG virtual interface
– Changes made to the LAG virtual interface are propagated to all port members in the LAG

• Examples of Layer 2 LAG configurations:

RUCKUS(config-lag-if-lg1)# spanning-tree 802-1w admin-pt2pt-mac
RUCKUS(config-lag-if-lg1)# spanning-tree root-protect
RUCKUS(config-lag-if-lg1)# speed-duplex 10g-full

23 © 2022 CommScope, Inc.

The third step is to enter the LAG virtual interface and configure LAG parameters.

All configurations are done on the LAG virtual interface are then applied to all member
ports in the LAG. When viewing the running configuration, it will show the LAG virtual
interface similar to physical Ethernet ports in the configuration.

Static LAGs are configured in the same manner as shown including port membership and
layer 2 options.

Note: For a complete list of configurations that can be used under the LAG virtual interface,
refer to the RUCKUS FastIron Layer 2 Switching Configuration Guide.

Revision 2212 8 ‐ 23
ICX 150 Layer 2 Fundamentals

LAG Virtual Anchor Speed

• When ports are added to a LAG without manually configured speed:
– LAG detects operational speed of first LAG member to reach “UP” state and uses detected
speed as LAG anchor speed
o Note: anchor speed can change depending on port bring‐up sequence
– Configuration speed will be compared when port is added to a LAG against LAG’s anchor
speed
– LAG ports which come up with different operational speed as compared to LAG anchor
speed will be error disabled with reason: lag-operSpeed-mismatch

• Error disabled LAG port can be recovered using below methods,

– Configuring auto error disable recovery for lag‐operSpeed‐mismatch reason
– Disable and Re‐enabling the LAG interface
– Applying an explicit speed configuration for LAG interface It is a good practice to manually
set speed of LAG under the vLAG
interface if possible.

24 © 2022 CommScope, Inc.

When a LAG moves to an operational state it will establish an anchor speed which is
chosen by the first physical port operation speed. It is important to note that if member
ports are not manually set to the same port speed (not their capable speed) the anchor
speed can change based on the first operationally up port in the LAG.

The reset of the anchor speed could potentially cause ports of the LAG to become error
disabled if a member is not capable of the anchor speed. Therefore, it is a good practice to
manually set speed of LAG under the vLAG interface establishing the expected anchor
speed of the LAG.

When ports have been disabled because of an anchor speed issue, the ports will show a
reason of lag-operSpeed-mismatch. To recover a port that has been disabled you
can configure auto‐recovery with the errdisable recovery command specifying the
cause as lag-operspeed-mismatch, you can disable/enable the LAG interface, or you
can explicitly apply the correct speed configuration to the LAG interface.

Revision 2212 8 ‐ 24
ICX 150 Layer 2 Fundamentals

LAG Speed Configuration

• To ensure LAG speed consistency between disable state and reboots:
– Manually configure the vLAG port with a set speed which is applied to all members
RUCKUS(config-lag-if-lg1)# speed-duplex 1000-full
RUCKUS(config-lag-if-lg1)# write memory

– The configured speed will become the anchor speed for the LAG
– Error message will be created if speed configured is not supported by at least one of
the physical interfaces under LAG

• Port will be ERR-DISABLED if it cannot support the configured speed

RUCKUS(config-lag-if-lg1)# show interface ethernet 2/1/3
GigabitEthernet2/1/3 is ERR-DISABLED (lag-operSpeed-mismatch), line protocol is down
Port down for 55 second(s)
Hardware is GigabitEthernet, address is cc4e.246c.d7a9 (bia cc4e.246c.c982)
Configured speed auto, actual unknown, configured duplex fdx, actual unknown
Configured mdi mode AUTO, actual unknown
25 © 2022 CommScope, Inc.

As we just talked about, by default, the LAG anchor speed is determined by the operational
speed of the first port that comes online in the LAG. When devices are rebooted or links
are reset, the anchor speed can change and might not remain what it was and
subsequently cause links to become disabled.

In this example we are manually setting the LAG anchor speed under the vLAG interface.
Once configured the LAG speed will be consistent lowering the chance that member ports
will become error disabled due to an anchor speed mismatch.

Revision 2212 8 ‐ 25
ICX 150 Layer 2 Fundamentals

Adding LAG to VLAN

• VLAN association is applied to Virtual LAG interface
RUCKUS(config)# vlan 100
RUCKUS(config-vlan-100)# untagged lag 1
Added untagged port(s) lag lg1 to port-vlan 100

• VLAN membership configured on vLAG is applied to all port members

RUCKUS# show interface e 1/1/9
GigabitEthernet1/1/9 is up, line protocol is up
<Output Truncated>
Untagged member of L2 VLAN 100, port state is FORWARDING
<Output Truncated>

• VLAN membership configuration is not allowed on physical port members

RUCKUS(config-vlan-100)# tagged e 1/1/9
Error - Vlan 100 Operation on Lag 1 Secondary port 1/1/9 is not Allowed.

26 © 2022 CommScope, Inc.

A LAG can be associated to a VLAN by specifying the LAG ID as either tagged or untagged
from within the VLAN. Once the VLAN is added to the LAG it is dynamically applied to all
physical port members of the LAG. Member ports will reflect the VLAN membership when
displaying the physical port details. If VLAN membership is applied to port members you
will receive an error, the membership must be applied at the virtual LAG interface.

Revision 2212 8 ‐ 26
ICX 150 Layer 2 Fundamentals

Disabling and Naming Physical Ports Within a LAG

• You can disable an individual port within a LAG using the disable command within
the LAG configuration
RUCKUS(config)# lag blue1 dynamic id 1
RUCKUS(config-lag-blue1)# disable ethernet 1/1/9

• Configuration to physical member interfaces is disabled

• Attempts to enter into the physical port changes to LAG configuration context
RUCKUS(config)# int e 1/1/9 Attempting to access the physical LAG
RUCKUS(config-lag-if-lg1)# interface will place you into the LAG
configuration context!

• Assigning a name to a physical port within a LAG

• Use the port-name command within the LAG configuration as shown in the following
RUCKUS(config)# lag blue1 dynamic id 1
RUCKUS(config-lag-blue1)# port-name "RUCKUS lag 1/3" ethernet 1/1/9
RUCKUS(config-lag-blue1)# port-name "RUCKUS lag 2/3" ethernet 1/1/10
RUCKUS(config-lag-blue1)# port-name "RUCKUS lag 3/3" ethernet 1/1/11
27 © 2022 CommScope, Inc.

Disabling of an individual port member within a LAG is performed under the LAG
configuration using the disable ethernet command. Ports disabled in this manner
are still LAG port members however are not forwarding data for the given LAG. Enabling of
the physical port in the LAG can be achieved using the enable ethernet command as
well.

It is important to understand that attempting to access the physical port configuration of

any of the LAG port members will re‐direct you to the virtual LAG interface context. From
the virtual LAG interface context entering a disable command will disable the entire LAG.
Since there is no warning that the configuration context changed it’s important to pay close
attention to ensure you don’t accidently disable the entire LAG when you meant to disable
a single port.

Once a physical port is a member of a LAG, configuration on the individual port is very
limited. Therefore any configuration applied to the physical port is accomplished under the
LAG including naming of the physical port.

The name can be up to 255 characters long, port names with spaces must be enclosed
within double quotation marks.

Revision 2212 8 ‐ 27
ICX 150 Layer 2 Fundamentals

Renaming an Existing LAG

• Changing the name of an existing LAG will not cause any impact on the functionality
of the LAG
• Rename the LAG using the update-lag-name command within the LAG
configuration mode
• New name provided must be unique and unused
• LAG configuration mode will exit after successful name update
RUCKUS(config)# lag blue1 dynamic id 1
RUCKUS(config-lag-blue1)# update-lag-name blue
Lag blue1 is updated to new name blue
RUCKUS(config)#

28 © 2022 CommScope, Inc.

Naming and identifying LAG and ports are very important and sometimes name change is
required. ICX devices allow this without having to disable or recreate the LAG by using the
update-lag-name command. Enter into the lag under its current name and issue this
command to update the lag name to your preference.

Revision 2212 8 ‐ 28
ICX 150 Layer 2 Fundamentals

Removing Ports From an Existing LAG

Removing a physical port from an existing LAG
RUCKUS(config)# lag blue static id 1
RUCKUS(config-lag-blue)# no ports ethernet 1/1/9
Success - Port 1/1/9 is disabled automatically to avoid potential loop

Note: When you remove a port from a deployed LAG, the physical port is disabled
automatically

29 © 2022 CommScope, Inc.

Other LAG maintenance might require you to remove physical ports from an existing LAG
which can be performed while the LAG is still deployed. Using the no ports ethernet
command under the LAG configuration mode allows the port to be removed. To eliminate
the possibility of loops in the environment the removed port is immediately disabled. There
are circumstances where removing a port from a LAG might fail, for instance if removing
the port would cause the LAG to fall below a configured LAG threshold.

Also new ports can be added to an existing LAG as well, however keep in mind that for it to
properly function it has to meet the requirements of the LAG as discussed earlier. These
include VLAN membership and speed to name a few.

Revision 2212 8 ‐ 29
ICX 150 Layer 2 Fundamentals

Displaying LAG Information

• Use the show lag lag_name command to view LAG configuration and
status
RUCKUS# show lag blue
<Truncated Output>
=== LAG "blue" ID 1 (dynamic Deployed) ===
LAG Configuration:
Ports: e 1/1/9 to 1/1/11
Port Count: 3
Lag Interface: lg1
Trunk Type: hash-based
LACP Key: 20001
Deployment: HW Trunk ID 1
Port Link State Dupl Speed Trunk Tag Pvid Pri MAC Name
1/1/9 Up Forward Full 1G 1 No 1 0 d4c1.9e95.a678 RUCKUS lag 1/3
1/1/10 Up Forward Full 1G 1 No 1 0 d4c1.9e95.a678 RUCKUS lag 2/3
1/1/11 Up Forward Full 1G 1 No 1 0 d4c1.9e95.a678 RUCKUS lag 3/3
Port [Sys P] [Port P] [ Key ] [Act][Tio][Agg][Syn][Col][Dis][Def][Exp][Ope]
1/1/9 1 1 20001 Yes L Agg Syn Col Dis No No Ope
1/1/10 1 1 20001 Yes L Agg Syn Col Dis No No Ope
1/1/11 1 1 20001 Yes L Agg Syn Col Dis No No Ope
Partner Info and PDU Statistics
Port Partner Partner LACP LACP
System ID Key Rx Count Tx Count
1/1/9 1-c0c5.20a4.5247 20001 20 19
1/1/10 1-c0c5.20a4.5247 20001 17 16
1/1/11 1-c0c5.20a4.5247 20001 13 13
30 © 2022 CommScope, Inc.

The show lag command can be used with or without a specific LAG name. If you do not
reference a specific LAG, the system will display information for each LAG configured.
Some important things to note in the output are:
• Whether the LAG is deployed, and whether it is dynamic or static. For example, the
output here shows the LAG as (dynamic deployed). Next, you can see the ports in
the LAG and their status.
• Note the Link, is it Up or Down? And the Layer 2 state, is it Forwarding or Blocking?
• Also we can determine the LACP status of each port in the LAG
• Under Partner Info and PDU Statistics you want to see the Partner's MAC, and the LACP
receive and transmit counters incrementing.
• You can also use the brief option with the show lag command to provide high level
information on all the LAGs configured on the switch.

…Continued on next slide

Revision 2212 8 ‐ 30
ICX 150 Layer 2 Fundamentals

<continued from previous slide…>

Port Information:
Sys P ‐ System Priority
Port P ‐ Port Priority
Key ‐ LACP key
Act ‐ Identifies if ports are set to LACP Active (Yes) or Passive (No)
Tio ‐ Timeout set to long (L) (default) or short (S)
Agg ‐ Is the port set to aggregation mode Yes (Agg) No (No)
Syn ‐ Is port in sync with what is being advertised in received LACP frames Yes
(Syn) No (No)
Col ‐ Collecting traffic received on port Yes (Col) No (No)
Dis ‐ Sending traffic on the port Yes (Dis) No (No)
Def ‐ Is port using received LACP PDU parameters (No) or default (admin
defined) (Yes) parameters
Exp ‐ Is port in expired state Yes/No
Ope ‐ LACP port states
• Dwn ‐ Down (not active port in the LAG)
• Ina ‐ Port is transitioning to Ope state
• Ope ‐ Operational

Revision 2212 8 ‐ 31
ICX 150 Layer 2 Fundamentals

Displaying LAG Virtual Interface

Use the show interface lag # command to view port status
RUCKUS# show interface lag 1
Lag lg1 is up, line protocol is up
Configured speed 3G, actual 3G, configured duplex fdx, actual fdx
Untagged member of L2 VLAN 1, port state is Forward
BPDU guard is Disabled, ROOT protect is Disabled, Designated protect is Disabled
STP configured to ON, priority is level0, mac-learning is enabled
Openflow is Disabled, Openflow Hybrid mode is Disabled
Mirror disabled, Monitor disabled
Mac-notification is disabled
VLAN-Mapping is disabled
Member of active trunk ports 1/1/9,1/1/10,1/1/11,lg1, Lag Interface is lg1
Member of configured trunk ports 1/1/9,1/1/10,1/1/11,lg1, Lag Interface is lg1
No port name
300 second input rate: 20464 bits/sec, 15 packets/sec, 0.00% utilization
300 second output rate: 208 bits/sec, 0 packets/sec, 0.00% utilization
17133 packets input, 2760671 bytes, 0 no buffer
Received 14335 broadcasts, 2740 multicasts, 58 unicasts
0 input errors, 0 CRC, 0 frame, 0 ignored
0 runts, 0 giants
270 packets output, 35858 bytes, 0 underruns
Transmitted 0 broadcasts, 270 multicasts, 0 unicasts
0 output errors, 0 collisions
Relay Agent Information option: Disabled

32 © 2022 CommScope, Inc.

The show interface lag command shows the LAG virtual interface operational state
similar to a physical interface output. Details include VLAN membership, STP status, trunk
membership and port statistics. Statistics displayed are a collection of all port members
therefore if errors are displayed the show command can be issued on each physical port
member to see which might be causing errors.

Revision 2212 8 ‐ 32
ICX 150 Layer 2 Fundamentals

You should now be able to:

• Configure VLANs and associate tagged and

untagged ports

• Describe and configure Virtual Routing

Interfaces (VE ports)
Summary
• Describe Link Aggregation Groups and the
supported types on ICX devices

• Configure LAGs on ICX devices

• Explain how to effectively manage LAGs

along with member ports of a LAG

This concludes the presentation on VLANs and Link Aggregation Groups. You should now be
able to:
• Configure VLANs and associate tagged and untagged ports
• Describe and configure Virtual Routing Interfaces (VE ports)
• Describe Link Aggregation Groups and the supported types on ICX devices
• Configure LAGs on ICX devices
• Explain how to effectively manage LAGs along with member ports of a LAG

Revision 2212 8 ‐ 33
ICX 150 Layer 2 Fundamentals

End of presentation:
Layer 2 Fundamentals

This completes the RUCKUS Layer 2 Fundamentals presentation.

Revision 2212 8 ‐ 34
ICX 150 ICX Services

ICX Services

Revision 2212

In this presentation we’ll discuss some of the services that can be utilized on RUCKUS ICX
devices.

Revision 2212 9‐1

ICX 150 ICX Services

After completing this module, you will be able

to:
• Identify Network Time Protocol (NTP) modes of
operation
• Perform basic NTP configuration
• Configure Secure Shell (SSH)
• Identify, enable and configure supported Layer 2
discovery protocols
Objectives • Implement LLDP, LLDP‐MED and verify its
configuration
• Configure Dynamic Host Control Protocol
including:
– DHCP Server
– DHCP Relay
– DHCP Options
– DHCP Snooping
– IP Source Guard

After completing this module, you will be able to:

• Identify Network Time Protocol (NTP) modes of operation
• Perform basic NTP configurations
• Configure Secure Shell (SSH) on ICX devices
• Identify, enable and configure supported Layer 2 discovery protocols
• Implement LLDP, LLDP‐MED and verify their configurations
• Configure the following Dynamic Host Control Protocol features on ICX
–DHCP Server
–DHCP Relay
–DHCP Options
–DHCP Snooping
–IP Source Guard

Revision 2212 9‐2

ICX 150 ICX Services

Network Time Protocol (NTP)

We learned about Network Time Protocol or NTP, in the Routing and Switching Protocol
course (RSP‐100). In this section we’ll discuss it’s configuration on RUCKUS ICX devices.

Revision 2212 9‐3

ICX 150 ICX Services

Network Time Protocol (NTP) on ICX

• FastIron 08.0.95 utilizes NTPv4
– NTPv3 and SNTP are made obsolete with NTPv4
– NTP versions 1 and 2 are not supported in this release
• NTP uses UDP port 123 for server/peer communication
• NTP configurations can utilize both IPv4 and IPv6 addressing
• ICX devices can operate in the following NTP Modes:
– Client – obtains time for itself, does not provide time updates
– Server – can act as time source as other devices (as secondary only)
– Master – can provide time to devices based on own local clock, when its own synchronization is lost
– Peer – devices which have been configured as mutual backups for each other
– Broadcast Server/Client – as a server can send time updates to broadcast addresses, while clients can help
calculate network delay for broadcast sources
• ICX devices can act as secondary time servers operating as stratum 2 to 15 only.

4 © 2022 CommScope, Inc. © 2022 CommScope, Inc. 4

Maintaining accurate time within your network is important as it will help provide accurate
timestamps for event messages and logs. We’ll discuss the commands used for NTP within
ICX deployments, however a good practice is to make sure that servers, storage, clients,
and other network devices are all properly synchronized as well.

ICX hardware running FastIron 08.0.95 can use NTPv4 to synchronize the local system clock
on the device to a Coordinated Universal Time (UTC). When using NTP, it is recommended
that you maintain time synchronization with at least four external NTP servers to ensure
that the time within your network is current.

NTPv4 obsoletes NTP version 3 as well as Simple Network Time Protocol and this FastIron
release does not support the use of NTP Version 1 or 2.

NTP is using UDP Port 123 for the server and peer communications and can be configured
with IPv4 or IPv6 addressing.

…Continued on next slide

Revision 2212 9‐4

ICX 150 ICX Services

<continued from previous slide…>

In this release we support the following NTP Modes:

Client – Uses NTP responses from one or more servers to calibrate its own device clock, but
does not provide its own time updates.

Server – Allows ICX devices to provide NTP time updates to other network devices.

Master – Builds on the above allowing the ICX device to continue to provide NTP to clients
using its local clock, even when it has lost synchronization of its time source.

Peer – Allows groups of devices to operate as mutual backups for each other and can
operate in symmetric active and symmetric passive modes. In active mode NTP packets are
observed from known/configured peers. In passive mode NTP packets are dynamically
learned from unconfigured peers.

Broadcast – When in broadcast server mode the device will send time updates to a
broadcast address. Using broadcasts can reduce the amount of NTP traffic on networks with
many NTP clients. When operating in Broadcast Client mode devices listen to NTP broadcast
packets and send a brief exchange between itself and the server to calculate network delay
of these communications.

With regard to NTP Server mode, ICX devices can only operate as secondary server, not
primary. ICX device can utilize stratum 2 to 15 (not 1).

NTP uses the concept of a stratum to describe how many NTP hops away a machine is from
an authoritative time source. Devices running NTP automatically choose the lowest stratum
number that it is configured to communicate with using NTP as its time source.

Revision 2212 9‐5

ICX 150 ICX Services

Basic NTP Configuration

Ensure your device time is within 1000 seconds of UTC
Ruckus1# clock set 14:30:00 10-26-22 before enabling NTP
Ruckus1(config)# ntp Enables NTP on the device (both client and server)
Ruckus1(config-ntp)#
Ruckus1(config-ntp)# server time.nist.gov
Ruckus1(config-ntp)# server time.google.com
Ruckus1(config-ntp)# server ntp.ruckuswireless.com Defines NTP server associations
Ruckus1(config-ntp)# server pool.ntp.org

Once servers are configured, associations can be displayed with the show ntp associations command

* synced, # selected, + candidate, - outlayer, x falseticker, ~ configured, **More characters in domain name

6 © 2022 CommScope, Inc. © 2022 CommScope, Inc. 6

By default, NTP services are not enabled on ICX devices. Before enabling NTP, you must use
the clock set command to set the time on your device to within 1000 seconds of the
Coordinated Universal Time. From configuration mode, issuing the command ntp will take
you into the NTP sub configuration and will enable both NTP server and client modes on
the device.

We then need to further define the NTP servers to use for synchronization. These servers
can be specified with the hostnames or IP addresses, however when using hostnames you
will need to make sure DNS is configured properly on your devices.

You can view the servers associated with your device using the show ntp
associations command. This will allow the administrator to verify the status of each
server, see its reference clock, view when the device last received an NTP packet from this
server in seconds (when column), as well as the round‐trip delay for the server and other
information.

Revision 2212 9‐6

ICX 150 ICX Services

Basic NTP Configuration (cont.)

Reference Clock
Ruckus1(config-ntp)# show ntp status
Clock is synchronized, stratum 2, reference clock is 216.239.35.4
precision is 2**-16
reference time is 3875796592.1566096431 (18:09:52.1566096431 GMT+00 Wed Oct 26 2022)
clock offset is -9.6690 msec, root delay is 44.2267 msec
root dispersion is 12.6607 msec, peer dispersion is 0.1106 msec
system poll interval is 64, last clock update was 25 sec ago
NTP server mode is enabled, NTP client mode is enabled When server mode is enabled
NTP master mode is disabled, NTP master stratum is 8 other devices can point to this
NTP is not in panic mode device as a time source

Ruckus1(config-ntp)# disable serv

RUCKUS1(config-ntp)# show ntp status
Clock is synchronized, stratum 2, reference clock is 216.239.35.4
precision is 2**-16
reference time is 3875797027.2463667118 (18:17:07.2463667118 GMT+00 Wed Oct 26 2022)
clock offset is -16.2241 msec, root delay is 44.3333 msec
root dispersion is 22.2221 msec, peer dispersion is 0.0076 msec
system poll interval is 64, last clock update was 109 sec ago
NTP server mode is disabled, NTP client mode is enabled
NTP master mode is disabled, NTP master stratum is 8
NTP is not in panic mode
7 © 2022 CommScope, Inc. © 2022 CommScope, Inc. 7

On the previous slide we issued the ntp command and mentioned how that command
enabled both the NTP client and server services on our ICX.

Using the show ntp status command we can obtain more information about our
current reference clock, which as shown in the output from the association command, is
our ntp.ruckuswireless.com server and we can see the server, client and master status for
the NTP services on this device.

With the NTP server mode enabled, this ICX device will be able to provide NTP updates to
other devices that point to it. If you want to disable the ability of the ICX to be a time
source, you must issue the disable serv command from the ntp configuration menu.

After entering the disable serv command, you can run the show ntp status
command again to see that the server mode is disabled, but the client mode is enabled.
The ICX itself will continue to get time updates from the configured devices, but it will not
provide NTP services to other devices.

Revision 2212 9‐7

ICX 150 ICX Services

Secure Shell (SSH)

In this section we will review Secure Shell as the preferred secure method to access your
RUCKUS ICX device.

Revision 2212 9‐8

ICX 150 ICX Services

Secure Shell (SSH) on ICX

• SSH2 is enabled by default and listens on TCP port 22
– Supported public key algorithms are ssh‐dss and ssh‐rsa
– Supported encryption methods are 3des‐cbc , aes128‐cbc , aes192‐cbc, aes256‐cbc, aes128‐ctr, aes192‐ctr
and, aes256‐ctr
– Public‐key, Password, and Interactive authentication methods are enabled by default

• If SSH is not enabled, use the crypto key generate command to generate a key pair
Ruckus1(config)# crypto key generate rsa modulus 2048
Ruckus1(config)#
Creating RSA key pair, please wait...

RSA Key pair is successfully created

• The command crypto key zeroize will remove all host keys and disable SSH on the
device

9 © 2022 CommScope, Inc.

Secure Shell, otherwise known as SSH, allows administrators to establish secure, remote
connections to devices that they manage. ICX devices, by default support the use of SSH to
establish remote connections. Unlike telnet, which is not enabled by default and provides
no security, SSH provides an encrypted connection to the device using the SSH2 protocol.

RUCKUS ICX devices are compatible with all versions of the SSH2 protocol and will
negotiate which version of SSH2 to use when establishing a client session. The highest
version supported between the client and the ICX device is used. Supported SSH2 client
applications include SecureCRT 5.2.2, Putty 0.62 and OpenSSH 4.3p2.

So as we said, SSH is enabled by default on FastIron releases 08.0.90 and later. If needed
SSH can be enabled on ICX with the use of the crypto key generate command from
within configuration mode. In the example shown we have chosen to specify the key as RSA
2048. If we only executed the crypto key generate command with no additional syntax the
key pair would have been created based on DSA 1024. Issuing the command crypto
key zeroize will remove the host keys and disable SSH on the device.

Revision 2212 9‐9

ICX 150 ICX Services

SSH Configuration Overview

Use the command show ip ssh config to display the status of SSH on the ICX
Ruckus1(config)# show ip ssh config
SSH server : Enabled
SSH port : tcp\22
Host Key : RSA 2048
Encryption : aes256-cbc, aes192-cbc, aes128-cbc, aes256-ctr, aes192-ctr,
aes128-ctr, 3des-cbc
Permit empty password : No
Authentication methods : Password, Public-key, Interactive
Authentication retries : 3
Login timeout (seconds) : 120
Idle timeout (minutes) : 5
SCP : Enabled
SSH IPv4 clients : All
SSH IPv6 clients : All
SSH IPv4 access-group :
SSH IPv6 access-group :
SSH Client Keys :
Client Rekey : 0 Minute, 0 KB
Server Rekey : 0 Minute, 0 KB

10 © 2022 CommScope, Inc. © 2022 CommScope, Inc. 10

To display the current configuration of SSH on your device run the command show ip
ssh config. This will display the status of the SSH Server service, its configured port,
the configured host key algorithm and bit length, as well as the encryption types
supported, authentication methods supported as well as any SSH client keys.

Revision 2212 9 ‐ 10
ICX 150 ICX Services

Optional SSH Configuration Parameters

• User authentication method – Default password, public‐key, and interactive are used

• SSH authentication retries – Default 3 retries are attempted (can be 1 through 5)

• Key exchange method – ICX SSH2 implementations offer diffie‐hellman‐group14‐sha1 and diffie‐hellman‐
group1‐sha1. Diffie‐hellman‐group14‐sha1 is given priority, but can fallback to the other method unless the
method is removed

• Empty password logins – By default empty passwords are not allowed, if empty password logins are enabled
any SSH client can log in without being prompted for a password

• Login timeout ‐ Default 120 seconds, if no client response after 120 seconds the SSH server disconnects

• Max idle time – Default times out after 5 minutes of inactivity (range is 0 which is disabled, up to 240 minutes)

• SSH rekey – Disabled by default, enables active sessions to be rekeyed after a time limit or data limit

11 © 2022 CommScope, Inc. © 2022 CommScope, Inc. 11

SSH parameters can be adjusted from their default configurations by specifying the option
after the ip ssh command from configuration mode.

Revision 2212 9 ‐ 11
ICX 150 ICX Services

Connect using SSH

Ruckus1(config)# show ip ssh sessions

SSH server status: Enabled

SSH copy-received-cos status: Disabled

SSH Sessions used by SZ will not be displayed.

SSH connections:

SSH connections (inbound):

1 established, client ip address 192.168.1.60, server hostkey RSA, user is super, privilege super-user

using vrf default-vrf.

3 second(s) in idle

2 closed

<Output truncated>

12 © 2022 CommScope, Inc. © 2022 CommScope, Inc. 12

Now that we know SSH is running and which port it is running on we can utilize a
supported SSH2 client to remotely access our ICX device. In the example shown we have
targeted our device @ 192.168.1.21 and specified the connection type as SSH using TCP
port 22. The client then directs us to enter the username and password for our device and
once we complete that successfully we have a secure remote connection to the device.

The show ip ssh sessions command will display a list of inbound and outbound
SSH connections on the device. Here we can see the session 1 entry which includes our
client IP, the key type used as well as the user account that was specified in the
password/interactive authentication method.

Revision 2212 9 ‐ 12
ICX 150 ICX Services

Connect using SSH (cont.)

Ruckus1# ssh 192.168.1.20
User name:jesse
SSH@Ruckus1# show ip ssh sessions
SSH server status: Enabled Password:
SSH copy-received-cos status: Disabled Connecting to remote host......
SSH Sessions used by SZ will not be displayed.
SSH connections: SSH@ICX-7150_20>
SSH connections (inbound):
1 established, client ip address 192.168.1.60, server hostkey RSA, user is super, privilege super-
user
using vrf default-vrf.
you are connecting to this session
7 second(s) in idle
<Output Truncated>
SSH connection (outbound):
11 established, server ip address 192.168.1.20, from Console session, , server hostkey DSA, privilege
super-user
using vrf default-vrf.
20 second(s) in idle
<Output Truncated>

13 © 2022 CommScope, Inc. © 2022 CommScope, Inc. 13

Not only can we utilize client applications to make SSH connections, we can also make SSH
connections to other devices from within the ICX.

This SSH client capability works with both IPv4 and IPv6 addressing through either in‐band
or out‐of‐band management ports, but ONLY when SSH is enabled on the device. When we
issue the show ip ssh sessions command we can see connection 11 listed as the
outbound connection that we made to 192.168.1.20 using DSA, as that is what the remote
end was capable of.

Revision 2212 9 ‐ 13
ICX 150 ICX Services

Discovery Protocols

In this section we will outline the Layer 2 discovery protocols supported on RUCKUS ICX
devices.

Revision 2212 9 ‐ 14
ICX 150 ICX Services

Cisco Discovery Protocol (CDP)

First starting with Cisco Discovery Protocol (CDP).

Revision 2212 9 ‐ 15
ICX 150 ICX Services

Cisco Discovery Protocol (CDP)

• CDP packets are used by Cisco devices to advertise themselves to other Cisco
devices

• By default, RUCKUS ICX devices forward these packets without examining them
– CDP v1 and CDP v2 are supported on ICX

• CDP packet interception on RUCKUS ICX is disabled by default

– Interception can be enabled globally, then disabled per interface
– If CDP interception is enabled ICX will drop the CDP packets

• ICX implementations will commonly use the standards based IEEE 802.1AB Link
Layer Discovery Protocol (LLDP)

16 © 2022 CommScope, Inc. © 2022 CommScope, Inc.

Cisco Discovery Protocol (CDP) is a proprietary protocol used on Cisco devices allowing
them to exchange information about their connected neighbors. By default, RUCKUS ICX
devices will allow CDP to flow through the network and perform no interception of the CDP
packets.

ICX devices can intercept and display the contents of the CDP packets, however when this
is performed the CDP packets are then dropped by the ICX and are no longer forwarded
through the ICX.

Interception of CDP is enabled globally and can then be disabled per interface.

ICX implementations will commonly use the standards‐based Link Layer Discovery Protocol
(LLDP), which we will discuss later in this presentation.

Revision 2212 9 ‐ 16
ICX 150 ICX Services

CDP Configuration and Show Commands

• To globally enable CDP issue cdp run from configuration mode
Ruckus1# configure terminal
Ruckus1(config)# cdp run

• To disable/enable at an interface level

Ruckus1(config)# interface e 1/1/3
Ruckus1(config-if-e1000-1/1/3)# no cdp enable
Ruckus1(config-if-e1000-1/1/3)# cdp enable

• Display CDP information using Foundry Discovery Protocol (FDP) commands

Ruckus1(config)# show fdp interface
Ruckus1(config)# show fdp neighbors
Ruckus1(config)# show fdp traffic

17 © 2022 CommScope, Inc. © 2022 CommScope, Inc.

Administrators can enable CDP interception globally by issuing cdp run from a
configuration prompt. CDP can then be disabled and re‐enabled per interface with the use
of cdp enable commands.

To display information from the CDP packets that have been intercepted, we utilize Foundry
Discovery Protocol (FDP) show commands. FDP is also a proprietary discovery protocol
which we’ll discuss in the next section.

Revision 2212 9 ‐ 17
ICX 150 ICX Services

Foundry Discovery Protocol (FDP)

Next we’ll discuss legacy Foundry Discovery Protocol (FDP).

Revision 2212 9 ‐ 18
ICX 150 ICX Services

Foundry Discovery Protocol (FDP)

• FDP is disabled by default
– Devices in this default state or that do not support FDP, pass these updates through the
device at Layer 2

• FDP provides neighbor discovery of directly connected devices by sending Layer 2

frames to MAC address 00‐00‐00‐CC‐CC‐CC

• Periodically advertises information including the following:

– Hostname (device ID)
– Product platform and capability
– Software version
– VLAN and Layer 3 protocol address information of the port sending the update. IP, IPX, and
AppleTalk Layer 3 information is advertised
– Intercepts and displays the contents of CDP packets
19 © 2022 CommScope, Inc. © 2022 CommScope, Inc.

Foundry Discovery Protocol (FDP) is another proprietary protocol and it can be used by
RUCKUS devices to advertise information about themselves to other RUCKUS devices. FDP
is still not preferred over the use LLDP in ICX implementations, and like CDP, it is disabled by
default.

Also like CDP, FDP is enabled globally and can disabled per interface.

Revision 2212 9 ‐ 19
ICX 150 ICX Services

FDP Configuration and Show Commands

• To globally enable CDP issue fdp run from configuration mode
Ruckus1# configure terminal
Ruckus1(config)# fdp run

• To disable/enable at an interface level

Ruckus1(config)# interface e 1/1/3
Ruckus1(config-if-e1000-1/1/3)# no fdp enable
Ruckus1(config-if-e1000-1/1/3)# fdp enable

• Display FDP information using show commands

Ruckus1(config)# show fdp interface
Ruckus1(config)# show fdp traffic
Ruckus1(config)# show fdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
(*) indicates a CDP device

Device ID Local Interface Holdtm Capblty Platform PortID

-------------- --------------- ------ ------- --------- ------
ICX-7150_20 ethernet1/1/9 150 Switch ICX7150-C12 ethernet1/1/9
ICX-7150_20 ethernet1/1/10 150 Switch ICX7150-C12 ethernet1/1/10

20 © 2022 CommScope, Inc. © 2022 CommScope, Inc.

As we said, FDP is enabled globally by issuing fdp run from configuration mode. FDP can
then be disabled and re‐enabled per interface with the use of fdp enable commands.

FDP show commands are then used to display details of information learned through FDP
discovery.

Revision 2212 9 ‐ 20
ICX 150 ICX Services

Link Layer Discovery Protocol (LLDP)

Finally we’ll outline the recommend and most widely used discovery protocol Link Layer
Discovery Protocol (LLDP).

Revision 2212 9 ‐ 21
ICX 150 ICX Services

Link Layer Discovery Protocol (LLDP)

Supported features of LLDP on ICX include :
• Discover of other stations in the same LAN segment
– Network Inventory (including multi‐vendor environments)
– Can detect speed and duplex mismatches simplifying troubleshooting
– Discover devices with misconfigured or unreachable IP addresses

• Network Management
– Supports network management tools in multivendor environments
– Supports discovery of accurate physical network topologies including connecting ports
– Enables discovery of stations in multi‐vendor environments
– Provides device details including model number, version of hardware type, and operating system
– Provides capabilities, such as switch, router, or WLAN access point

• Accessible using a management protocol such as the Simple Network Management Protocol (SNMP) or CLI
– Data gathered on a ICX device is stored in a standard Management Information Base (MIB)
– Accessible by a Network Management System (NMS)

22 © 2022 CommScope, Inc. © 2022 CommScope, Inc.

Link Layer Discovery Protocol is a vendor neutral protocol that allows LLDP enabled
network devices to share their capabilities with other devices in the network. RUCKUS ICX
devices support many of the features that LLDP provides including station discovery,
Network management as well as Media Endpoint Discovery (MED) attribute
advertisements. As a result, directly connected devices can be discovered and recorded by
LLDP advertisements in a multi vendor environment. LLDP information is stored in a
Management Information Base which can be accessed with SNMP using a Network
Management System

This aids in topology mapping and troubleshooting along with inventory. End devices can
benefit from LLDP as well with advertisement of MED attributes allowing the successful
onboarding of end devices providing emergency service information and VLAN assignment.
We’ll discuss Media Endpoint Discovery later in this presentation.

Revision 2212 9 ‐ 22
ICX 150 ICX Services

LLDP Operating Modes and TLV Types

• LLDP supports the following operating modes on physical interfaces:1
– Transmit and Receive LLDP information (System default)
– Transmit LLDP information only
– Receive LLDP information only

• Supported Type Length Value (TLV) types:2

– Basic Management (Management address, port description, system capabilities, system description
and, system name)
o Mandatory (Chassis ID, Port ID, Time to Live)
– Organizationally‐specific (802.1 and 802.3)
o Port VLAN ID
o VLAN name
o MAC/PHY configuration/status
o Link aggregation
o Maximum frame size
o Power through MDI

23 © 2022 CommScope, Inc. © 2022 CommScope, Inc.

By default, RUCKUS ICX devices will transmit and receive LLDP information. However, the
operating mode can be configured for transmit only or receive only.

Devices transmitting LLDP do so by sending LLDP Data Units or LLDPDUs to other receiving
devices. These 1500 byte packets contain Type Length Values (TLVs). These TLVs have
mandatory pieces of information that they must include, and TLVs that could be optionally
included. The mandatory TLVs on RUCKUS ICX are Chassis ID, Port ID and Time to Live.
These TLVs fall within the Basic Management type and there are additional Basic
Management TLVs that can be included such as management address, port description, as
well as system name, and system capabilities.

There are also Organizationally‐specific TLVs that can be provided. RUCKUS ICX supports
the Organizationally‐specific TLVs shown.

So as we said, only the Mandatory TLVs must be included within the LLDPDUs. However,
RUCKUS ICX devices by default include all of the TLVs shown except, for the those we are
highlighting in yellow. The highlighted TLVs are not included by default, but can be included
by the administrator.

…Continued on next slide

Revision 2212 9 ‐ 23
ICX 150 ICX Services

<continued from previous slide…>

Footnote 1:
Transmit mode: An LLDP agent initiates the transmission of LLDP packets whenever the
transmit countdown timing counter expires, or whenever LLDP information has changed.
When a transmit cycle is initiated, the LLDP manager extracts the MIB objects and formats
this information into TLVs. The TLVs are inserted into an LLDPDU, addressing parameters are
prepended to the LLDPDU, and the information is sent out LLDP‐enabled ports to adjacent
LLDP‐enabled devices.
Receive mode: When an LLDP agent receives LLDP packets, it checks to ensure that the LLD
PDUs contain the correct sequence of mandatory TLVs, then validates optional TLVs. If the
LLDP agent detects any errors in the LLDPDUs and TLVs, it drops them in software. TLVs that
are not recognized but do not contain basic formatting errors, are assumed to be valid and
are assigned a temporary identification index and stored for future possible alter retrieval
by network management. All validated TLVs are stored in the neighbor database.

Footnote 2:
Type‐Length‐Value (TLV) object allows protocols to forward optional information within its
protocol communication method. Not only does this provide an ability for a protocol to
quickly adapt to new features a node that does not recognize the TLV information can skip
the TLV information and still parse the remaining information. Each LLDPDU consists of an
untagged Ethernet header and a sequence of short, variable length information elements
known as type/length/value (TLVs). The management address is an IPv4 address that can
be used to manage the device. If no management address is explicitly configured to be
advertised, the ICX device will use the first available IPv4 address configured on the
following types of interfaces, in the following order of preference:
• Physical port on which LLDP will be transmitting the packet
• Loopback interface
• Virtual routing interface (VE)
• Router interface on a VLAN of which the port is a member
• Other physical interface

If no IP address is configured, the port’s current MAC address will be advertised. To

advertise the IPv4 management address, enter the lldp advertise management-
address ipv4 command.

Ruckus1(config)# lldp advertise management-address ipv4

10.157.2.1 ports ethernet x/x/x

Other TLVs can be disabled or specified to the admin preference. Refer to the RUCKUS
FastIron Management Configuration Guide for specific configuration needs.

Revision 2212 9 ‐ 24
ICX 150 ICX Services

LLDP Considerations
• Cisco Discovery Protocol (CDP) and Foundry Discovery Protocol (FDP) run
independently of LLDP
• These discovery protocols can run simultaneously on the same device

• LLDP packets have the standard Multicast Destination MAC address

(01:80:c2:00:00:0e) and are sent with highest priority (7)

• By default, the ICX device limits the number of neighbors per port to four

• LLDP advertisements are limited to a single 1500 byte packet

25 © 2022 CommScope, Inc. © 2022 CommScope, Inc.

We previously mentioned both CDP and FDP discovery protocols and it is important to
know that LLDP runs independently of either of them. However, CDP and FDP can be run
simultaneously on a device that is running LLDP.

LLDP packets are sent to the Multicast Destination MAC address of 01:80:c2:00:00:0e and
are marked with Quality of Service (QoS) priority of 7. By default, ICX devices are limited to
discovering up to 4 neighbors per port, while the maximum number of neighbors per
device is 2,048.

And if you will recall as we said in the previous slide, those LLDP advertisements are limited
to 1500 byte packets.

Note: If the advertisements by the neighbor exceed the maximum value of the neighbor
per port or if it exceeds the maximum neighbors configured at the global level then the
new advertisements will be dropped. ICX devices stagger transmission of LLDP packets on
different ports to minimize any high‐usage spikes to the CPU. To change the maximum
number of neighbors for which LLDP data is retained for the entire system, use the lldp
max‐total‐neighbors command at the global config prompt. Default LLDP neighbors per
device is 392 and the configurable range is range of 16 to 8192. To change the maximum
number of LLDP neighbors per port, use the LLDP max-neighbors-per-port
command. Default per port is 4 and the configurable range is 1 to 64. LLDP typically
uses Ethernet to forward its LLDPPDUs. The Ethernet type used for LLDP is 0x88cc

Revision 2212 9 ‐ 25
ICX 150 ICX Services

LLDP Configuration
• Disabling LLDP (enabled by default)
Ruckus1(config)# no lldp run

• Re‐enable LLDP
Ruckus1(config)# lldp run

• Disabling specific ports from LLDP using the default (send/receive) mode
Ruckus1(config)# no lldp enable ports ethernet 1/1/1

• Enabling transmit or receive mode only1

Ruckus1(config)# no lldp enable ports ethernet 1/1/4 1/1/5 1/1/6
Ruckus1(config)# lldp enable transmit ports ethernet 1/1/4 1/1/5
Ruckus1(config)# lldp enable receive ports ethernet 1/1/6

26 © 2022 CommScope, Inc. © 2022 CommScope, Inc.

By default, LLDP is enabled on ICX devices and it operates in both transmit and receive
modes.

You can globally disable LLDP by issuing the command no lldp run from configuration
mode. It can be re‐enabled by issuing lldp run.

You can disable specific LLDP ports with the use of the no lldp enable ports
ethernet x/x/x command

Specify the lldp operating mode at an individual port level by first disabling lldp on the port,
then using lldp enable transmit [or] receive commands followed by the
port that you wish to change the mode of. There are optional LLDP configuration
parameters that we’re not going to explicitly cover here, additional information on LLDP
configurations can be found in the RUCKUS FastIron Management Configuration Guide for
your release

Continued on next slide…

Revision 2212 9 ‐ 26
ICX 150 ICX Services

<continued from previous slide…>

Footnote 1: Ports enabled for LLDP using the default mode requires removing ports from
the default before placing them in transmit or receive mode.
By default, RUCKUS devices do not accept tagged LLDP packets from other vendor devices.

To enable support for tagged LLDP packets:

Ruckus1(config)# lldp tagged-packets process
When enabled, the device accepts incoming LLDP tagged packets if the VLAN tag
matches with a configured VLAN on the port, the default VLAN for a tagged port.

Specify the maximum number of LLDP neighbors per device:

Ruckus1(config)# lldp max-total-neighbors 500
This example changes the maximum number of LLDP neighbors for the entire device
to 500.

Specify the maximum number of LLDP neighbors per port:

Ruckus1(config)# lldp max-neighbors-per-port 6
This example changes the maximum number of LLDP neighbors per port to 6.

Revision 2212 9 ‐ 27
ICX 150 ICX Services

LLDP Default Behavior

28 © 2022 CommScope, Inc. © 2022 CommScope, Inc.

Here we outline LLDP defaults for the FastIron 08.0.95 release.

Note: LLDP pass‐through feature for 802.1X configured ports is no longer supported
to conform with the IEEE standard (802.1AB‐2016).

Revision 2212 9 ‐ 28
ICX 150 ICX Services

LLDP‐ Media Endpoint Discovery (MED)

• Extension to LLDP
– Enables advanced LLDP features
– Discovery between Network Connectivity devices
and media Endpoints
o Example: IP telephones, softphones, VoIP gateways
and conference bridges

• Benefits:
– Vendor‐independent management capabilities
o Enables different IP telephony systems to interoperate
– Automatic deployment network policies
o Layer 2 and Layer 3 QoS policies and Voice VLANs
– Supports E‐911 Emergency Call Services (ECS) for IP
telephony
– Collects Endpoint inventory information
– Network troubleshooting
o Helps to detect improper network policy configuration

29 © 2022 CommScope, Inc. © 2022 CommScope, Inc.

Media Endpoint Discovery (MED) is an extension to LLDP that enables advanced

features in Voice over IP networks. As we learned previously, LLDP enables
discovery between network devices. LLDP‐MED enables network devices to discover
endpoints such as IP Phones or Softphones, VoIP Gateways, and conference bridges.

LLDP‐MED classes specifiy an Endpoint type and its capabilities. An Endpoint can
belong to one of three LLDP‐MED class types:
• Class 1 (Generic endpoint) ‐ A Class 1 Endpoint requires basic LLDP discovery
services, but does not support IP media nor does it act as an end‐user
communication appliance. A Class 1 Endpoint can be an IP communications
controller, other communication‐related server, or other device requiring basic
LLDP discovery services.
• Class 2 (Media endpoint) ‐ A Class 2 Endpoint supports media streams and may
or may not be associated with a particular end user. Device capabilities include
media streaming, as well as all of the capabilities defined for Class 1 Endpoints. A
Class 2 Endpoint can be a voice/media gateway, conference, bridge, media server,
etc.
• Class 3 (Communication endpoint) ‐ A Class 3 Endpoint supports end user IP
communication. Capabilities include aspects related to end user devices, as well
as all of the capabilities defined for Class 1 and Class 2 Endpoints. A Class 3
Endpoint can be an IP telephone, softphone (PC‐based phone), or other
communication device that directly supports the end user.

Discovery services defined in Class 3 include location identifier (ECS/E911)

information and inventory management.
The LLDP‐MED device class is advertised when LLDP‐MED is enabled on a port.
Revision 2212 9 ‐ 29
ICX 150 ICX Services

LLDP MED Considerations

• LLDP‐MED is enabled by default

• LLDP‐MED attributes are sent when both, LLDP is enabled, and LLDP‐MED
capabilities TLVs are also advertised (lldp advertise med-capabilities
configuration is applied by default)

• LLDP‐MED can only be enabled on ports that are operating in LLDP transmit
and receive mode

• LLDP‐MED can be disabled at a port level

Ruckus1(config)# no lldp advertise med-capabilities ports ethernet 1/1/3
Warning: Configured MED TLVs will not be sent unless the med-capabilities TLV is
enabled

30 © 2022 CommScope, Inc. © 2022 CommScope, Inc.

LLDP‐MED is enabled by default assuming:

• LLDP is running
• The med‐capabilities TLV is being advertised on the port
• The port is not operating in only LLDP transmit only or only LLDP receive only mode

All of the above conditions are met by default in FastIron 08.0.95

To disable LLDP‐MED on an individual port you can utilize the no lldp advertise
med-capabilities command.

Revision 2212 9 ‐ 30
ICX 150 ICX Services

Verify LLDP‐MED
Ruckus1(config)# show lldp local-info ports ethernet 1/1/6
Local port: 1/1/6
+ Chassis ID (MAC address): d4c1.9e95.a670
+ Port ID (MAC address): d4c1.9e95.a675
+ Time to live: 120 seconds
+ System name: Ruckus1
<Output Truncated>
+ 802.3 Power via MDI: PSE port, power enabled, class 0
Power Pair : A (not controllable)
+ Link aggregation: not capable
+ Maximum frame size: 1522 octets
+ MED capabilities: capabilities, networkPolicy, location, extendedPSE
MED device type : Network Connectivity
+ MED Extended Power via MDI
Power Type : PSE device
Power Source : Unknown Power Source
Power Priority : Low (3)
Power Value : 0.0 watts (PSE equivalent: 0 mWatts)
+ Port VLAN ID: 1
+ Management address (IPv4): 192.168.1.21

31 © 2022 CommScope, Inc. © 2022 CommScope, Inc.

You can verify the configured LLDP‐MED TLVs per‐port using the show lldp local-
info command. Highlighted here we can see the advertised MED information. We will
discuss additional LLDP show commands later in this presentation.

Revision 2212 9 ‐ 31
ICX 150 ICX Services

LLDP MED Configuration Options

• Fast‐start‐repeat‐count
– Enables a Network Connectivity Device to initially advertise itself at a faster rate (in
seconds) for a specified time when an LLDP‐MED Endpoint has been newly detected
• Location‐id
– Enables the RUCKUS device to set the physical location that an attached Class III Endpoint
will use for location‐based applications
• Network‐policy
– Defines an Endpoint VLAN configuration (VLAN type and VLAN ID) and associated Layer 2
and Layer 3 priorities that apply to a specific set of applications on a port
Ruckus1(config)# lldp med ?
fast-start-repeat-count Specify the LLDP-MED fast start transmit count
location-id Define an LLDP-MED location ID
network-policy Define an LLDP-MED network policy

32 © 2022 CommScope, Inc. © 2022 CommScope, Inc.

LLDP MED enhancements provide onboarding assistance and information to end devices by
utilizing configurable fast start repeat count, location‐id, and network policy options

Fast start repeat: Allows for a more frequent advertisements, allowing connecting devices
to receive the information they need to successfully onboard on the network, by default 3
seconds for newly connected endpoints. To set (in seconds) the amount of time you want
the switch to send higher frequency of packets use the global command lldp med
fast-start-repeat-count <amount in seconds 1-10>

Location‐id: Plays an important part for emergency services. This feature is important for
applications such as IP telephony, for example, where emergency responders need
to quickly determine the physical location of a user in North America that has just
dialed 911. We can configure a location based on the perspective of either the client,
dhcp‐server or a network element that is closest to the client device.

Network policy: Defines an Endpoint VLAN configuration (VLAN type and VLAN ID)
and associated Layer 2 and Layer 3 priorities that apply to a specific set of
applications on a port.

Syntax: lldp med network‐policy application application‐type tagged vlan vlan‐id priority priority‐
value dscp dscp‐value ports { all | [ ethernet unit/slot/port [ to unit/slot/port ] ... ] }
lldp med network‐policy application application‐type untagged dscp dscp‐value ports { all | [
ethernet unit/slot/port [ to unit/slot/port ] ... ] }
lldp med network‐policy application application‐type priority‐tagged priority priority‐value dscp
dscp‐value ports { all | [ ethernet unit/slot/port [ to unit/slot/port ] ... ] }

Revision 2212 9 ‐ 32
ICX 150 ICX Services

LLDP MED Location ID

• Defining a location ID
– Extension enables the RUCKUS device to set the physical location that an attached
Class III Endpoint will use for location‐based applications
– For each port, you can define one or more of the following location ID formats:
o Geographic location (coordinate‐based)
o Civic address
o Emergency Call Services (ECS) Emergency Location Identification Number (ELIN)

• To configure a civic address‐based location for LLDP‐MED within the global

configuration mode use:
Ruckus1(config)# lldp med location-id civic-address refers-to client
country US elem 1 CA elem 3 "Sunnyvale“ elem 6 “350 W Java Dr" elem 24
94089 elem 27 5 elem 28 151 elem 29 office elem 23 "John Doe"
33 © 2022 CommScope, Inc. © 2022 CommScope, Inc.

The MED location ID as we said is helpful to provide a physical location to emergency

services when 911 is dialed in North America from a Class 3 endpoint.

Locations can be defined per port and can be applied as either:

‐A Geographic location (as longitude, latitude and altitude)
‐A civic address which can include (Country, State, City, Street, Floor, Postal Code, Office
Number, Location Type, and Name)
‐Or as a Emergency Location Identification Number (ELIN) which is a ten digit direct inward
dial (DID) number which has a known location. When calling emergency services this ELIN
takes the place of the caller's telephone number.

…Continued on next slide

Revision 2212 9 ‐ 33
ICX 150 ICX Services

<continued from previous slide…>

Note: Elements are attributes that are defined in the civic address. Each element value is
associated with a specific element of the address. Graphic location addressing is associated
with a lat/long attribute with additional values shown below.
Ruckus1(config)# lldp med location-id coordinate-based
latitude 41.87884 resolution 18 longitude 87.63602 resolution
18 altitude floors 103 resolution 30 wgs84

The above configuration shows the following:

Latitude is 41.87884 degrees north (or 41.87884 degrees) ‐ Longitude is 87.63602
degrees west (or 87.63602 degrees)
The location is inside a structure, on the 103rd floor
The WGS 84 map was used as the basis for calculating the location

The Emergency Call Service (ECS) location is used specifically for Emergency Call Services
applications.

Ruckus1(config)# lldp med location-id ecs-elin 4083335745

To display the conferred ECS details use the show lldp local-info command.

+ MED Location ID
Data Format: ECS ELIN
Value : 4083335745

Revision 2212 9 ‐ 34
ICX 150 ICX Services

Defining an LLDP‐MED Network Policy

• Network policies apply to applications that have specific real‐time network policy
requirements, such as interactive voice or video services
– Intended to run on links between Network Connectivity devices and Endpoints
– Can provide VLAN assignment as well as priority settings for an end device

• To define an LLDP‐MED network policy for an Endpoint:

Ruckus1(config)# lldp med network-policy application voice tagged vlan 99
priority 3 dscp 22 port e 1/1/6

• The network policy advertisement will appear similar to the following on the remote device,
and in the CLI display output on the RUCKUS ICX
Ruckus1# show lldp local-info
+ MED Network Policy
Application Type : Voice
Policy Flags : Known Policy, Tagged
VLAN ID : 99
L2 Priority : 3
DSCP Value : 22
35 © 2022 CommScope, Inc. © 2022 CommScope, Inc.

LLDP‐MED network policies define an endpoint’s VLAN configuration and associated Layer 2
and Layer 3 priorities that apply to specific applications on a port.

These policies should be applied on ports that are directly connected to the endpoint.

In this example configure we have defined a application policy that is tagging voice
application traffic in VLAN 99 and giving it a Layer 2 QoS priority of 3 and a DSCP value of
22. We can then see how this Network Policy is viewed from the TLV perspective.

Revision 2212 9 ‐ 35
ICX 150 ICX Services

LLDP Show Commands

You can use the following CLI show commands to display information about LLDP settings and
statistics:
• show lldp – Displays a summary of the LLDP configuration
• show lldp local-info – Port detail of LLDP advertisements to be transmitted
• show lldp statistics – Displays LLDP global and per‐port statistics
• show lldp neighbors – Displays a list of the current LLDP neighbors
• show lldp neighbors detail – Displays the details of the latest advertisements received
from LLDP neighbors

Clearing LLDP statistics

Ruckus1# clear lldp statistics

Clearing LLDP Neighbors

Ruckus1# clear lldp neighbors ports e 1/1/1

36 © 2022 CommScope, Inc. © 2022 CommScope, Inc.

Several show commands are available providing a command line look at the information
obtain via LLDP

• show lldp – displays a summary of the LLDP configuration on the device

• show lldp local‐info – shows per port detail of TLVs that are configured to be advertised
• show lldp statistics – displays global and per port counters for transmitted and received
LLDPDUs
• show lldp neighbors – lists current LLDP neighbors, which port they were discovered on
and which port you are connected to
• show lldp neighbors details – displays advertisements received from lldp neighbors

LLDP statistics can be cleared globally or per‐port with the clear lldp statistics
command. LLDP neighbor discovery will clear automatically when the port is disabled and
the neighbor information ages out, issuing the clear lldp neighbors command will
manually clear the neighbor entry.

Revision 2212 9 ‐ 36
ICX 150 ICX Services

LLDP Statistics
Ruckus1# show lldp statistics
Last neighbor change time: 1 day(s) 3 hour(s) 34 minute(s) 12 second(s) ago

Neighbor entries added : 67

Neighbor entries deleted : 61
Neighbor entries aged out : 40
Neighbor advertisements dropped : 0

Port Tx Pkts Rx Pkts Rx Pkts Rx Pkts Rx TLVs Rx TLVs Neighbors

Total Total w/Errors Discarded Unrecognz Discarded Aged Out
1/1/1 308290 308277 0 0 308277 0 1
1/1/2 308303 308287 0 0 308287 0 2
1/1/3 308288 308301 0 0 308301 0 0
1/1/4 279732 0 0 0 0 0 0
1/1/5 154233 0 0 0 0 0 0
1/1/6 279737 0 0 0 0 0 0
1/1/7 28562 0 0 0 0 0 0
1/1/8 0 0 0 0 0 0 0
1/1/9 278955 0 0 0 0 0 0
1/1/10 0 0 0 0 0 0 0
< Output Truncated>
37 © 2022 CommScope, Inc. © 2022 CommScope, Inc.

The Table below describes the fields above in more detail.

Revision 2212 9 ‐ 37
ICX 150 ICX Services

LLDP Neighbors and TLV Advertisements

Ruckus1# show lldp neighbor
Lcl Port Chassis ID Port ID Port Description System Name
1/1/1 903a.721c.10a0 903a.721c.10a0 eth0 RUCKUS-1-R510
1/1/2 94f6.6518.16f0 94f6.6518.16f0 eth0 RUCKUS-2-R510
1/1/3 903a.721c.0e50 903a.721c.0e50 eth0 RUCKUS-3-R510

LLDP TLVs advertised by the RUCKUS device

• When LLDP is enabled on a global basis, the RUCKUS device will automatically advertise the
following information, except for the features noted:
• General system information: • 802.1 capabilities:
– Management address – VLAN name (not automatically advertised)
– Port description – Untagged VLAN ID
– System capabilities • 802.3 capabilities:
– System description (not automatically advertised) – Link aggregation information
– System name – MAC/PHY configuration and status
– Maximum frame size
– Power‐via‐MDI information (not automatically advertised)
38 © 2022 CommScope, Inc. © 2022 CommScope, Inc.

We previously discussed the LLDP TLVs that are mandatory as well as which TLVs are
advertised by default on RUCKUS ICX. We are showing those again here as they are
important. We are also displaying the output of the show lldp neighbor command.
The TLVs listed here will with shared with those devices.

The Below Table describes the fields above in more detail.

Revision 2212 9 ‐ 38
ICX 150 ICX Services

LLDP Neighbors Detail

Ruckus1# show lldp neighbors detail
Local port: 1/1/9
Neighbor: c0c5.20a4.524f, TTL 119 seconds
+ Chassis ID (MAC address): c0c5.20a4.5247
+ Port ID (MAC address): c0c5.20a4.524f
+ Time to live: 120 seconds
+ System name: ICX-7150_20
+ Port description : "GigabitEthernet1/1/9"
+ System capabilities : bridge
Enabled capabilities: bridge
+ 802.3 MAC/PHY : auto-negotiation supported, but disabled
Operational MAU type : 1000BaseT-FD
+ 802.3 Power via MDI: PSE port, power enabled, class 0
Power Pair : A (not controllable)
+ Link aggregation: not capable
+ Maximum frame size: 1522 octets
+ Port VLAN ID: 1
+ Management address (IPv4): 192.168.1.20

Ruckus1# sh lldp neighbors detail ports e 1/1/6

Local port: 1/1/6
Neighbor: bc5f.f44c.44d4, TTL 3261 seconds
+ Chassis ID (MAC address): bc5f.f44c.44d4
+ Port ID (MAC address): bc5f.f44c.44d4
+ Time to live: 3601 seconds

+ 802.3 MAC/PHY : auto-negotiation enabled

Advertised capabilities: 1000BaseT-FD
Operational MAU type : Other
+ MED capabilities: capabilities
MED device type : Endpoint Class I

39 © 2022 CommScope, Inc. © 2022 CommScope, Inc.

The show lldp neighbors detail command allows us to see the TLV information
we have received from connected LLDP neighbors.

As you recall we have the mandatory TLVs of Chassis ID, Port ID and Time to Live, which we
see for our neighbor on port 1/1/9.

We can also see some additional TLV information about this device. We can see that is it
named ICX‐7150_20 and that we are connected to it’s port 1/1/9. This port is capable of
automatically negotiating port speed, but in this case it has been disabled and we’re
operating at 1000‐full duplex. This port is configured for VLAN 1 the management address
of the remote device is 192.168.1.20

If the remote device were configured with LLDP‐MED those TLVs would display in this
output as shown in our example of port 1/1/6.

Revision 2212 9 ‐ 39
ICX 150 ICX Services

Limiting LLDP Advertisements

• Using the show lldp local-info command displays the details of the Link
Layer Discovery Protocol (LLDP) advertisements on a per port basis
• LLDP Advertisements can be limited by port using the no lldp advertise
command Note: Many LLDP TLVs are advertised by default and will need to be explicitly disabled
Examples:
Ruckus1(config)# no lldp advertise ?
link-aggregation Advertise 802.3 link aggregation information
mac-phy-config-status Advertise 802.3 MAC/PHY configuration/status
management-address Advertise a management address
max-frame-size Advertise 802.3 maximum frame size
med-capabilities Advertise LLDP-MED capabilities
med-location-id Advertise LLDP-MED location id information
med-network-policy Advertise LLDP-MED network policy information
med-power-via-mdi Advertise LLDP-MED power-via-MDI information
port-description Advertise port description
port-id-subtype Advertise advertise lldp port id subtype
port-vlan-id Advertise 802.1 port untagged VLAN id (PVID)
power-via-mdi Advertise 802.3 power-via-MDI information
system-capabilities Advertise system capabilities
system-description Advertise system description
system-name Advertise system name
vlan-name Advertise 802.1 VLAN name
40 © 2022 CommScope, Inc. © 2022 CommScope, Inc.

While the show lldp local-info command displays the LLDP TLVs being advertised,
administrators can control what they want to advertise (except for those mandatory TLVs).
Using the no lldp advertise command you can choose which TLVs to omit at a port‐
level.

For a full list of LLDP advertising control options refer to the RUCKUS FastIron Management
Configuration Guide. Note that many of these are advertised automatically therefore will
need to be disabled on ports you do not want the information shared. Below is an example
of disabling of the system name being advertised on Ethernet 1/1/2.

Ruckus1(config)# no lldp advertise system-name ports e 1/1/2

Ruckus1(config)# show lldp local-info ports e 1/1/1 to 1/1/2

Local port: 1/1/1
+ Chassis ID (MAC address): 609c.9fe6.0858
+ Port ID (MAC address): 609c.9fe6.0858
+ Time to live: 120 seconds
+ System name : "Ruckus1"
+ Port description : "GigabitEthernet1/1/1"
<Output Truncated>
Local port: 1/1/2
+ Chassis ID (MAC address): 609c.9fe6.0858
+ Port ID (MAC address): 609c.9fe6.0859
+ Time to live: 120 seconds
+ Port description : "GigabitEthernet1/1/2"
<Output Truncated>

Revision 2212 9 ‐ 40
ICX 150 ICX Services

Dynamic Host Configuration

Protocol (DHCP)

The Dynamic Host Configuration Protocol (DHCP) is based on the Bootstrap Protocol
(BOOTP) and provides several configuration parameters stored in DHCP server
databases to DHCP clients upon request.

Revision 2212 9 ‐ 41
ICX 150 ICX Services

DHCP Overview
Dynamic Host Configuration Protocol (DHCP)

• Allows automatic configuration of network clients

• Assigns leased or permanent IP address to client systems

• Delivers host‐specific configuration parameters to network clients, including:

– Default router
– DNS server RUCKUS ICX devices support both DHCPv4 (IPv4) as well
as DHCPv6 (IPv6) configurations. This presentation
– Domain name focuses on the IPv4 implementation of DHCP.
– TFTP server For more information on DHCPv6 configurations
reference the RUCKUS FastIron DHCP Configuration Guide
– Boot file specific to your release.

42 © 2022 CommScope, Inc.

DHCP enables the automatic configuration of client systems. DHCP removes the
need to configure devices individually. Clients can set network properties by
connecting to the DHCP server instead. This protocol consists of two components; a
protocol to deliver host‐specific configuration parameters from a DHCP server to a
host, and a mechanism to allocate leased or permanent IP addresses to hosts. DHCP
is built on a client‐server model, where designated DHCP server hosts allocate
network addresses and deliver configuration parameters to dynamically configured
hosts.

Revision 2212 9 ‐ 42
ICX 150 ICX Services

DHCP Relay

Clients that have a routed boundary between them and their DHCP server require the use
of a DHCP Relay. In this section we’ll take about how DHCP Relay is used to help DHCP
requests make it to their destinations.

Revision 2212 9 ‐ 43
ICX 150 ICX Services

DHCP Relay – Helping DHCP at Layer3

• By default, Layer 3 devices do not pass DHCP requests
DHCP
between subnets Server
10.1.5.25

• DHCP Relay solves this with ip helper-address IP Helper Address e7 Router

10.1.5.25

• Helper address on interface e12 forwards DHCP request e12

to server
L2 Switch

• Request is stamped with incoming gateway interface

address, allowing server to choose correct address pool
DHCP
Request
• Source IP received at the DHCP server will be the
helper’s interface facing the server
– Port e7 in the example DHCP Client

44 © 2022 CommScope, Inc.

DHCP clients cannot, by default, communicate with DHCP servers that are separated
by a Layer 3 boundary without the help of a DHCP Relay. It is not reasonable to
expect that there will be Layer 2 connection to a DHCP server for each and every
subnet in a large network. Instead, a DHCP relay is configured on the Layer 3
boundary. This IP helper address will then forward those DHCP client requests to a
DHCP server that clients would not otherwise be able to reach.

The following parameters control the Layer 3 switch forwarding of BootP and DHCP
requests:
• Helper address ‐ The BootP/DHCP server IP address. You must configure the helper
address on the interface that receives the BootP/DHCP requests from the client, in
this example e12. The Layer 3 switch cannot forward a request to the DHCP server
unless you configure a helper address.
• Gateway address ‐ The Layer 3 switch places the IP address of the interface that
received the BootP/DHCP request in the request packet Gateway Address field
(sometimes called the Router ID field). When the server responds to the request, the
server sends the response as a unicast packet to the IP address in the Gateway
Address field. (If the client and server are directly attached, the Gateway ID field is
empty, and the server replies to the client using a unicast or broadcast packet,
depending on the server.)
By default, the Layer 3 switch uses the lowest‐numbered IP address on the interface
that receives the request as the Gateway address. You can override the default by
specifying the IP address you want the Layer 3 switch to use.

Revision 2212 9 ‐ 44
ICX 150 ICX Services

DHCP Relay Configuration

• Up to 16 Server IP addresses can be configured on an interface (router code)
– Can be configured on a physical or VE interface
– ICX devices require a number identifying the server being configured (1 through 16)

Ruckus1(config)# interface ethernet 1/1/12

Ruckus1(config-if-e10000-1/1/12)# ip helper-address 1 10.1.5.25

Syntax: [no] ip helper‐address address‐number [ ip‐address [ unicast ] ]

• Additional parameters can be specified, including:

– ICX reply to client can contain server as source, instead of ICX interface
– Maximum hop count can be adjusted

45 © 2022 CommScope, Inc.

To forward a client broadcast request for a UDP application when the client and server are
on different networks, you must configure a helper address on the interface connected
towards the client.

Specify the server IP address or the subnet directed broadcast address of the server's IP
subnet as the helper address. You can configure up to 16 helper addresses on each
interface. You can configure a helper address on an Ethernet port or a virtual interface.

The commands in the example above add a helper address for server 10.95.7.6 to the port.
If the port receives a client request for any of the applications that the Layer 3 switch is
enabled to forward to, the Layer 3 switch forwards the client request to the server.

Revision 2212 9 ‐ 45
ICX 150 ICX Services

DHCP Relay Options

• By default, when DHCP replies are sent to the client from the helper router, the
source address is the router interface facing the client
– You can configure the helper to use the DHCP server IP instead with the ip helper‐use‐
responder‐ip command

Ruckus1(config)# ip helper-use-responder-ip

• By default, a DHCP helper forwards a DHCP request if its hop count is four or less
– Requests with a hop count greater than four are discarded
– The maximum hop count can be modified with the bootp‐relay‐max‐hops command

Ruckus1(config)# bootp-relay-max-hops 10

Syntax: [no] bootp‐relay‐max‐hops max‐hop*

*max‐hop value range: 1 ‐ 15

46 © 2022 CommScope, Inc.

Changing the DHCP reply source address ‐ You can configure the device so that a
BOOTP/DHCP reply to a client contains the server IP address as the source address
instead of the router IP address with the ip helper-use-responder-ip
command in the global configuration context.

Changing the maximum number of hops to a BootP relay server ‐ Each router that forwards
a BootP/DHCP packet increments the hop count by one. Routers also discard a forwarded
BootP/DHCP request instead of forwarding the request if the hop count is greater than the
maximum number of BootP/DHCP hops allowed by the router.

By default, a RUCKUS Layer 3 switch forwards a BootP/DHCP request if its hop count is four
or less but discards the request if the hop count is greater than four. You can change the
maximum number of hops the Layer 3 switch allows to a value from 1 through 15.

Revision 2212 9 ‐ 46
ICX 150 ICX Services

DHCP Server

In this section we’ll outline how to utilize RUCKUS ICX devices to provide DHCP addressing
to clients.

Revision 2212 9 ‐ 47
ICX 150 ICX Services

DHCP Server
• All ICX devices can be configured as a DHCP server
– FastIron 08.0.95 can support up to 500 DHCP Clients
– FastIron 09.0.10a can support up to 3000 DHCP Clients

• Capable of providing IP address and several configuration parameters to clients

• Clients can include:

– Wireless access points
– IP phones
– Desktop computers
– Networking devices

• Available options enhance device operation without manual, individual configuration

48 © 2022 CommScope, Inc.

In the previous section we talked about DHCP Servers from the perspective of a
Windows or Linux server running DHCP services. However, ICX devices can also
provide DHCP Server functionality.

We provided an overview of DHCP in the Routing and Switching Protocols – RSP 100
course, but we’ll briefly recap here. DHCP is a protocol used to dynamically assign
IP address to devices in the network. Again, if you think about that larger network
deployment with hundreds or thousands of clients all needing IP connectivity your
options are 1.) Statically configure IP addresses on each and every client, which by
the way is a manual process. Or 2.) Utilize a DHCP server to assign addresses to
requesting clients automatically based on a pool of addresses that the administrator
has already defined.

…Continue on next slide

Revision 2212 9 ‐ 48
ICX 150 ICX Services

<continued from previous slide…>

DHCP is crucial if the subnet has more devices than available IP addresses. DHCP
allocates temporary or reserved network IP addresses to clients. When a client
requests the use of an address for a time interval, the DHCP server guarantees not
to reallocate that address within the requested time and tries to return the same
network address each time the client makes a request. The period of time for which
a network address is allocated to a client is called a lease. The client may extend the
lease through subsequent requests. When the client is done with the address, the
address can be released back to the server. By asking for an indefinite lease, clients
may receive a permanent assignment.

DHCP clients can be IP phones, desktops, or network devices. The clients can be connected
directly or through other networks using relays as we discussed earlier. The DHCP server
provides additional information as well, such as the DNS server name.

DHCP Server services are disabled by default on all FastIron devices.

Revision 2212 9 ‐ 49
ICX 150 ICX Services

DHCP Server Considerations

• DHCP Server is supported in both Layer 2 and Layer 3 software

• If running DHCP Server services on an ICX stack, the stack mac command must
be used to define the MAC address of the stack so that it does not change in
the event of a switchover/failover

• If any addresses from the defined pool are used (for example, by the DHCP
server itself or a TFTP server), you must exclude those addresses from the pool

• Ensure DHCP clients do not send DHCP request packets that exceed a
Maximum Transmission Unit (MTU) of 1500 bytes
50 © 2022 CommScope, Inc.

When configuring DHCP Server services on a RUCKUS ICX device consider the following:

• DHCP Server is supported on both Layer 2 and Layer 3 software images.

• Special consideration should be made to DHCP servers running on ICX stacks. The stack
mac command must be used to configure the MAC address, so that the MAC addresses
do not change in the event of a switchover or failover. If stack mac is not configured,
the MAC address/IP address pair assigned to a DHCP client will not match after a
switchover or failover.
• If any addresses from the defined DHCP Pool are used (for example, by the DHCP Server
itself) they should be excluded from the pool
• RUCKUS ICX devices do not support DHCP packets with an MTU larger than 1500 bytes

Revision 2212 9 ‐ 50
ICX 150 ICX Services

DHCP Server Configuration

Follow these steps to enable the server and configure the pool scope

• Enable the DHCP server

Ruckus1(config)# ip dhcp-server enable
Syntax: [no] ip dhcp‐server enable

• Create an address pool

Ruckus1(config)# ip dhcp-server pool Building6
Syntax: [no] ip dhcp‐server pool name

• Configure pool IP address scope

Ruckus1(config-dhcp-Building6)# network 172.16.1.0/24
Syntax: network subnet/mask

51 © 2022 CommScope, Inc.

Before you can configure the various DHCP server options, you must create an
address pool on your ICX device.
The first step is to enable the DHCP server with the ip dhcp-server enable
command. Note: If DHCP client services are enabled they must be disabled before
running this command

Next, create a server pool with the ip dhcp-server pool command, which
puts the administrator into he DHCP pool configuration context. From here you can
configure several optional parameters.

If the pool will provide IP addresses to clients, the scope of IP addresses must be
defined with the network command.

Revision 2212 9 ‐ 51
ICX 150 ICX Services

DHCP Server Configuration – Pool and Lease Settings

• Exclude used address from scope
Ruckus1(config-dhcp-Building6)# excluded-address 172.16.1.1 172.16.1.3
Syntax: excluded‐address { address | address‐low address‐high }

• Static IP mapping
Ruckus1(config-dhcp-Building6)# static-mac-ip-mapping 172.16.1.44 0010.9400.0005
Success - Entry Added into Lease Binding Database IP :172.16.1.44 MAC :0010.9400.0005
Syntax: static‐mac‐ip‐mapping ip‐address mac‐address

• Lease settings
Ruckus1(config-dhcp-Building6)# lease 0 4 0
Syntax: lease days hours minutes

• Deploy the address pool

Ruckus1(config-dhcp-Building6)# deploy
Syntax: deploy

52 © 2022 CommScope, Inc.

You can exclude a single address or a range of addresses from the address pool. This
is accomplished with the excluded-address command from the pool
configuration context. In this example we have excluded a range of 3 addresses
172.16.1.1.1, 1.2 and 1.3.

You can also statically assign a specific IP address within the pool to a specific client
with the use of static mac to ip mappings. This configuration is useful when you
want to have selected clients assigned with particular IP addresses from the pool.
Whenever a DHCP discover message is received from these clients, their MAC
address is identified and based on the static mapping, the IP address will be
assigned.

The lease duration for assigned IP addresses can be modified from the default of 1
day with the lease command. The range available is from 1 to 8 days. You can set
the lease duration for just days, just hours, just minutes or any combination. In the
example shown we’ve changed the lease duration to 4 hours. The lease duration
should be configured to match the environment. For instance, if the network sees
heavy use from devices that are only in the area for a short period of time the lease
duration should not be several days. The IP pool would be quickly exhausted by
devices that are no longer in the network.

Once the address pool is configured, it must be deployed with the deploy
command.

Revision 2212 9 ‐ 52
ICX 150 ICX Services

Viewing and Clearing DHCP Server leases

• View DHCP bindings for all pools
Ruckus1# show ip dhcp-server binding
Bindings from all pools:
IP Address Client-ID/ Lease expiration Type
Hardware address

172.16.1.29 0010.9400.0005 000d:00h:00m:00s Automatic

172.16.1.4 bc5f.f44c.44d4 000d:03h:59m:00s Automatic

• Clear an address from the pool

Ruckus1# clear ip dhcp-server binding 172.16.1.4
Syntax: clear ip dhcp‐server binding ipaddress [or] * to delete all lease entries

53 © 2022 CommScope, Inc.

You can view active DHCP leases on the ICX by issuing the show ip dhcp-
server binding command. Output will display the IP and MAC address
association as well as the lease expiration for each entry.

To manually clear an entry from the lease table issue the clear ip dhcp-
server binding command followed by the IP address you wish to clear,
specifying an asterisk * clears all entries.

Revision 2212 9 ‐ 53
ICX 150 ICX Services

DHCP Options
• DHCP options allow DHCP servers to pass additional configuration parameters
to clients

• Common options include:

– Default router (default gateway)
– DNS server
– Host name
– Domain name

• DHCP options are not validated by the DHCP server.

54 © 2022 CommScope, Inc.

A client that obtains an IP Address from DHCP can also be provided additional
configuration parameters or DHCP Options. These options can include a default
router (client gateway) address, DNS server addressing as well as a hostname.

The number of options that can be passed to the client is limited by the size of the
ACK packet. It is recommended that you configure essential options only for the
specific DHCP server address pool.

The following options (if configured) are prioritized, with additional options added
as needed:
• 3 ‐ Router Option
• 6 ‐ Domain Name Server
• 12 ‐ Hostname
• 15 ‐ Domain name
• 66 ‐ TFTP server hostname or IP address
• 67 ‐ Boot file name
• 60 ‐ Vendor‐Specific Information

DHCP options are not validated by the DHCP server. You must ensure the values are
configured correctly.

For a complete list of DHCP Options reference the RUCKUS FastIron DHCP
Configuration Guide for your release.

Revision 2212 9 ‐ 54
ICX 150 ICX Services

DHCP Options Configuration

Options are defined with the DHCP pool: The show ip dhcp-server address-pools
command will display information about configured
pools, including configured options.
• Default router
Ruckus1(config-dhcp-Building6)# option 3 ip 172.16.1.1
Syntax: option 3 ip router‐ip

• Domain name
Ruckus1(config-dhcp-Building6)# option 15 ascii ruckuswireless.com
Syntax: option 15 ascii domain‐name

• DNS servers
Ruckus1(config-dhcp-Building6)# option 6 ip 172.16.1.2 172.16.1.3
Syntax: option 6 ip server‐ip‐address …

• NTP servers
Ruckus1(config-dhcp-Building6)# option 42 ip 172.16.1.44
Syntax: option 42 ip server‐ip‐address …
55 © 2022 CommScope, Inc.

Once you have determined which DHCP options to provide as well as the values associated
with the options, they are defined within the DHCP pool.

Specify the option number followed by the required values for the option. In the examples
shown we are providing a default route, domain name, DNS servers as well as NTP server
address. Notice that the addressing used in these options was either previously excluded
from the pool or statically assigned.

Using the show ip dhcp-server address-pools command will display all of the
pool configurations including configured DHCP options.

Revision 2212 9 ‐ 55
ICX 150 ICX Services

DHCP Vendor Specific Information ‐ SmartZone

• DHCP options 60 and 43 allow identification of vendor‐specific clients and provide
them with vendor‐specific information
– Option 60 defines the vendor type and configuration value
– Option 43 defines vendor specific information
o If option 60 is configured, the vendor specific information (defined in option 43) is only returned to
clients that match that configured vendor type configuration value
o If option 60 is not configured, the vendor specific information is sent to all clients

• In this example, a client in this pool that identifies as “RUCKUS CPE” (option 60), will
be sent additional information (option 43) to direct that device to the RUCKUS
SmartZone network controller for management
Ruckus1(config-dhcp-Building6)# option 60 ascii “RUCKUS CPE”
Ruckus1(config-dhcp-Building6)# option 43 hex 060b31302e31302e31302e3130
Translates to 10.10.10.10
56 © 2022 CommScope, Inc.

RUCKUS devices running as DHCP servers can be configured with option 43 and
option 60. Configuring the DHCP option 60 helps to identify the incoming DHCP
client. If the vendor class identifier (VCI) advertised by the DHCP client matches
with the DHCP server, the server makes a decision to exchange the vendor‐specific
information (VSI) configured as part of DHCP option 43.

When option 60 is defined ICX DHCP servers can recognize the DHCP client device
using the VCI and pass specific option 43 information to this device type only.
However, the DHCP server can be configured to always pass additional information
using option 43 (regardless of the client) when option 60 is not defined.

In summary:
• Option 60 defines the vendor type and configuration value.
• Option 43 defines vendor specific information.
• If option 60 is configured, the vendor specific information (defined in option
43) is returned to clients that provide the appropriate vendor type and
configuration value.
• If option 60 is not configured, the vendor specific information is sent to all
clients.

Revision 2212 9 ‐ 56
ICX 150 ICX Services

DHCP Snooping

RUCKUS ICX devices can protect themselves from rouge DHCP servers that attempt to pass
unwanted responses. This is accomplished with DHCP Snooping which we’ll talk about in
this section.

Revision 2212 9 ‐ 57
ICX 150 ICX Services

DHCP Snooping Overview

• DHCP snooping enables the device to filter untrusted DHCP packets in a subnet which can:
– Protect from rogue DHCP servers
– Prevent malicious user posing as a DHCP server sending false DHCP server reply packets
– Can stop unauthorized DHCP servers connected to the network (personal home routers)

Untrusted Trusted Untrusted Untrusted Trusted

Ports Port Port Port Port

DHCP Request
DHCP Reply
Rogue Rogue Trusted
DHCP Server DHCP Server DHCP Server
58 © 2022 CommScope, Inc.

DHCP snooping enables the RUCKUS device to filter untrusted DHCP packets in a
subnet. DHCP snooping can ward off man in the middle attacks, such as a rogue
DHCP server sending false DHCP server reply packets with the intention of
misdirecting other users. DHCP snooping can also stop unauthorized DHCP servers
and prevent errors stemming from user misconfiguration of DHCP servers.

DHCP snooping is often used with Dynamic ARP Inspection, which you learned
about previously, as well as IP Source Guard.

When enabled on a VLAN, DHCP snooping stands between untrusted ports (those
connected to host ports) and trusted ports (those connected to DHCP servers). A
VLAN with DHCP snooping enabled forwards DHCP request packets from clients and
discards DHCP server reply packets on untrusted ports. DHCP server reply packets
on trusted ports to DHCP clients are forwarded.

In the example, we show a client broadcasting a DHCP request which will be heard by all
DHCP servers. The rogue DHCP servers will attempt to reply, however because their ports
are untrusted, their DHCP replies will be blocked. The known DHCP server’s interface is
explicitly trusted so its reply will not be filtered.

Revision 2212 9 ‐ 58
ICX 150 ICX Services

DHCP Snooping Configuration

• DHCP Snooping is disabled by default
– When enabled all ports are untrusted by default

• Snooping is enabled on a per VLAN basis

Ruckus1(config)# ip dhcp snooping vlan 100 to 150 160 170 to 200
Syntax: [no] ip dhcp snooping vlan vlan‐id [ to vlan‐id … ]

• Change trust setting on interface connected toward DHCP server

Ruckus1(config)# interface ethernet 1/1/1
Ruckus1(config-if-e10000-1/1/1)# dhcp snooping trust
Syntax: [no] dhcp snooping trust

Note: To allow DHCP snooping in releases prior to FastIron 08.0.95, you had to first enable support for ACL filtering based
on VLAN membership or VE port membership using the enable acl‐per‐port‐per‐vlan command. In the FastIron 08.0.95
release, all ports are enabled with per‐port‐per‐vlan by default and this command has been deprecated.

59 © 2022 CommScope, Inc.

DHCP snooping is disabled by default on ICX devices. It is enabled per VLAN, after
which the trust setting of ports connected to a DHCP server must be changed to
trusted. DHCP packets for a VLAN with DHCP snooping enabled are inspected.

NOTE: To run DHCP snooping in releases prior to FastIron 08.0.95, you had to first
enable support for ACL filtering based on VLAN membership or VE port membership
with the enable acl-per-port-per-vlan command. In the FastIron
08.0.95 release all ports are enabled with per‐port‐per‐vlan by default and the
aforementioned command has been deprecated.

Enable DHCP snooping on a VLAN with the ip dhcp snooping vlan

command. Then, change the trust setting of the ports that are connected to the
DHCP server to be trusted at the interface configuration level with the dhcp
snooping trust command.

NOTE: DHCP snooping is disabled by default and the trust setting of ports is
untrusted by default. DHCP snooping must be enabled on the client and the DHCP
server VLANs.

Revision 2212 9 ‐ 59
ICX 150 Device Security and Monitoring

Dynamic ARP Inspection

Now that we’ve discussed DHCP Snooping, lets talk about Dynamic ARP Inspection or DAI.

Revision 2212 7 ‐ 60
ICX 150 Device Security and Monitoring

Dynamic ARP Inspection Overview

• The RUCKUS ICX can be configured to inspect and keep track of Dynamic Host
Configuration Protocol (DHCP) assignments
• Dynamic ARP Inspection (DAI) allows only valid ARP requests and responses to
be forwarded
– Can prevent common man‐in‐the‐middle (MiM) attacks such as ARP cache poisoning
– Disallows misconfiguration of client IP addresses

• A RUCKUS device on which DAI is configured does the following:

– Intercepts and inspects all ARP requests and responses received on untrusted ports
– Verifies that each of the intercepted packets has a valid IP‐to‐MAC address binding
before updating the local ARP table, or before forwarding the packet to the
appropriate destination
– Drops invalid ARP packets
61 © 2022 CommScope, Inc.

For enhanced network security, you can configure the RUCKUS ICX device to inspect
and keep track of Dynamic Host Configuration Protocol (DHCP) assignments.

Dynamic ARP Inspection (DAI) enables the RUCKUS device to intercept and examine
all ARP request and response packets in a subnet and discard packets with invalid
IP‐to‐MAC address bindings. DAI can prevent common man‐in‐the‐middle (MiM)
attacks, such as ARP cache poisoning, and disallows misconfiguration of client IP
addresses.

DAI allows only valid ARP requests and responses to be forwarded and supports
Multi‐VRFs with overlapping address spaces.

Revision 2212 7 ‐ 61
ICX 150 Device Security and Monitoring

How DAI Works

• When you enable DAI on a VLAN, by default, all member ports are
untrusted
– You must manually configure trusted ports
• ARP packets on untrusted ports are inspected against the switch’s local ARP
table and the DHCP Snooping table
• Status of each ARP entry is either valid or pending
– Valid ‐ The mapping is valid,
and the port is resolved
– Pending ‐ Normal dynamic
ARP entries before they are
resolved
o Their status changes to valid
when they are resolved, and
the port is mapped

62 © 2022 CommScope, Inc.

When you enable DAI on a VLAN, by default, all member ports are untrusted. You
must manually configure trusted ports. In a typical network configuration, ports
connected to host ports are untrusted. You configure ports connected to other
switches or routers as trusted.

DAI inspects ARP packets received on untrusted ports, as shown in the diagram. DAI
carries out the inspection based on IP‐to‐MAC address bindings stored in a trusted
binding database. For the RUCKUS device, the binding database is the ARP table and
the DHCP snooping table, which supports DAI, DHCP snooping, and IP Source
Guard. To inspect an ARP request packet, DAI checks the source IP address and
source MAC address against the ARP table. For an ARP reply packet, DAI checks the
source IP, source MAC, destination IP, and destination MAC addresses. DAI forwards
the valid packets and discards those with invalid IP‐to‐MAC address bindings.
When ARP packets reach a trusted port, DAI lets them through, as shown here.
DAI uses the IP‐to‐MAC mappings in the ARP table to validate ARP packets received
on untrusted ports. DAI relies on the following entries:
• Dynamic ARP ‐ Normal ARP learned from trusted ports.
• Static ARP ‐ Statically configured IP/MAC/port mapping.
• Inspection ARP ‐ Statically configured IP‐to‐MAC mapping, where the port is
initially unspecified. The actual physical port mapping will be resolved and
updated from validated ARP packets.
• DHCP‐Snooping ARP ‐ Information collected from snooping DHCP packets
when DHCP snooping is enabled on VLANs. DHCP snooping entries are stored
in a different table and are not part of the ARP table.

Revision 2212 7 ‐ 62
ICX 150 Device Security and Monitoring

DAI Configuration

• DAI is enabled on per VLAN basis

RUCKUS(config)# ip arp inspection vlan 100 to 150 160 170 to 200
Syntax: [no] ip arp inspection vlan vlan-id [ to vlan-id … ]

• Identify the trusted interfaces, then enable trust on the ports

RUCKUS(config)# interface ethernet 1/1/1
RUCKUS(config-if-e10000-1/1/1)# arp inspection trust
Syntax: [no] arp inspection trust

• If static IP addresses operate on VLANs with DAI configured, static

inspection entries must be configured
RUCKUS(config)# arp 10.20.20.12 0000.0002.0003 inspection

63 © 2022 CommScope, Inc.

When configuring Dynamic ARP Inspection, you must first configure static ARP or
static inspect ARP entry for hosts configured with a static IP address. Otherwise,
when DAI checks ARP packets from these hosts against entries in the ARP table, it
will not find any entries for them, and the RUCKUS device will not allow or learn
ARP from an untrusted host.
Next, you enable Dynamic ARP Inspection on a configured VLAN with the ip arp
inspection vlan command.

Note: Any interfaces associated with that VLAN will have any existing ARP entries flushed.

Finally, you change the trust setting of the ports that will be allowed to bypass DAI
to trusted at the interface configuration level with the arp inspection trust
command.

You can manually configure a static IP address entry into the DAI table entry.

Revision 2212 7 ‐ 63
ICX 150 ICX Services

IP Source Guard

In this section we’ll talk about IP Source Guard.

Revision 2212 9 ‐ 64
ICX 150 ICX Services

IP Source Guard Overview

• Prevents IP traffic from unknown hosts on untrusted interfaces

• Uses the DHCP snooping binding database to validate traffic

• When first enabled, only DHCP is allowed until valid IP addresses are learned
from DHCP snooping

• Can be enabled per port, per VLAN, per port/per VLAN

• DHCP Snooping: Protects integrity of DHCP Servers
– Dynamic ARP Inspection: Discards invalid ARP requests
o IP Source Guard: Filters all IP packets until validated against DHCP Snooping table

65 © 2022 CommScope, Inc.

As we learned previously, Dynamic ARP inspection can be used to prevent ARP spoofing. It
does this by inspecting ARP packets, only allowing ARP requests from trusted ports, or
devices with valid DHCP snooping binding table entries. IP Source Guard can be used to
prevent IP spoofing. It leverages DHCP snooping to determine if a client has valid IP
addresses and if so, the system will allow IP traffic for that client.

The RUCKUS implementation of the IPSG technology supports configuration on a port and
specific VLAN memberships on a port.

When IPSG is first enabled, only DHCP packets are allowed, while all other IP traffic is
blocked. IP Source Guard allows IP traffic when the system learns valid IP addresses. The
system learns of a valid IP address from DHCP snooping. When a new IP source entry
binding on the port is created or deleted, an access‐list with a permit filter for the IP
address is added or deleted. By default, if IPSG is enabled without any IP source binding on
the port, an ACL that denies all IP traffic is loaded on the port.

Revision 2212 9 ‐ 65
ICX 150 ICX Services

IP Source Guard (IPSG) Features and Limitations

• Supported on LAG interfaces
• Enabled on tagged or untagged ports
• No longer configured on VE (configuration moved to VLAN)
• Can be enabled on up to 511 VLANs
• IPSG and Dynamic ACLs cannot exist on same port
• Number of supported IPSG entries depends on hardware (TCAM)
• When enabling IPSG in topologies that have DHCP clients, you must also
enable DHCP Snooping
– If you do not enable snooping, all IP traffic including DHCP packets are blocked
• When enabling IPSG in topologies that do not have DHCP clients, IP source
binding must be created for each client
– If you do not create source bindings, data packets are blocked
66 © 2022 CommScope, Inc.

This slide lists some of the features and limitations of IP Source guard in the FastIron
08.0.95 release. For a complete list please reference the RUCKUS FastIron DHCP
Configuration Guide for your release.

Revision 2212 9 ‐ 66
ICX 150 ICX Services

IP Source Guard Configuration

• To configure IP Source Guard on specific ports:
Ruckus1(config)# interface ethernet 1/1/1
Ruckus1(config-if-e10000-1/1/1)# source-guard enable
• To configure IP Source Guard on port range:
Ruckus1(config)# interface ethernet 1/1/1 to 1/1/10
Ruckus1(config-mif-1/1/1-1/1/10)# source-guard enable
• To configure IP Source Guard on all ports on a VLAN
Ruckus1(config)# vlan 12
Ruckus1(config-vlan-12)# untagged ethernet 1/1/5 to 1/1/8
Ruckus1(config-vlan-12)# tagged ethernet 1/1/23 to 1/1/24
Ruckus1(config-vlan-12)# source-guard enable

67 © 2022 CommScope, Inc.

IP Source guard can be enabled on a single port or a range of ports within the same
hardware module, as well as at a VLAN level using the commands shown.

Revision 2212 9 ‐ 67
ICX 150 ICX Services

IP Source Guard Configuration (cont.)

• To configure IP Source Guard on specific ports in a VLAN
Ruckus1(config)# vlan 12
Ruckus1(config-vlan-12)# untagged ethernet 1/1/5 to 1/1/8
Ruckus1(config-vlan-12)# tagged ethernet 1/1/23 to 1/1/24
Ruckus1(config-vlan-12)# source-guard enable ethernet 1/1/8 ethernet 1/1/23

• To create IP Source Guard static binding

Ruckus1(config)# ip source binding 10.10.10.1 ethernet 1/1/1 vlan 2

68 © 2022 CommScope, Inc.

From the VLAN context you can also specify which individual VLAN ports should run source
guard as opposed to enabling it for the entire VLAN.

It may be necessary to include a static IP binding to allow client data traffic that would
otherwise be blocked. This can be achieved with the ip source binding command,
specifying the IP address, ethernet port and optionally the VLAN. If no VLAN is specified,
the binding would apply to all VLANs associated to the physical port.

Revision 2212 9 ‐ 68
ICX 150 ICX Services

Attendees should now be able to:

• Identify Network Time Protocol (NTP) modes
of operation
• Perform basic NTP configurations
• Configure Secure Shell (SSH) on ICX devices
• Identify, enable and configure supported
Layer 2 discovery protocols
Summary • Implement LLDP, LLDP‐MED and verify its
configuration
• Configure Dynamic Host Control Protocol on
ICX including:
– DHCP Server
– DHCP Relay
– DHCP Options
– DHCP Snooping
– IP Source Guard

Attendees should now be able to:

• Identify Network Time Protocol (NTP) modes of operation
• Perform basic NTP configurations
• Configure Secure Shell (SSH) on ICX devices
• Identify, enable and configure supported Layer 2 discovery protocols
• Implement LLDP, LLDP‐MED and verify their configurations
• Configure the following Dynamic Host Control Protocol features on ICX
–DHCP Server
–DHCP Relay
–DHCP Options
–DHCP Snooping
–IP Source Guard

Revision 2212 9 ‐ 69
ICX 150 ICX Services

End of presentation:
ICX Services

This is the end of the presentation on ICX Services.

Revision 2212 9 ‐ 70
ICX 150 Layer 2 Redundancy

Layer 2 Redundancy

Revision 2212

This presentation focuses on Layer 2 redundancy protocols, specifically Spanning Tree

Protocol (STP) and Multi‐Chassis Trunking (MCT).

Let’s get started

Revision 2212 10 ‐ 1
ICX 150 Layer 2 Redundancy

After completing this module, you will be

able to:
• Identify supported Spanning Tree Protocols
• Configure Spanning Tree and Rapid Spanning
Tree
• Identify RUCKUS enhanced features to
Spanning Tree
Objectives • Understand Multiple Spanning Tree (MSTP)
802.1s and its purpose
• Describe the benefits of Multi‐Chassis
Trunking (MCT)
• Understand and discuss MCT terminology

After completing this module, you will be able to:

• Identify supported Spanning Tree Protocols
• Configure Spanning Tree and Rapid Spanning Tree
• Identify RUCKUS enhanced features to Spanning Tree
• Describe Multiple Spanning Tree (MSTP) 802.1s and its purpose
• Describe the benefits of Multi‐Chassis Trunking (MCT)
• Understand and discuss MCT terminology, as well as use commands to display
MCT operational status

Revision 2212 10 ‐ 2
ICX 150 Layer 2 Redundancy

Spanning Tree Protocols

We’ll start with Spanning Tree Protocol.

Revision 2212 10 ‐ 3
ICX 150 Layer 2 Redundancy

Spanning Tree Protocol Overview 153_spanning‐tree.png

• All Spanning Tree standards are incorporated into IEEE 802.1Q‐

2014
– Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP),
Multiple Spanning Tree Protocol (MSTP)
• IEEE 802.1D, original standard for Spanning Tree (STP)
• Purpose of STP
– Spanning Tree uses an algorithm to ensure a loop‐free topology by
enabling a single path through any physical arrangement of
switches. It detects redundant links, blocks redundant links, and
allows for failover to redundant links. STP creates a loop‐free
topology without disconnecting or disabling interfaces
• Rapid Spanning Tree (RSTP) (802.1w)
– An evolution of 802.1D
– Provides rapid convergence and takes advantage of
Spanning Tree’s point‐to‐point wiring configuration
– Backward compatible with 802.1D
• Multiple Spanning Tree (802.1s)
– Allows multiple VLANs to be managed by a single STP instance
4 © 2022 CommScope, Inc.

In 2014, the three main types of Spanning Tree, 802.1D (the original specification), 802.1w
(Rapid Spanning Tree), and 802.1s (Multiple Spanning Tree) were all incorporated into the
802.1Q‐2014 specification. The original specifications are still commonly used when
comparing the functionality of one version against another.

Regardless of the version being used, the purpose of Spanning Tree is the same. Spanning
Tree uses an algorithm to ensure a loop‐free topology by enabling a single path through any
physical arrangement of switches. It detects redundant links, blocks redundant links, and
allows for failover to redundant links. STP creates a loop‐free topology without
disconnecting or disabling interfaces.

Rapid Spanning Tree Protocol (RSTP) is seen as an evolution of the original standard. RSTP
uses most of same terminology as 802.1D, and most of the parameters have been left
unchanged so that users familiar with 802.1D can rapidly configure RSTP comfortably.

RSTP is backward compatible to 802.1D in order to interoperate with legacy bridges on a

per‐port basis. In a mixed environment, the benefits that RSTP introduces are dropped.
RSTP provides rapid convergence and takes advantage of Spanning Tree's point‐to‐point
wiring configuration. Failure in one forwarding path does not affect other forwarding paths.
RSTP improves the operation of Spanning Tree while maintaining backward compatibility.

Then we have Multiple Spanning Tree (MSTP) which allows multiple VLANs to be managed
by a single STP instance and supports per‐VLAN Spanning Tree. As a result, several VLANs
can be mapped to a reduced number of Spanning Tree instances. This ensures a loop‐free
topology for one or more VLANs that have similar Layer 2 characteristics and provides the
added benefit of reduced resource usage in hardware.

Revision 2212 10 ‐ 4
ICX 150 Layer 2 Redundancy

Default STP Settings

• Default Spanning Tree configuration for ICX devices
– Switch code – 802.1D enabled globally
– Router code – 802.1D enabled on default VLAN

• Newly configured VLANs in switch code will have 802.1D enabled by default

• 802.1w (RSTP) can be enabled per VLAN, or per interface

• Supported STP enhancements:

– Single Instance Spanning Tree (SSTP)
– Root Guard
– BPDU Guard
– STP Protect
– 802.1D Fast Port Span
– 802.1D Fast Uplink Span
5 © 2022 CommScope, Inc.

By default, RUCKUS ICX devices running Layer 2 code have 802.1D enabled globally,
whereas, devices running Layer 3 code have 802.1D enabled on the default VLAN. To
migrate to RSTP for faster recovery, you can enable RSTP on a per‐VLAN, or per‐port basis.
When you create a port‐based VLAN, the new VLAN STP state is the same as the
default STP state on the device due to the same default values being applied.

ICX devices support enhancements made to STP including, Single Instance Spanning Tree
(SSTP), Root Guard, BPDU Guard, STP protect, 802.1D Fast Port Span, and 802.1D Fast
Uplink Span . We will be discussing these features throughout this module.

Revision 2212 10 ‐ 5
ICX 150 Layer 2 Redundancy

Per‐VLAN Spanning Tree 153_PVST.png

• STP uses Bridge Protocol Data Units (BPDUs) for operation

– Pass from switch to switch, building and maintaining the tree

• Devices run Per‐VLAN Spanning Tree (PVST)

• Each VLAN maintains its own STP instance

– PVST treats each VLAN as a separate network
– On switch code, 802.1D is enabled on all added VLANs
o Each device has a default VLAN (VLAN 1) with 802.1D enabled

• Commands can be run per VLAN:

– show 802-1w detail vlan 2
– show 802-1w detail vlan 33

6 © 2022 CommScope, Inc.

Spanning Tree uses Bridge Protocol Data Units (BPDUs), for operation. These are the frames
that pass from switch to switch, building and maintaining the tree for a given VLAN. By
default, RUCKUS ICX devices run PVST on each VLAN when they are created.

Per‐VLAN Spanning Tree (PVST) is an enhancement to single instance of STP which allows
each VLAN create a different tree within the network. Meaning that PVST maintains a
Spanning Tree instance for each VLAN configured and enables a link to be forwarding for
some VLANs, but blocked others. Because PVST treats each VLAN as a separate network, it
can load balance Layer 2 traffic by forwarding some VLANs on one trunk, and other VLANs
on another trunk without causing a Spanning Tree loop.

Revision 2212 10 ‐ 6
ICX 150 Layer 2 Redundancy

Spanning Tree Protocol

802.1D

Let’s take a look at configuring the original 802.1D standard.

Revision 2212 10 ‐ 7
ICX 150 Layer 2 Redundancy

Enabling STP (802.1D)

• You can enable or disable STP on the following levels:

• All ports in a port‐based VLAN

Ruckus(config)# vlan 222
Ruckus(config-vlan-222)# no spanning-tree

• On an individual port
Ruckus(config)# interface e 1/1/1
Ruckus(config-if-e1000-1/1/1)# no spanning-tree

8 © 2022 CommScope, Inc.

As we previously mentioned, 802.1D is configured by default on VLAN 1 (default) on all ICX

devices running Layer 2 and Layer 3 firmware.

Enabling or disabling 802.1D is performed within the VLAN as shown here and will apply to
all ports that belong to that VLAN. If you want to disable STP on an interface you can do so
within the interface configuration context. Be aware that port settings override VLAN global
settings. Thus, you can enable or disable STP on a specific port however it effects all
spanning tree instances for all VLANs it may be a member of. Therefore caution should be
taken to ensure a loop is not created.

Revision 2212 10 ‐ 8
ICX 150 Layer 2 Redundancy

802.1D Show Commands

Ruckus‐03

Ports 5 and 7 are redundant links between switches with STP 1/1/5 1/1/7 Root
enabled on VLAN 222
VLAN 222

Ruckus-04# show span vlan 222

STP instance owned by VLAN 222 1/1/5 1/1/7

Global STP (IEEE 802.1D) Parameters:

Ruckus‐04
VLAN Root Root Root Prio Max He- Ho- Fwd Last Chg Bridge
ID ID Cost Port rity Age llo ld dly Chang cnt Address
Hex sec sec sec sec sec
222 8000cc4e24c0deb0 4 1/1/5 9c40 20 2 1 15 14 58 609c9fe60858
Port STP Parameters:
Port Prio Path State Fwd Design Designated Designated
Num rity Cost Trans Cost Root Bridge
Hex
1/1/5 80 4 FORWARDING 3 0 8000cc4e24c0deb0 8000cc4e24c0deb0
1/1/7 80 4 BLOCKING 2 0 8000cc4e24c0deb0 8000cc4e24c0deb0

Syntax: show span [number] | designated-protect | fast-uplink-span | pvst-mode | root-protect | detail [number]
| vlan [vlan-id]
9 © 2022 CommScope, Inc.

Use the show span command to view details of 802.1D spanning tree. If you do not
specify a VLAN, the output will show the details for each VLAN on the switch that has
spanning tree enabled.

In this example: the show output is from switch Ruckus‐04 and displays the root bridge
(Ruckus‐03) along with the local bridge priority (in HEX) along with its ID. We changed
Ruckus‐04 bridge priority to 40000 (9c40 is 40,000 in HEX) from the default of 32768,
which caused it not to become the root bridge. Additionally, each port and its STP state
along with the designated root and bridge are displayed as well. Because of the redundant
links between these two bridges, port 1/1/5 is Forwarding, and 1/1/7 is Blocking.

The Syntax is shown to see the granular output you can receive from this command.

Revision 2212 10 ‐ 9
ICX 150 Layer 2 Redundancy

802.1D Show Commands (cont.)

Ruckus-04# show span detail vlan 222 ethernet 1/1/5
Port 1/1/5 is FORWARDING
Port - Path cost: 4, Priority: 128, Root: 0x8000cc4e24c0deb0
Designated - Bridge: 0x8000cc4e24c0deb0, Interface: 0, Path
cost: 0
Active Timers - Message age: 0
BPDUs - Sent: 281, Received: 1335

Ruckus-04# show span detail vlan 222 ethernet 1/1/7

Port 1/1/7 is BLOCKING
Port - Path cost: 4, Priority: 128, Root: 0x8000cc4e24c0deb0
Designated - Bridge: 0x8000cc4e24c0deb0, Interface: 2, Path
cost: 0
Active Timers - Message age: 0
BPDUs - Sent: 274, Received: 1433
10 © 2022 CommScope, Inc.

Use the show span detail command with a specific VLAN and port number to view
even more STP information including, the port's priority, and number of BPDUs sent and
received.

Because the Ruckus‐03 switch is the root bridge there are many more BPDUs received than
sent. Once the topology is established, only if a failure, a change in the topology or bridge
priority change would cause these BPDUs to possibly to be sent by this interface.

Revision 2212 10 ‐ 10
ICX 150 Layer 2 Redundancy

Additional STP Configurations

• When non‐default VLANs are created each can have their own bridge priority
– Can allow each VLAN to have a different root bridge forming its own topology (different blocked/forwarding ports)
– Change bridge priority per VLAN
Ruckus-04(config)# vlan 222 Path cost value
Ruckus-04(config-vlan-222)# spanning-tree priority 40000 • A 10 Mbps link has a cost of 100
• Can also change the port priority and path cost • A 100 Mbps link has a cost of 19
• A 1 Gbps link has a cost of 4
– Allowing the administrator to influence path selection
• A 10 Gbps link has a cost of 2
Ruckus(config)# vlan 10
Ruckus(config-vlan-10)# spanning-tree ethernet 1/1/1 path-cost 15 priority 64

• Fast Port Span allows for fast convergence on client ports

– Enabled by default on ICX; performs STP convergence in 4 seconds
• Fast Uplink Span allows for fast convergence on switch to switch links
– Not enabled by default; links move to forwarding state within 1 second
– Recommended only for use on switches at the edge of the network

11 © 2022 CommScope, Inc.

We are going to briefly summarize some of the additional configurations that can be
applied to 802.1D spanning tree instances.

Changing the STP bridge priority on an ICX device, increases its possibility to becoming the
root bridge for a given VLAN. Because this is performed on a per VLAN basis, it allows
different bridge priorities to be set on each configured VLAN. Using this we can create
diverse bridge elections thus causing each VLANs layer 2 topology to form different paths.
This not only allows better utilization of the redundant links but provides balance of the
traffic over more links.

The bridge with the lowest value has the highest priority, thus setting a bridge to zero will
cause it to have the highest priority.

Administrators can influence link selection within the spanning tree topology by configuring
path‐cost values. This specifies the path cost added to received BPDUs which calculate the
path to the root bridge. STP prefers the path with the lowest cost. You can specify a value
from 0 ‐ 65535. The default depends on the port type:
• A 10 Mbps link has a cost of 100
• A 100 Mbps link has a cost of 19
• A 1 Gbps link has a cost of 4
• A 10 Gbps link has a cost of 2

…Continued on next slide

Revision 2212 10 ‐ 11
ICX 150 Layer 2 Redundancy

Blank Notes Page

<continued from previous slide…>

Shown are the default “short” path cost values and as you can see they provide values for
interfaces up to 10 Gbps. When designating path‐cost administrators can also specify long
values between 1 and 200,000,000. This provides more granularity to differentiate higher
speed ports (40G, 100G) into path selection. Note: You should not mix short and long
values in your environment.

Fast Port Span is used in 802.1D only, and allows faster convergence on ports that are
attached to end stations. This should only be enabled on client ports as they do not present
the potential to cause a Layer 2 loop.

The Fast Uplink Span feature enhances STP 802.1D performance for wiring closet
switches with redundant uplinks.
You can use the Fast Uplink Span feature to decrease the convergence time for the
uplink ports to another device to just one second.

More detail on configurations and options of Spanning Tree 802.1D can be found in
the RUCKUS FastIron Layer 2 Switching Configuration Guide as well as within the
Routing and Switching Protocols (RSP‐100) course in CommScope University.

Revision 2212 10 ‐ 12
ICX 150 Layer 2 Redundancy

Rapid Spanning Tree Protocol (RSTP)

802.1w

In this section we’ll take a look at Rapid Spanning Tree.

Revision 2212 10 ‐ 13
ICX 150 Layer 2 Redundancy

162_rstp‐config.png

RSTP Configuration
• Enable RSTP:
Ruckus1(config-vlan-2)# spanning-tree 802-1w

• Define instance and port priorities:

Ruckus1(config-vlan-2)# spanning-tree 802-1w priority 4096 hello-time 3 max-age 10
Ruckus1(config-vlan-2)# spanning-tree 802-1w e 1/1/9 priority 16

• Define port parameters/function:

Ruckus1(config-vlan-2)# span 802-1w e 1/1/4 admin-edge-port
Ruckus1(config-vlan-2)# span 802-1w e 1/1/9 admin-pt2pt-mac
Ruckus1(config-vlan-2)# span 802-1w e 1/1/10 admin-pt2pt-mac

14 © 2022 CommScope, Inc.

Because RSTP is disabled by default, you must enable it on a per‐VLAN or per‐port basis. In
the example shown the administrator is enabling RSTP on VLAN 2. This includes all ports
that are a member of VLAN 2 regardless of the Global configuration.

To influence the root bridge election the administrator can configure a bridge priority to a
lower priority value. The default bridge priority for RSTP is 32768. These examples set the
RSTP instance for VLAN 2 to a priority of 4096, as well as configuring a hello‐time of 3
(default 2) and a max‐age of 10 (default 20). The hello‐time is the time between hello
messages in seconds and the max‐age is the time period in seconds that the device will
wait for a hello before initiating a topology change.

The second configuration specifies the RSTP priority for port e 1/1/9, which we’re setting to
16 (the default is 128). Setting the priorities of 4096 and 16, vastly improve the possibility
of this switch becoming the root bridge for this VLAN and port 1/1/9 becoming the root
port.

Edge ports are ports of a bridge that connect to end workstations or computers. Edge ports
assume the Designated port role and do not anticipate any incoming BPDU activity. Setting
a port as an edge port in RSTP eliminates a port flapping to cause any topology change
events to take place since RSTP does not consider edge ports in the Spanning Tree
calculation. Use the admin-edge-port command to configure a port as an edge port.
…Continued on next slide

Revision 2212 10 ‐ 14
ICX 150 Layer 2 Redundancy

Blank Notes Page

<continued from previous slide…>

To take advantage of the fast convergence time of RSTP, ports between switches should be
explicitly configured as point‐to‐point links using the admin-pt2pt-mac command. The
point‐to‐point link configuration increases the speed of re‐convergence by allowing
the local switch to know this is a single connection to another switch. This
parameter, however, does not auto‐detect whether or not the link is a physical
point‐to‐point link

Ports in the Discarding state are equivalent to the 802.1D Blocking state. The switch on the
right shown here received BPDUs on ports 1/1/9 and 1/1/10 and was configured with
default values for bridge and port priorities. This means that the device on the left would
win the root election based on its lower priority and become the root bridge for VLAN 2.
The port priority for port 1/1/9 on the root bridge had been set to 16 as well (default 128),
the connected port (1/1/9) on the other switch goes into the Forwarding state, while port
1/1/10 goes into the Discarding state as it is not defined as the root port.

Revision 2212 10 ‐ 15
ICX 150 Layer 2 Redundancy

162_rstp‐config.png

RSTP Running Configuration

Running configuration of Ruckus1
vlan 2 by port
tagged ethe 1/1/9 to 1/1/10
untagged ethe 1/1/4
spanning-tree 802-1w
spanning-tree 802-1w hello-time 3 max-age 10 priority 4096
spanning-tree 802-1w ethe 1/1/4 admin-edge-port
spanning-tree 802-1w ethe 1/1/9 priority 16 admin-pt2pt-mac
spanning-tree 802-1w ethe 1/1/10 admin-pt2pt-mac

Running configuration of Ruckus2

vlan 2 by port
tagged ethe 1/1/9 to 1/1/10
spanning-tree 802-1w
!

16 © 2022 CommScope, Inc.

Here we’re showing the overall RSTP configurations that were created for VLAN 2 within
this environment. With the commands from the previous slide applied to Ruckus1, it will
become the root bridge because we did not define a bridge priority lower than 4096 on
Ruckus2.

Remember the default priority is 32,768 and the lower priority is wins. We have also
defined port specific parameters for Ruckus1 including the port priority we talked about
previously on 1/1/9, you can see that configuration here combined with the admin‐pt2pt‐
mac designation.

Revision 2212 10 ‐ 16
ICX 150 Layer 2 Redundancy

802.1w Show Commands

Ruckus1(config)#show 802-1w
IEEE 802-1w is not configured on port-vlan 1
--- VLAN 2 [ STP Instance owned by VLAN 2 ] ----------------------------
Bridge IEEE 802.1W Parameters:
Bridge Bridge Bridge Bridge Force tx
Identifier MaxAge Hello FwdDly Version Hold
hex sec sec sec cnt
1000d4c19e95a670 10 3 15 Default 3
RootBridge RootPath DesignatedBri- Root Max Fwd Hel
Identifier Cost dge Identifier Port Age Dly lo
hex hex sec sec sec
1000d4c19e95a670 0 1000d4c19e95a670 Root 10 15 3
Port IEEE 802.1W Parameters:
<--- Config Params --><-------------- Current state ----------------->
Port Pri PortPath P2P Edge Role State Designa- Designated
Num Cost Mac Port ted cost bridge
1/1/4 128 20000 F T DESIGNATED FORWARDING 0 1000d4c19e95a670
1/1/9 16 20000 T F DESIGNATED FORWARDING 0 1000d4c19e95a670
1/1/10 128 20000 T F DESIGNATED FORWARDING 0 1000d4c19e95a670

17 © 2022 CommScope, Inc.

The show 802-1w command (or show 8 for short) displays all RSTP information per
VLAN. Important things to note in this output, are the Bridge Identifier, which is the MAC
address of this bridge, and the Root Bridge Identifier which is the MAC address of the root
bridge. Also the bridge priority has been lowered from the default value to the value of
4096 as shown in the previous slide. The first 4 numeric values in the bridge identifier
(1000) show the bridge priority displayed as hexadecimal. 1000 in hexadecimal is 4096.

In this example, the MACs for both the bridge and root bridge identifier are the same,
which means that this is the root bridge. Other devices within this RSTP instance will
display their own unique bridge identifier, but will show this same root bridge identifier.

Also shown is the state of each port. In this case, all ports are Designated and Forwarding.
Also notice the P2P MAC, and the Edge Port values are either “T” for true, or “F” for false,
meaning the admin-pt2pt-mac parameter, or the admin-edge-port parameter is
configured for the port.

Each port has a priority and designated cost associated with it. The priority of port 1/1/9 is
16 causing it to be preferred over other ports to other switches while the other ports have
the default priority of 128.

Revision 2212 10 ‐ 17
ICX 150 Layer 2 Redundancy

Multiple Spanning Tree (MSTP)

802.1s

Our next topic is 802.1s, or Multiple Spanning Tree (MSTP).

Revision 2212 10 ‐ 18
ICX 150 Layer 2 Redundancy

Multiple Spanning Tree Protocol Overview

• 802.1s defines an extension to the RSTP protocol

• Provides scaling of spanning tree

– Improves STP management by grouping multiple VLANs with similar layer 2 topologies
together
o Conserves switch resources allowing a reduced number of spanning‐tree instances known as
Internal Spanning Tree (IST)
– Isolates failures by limiting the STP topology change notifications within an STP group
instance/region
– Utilizes RSTP features allowing for fast convergence

• Multiple spanning‐tree regions

– ICX switches support up to 16 spanning tree instances in an MSTP enabled bridge

• VLAN 4092 is reserved for instance 0, the Internal Spanning Tree (IST)
19 © 2022 CommScope, Inc.

We talked earlier in the presentation about how you can enable instances of Spanning tree
per VLAN and then configure priorities for each instance, setting root and port priorities so
that each VLAN can form its own tree, using (preferably) different links, which helps load
balance the traffic. However, when scaling this out to a large number of VLANs it becomes
resource intensive for the switches to maintain the overhead of maintaining those separate
trees.

Multiple Spanning Tree Protocol (MSTP), is defined in IEEE standard 802.1s. It provides the
ability to associate multiple VLANs with the same topology together into one instance of
STP. Not only does this reduce the resource requirement in a switch, is also provides an
effective way to deploy STP in a large scale, such as with an ISP or large layer 2 network.
Other advantages of MSTP include isolating link failures and reducing change notifications
within a “region”. This cuts down on the advertisement of topology change notification
within the STP instance instead of the whole STP environment.

The RUCKUS implementation supports up to 16 Spanning Tree instances in an MSTP

enabled bridge which means that it can support up to 16 different Layer 2 topologies.
The Spanning Tree algorithm used by MSTP is RSTP which provides quick convergence.
VLAN 4092 is reserved for instance 0, which is the Internal Spanning Tree (IST) instance. We
will discuss the IST on the next slide.

Revision 2212 10 ‐ 19
ICX 150 Layer 2 Redundancy

802.1s Key Terms and Concepts

• Common Spanning Tree (CST)
– Assumes one Spanning Tree instance for the entire bridged network regardless of
the number of VLANs
– In MSTP, a region appears as a virtual bridge that runs CST

• Internal Spanning Tree (IST)

– An MSTP bridge must handle at least these two instances:
o One IST (instance 0)
o One or more MSTIs (Multiple Spanning Tree Instances)
– Instance 0 extends CST inside the MST region
– IST always exists if the switch runs MSTP
– Within each MST region, MSTP maintains multiple Spanning Tree instances
o All switches in that region must run RSTP

20 © 2022 CommScope, Inc.

Here are some of the key terms and concepts of MSTP.

First is Common Spanning Tree (or CST). CST is defined as one Spanning Tree instance for
the entire bridged network regardless of the number of VLANs. In MSTP, a region appears
as a virtual bridge that runs in the CST.
Next, we have the Internal Spanning Tree (or IST) which extends the CST into the region.

An MSTP bridge must handle at least these two instances: one IST and one or more
Multiple Spanning Tree Instances (MSTIs). RUCKUS's MSTP implementation allows for up to
16 instances within each region.
The IST is always instance 0, which leaves 15 MSTIs which can be numbered from 1 to
4094.

An older switch that only supports 802.1D may be added as a part of the CST but not inside
a region; RSTP must be run within a region.

Revision 2212 10 ‐ 20
ICX 150 Layer 2 Redundancy

802.1s Key Terms and Concepts (cont.)

• Multiple Spanning Tree Instance (MSTI)
– The MSTI is identified by an MSTid value between 1 and 4094

• Common and Internal Spanning Trees (CIST)

– CIST is a collection of the ISTs in each MSTP region, and the CST that interconnects
the MSTP regions and single spanning trees

• MSTP Regions
– Clusters of bridges that run multiple instances of the MSTP protocol
– Multiple bridges detect that they are in the same region by exchanging their
configuration information
– One or more VLANs can be mapped to one MSTP instance, but a VLAN cannot be
mapped to multiple MSTP instances

21 © 2022 CommScope, Inc.

Each instance of Multiple Spanning Tree is identified by an MST identifier (MSTid). Valid
MSTids are between 1 and 4094.

Then we have the Common and Internal Spanning Tree (or CIST) which is the collection of
the ISTs in each region and the CST that interconnects the regions and single Spanning
Trees.

MSTP regions are clusters of bridges that run multiple instances of the MSTP protocol.
Multiple bridges detect that they are in the same region by exchanging their configurations,
which includes, their instance to VLAN mapping, name, and revision‐level. Therefore, if you
need to have two bridges in the same region, make sure these configurations match.

It is important to note that one or more VLANs can be mapped to one MSTP instance (IST
or MSTI), but a VLAN cannot be mapped to multiple MSTP instances.

More information about Multiple Spanning Tree can be found in the RUCKUS FastIron Layer
2 Switching Configuration Guide as well as within the Routing and Switching Protocols
Course (RSP‐100) in CommScope University.

Revision 2212 10 ‐ 21
ICX 150 Layer 2 Redundancy

STP Protect and BPDU Guard

©22
2022 CommScope, Inc.

In this section we’ll discuss how to safeguard your Spanning Tree instance and ensure
expected operation.

Revision 2212 10 ‐ 22
ICX 150 Layer 2 Redundancy

STP Protect (STP, RSTP and MSTP)

• BPDUs enforce the STP domain borders helping keep the topology predictable
– Disabled by default, STP Protect is enabled at a port level
Ruckus(config)# interface ethernet 1/1/2
Ruckus#(config-if-e1000-1/1/2)# stp-protect

– When enabled, port will drop STP BPDUs received from devices at the other end of the link,
but it will allow BPDUs being sent from this port

– Prevents end stations from initiating or participating in STP topology changes

– Limited to scenarios where ports need to actively ignore incoming BPDUs while also
keeping the protected port online

23 © 2022 CommScope, Inc.

We talked a little bit about spanning tree and how it utilizes BPDUs to build and change STP
topologies earlier in this presentation. In an STP environment, switches, end stations, and
other Layer 2 devices use BPDUs to exchange information that STP uses to determine the
best path for data flow.

We’re now going to briefly mention STP Protect so that folks don’t confuse it with BPDU
Guard, which is another means of limiting BPDUs that we’ll discuss in an upcoming slide.

STP Protect is disabled by default on ICX devices, it can be enabled at a port level. STP‐
protect enabled ports will drop all incoming BPDUs received from end devices. However,
this port will be able to send outgoing BPDUs.

This effectively prevents the end device from participating in spanning tree or making
topology changes (that is, taking over as root bridge) while still keeping the port enabled.
STP protect is something used in very specific cases where perhaps a BPDU will be received
on the port, but the port needs to remain online.

Revision 2212 10 ‐ 23
ICX 150 Layer 2 Redundancy

BPDU Guard (STP, RSTP and MSTP)

• BPDU enforces the STP domain borders helping keep the topology predictable
– Removes a node that reflects BPDUs back in the network eliminating the ability to
participate in STP
– Disallows rogue switches to be attached and start participating in STP
– It is a best practice to enable BPDU Guard on these edge ports

• BPDU Guard disables an interface that receives BPDUs

Ruckus(config)# interface 1/1/1

Ruckus(config-if-e1000-1/1/1)# stp-bpdu-guard

• BPDU Guard disables the port by putting it into an Errdisable state

– Log messages and a console messages are displayed

24 © 2022 CommScope, Inc.

Disabled by default, BPDU Guard, is an enhancement, which removes a node that reflects
BPDUs back into the network. It enforces the STP domain borders and keeps the active
topology predictable by not allowing any network devices behind a BPDU Guard‐enabled
port to participate in STP.

In most instances, it is not necessary for a connected device, such as an end station, to
initiate or participate in Spanning Tree topology changes. Therefore, you can enable BPDU
Guard on the port to which the end station is connected. If a BPDU is detected on a BPDU
Guard enabled port, it will be shut down and put it into an Errdisable state.

Think about a scenario where an end user facing ports are not running BPDU guard. Now
imagine a user bringing in a random switch that is also running spanning tree and
connecting it to this port for their uplink. In this case BPDU guard would not only catch it, it
would disable the port, log the event and place an event notification in the CLI for the
administrator to see. It is a best practice to enable this on those user facing ports.

BPDU guard is supported on tagged ports as long as it is tagged on both sides to the
same VLAN.

Revision 2212 10 ‐ 24
ICX 150 Layer 2 Redundancy

How BPDU Guard Works 162_BPDU‐guard.png

• The port goes to Errdisable state, ensuring network stability

– If no recovery interval is set the port will have to be manually reenabled to recover:
Ruckus(config)# interface 1/1/1
Ruckus(config-if-e1000-1/1/1)# disable
Ruckus(config-if-e1000-1/1/1)# enable

– A recovery interval can be globally configured to allow for auto recovery of port
Ruckus(config)# errdisable recovery cause bpduguard
Ruckus(config)# errdisable recovery interval 20 (seconds)

Root Bridge

3
Port State
1/1/1 Errdisable
Edge port with BPDU Guard enabled 1/1/1
1 2
Rogue BPDUs

25 © 2022 CommScope, Inc.

In our example, BPDU Guard is enabled on the edge port to prevent BPDUs coming from a
rogue switch that has been attached. When BPDUs are received on a BPDU Guard‐enabled
port, the port goes to Errdisable state. The port can be brought out of the Errdisable state
by either manually disabling and re‐enabling the port, or by configuring the errdisable
recovery cause bpduguard command, along with a errdisable recovery
interval.

In this example we set the interval to 20 seconds. Now, after 20 seconds, the port will be
put back in action, however unless we’ve stopped the rogue switch connected to port
1/1/1, the port will become disabled again.

The BPDU guard status can be displayed with the command:

device# show stp-bpdu-guard

Revision 2212 10 ‐ 25
ICX 150 Layer 2 Redundancy

Spanning Tree Root Guard (STP, RSTP and MSTP)

• Ensures that the L2 topology does not change with the introduction of a STP
device on an edge port

• Superior BPDUs received from a Root Guard enabled port

– Port transitions to a ROOT-INCONSISTENT state
– Port is set to blocking/discarding
– Triggers Syslog message and SNMP trap
– No further traffic will be forwarded on the port

• Once the port stops receiving superior BPDUs, Root Guard reverts the port
back to a forwarding state using the STP algorithm

• Root Guard should be configured on all ports where the root bridge should not
appear
26 © 2022 CommScope, Inc.

Spanning Tree Root Guard can be used to predetermine the location of the root bridge and
prevent rogue or unwanted switches from becoming the root bridge.
When Root Guard is enabled on a port, it keeps the port in a Designated role. If the port
receives a superior BPDU, it puts the port into a ROOT‐INCONSISTANT state and triggers a
log message and an SNMP trap.

The ROOT‐INCONSISTANT state is equivalent to the BLOCKING state in 802.1D and to the
DISCARDING state in 802.1w. No further traffic is forwarded on this port. Once the port
stops receiving superior BPDUs, Root Guard automatically sets the port back to Learning,
and eventually to a Forwarding state. Root Guard should be configured on the perimeter
ports of the network where the root bridge should not appear, rather than configuring it in
the core.

Revision 2212 10 ‐ 26
ICX 150 Layer 2 Redundancy

STP Root Guard – Configuration and How it Works

• Configuring root guard
Ruckus(config)# interface ethernet 1/1/1
Ruckus(config-if-e10000-1/1/1)# spanning-tree root-protect

• When the port is put into ROOT‐INCONSISTANT state, data traffic is not
forwarded Root Bridge

3
Port State
1/1/1 Root Inconsistent
Edge port with Root Guard enabled 1/1/1
1 2
BPDUs with superior Bridge ID

27 © 2022 CommScope, Inc.

Here we see how Root Guard works.

First, Root Guard is enabled on an edge port.

Next the new switch is connected to the edge and begins sending BPDUs into the network,

Then Root Guard detects the BPDUs and sets port 1/1/1 to ROOT‐INCONSISTANT. This halts
traffic and prevents the BPDUs from entering the network and, potentially, forcing an
election.

Revision 2212 10 ‐ 27
ICX 150 Layer 2 Redundancy

Multi‐Chassis Trunking (MCT)

Our next Layer 2 redundancy protocol is RUCKUS’s Multi‐Chassis Trunking, or MCT.

Revision 2212 10 ‐ 28
ICX 150 Layer 2 Redundancy

Multi‐Chassis Trunking 162_MCT.png

• Currently supported on ICX 7650, 7750, and 7850

• Expands the features of LAGs by:
– Eliminates single point of failure
o Providing switch level redundancy in addition to the link
level redundancy provided by LAGs
– Providing an active‐active connection for increased
capacity and forwarding
– Making the topology loop‐free without Spanning Tree

• Other features:
– Integrated loop detection, which allows all links to be
active
– Easy deployment without fundamentally changing the
existing architecture
– Sub second failure detection and allocation of traffic

29 © 2022 CommScope, Inc.

Multi‐Chassis Trunking (MCT) enables administrators to connect two RUCKUS ICX 7650,
7750 or 7850 devices together to form a single logical unit called a “Cluster”. This concept
of more than one device forming a logical unit isn’t unique as we can implement stacking
for up to 12 ICX devices to form a logical unit as well. What does make MCT unique is that
it’s a highly available, load‐balanced, active‐active network architecture which utilizes
higher end aggregation and core devices (7650, 7750 and 7850) to create these clusters at
the distribution or core layers in the network.

In the example shown we can see the benefits of connecting devices to this cluster using
link aggregation. The two switches on the right are running MCT in a cluster, with two MCT‐
unaware devices connected using LAGs on the left. This allows us to utilize all links in the
topology without the need for spanning‐tree.

A Multi‐Chassis Trunk is a dynamic LAG that initiates at a single MCT‐unaware switch and
terminates at two MCT‐aware switches that form one MCT logical switch (Cluster). From
the MCT cluster’s point of view, these links are a single trunk. As we said MCT is an Active‐
Active network architecture. It provides high availability, high reliability and provides
efficient utilization of bandwidth. In addition to port‐level redundancy, MCT provides
switch‐level redundancy by extending the trunk across two switches providing high
availability.

Revision 2212 10 ‐ 29
ICX 150 Layer 2 Redundancy

Multi‐Chassis Trunking (cont.) 162_MCT2.png

• MCT is compatible with standard LAG operations

– Any device that supports IEEE 802.1AX can be used at the edge

• Edge devices:
– Are transparent to the MCT protocol
– Can be 3rd party vendor devices with
LAG support

30 © 2022 CommScope, Inc.

Devices that connect into the MCT Cluster are transparent to the MCT peers and protocol.
An edge device can be any RUCKUS, or 3rd party device that supports static LAG
configuration, or the LACP 802.1AX standard.

Revision 2212 10 ‐ 30
ICX 150 Layer 2 Redundancy

MCT Terminology
• RBridge ‐ any device involved in the MCT cluster including peer or client

• RBridgeID ‐ unique ID assigned to each MCT peer and client

• MCT Peers:
– Pair of physical switches which act
as one logical switch
– Edge switches or servers are connected
via a LAG
– LAGs are spread across the MCT pair

• MCT Keep‐alive VLAN ‐ A VLAN

configured to provide alternate
communication between MCT peers during ICL/CCP failure
31 © 2022 CommScope, Inc.

So now that we know what MCT is and what it can provide, let’s break down some
of the terminology used when discussing the inner workings of an MCT
deployment. We are not going to walk through MCT configuration, or go in depth to
explain its operation in this course, but knowing these terms will give administrators
foundational knowledge.

An RBridge is any device involved in the MCT cluster, including peer or client. Each RBridge
in the cluster has a unique ID.

The RBridgeID is a value assigned to MCT cluster devices and clients that uniquely identifies
them and helps associate the source MAC address with an MCT device. Cluster RBridgeIDs
cannot conflict with any client RBridgeID. Client RBridgeIDs should match between cluster
peers on the same common client.

MCT Peers are a pair of physical switches which act as one logical switch. Edge switches or
servers are connected via a LAG. LAGs are spread across the MCT pair. The MCT Keep‐alive
VLAN is a VLAN configured to provide alternate communication between MCT peers during
ICL/CCP failure.

Revision 2212 10 ‐ 31
ICX 150 Layer 2 Redundancy

MCT Terminology (cont.)

• Inter‐Chassis Link (ICL) ‐ a single‐port or multi‐port, 1 GbE, 10 GbE, or 40 GbE static LAG
between two MCT cluster devices to communicate data flow and control messages between
them
• Cluster Communication Protocol (CCP) ‐ protocol used between MCT aware devices
• MAC Database Update Protocol (MDUP) ‐ control plane protocol
used to sync MAC entries between
MCT cluster peers
• Customer Client Edge Port (CCEP) ‐
ports on a cluster switch connecting it
with cluster client
• Customer Edge Port (CEP) ‐ a regular non‐MCT port on
an MCT cluster switch

32 © 2022 CommScope, Inc.

Within the MCT Cluster we have several types of ports and protocols that we utilize for
operations.

The ICL is the Inter‐Chassis Link between MCT logical peers. On ICX devices this must be a
static LAG. This link provides data flow and control messages between the MCT peers.
These are CCP which is Cluster Communication Protocol based on TCP. The other is the
MAC Database Update Protocol (MDUP). An ICL can be a single link, but preferably it should
be a LAG to provide port level redundancy and higher bandwidth for cluster
communication.

The role of Cluster Communication Protocol (CCP) is to provide reliable, point‐to‐point

transport of cluster communication and sync between MCT peers. CCP works on TCP port
4175. Applications such as MAC Database Updates (which we’ll talk about next), use CCP to
synchronize the MAC tables between MCT peers. Applications (MAC Manager, STP, etc.) can
register with CCP dynamically. Since CCP protocol is based on TCP, an IP address is needed
for CCP to function. Peer nodes exchange session parameters (ClusterID, RBridgeID, Keep
Alive time, Hold time, Fast failover). Once a keep alive message is exchanged, CCP will
migrate into an UP state.

…Continued on next slide

Revision 2212 10 ‐ 32
ICX 150 Layer 2 Redundancy

Blank Notes Page

<continued from previous slide...>

MDUP or MAC Database Update Protocol, is used to sync MAC addresses between the MCT
Peers. This synchronization is occurring over the ICL, and as such, the ICL ports should not
be untagged members of any VLAN. The ICL is a tagged Layer 2 link, which carries packets
for multiple VLANs.

A Customer Client Edge Port (CCEP) is a physical port on one of the MCT cluster switches
that is a member of the LAG interface to the MCT client. Ultimately another physical port of
the LAG will also be connected to other switch in the MCT cluster.

CEP ports, or Customer Edge Ports are ports that do not benefit from the MCT features.
However these ports still provide connectivity to the network.

Revision 2212 10 ‐ 33
ICX 150 Layer 2 Redundancy

MCT Operation
Active‐Active Topology, all nodes and all links forwarding traffic

Traffic is forwarded
2 On SW1 local
MCT LAG

MCT Pair Traffic is forwarded based on

1
the hashing algorithm of the
SW1 edge switch

Server B
MAC B

Client A
MAC A

SW2
4 Traffic load balanced Learned MAC A
by the hashing 3 On SW1 is
algorithm on communicated to SW2 across Traffic is forwarded on
5
the server NIC ICL SW2 local MCT LAG
Ethernet Traffic
Ethernet Link

34 © 2022 CommScope, Inc.

Let's take a look at MCT in action. In the example shown here, Client A is initiating a
conversation with Server B. The Client A edge switch will employ a hashing algorithm to
determine which egress port to use for forwarding the frame.

Once received at an MCT peer (SW1 in the example) the frame is forwarded out of the
egress port connected to the Server B switch. Simultaneously, SW1 will share the
information for Client A's MAC address with SW2 over the ICL.

The response from Server B to Client A is handled in the same way. The Server B switch will
deploy a hashing algorithm to determine the egress port for forwarding (in this case the
link to SW2). SW2 will forward out the local link towards Client A while simultaneously
providing Server B's MAC information to SW1 over the ICL.

Revision 2212 10 ‐ 34
ICX 150 Layer 2 Redundancy

MCT Operation (cont.)

Fast failover regardless of the failure type (link/module/node) due to detection at the physical level

Link failure detected

MCT Pair 1
at the access switch

SW1

Server B
MAC B

Client A
MAC A

SW2

2 Access switch hashing algorithm

moves traffic to the remaining
MCT switch has already
3 link of the LAG
learned MAC‐B address
so can forward traffic
without disruption Normal Traffic Path
Ethernet Link
Alternate Traffic Path

35 © 2022 CommScope, Inc.

Now we see a link failure occurring between the Client A switch and MCT peer, SW1.

The link failure forces the Client A switch to forward traffic over the only remaining link
(connecting to SW2).

SW2 will forward the traffic out of its local Server B interface.

The return traffic from Server B to Client A is not impacted by this link failure because the
return traffic can be passed over the ICL link and then forwarded to client A from the SW2
connection.

Revision 2212 10 ‐ 35
ICX 150 Layer 2 Redundancy

MCT Show Commands

Now that we’ve seen how MCT operates, let’s take a look at the show commands to verify
it is functioning.

Revision 2212 10 ‐ 36
ICX 150 Layer 2 Redundancy

Displaying MCT Configuration

Display cluster configuration
MCT1# show cluster MCT config
cluster MCT 1
rbridge-id 1
session-vlan 150
icl ICL ethernet 1/1/1
peer 1.1.1.2 rbridge-id 2 icl ICL
deploy
client Client1
rbridge-id 100
client-interface ethernet 1/1/3
deploy
client Client2
rbridge-id 200
client-interface ethernet 1/1/5
deploy
37 © 2022 CommScope, Inc.

Once the cluster is configured, you can use the show cluster <cluster ID>
config command to view the configuration. Remember to make sure each client and the
cluster are deployed.

Revision 2212 10 ‐ 37
ICX 150 Layer 2 Redundancy

Display MCT Cluster

Display cluster information
MCT1(config)# show cluster 1
Cluster MCT 1
=============
Rbridge Id: 1, Session Vlan: 150
Cluster State: Deploy
Client Isolation Mode: Loose
Member Vlan Range: 2
ICL Info:
---------
Name Port Trunk
ICL 1/1/1 1
Peer Info:
----------
Peer IP: 10.1.1.2, Peer Rbridge Id: 2, ICL: ICL
KeepAlive Interval: 10 , Hold Time: 90, Fast Failover
Active Vlan Range: 2
Last Reason for CCP Down: Not Down
Peer State: CCP Up (Up Time: 2 days: 1 hr: 6 min:48 sec)
Client Info:
------------
Number of Clients configured: 2
Name Rbridge-id Config Port Trunk FSM-State
Client1 100 Deployed 1/1/3 2 Up
Client2 200 Deployed 1/1/5 3 Up

38 © 2022 CommScope, Inc.

The show cluster command displays a lot of useful information including this peer’s
RBridgeID, the Session VLAN, and the cluster state, which is Deploy. It also shows the ICL
port number and the peer information. Notice that the Peer State is CCP Up. At the
bottom of the output, are the clients. Notice that they are Deployed.

Revision 2212 10 ‐ 38
ICX 150 Layer 2 Redundancy

Displaying Client Information

MCT1# show cluster MCT client

Client Info: Client Ports

and Trunk ID
------------
Number of Clients Configured: 2
Name Rbridge-id Config Port Trunk FSM-State
Client1 100 Deployed 1/1/3 2 Up
Client2 200 Deployed 1/1/5 3 Up

Finite State
Configured clients by name Machine
State of the client, status
and RBridgeID
deployed or undeployed

39 © 2022 CommScope, Inc.

The show cluster client command displays the client information including the
client name, RBridgeID, state, primary port, number of ports in the LAG connected to the
client and the FSM‐State. The FSM‐State displays status of the Finite State Machine (FSM).
Valid states are:
• Up – CCEP ports on both MCT peers are up.
• Local Up – CCEP ports are up on local MCT peer, but down on remote peer.
• Remote Up – CCEP ports are down on local MCT peer, but up on remote peer.
• Admin Up – CCEP ports on both MCT peers are enabled and deployed but down.

Revision 2212 10 ‐ 39
ICX 150 Layer 2 Redundancy

Displaying Client Information

Display client details by client name or RBridgeID
MCT1# show cluster MCT client Client2
Cluster MCT 1
============= Cluster Information including,
Rbridge Id: 1, Session Vlan: 150 RBridgeID, Session VLAN,
Cluster State: Deploy and Member VLANs
Client Isolation Mode: Loose
Member Vlan Range: 2
Client Info:
------------ Client Information
Client: Client2, rbridge-id: 200, Deployed including, RBridgeID,
Client Port: 1/1/5, Trunk Id :3 client ports, and state
Client portmask: ethe 1/1/5
State: Up
Number of times Local CCEP down: 0
Number of times Remote CCEP down: 0 Client
Number of times Remote Client undeployed: 0 statistics
Total CCRR packets sent: 2
Total CCRR packets received: 1

40 © 2022 CommScope, Inc.

Display more client details using the show cluster command followed by the cluster
name and client name. Here we see the cluster information, as well as the client
information and statistics.

Revision 2212 10 ‐ 40
ICX 150 Layer 2 Redundancy

Displaying CCP Information

Display a list of peers
• You can also specify a peer by IP address to view information specific to that peer

MCT1# show cluster MCT ccp peer

PEER IP ADDRESS STATE UP TIME
--------------- ------------- --------------
10.1.1.2 OPERATIONAL 0 days: 2 hr:25 min:16 sec

Peers by address State, none or operational

Refer to the RUCKUS Networks Multi‐Chassis Trunking (MCT) Essentials Guide for more information on
MCT topologies and configurations.

41 © 2022 CommScope, Inc.

To display a list of cluster peers, use the show cluster ccp peer command with the
cluster name. Here we see that the peer at IP address 10.1.1.2 is operational, and the
amount of time the peer has been up.

The information provided in this presentation regarding MCT is only minimally touching the
capabilities and benefits of MCT.

Additional information about MCT topologies and their associated configurations can be
found in the RUCKUS Networks Multi‐Chassis Trunking (MCT) Essentials Guide
(https://support.ruckuswireless.com/documents/2681‐bpg‐ruckus‐networks‐multi‐chassis‐
trunking‐essentials) as well as the RUCKUS FastIron Layer 2 Switching Configuration Guide
both of which can be found at support.ruckuswireless.com

Revision 2212 10 ‐ 41
ICX 150 Layer 2 Redundancy

Attendees should now be able to:

• Identify supported Spanning Tree Protocols
• Configure Spanning Tree and Rapid Spanning
Tree
• Identify RUCKUS enhanced features to
Spanning Tree
• Understand Multiple Spanning Tree (MSTP)
Summary 802.1s and its purpose
• Describe the benefits of Multi‐Chassis
Trunking (MCT)
• Understand and discuss MCT terminology

This concludes the Layer 2 Redundancy presentation. You should now be able to:
• Identify supported Spanning Tree Protocols
• Configure Spanning Tree and Rapid Spanning Tree
• Identify RUCKUS enhanced features to Spanning Tree
• Describe Multiple Spanning Tree (MSTP) 802.1s and its purpose
• Describe the benefits of Multi‐Chassis Trunking (MCT)
• Understand and discuss MCT terminology
• Display MCT operational status

Revision 2212 10 ‐ 42
ICX 150 Layer 2 Redundancy

End of presentation:
Layer 2 Redundancy

This completes the layer 2 redundancy presentation.

Revision 2212 10 ‐ 43
ICX 150 Layer 2 Redundancy

Revision 2212 10 ‐ 44
ICX 150 Layer 3 Fundamentals

Layer 3 Fundamentals

Revision 2212

Welcome to the presentation on fundamental Layer 3 functions on ICX devices.

Revision 2212 11 ‐ 1
ICX 150 Layer 3 Fundamentals

After completing this presentation, you will

be able to:
• Identify Layer 3 interface types
• Apply IP address configurations
• Utilize Layer 3 features
– ARP
– Static Routes
Objectives
– Route only
• Configure Virtual Route Forwarding (VRF) for
management traffic
• Perform basic VRRP‐E and OSPF
configurations

After completing this presentation, you should be able identify the various Layer 3 interface
types found on RUCKUS ICX devices and apply basic IP address configurations to physical
interfaces. You should be able to utilize ICX commands to perform static routing, observe
address resolution protocol and perform route only configurations. We will discuss Virtual
Route Forwarding and show how VRF configurations for Management traffic are applied.
We’ll finish up by walking through Virtual Router Redundancy Protocol and Open Shortest
Path First protocol discussing features, considerations, and basic configurations of each.

Revision 2212 11 ‐ 2
ICX 150 Layer 3 Fundamentals

IP Addressing

We’ll begin by discussing IP address types found on RUCKUS ICX devices and demonstrate
how to configure them.

Revision 2212 11 ‐ 3
ICX 150 Layer 3 Fundamentals

Layer 3 Interfaces
• Layer 3 addresses can be applied to:
– Physical
– Virtual Ethernet (VE)
– Loopback
– GRE tunnels
– VRIDs (VRRP/VRRP‐E)

• Multiple IP subnets can be assigned to a single interface (multi‐netted)

– Configured IP addresses are not replaced when an additional address is configured
in a different subnet

• A secondary IP addresses within the same subnet can be added to a interface

with the secondary parameter
4 © 2022 CommScope, Inc.

Layer 3 IPv4 and IPv6 addresses can be assigned to each of the interface types
shown here. On these interfaces, multiple IP addresses can be assigned. The
function of assigning IP addresses for multiple subnets on a single interface is
referred to as “multi‐netting”. There are limits to how many IP addresses can be
assigned to a single interface, but the limit is based on hardware platform.

When IP addresses are configured in Layer 3 firmware on an interface, any existing

IP addresses are not removed. Unused/undesired IP addresses must be manually
removed.
If there is a need to assign an interface with two IP addresses from the same
subnet, the secondary parameter must be used when defining the second IP
address.

NOTE: By default, all physical and virtual routing interfaces configured on the device use
the base MAC address of the device or the configured stack MAC address. This is used as
the source MAC by routing protocols and other IP related communications (ARP, Neighbor
Discovery, etc). You can specify a different MAC address for each physical or virtual routing
interface. To specify the MAC address for routing interfaces, enter commands such as the
following.

ICX(config)# interface ve 1000

ICX(config-vif-1000)# ip-mac aaaa.bbbb.cccc
ICX(config-vif-1000)# interface ethernet 1/1/13
ICX(config-if-e1000-1/1/13)# ip-mac 1234.5678.9abc
Syntax: [no] ip‐mac mac‐addr

Revision 2212 11 ‐ 4
ICX 150 Layer 3 Fundamentals

IPv4 Addressing
• IPv4 addresses are defined with the ip address command within the interface
configuration context
– Either dotted decimal or CIDR notation can be used for subnet mask

ICX-Router(config)# interface ethernet 1/1/1

ICX-Router(config-if-e10000-1/1/1)# ip address 10.45.6.1 255.255.255.0
or
ICX-Router(config-if-e10000-1/1/1)# ip address 10.45.6.1/24
Syntax: [no] ip address { ip‐address mask | ip‐address/mask } [ secondary ]

• Delete an IPv4 address, enter the no ip address command

ICX-Router(config-if-e10000-1/1/1)# no ip address 10.45.6.1
ICX-Router(config-if-e10000-1/1/1)# no ip address *

5 © 2022 CommScope, Inc.

RUCKUS Layer 3 devices support Internet Protocol version 4 (IPv4) and IPv6. IP support on
RUCKUS Layer 2 switches consists of host services and functionality to support
management access and access to a default gateway.

All RUCKUS IPv4 addresses can be configured and displayed in two formats:
• Classical subnet format with the IP address and subnet mask in dotted decimal
format.
• Classless Interdomain Routing (CIDR) format with the IP address in dotted decimal
but followed by a forward slash and a number representing the subnet mask.
You can use either format when configuring IP address information. IP addresses are
displayed in classical subnet format by default, but you can change the display format to
CIDR.

To remove an IP address from an interface, the no ip address command is used. No

subnet mask is needed to remove IP address from interface. Additionally, you can remove
all IP addresses assigned to an interface with the * option.
While not shown on the slide, you can replace the primary IP address assigned to an
interface by appending replace to the end of the ip address command. This
will in affect remove the primary IP address that is in the same subnet as the
address being added. This is supported on a router image only and does not allow
the changing of the subnet mask.

ICX-Router(config)# interface ethernet 1/1/1

ICX-Router(config-if-e1000-1/1/1)# ip address 10.45.6.100/24 replace

Revision 2212 11 ‐ 5
ICX 150 Layer 3 Fundamentals

IPv6 Addressing
• IPv6 capabilities are globally enabled with the ipv6 unicast-routing command
– IPv6 traffic forwarding can be disabled globally by using the no ipv6 unicast-routing
command

• Must be explicitly enabled on interfaces that forward IPv6 traffic

• When configuring a global or unique local IPv6 unicast address

– IPv6 is also enabled on the interface
– Options for the low‐order 64 bits:
o A manually configured interface ID
o An automatically computed EUI‐64 interface ID
– To automatically generate a link‐local IPv6 address on an interface, you must explicitly
enable IPv6
o Link‐local addresses can be manually assigned

6 © 2022 CommScope, Inc.

You learned about IPv6 addressing and address classes in the Routing and Switching
Protocols (RSP‐100) course. On RUCKUS ICX devices to forward IPv6 traffic on a
router interface, the interface must have an IPv6 address, or IPv6 must be enabled.

By default, an IPv6 address is not configured on a router interface. You must enable
IPv6 and configure an IPV6 address to forward IPv6 traffic on a router interface.
If you choose to configure a global or unique local IPv6 address for an interface,
IPv6 is also enabled on the interface. Further, when you configure a global IPv6
address, you must decide on one of the following in the low‐order 64 bits:
• A manually configured interface ID
• An automatically computed EUI‐64 interface ID

If you prefer to assign a link‐local IPv6 address to the interface, you must specifically
enable IPv6 on the interface, which causes a link‐local address to be automatically
computed for the interface. If preferred, you can override the automatically
configured link‐local address with an address that you manually configure.

Revision 2212 11 ‐ 6
ICX 150 Layer 3 Fundamentals

Configuring Global or Unique Local IPv6 Unicast Address

• Manually configured interface

ICX-Router(config)# interface ethernet 1/1/3

ICX-Router(config-if-e10000-1/1/3)# ipv6 address 2001:DB8:12D:1300:240:D0FF:FE48:4672/64

• Automatically computed EUI‐64 Interface ID

ICX-Router(config)# interface ethernet 1/1/4

ICX-Router(config-if-e10000-1/1/4)# ipv6 address 2001:DB8:12D:1800::/64 eui-64

Syntax: [no] ipv6 address ipv6‐prefix [ eui‐64 ]

ipv6‐prefix ‐ Specifies the IPv6 prefix address in the format X:X::X:X/M
eui‐64 ‐ Configures the global address with an EUI‐64 interface ID in the low‐order 64 bits
7 © 2022 CommScope, Inc.

Configuring a global or unique local IPv6 address on an interface does the following:
• Automatically configures an interface ID (a link‐local address), if specified
• Enables IPv6 on that interface

Additionally, the configured interface automatically joins the following required

multicast groups for that link:
• Solicited‐node multicast group FF02:0:0:0:0:1:FF00::/104 for each unicast
address assigned to the interface.
• Solicited‐node for subnet anycast address for each unicast assigned address
• Solicited‐node for anycast address FF02:0:0:0:0:1:FF00::0000
• All‐nodes link‐local multicast group FF02::1
• All‐routers link‐local multicast group FF02::2

The neighbor discovery feature sends messages to these multicast groups.

Revision 2212 11 ‐ 7
ICX 150 Layer 3 Fundamentals

Configuring a Link‐local IPv6 Address

• Enabling IPv6 on an interface without configuring a global or unique local unicast
address
– Auto‐assigned link‐local address
ICX-Router(config)# interface ethernet 1/1/3
ICX-Router(config-if-e10000-1/1/3)# ipv6 enable
Syntax: [no] ipv6 enable

– Manually assigned link‐local

ICX-Router(config)# interface ethernet 1/1/4
ICX-Router(config-if-e10000-1/1/4)# ipv6 address FE80::240:D0FF:FE48:4672 link-local
Syntax: [no] ipv6 address ipv6‐address link‐local

• When multiple VLANs share a port or VE, manually assigned link‐local addresses
should be used
– All physical and VE interfaces share the same MAC address, resulting in duplicate link‐local
addresses

8 © 2022 CommScope, Inc.

Link‐local addresses can be assigned manually or automatically. When the ipv6 enable
command is used on interface, IPv6 is enabled on the interface and specifies that the
interface is assigned an automatically computed link‐local address. The link-
local keyword indicates that the ICX device interface should use the manually
configured link‐local address instead of the automatically computed link‐local
address.

NOTE: When configuring VLANs that share a common tagged interface with a
physical or Virtual Ethernet (VE) interface, RUCKUS recommends that you override
the automatically computed link‐local address with a manually configured unique
address for the interface. If the interface uses the automatically computed address,
which in the case of physical and VE interfaces is derived from a global MAC
address, all physical and VE interfaces will have the same MAC address.

Revision 2212 11 ‐ 8
ICX 150 Layer 3 Fundamentals

IPv6 Anycast Addresses

• An anycast address is allocated from the unicast address space

• The anycast keyword allows the device to recognize the assigned address as an
anycast address

ICX-Router(config)# interface loopback 2

ICX-Router(config-lbif-2)# ipv6 address 2001:db8::6/128 anycast
Syntax: [no] ipv6 address ipv6‐prefix anycast

9 © 2022 CommScope, Inc.

In IPv6, an anycast address is an address for a set of interfaces belonging to

different nodes. Sending a packet to an anycast address results in the delivery of the
packet to the closest interface configured with the anycast address.

An anycast address looks similar to a unicast address, because it is allocated from

the unicast address space. If you assign the same IPv6 unicast address to multiple
nodes, it is an anycast address. Use the anycast option when defining an IPv6
address on an interface to classify the address as anycast.

IPv6 anycast addresses are described in detail in RFC 1884. Refer to RFC 2461 for a
description of how the IPv6 Neighbor Discovery mechanism handles anycast
addresses.

Revision 2212 11 ‐ 9
ICX 150 Layer 3 Fundamentals

IPv4 and IPv6 on Same Interface

• ICX can support both IPv4 and IPv6 addresses (dual‐stacking) on the same
interface
• This is necessary when you want the interface to be send and receive both
IPv4 and IPv6 protocols

ICX-Router (config)# ipv6 unicast-routing

ICX-Router (config)# interface ethernet 1/3/1
ICX-Router (config-if-e1000-1/3/1)# ip address 10.168.1.1/24
ICX-Router (config-if-e1000-1/3/1)# ipv6 address 2001:db8:12d:1300::/64 eui-64

10 © 2022 CommScope, Inc.

A router interface can be configured to support both the IPv4 and IPv6 protocol
stacks.

Each router interface that sends and receives both the IPv4 and IPv6 traffic must be
configured with an IPv4 address and an IPv6 address. In this example, IPv6 is
globally enabled, an IPv4 address and an IPv6 address are configured for a specific
interface.

Revision 2212 11 ‐ 10
ICX 150 Layer 3 Fundamentals

Virtual Routing Interfaces

We touched briefly on Virtual Routing Interfaces in the Layer 2 presentation, in this section
we’ll explore VE configurations on ICX.

Revision 2212 11 ‐ 11
ICX 150 Layer 3 Fundamentals

Virtual Routing Interfaces

• ICX devices use a Logical routing interface to route Layer 3 protocol traffic
between VLANs
– Configure a virtual routing interface on each VLAN that needs routing capabilities

• Routing parameters are configured on the virtual routing interfaces allowing

for routing outside the local switch
– These parameters can include:
o IPv4/v6 addresses Routing
o Static routing associated with the VE interface
eth1/1/1 ve10 ve2 ve20
(next hop)
o Routing protocols such as OSPF providing
dynamic routing to and from the VLAN
VLAN VLAN VLAN
o Layer 3 redundancy protocols such as 10 2 22
VRRP/VRRP‐E

12 © 2022 CommScope, Inc.

A virtual interface is a logical port associated with a Layer 3 Virtual LAN (VLAN)
configured on a Layer 3 switch. You can configure routing parameters on the virtual
interface to enable the Layer 3 switch to route protocol traffic from one Layer 3
VLAN to the other, without using an external router.

You can configure IP routing interface parameters on a virtual interface, including:

• Configuring IPv4 and IPv6 addresses
• Configure static routing which points to a VE as the next‐hop
• Configure and enable dynamic routing protocols, including OSPF and BGP
• Configure Layer 3 gateway redundancy protocols such as VRRP and VRRP‐E

Revision 2212 11 ‐ 12
ICX 150 Layer 3 Fundamentals

Configuring Routable VLANs

• Configure port‐based VLAN
– Associate Tagged and/or untagged ports
– Define Virtual Interface (VE)
ICX-Router(config)# vlan 10
ICX-Router(config-vlan-10)# tagged e 1/1/1 to 1/1/10
Added tagged port(s) ethe 1/1/1 to 1/1/10 to port-vlan 10.
ICX-Router(config-vlan-10)# router-interface ve 10

• Configure the virtual Ethernet (VE) interface

– Assign an IP address
ICX-Router(config)# interface ve 10
ICX-Router(config-vif-10)# ip address 10.1.1.1/24
ICX-Router(config-vif-10)# ipv6 address 2001:db8:12d:1011::/64 eui-64
– Optionally configure routing protocols
13 © 2022 CommScope, Inc.

Routing between VLANs is accomplished by defining a virtual router interface and assigning
an IP address to the virtual interface. Hosts within the subnet set their default gateway to
the IP address that has been assigned to the virtual interface.
A virtual Ethernet (VE) interface can be configured on a VLAN with the router-
interface ve command. While ports are not required to be assigned to the VLAN to
configure the VE, the IP interface will not transition to an UP state until ports are added and
devices are connected.

The configuration parameters for VE interfaces are the same as when you configure a
physical interface for routing. ICX devices use the lowest MAC address on the device (the
MAC address of port 1/1) as the MAC address for all ports within all virtual routing
interfaces you configure on the device. However, this MAC can be changed using the ip-
mac command while in the interface’s configuration context.

Revision 2212 11 ‐ 13
ICX 150 Layer 3 Fundamentals

Configuring Routable VLANs (cont.)

ICX-Router(config)# vlan 2
ICX-Router(config-vlan-2)# untag ethernet 1/1/11 to 1/1/16
ICX-Router(config-vlan-2)# router-interface ve 2

ICX-Router(config-vlan-2)# interface ve 2
ICX-Router(config-vif-2)# ip address 192.123.2.1/24
ICX-Router(config-vif-2)# ipv6 address 2001:db8:12d:2::/64 eui-64
Not required
to match
ICX-Router(config-vif-10)# vlan 22 (but should)
ICX-Router(config-vlan-22)# untag ethernet 1/1/17 to 1/1/24
ICX-Router(config-vlan-22)# router-interface ve 20

ICX-Router(config-vlan-22)# interface ve 20
ICX-Router(config-vif-22)# ip address 192.123.22.1/24
ICX-Router(config-vif-2)# ipv6 address 2001:db8:12d:22::/64 eui-64

14 © 2022 CommScope, Inc.

Here we have examples adding additional VLANs and VEs. In VLAN 2, router interface VE 2
is created and in VLAN 22, VE 20 is created. Notice that VLAN 22 does not have the same ID
value as its router interface (VE20). These are two values are not required to match
however it is a best practice to do so.

The graphic shows that, upon creation, each of these virtual interfaces, as well as the
physical interface configured earlier are “connected” to the same routing engine of the
switch. This allows local routing between devices that are connected to these interfaces
(virtual and physical) to communicate, as long as those devices are properly configured
themselves.

Revision 2212 11 ‐ 14
ICX 150 Layer 3 Fundamentals

Interface and VEs in IP Route Table

If the interfaces with IP addresses configured are up, their routes will be present in the
IP route table
• A tagged or untagged port member of a VLAN must be up in order for the VE interface in
the same VLAN to be up

ICX-Router# show ip route

Total number of IP routes: 4
Type Codes - B:BGP D:Connected O:OSPF R:RIP S:Static; Cost - Dist/Metric
BGP Codes - i:iBGP e:eBGP
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2
Destination Gateway Port Cost Type Uptime
1 10.1.1.0/24 DIRECT ve 10 0/0 D 1m59s
2 10.168.1.0/24 DIRECT e 1/1/1 0/0 D 2m53s
3 192.123.2.0/24 DIRECT ve 2 0/0 D 0m38s
4 192.123.22.0/24 DIRECT ve 20 0/0 D 0m4s

15 © 2022 CommScope, Inc.

In the example shown we can see we have 4 routes, 3 of which will forward traffic using
VEs 2, 10, and 20.

Revision 2212 11 ‐ 15
ICX 150 Layer 3 Fundamentals

Layer 3 Features

In this section we’ll discuss Address Resolution Protocol (ARP) and outline some basic
routing configurations on RUCKUS ICX.

Revision 2212 11 ‐ 16
ICX 150 Layer 3 Fundamentals

Address Resolution Protocol (ARP)

• ARP is a Layer 2 (L2) protocol used to determine a MAC address when only an L3 IP
address is known
– Each device caches any discovered MAC addresses in a table
o The table is a mapping of IP addresses to MAC addresses
o Addresses are typically cached for 10 minutes by default

• To display the ICX ARP caching table

ICX-Router# show arp
Total number of ARP entries: 3
Entries in default routing instance:
No. IP Address MAC Address Type Age Port Status
1 10.25.224.1 02e0.526a.3e3e Dynamic 0 1/1/1 Valid
2 10.25.224.2 001b.ed0c.c200 Dynamic 2 3/1/13 Valid
3 10.25.224.3 001b.ed0f.bc00 Dynamic 0 1/1/22 Valid

17 © 2022 CommScope, Inc.

If a host wants to send a message to some other device on the LAN and knows its
destination IP address, the host must discover the Ethernet MAC address of the target. This
requirement occurs because Ethernet hardware does not understand IP protocols or IP
addresses. The destination IP address is associated with a MAC address belonging to the
target and is present on the LAN.

Before sending an IP packet, the host must send a broadcast message onto the LAN using
ARP to discover the MAC address of its intended target. The switch or router that has that
MAC address in its tables can now send its IP packet to the destination. The host’s
operating system also stores the newly discovered MAC address in a table (the result is
cached). This table of mappings from IP addresses to MAC addresses is retained and
consulted multiple times, so the ARP discovery procedure only has to be performed if the
ARP cache does not have an entry.

To ensure the accuracy of the ARP table, each dynamic entry has its own age timer. The
timer is reset to zero each time the Layer 3 switch receives an ARP reply or ARP request
containing the IP address and MAC address of the entry. If a dynamic entry reaches its
maximum allowable age (by default 10 minutes), the entry times out and the software
removes the entry from the table. Static entries do not age out and can be removed only by
the administrator

NOTE: Host devices connected to an ICX 7750 that also have a valid IP address and reply
periodically to the ARP request are not timed out, even if no traffic is destined for the
device. This behavior is restricted to only ICX 7750 devices.

Revision 2212 11 ‐ 17
ICX 150 Layer 3 Fundamentals

Static ARP Entries

• Static entries are useful in cases:
– Pre‐configure ARP entries
– Prevent entries from aging out
– Help speed access for frequently used servers/hosts

ICX-Router(config)# arp 10.53.4.2 1245.7654.2348 ethernet 1/1/2

Syntax: [no] arp ip‐address mac‐address { ethernet unit/slot/port | lag lag‐id | inspection }
• The ethernet unit/slot/port option specifies the port number attached to the device that
has the MAC address of the entry
• The lag lag‐id option specifies the LAG interface attached to the device that has the MAC
address of the entry
• The inspection option is related to the Dynamic ARP Inspection (DAI) feature which will be
covered in another section of this course

18 © 2022 CommScope, Inc.

Static ARP entries are added to the ARP cache when they are configured. Static ARP entries
are useful in cases where you want to pre‐configure an entry for a device that is not
connected to the Layer 3 switch, or you want to prevent a particular entry from aging out.

RUCKUS Layer 3 switches have a static ARP table, in addition to the regular ARP cache.
Unlike static ARP entries, dynamic ARP entries are removed from the ARP cache if the ARP
aging interval expires before the entry is refreshed. Static entries do not age out, regardless
of whether the RUCKUS device receives an ARP request from the device that has the entry
address.

Enter the following command to create a static ARP entry in the ARP cache and notice the
options that can be applied.

NOTE: You cannot create static ARP entries on a Layer 2 switch.

Revision 2212 11 ‐ 18
ICX 150 Layer 3 Fundamentals

Route‐only
• By default, RUCKUS Layer 3 devices support Layer 2 switching

• Layer 2 switching can be disabled globally or on individual ports with the route‐only
command

• The route‐only feature can be configured globally, causing all ports to disable Layer 2
switching functionality
ICX-Router(config)# route-only

• Then, individual ports can be configured to allow Layer 2 switching functionality

ICX-Router(config)# interface ethernet 1/1/17 to 1/1/18
ICX-Router(config-mif-1/1/17-1/1/18)# no route-only

– These ports will now allow layer 2 switching between them and could still support Layer 3
forwarding with a VE interface

19 © 2022 CommScope, Inc.

By default, RUCKUS Layer 3 devices support Layer 2 switching. If you want to disable
Layer 2 switching, you can do so globally or on individual ports, depending on the
version of software your device is running.

Be aware of the following restrictions and limitations when disabling Layer 2

switching:
• Enabling or disabling Layer 2 switching is supported in Layer 3 software images
only with the use of the route-only command
• RUCKUS ICX devices support disabling Layer 2 switching at the interface
configuration mode as well as the global configuration mode
• Enabling or disabling Layer 2 switching is not supported on virtual interfaces

The system will allow you to enable any L2 (switching protocols) even if route-only is
configured, but they will not work. Any protocol that needs to be switched in the same
broadcast domain will not work if route-only is configured.

Revision 2212 11 ‐ 19
ICX 150 Layer 3 Fundamentals

Displaying the IPv4 Route Table

ICX-Router# show ip route
Total number of IP routes: 4
Type Codes - B:BGP D:Connected O:OSPF R:RIP S:Static; Cost - Dist/Metric
BGP Codes - i:iBGP e:eBGP
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2
Destination Gateway Port Cost Type Uptime
1 10.1.1.0/24 DIRECT ve 10 0/0 D 1m20s
2 10.45.6.0/24 DIRECT e 1/1/1 0/0 D 5m16s
3 192.123.2.0/24 DIRECT ve 2 0/0 D 2m4s
4 192.123.22.0/24 DIRECT ve 20 0/0 D 0m35s

• Destination — The destination network and network mask of the route

• Gateway — The next‐hop router
• Port — The local router port used to send packets to the destination route
• Cost — The route's cost or metric
• Type — The source of the learned route
• Uptime – Length of time each route has been up
20 © 2022 CommScope, Inc.

Here is an example of an entry in the IP route table. It is displayed when the show
ip route command is executed.
Each IP route table entry contains the destination IP address and subnet mask and
the IP address of the next‐hop router interface to the destination. Each entry also
indicates the port attached to the destination or the next‐hop to the destination,
the route IP metric (cost), and the type. The type column indicates how the IP route
table received the route.
The route type, can be one of the following:
• B ‐ The route was learned from BGP.
• D ‐ the destination is directly connected to this RUCKUS device.
• R‐ The route was learned from RIP.
• S ‐ The route is a static route.
• * ‐ The route is a candidate default route.
• O ‐ The route is an OSPF route. Unless you use the OSPF option to display the
route table, 'O' is used for all OSPF routes.

The Uptime column indicates how long each specific network route has been up.

Revision 2212 11 ‐ 20
ICX 150 Layer 3 Fundamentals

Displaying the IPv6 Route Table

ICX-Router# show ipv6 route
IPv6 Routing Table - 3 entries:
Type Codes - B:BGP C:Connected L:Local O:OSPF R:RIP S:Static
BGP Codes - i:iBGP e:eBGP
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2
STATIC Codes - d:DHCPv6 v:Inter-VRF
Type IPv6 Prefix Next Hop Router Interface Dis/Metric Uptime
C 2001:db8:12d:2::/64 :: ve 2 0/0 1h35m
C 2001:db8:12d:22::/64 :: ve 20 0/0 1h35m
O 2001:DB8::2/128 fe80::2e0:52ff:fe91:bb37 ethe 1/3/2 110/1 19h58m

• Type — The source of the learned route

• IPv6 Prefix — The destination network and network mask of the route
• Next Hop Router — The next‐hop router
• Interface — The local router port used to send packets to the destination route
• Dis/Metric — The route’s administrative distance and metric value
21 © 2022 CommScope, Inc.

Here is an example of an entry in the IPv6 route table. It is displayed when the show
ipv6 route command is executed.
Each IPv6 route table entry contains the destination IP address and subnet mask
and the IP address of the next‐hop router interface to the destination. Each entry
also indicates the port attached to the destination or the next‐hop to the
destination, the route IP metric (cost), and the type. The type column indicates how
the IP route table received the route.
The route type, can be one of the following:
• C ‐ the destination is directly connected to this RUCKUS device
• S ‐ The route is a static route
• R‐ The route was learned from RIPng
• O ‐ The route is an OSPFv3 route. Unless you use the OSPF option to display
the route table, 'O' is used for all OSPF routes.
• B ‐ The route was learned from BGP4

Revision 2212 11 ‐ 21
ICX 150 Layer 3 Fundamentals

Learning IP Routes
• Routing tables are populated with:

– Directly connected routes — The networks that are directly connected to the router
are always known and added to the routing table
o A router knows a network is reachable because it has an interface in the address range

– Static routes — Manually configured on the router

o Network Administrator instructs a router to send packets for remote network to another
neighboring router

– Dynamic routes — A routing protocol populates routes it has learned from other
routers
o A router learns of remote networks from a neighboring router

22 © 2022 CommScope, Inc.

The IP route table contains paths to IP destinations.

The IP route table can receive the paths from the following sources and it can contain
leaked routes as well (from other VRFs).
• A directly‐connected destination, which means there are no router hops to the
destination
• A static IP route, which is a user‐configured route
• A route learned through dynamic routing protocols, including:
– RIP
– OSPF
– BGP

The IP route table contains the best path to a destination:

• When the software receives paths from more than one of the sources listed above,
the software compares the administrative distance of each path and selects the path
with the lowest administrative distance. The administrative distance is a protocol‐
independent value from 0 through 255.
• When the software receives two or more best paths to a destination network and the
paths have the same metric (cost), the software can load share traffic among the
paths based on destination host or network address (based on the configuration and
the Layer 3 device model).

Revision 2212 11 ‐ 22
ICX 150 Layer 3 Fundamentals

Static Routes
• A static route is created manually by a network administrator and is locally
significant
• Each router in a data path needs a next‐hop route to reach the destination
Router A Router B Router C
10.1.2.2/30 10.1.1.2/30

192.168.1.0/24 10.1.2.1/30 10.1.1.1/30 172.16.1.0/24

Generic Configuration Example

Router_A(config)# ip route 172.16.1.0/24 10.1.2.1
Router_B(config)# ip route 172.16.1.0/24 10.1.1.1
Router_B(config)# ip route 192.168.1.0/24 10.1.2.2
Router_C(config)# ip route 192.168.1.0/24 10.1.1.2

23 © 2022 CommScope, Inc.

A static route is a route manually created by a network administrator to instruct a router

how to reach a particular remote network. A local next‐hop IP address or a local outgoing
interface number can be used in the static route configuration. Static routes (when no
routing protocols are used) are only applicable to the router they are configured on. This
means that static routes are likely required on all routers in a data path to allow end‐to‐end
communications.

To reach a destination network that is not directly connected to the local router, routing is
needed. Static routes will be removed from the route table if: the next‐hop interface
or route pointing towards the next‐hop IP address are offline. In the example shown
static routes are configured for the routers to allow connectivity between the two hosts on
the remote networks. However, this does not mean that all devices in the data path can
reach each other. With only the configuration information provided, Router A is incapable
of communicating directly with Router C. For Router A to communicate with Router C,
Router A would require a static route to the 10.1.1.0/30 network and Router C would
require a static route to 10.1.2.0/30.

Revision 2212 11 ‐ 23
ICX 150 Layer 3 Fundamentals

Default Routes
A default route is used when an explicit route to a destination network is not known

• Default routes are last in the order of execution of the routing table and can be dynamically learned by a
routing protocol
• To configure a static default route:
Router_A(config)# ip route 0.0.0.0/0 156.10.20.21
Router_A(config)# ip route 0.0.0.0/0 10.1.2.1 distance 115

Syntax: [no] ip route dest‐ip‐addr next‐hop‐addr [ metric ] [ distance distance ] [ name string ] [ tag tag ]

24 © 2022 CommScope, Inc.

You can manually create a static default route that the router uses if there are no
other routes to a destination network.

To configure a static default route, use the ip route command with 0.0.0.0 0.0.0.0 as the
destination route and network mask followed by a valid next‐hop address.
device(config)# ip route 0.0.0.0 0.0.0.0 10.24.4.1

This example on the slide configures two different default routes however the second has a
higher administrative distance. If both routes are available, the first will be preferred
because of its more favorable Administrative Distance (default 1). If the first route becomes
unavailable the second route will then be placed into the routing table allowing for an
alternate path as a default route.

Revision 2212 11 ‐ 24
ICX 150 Layer 3 Fundamentals

Default Route in IP Routing Table

The default route is always displayed first in the IP routing table, as it is the least specific
ICX-Router# show ip route
Total number of IP routes: 5
Type Codes - B:BGP D:Connected O:OSPF R:RIP S:Static; Cost - Dist/Metric
BGP Codes - i:iBGP e:eBGP
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2
STATIC Codes - v:Inter-VRF
Destination Gateway Port Cost Type Uptime
1 0.0.0.0/0 10.45.6.2 e 1/1/1 1/1 S 0m3s
2 10.1.1.0/24 DIRECT ve 10 0/0 D 17m20s
3 10.45.6.0/24 DIRECT e 1/1/1 0/0 D 21m16s
4 192.123.2.0/24 DIRECT ve 2 0/0 D 18m4s
5 192.123.22.0/24 DIRECT ve 20 0/0 D 16m35s

• Default Route (explicitly defined with a next hop gateway – ex; ip route 0.0.0.0/0 10.45.6.2)
• Default Network Route (when defined, if no default route exists, default network route will be used along with its next
hop gateway – ex; ip default-network 10.1.1.0)

25 © 2022 CommScope, Inc.

If you configure 10.1.1.0/24 as a candidate default network route and IP route table
does not contain an explicit static default route (0.0.0.0/0), the software uses the
default network route along with it’s next hop gateway as the default gateway. If a
topology change occurs and as a result the default network route's next hop
gateway changes, the software can still use the default network route.

However, if a default route is configured, the default network will only be used if
the default route becomes invalid and is removed from the IP routing table.

Revision 2212 11 ‐ 25
ICX 150 Layer 3 Fundamentals

Management Virtual Routing

and Forwarding (VRF)

In this section we’ll explore Virtual Routing and Forwarding (VRF) introducing the concept
of separate route tables from the perspective of Management traffic.

Revision 2212 11 ‐ 26
ICX 150 Layer 3 Fundamentals

Management VRF Overview

• Isolates management traffic from the network data traffic
• Management traffic is only sent on OOB management port and any interfaces with
vrf forwarding for management VRF
• The management VRF is supported by the following management applications:
– SNMP server
– SNMP trap generator
– Telnet server
– SSH client
– SSH server
– Telnet client
– RADIUS client
– TACACS+ client
– TFTP
– SCP
– Syslog

27 © 2022 CommScope, Inc.

Virtual routing and forwarding (VRF) allows routers to maintain multiple routing tables and
forwarding tables on the same router. If you think about how Layer 2 VLANs separate
broadcast domains on a device, VRFs similarly provide logical separation of Layer 3
networks on a device. You can create many VRFs on a router and each VRF will maintain
their own routing table. You can then associate routes, routing protocols, as well as virtual
and physical interfaces to the VRF.

A management VRF is used to provide secure management access to the device by

sending inbound and outbound management traffic through the VRF specified as a
global management VRF and through the out‐of‐band management port.

By default, the inbound traffic is unaware of VRF and allows incoming packets from
any VRF, including the default VRF. Outbound traffic is sent only through the default
VRF. The default VRF consists of an out‐of‐band management port and all the link
ports that do not belong to any other VRFs.

Any VRF, except the default VRF, can be configured as a management VRF. When a
management VRF is configured, the management traffic is allowed through the
ports belonging to the specified VRF and the out‐of‐band management port. The
management traffic through the ports belonging to the other VRFs and the default
VRF are dropped, and the rejection statistics are incremented.

A list of management applications that support Management VRF are shown here.

Revision 2212 11 ‐ 27
ICX 150 Layer 3 Fundamentals

Configuring Management VRF for OOB Interface

• Create non‐default VRF
ICX-Router(config)# vrf mgmt-vrf
ICX-Router (config-vrf-mgmt-vrf)# rd 1:1
ICX-Router (config-vrf-mgmt-vrf)# address-family ipv4
ICX-Router (config-vrf-mgmt-vrf-ipv4)# exit

• Define it as the management VRF

ICX-Router(config)# management-vrf mgmt-vrf

• Enable VRF forwarding on OOB Management interface

ICX-Router(config)# interface management 1
ICX-Router (config-if-mgmt-1)# vrf forwarding mgmt-vrf
Warning: All IPv4 and IPv6 addresses (including link-local) on this interface have
been removed
ICX-Router (config-if-mgmt-1)# ip address 192.168.10.22/24

28 © 2022 CommScope, Inc.

The basic configuration of a management VRF is as follows.

‐Create a VRF, in this case we have named it mgmt-vrf

‐Assign a route distinguisher (each VRF requires a unique route distinguisher). In this case
we’re using 1:1, check the command syntax for configuration options, however know that
once created the RD cannot be changed or deleted, you must delete the VRF
‐Specify which type of addressing the VRF will support (in this case IPv4)
‐Assign the newly created VRF as the management VRF
‐Configure the management interface, placing it into the management VRF, as well as
assign it an IP address

NOTE: The mgmt‐vrf would need to have proper routes in its table for reachability. This can
be checked with show ip route vrf mgmt-vrf

Revision 2212 11 ‐ 28
ICX 150 Layer 3 Fundamentals

Configuring Management VRF for VLAN Interface

• Create non‐default VRF
• Define it as the management VRF
• Configure VLAN for management use

device(config)# vlan 10 name MGMT

device(config-vlan-10)# tag e 1/1/12
device(config-vlan-10)# router-interface ve 10
device(config-vlan-10)# interface ve 10
device(config-vif-10)# vrf forwarding mgmt-vrf
Warning: All IPv4 and IPv6 addresses (including link-local) on this
interface have been removed
device(config-vif-10)# ip address 10.255.10.12/24
device(config-vif-10)# exit

29 © 2022 CommScope, Inc.

In this example, we are creating a VE interface on VLAN 10 and associating the newly
created VE 10 to the management VRF (mgmt‐vrf). This is assuming that we’ve already
performed the configuration of the Management VRF (mgmt‐vrf) as previously shown.

Revision 2212 11 ‐ 29
ICX 150 Layer 3 Fundamentals

Virtual Router Redundancy

Protocol Extended (VRRP‐E)

Virtual Router Redundancy Protocol Extended (VRRP‐E) as the name suggests extends the
capabilities of Virtual Router Redundancy Protocol (VRRP). In this section we’ll outline the
operations and considerations for it’s use on RUCKUS ICX devices.

Revision 2212 11 ‐ 30
ICX 150 Layer 3 Fundamentals

Virtual Router Redundancy Protocol Extended

VRRP‐E is a RUCKUS proprietary version of the VRRP protocol that overcomes limitations in the standard protocol

• No default owner and all routers start as backup

– All members have a configurable priority unlike VRRP
– The router with the highest active priority becomes the master
– If there is a tie for highest priority, the router with the highest interface IP address becomes master

• The Virtual IP (VIP) is not owned by any members of the VRRP‐E instance
– There is no concept of an owner of the VIP, as a real interface IP is not used
– The elected master hosts the VIP address and responds to ICMP requests

• More granular control of track port management

– Multiple track ports can be monitored providing thresholds on a member

• Security is available allowing MD5 authentication

• VRRP‐Ev2 – IPv4 Implementation

• VRRP‐Ev3 – IPv6 Implementation

31 © 2022 CommScope, Inc.

We outlined Virtual Router Redundancy Protocol in the Routing and Switching Protocols
(RSP‐100) course. In this section we’re going show configurations on ICX that are related to
VRRP‐E, which is the RUCKUS proprietary extended version of the standards based VRRP
Protocol.

Before we get into that lets explain what makes VRRP‐E different from the standards based
VRRP implementation. With VRRP‐E all routers are backup for any given Virtual Router ID
(VRID), the VRRP‐E members can have a configured priority and the highest priority will
become the VRRP‐E master. The elected master device will respond to communications
with the associated virtual IP.

VRRP‐E also has more options to control track ports, which influences VRRP‐E priority. With
VRRP‐E you can track multiple interfaces to influence priorities and you can secure VRRP‐E
using MD5 authentication.

…Continued on next slide

Revision 2212 11 ‐ 31
ICX 150 Layer 3 Fundamentals

<continued from previous slide…>

NOTE: VRRP standard was established in RFC 3768 however was updated by RFC 5798 in
2010 to include IPv6 addressing.

NOTE: VRRP‐E is supported in the full Layer 3 code only. It is not supported in the base Layer
3 code.
Virtual Router Redundancy Protocol Enhanced (VRRP‐E)
• All routers are backups for a given Virtual Router ID (VRID). The router with the highest
priority becomes master. If there is a tie for highest priority, the router with the highest IP
address becomes master. The elected master owns the virtual IP address and answers
ICMP and ARP requests.
• VRRP‐E uses UDP to send hello messages in IP multicast messages. The hello packets use
the interface's actual MAC address and IP address as the source addresses. The
destination MAC address is 01‐00‐5E‐00‐00‐02, and the destination IP address is 224.0.0.2
(the well‐known IP multicast address for all routers). Both the source and destination UDP
port number is 8888. VRRP‐E messages are encapsulated in the data portion of the
packet.
• The virtual IP (VIP) must be an unique IP address on the same subnet where VRRP‐E is
enabled.
• VRRP‐E uses the interface's actual MAC address as the source MAC address for VRRP‐E
Advertisements. A virtual MAC address is used for the gateway or VIP address on the
client subnet. The virtual MAC address is 02‐E0‐52‐<hash‐value>‐<vrid> where the <hash‐
value> is a two‐octet hex hash value of the Virtual IP Address and <vrid> is the Virtual
Router ID value.

Revision 2212 11 ‐ 32
ICX 150 Layer 3 Fundamentals

VRRP‐E Requirements
To correctly configure VRRP‐E on RUCKUS ICX consider:
• ICX switch must be running full layer 3 routing code

• The VRRP‐E virtual router IP address must be in the same subnet as a real IP address assigned to a
physical interface
– Must not be the same as any of the actual IP addresses on any router interface
– Configuring VRRP‐E uses the same task steps for all devices; there are no differences between master and
backup device configuration

• Router configured with the highest active priority assumes the master role

• VRRP‐E is not supported on non‐RUCKUS devices and does not interoperate with standards‐based
VRRP sessions

• Virtual router IDs can range from 1‐255

• Up to 16 VRRP‐E instances can be configured

33 © 2022 CommScope, Inc.

Requirements for configuration of VRRP‐E include

‐Making sure that the ICX is running Layer 3 firmware

‐Virtual IP addresses need to be in the same subnet as IP addresses assigned on the
physical VRRP‐E interface
‐The VRRP‐E router with the highest active priority will become master
‐VRRP‐E is not support on non‐RUCKUS devices and cannot operate with standards based
VRRP
‐Virtual Router IDs can be configured in a range from 1 to 255, however only 16 instances
can be configured max

NOTE: Only one protocol (VRRP/VRRP‐E) can be enabled at a time on RUCKUS ICX devices.

Revision 2212 11 ‐ 33
ICX 150 Layer 3 Fundamentals

VRRP‐E Master Selection

All VRRP‐E routers start as backup and send hello messages to determine the
master router
– Router with the highest VRRP‐E priority becomes master
– Master sends hellos as a keep‐alive and responds to ARP and ICMP requests
(i.e. ping)

34 © 2022 CommScope, Inc.

As we said previously, when using VRRP‐E all configured routers start in backup mode for
each VRRP instance. Hello’s are sent and received to decide who has the highest priority.
Once the highest priority router for that instance has been identified, it transitions to the
Master role, and continues to send hello messages to inform the other backup routers of
its status. Backup routers will use the received hello message as a keep alive message and
will also continue to monitor the priority of the Master router.

If the backup router does not receive a hello message from the current Master router
before the keep alive timer expires it will take over the Master role and begin sending out
its own hello messages. In addition, if at any time the priority received from the Master
router is lower that its own current priority it will begin sending its own hello messages
indicating it has a higher priority and will then migrate to the Master role as well. Anytime
there is a transition of the Master role the new Master will send out a gratuitous ARP
updating the inline switch tables of the new virtual MAC location.

No matter what router is Master it will respond to ICMP requests from hosts.

Revision 2212 11 ‐ 34
ICX 150 Layer 3 Fundamentals

VRRP‐E Instance

35 © 2022 CommScope, Inc.

In this example we have enabled VRRP‐E on both routers (Router A and Router B) and
configured them with a matching Virtual Router ID (VRID). On router A however we will
configure its priority higher than router B to ensure it becomes the master of this VRRP‐E
instance. If the priorities happen to be set the same or not set at all (default 100) on both
routers the router with the highest physical IP address configured would become the
master of this VRRP‐E instance. (It is suggested to always configure unique priorities to
ensure expected behavior.)

Revision 2212 11 ‐ 35
ICX 150 Layer 3 Fundamentals

Multiple VRRP‐E Instance on Routers

36 © 2022 CommScope, Inc.

Expanding on the previous example, we have configured Router A and Router B to load
balance as well as provide redundancy to the hosts using VRRP‐E. The load balancing is
accomplished by creating two unique VRRP‐E groups. Each group has its own virtual IP
address and VRID. The clients in the bottom left subnet point to virtual IP address of VRID 2
as their default gateway and the bottom right clients subnet points to the virtual IP address
of VRID 1 as their default gateway.

This potentially enables outbound traffic for each subnet to be forwarded by a different
router if the VRRP‐E instances are configured to establish the unique paths.

Take note of the priorities of each VRRP‐E instances. Router A is still master of VRID 1.
However we have configured Router B as the Master of VRID 2. As a result Router B will
forward the traffic for 10.2.1.0/24 subnet while Router A forwards for the 10.1.1.0/24
subnet allowing for the outgoing traffic to be balanced between the two routers.

Revision 2212 11 ‐ 36
ICX 150 Layer 3 Fundamentals

VRRP‐E Failover

Dead interval
Default: 3x Hello interval
Configurable backup: 1‐84 seconds

Hello interval
Default: 1 second
Configurable: 1‐84 seconds

37 © 2022 CommScope, Inc.

In the event of a router failure the backup router for the VRRP‐E instance will stop receiving
hellos from the Master causing its dead interval to expire and will migrate to the Master
role and take over the duties of forwarding traffic and responding to host requests.

Hello interval: The number of seconds or milliseconds between Hello messages from the
Master to the Backups for a given VRID. The interval can be from 1 through 84 seconds ( 1
second default) for VRRP‐Ev2.

Dead interval: The number of seconds or milliseconds a Backup waits for a Hello message
from the Master for the VRID before determining that the Master is no longer active. The
default for VRRP‐Ev2 is three times the configured hello time plus skew time.

NOTE: The hello and dead intervals must be set to the same values on both owner
and backup devices for the same VRID.

Revision 2212 11 ‐ 37
ICX 150 Layer 3 Fundamentals

VRRP‐E Track Port Monitoring

Track port failure causes track priority to be subtracted from configured backup
priority
– Each track port failure causes the tracking value to be subtracted (possibly
multiple times)
Backup priority ‐ (failed track ports x track port priority) = current priority
VRRP‐E RouterB VirtualRouter VRRP‐E RouterA Configured priority 115
VRID 1 VRID 1 VRID 1
2 track port failure ‐20
Backup
Master Virtual IP 10.1.1.1 Master
Backup
Priority 100 Virtual MAC to 02‐EO‐52‐A3‐23‐01 Priority
Priority115
105
95 Current priority 95

Configured priority 115

1 track port failure ‐10
Current priority 105
IP: 10.1.1.2 IP: 10.1.1.3
Track Port Priority 10

Host 1
Default Gateway
10.1.1.1

38 © 2022 CommScope, Inc.

When track port priorities are configured under the VRRP‐E instance any failed track
port will cause its priority will be decremented from the configured priority.
Depending on the VRRP‐E configuration this could cause a migration of the Master
duties to another router.

In a situation where only one track port fails you might not want to migrate to a
different router. VRRP‐E has the option to allow for one track port to fail and still
allow the original master to remain. However, you can configure in such a way that
if two track ports fail then switchover would take place. This is an advantage over
the VRRP standard by providing more flexibility in controlling when a failover would
take place.

If a failover occurs, once the new master is selected it sends out a gratuitous ARP
updating the virtual MAC location forcing any inline switches in the VRRP‐E
environment to update their MAC tables.

Revision 2212 11 ‐ 38
ICX 150 Layer 3 Fundamentals

Configuring VRRP‐E

In this section we’ll explore the configurations for VRRP‐E on RUCKUS ICX devices.

Revision 2212 11 ‐ 39
ICX 150 Layer 3 Fundamentals

Configuring VRRP‐E
• Configuring VRRP‐E virtual router
RouterA(config)# router vrrp-extended Physical Interface IP
RouterA(config-vrrpe-router)# interface ethernet 1/1/1 (same subnet as VRID IP)
RouterA(config-if-e1000-1/1/1)# ip address 10.1.1.3/24
VRID Virtual IP
RouterA(config-if-e1000-1/1/1)# ip vrrp-extended vrid 1
RouterA(config-if-e1000-1/1/1-vrid-1)# backup priority 115 track-priority 10
RouterA(config-if-e1000-1/1/1-vrid-1)# ip-address 10.1.1.1
RouterA(config-if-e1000-1/1/1-vrid-1)# track-port ethernet 1/1/16
RouterA(config-if-e1000-1/1/1-vrid-1)# track-port ethernet 1/1/17
RouterA(config-if-e1000-1/1/1-vrid-1)# track-port ethernet 1/1/18
RouterA(config-if-e1000-1/1/1-vrid-1)# activate
VRRPE router 1 for this interface is activating

• RouterB’s configuration is similar to RouterA

40 © 2022 CommScope, Inc.

VRRP‐E is configured in the order described below, which corresponds to the commands
shown above:
• VRRP‐E is enabled globally on RouterA
• CLI context is changed to interface e 1/1/1
• Interface e 1/1/1 is configured with an IP address
• VRRP‐E VRID 1 is set on e 1/1/1, which moves into VRID configuration context
• Backup Priority is set to 115 and Track Priority is set to 10
• The IP address for VRID 1 is specified
• The track port is defined
• the VRID is activated
• The router sends out a gratuitous ARP indicating its MAC address and VRID’s IP

Configuration Rules for VRRP‐E:

• The router interfaces in a VRID must be in the same IP subnet (physical interfaces and
virtual IP)
• The hello interval must be set to the same value on all the VRRP‐E enabled devices
• The dead interval must be set to the same value on all the Layer 3 Switches
• The track priority for a VRID must be lower than the VRRP‐E priority

RouterB configuration will be similar to Router A

…Continued on next slide

Revision 2212 11 ‐ 40
ICX 150 Layer 3 Fundamentals

<continued from previous slide…>

VRID 1 RouterB
RouterB(config)# router vrrp-e
RouterB(config-vrrpe-router)# inter e1/1/2
RouterB(config-if-e1000-1/1/2)# ip addr 10.1.1.2/24
RouterB(config-if-e1000-1/1/2)# ip vrrp-e vrid 1
RouterB(config-if-e1000-1/1/2-vrid-1)# backup priority 100 track-
priority 10
RouterB(config-if-e1000-1/1/2-vrid-1)# ip-add 10.1.1.1
RouterB(config-if-e1000-1/1/2-vrid-1)# track-port e 1/1/12
RouterB(config-if-e1000-1/1/2-vrid-1)# track-port e 1/1/13
RouterB(config-if-e1000-1/1/2-vrid-1)# track-port e 1/1/14
RouterB(config-if-e1000-1/1/2-vrid-1)# advertise backup
RouterB(config-if-e1000-1/1/2-vrid-1)# activate
VRRPE router 1 for this interface is activating

VRID 2 RouterA
RouterA(config)# inter e1/1/2
RouterA(config-if-e1000-1/1/2)# ip addr 10.2.1.2/24
RouterA(config-if-e1000-1/1/2)# ip vrrp-e vrid 2
RouterA(config-if-e1000-1/1/2-vrid-2)# backup priority 100 track-
priority 10
RouterA(config-if-e1000-1/1/2-vrid-2)# ip-add 10.2.1.1
RouterA(config-if-e1000-1/1/2-vrid-2)# track-p e 1/1/16
RouterA(config-if-e1000-1/1/2-vrid-2)# track-p e 1/1/17
RouterA(config-if-e1000-1/1/2-vrid-2)# track-p e 1/1/18
RouterA(config-if-e1000-1/1/2-vrid-2)# activate
VRRP-E router 2 for this interface is activating

VRID 2 RouterB
RouterB(config)# inter e1/1/1
RouterB(config-if-e1000-1/1/1)# ip addr 10.2.1.3/24
RouterB(config-if-e1000-1/1/1)# ip vrrp-e vrid 2
RouterB(config-if-e1000-1/1/1-vrid-2)# backup priority 115 track-
priority 10
RouterB(config-if-e1000-1/1/1-vrid-2)# ip-add 10.2.1.1
RouterB(config-if-e1000-1/1/2-vrid-1)# track-port e 1/1/12
RouterB(config-if-e1000-1/1/2-vrid-1)# track-port e 1/1/13
RouterB(config-if-e1000-1/1/2-vrid-1)# track-port e 1/1/14
RouterB(config-if-e1000-1/1/2-vrid-1)# advertise backup
RouterB(config-if-e1000-1/1/1-vrid-2)# activate
VRRP-E router 2 for this interface is activating

Revision 2212 11 ‐ 41
ICX 150 Layer 3 Fundamentals

Verify VRRP‐E Configuration — Master

RouterA# show ip vrrp-extended
Total number of VRRP-Extended routers defined: 1
Interface ethernet 1/1/1
auth-type no authentication Elected master due to higher
VRID 1 priority
state master
administrative-status enabled
priority 115 Configured priority
current priority 115
track-priority 10 Priority in use
backup-hello-interval 60 sec
hello-interval 1000 msec Configured dead‐interval. 0
dead-interval 0 msec
current dead-interval 3500 msec
= not configured and default
preempt-mode true value 3.5 sec is being used
accept-mode disabled
virtual ip address 10.1.1.1 Dead‐interval in use
virtual mac address 02e0.522f.2701
advertise backup: disabled Virtual IP and MAC
next hello sent in 00:00:00.1
backup router 10.1.1.2 expires in 00:02:37.9
track-port 1/1/16(up) 1/1/17(up) 1/1/18(up) Backup router advertisement
short-path-forwarding disabled
activate-backup: disabled
Track‐ports state are up

42 © 2022 CommScope, Inc.

The show ip vrrp-extended command provides a look at the VRID master/backup

status, configured and current priorities, track port status as well as other configurations.

Here we can see that this device is master for VRID 1 as its current priority is 115, which is
higher than the backup devices priority of 100. Our track priority is 10 and we are
monitoring three links. If only a single link fails it will not change this devices master status.
However the loss of two links would make the priority 95 and at that point the backup
device would become master.

…Continued on next slide

Revision 2212 11 ‐ 42
ICX 150 Layer 3 Fundamentals

<continued from previous slide…>

State: This device VRRP state for the VRID. The state can be one of the following:
• initialize – The VRID is not enabled (activated). If the state remains “initialize” after you
activate the VRID, make sure that the VRID is also configured on the other routers and that
the routers can communicate with each other.
NOTE: If the state is initialize and the mode is incomplete, make sure you have specified the
IP address for the VRID.
• Standby – This device is a backup for the VRID.
• Master – This device is the master for the VRID.

Administrative‐status: The administrative status of the VRID. The administrative status can be
one of the following:
• disabled – The VRID is configured on the interface but VSRP or VRRP‐E has not been
activated on the interface.
• enabled – VSRP has been activated on the interface.

Priority: The device preference for becoming the master for the VRID. During negotiation, the
backup with the highest priority becomes the master. If two or more backups are tied with the
highest priority, the backup interface with the highest IP address becomes the master for the
VRID.

Current priority: The current VRRP or VRRP‐E priority of this Layer 3 Switch for the VRID. The
current priority can differ from the configured priority (see the row above) for the following
reasons:
• The VRID is still in the initialization stage and has not become a master or backup yet. In this
case, the current priority is 0.
• The VRID is configured with track ports and the link on a tracked interface has gone down.

Hello‐interval: The number of seconds between hello messages from the master to the
backups for a given VRID.

Dead‐interval: The configured value for the dead interval. The dead interval is the number of
seconds a backup waits for a hello message from the master for the VRID before determining
that the master is no longer active. If the master does not send a hello message before the
dead interval expires, the backups negotiate (compare priorities) to select a new master for the
VRID. NOTE: If the value is 0, then you have not configured this parameter.

Current dead‐interval: The current value of the dead interval. This is the value actually in use
by this interface for the VRID. NOTE: This field does not apply to VRRP owners.

Continued on next slide…

Revision 2212 11 ‐ 43
ICX 150 Layer 3 Fundamentals

<continued from previous slide…>

Preempt‐mode: Whether the backup preempt mode is enabled. NOTE: This field does not
apply to VRRP owners.

Virtual ip address: The virtual IP addresses that this VRID is backing up.

Advertise‐backup: The IP addresses of backups that have advertised themselves to this Layer 3
Switch by sending hello messages. NOTE: hello messages from backups are disabled by default.
You must enable the hello messages on the backup for the backup to advertise itself to the
current master.

Next hello sent in <time>: How long until the backup sends its next hello message. NOTE: This
field applies only when this Layer 3 Switch is the master and the backup is configured to send
hello messages (the advertise backup option is enabled).

Track port: The interfaces that the VRIDs interface is tracking. If the link for a tracked interface
goes down, the VRRP or VRRP‐E priority of the VRID interface is changed, causing the devices to
renegotiate for master. NOTE: This field is displayed only if track interfaces are configured for
this VRID.

Short path forwarding: Allows RUCKUS devices to bypass the VRRP‐E master router and
directly forward packets to their destination through interfaces on the VRRP‐E backup
router. This is called short‐path forwarding. A backup router participates in a VRRP‐E
session only when short‐path forwarding is enabled.

Activate backup: This is a command issued within the router VRRP‐E stanza causing the router
to change the current VRRP‐E priority to 1 causing it to relinquish its master duties. This allows
for ISSU servicing and should be removed once the upgrade is complete. Because it is a
configuration command it will need to be removed from the config using the no activate
backup command.

Revision 2212 11 ‐ 44
ICX 150 Layer 3 Fundamentals

Verify VRRP‐E Configuration ‐ Backup

RouterB# show ip vrrp-extended
Total number of VRRP-Extended routers defined: 1
Interface ethernet 1/1/2
auth-type no authentication Backup state due to lower
VRID 1
priority
state backup
administrative-status enabled
priority 100
current priority 100 Configured priority
track-priority 10
backup-hello-interval 60 sec
hello-interval 1000 msec Master router IP
dead-interval 0 msec
current dead-interval 3600 msec
preempt-mode true
accept-mode disabled Amount of time until dead
virtual ip address 10.1.1.1 interval expires
virtual mac address 02e0.522f.2701
advertise backup: enabled
next hello sent in 00:00:04.0
master router 10.1.1.3 expires in 00:00:02.9 Track‐ports state are up
track-port 1/1/12(up) 1/1/13(up) 1/1/14(up)

45 © 2022 CommScope, Inc.

Here we see the show ip vrrp‐extended output from the perspective of the backup. Again,
we can see the current state, configured and current priority as well as track port status.

Revision 2212 11 ‐ 45
ICX 150 Layer 3 Fundamentals

VRRP‐E Considerations
Consider the following rules when configuring an instance of VRRP‐E

• The VIP cannot be configured on any interfaces

• The Hello and dead interval must be set to the same value on configured devices

• The track priority must be lower than the VRRP‐E backup priority

• The same VRID must not be used across IPv6 VRRP‐E and IPv4 VRRP‐E if they are in
the same broadcast domain

• All configuration is removed from running config if the protocol VRRP‐E is removed
using the no router vrrp‐extended command

46 © 2022 CommScope, Inc.

When managing VRRP‐E configurations, keep the following rules in mind.

‐The address of the virtual interface cannot be used on physical interfaces.

‐The hello and dead intervals must match between master and backup devices.
‐Any track port priority values defined, must be lower than the backup priority.
‐The configured VRID values cannot be used across IPv4 and IPv6 if they are in the same
broadcast domain.
‐Finally, executing the no router vrrp-extended command will remove all VRRP‐E
configuration.

Revision 2212 11 ‐ 46
ICX 150 Layer 3 Fundamentals

Open Shortest Path First (OSPF)

Open Shortest Path First (OSPF) is a link‐state, dynamic routing protocol, that that is used
to send routing updates to other OSPF routers. Whereas we talked about static routing,
which is a very manual process. OSPF can decided which path in the network is best for any
given network. In this section we’ll give an overview of OSPF and then show it’s
configuration on RUCKUS ICX devices.

Revision 2212 11 ‐ 47
ICX 150 Layer 3 Fundamentals

OSPF Overview
• OSPF is a robust Interior Gateway Protocol (IGP) for medium to large networks

• Route topology database is created based on Shortest Path First (SPF)

algorithm—Dijkstra’s algorithm

• Link state routing protocol

• Route metric is based on aggregated link cost

• OSPF version supported:

– OSFPv2 – Exchanges IPv4 network prefixes
– OSPFv3 – Exchanges IPv6 network prefixes
48 © 2022 CommScope, Inc.

Open Shortest Path First (OSPF) is a link‐state routing protocol. Each OSPF device originates
link‐state advertisement (LSA) packets to describe its link information. These LSAs are
flooded throughout the OSPF area. The flooding algorithm ensures that every device in the
area has an identical database. Each device in the area then calculates a Shortest Path Tree
(SPT) that shows the shortest distance to every other device in the area, using the topology
information in the Link State database.
OSPF Version 2 (OSPFv2) supports the exchange of IPv4 network prefixes.
OSPF Version 3 (OSPFv3) supports the exchange of IPv6 prefixes, which functions
similarly to OSPFv2, for IPv4 prefixes, except for the following enhancements:
• Ability to configure several IPv6 addresses on a device interface. (While
OSPFv2 runs per IP subnet, OSPFv3 runs per link. In general, you can configure
several IPv6 addresses on a router interface, but OSPFv3 forms one adjacency
per interface only, using the link local address of the interface as the source
for OSPF protocol packets. On virtual links, OSPFv3 uses the global IP address
of the egress interface as the source. OSPFv3 imports all or none of the
address prefixes configured on a router interface. You cannot select the
addresses to import.)
• Ability to run one instance of OSPFv2 and one instance of OSPFv3 concurrently
on a link.
• Support for IPv6 link‐state advertisements (LSAs).

NOTE – Although OSPFv2 and OSPFv3 function in a similar manner, RUCKUS has
implemented the user interface for each version independently of the other.
Therefore, any configuration of OSPFv2 features will not affect the configuration of
OSPFv3 features and vice versa.

Revision 2212 11 ‐ 48
ICX 150 Layer 3 Fundamentals

OSPF Support
• ICX switches support the following types of LSAs
• Type 1 – Router LSA
• Type 2 – Network LSA
• Type 3 – Summary LSA
• Type 4 – Autonomous system (AS) summary LSA
• Type 5 – AS external LSA
• Type 7 – Not‐So‐Stubby Area (NSSA) external LSA
• Type 8 – Link LSA (OSPFv3)
• Type 9 – Intra‐Area Prefix LSA (OSPFv3)
– Also used for Graceful Restart (OSPFv2 and OSPFv3)

• Area Types:
– Normal, Stub, Not‐So‐Stubby Area (NSSA), Totally Stub
49 © 2022 CommScope, Inc.

Link State Advertisements are exchanged between adjacent OSPF routers and
contain link‐state and routing information. We discussed LSA types in the Routing
and Switching Protocols (RSP‐100) course however in terms of RUCKUS ICX devices
we support the following (as described in RFC 2328 and 3101):
• Router LSA (Type 1)
• Network LSA (Type 2)
• Summary LSA (Type 3)
• Autonomous system summary LSA (Type 4)
• AS external LSA (Type 5)
• Not‐So‐Stubby Area (NSSA) external LSA (Type 7)
• Grace LSAs (opaque LSA type 9)

Communication among areas is provided by means of link state advertisements

(LSAs). The LSAs supported for each area type are as follows:
• Backbone (area 0) supports LSAs 1, 2, 3, 4, and 5.
• Non‐backbone area supports LSAs 1, 2, 3, 4, and 5.
• Stub area supports LSAs 1, 2, and 3.
• Totally stubby area (TSA) supports LSAs 1 and 2, and also supports a single LSA
3 per ABR, advertising a default route.
• Not so stubby area (NSSA) supports LSAs 1, 2, 3, and 7.
• LSAs 8 and 9 are link‐local, not area‐wide.

Revision 2212 11 ‐ 49
ICX 150 Layer 3 Fundamentals

Router ID Requirement
• Routing protocols use a single value to identify devices
– It is recommended to configure the Router ID to improve troubleshooting and device identification

• If no Router ID is configured, an ICX device uses the following to select a router ID:
– IP address configured on the lowest numbered loopback interface (loopback 1 > loopback 2)
– If there is no loopback interface configured the lowest numbered IP interface address on the device is used
(10.255.1.1 > 172.16.1.1)
– Designated Router (DR) and Backup Designated Router (BDR) are elected with the highest router ID becoming DR

• Router ID always uses the same format as an IPv4 address

– Even when used in IPv6‐only environments

• Layer 3 ICX switches use the same router ID for both OSPF and BGP4

Router(config)# ip router-id 10.157.22.26

50 © 2022 CommScope, Inc.

Although a Layer 3 device may have multiple IP addresses configured on different

interfaces, some routing protocols require a single, unique identifier for each router in the
network. This is what the router ID is for.

In most configurations, a Layer 3 device has multiple IP addresses, usually configured on

different interfaces. As a result, a Layer 3 device’s identity to other devices varies
depending on the interface to which the other device is attached. Some routing protocols,
including Open Shortest Path First (OSPF) and Border Gateway Protocol version 4 (BGP4),
identify a Layer 3 device by a unique identifier, which is often derived from just one of the
IP addresses configured on the Layer 3 device, regardless of the interfaces that connect
between the Layer 3 devices. This unique identifier is the router ID.

The router ID on a RUCKUS layer 3 switch, where an explicit router ID has not been
configured, is one of the following:
• If the router has loopback interfaces, the default router ID is the IP address
configured on the lowest numbered loopback interface configured on the Layer 3
device. For example, if you configure loopback interfaces 2 and 3 as follows, the
default router ID is 10.4.4.4:
Loopback interface 2, 10.4.4.4/24
Loopback interface 3, 10.1.1.1/24
• If the device does not have any loopback interfaces, the default router ID is the
lowest numbered IP interface configured on the device.
Unless a router ID is explicitly configured, a reload of the device may result in new router ID
being used. Based on example here, if Loopback 1 is configured. On the next reboot, the
router ID of the device will use the address of Loopback 1.

Revision 2212 11 ‐ 50
ICX 150 Layer 3 Fundamentals

OSPF Basic Configuration Overview

To implement OSPFv2 and/or OSPFv3

• Enter the router ospf and/or ipv6 router ospf command in global
configuration mode to enable OSPF on the device

• Assign the areas to which the device will be attached

• Assign individual interfaces to an OSPF area

• Optionally, assign a virtual link to any Area Border Router (ABR) that does not have a
direct link to the OSPF backbone area

• Optionally, change any desired default settings

51 © 2022 CommScope, Inc.

RUCKUS ICX switches allow the running of both OSPFv2 and OSPFv3 at the same time. This
is due to the independent configuration methods for each. Therefore, any configuration
of features for one version will not affect the configuration of the other.

As with all IPv6 features, the ipv6 unicast-routing command must be executed
prior to configuring any protocols that support the exchange of IPv6 addresses.

In most cases, the features described in the material can be used in both OSPFv2 and
OSPFv3 with minor changes in command syntax. The OSPFv3 versions of commands and
options available for them are available in the RUCKUS FastIron Layer 3 Routing
Configuration Guide.

Revision 2212 11 ‐ 51
ICX 150 Layer 3 Fundamentals

OSPF Areas
• OSPF areas can be identified by either number or in dotted decimal (IPv4 address)
format
– By default, an area is normal unless identified otherwise
– Each interface on a router can support only one area

• Area can be configured as:

– Normal area
Router(config-ospf-router)# area 0
– Stub Area
Router(config-ospf-router)# area 40 stub
– Not‐So‐Stubby‐Area (NSSA)
Router(config-ospf-router)# area 10.1.1.1 nssa
– Totally Stubby Area
Router(config-ospf-router)# area 255 stub no-summary

52

OSPF Areas are configured by issuing the area command, then specifying either a number
or dotted decimal and area type.

In the examples shown you can see that normal areas are created by default, whereas stub,
not so stubby, and totally stubby areas are identified with additional commands

If you specify a number, the number can be from 0 ‐ 2,147,483,647.

• Normal ‐ OSPF routers within a normal area can send and receive External Link State
Advertisements (LSAs).
• Stub ‐ OSPF routers within a stub area cannot send or receive External LSAs. In addition,
OSPF routers in a stub area must use a default route to the area’s Area Border Router
(ABR) or Autonomous System Boundary Router (ASBR) to send traffic to any external
routes that exist outside of the area.

Continued on next slide…

Revision 2212 11 ‐ 52
ICX 150 Layer 3 Fundamentals

<continued from previous slide…>

• NSSA ‐ The ASBR of an NSSA can import external route information into the area. Additional
options are available.
ASBRs redistribute (import) external routes into the NSSA as type 7 LSAs. Type‐7 External
LSAs are a special type of LSA generated only by ASBRs within an NSSA, and are flooded to
all the routers within only that NSSA.
• ABRs translate type 7 LSAs into type 5 External LSAs, which can then be flooded
throughout the AS. You can configure address ranges on the ABR of an NSSA so that the
ABR converts multiple type‐7 External LSAs received from the NSSA into a single type‐5
External LSA.
• When an NSSA contains more than one ABR, OSPF elects one of the ABRs to perform the
LSA translation for NSSA. OSPF elects the ABR with the highest router ID. If the elected
ABR becomes unavailable, OSPF automatically elects the ABR with the next highest router
ID to take over translation of LSAs for the NSSA. The election process for NSSA ABRs is
automatic.
• Totally Stubby – When an area is identified as a totally stubby area the ABR will stop sending
summary LSAs (type 3 LSAs) into the area. Instead it will send one summary LSA which is a
default route.

Revision 2212 11 ‐ 53
ICX 150 Layer 3 Fundamentals

OSPF Basic Configuration Steps

On each router:
e1 e1
• Enable OSPF globally
Router_B(config)# router ospf
Router A Router B

• Configure an OSPF area

Router_B(config-ospf-router)# area 0

• Assign an IP address to the interface

Router_B(config-ospf-router)# interface e 1/1/1
Router_B(config-if-e1000-1/1/1)# ip address 172.16.1.2/24

• Assign interfaces to an area

Router_B(config-if-e1000-1/1/1)# ip ospf area 0
54 © 2022 CommScope, Inc.

In the example shown we have already configured Router A and are now configuring
neighboring Router B. The basic OSPF configuration steps for this device are as follows:

‐First from configuration mode enter router ospf which places you into the ospf router
CLI context
‐Next specify an area, in this case we are setting up our backbone area so we have entered
the command area 0
‐With the area defined, we move to the interface configuration and apply an ip
address
‐Once the interface address has been added we attach the interface to the OSPF area that
we previously created as shown here.

NOTE: If the device is acting as an ABR, all areas in which the ABR is participating need to
be configured.

Continued on next slide…

Revision 2212 11 ‐ 54
ICX 150 Layer 3 Fundamentals

<continued from previous slide…>

NOTE: When an interface is assigned to an area, the subnets assigned to that interface are
included in OSPF LSAs and OSPF hello messages are sent on each subnet, by default.
You can configure and save the following OSPF changes without resetting the system:
• All OSPF interface‐related parameters (for example: area, hello timer, router dead time
cost, priority, re‐transmission time, transit delay)
• All area parameters
• All area range parameters
• All virtual‐link parameters
• All global parameters
• Creation and deletion of an area, interface or virtual link
• Changes to address ranges
• Changes to global values for redistribution
• Addition of new virtual links

Revision 2212 11 ‐ 55
ICX 150 Layer 3 Fundamentals

OSPF Cost Metric

Cost (metric): Indicates the overhead required to send a packet across an
interface
• Default cost is calculated by dividing reference‐bandwidth, 100 Mbps by default, by
the link speed
– 10 Mbps = 10
– 100 Mbps = 1
– 1 Gbps = 1
Link Cost = _Reference‐Bandwidth_
– 10 Gbps = 1 Link Speed (Mbps)
– 100 Gbps = 1

• Reference bandwidth can (and should) be modified

56 © 2022 CommScope, Inc.

Each interface on which OSPFv2 is enabled has a cost associated with it. The device
advertises its interfaces and their costs to OSPFv2 neighbors. For example, if an interface
has an OSPFv2 cost of ten, the device advertises the interface with a cost of ten to other
OSPFv2 routers.
By default, an interface’s OSPFv2 cost is based on the port speed of the interface. The cost
is calculated by dividing the reference bandwidth by the port speed. The default reference
bandwidth is 100 Mbps, which results in the following default costs:
• 10 Mbps port = 10
• All other port speeds = 1
You can change the reference bandwidth. The following formula is used to calculate the
cost:
Cost = reference‐bandwidth/interface‐speed
The bandwidth for interfaces that consist of more than one physical port is calculated as
follows:
• LAG group ‐ The combined bandwidth of all the ports.
• Virtual interface ‐ The combined bandwidth of all the ports in the port‐based VLAN
that contains the virtual interface.
The default reference bandwidth is 100 Mbps. You can change the reference bandwidth to
a value from 1—4294967.
If a change to the reference bandwidth results in a cost change to an interface, the device
sends a link‐state update to update the costs of interfaces advertised by the device.

Revision 2212 11 ‐ 56
ICX 150 Layer 3 Fundamentals

OSPF Cost Metric (cont.)

• As a best‐practice the default reference bandwidth should be the same for all routers
in the network

• For networks with interfaces over 100 Mbps, it is recommended to modify the
reference bandwidth

• To change the default reference bandwidth (in Mbps):

Router_B(config)# router ospf
Router_B(config-ospf-router)# auto-cost reference-bandwidth 40000

• To manually assign a cost to an interface:

Router_B(config-ospf-router)# int ethernet 1/1/2
Router_B(config-if-e1000-1/1/2)# ip ospf cost 100

57 © 2022 CommScope, Inc.

The chart below lists the recommended reference-bandwidth setting for routers
based on the routers highest interface speed on your devices. For routers with mixed
10/100/1000/10,000 Mbps Ethernet ports the recommended reference‐bandwidth is set
equal to the highest‐speed network link in Mbps. In this example we have 40 Gbps
interfaces on our devices so we are going to set the reference bandwidth to 40000.

Link Speed Reference‐Bandwidth

100 Mbps or lower 100 Mbps (Default )
1 Gbps 1000 Mbps
10 Gbps 10000 Mbps
40 Gbps 40000 Mbps
100 Gbps 100000 Mbps
Also note we can manually assign an OSPF cost at an interface level, which will override the
cost calculation of the reference bandwidth for that interface.

If you specify the cost for an individual interface, the cost you specify overrides the cost
calculated by the software.

Revision 2212 11 ‐ 57
ICX 150 Layer 3 Fundamentals

Redistribution
• Allows routes learned from other mechanisms and protocols to be advertised into
OSPF
– Connected interfaces
– Static routes
– Dynamic routing protocols

• Redistribution for ICX devices:

Router_B(config)# router ospf
Router_B(config-ospf-router)# redistribute ?
bgp Border Gateway Protocol (BGP)
connected Connected
rip Routing Information Protocol (RIP)
static Static routes

• Redistribution of external routes into OSPF automatically makes the router an ASBR
58 © 2022 CommScope, Inc.

The redistribute command under the routing protocol configuration context allows
routes learned from other mechanisms to be advertised into the OSPF protocol.
Redistribution enables one routing protocol to learn and advertise routes that exist under
some other process. The other process could be another dynamic routing protocol
(another instance of the same routing protocol or a different routing protocol), static
routes, or directly connected interfaces on which no routing protocol has been enabled.

For example, the redistribute rip command under the router‐ospf configuration
takes RIP routes and sends them out as OSPF LSAs.

OSPF does not include directly connected networks in routing updates. The redistribution
connected command takes those directly connected routes and sends them out as OSPF
LSAs.

Revision 2212 11 ‐ 58
ICX 150 Layer 3 Fundamentals

Originate A Default Route with OSPF

• A static default route with redistribute static will not propagate 0.0.0.0/0 into
OSPF

• The default‐information originate

command is used to propagate
default routes into OSPF

Router_B(config-ospf-router)# default-information-originate

59 © 2022 CommScope, Inc.

We talked about adding connected routes and static routes into OSPF, but what if we need
to include a static default route? ICX devices do not automatically advertise the default
route into OSPF, unless the default-information-originate command has been
specified. Once enabled ICX devices will advertise the default route into OSPF, even if route
redistribution is not enabled.

NOTE: A statically configured default route also requires default‐information‐originate in

order to propagate the route into OSFP. The redistribute static command does
not apply to the statically configured default route.
Other examples of default‐information‐originate are:
Router(config-ospf-router)# default-information-originate route-map
defaultToOspf
Router(config-ospf-router)# default-information-originate always
Router(config-ospf-router)# default-information-originate metric 200

In the above example, default‐information‐originate is enabled with the route-map

parameter for the first CLI and then the always and metric is appended to the existing
configuration. The running configuration of the above three split commands would be as
follows:
Router(config-ospf-router)# default-information-originate always
metric 200 route-map defaultToOspf
Syntax: [no] default‐information‐originate [ always ] [ metric metric ] [ metric‐type
{ type1 | type2 } ] [ route‐map name ]

NOTE: The always parameter will advertise a default route even when one is not statically
configured. This may result in routing issues and problems with other routing protocols.

Revision 2212 11 ‐ 59
ICX 150 Layer 3 Fundamentals

OSPF External Metric

• OSPF external routes are advertised with two possible metrics:
– Type 1: Cost is calculated by adding the external cost metric to the internal link costs
– Type 2: Cost is calculated using only the external cost metric, no internal link costs are
added
o Type 2 is the default metric type for ICX ASBRs

Router_B(config)# router ospf

Router_B(config-ospf-router)# metric-type type1
Router A Router B Router C

External Link Link Cost = 10 External Link Link Cost = 10

Cost=2 Cost=2 Router C – IP Route Table
10.10.10.0/24 20.20.20.0/24 Network Cost
Redistributed w/ Redistributed w/ 10.10.10.0/24 2
Type 2 metric Type 1 metric
20.20.20.0/24 12

60 © 2022 CommScope, Inc.

By default, RUCKUS ICX Autonomous System Boundary Routers (ASBRs) advertise external
routes with a Type 2 metric.

In the graphic above, Router A (the ASBR) is advertising the external 10.10.10.0/24 network
with a Type 2 metric. Router B is advertising the 20.20.20.0/24 network with a Type 1
metric. Both external routes are assigned an external link cost of 2 when advertised. For
the route with a Type 1 metric, each router will add the OSPF link cost before inserting it
into the IP routing table. The route with a Type 2 metric does not have the internal link
costs added to the metric.

It is also important to note that a Type 1 external route is always preferred over a Type 2
external route, regardless of the cost.

Revision 2212 11 ‐ 60
ICX 150 Layer 3 Fundamentals

OSPF Show Commands

In this section we outline some of the available show commands which can be used to
validate the operation status of OSPF on RUCKUS ICX devices.

Revision 2212 11 ‐ 61
ICX 150 Layer 3 Fundamentals

OSPF Show Commands

OSPFv2 Command OSPFv3 Command Displays

show ip route
show ip ospf route
show ip ospf database
show ip ospf area
show ip ospf neighbor
show ip ospf interface
show ip ospf config
show ipv6 route All learned routes
show ipv6 ospf route Only routes learned by OSPF
show ipv6 ospf database Link state database
show ipv6 ospf area OSPF area information
show ipv6 ospf neighbor Neighbor information
show ipv6 ospf interface Area ID and adjacency info
show ipv6 ospf config General OSPF configuration information

62 © 2022 CommScope, Inc.

Once OSPF configurations have been applied you can utilize show commands to get
information and status of OSPF operation as we’ll show in the upcoming slides.

NOTE: OSPFv3 show commands are also available as you see here using ipv6 within the
command. Example: show ipv6 route
show ip route – displays routes, use show ip ospf route to display only OSPF routes
show ip ospf route – route tables can be extremely long; this command allows you
to see only OSPF routes; especially important if doing redistribution of other routing
protocols, like BGP
show ip ospf database – displays link state database; used for troubleshooting
corrupted databases, a possible problem with large OSPF implementations
show ip ospf area – displays type of area (Normal, Stub, NSSA). NSSA is Not So
Stubby Area. Used when troubleshooting neighbor problems when converting stub area to
normal or vice versa. All routers in an area must be configured for the same area type.
show ip ospf neighbor – common command used when troubleshooting OSPF
neighbor problems. Tells you the current neighbor state.
show ip ospf interface ‐ displays area ID and adjacency information on a per
interface basis. Gives more detail than show ip ospf neighbor.
show ip ospf border-routers ‐ shows router’s that are ABRs or ASBRs.
show ip ospf config ‐ displays only the OSPF part of your startup‐config.

Revision 2212 11 ‐ 62
ICX 150 Layer 3 Fundamentals

Display OSPF Interface Information

Use the show ip ospf interface brief command to quickly see status of
OSPF connections

Router_B# show ip ospf interface brief

Number of Interfaces is 5

Interface Area IP Addr/Mask Cost State Nbrs(F/C)

e 1/1/1 0 10.168.1.1/24 1 DR 1/1
e 1/1/17 0 10.1.1.1/24 1 BDR 1/1
e 1/1/8 0 192.123.2.1/24 1 BDR 1/1
e 2/1/22 0 192.123.22.1/24 1 BDR 1/1
e 3/1/24 0 192.123.44.1/24 1 BDR 1/1

Router B

63 © 2022 CommScope, Inc.

The show ip ospf interface brief command will display interfaces configured
for OSPF as well as the associated area, IP address and cost. More details about OSPF
interfaces can be gathered from the show ip ospf interface command, without
the brief option. These details are useful if you are inspecting a particular OSPF interface. In
most cases the brief option is used to provide a quick view of all OSPF interfaces.

Revision 2212 11 ‐ 63
ICX 150 Layer 3 Fundamentals

Display OSPF Interface Information

Router_B# show ip ospf interface

e 1/1/1 admin up, oper up, ospf enabled, state up
IP Address 172.16.1.2, Area 0
State BDR, Pri 1, Cost 1, Options 2, Type broadcast Events 13
Timers(sec): Transit 1, Retrans 5, Hello 10, Dead 40
DR: Router ID 172.16.4.9 Interface Address 172.16.1.1
BDR: Router ID 172.16.1.2 Interface Address 172.16.1.2
Packets Received Packets Sent
Hello 83769 83755
Database 3 3
LSA Req 1 0
LSA Upd 438 439
LSA Ack 438 438
Neighbor Count = 1, Adjacent Neighbor Count = 1
Neighbor: 172.16.1.1 [id 172.16.4.9] (DR)
In-Use Authentication: None, Key: None, Key-Id: None

64 © 2022 CommScope, Inc.

The above slide displays output from show ip ospf interface executed on
Router_B. This output is displaying the e 1/1/1 interface. We can see that this interface is
part of Area 0 and that it is a backup designated router (BDR). We talked previously about
the DB/BDR election, when we talked about the router ID configuration. In the example
shown we have not manually configured the router ID on either of these devices and so the
default process has elected the DR.

As we said the router ID is either the address of the lowest numbered loopback on a
device, however if no loopback is configured the lowest numbered IP address configured is
used. In this case Router_B only has the address 172.16.1.2 and so that is it’s router ID.
When compared to Router_A there is both an interface address as well as the Lb1
(loopback 1) address configured.

If there were several loopbacks configured on Router_A it would use the loopback with the
lowest number (1 in this case) and since we have a loopback it will use that as the router ID
for this device, so Router_A has an ID of 172.16.4.9. When these routers compare their
router IDs Router_A wins the election because its router ID is the highest.

Revision 2212 11 ‐ 64
ICX 150 Layer 3 Fundamentals

Examining OSPF Link‐State Database

• LSAs populating the OSPF Database can be viewed using the following command:
Router# show ip ospf database

• Specific LSA types can also be displayed

Example:
Router# show ip ospf database external-link-state
Index Aging LS ID Router Netmask Metric Flag
1 83 192.168.60.80 10.3.3.1 fffffff8 8000000a b500 0.0.0.0
2 83 192.168.60.72 10.3.3.1 fffffff8 8000000a b500 0.0.0.0
3 83 192.168.60.64 10.3.3.1 fffffff8 8000000a b500 0.0.0.0
4 108 192.168.90.0 10.3.3.1 ffffff80 8000000a b500 0.0.0.0
5 83 192.168.60.120 10.3.3.1 fffffff8 8000000a b500 0.0.0.0
6 83 192.168.60.112 10.3.3.1 fffffff8 8000000a b500 0.0.0.0
7 83 192.168.60.104 10.3.3.1 fffffff8 8000000a b500 0.0.0.0
8 83 192.168.60.96 10.3.3.1 fffffff8 8000000a b500 0.0.0.0

65 © 2022 CommScope, Inc.

The OSPFv2 show ip ospf database command is very robust and provides several
options to look at specific information related to the OSPF link‐state database. These
include:
• database‐summary – Displays how many link state advertisements (LSAs) of each
type exist for each area, as well as total number of LSAs.
• external‐link‐state – Displays information by external link state, i.e.
redistributed routes.
• link‐state – Displays networks originated within the OSPF domain.
• grace‐link‐state – Displays LSAs generated as part of the graceful restart
process.

Revision 2212 11 ‐ 65
ICX 150 Layer 3 Fundamentals

Display OSPF Neighbor Information

• To display useful information about an OSPF neighbor, use the show ip ospf neighbor
command
• Displays neighbor specific information including:
– OSPF priority
– Adjacency state and role
– IP address OSPF messages originate from
– Router‐ID
– Number of state change events

Local Info Neighbor Info

66 © 2022 CommScope, Inc.

The above slide is a report from show ip ospf neighbor executed on Router B. The following
are the descriptions of the fields:
• Port: The port through which the Layer 3 Switch is connected to the neighbor
• Address: The IP address of this Layer 3 Switch’s interface with the neighbor
• Pri: The OSPF priority of the neighbor. The priority is used during election of the
Designated Router (DR) and Backup Designated Router (BDR)
• State: The state of the conversation between the Layer 3 Switch and the neighbor,
and the title of the neighbor. The state field can have one of the following values:
Down, Init, 2‐way, ExStart, Exchange, Loading, Full. The neighbors title field can be:
DR, BDR or other
• Neigh Address: The IP address of the neighbors connected interface
• Neigh ID: The neighbors router ID
• Ev: The number of times a neighbor’s state has changed
• Opt: The sum of the option bits in the Options field of the Hello packet. This
information is used by RUCKUS technical support
• Cnt: The number of LSAs that were retransmitted
• Bfd‐State: The state of Bidirectional Forwarding Detection (BFD) for OSPF

Syntax: show ip ospf neighbor [ extensive | num | router-id A.B.C.D ]

Revision 2212 11 ‐ 66
ICX 150 Layer 3 Fundamentals

Now that you have completed this

presentation you should be able to:
• Identify Layer 3 interface types
• Apply IP address configurations
• Utilize Layer 3 features
– ARP
– Static Routes
Objectives
– Route only
• Configure Virtual Route Forwarding (VRF) for
management traffic
• Perform basic VRRP‐E and OSPF
configurations

Now that you have completed this presentation you should be able identify the various
Layer 3 interface types found on RUCKUS ICX devices and apply basic IP address
configurations to physical interfaces. You should be able to utilize ICX commands to
perform static routing, observe address resolution protocol and perform route only
configurations.

You should be able to understand and apply VRF configurations to management traffic, as
well as perform basic configurations for VRRP‐E and OSPF and utilize show commands to
verify operation.

Revision 2212 11 ‐ 67
ICX 150 Layer 3 Fundamentals

End of Presentation:
Layer 3 Fundamentals

This is the end of the presentation on Layer 3 fundamentals for ICX devices.

Revision 2212 11 ‐ 68
ICX 150 ICX Stacking Technology

ICX Stacking Technology

Revision 2212

This presentation focuses on RUCKUS stacking technology using the different ICX switches.

Revision 2212 12 ‐ 1
ICX 150 ICX Stacking Technology

After completing this presentation,

attendees should be able to:
• Describe what stacking is and its benefits
• Describe stacking topologies and
architecture

Objectives • Understand notable stacking features

• Explain how to configure stacking using the
interactive‐setup utility
• Display stack information after the stack is
formed
• Explain how to replace and add stack units

After completing this presentation, attendees should be able to:

• Describe stacking technology and its benefits
• Describe stacking topologies and architecture
• Understand notable stacking features (including long‐distance stacking and hitless
stacking)
• Explain how to configure stacking using the interactive‐setup utility
• Display stack information after the stack is formed
• Explain how to replace and add stack units

Revision 2212 12 ‐ 2
ICX 150 ICX Stacking Technology

What is Stacking?

Let’s start with a high‐level overview of what stacking is, its benefits, and some features.

Revision 2212 12 ‐ 3
ICX 150 ICX Stacking Technology

What is a “Stack”?

A stack is a group of devices that operate as a single logical chassis to simplify

management and enhance performance and scalability.
• A RUCKUS ICX stack contains 2 to 12 units configured in a ring or linear topology
• All RUCKUS model families support stacking, but the units in a stack must be from the
same model family (for example, various models from the ICX 7550 family)
• The members of a stack must be running the same version of FastIron software
• The members of a stack may be located close together or physically separated

4 © 2022 CommScope, Inc.

What is a stack?

A stack is a group of RUCKUS ICX devices that operate as a single logical chassis to simplify
management and enhance performance and scalability.

A RUCKUS ICX stack contains up to 12 units from the same model family. For
example, you can have a stack consisting of different models of ICX 7550 switch.
The members of a stack may be physically close together or separated (by up to 10
kilometers), but all members of a stack must be running the same version of
FastIron software.

Revision 2212 12 ‐ 4
ICX 150 ICX Stacking Technology

Stacking Benefits

Some of the benefits and features of stacking:

• No additional hardware cards or software licenses needed (although 1Gbps models
require a 10Gbps license to support stacking)
• Scalability up to 12 switches providing high port‐density per stack
• Trunk‐able stacking ports
• Single point of management
• Ring and linear topologies supported
• Standards‐based dual‐purpose stacking/uplink ports
• Stack over long distances using standard Ethernet optics
• Packet switching in hardware between ports on stack units
• Interactive‐setup utility to make stacking configuration easy and secure
• Protocols operate on a stack in the same way as on a chassis‐based system

5 © 2022 CommScope, Inc.

Some features and benefits of stacking:

• Stacking on ICX devices does not require any additional hardware cards, nor any
stacking‐specific software licenses. However, since stacking requires 10Gbps ports,
1Gbps switches (certain ICX 7150 and ICX 7250 models) require a 10Gbps port
license first be installed so that the ports can be upgraded to 10Gbps before joining a
stack.
• Scalability up to 12 switches providing high port‐density per stack
• Trunk‐able stacking ports
• Single point of management (including In Service Software Update)
• Ring and linear topologies supported
• Standards‐based dual‐purpose stacking/uplink ports
• Stack over long distances using standard Ethernet optics
• Packet switching in hardware between ports on stack units
• Interactive‐setup utility to make stacking configuration easy and secure
• Protocols operate on a stack in the same way as on a chassis‐based system

We’ll take a closer look at most of these features in this presentation.

Revision 2212 12 ‐ 5
ICX 150 ICX Stacking Technology

Stacking Topologies and

Architecture

Now that you know what stacking is, let’s discuss stack topologies and architecture.

Revision 2212 12 ‐ 6
ICX 150 ICX Stacking Technology

Supported Stacking Topologies

Let’s look at the supported stacking topologies.

Revision 2212 12 ‐ 7
ICX 150 ICX Stacking Technology

Stacking Topologies

• Linear topology
– End units of the stack use
one stack port, leaving the
other port for data

• Ring topology
– RUCKUS‐recommended topology
for redundancy and resiliency
– All stack units must have
two stacking ports

8 © 2022 CommScope, Inc.

This slide shows the two supported topologies for a traditional stack. They are the linear
and ring.

In the linear topology, each switch connects to the next switch through a single cable
connection between their stack ports until the last unit has been linked with the one before
it. The end units use only one stacking direction. This topology does not have full
redundancy.

In a ring topology, an extra cable is connected between the top and bottom switches
forming a “ring” or “closed‐loop.” The closed‐loop cable ensures all stack members have
two stacking directions and provides a redundant path for the stack link, so if one link fails,
stack communications can be maintained.

Ring is the RUCKUS‐recommended topology because it offers the best redundancy and the
most resilient operation. Unicast switching follows the shortest path in a ring topology.
When the ring is broken, the stack recalculates the forwarding path and then resumes the
flow of traffic within a few seconds.

The upstream stack unit is connected to the first stacking port on the Active controller. The
downstream stack unit is connected to the second stacking port on the Active controller.

Revision 2212 12 ‐ 8
ICX 150 ICX Stacking Technology

Trunked Stacking
• Stacking trunks can be configured to increase stacking bandwidth and provide better
resiliency

• Traffic is load‐balanced to the trunk ports

• As long as one port of the trunk is connected,

communication between the neighboring units
will continue

• If one stacking port on a trunk goes down:

– No stack election or topology changes occur
– Traffic interruption should be in the sub‐second range

• Stacking trunks range in size from 2‐6 ports, depending on switch model
9 © 2022 CommScope, Inc.

A stack‐trunk increases the stacking port bandwidth up to 400Gbps, depending on switch

model, and provides better resilience than a single port‐to‐port link. As long as at least one
port on the trunk is connected, communication between the neighboring units will work.
Traffic is load‐balanced to the trunk ports.

When only one stacking port on a trunk goes down, no stack election or topology changes
should occur. The resulting traffic interruption time should be in the sub‐second range as
the system detects that the port is down and re‐programs hardware.
Stacking trunks range in size from 2‐6 ports, depending on switch model and other factors,
which will be discussed later in this presentation.

Revision 2212 12 ‐ 9
ICX 150 ICX Stacking Technology

Trunked Stacking (Cont.)

Two‐unit linear‐topology trunk

ICX 7150
Example
• Uses all ports in the trunk to reach the other
unit (bi‐directional forwarding)

• Allows for multiple trunks depending on

ICX 7250
number of stacking ports supported Example

• Provides the same redundancy as a two‐unit

ring due to trunk load balancing
ICX 7550
Example
• Doubles the bandwidth of the stacking ports
between two units
Refer to the RUCKUS FastIron Stacking Configuration Guide
for details on two‐unit linear‐topology trunk configuration ICX 7850
Example

10 © 2022 CommScope, Inc.

The two‐unit linear‐topology trunk capability was introduced with FastIron release 08.0.90.
All ICX switch families support a linear‐topology trunk in a two‐unit stack.
A two‐unit stack can form a linear‐topology trunk containing all stacking ports, instead of
dividing the ports into the two directions of a ring topology. The linear‐topology trunk
provides the same redundancy as a two‐unit ring because of trunk load balancing.
Furthermore, a linear‐topology trunk doubles the bandwidth of the stacking ports between
two units.
As a comparison:
• Two‐unit ring topology ‐ unidirectional forwarding, meaning only one direction is used
even though there are two paths for a unit to reach the other unit
• Two‐unit linear‐topology trunk ‐ bi‐directional forwarding, meaning the trunk uses all of
its ports to reach the other unit

Note that a linear‐topology trunk cannot co‐exist with another stack‐port or stack‐trunk in
the same unit, meaning:
• If you configure a linear‐topology trunk, the original stack‐port or stack‐trunk
configuration is removed.
• If a unit has a linear‐topology trunk and you configure a stack‐port or stack‐trunk, the
linear‐topology trunk is removed.

Refer to the RUCKUS FastIron Stacking Configuration Guide for details on two‐unit linear‐
topology trunk configuration (https://support.ruckuswireless.com).

Revision 2212 12 ‐ 10
ICX 150 ICX Stacking Technology

Long‐Distance Stacking

• Distance between stack units is extended when using appropriate optics:

– Up to 10 kilometers
– Up to 40 kilometers

• Supported on all ICX switch families

11 © 2022 CommScope, Inc.

A distributed‐chassis topology utilizing long‐distance stacking offers the ability to house

stacking units in geographically separate locations, like different buildings, as shown here.
Long‐distance stacking is supported on all ICX switch families.

Potential distances between stack units vary by ICX device, stack port optic, and the
connector cables used. For example, stacking ports using 100G QSFP28‐LR4‐LP‐10KM
optics can be separated by up to 10 kilometers, while stacking ports using 40G QSFP‐ER4
optics can be separated by up to 40 kilometers.

The same fiber optic transceiver model (for example, 40G QSFP‐ER4) must be used on both
ends of a connection.

Refer to the RUCKUS Ethernet Optics Data Sheet and the RUCKUS FastIron Stacking
Configuration Guide for complete long‐distance stacking specifications per ICX series and
per optical device.

Revision 2212 12 ‐ 11
ICX 150 ICX Stacking Technology

Stacking Cables & Optics

• Each ICX model supports different optics and cables for long‐distance and short‐
distance stacking

• Refer to these documents (available on https://support.ruckuswireless.com)

RUCKUS Ethernet Optics Data Sheet

For the latest information on ICX optics and cable support for stacking

RUCKUS FastIron Features and Standards Support Matrix

For the latest information on supported stacking features per ICX switch family

12 © 2022 CommScope, Inc.

For the most up‐to‐date information on ICX optics and cable support for stacking, refer to
the RUCKUS Ethernet Optics Data Sheet
(https://support.ruckuswireless.com/documents/2656‐ruckus‐ethernet‐optics‐data‐sheet).
Here you will find:
• Full details and guidelines on identifying the specific optics supported by, and any
restrictions that may apply to, individual product lines
• Minimum software requirements for optical support on RUCKUS ICX switches

Revision 2212 12 ‐ 12
ICX 150 ICX Stacking Technology

Stack Architecture

Now that we have gone over the hardware components of stacking, let’s take a look at the
architecture of stacking.

Revision 2212 12 ‐ 13
ICX 150 ICX Stacking Technology

Stack Roles

• Active controller
– Stack member with highest priority, handles stack management
– Console redirection from all units to Active controller

• Standby controller
– Stack member with 2nd‐highest priority
– Will take over the Active controller duties if Active controller fails

• Member
– Unit in the stack that is neither Active nor Standby controller
– Eligible for election to Standby or Active controller if necessary

14 © 2022 CommScope, Inc.

Switches in a stack have one of the following roles:

• The active controller is the stack member with highest priority, and it handles all
stack management through its console. Configuration of all stack units is directed
from the active controller.
• The standby controller is the stack member with 2nd‐highest priority. The standby
takes over the active controller duties if the active controller fails.
• Member units are neither active nor standby controllers, but they are eligible for
election to standby or active if necessary.

Revision 2212 12 ‐ 14
ICX 150 ICX Stacking Technology

Active Controller
The active controller handles all stack management
including:
• SW image downloads to stack members CLI
Active Controller
CLI
Config
• Controlling the console Config
FDB
SWFDB
image
• Building and propagating the Forwarding Database SW image

(FDB) to all stack members

• Configuring all system and interface‐level features
• Pushing configuration to each stack member
• Synchronizing runtime configuration to the
standby controller
• Sending incremental CLI changes to the
standby controller
• Ensuring the standby controller receives a copy
of all control packets and protocols running on
the active controller

15 © 2022 CommScope, Inc.

The responsibility of the active controller is to handle all stack management including:
• Downloading software images to all stack members and controlling the console for the
entire stack. All stack configuration is done from the active controller, including all
system‐level and interface‐level features. The active controller then pushes the
configuration to each stack member.
• The active controller builds and propagates the Forwarding Database (FDB) to all stack
members, synchronizes runtime configurations to the standby controller, and sends
incremental CLI changes to the standby controller.
• The active controller also ensures that the standby controller receives a copy of all
control packets and protocols running on the active controller.

Revision 2212 12 ‐ 15
ICX 150 ICX Stacking Technology

Stack Unit Assignment

• During the ‘active controller’ election process,
switches are assigned a switch ID automatically
– Switch ID does not designate physical switch
position in the stack

• Valid switch ID numbers are 1 through 12

• Switches that receive a different switch ID from

the default of 1, reload and take the newly
assigned ID

• Switch IDs can be pre‐assigned or renumbered

using the stack interactive-setup
command

16 © 2022 CommScope, Inc.

During the ‘active controller’ election process, switches are assigned a switch ID. This ID
does not designate the physical position of the switch in the stack; it is just an identifier. All
ICX switch families use switch IDs from 1 through 12.

By default, all switches have the ID of 1. Switches that receive a different ID from the active
controller will reload and take the newly assigned ID.
Switch IDs can be pre‐assigned or renumbered using the stack interactive-setup
command.

Revision 2212 12 ‐ 16
ICX 150 ICX Stacking Technology

Notable Stacking Features

RUCKUS ICX Stacking is supported by two primary feature sets:

• Stacking
• Hitless Stack Failover / Hitless Stack Switchover
each of which comprise various functionalities.

The RUCKUS FastIron Stacking Configuration Guide details all feature‐related improvements
and impacts to stacking.
The RUCKUS FastIron Features and Standards Support Matrix shows feature applicability
per ICX family.

Here, we’ll provide a brief look at a few functionalities.

Revision 2212 12 ‐ 17
ICX 150 ICX Stacking Technology

Hitless Stacking
• A FastIron high‐availability feature set that ensures sub‐second or no loss of data traffic during
the following events:
– Stack failover
– Stack switchover
– Stack trunk failover
– Stack topology changes

• Events not supported by hitless stacking:

– Unit ID change (during stack formation or unit renumbering)
– Stack merge
– Software upgrade

• Upon failure of the Active controller, the Standby controller takes over the active role and the
system continues to forward traffic seamlessly

• Enabled by default as of software version 8.0.20, but can be disabled and re‐enabled

18 © 2022 CommScope, Inc.

Hitless stacking is a high‐availability feature set that is available when the hitless‐failover
functionality is enabled.
The feature set ensures sub‐second or no loss of data traffic during events such as failover,
switchover, priority change, and role change. During such events, the Standby controller
takes over the active role, and the system continues to forward traffic seamlessly, as if no
failure or topology change has occurred. In software releases that do not support hitless
stacking, or if hitless stacking is disabled, events such as these could cause most of the
units in a stack to reset, affecting data traffic.

Hitless stacking is supported on ICX units in a traditional stack and is enabled by default
beginning with FastIron software version 8.0.20. Hitless stacking can be disabled.

A hitless stacking failover is an automatic, forced switchover of the Active controller and
Standby controller because of a failure or abnormal termination of the Active controller.

A hitless stacking switchover is a manually‐controlled (CLI‐driven) or automatic switchover

of the active controller and standby controller without reloading the stack and without any
packet loss to the services and protocols that are supported by hitless stacking.

Revision 2212 12 ‐ 18
ICX 150 ICX Stacking Technology

Manual Hitless Stack Switchover

• Use the stack switch-over command to manually switch over from the
Active controller to the Standby controller without reloading the stack

• There is no packet loss to the services and protocols supported by hitless

stacking

• A manual switchover could also be accomplished by lowering the priority of the

active controller

19 © 2022 CommScope, Inc.

When hitless‐failover is enabled, a switchover can be manually activated by entering the

stack switch-over command. Note that if the no hitless-failover
enable command has been entered, meaning hitless failover/stacking is disabled, then
the stack switch-over command is not allowed.

Alternatively, a switchover can be manually activated by lowering the priority of the Active
controller to a value lower than the priority of the current Standby controller.

Revision 2212 12 ‐ 19
ICX 150 ICX Stacking Technology

Valid‐Stack‐Port Sets
• Beginning with FI release 8.0.90, stacking ports cannot be chosen arbitrarily
• Valid‐stack‐port sets define the starting ports in each direction of a stack or stack trunk
• Each ICX model has a specific valid‐stack‐port set which may change depending on
model and/or operating mode. Examples:
ICX 7750 (all models) ICX 7850‐32Q
Valid‐stack‐port set: x/2/1, x/2/2 Valid‐stack‐port set: x/3/1, x/3/5

x/2/1
x/3/1 x/3/5

x/2/2

ICX 7650 (when rear ports are operating in default 100Gbps mode)
Valid‐stack‐port set: x/3/1, x/3/2

x/3/2 x/3/1

20 © 2022 CommScope, Inc.

In previous releases of ICX firmware, you had some flexibility in determining which ports
could be used for stacking. However, to maximize stack functionality, FastIron release
8.0.90 introduced the concept of valid‐stack‐ports. These ports pre‐define the single stack
ports (one in each direction) or the first port in a stack trunk.

Because of the flexibility and variance of ICX switch models, each may have one or more
combinations of valid‐stack‐ports. Here, we show just a few examples of potential valid‐
stack‐port pairs. Refer to the RUCKUS FastIron Stacking Configuration Guide for your
software release to confirm valid‐stack‐port pairs on your ICX switches.

Revision 2212 12 ‐ 20
ICX 150 ICX Stacking Technology

Support for Zero Stack‐Port/Stack‐Trunk Configuration

• FastIron 08.0.95c and later releases remove the system requirement for stack‐
port and stack‐truck configuration when stacking is not enabled on the switch.

• When stacking is not enabled, stack ports can be reconfigured as data/uplink

ports

• If a switch contains no 'stack‐port' or 'stack‐trunk' configuration, then the

stack enable command will error. You must first configure at least one
stack‐port or stack‐trunk before issuing the stack enable command.

• A new out‐of‐the‐box switch, or an existing switch having the

erase startup-configuration and reload commands run, have no
startup configuration. After reload, the configuration of these “clean” units
contains two default stack‐ports, but stacking is not enabled (‘stack enable’ is
not present in the configuration).
21 © 2022 CommScope, Inc.

Beginning with FastIron release 08.0.95c, there is no longer a requirement for designated
stack‐ports or stack‐trunks to be present when stacking is not enabled.
When stacking is not enabled, then by design, all ports can be used as data ports. Ports
configured as stacking ports/trunks can be reconfigured as data/uplink ports. Commands
used for port reconfiguration differ per ICX model; refer to the RUCKUS FastIron Stacking
Configuration Guide for model‐specific information.

To enable stacking, you must first configure ports in the switch’s valid‐stack‐port set using
the stack‐port or stack‐trunk command; otherwise, the stack enable command will result
in an error. Note that every ICX stackable platform has one or more valid‐stack‐port sets
that define the available stack‐ports or stacking trunks.

Revision 2212 12 ‐ 21
ICX 150 ICX Stacking Technology

Stack Formation

22

Let’s look at the ways you can form ICX stacks.

Revision 2212 12 ‐ 22
ICX 150 ICX Stacking Technology

Stack Formation Methods

1. Stack interactive‐setup utility
– The stack interactive-setup utility gives you control over the design of your stack topology
– Provides security through password verification
– Can discover new units and new links between existing units
– Member units must be pre‐connected

2. Stack zero‐touch provisioning

– Equivalent to selecting option 2 of stack interactive-setup, but all suggested topology values are
automatically accepted
– All member units must have no startup or running configuration
– Member units must be pre‐connected

3. Manual stack configuration

– Configure stacking on each unit individually and enable stacking
– ID assignment is determined by the sequence in which you physically connect the units

Refer to the RUCKUS FastIron Stacking Configuration Guide for detailed stack construction procedures.
Refer to the RUCKUS FastIron Command Reference Guide for command syntax, usage guidelines, and examples.

23 © 2022 CommScope, Inc.

There are three ways to form a stack.

The first is the interactive‐setup utility which we will be focusing on in this presentation.
Using the interactive‐setup tool gives you control over the design of your stack topology
without having to apply configuration changes to each unit in the stack. This method also
provides security preventing unauthorized devices from accessing or joining a stack. The
standalone switch where the stack interactive-setup command is run becomes
the Active controller for the stack.
The second method is stack zero‐touch provisioning. When you enable stack zero‐touch
provisioning on a pre‐cabled stack of switches, the unit you start the provisioning on
becomes the Active controller and the rest of the stack forms automatically. This method
requires that you start with clean units (except for the Active controller), that do not
contain startup or running configurations, and that the devices are pre‐connected. This
method performs the same activity as selecting option 2 of the stack interactive‐setup
utility where all default suggestions are accepted automatically without administrative
input. The switch where the stack zero-touch-enable command is run becomes
the Active controller.
The third method is manual stack configuration. With this method, you configure every unit
individually, and enable stacking on each unit. Once the units are physically connected to
each other, they will automatically operate as a stack. Using this method, the unit with the
highest priority becomes the Active controller, and ID assignment is determined by the
sequence in which you physically connect the units.
continued on next slide…

Revision 2212 12 ‐ 23
ICX 150 ICX Stacking Technology

Blank Notes Page

continued from previous slide…

We’ll take a brief look at each method in this presentation; but refer to the RUCKUS
FastIron Stacking Configuration Guide for details and examples of each of these stack
construction methods. Refer to the RUCKUS FastIron Command Reference Guide for
command syntax, usage guidelines, and examples.

Revision 2212 12 ‐ 24
ICX 150 ICX Stacking Technology

Stack Interactive‐Setup

Now, we’ll take a look at stack formation using stack interactive‐setup.

Revision 2212 12 ‐ 25
ICX 150 ICX Stacking Technology

Prerequisites to Using the Interactive‐Setup Utility

Sample Stack Topology using ICX 7650 switches

Stack formation steps using the Interactive‐Setup utility:

1. Connect the ICX devices using the stacking ports and cables.
2. Power on the units.
3. Connect your console via SSH to each of the switches planned for inclusion in the stack. You will
need to be able to run commands on all devices.
4. Enter the show stack and the show running-config commands on each ICX device to
check the current software and configuration.
All ICX devices planned for a stack must be of the same ICX family (such as ICX 7650),
running the same type of firmware (router or switch) and same firmware version, and must
be “clean” units (having no startup configuration nor runtime configuration)
26 © 2022 CommScope, Inc.

We’ve provided a sample stack topology graphic for reference as we step through
formation of a new stack using the interactive‐setup utility. In our example, we are using
ICX 7650 switches. There are a few things to do prior to running the utility.
First, you need to physically connect the devices using the correct stacking ports and
cables. The upstream stack unit is connected to the first stacking port on the ICX switch
intended to be the Active controller (Device 1 in our topology). The downstream stack unit
is connected to the second stacking port on the Active controller. Connection
requirements:
• Only a port in a valid‐stack‐port set can be connected.
• The connections must form a contiguous stack‐trunk even if there are "holes" in the
connections.
• The connecting ports must not have data port configuration.
Then you need to power on the units.
Connect your console via SSH to each of the switches planned for inclusion in the stack. For
simplicity, consider using a client that allows you to simultaneously log into multiple
devices using a single client interface (such as, MTPuTTY).
Run the show stack and show running-config commands on all devices to
verify their configurations. All ICX devices must be in the same family and run the same
firmware type and version. And remember, only “clean” units (having no startup
configuration or runtime configuration) can be stacked. If you need to erase old
configuration information, enter the erase startup-config command and reset
the unit without entering the write memory command.

Revision 2212 12 ‐ 26
ICX 150 ICX Stacking Technology

Prerequisites to Using the Interactive‐Setup Utility (Cont.)

5. Define the stack unit and stack‐ports on the intended Active controller for the stack

ICX7650-1(config)#stack unit 1
ICX7650-1(config-unit-1)#stack-port 1/3/1
ICX7650-1(config-unit-1)#stack-port 1/3/3 } Define ports using model‐applicable
default valid‐stack‐port pairs

6. Enable stacking on the intended Active controller

ICX7650-1(config-unit-1)#stack enable
Success - Enable stacking. This unit actively participates in stacking

27 © 2022 CommScope, Inc.

The next step is to define the stack unit, stack ports, and stack trunks only on the intended
Active controller for the stack. In Global Config mode, enter:
• stack unit command to define the ID for the stack that will be formed
• stack-port command to define each stack port (use the valid‐stack‐port pairs
defined in the RUCKUS FastIron Stacking Configuration Guide)
• stack-trunk command (only if trunks are desired on the intended Active controller)
Note: Do not pre‐define stack ports and trunks on the other devices intended for the stack;
the utility auto‐discovers all correctly cabled ports and trunks.
Remember, our example is using ICX 7650 devices. By default, the ICX 7650 stacking ports
are 100Gbps. If we were going to keep that speed, then our CLI for the first device would
simply look like:
ICX7650-1(config)#stack unit 1
ICX7650-1(config-unit-1)#stack-port 1/3/1
ICX7650-1(config-unit-1)#stack-port 1/3/3

But for our example, we’ve decided to reconfigure the stack port speed to 40Gbps on all
devices. Meaning, before we define the stack ports and trunks, we must run the rear-
module stack-40g command, followed by the write memory and reload
commands on all the devices. Note that an ICX 7650 device with startup‐config flash using
40Gbps stacking ports, but no other configuration, is treated as a clean unit. After the
speed is redefined and the devices have reloaded, you may run the stack unit and
stack-port commands on the intended Active controller.
Now enter the stack enable command at the Global CONFIG level on the intended
Active controller.

Revision 2212 12 ‐ 27
ICX 150 ICX Stacking Technology

Using the Interactive‐setup Utility

7. On the intended Active controller, run the stack interactive-setup

command (Privileged EXEC mode).
ICX7650-1# stack interactive-setup
You can abort stack interactive-setup at any stage by <ctrl-c>
0: quit
1: change stack unit IDs
2: discover and convert new units (no startup-config flash) to members
3: discover and convert existing/new standalone units to members
2&3 can also find new links and auto-trunk or convert chain(s) to ring.
Please type your selection: 2
Probing topology to find clean units...
T=16m10.7: Sending probes to ports: u1: 1/3/1 1/3/3,

A proprietary discovery protocol begins the discovery process in both upstream and
downstream directions.

28 © 2022 CommScope, Inc.

The stack interactive‐setup is a utility that walks you through creating and modifying ICX
switch stacks. The stack interactive‐setup process can be initiated by a standalone switch or
by the Active controller of an existing stack. In this example, the process is initiated by a
standalone switch.

When the utility is launched, you are given four options:

• Option 0 allows you to quit the utility with no changes
• Option 1 allows the changing stack unit IDs on an existing device within an operational
stack
• Option 2 allows the discovery and conversion of new “clean” ICX devices into stack
members (use this option to create a new stack)
• Option 3 allows the discovery and conversion of existing or new standalone units into
stack members (use this option to add members to an existing stack)

Both options 2 and 3 are a capable of discovering new links, automatically configuring
stack‐trunks, and converting from a linear topology to a ring topology.
In this example we will choose option 2 to discover new units with no configuration. Probes
will be sent out of the configured stack‐ports to discover stack‐capable devices. After the
units are discovered, the topology will appear onscreen.

Revision 2212 12 ‐ 28
ICX 150 ICX Stacking Technology

Automatic Detection of Stack Ports and Trunks

Trunks are automatically detected during the stack interactive‐setup discovery

process
• Single stack ports are identified by two dash symbols “--”
• Stack trunks are identified by a two equal symbols “==“

1/3/3 1/3/1
| |
| |
3/1 3/3
+---+ +---+ +---+ +---+
|#1 |3/3 3/1|#2 |3/3 3/1|#3 |3/3 3/1|#4 |
+---+ +---+ +---+ +---+

29 © 2022 CommScope, Inc.

When defined stack ports and stack trunks connections are part of valid‐stack‐port pairings,
the system automatically detects them during the discovery process and configures them
appropriately in the stack topology.

Single stack links are identified by two dashes (‐‐) and stack trunks between units are
identified by two equal signs (==). We’ve color‐coded them for you in this topology
example.

Revision 2212 12 ‐ 29
ICX 150 ICX Stacking Technology

Using the Interactive‐setup Utility – Accept the Topology

7. The example discovers a stack with a ring topology, enter y to accept the topology
Existing stack: ============================================================
+---+
3/1| 1 |3/3
+---+
Horizontal bars link to discovered units. Vertical bars link to stack units.
Chain #0: ==================================================================
#1: icx7650-48f-sf-port-management d4c1.9e14.3ac3
#2: icx7650-48f-sf-port-management d4c1.9e14.46df
#3: icx7650-48zp-port-management d4c1.9e14.793f
#4: icx7650-48f-sf-port-management d4c1.9e14.410f
1/3/3 1/3/1
| |
| |
3/1 3/3
+---+ +---+ +---+ +---+
|#1 |3/3--3/1|#2 |3/3==3/1|#3 |3/3--3/1|#4 |
+---+ +---+ +---+ +---+
Discovered 1 chain/ring
Chain #0: Do you want to select this chain? (enter 'y' or 'n’): y

30 © 2022 CommScope, Inc.

After the probes are sent, a topology will be discovered and displayed for you.

First, it displays the unit where the stack interactive-setup command was run as
the “Existing stack”. The device number (1) appears inside the square and its configured
stack ports appear on each side of the square.

Next, it shows the discovered units. They are listed in the order they were discovered and
are given a number that will be referenced throughout the rest of the interactive‐setup
process. It also displays the specific device model and MAC address.
Beneath that is displayed the physical topology. At the top of this topology are the ports of
the discovering device. Then each connection is drawn out and labeled, detailing all of the
connecting ports between each discovered switch. Notice the numbering of each unit
corresponds with the numbered list above.
If the topology matches your intended design, select “y” for yes. If it does not match, check
the physical connection between devices to make sure they are connected properly.

Revision 2212 12 ‐ 30
ICX 150 ICX Stacking Technology

Using the Interactive‐setup Utility – Accept or Assign Unit IDs

8. Accept or define unit IDs

 You can accept the default unit IDs, or you can change them here Suggested stack unit number
 Pressing the Enter key accepts the suggested default

#1: icx7650-48f-sf-port d4c1.9e14.3ac3, type an ID (No: 0, default: 5): [Enter]

#2: icx7650-48f-sf-port d4c1.9e14.46df, type an ID (No: 0, default: 4): [Enter]
#3: icx7650-48zp-port d4c1.9e14.793f, type an ID (No: 0, default: 3): [Enter]
#4: icx7650-48f-sf-port d4c1.9e14.410f, type an ID (No: 0, default: 2): [Enter]

Device discovery order

You selected 4 unit(s): #1: ID=5, #2: ID=4, #3: ID=3, #4: ID=2,

Links U1--U2, #=1: 3/1--3/3

Links U2--U3, #=2: 3/1--3/3
Links U3--U4, #=2: 3/1--3/3 3/2--3/4
Links U4--U5, #=1: 3/1--3/3
Links U5--U1, #=1: 3/1--3/3
<Output Truncated>

31 © 2022 CommScope, Inc.

You are now given the option to accept the suggested new stack unit numbers. This
proceeds in the same sequence as the discovery process, beginning with the first
discovered unit (#1). Pressing the Enter key accepts each suggested ID. If you do not
accept the numbers, the system prompts you to enter different IDs, warns you that
changing the IDs manually may modify the stack configuration, and recommends that you
save the configuration and reload it after the stack is ready.
In our example, we accepted the default stack ID numbers.
Note that the Active controller is automatically assigned ID=1, so it does not appear here to
be accepted or changed.

After IDs are selected, notice the correlation between the discovered unit number and the
ID assigned (for example, discovered unit #1 is assigned unit ID 5).

Next, a summary topology is displayed, again indicating the ID each discovered unit will
take on and indicating all of the links connecting each of the units together.

Revision 2212 12 ‐ 31
ICX 150 ICX Stacking Technology

Using the Interactive‐setup Utility – Accept Topology

9. Review and accept the topology
#4 #3 #2 #1
+---+ +---+ +---+ +---+ +---+
-3/1| 1 |3/3--3/3| 2 |3/1--3/3| 3 |3/1==3/3| 4 |3/1--3/3| 5 |3/1-
| +---+ +---+ +---+ +---+ +---+ |
| |
|---------------------------------------------------------------|
<Output Truncated>
Proceeding will produce the above topology. Do you accept it? (enter 'y' or 'n'): y
stack interactive-setup discovers 4 unit(s) and sends stack-port/trunk to chain 0:
#4 d4c1.9e14.410f U2, D0: 3/1, D1: 3/3
#3 d4c1.9e14.793f U3, D0: 3/1 to 3/2, D1: 3/3
#2 d4c1.9e14.46df U4, D0: 3/1, D1: 3/3 to 3/4
#1 d4c1.9e14.3ac3 U5, D0: 3/1, D1: 3/3

The stack topology matches

our physical stack

32 © 2022 CommScope, Inc.

Next, the full graphical view of the topology is displayed. This topology includes all
units in the discovered stack, all ports connecting them, and whether those
connections are stack‐ports or stack‐trunks.

Then the interactive‐setup utility will ask if you would like to begin the process of
producing the new stack. Select “y” for yes, if you accept.

You will be shown one final summary and the stack information will be pushed to all
of the member units. The units will all reset and join the stack upon bootup.

Revision 2212 12 ‐ 32
ICX 150 ICX Stacking Technology

Stack Formation
10. Once the unit IDs are assigned, the Active controller is elected, the stack is formed, and a
Standby controller is designated
T=1d3h54m32.2: Election, I d4c1.9e14.7fc9 was alone --> active, ID=1, pri=128, 2U(1-2), A=u1,
nbr#=1 0,reason: u2: enable,
T=1d3h54m38.8: Election, I d4c1.9e14.7fc9 was active, no change, ID=1, pri=128, 5U(1-5), A=u1,
nbr#=4 4,reason: u3: enable,
Detect stack member 3 POE capable
Debug: May 14 00:28:11 Detect stack unit 3 has different startup config flash, will synchronize it
Debug: May 14 00:28:11 Detect stack unit 5 has different startup config flash, will synchronize it
T:1d3h54m40.3: Done hot swap: active controller u1 sets u3 to Ready.
T:1d3h54m40.3: Done hot swap: active controller u1 sets u5 to Ready.
<Output Truncated>
Debug: May 14 00:28:18
Config changed due to add/del units. Do write mem if you want to keep it
PoE Info: PoE module 1 of Unit 3 on ports 3/1/1 to 3/1/48 detected. Initializing....
PoE Info: PoE module 1 of Unit 3 initialization is done.
T=1d3h55m42.6: Assigned unit 2 to be standby
Debug: May 14 00:29:16 T=1d3h55m44.6: start running config sync to standby u2
Debug: May 14 00:29:17 T=1d3h55m45.3: Running config sync to standby u2 is complete
ICX7650-1# write memory
33 © 2022 CommScope, Inc.

Now that IDs have been assigned, the Active controller is elected and the stack is formed.
You can see here that the Active controller has a stack ID of 1 and a default priority of 128.

You then see messages indicating detection of stack units as they finish reloading and join
the stack. This includes messaging indicating the need to synchronize the startup‐config
and SSH RSA host keys.

The last phase of the process of building a new stack is choosing the Standby controller. In a
new stack, it should always be stack unit 2, and the running config will be synchronized to it
from the Active controller. Be sure to save the configuration with the write memory
command when stack formation is complete.

Revision 2212 12 ‐ 33
ICX 150 ICX Stacking Technology

Displaying Stack Information

The show stack command displays stack topology information
ICX7650-1# show stack
T=1d3h59m11.2: alone: standalone, D: dynamic cfg, S: static
ID Type Role Mac Address Pri State Comment
1 S ICX7650-48ZP active d4c1.9e14.7fc9 128 local Ready
2 S ICX7650-48F standby d4c1.9e14.410f 0 remote Ready
3 S ICX7650-48ZP member d4c1.9e14.793f 0 remote Ready
4 S ICX7650-48F member d4c1.9e14.46df 0 remote Ready
5 S ICX7650-48F member d4c1.9e14.3ac3 0 remote Ready
Stack Unit ID
active standby
+---+ +---+ +---+ +---+ +---+
-3/3| 1 |3/1--3/3| 2 |3/1--3/3| 3 |3/1==3/3| 4 |3/1--3/3| 5 |3/1-
| +---+ +---+ +---+ +---+ +---+ |
| -- represents stack‐port cnx == represents stack‐trunk port cnx |
|---------------------------------------------------------------|
Standby u2 - protocols ready, can failover
Role history: N: standalone, A: active, S: standby, M: member
U1: N->A
Current stack management MAC is d4c1.9e14.7fc9
Rear-module: config = oper = stack-40g
Stack ports are operating at 40G.

34 © 2022 CommScope, Inc.

You can display information about any and all of the members in a traditional stack by
entering show commands from the Active controller console. If you enter show
commands from the console port of a unit that is not the Active controller, the information
may not be displayed correctly.

The show stack command displays general information about a traditional stack,
including the stack topology. You can also view additional information using the detail
parameter.

You can see here that stack ID 1 is the Active controller with a priority of 128, and stack ID 2
is the Standby. The output also shows the topology of the stack including the connections
between each unit.

The stack unit ID is shown in the box and the slot/port of the connection is on either side of
the ID. Remember, this ID is of the individual unit within the stack; it is not to be confused
with the numerical ID of the stack as a whole (which was defined in our example using the
stack unit 1 command). Double hyphens (‐‐) designate single port connections, and
double equal signs (==) designate trunk port connections.

Revision 2212 12 ‐ 34
ICX 150 ICX Stacking Technology

Want to see the full end‐to‐end demonstration of

the interactive stack formation that we just
described?
Click here to watch the “How to Configure RUCKUS
ICX Stacking on FastIron v08095” video located on
the RUCKUS Networks Education YouTube channel.
Demonstration
Video

A video demonstration of our example interactive stack formation is available on the

RUCKUS Networks Education channel on YouTube.
RUCKUS Networks Education channel URL:
https://www.youtube.com/@RUCKUSEducationCommScope
Video URL: https://www.youtube.com/watch?v=DtGE7EnDJRI

Revision 2212 12 ‐ 35
ICX 150 ICX Stacking Technology

Stack Zero‐Touch Deployment

36

Now, we’ll discuss the second method of stack formation, zero‐touch deployment.

Revision 2212 12 ‐ 36
ICX 150 ICX Stacking Technology

Zero‐Touch Stack Deployment

• Zero‐touch stack deployment highlights:

– Works with “clean” ICX units only (no startup‐config can be present)
– Performs stack formation, new link discovery, and new unit discovery

• Essentially performs stack interactive-setup option 2 but with no user

intervention (uses default selections)

• Follow the same prerequisite tasks as stack interactive‐setup

– Connect devices
– Power on devices
– SSH to all devices
– Confirm all units are clean (no start‐up or running configurations)
– Define stack unit, stack ports, and stack trunks
– Enable stacking on unit intended to be the Active controller

37 © 2022 CommScope, Inc.

The Zero‐touch deployment utility essentially performs stack interactive‐setup utility option
#2, but with no user intervention and automatically applies the default selections.

The Zero‐touch deployment only works with “clean” ICX units that have no startup‐config
present (meaning, no startup nor running configuration). If a candidate device contains a
startup‐config, enter the erase startup-config command in Privileged‐EXEC
mode, and reset the device to convert it to a clean unit.
Note that an ICX 7650 device with startup‐config flash using 40‐Gbps stacking ports, but no
other configuration, is treated as a clean unit.

The initial setup tasks you follow are the same as for the stack interactive‐setup method:
• Connect devices
• Power on devices
• On the unit intended to be the Active controller, enable stacking and configure stack‐
ports (if necessary)

Revision 2212 12 ‐ 37
ICX 150 ICX Stacking Technology

Zero‐Touch Deployment – Start Process

• Start the stack zero‐touch process on the intended Active controller

ICX7750-48F Router# configure terminal
ICX7750-48F Router(config)# stack zero-touch-enable

• The Active controller discovers the new units and reloads them as stack
members.

• Zero‐touch stacking probes are sent every three minutes, so it may be necessary
to wait a few minutes for it to initialize.

• Results of the stack formation process appear on‐screen so you can monitor
(but not interact with) the stack formation

38 © 2022 CommScope, Inc.

The Zero‐touch stacking process is initiated with the stack zero-touch-enable

command from the global Configuration mode. This process sends probes down stack‐
ports every three minutes; therefore, it may be necessary to wait for feedback that it is
discovering stack units.

Keep in mind, there is no user intervention during this process. Whatever is discovered is
automatically configured, so it is critical to ensure all cables between devices are
connected properly before starting the zero‐touch process.

Once units are discovered, information will begin displaying on the console (similar to the
stack interactive‐setup utility but without any user prompts). The process is complete
when the output displays synchronization to the standby unit.

Revision 2212 12 ‐ 38
ICX 150 ICX Stacking Technology

Zero‐Touch Deployment – Check Status

Use the show stack zero-touch status command:

• Check status of stack zero‐touch provisioning
• See the reason for a unit not being discovered during zero‐touch provisioning

ICX7750-48F Router# show stack zero-touch status

I cannot be discovered by stack zero-touch or interactive-setup option 2.
reason: has stack enable
configuration
I can be discovered by stack interactive-setup option 3.
Will clean up in 89.4 sec. Sent last keep-alive 581.1 sec ago.
zero-touch-enable and stack enable are configured. Have done 1 probes
ZTP has converted 0 new units to members.
*** ZTP is going on for 0m0s. state=start. Will trigger again 3 min after done
ZTP postponed due to topology changes: 0
My MAC used in image copy is 748e.f8f9.636e.
ACL #=0, ind=0

39 © 2022 CommScope, Inc.

You can use the show stack zero-touch status command to check status of
stack zero‐touch provisioning or learn the reason for a unit not being discovered
during zero‐touch provisioning.

Revision 2212 12 ‐ 39
ICX 150 ICX Stacking Technology

Zero‐Touch Deployment – Results

Display zero‐touch deployment results using the show stack command

ICX7750-48F Router# show stack
T=15m2.5: alone: standalone, D: dynamic cfg, S: static
ID Type Role Mac Address Pri State Comment
1 S ICX7750-48XGF active cc4e.246d.9e00 128 local Ready
2 D ICX7750-26QXG standby cc4e.2439.3700 0 remote Ready
3 D ICX7750-48XGC member cc4e.2439.1a00 0 remote Ready

active standby
+---+ +---+ +---+
=2/1| 1 |2/4--2/1| 2 |2/4--2/4| 3 |2/1=
| +---+ +---+ +---+ |
| |
|-------------------------------------|
Standby u2 - Learn other units for 66 sec, protocols may not be ready in 4 s.
Role history: N: standalone, A: active, S: standby, M: member
U1: N->A

Current stack management MAC is cc4e.246d.9e00

The physical stack

topology looks like this

40 © 2022 CommScope, Inc.

The show stack command displays the completed stack with all discovered units, stack‐
ports, and stack‐trunks. This was all created without any user intervention after entering
the stack zero-touch-enable command. The graphic shows you what the physical
topology for this stack looks like.

Revision 2212 12 ‐ 40
ICX 150 ICX Stacking Technology

Zero‐Touch Deployment – Disable Upon Completion

• After validating the configuration, save the the new stack configuration
ICX7750-48F Router# write memory

• The zero‐touch process will continue running every three minutes as long as
it is enabled

• After discovery completes and the stack is created, disable the feature by
entering the no zero-touch-enable command
ICX7750-48F Router(config)# no stack zero-touch-enable

41 © 2022 CommScope, Inc.

You must use the write memory command after running stack zero‐touch provisioning
to save the learned configuration.

Remember that this process sends probes down stack‐ports every three minutes. RUCKUS
recommends that you disable stack zero‐touch provisioning after all new units and
connections are discovered and stack formation is complete. Keeping the utility enabled
does no harm, but the probes that occur every three minutes add processing overhead.

Revision 2212 12 ‐ 41
ICX 150 ICX Stacking Technology

Manual Deployment

Lastly, we’ll explore manual stack formation.

Revision 2212 12 ‐ 42
ICX 150 ICX Stacking Technology

Manual Deployment
• Example Usage: If you are connecting standalone units that have been individually
configured for stacking and want unit IDs to be assigned based on physical sequence
• Manual configuration process overview:
1. Ensure the candidate devices do not have stacking cables connected
2. Power on the devices
3. Configure the Active controller by assigning the highest priority (for example, 255) to the unit,
enabling stacking, and writing to memory (saving the configuration)
4. Configure the Standby controller by defining the stack unit’s suggested ID and assigning a lower
priority (for example, 240) to the unit, enabling stacking, and writing the config to memory
5. Configure each subsequent member unit individually by defining each stack unit’s suggested ID and
enabling stacking
6. Connect the devices in a stack topology
Result: The active controller retains its ID. The rest of the units are assigned unique ID
numbers depending on the sequence in which you connected them.
43 © 2022 CommScope, Inc.

As the name implies, manual stack configuration means you configure every unit
individually and enable stacking on each unit. Once the units are connected together, they
automatically operate as a stack. The unit with the highest priority becomes the active
controller, and ID assignment is determined by the sequence in which you physically
connect the units.

When would you want to manually configure a stack instead of using one of the previously
mentioned utilities? If you are connecting units that have been individually configured for
stacking and want unit IDs to be assigned based on physical sequence, you may want to
configure the stack manually.

We’ve provided an overview of the task steps here. Refer to the RUCKUS FastIron Stacking
Configuration Guide for detailed stack construction procedures.

Revision 2212 12 ‐ 43
ICX 150 ICX Stacking Technology

Stack Unit Addition &

Replacement

44

Lastly, we will provide an overview of adding and replacing units in a stack.

As always, refer to the release‐appropriate documentation for complete details:

• RUCKUS FastIron Stacking Configuration Guide for details and examples of each of these
tasks/procedures
• RUCKUS FastIron Command Reference Guide for command syntax, usage guidelines, and
examples

Revision 2212 12 ‐ 44
ICX 150 ICX Stacking Technology

Adding a New Unit to a Stack

• Install a new unit in a stack using stack interactive-setup

• This method can be applied to clean units (option 2) or units that have existing
configurations (option 3)

1. Connect the new unit to the stack by cabling the appropriate stacking ports

2. Run stack interactive-setup on the Active controller, and assign an ID to

the new unit
 The Active controller resets the new unit
 The new unit reboots and joins the stack

3. Enter the write memory command on the Active controller

45 © 2022 CommScope, Inc.

You can add, remove, or replace stack units interactively using interactive‐setup or
manually using static configuration. We’ll focus on the interactive method. Remember, the
stack interactive‐setup command provides two options; option 2 is used to discover clean
units, while option 3 can discover clean or non‐clean units.
1. Connect the new unit to the stack by connecting the appropriate stacking ports.
2. Run stack interactive-setup on the Active controller and assign an ID to
the new unit. The active controller resets the new unit.
3. Once the new unit boots and joins the stack, enter the write memory command
on the active controller.

Revision 2212 12 ‐ 45
ICX 150 ICX Stacking Technology

Replacing a Stack Unit

Stack unit replacement methods:

• Automatic discovery and replacement (no CLI commands)
When to use this method:
– Only one unit is being replaced
– The unit being replaced has a static configuration
– The unit being replaced is not the Active controller
– The new replacement is a clean unit of the same model
– The physical modules of the new replacement unit match only one provisional configuration (a stored
configuration without a physical unit present)
• Stack interactive‐setup utility
When to use this method:
– Multiple units are being replaced simultaneously
– The replacement is not a clean unit
– You do not want the Active controller to trigger an automatic replacement
– The physical modules of the replacement unit match more than one provisional configuration
46 © 2022 CommScope, Inc.

There are two ways to replace a stack unit.

• Automatic discovery and replacement (without CLI interaction). This method

works only when replacing a single unit having a static configuration with a clean,
identical hardware unit. Since the static configuration remains after the old unit
is removed, the new unit will inherit the config.
You simply disconnect the old unit from the stack and connect the new unit to
the stack using the same stacking ports as the old unit. If the replacement unit
configuration matches the configuration retained on the Active controller, the
Active controller resets the new unit. The new unit becomes a member and joins
the stack, and the stack keeps its original topology.

• Entering the stack interactive‐setup command. This method allows you to control
the unit addition into the stack and allows replacing multiple units and non‐clean
units.
You simply disconnect the old unit from the stack and connect the new unit to
the stack using the same stacking ports as the old unit. Enter the stack
interactive-setup command on the Active controller. Select interactive‐
setup option 2 if the replacement unit is a clean unit; select interactive‐setup
option 3 if the replacement unit contains configuration. Stack interactive‐setup
suggests an ID based on matching the new unit with the pre‐existing static
configurations for the stack. You can overwrite the suggested ID by entering the
ID of the old unit. The active controller resets the unit and it joins the stack.

Revision 2212 12 ‐ 46
ICX 150 ICX Stacking Technology

Attendees should now be able to:

• Describe what stacking is and its benefits
• Describe stacking topologies and
architecture
• Understand notable stacking features
Summary • Explain how to configure stacking using the
interactive‐setup utility
• Display stack information after the stack is
formed
• Explain how to replace and add stack units

This concludes the Stacking presentation. You should now be able to:
• Describe stacking technology and its benefits
• Describe stacking topologies and architecture
• Understand notable stacking features (including long‐distance stacking and hitless
stacking)
• Explain how to configure stacking using the interactive‐setup utility
• Display stack information after the stack is formed
• Explain how to replace and add stack units

Revision 2212 12 ‐ 47
ICX 150 ICX Stacking Technology

End of Presentation:
ICX Stacking Technology

Thank You

This concludes the presentation on ICX Stacking.

Revision 2212 12 ‐ 48
ICX 150 Power Over Ethernet

Power over Ethernet

Revision 2212

In this presentation we will discusses Power over Ethernet (PoE), and how to configure PoE
on the different RUCKUS ICX devices.

So, let’s get started.

Revision 2212 13 ‐ 1
ICX 150 Power Over Ethernet

After completing this presentation, you will

be able to:

• Describe the function of Power over

Ethernet (PoE)

• Understand the PoE capabilities of each

Objectives RUCKUS ICX family

• Configure PoE on RUCKUS ICX switches

• Change the various features offered on an

ICX PoE interface

• Display PoE information

After completing this presentation, you will be able to:

• Describe the function of Power over Ethernet (PoE)
• Understand the PoE capabilities of each RUCKUS ICX family
• Configure PoE on RUCKUS ICX switches
• Change the various features offered on an ICX PoE interface
• Display PoE information

Revision 2212 13 ‐ 2
ICX 150 Power Over Ethernet

PoE Overview

Let’s take a look at PoE.

Revision 2212 13 ‐ 3
ICX 150 Power Over Ethernet

PoE Overview
• Power over Ethernet (PoE) is the method for delivering electrical power, as
well as data, to remote devices such as VoIP phones, video cameras, and APs
• RUCKUS ICX switches have embedded PoE technology, and are considered
power‐sourcing equipment (PSE)
• A PSE is the source of power, or the device that integrates the power onto
the network
• A powered device (PD), is an Ethernet device that requires power and is
situated on the end of the cable opposite the PSE

4 © 2022 CommScope, Inc.

Power over Ethernet is a method whereby power is transmitted to Ethernet‐connected

equipment from a central switch.
By using the existing CAT 5 (or better) cabling, the need for AC power (and wiring costs) can
be eliminated. The switch is also able to control power distribution to the powered devices
allowing sophisticated uninterruptible power management for vital systems.
RUCKUS ICX switches offer PoE technology and are what we call power‐sourcing
equipment, or PSEs. The devices being powered by the switch are called powered devices,
or PDs. PDs can include devices like VoIP telephones, security cameras and wireless access
points.

Revision 2212 13 ‐ 4
ICX 150 Power Over Ethernet

PoE IEEE Specifications

• RUCKUS PoE devices are compliant with the IEEE 802.3 standards:
– 802.3af (PoE) ‐ defines PoE Type 1 and provides 15.4 watts (44 to 50 volts)
from the power‐sourcing device
– 802.3at 2009 (PoE+) ‐ defines PoE Type 2 and provides 30 watts (52 to 55
volts) from the power‐sourcing device
– 802.3bt (PoE++) ‐ defines PoE Types 3 and PoE Type 4, known as 60 watt and
90 watt types from the power‐sourcing device

• RUCKUS PoE devices support auto‐discovery to detect if a PD is 802.3af,

802.3at, or 802.3bt compatible

• RUCKUS devices that support PoH allocate 95 watts for PoE+, High PoE,
and PoH PDs
5 © 2022 CommScope, Inc.

RUCKUS PoE devices are compliant with both the 802.3af and 802.3at specifications. The
802.3af specification defined the original standard for delivering power over the existing
network cabling infrastructure, providing up to 15.4 watts (44 to 50 volts) of power to
powered devices.
In 2009, the 802.3at specification expanded the standard to support higher power levels
for more demanding powered devices. 802.3at provides 30 watts (52 to 55 volts) to the
powered devices.
In 2018, the 802.3bt standard was expanded to support even greater power levels, which
provides 60 watts for High PoE devices, and 95 watts for Power over HDBase‐T (or PoH).
The RUCKUS ICX 7150‐48ZP and ICX 7450, ICX 7550, and ICX 7650 switches provide support
for the 802.3bt standard. 802.3bt Type 3 (PoE++) offers 60 watts at the PSE and 51 watts at
the PD and Type 4 (PoE++) offers 90 watts at the PSE and 71 watts at the PD.

Except where noted, we will be using the term PoE to refer to PoE, PoE+, and High PoE. PoE
autodiscovery is a detection mechanism that identifies if an installed device is 802.3af,
802.3at, or 802.3bt compatible. When you plug a device into an interface that is capable of
providing inline power, the autodiscovery mechanism detects whether or not the device
requires power and how much power is needed.

Revision 2212 13 ‐ 5
ICX 150 Power Over Ethernet

ICX PoE Products

Let’s review the ICX PoE product details.

Revision 2212 13 ‐ 6
ICX 150 Power Over Ethernet

RUCKUS ICX PoE Switches – ICX 7150

ICX 7150 Series
• 7150‐C12P 12× PoE/PoE+ ports

• 7150‐24P 24× PoE/PoE+ ports

• 7150‐48P 48× PoE/PoE+ ports

• 7150‐48PF 48× PoE/PoE+ ports

• 7150‐48ZP 32× PoE/PoE+ ports

plus 16× PoH/PoE/PoE+
PoE capable ports designated by orange
PoH capable ports designated by yellow 802.3bt‐ready ports

7 © 2022 CommScope, Inc.

The RUCKUS ICX series of switches offers several different PoE configurations. PoE models
are designated by the letter “P” appearing after the numeric port value in the model‐type,
for example ‐48PF.
The ICX 7150‐C12P provides a fanless 12‐port option with PoE support on the copper
interfaces with a 124 W PoE Budget.
The ICX 7150 also has 24‐port (‐24P) and 48‐port (‐48P) options with PoE support on the
copper interfaces with a 370 W PoE Budget.
The ICX 7150‐48PF has 48‐ports with PoE support on the copper interfaces with a 740 W
PoE Budget.
The 7150‐48ZP has 32 ports with PoE+ support on the copper interfaces and 16 ports
providing PoH 802.3bt support.
‐ Provides a 1480 W PoE Budget when using 2 PSUs.
‐ Class 4 PoE+ power (30 watts) to every port and PoH power (90 watts) on eight dedicated
ports.
All ICX switches providing 802.3bt ports (90 W per port) are compatible with
PoE/PoE+/Cisco uPoE

For more details, refer to the most current revisions of the RUCKUS ICX 7150 Switch
Hardware Installation Guide and the RUCKUS ICX 7150 Data Sheet.

Revision 2212 13 ‐ 7
ICX 150 Power Over Ethernet

RUCKUS ICX PoE Switches – ICX 7250

ICX 7250‐24P and ICX 7250‐48P

• PoE/PoE+ support on all ports of 24‐port
and 48‐port PoE models
8

8 © 2022 CommScope, Inc.

The ICX 7250 has 24‐port and 48‐port options with PoE support on the copper interfaces
with 370W and 740W budget, respectively.

For more details, refer to the most current revisions of the RUCKUS ICX 7250 Switch
Hardware Installation Guide and the RUCKUS ICX 7250 Data Sheet.

Revision 2212 13 ‐ 8
ICX 150 Power Over Ethernet

RUCKUS ICX PoE Switches – ICX 7450

ICX 7450‐24P, ICX 7450‐48P

• PoE/PoE+ support on all ports of 24‐port
and 48‐port PoE models
• 8× PoH ports highlighted in yellow

9 © 2022 CommScope, Inc.

The ICX 7450 also has 24‐port and 48‐port options with PoE support on the copper
interfaces. It offers PoH support on the 8 ports highlighted in yellow on the switch. Both
provide 1500W AC / 516W DC PoE budget when using two power supplies.

For more details, refer to the most current revisions of the RUCKUS ICX 7450 Switch
Hardware Installation Guide and the RUCKUS ICX 7450 Data Sheet.

Revision 2212 13 ‐ 9
ICX 150 Power Over Ethernet

RUCKUS ICX PoE Switches – ICX 7550

ICX 7550‐24P, ICX 7550‐48P

• PoE/PoE+ support on all ports of 24‐port
and 48‐port PoE models

ICX 7550‐24ZP, ICX 7550‐48ZP

• PoE/PoE+ support on all ports on the 24‐port
and 48‐port models
• 24× 802.3bt ports up to 90W per port
• Up to 2000W PoE budget on both models

10 © 2022 CommScope, Inc.

The ICX 7550 family includes four PoE models, ‐24P, ‐48P, ‐24ZP, and ‐48ZP. Both the
‐24P and ‐48P models offer PoE and PoE+ on all copper interfaces.

The ICX 7550‐24ZP offers:

‐ 12‐port 10/100/1000 Mbps/2.5 Gbps 802.3bt POE
‐ 12‐port 100/1000 Mbps/2.5/5/10 Gbps 802.3bt POE
‐ 24 x 802.3bt ports, up to 90W per port, up to 2000W PoE budget

The ICX 7550‐48ZP offers:

‐ 36‐port 10/100/1000 Mbps/2.5 Gbps 802.3bt POE
‐ 12‐port 100/1000 Mbps/2.5/5/10 Gbps 802.3bt POE
‐ 48 x 802.3bt ports, up to 90W per port, up to 2000W PoE budget

Two power supplies are required to maximize available PoE ports.

For more details, refer to the most current revisions of the RUCKUS ICX 7550 Switch
Hardware Installation Guide and the RUCKUS ICX 7550 Data Sheet.

Revision 2212 13 ‐ 10
ICX 150 Power Over Ethernet

RUCKUS ICX PoE Switches – ICX 7650

ICX 7650‐48P, ICX 7650‐48ZP

• Both provide 48 x PoE/PoE+ ports
• 8× PoH/802.3bt ready ports on the ‐48P
• 24× PoH/802.3bt ready ports on the ‐48ZP

PoH Capable

11 © 2022 CommScope, Inc.

Finally, we have the ICX 7650‐48P and ICX 7650‐48ZP which provide 48 PoE+ ports but also
designates ports for PoH support. The 7650‐48P provides 8 PoE/+/PoH ports and the 7650‐
48ZP provides 24 PoE/+/PoH ports. Both provide 1500 W PoE Power budget when using
two power supplies.
As you can see, the ICX 7750 and ICX 7850 are not included in the PoE product portfolio.
This is because these switches are RUCKUS’s aggregation and core products where PoE is
not utilized.

For more details, refer to the most current revisions of the RUCKUS ICX 7650 Switch
Hardware Installation Guide and the RUCKUS ICX 7650 Data Sheet.

Revision 2212 13 ‐ 11
ICX 150 Power Over Ethernet

PoE Specifications

Now we will explore PoE Specifications and more.

Revision 2212 13 ‐ 12
ICX 150 Power Over Ethernet

PoE Delivery Methods

There are two methods for delivering PoE as defined in the 802.3af and
802.3at specifications
• Endspan ‐ used by RUCKUS PoE devices, delivers power through the Ethernet
ports on a power‐sourcing device, or PSE
– Power and data signals travel along the same pairs of wires at different frequencies
Non‐POE
Switch

Switch with Power over Ethernet ports IP Phone

Midspan
Power

• Midspan ‐ power is supplied by an

intermediate power‐sourcing device
placed between the switch and the PD Access Point

13 © 2022 CommScope, Inc.

There are two methods for delivering PoE as defined in the 802.3af and 802.3at
specifications. The first is Endspan, endspan devices (in this example a RUCKUS ICX switch
that is PoE capable) deliver power through the Ethernet ports to the PDs. Here, power and
data signals travel along the same pairs of wires at different frequencies
In the Midspan method, power is supplied by an intermediate power‐sourcing device
placed between the switch and the PD. Here, power travels on the unused spare pairs of
wires, while data travels on the other wire pairs.
ICX switches support PoE on 10, 100, and 1000 Mbps along with multi‐gigabit ports, some
with PoH up to 90 Watt capabilities.

Revision 2212 13 ‐ 13
ICX 150 Power Over Ethernet

PoE Types
Type 1
Commonly known as: PoE
Standard: IEEE 802.3af
Maximum power provided: 15.4W
Type 2
Commonly known as: PoE+, PoE Plus
Standard: IEEE 802.3at
Maximum power provided: 30W
Type 3
Commonly known as: 4‐pair PoE, 4P
PoE, PoE++, UPOE
Standard: IEEE 802.3bt
Maximum power provided: 60W
Type 4
Commonly known as: higher‐power
PoE, POH
Standard: IEEE 802.3bt
Maximum power provided: 100W

• Classes 5 ‐ 8 utilize all four twisted pairs to provide power

• Backwards compatibility to existing PDs are supported with Type 3 / Type 4 PSEs
– Traditional 2 pair
– Uses all four pairs reducing loss of power on the cable

14 © 2022 CommScope, Inc.

The latest revision of the IEEE standard of power transfer of low voltage over Ethernet is
known as 802.3bt. The previous PoE Standards known as 802.3af (2003) introduced 13W to
network devices. 802.3at increased the power up to 25.5W delivery. The 802.3bt standard
increases the power significantly by providing devices up to 71.3W at the PD by utilizing all
four pairs of the Ethernet connection.

The newly introduced Type 3 and Type 4 PSEs still provide backwards compatibility to PDs;
however, they may utilize 4 pairs to deliver the lower power to PDs, which can lower cable
losses to half the normal loss.

PoE Type 1 uses two pairs for power delivery to many lower‐powered devices. Common
Type 1 devices include VoIP phones, sensors, minimal antenna APs and simple IP cameras.
PoE Type 2 provide devices additional power that can not be handled by the Type 1
standard. Type 2 is backwards compatible but provides needed power to devices including
multifunction IP cameras capable of Pan, Tilt, and Zoom (PTZ) features, higher antenna APs
and minimal LCD displays.
PoE Type 3 uses all four twisted pairs in the Ethernet cable supplying the needed power to
PoE devices including videoconferencing appliances, remote switches, APs requiring high
power and automated entry management devices.
PoE Type 4 also uses all four pairs in the cable to power high‐consumption PDs such as
laptops along with large displays including TVs as well as cameras that deploy fans or
heaters.

Revision 2212 13 ‐ 14
ICX 150 Power Over Ethernet

PoE Power Classes

• PoE autodiscovery is a detection mechanism that identifies whether an

installed PD is 802.3af, 802.3at, or 802.3bt compatible
– A power class identifies the maximum power consumption of a PD will receive
from the PSE
– PSEs perform power classification by inducing a specific voltage to the PD and
measuring the current consumption
o Power classes include any power loss through the cables

• PDs that do not support classification are assigned class 0 (UnknownClass)

15 © 2022 CommScope, Inc.

PoE autodiscovery is a detection mechanism that identifies whether an installed PD is

802.3af, 802.3at, or 802.3bt compatible. A power class identifies the maximum power
consumption of a PD and the maximum power it should receive from the PSE.
PSEs perform power classification by inducing a specific voltage to the PD and measuring
the current consumption. Power classes include any power loss through the cables.

PDs that do not support classification are assigned class 0 (UnknownClass).

Adding to the four existing classes (1‐4), four new classes (5‐8) are introduced in 802.3bt,
providing a total of eight different classes. Many of the RUCKUS PoE switches, however, still
allocate power using classes 1‐4. The ICX 7150‐48ZP and all PoE models of the ICX 7550
support classes 1‐8.
Specific class allocations can be configured on ICX interfaces allowing for greater control of
PoE budget and power consumption.

Revision 2212 13 ‐ 15
ICX 150 Power Over Ethernet

PoE Power Classes for PSEs

• Here we see the different Power (watts) from Power‐Sourcing Device

power classes and the Power Class

IEEE 802.3af
(Standard PoE)
IEEE 802.3af
(PoE+)
IEEE 802.3bt
(PoE++)
Power over
HDBaseT (PoH)
respective power
0 15.4 15.4 15.4 15.4
consumption needs 1 4 4 4 4

2 7 7 7 7

3 15.4 15.4 15.4 15.4

• ICX power management 4 N/A 30 30 Default is 60. If PoE
is enhanced to enable the overdrive is
enabled, up to 95W
port and power up the is supported.

legacy PD or Class 1, Class 2, 5 N/A N/A 45 N/A

or Class 3 PDs even if the 6 N/A N/A 60

(65 if overdrive is
N/A

enabled).
available power is less
7 N/A N/A 75 N/A
than 30W. 8 N/A N/A 90 N/A

16 © 2022 CommScope, Inc.

The table shows the different power classes along the left and their respective power
consumption needs.
ICX power management is enhanced to enable the port and power up the legacy PD or
Class 1, Class 2, or Class 3 PDs even if the available power is less than 30W.

Revision 2212 13 ‐ 16
ICX 150 Power Over Ethernet

PoE Firmware Files And Features (FI 08.0.70)

PoE devices require specific PoE firmware

• Beginning with FI 08.0.70 release, a unified PoE firmware is used across supported devices
• During PoE firmware installation power to the connected PDs is disabled until update is complete
Feature ICX 7150 ICX 7250 ICX 7450 ICX 7550 ICX 7650
Auto PoE firmware upgrade 8.0.70 8.0.70 8.0.70 8.0.95 8.0.70

PoE enabled by default 8.0.70 8.0.70 8.0.70 8.0.95 8.0.70

8.0.61
Power over HDBaseT (PoH) No 8.0.20 8.0.95 8.0.70
Z Series Only
8.0.61
uPoE No 8.0.20 8.0.95 8.0.70
Z Series Only

PoE+ (802.3at) 8.0.60 8.0.30 8.0.20 8.0.95 8.0.70

PoE (802.3af) 8.0.60 8.0.30 8.0.20 8.0.95 8.0.70

Detection of PoE power requirements advertised through CDP 8.0.60 8.0.30 8.0.20 8.0.95 8.0.70

Maximum power level for a PoE power‐consuming device for

8.0.60 8.0.30 8.0.20 8.0.95 8.0.70
LLDP‐MED or CDP

Power class for PoE power‐consuming device 8.0.60 8.0.30 8.0.20 8.0.95 8.0.70

Power limit per port 8.0.60 8.0.30 8.0.20 8.0.95 8.0.70

17 © 2022 CommScope, Inc.

PoE compatibility and features are unique to each switch depending on the software
release it is running. Traditional updates to software can require an additional PoE firmware
to be updated depending on the release however with the new ICX Unified FastIron Image
the individual PoE firmware is no longer required but rather included in the UFI file.
When updating the firmware on any ICX switch, always refer to the latest release notes to
learn if there are any considerations for the PoE firmware update.

Revision 2212 13 ‐ 17
ICX 150 Power Over Ethernet

Unified FastIron Image (UFI) Firmware and PoE

New image format introduced in FI Release 8.0.80 known as Unified FastIron
Image (UFI)
• Combines both the FastIron application image and boot code
• PoE Firmware is bundled as part of the application image
– No longer its own image and does not need to be upgraded independently

• UFI bundle contains these components/packages

1. Application image
2. Application image’s signature file
3. U‐boot
4. Python libraries
5. HTTP package
6. DHCP package
7. <Any other package in future>
18 © 2022 CommScope, Inc.

As mentioned, the UFI file now includes all necessary files including the PoE application
image ensuring that the UFI software you are using has the correct PoE firmware allowing
you to take advantage of all the PoE capabilities of the ICX switch.

Revision 2212 13 ‐ 18
ICX 150 Power Over Ethernet

PoE Configuration

Now let’s take a look at the configuration of PoE.

Revision 2212 13 ‐ 19
ICX 150 Power Over Ethernet

Enabling/Disabling PoE

• All PoE capable ports are enabled by default introduced in FI 08.0.70 Release

• To enable/disable a port to provide inline power at the interface configuration:

Ruckus(config)# interface ethernet 1/1/1

Ruckus(config-if-e1000-1/1/1)# inline power

Ruckus(config)# interface ethernet 1/1/1

Ruckus(config-if-e1000-1/1/1)# no inline power

• It is best practice to disable inline power on ports where it is not needed

– Limiting power on PoH capable ports is recommended if PoH devices are not
deployed on the port
20 © 2022 CommScope, Inc.

PoE is enabled by default as of FI 08.0.70.

Ports can be enabled and disabled using the [no] inline power command.

It is a best practice to only provide PoE features on interfaces where it is required.

Depending on the number of PoE‐configured interfaces that have powered devices
connected, CPU utilization will increase slightly, though typically PoE does not affect the
functionality of other features on the switch. More details on disabling the PoH capabilities
will be discussed later in this presentation.

Revision 2212 13 ‐ 20
ICX 150 Power Over Ethernet

Power Levels for PoE Interfaces

• By default, ICX PoE devices budget 15.4W for PoE ports, 30W for PoE+
ports, and 95W for PoH ports

• The maximum amount of power that the switch will supply at each port
can be manually configured
– Power class
– Maximum power level
o Cannot configure both on the same interface

• Setting the power level on a port does not take power loss during
transmission into consideration

21 © 2022 CommScope, Inc.

When a power consuming device or PD is attached to a PoE capable port the RUCKUS ICX
will perform an initial discovery of the PD capabilities and budget the port with either 15.4,
30 or 95 Watts depending on the PD. Because of this default budget allocation, it is a good
practice to set the power levels to what the devices require for operation. Recall that this
value will be reduced by any power loss through the cables.

If desired, there are two methods that you can use to manually configure the maximum
amount of power that the RUCKUS PoE device will supply on the RJ‐45 port.

Revision 2212 13 ‐ 21
ICX 150 Power Over Ethernet

PSE to PD Power Allocation Process

• Type 1
• Type 1 PDs • 802.3af
• Powered at physical layer with single event classification • 2‐pair
• Max 12.95 Watts
• Type 2 PDs • Type 2
• Can obtain power at the physical layer with 2‐event classification • 802.3at
• By communication over layer 2 discovery protocols • 2‐pair
• Type 2 PDs must support both methods of power allocation • Max 25.5 Watts
• Type 3
• Type 3 and 4 PDs • 802.3bt
• 2 or 4‐pair
• PSE and PDs in this class utilizing over 30 Watts of power must advertise
their support for 4‐pair PoE and will then need to perform validation of • Max 51 Watts
both pair sets • Type 4
• PSE’s supporting Type 3 and 4 must support full physical layer allocation. • 802.3bt
LLDP can still be used by PDs for more granular classification • 4‐pair
• Physical classification is performed by using up to 5‐event classification • Max 71.3 Watts

22 © 2022 CommScope, Inc.

How power is initially allocated to a PD depends on the type of PD. The intricate details
around how devices perform this detection is way beyond the scope of this presentation,
but we want to at least make you aware that this is occurring and outline at a high level
what is happening.

Earlier in this presentation we talked about the 4 types (standards) and identified 8 classes
among these types. PD’s, access points in our case, will fall into one of those 4 Types based
on their requirements for full functionality.

Typically performed at the physical layer, a class event occurs when a PD is connected to a
PSE. The PSE applies a voltage level and the PD responds with a predetermined current
draw indicating the class signature. Depending on the Type, several of these measurements
can be necessary over a certain time period to identify the classification signature of the
PD.

Connecting a Type 1 AP into a PSE will trigger a single event classification at the physical
layer in which the PSE will send electrical signals to the PD and measure the response. The
response returned indicates the classification needed for this AP. A single measurement is
sufficient for a Type 1 PD.

PDs requiring Type 2 classification can utilize 2 event classification to obtain a power class,
or they can utilize a single event classification followed by use of Link layer discovery
protocols.

PDs requiring either Type 3 or 4 classification can utilize up to 5 classification events to

determine the PDs classification signature.

Revision 2212 13 ‐ 22
ICX 150 Power Over Ethernet

Configuring Power Classes

• To set the power class for a port, use the power-by-class command at
the interface level

Ruckus(config)# interface ethernet 1/1/1

Ruckus(config-if-e1000-1/1/1)#inline power power-by-class <tab>
DECIMAL 1 - 8 i.e Class1, Class2, Class3,...,Class8 (Class5 to 8 valid for
BT modules only)

Ruckus(config-if-e1000-1/1/1)# inline power power-by-class 3

23 © 2022 CommScope, Inc.

You can use the power-by-class command to set the desired power class per
interface, or range of interfaces, thus configuring the amount of power sent to the attached
PD.
Power classes 5 – 8 are only valid for ports that support 802.3bt, which includes specific
ports on the ICX 7150‐48ZP and all ICX 7550 PoE models.

Note: For PoH ports, the range is 1000‐95000mW. By default, maximum range is 60000mW
and in PoE overdrive mode up to 95000mW is supported. We will discuss the overdrive
feature later in this presentation.

Revision 2212 13 ‐ 23
ICX 150 Power Over Ethernet

PoE Power Levels

• The RUCKUS PoE device will adjust the power on a port only if there are
available power resources

• If power resources are insufficient, the following message will display on

the console and in the Syslog:

PoE: Failed power allocation of 30000 mwatts on port

1/1/21. Will retry when more power budget.

24 © 2022 CommScope, Inc.

There are two ways to configure the power level for a PoE power consuming device,
configuring a power class, or configuring a maximum power limit. Both of these values
cannot be configured on the same port.

The RUCKUS PoE device will adjust the power on a port only if there are available power
resources. If power resources are not available, a message displays on the console and in
the Syslog that PoE failed the power allocation for a specific port. It also states that it will
try to allocate power again when more power budget is available.

Revision 2212 13 ‐ 24
ICX 150 Power Over Ethernet

Configuring Maximum Power Limit

• Configure the maximum power level for a PoE port
– This example configures inline power on interface 1/1/1, and sets the maximum
power level to 14,000 milliwatts (14 watts)
Ruckus# configure terminal
Ruckus(config)# interface ethernet 1/1/1
Ruckus(config-if-e1000-1/1/1)# inline power power-limit 14000

• Maximum power limit values in mWatts (value is adjusted to nearest multiple of 5):
– PoE ‐ 1000 through 15,400, the default is 15,400
– PoE+ ‐ 1000 through 30,000, the default is 30,000
– PoE++/PoH ‐ 1000 through 95,000, the default is 95,000
– BT ‐ 1000 up to 120,000

• Configuring a power level higher than the default, could damage the PD

25 © 2022 CommScope, Inc.

The second way to configure the power level, is to set a maximum power level using the
inline power power-limit <power level> command. The <power
level> variable is the maximum power level in number of milliwatts. The following
values are supported:
• PoE – Enter a value from 1000 through 15400. The default is 15400.
• PoE+ – Enter a value from 1000 through 30000. The default is 30000.
• PoE++/PoH – Enter a value from 1000 through 95000. The default is 95000.
• BT – Enter a value from 1000 through 120000.

The example enables inline power on interface 1/1/1 and sets the PoE power level to
14,000 milliwatts (14 watts).
Note: Setting a power level higher than what the attached PD can support could damage
the device.

Revision 2212 13 ‐ 25
ICX 150 Power Over Ethernet

PoE Overdrive
• PoE Overdrive is not part of the IEEE standard (RUCKUS proprietary
enhancement)
• Allows the Class 0 and Class 4 PDs to negotiate for power greater than the
30‐watt allocation
802.3af 802.3at PoE+
– PoE overdrive is a per port AP (PoE) (PoE+) Overdrive
UPOE
PoH
configuration and can be (PoE+)
Model Class 0, Class 4, (PoE+) 95W
60W
configured on a range of ports: 1, 2, 3 30W 45W
2‐Pair 2‐Pair 2‐Pair 4‐Pair 4‐Pair
R730 ‐ Yes Yes Yes Yes
– PoE overdrive on PoE+ ports 1

is available only for RUCKUS PDs R720 Yes Yes Yes Yes Yes
1
R710 Yes Yes ‐ ‐ ‐
1
R610 Yes Yes ‐ ‐ ‐
R510 Yes ‐ ‐ ‐ ‐

26 © 2022 CommScope, Inc.

PoE Overdrive feature allows the Class 0 and Class 4 PD to negotiate for greater power. The
inline power overdrive command allows RUCKUS PDs to negotiate for power
greater than 30‐watts on PoE+ ports and greater than 60‐watts on PoH ports.
The maximum power that can be processed based on LLDP‐MED negotiation is limited to
the hardware capability of the PSE. If the PD negotiates for more power than the hardware
limit, the PSE allocates only up to the hardware capability of the PSE.
PoE overdrive on PoE+ ports is available only for RUCKUS PDs.

Footnote 1: Reduced set of operating characteristics

Revision 2212 13 ‐ 26
ICX 150 Power Over Ethernet

PoE Overdrive (cont.)

• PoE overdrive is disabled by default

• When RUCKUS PDs negotiate for power greater than the 30W allocation
on a PoE+ port that supports overdrive through LLDP‐MED messages,
overdrive is automatically enabled
– When the port mode dynamically changes to overdrive mode, the power is cycled
(off and on) on that port.

• To avoid power cycle, manually apply the inline power overdrive

configuration on the port before connecting the PD.

Ruckus(config)# interface ethernet 1/1/1 to 1/1/5

Ruckus(config-mif-1/1/1-1/1/5)# inline power overdrive

27 © 2022 CommScope, Inc.

PoE overdrive is disabled by default. When RUCKUS PDs negotiate for power greater than
30‐watt allocation on PoE+ ports that support overdrive through LLDP‐MED messages, PoE
overdrive gets automatically enabled and will be displayed in the configuration. When the
port mode dynamically changes to overdrive mode, the power is cycled (off and on) on the
port. To avoid a PD reload, manually apply the inline power overdrive
configuration on the port before connecting the PD. PoE overdrive is a per port
configuration and can be configured on a range of ports.

When the PD that requires overdrive is disconnected, the port mode changes back to non‐
overdrive mode. If the port mode dynamically changes to overdrive mode, the inline power
overdrive configuration is not displayed in the running configuration.

Revision 2212 13 ‐ 27
ICX 150 Power Over Ethernet

PoE Overdrive (cont.)

Overdrive can be configured on PoE and PoH ports as shown

Overdrive ‐ Max
Overdrive ‐ Max Power
ICX Platforms PoH Ports PoE+ Ports Power
Capability
• https://ruckus‐support.s3.amazonaws.com/private/documents/3484/icx7550‐ Capability
installguide.pdf?AWSAccessKeyId=AKIAJM3QLNNKLOV235TQ&Expires=1668402960&Signature=WWVwaMHFREaMAGI%2B6EnjY38h0i4%3D
ICX 7450 (all PoE SKUs) 1 to 8 9 to 48 NA
9 to 48
ICX 7650‐48P 1 to 8
By default, the value is 60, but Only RUCKUS PDs
ICX 7150‐48ZP 1 to 16 with overdrive, it is 95W. 17 to 48 can go up to
ICX 7650‐48ZP 25 to 48 1 to 24 45W.
ICX 7150‐C10ZP 7 to 10 1 to 6
ICX 7150‐24P, ICX 7150‐
48P, ICX 7150‐C12P, ICX All PoE ports N/A
None
7150‐Co8, ICX 7250‐24P,
ICX 7250‐48P
ICX 7550‐24P / ‐48P None Up to 24 / 42 ports 24/48
ICX 7550‐24ZP / ‐48ZP Up to 20 / 19 ports Up to 24 / 41 ports 24/48

28 © 2022 CommScope, Inc.

By default, the initial power allocation is 60W on PoH port and 30W on PoE+ port. With PoE
overdrive configuration, the initial power allocation is 95W on PoH ports and 30W on PoE+
ports. When the PD that requires overdrive is disconnected, the port mode changes back to
non‐overdrive mode. If the port mode dynamically changes to overdrive mode, the inline
power overdrive configuration is not displayed in the running configuration.

For more details, refer to the most current revision of the RUCKUS ICX 7550 Switch
Hardware Installation Guide and the RUCKUS ICX 7550 Data Sheet.

Revision 2212 13 ‐ 28
ICX 150 Power Over Ethernet

PoE Power Priority Configuration

• Power priority can be configured in the event that power is not available to
provide power to all PoE enabled ports:
– Priorities are set per port
– Higher priority ports are allocated power first
– Priority values:
o 3 ‐ Low priority
o 2 ‐ High priority
o 1 ‐ Critical priority

• Configure the power priority for a PoE port

– This example enables inline power on interface 1/1/1 and sets the inline power
priority to high (2)

Ruckus(config)# interface ethernet 1/1/1

Ruckus(config-if-e1000-1/1/1)# inline power priority 2

29 © 2022 CommScope, Inc.

In a configuration where PoE power consuming devices collectively have a greater demand
for power than the PoE power supply or supplies can provide, the ICX PoE switch must
place the PoE ports that it cannot power in standby or denied mode (waiting for power)
until the available power increases. The available power increases when one or more PoE
ports are powered down, or, if applicable, when an additional PoE power supply is installed
in the switch.

When PoE ports are in standby or denied mode and the switch receives additional power
resources, by default, the device will allocate newly available power to the standby ports in
priority order, with the highest priority ports first, followed by the next highest priority
ports, and so on.

Within a given priority, standby ports are considered in ascending order, by slot number
then by port number, provided enough power is available for the ports.
For example, PoE port 1/1/1 should receive power before PoE port 1/2/1. However, if PoE
port 1/1/1 needs 12 watts of power and PoE port 1/2/1 needs 10 watts of power, and 11
watts of power become available on the device, the device will allocate the power to port
1/2/1 because it does not have sufficient power for port 1/1/1.
Use the inline power priority command to set a priority for a port. The priority
values are 1 to 3, with 1 being the highest or most critical. Invoke write mem to save
your changes.

Revision 2212 13 ‐ 29
ICX 150 Power Over Ethernet

Enabling PoE on LAG Ports

ICX switches support PoE on LAG ports

• Apply inline power to a member port with a specific power class
Ruckus(config)# inline power ethernet 1/1/1 power-by-class 3

• Configure another member port with default config

Ruckus(config)# inline power ethernet 1/1/2

• Configure another member port with a power priority

Ruckus(config)# inline power ethernet 1/1/3 priority 2

• Configure another member port, specifying a maximum power level

Ruckus(config)# inline power ethernet 1/1/4 power-limit 12000

• Configure overdrive support on a member port

Ruckus(config)# inline power ethernet 1/1/1 overdrive
30 © 2022 CommScope, Inc.

PoE is available on LAG ports using the inline power ethernet command, this
command is done in global CONFIG mode.
Once a LAG is created and deployed, you can enable inline power on each secondary port
in the LAG. Each port can be configured with different power settings.
The example here, configures inline power on first port 1/1/1, with a power class of 3.
Next, the secondary ports are configured. Notice that each port is configured differently.
The first option, configures secondary port 1/1/2 with the default inline power settings, as
no other power parameters are set.
The second option, configures secondary port 1/1/3 with a power priority of 2.
And the third option, configures secondary port 1/1/4 with a maximum power level of
12000 mWatts.
The last overdrive entry allows RUCKUS PDs to negotiate for power greater than 30‐watt
allocation on PoE+ ports and greater than 60‐watt on PoH ports. Make sure to invoke
write mem to save your changes.

Revision 2212 13 ‐ 30
ICX 150 Power Over Ethernet

Support for PoE Legacy Devices

• Legacy devices are devices that are not compliant with 802.3af or 802.3at

• Support for legacy power‐consuming devices is not enabled by default

• To enable support on a non‐stacked switch, configure at the global level:

Ruckus(config)# legacy-inline-power

• On a stacked device, configure at the stack unit level:

Ruckus(config)# stack unit 2
Ruckus(config-unit-2)# legacy-inline-power

31 © 2022 CommScope, Inc.

RUCKUS PoE devices do not automatically support legacy PDs that are not compliant with
802.3af and 802.3at. If desired, you can enable support for legacy PoE power consuming
devices on a global basis or at the stack unit level.

To enable support for legacy power consuming device after it has been disabled, enter the
legacy-inline-power command.

You can view the running configuration to see if support for PoE legacy devices is enabled
or disabled.

Revision 2212 13 ‐ 31
ICX 150 Power Over Ethernet

Configuring Fast Boot & Perpetual PoE

• Enabling the Fast Boot and Perpetual PoE feature will keep the PDs
powered even when the switch software is not ready
– All the ports which are powered are kept powered while the switch is reloading
– New PDs connected during reload, will not get powered

• To implement this high‐availability feature, use the inline power poe-

ha command at the interface level:
ICX7550-48P Router(config-if-e1000-1/1/1)#inline power poe-ha

• Invoke write mem to make this change permanent

32 © 2022 CommScope, Inc.

New in FI 8.0.95, Fast Boot & Perpetual PoE features keep the PDs powered even when the
switch software is not ready. All the ports which are currently powered are kept powered
while the switch is reloading. Any new PDs connected during switch reload, will not receive
powered until the switch is operational. This feature is useful for the PDs that do not
require data connectivity, such as lighting solutions. A write memory is required to
permanently save this configuration change.

Revision 2212 13 ‐ 32
ICX 150 Power Over Ethernet

PoE Command Output

Let’s explore ICX PoE command output.

Revision 2212 13 ‐ 33
ICX 150 Power Over Ethernet

Displaying PoE Information

Use the show inline power command to view PoE operational information
RUCKUS# show inline power
Total PoE power supply capacity, and available power
Power Capacity: Total is 1630000 mWatts. Current Free is 1568400 mWatts.

Power Allocations: Requests Honored 28 times

Port Admin Oper ---Power(mWatts)--- PD Type PD Class Pri Fault/

State State Consumed Allocated Error
-----------------------------------------------------------------------------
1/1/1 On On 10485 15400 4P-IEEE Class 5 3 n/a
1/1/2 On On 4105 15400 2P-IEEE Class 3 3 n/a
1/1/3 On On 2052 15400 2P-IEEE Class 3 3 n/a
1/1/4 On On 3272 15400 2P-IEEE Class 3 3 n/a
1/1/5 On Off 0 0 n/a n/a 3 n/a
<Truncated Output>
-----------------------------------------------------------------------------
Total 19,914 61,600 Type of PD connected,
Is PoE enabled (on) or and maximum amount of
disabled (off) on the port Milliwatts allocated to the port, and current power the PD can receive
milliwatts the PD is consuming
34 © 2022 CommScope, Inc.

Use the show inline power command to view PoE operational information.
The output shows a lot of useful information including:
• The total PoE power supply capacity and available power
• The status of each PoE port, and if it is configured for PoE.
• The Power (in milliwatts), being allocated to the port, and how many milliwatts the PD is
consuming.
• And finally, the type of PD connected, is it an 802.3af or 802.3at device, and what power
class does the PD support.

Revision 2212 13 ‐ 34
ICX 150 Power Over Ethernet

Displaying PoE Power Supply Details

• Use the show inline power detail command to view detailed information for the PoE power supplies
RUCKUS# show inline power detail

Power Supply Data On unit 1:

++++++++++++++++++
PoE power supply
details, including PoE
Power Supply Data:
++++++++++++++++++
firmware version
Power Supply #1:
Max Curr: 15.1 Amps
Voltage: 54.0 Volts
InputVoltage: 119.0 Volts
Capacity:
PoePower:
815 Watts
815 Watts
Admin-On – ports enabled for inline power
Admin-Off – ports not enabled for line power
General PoE Data:
+++++++++++++++++ Oper-Off – ports not receiving inline power
Firmware Version Off-No-PD – ports where no PDs are connected
----------------
01.54.0
<Output Truncated>
Cumulative Port State Data
+++++++++++++++++++++++++++
#Ports #Ports #Ports #Ports #Ports #Ports #Ports
Admin-On Admin-Off Oper-On Oper-Off Off-Denied Off-No-PD Off-Fault Number of ports per
-------------------------------------------------------------------------
24 0 4 20 0 20 0 PoE priority, and total
Cumulative Port Power Data: number of watts
+++++++++++++++++++++++++++
consumed by PDs
#Ports #Ports #Ports Power Power
Pri: 1 Pri: 2 Pri: 3 Consumption Allocation
-----------------------------------------------
0 0 24 21.193 W 61.600 W

35 © 2022 CommScope, Inc.

Using the detail parameter with the show inline power command displays even
more PoE information, including details about the PoE power supplies, as well as the
current PoE firmware running on the switch.

The output also shows the number of ports enabled for inline power, and the power
consumption and allocation of the total number of ports.

Revision 2212 13 ‐ 35
ICX 150 Power Over Ethernet

You should now be able to:

• Describe the function of Power over

Ethernet (PoE)

• Understand the PoE capabilities of each

RUCKUS ICX family
Summary
• Configure PoE on RUCKUS ICX switches

• Change the various features offered on an

ICX PoE interface

• Display PoE information

This concludes the Power Over Ethernet presentation. You should now be able to:
• Describe the function of Power over Ethernet (PoE)
• Understand the PoE capabilities of each RUCKUS ICX family
• Configure PoE on RUCKUS ICX switches
• Change the various features offered on an ICX PoE interface
• Display PoE information

Revision 2212 13 ‐ 36
ICX 150 Power Over Ethernet

End of presentation:
Power over Ethernet

Thank you

This is the end of the Power over Ethernet presentation.

Revision 2212 13 ‐ 37
ICX 150 Power Over Ethernet

Revision 2212 13 ‐ 38
ICX 150 Design, Implementation, and Troubleshooting

Design, Implementation, & Troubleshooting

Revision 2212

Welcome to the presentation on design, implementation, and troubleshooting.

Revision 2212 14 ‐ 1
ICX 150 Design, Implementation, and Troubleshooting

After completing this presentation, you will

be able to:
• Perform tasks in network design planning
– Identify requirements
– Site Survey
– Installation
– Testing
Objectives – Documentation
• Utilize basic troubleshooting commands
– Identify Layer 1 and 2 problems
• Troubleshoot LAG, VLAN, and Spanning Tree

After completing this presentation, you will be able to identify and perform tasks
associated with network design:

‐This includes understanding customer requirements

‐Performing site surveys to understand the physical environment
‐Having an overall plan when it comes time for installation
‐Executing pre‐defined tests post installation
‐and making sure documentation is turned over to the customer once the installation is
completed

We then discuss basic troubleshooting of Layer 1 and Layer 2 using show commands. We’ll
present a VLAN tagging scenario and identify improper configurations. Finally we outline
commands that can be utilized to obtain the status of LAG connections and Spanning Tree
Protocols.

Revision 2212 14 ‐ 2
ICX 150 Design, Implementation, and Troubleshooting

Designing Wired Networks

We will begin by discussing considerations that should be made when designing wired
networks.

Revision 2212 14 ‐ 3
ICX 150 Design, Implementation, and Troubleshooting

Gather Requirements, Validate, and Document

• Network requirements
– Client and drop counts
– Infrastructure hardware support (APs, VOiP phones, controllers, firewalls, servers)
– Applications in use

• Site Survey
– Cabling Infrastructure (Cat5/Cat6/Fiber)
– Understanding of existing network (If applicable)
o Legacy devices / Interoperability
– Layer 2 configurations (VLANs, Subnets, etc)
– Layer 3 configurations (routes, site connections, multicast, ACLs)

• Revisit requirements and adjust as needed

4 © 2022 CommScope, Inc.

Before a network design can exist, before switch models are selected, purchased, installed
and configured there are several pieces of information that should fit into an overall plan
for the specific network that intended to be deployed.

It begins with defining the requirements for the network. This is often outlined in
documentation between network design engineers, network administrators and other
business stakeholders. The aim of this task is to understand how the network is intended to
be used. The requirements need to define how many clients and port locations are needed
and the type of clients or devices that will be connected. This goes beyond how many
switchports you need for the design, it will help you understand if those ports need to
provide PoE, or if they need to provide multi‐gigabit speeds. What other types of
infrastructure components does the network need to support? Does the customer have
controllers, firewalls, or servers in this location?

It is also important to understand what applications they intend to utilize. Do they have
application data streaming from client to server internally in the network? Are applications
hosted in the cloud streaming over the internet? Is there traffic that needs to be
prioritized?

…Continued on next slide

Revision 2212 14 ‐ 4
ICX 150 Design, Implementation, and Troubleshooting

FULL NOTES
PAGE

<continued from previous slide…>

A look at the physical space should be conducted to understand what (if any) existing
devices and cabling infrastructure may be reused. This could include identifying existing
network switches and routers as well as defining what roles they will perform. You also
need to identify any existing cabling in the facility, including fiber connectivity between
data closets. If there is existing cabling, what type is it? Does it meet the new
requirements? Is it in good condition? If new runs are needed, how many and where?

Information gathering should also include obtaining any existing network configurations
such as, Layer 2, Layer 3, ACLs, and Multicast configurations. If none currently exist pre‐
planning these configurations should be performed based on customer requirements.

Over the course of information gathering and planning discussions variables will change.

As requirements change, whether they expand or decrease in scope, the design documents
need to change as well. Defining and re‐defining the information gathered will eventually
lead to how the network is expected to look and function.

Revision 2212 14 ‐ 5
ICX 150 Design, Implementation, and Troubleshooting

Ports, Power Budgeting, and Cables

RUCKUS ICX 7550 48ZP
• Port Types Needed? • Dual 1200 Watt power supplies
– Copper Gigabit, Multi‐Gigabit, 10/40/100 Gigabit Fiber • 2000 Watts total PoE budget
• 90 Watts per port

• Power over Ethernet Budget

– Single or Dual Power Supplies
– Per‐Port power RUCKUS R850
– Overall Budget Available Consumes 16.1 Watts of
– Device Power Requirements power idle, 31 Watts of
power with max
– Redundancy connections
• Cable types needed to support connectivity and power requirements
– Ethernet (Cat5e/Cat6/Cat6a)
– Fiber (mode type/connectors)

6 © 2022 CommScope, Inc.

Once the overall requirements have been identified, the information can be used to
determine the number and types of switch ports needed. What speeds do the connected
devices need to support and what media type is needed?

You should also now be able to determine how much power budget should be available per
data closet for PoE connected devices. These requirements are guiding factors in switch
model selection.

The PoE budget requirements are driven by the types of devices supplied power by the
switch, which can include phones, security cameras and of course wireless access points.
The amount of power required for each of those devices not only depends on device type
and model, but also enabled features on those devices.

For instance, a RUCKUS R850 Access Point will consume 16.1 Watts of power with full radio
chain usage (8x8), Zigbee/BLE enabled, 1Gbps and 5Gbps ethernet ports enabled, as well
as USB enabled. That however is based on an idle access point with no clients. The Max
power consumption is 31 Watts. Understanding the requirements of the powered devices
is critical to being able to accurately calculate a budget.

Lets consider the RUCKUS ICX 7550‐48ZP as an example. This switch model supports dual
1200 Watt power supplies (running at 240V) with a PoE budget of 2000 Watts. This specific
model also supports up to 90 Watts per port (802.3bt). This means that in terms of power
availability we could support an R850 connected to each of the 48 ports as that would only
equal 1488 Watts.
…Continued on next slide

Revision 2212 14 ‐ 6
ICX 150 Design, Implementation, and Troubleshooting

<continued from previous slide…>

If we had selected a switch model that was only capable of running 802.3at (PoE+), we
would be able to power our R850’s up, but we would run into issues if they began to run at
full capacity because PoE+ only supports 30 Watts per port (not 31 Watts like this AP
requires). Note that the 48ZP switch we’re showing only has 36 multi‐gig ports. So 12 of
our APs in this scenario would be limited to 1Gbps only as well.

Make no mistake, it would be a bad idea to connect 48 APs to a single switch considering
maximum cabling distances, wireless coverage areas, and uplink bottlenecks. We use that
example to point out that part of network design is having to balance PoE loads on devices.
The design should also consider the dual power supplies we mentioned. If you lose a single
power supply, how will that impact your powered devices? If you had a conservative power
budget (unlike our example), it is possible losing a single power supply would not disrupt
connected devices. How far should the redundancy go?

Datasheets are a great source of information when it comes to power availability,

requirements and device options. Anyone designing a network should be familiar with
most of the information provided on datasheets for products used within their designs.

Lastly you need to make sure that whether you are using existing cabling or creating new
runs, the cable types used match the requirements for the deployment and potential future
use. This not only includes the media type, but any optics that may be required.

Revision 2212 14 ‐ 7
ICX 150 Design, Implementation, and Troubleshooting

Building a New Network

Core Problems:
• Complex network
architecture, with
too many layers and
inactive links
Aggregation
• Many points of
management
• High upfront and
maintenance costs
• Underutilized chassis
Access • Forklift upgrades
only

8 © 2022 CommScope, Inc.

Traditionally, networks were deployed using chassis at the core, aggregation and access
layers. These networks tended to be large with many points of management.
Chassis are inherently big, bulky, and require a large up‐front investment. Typically, they
had unused capacity for anticipated growth.

Maintenance was difficult and expensive and upgrades were expensive as well. Once
maximum capacity was reached, upgrades could only be done through forklift upgrades.

Revision 2212 14 ‐ 8
ICX 150 Design, Implementation, and Troubleshooting

Benefits of fixed port switches at the access layer

Core
Benefits:
• Scale‐out, “pay
as you grow”
Aggregation
networking
• Greater
scalability
• Flexible network
deployment
options
Access
• Lower power
consumption

9 © 2022 CommScope, Inc.

Enterprises are now commonly deployed using stackable switches at the access layer. They
offer more flexibility and can be deployed exactly where they are needed.

RUCKUS has been a pioneer in delivering fixed port switches with open standards and
multi‐vendor support. The fixed‐port and stackable design of the RUCKUS ICX switches,
provides the flexibility that allows users to pay‐as‐you‐grow, with market‐leading
performance.

Customers can purchase what they need today and know that they will be able to easily
add ports on demand or additional switches, without requiring a forklift upgrade.

Revision 2212 14 ‐ 9
ICX 150 Design, Implementation, and Troubleshooting

Fixed Switches with Collapsed Aggregation & Core

Benefits:
• Lower up‐front
capital investment
• Scale‐out, “pay as
you grow”
Core & networking
Aggregation • Increased
scalability
• Distributed chassis
with long distance
stacking
Access
• Reduced power,
cooling and
footprint

10 © 2022 CommScope, Inc.

The RUCKUS distributed chassis technology collapses the aggregation and core layers using
the RUCKUS ICX 7750 and 7850 switches. These aggregation/core switches deliver industry‐
leading 10 GbE, 40 GbE and 100 GbE port densities, advanced high‐availability capabilities,
and flexible stacking architecture, making it the most robust aggregation and core
distributed chassis switch offering for enterprise LANs. In addition to rich Layer 3 features,
both of these switch models scale to a 12‐unit distributed chassis stack or a Multi‐Chassis
Trunking (MCT) topology.

Though stacking distances depend on the ICX platform, optics, and cables used, the ICX
7750 and 7850 can form a distributed chassis spanning up to 40 kilometers.

Revision 2212 14 ‐ 10
ICX 150 Design, Implementation, and Troubleshooting

Install and Deploy

• Project planning
– Project management teams
– Coordination of hardware delivery and staging
– Kick‐off meetings with contractors and vendors

• Physical site access

– Multiple vendor access coordination
– Site should be aware of arrival ahead of time

• Customer change management

– Identify change window requirements early

11 © 2022 CommScope, Inc.

Once the requirements have been identified and defined there are additional
considerations that need to be made before the installation phase can begin. Project
milestones for each task should be established with project management teams tracking
progress. There are several aspects of a project that these teams can help identify and
manage. For instance, imagine a large deployment with thousands of APs. These APs will
likely be received in multiple batches. When they are received, they may need to be staged.
Do the APs arrive directly to the site from the supplier? Should they arrive to a central site?
Will they need to be staged, labeled and then sent to an installer?

It is also a good idea for the contractors, vendors, project managers and other interested
parties to have kick‐off meetings to identify any unanswered questions and ensure
everyone understands the timelines and goals.

Another consideration is access to the physical sites for installation. Often times there will
be multiple vendors or contractors providing services for the network installation. Ensuring
these teams have proper access to facilities and materials is important.

Finally, does the customer utilize change management? If so you will need to work to
obtain a maintenance window for any work that may be impactful to the existing network.
Change windows should be identified early on. Failure to do so could impact the timeline
and ultimately budget for the project.

Revision 2212 14 ‐ 11
ICX 150 Design, Implementation, and Troubleshooting

Test and Turn Up

• Tests defined as part of scope

• Cable testing
• Hardware testing (wired and wireless)
• Wireless survey
• Onsite engineers monitoring network operations during workday

12 © 2022 CommScope, Inc.

Once the network has been installed you must ensure proper operation prior to turning it
over to the customer. Ideally, test requirements are identified as part of the initial
discussions prior to network planning. Testing can include validation of installed or existing
cable infrastructure. Testing of hardware operation under expected load (wired and
wireless). If wireless was deployed, or even changed, a physical site survey of the wireless
network should be performed to ensure intended coverage.

Load testing may not always be possible without actual clients. Manytimes engineers are
on‐site after deployment, during the customer’s workday to ensure proper functionality.

Revision 2212 14 ‐ 12
ICX 150 Design, Implementation, and Troubleshooting

Documentation Turnover

Documentation should include:

• Test results
– Performance tests/validations
– Wireless site surveys

• Drawings
– Physical layout (data
facilities, cable runs, AP placement)
– Logical device connectivity (data facility/rack layout)

• Device configurations
– Switch, Router, Firewall, Controller, etc

13 © 2022 CommScope, Inc.

Providing documentation to the customer at the end of the project is crucial to ensure
proper future operation and assist with troubleshooting efforts.

Documentation includes results of performance tests and wireless site survey results. It
should include site drawings for cable layouts, data facility locations as well as logical
device connectivity.

Providing copies of the deployed configurations to the customer will help prevent
prolonged impact in the event that a device needs to be restored.

Revision 2212 14 ‐ 13
ICX 150 Design, Implementation, and Troubleshooting

Basic Wired Troubleshooting

Next we’ll discuss some basic wired troubleshooting commands and examples of how and
when you should use them.

Revision 2212 14 ‐ 14
ICX 150 Design, Implementation, and Troubleshooting

Troubleshooting with CLI

• Narrow down issue and gather data using feature/function specific commands
• show commands provide valuable insight
– Displays a variety of configuration and statistical information about devices

Layer Functions Verification/solution Methods

1‐ Physical Physical connectivity show module
show running-config
show interface
show statistics
2‐ Data Link ARP resolving accurately show arp
MAC address tables accurate show mac-address
Ethernet connectivity/switching
3 ‐ Network Logical addressing, Routing and show <protocol> interfaces brief
Encapsulation, OSPF, BGP show route-map

15 © 2022 CommScope, Inc.

When troubleshooting Layer 1‐3, consider the OSI model as a framework for verification.
Ensure that Layer 1 and 2 elements are functioning as intended before verifying Layer 3
operations. Verify Layer 3 before troubleshooting at Layers 4 through 7.

Consider verifying these operations at each layer of the OSI model.

Layer 1 – Physical – Ethernet connectivity. Also consider the switched network environment
between devices and if the devices are running switch or router code
Layer 2 – Data Link – Ethernet connectivity, ARP resolving accurately, MAC address tables
accurate
Layer 3 – Network – Real IP to VIP mapping is accurate. Consider routed paths between the
device and remote servers and clients
The steps in this model are:
• Collect available information and analyze the symptoms of issue
• Localize the problem to within a single network segment, a single complete module or
unit, or to a single user
• Isolate the trouble to specific hardware or software within the unit, module, or user’s
network account
• Locate and correct the specific problem
• Verify that the problem has been solved

Revision 2212 14 ‐ 15
ICX 150 Design, Implementation, and Troubleshooting

Troubleshooting Steps (Layer 1)

• Layer 1 issues that should be checked include:
– Bad, missing, or mis‐wired cables (especially with static LAGs)
o Check optical or SFPs for failure using optical monitoring options
– Bad ports
o Verify the port has not become disabled due to monitoring such as UDLD, Port Flap Dampening, Keep‐alives, LFS
o Test cable and check the switch port LEDs to ensure that layer 1 is functioning correctly
– Power failure
o Verify that power supplies are up and heathy
 PoE issues could be caused by secondary power supply failure
– Device problems
o ICX module or SFP failure or possible breakout port issues

• Possible Layer 1 configuration issues

– Port/speed & type must be the same
– Fiber mismatch (transmit/receive)

16 © 2022 CommScope, Inc.

It is important to begin your troubleshooting efforts at Layer 1, moving up the layers after
the lower level troubleshooting has been performed. This has been proven to be the best
troubleshooting method as it not only provides a consistent process, but also allows
administrators to narrow their troubleshooting efforts. As you advance to additional layers,
the troubleshooting can begin to target specific issues that might be only affecting a
specific traffic flow or protocol.

Revision 2212 14 ‐ 16
ICX 150 Design, Implementation, and Troubleshooting

Host Connectivity Issues (Layer 1)

• Use the show interface ethernet command
– Errors such as collisions can indicate speed/duplex mismatch between attached devices

• Use the show statistics command to check whether there are CRC errors
transmitted or received on the interface
– Errors of this nature are usually the result of physical problems such as bad cable or NIC

• The show rmon statistics ethernet command provides additional interface

statistics for promiscuous traffic on an interface
RUCKUS1(config)#show rmon statistics ethernet 1/3/1
Ethernet statistics 129 is active, owned by monitor
Interface 1/3/1 (ifIndex 129) counters
Octets 1556878
Drop events 0 Packets 8945
Broadcast pkts 7861 Multicast pkts 1018
CRC align errors 0 Undersize pkts 0
Oversize pkts 0 Fragments 0
Jabbers 0 Collisions 0

Packet size counters

64 724 65 to 127 1592
128 to 255 6268 256 to 511 80
512 to 1023 234 1024 to 1518 47

17 © 2022 CommScope, Inc.

Before verifying VLAN functionality and Layer 2 troubleshooting in general, it is important

that Layer 1 is functioning properly. Check port LEDs to ensure the port is up.

For connectivity and throughput issues within a VLAN, it is important to check the switch’s
interface and interface statistics. The show interface command can also to be used to check
port utilization. A port oversaturated with traffic will affect throughput and proper host
connectivity.

Use show rmon statistics command to view count information on multicast and broadcast
packets, total packets sent, undersized and oversized packets, CRC alignment errors,
jabbers, collision, fragments and dropped events is collected for each port on a ICX Layer 2
Switch or Layer 3 Switch. The statistics group collects statistics on promiscuous traffic
across an interface. The interface group collects statistics on total traffic into and out of the
agent interface. No configuration is required to activate collection of statistics for the Layer
2 Switch or Layer 3 Switch. This activity is by default automatically activated at system start‐
up.

Syntax: show rmon statistics [ethernet <unit/slot/port>]

Revision 2212 14 ‐ 17
ICX 150 Design, Implementation, and Troubleshooting

Troubleshooting Steps (Layer 2)

Common Layer 2 issues:

• Stuck/incorrect MAC move

– Migrating MACs can sometimes be “stuck” (verification of correct binding required)

• Missing or wrong VLANs

– Transient switch might not have all necessary VLANs configured
– Tagged/untagged misconfiguration

• Wrong VLAN setting on access ports

– Port might be in wrong VLAN/subnet

• Missing or misconfigured tagged ports

– VLAN packets are being dropped due to incorrect tagging or VLAN association on a port

• Spanning tree port states and data path

– Port might be in error‐disabled state, due to events such as BPDU guard

18 © 2022 CommScope, Inc.

When a MAC move occurs due to end host roaming via AP or because of failover, the ICX
management software should move the MAC address from the old port to the
specified new port it has learned in its forwarding table.
It is good practice to look at the mac table to ensure that the MAC to port binding is
accurate and that the frames for that host is accurate. Occasionally due to certain
circumstances this process does not take place or the MAC address remains bound
to the original port. In this event the MAC needs to be removed using a manual
process. Other common Layer 2 issues revolve around VLAN configurations.
It is common to see misconfigurations on transient switches that do not have all of
the proper VLANs configured, or even the wrong tagging applied. We’ll walk
through checking VLAN configurations later in this presentation.

Revision 2212 14 ‐ 18
ICX 150 Design, Implementation, and Troubleshooting

Clear MAC Options

• Check that the learned MAC address entries are correct in the MAC address table
– Stuck MAC may require clearing

• MAC addresses that can be removed:

– All MAC address entries
– All MAC address entries for a specified Ethernet port
– All MAC address entries for a specified VLAN
– All specified MAC address entry in all VLANs

• If the clear mac-address command is used, the MDB (MAC database) and FDB
(forwarding database) are rebuilt for those cleared using standard MAC learning and
unknown unicast flooding processes

• To remove entries for the MAC address 0000.0080.00d0 in all VLANs, enter the following:
RUCKUS1# clear mac-address 0000.0080.00d0
Syntax: clear mac‐address [ mac‐address | ethernet unit/slot/port | lag lag‐id | vlan vlan‐id ]
19 © 2022 CommScope, Inc.

There are several options for clearing MAC addresses on RUCKUS ICX hardware using the
clear mac‐access command. You can clear:
‐All MAC entries for the entire switch
‐All MACs for a specific ethernet port (or lag)
‐All MACs for a specific VLAN
‐Or you can specify a MAC to clear, which you would want to do if you were trying to clear
a stuck MAC
If you enter clear mac‐address without any parameter, the software removes all MAC
address entries.
Specifying a mac‐address will remove that specific MAC address from all VLANs. Specify the
MAC address in the following format: HHHH.HHHH.HHHH.
Use the ethernet unit/slot/port parameter to remove all MAC addresses for a specific
Ethernet port.
Use the vlan‐id parameter to remove all MAC addresses for a specific VLAN.
When a MAC move occurs due to end host roaming via AP or because of failover, the ICX
management software should move the MAC address from the old port to the
specified new port it has learned in its forwarding table. It is good practice to look
at the mac table to ensure that the MAC to port binding is accurate and that the
frames for that host are accurate. Occasionally due to certain circumstances this
process does not take place or the MAC address remains bound to the original port.
In this event the MAC needs to be removed using a manual process.

Note: Static MAC entries are not removed.

Revision 2212 14 ‐ 19
ICX 150 Design, Implementation, and Troubleshooting

Helpful Layer 2 Discovery Tools

• Leverage Layer 2 neighbor discovery protocols to:
– Map out network topology
– Verify correct wiring
– Discover possible loops in the environment
– Verify correct data path flows

• Enable Link Layer Discovery Protocol (optionally Foundry Discovery Protocol)

on all devices to verify topology and connectivity
RUCKUS1(config)# lldp run
or
RUCKUS1(config)# fdp run
• Both commands when run in global config enable all ports for send/receive
discovery packets
20 © 2022 CommScope, Inc.

Leverage Layer 2 discovery protocols such as LLDP to map out and verify device
connectivity. Using commands such as show lldp neighbors and show lldp
neighbors detail you can see connected devices at a port level and get details
regarding their capabilities and configuration.

Note: By default, LLDP is enabled.

Revision 2212 14 ‐ 20
ICX 150 Design, Implementation, and Troubleshooting

Troubleshooting With ICMP

• Internet Control Message Protocol provides an effective way to test L3 connectivity within a
network
– Address Resolution Protocol table within the ICX maps an IP address to MAC address
RUCKUS1# ping 10.1.1.1
Sending 1, 16-byte ICMP Echo to 10.1.1.1, timeout 5000 msec, TTL 64
Type Control-c to abort
Reply from 10.1.1.1 : bytes=16 time=1ms TTL=64
Success rate is 100 percent (1/1), round-trip min/avg/max=1/1/1 ms.

Syntax: ping { ip‐addr | host‐name | vrf vrf‐name | ipv6 [ ipv6‐addr | host‐name | vrf vrf‐name ] [ outgoing‐interface type
number ] } [ source ip‐addr ] [ count num ] [ timeout msec ] [ ttl num ] [ size num ] [ quiet ] [ numeric ] [ nofragment ] [ verify ] [ data 1‐to‐4‐byte‐hex ] [ brief [ max‐print‐per‐sec number ] ]

• Occasionally IP‐to‐MAC mapping can be incorrect or needs to be cleared due to changes in

the network
– Clearing of ARP entries can be done on an individual interface or for a specific IP address

RUCKUS1# clear arp 10.1.1.1

– Static ARP entries are not removed
o To remove a static ARP entry, it must be deleted in configuration
21 © 2022 CommScope, Inc.

Issuing the ping command followed by a host‐name or IP address administrators can verify
IP connectivity directly from ICX switches. It should be noted that on devices running Layer
3 code the ping command will use the default VRF if no VRF has been specified.

Much like MAC addresses can be cleared from the MAC table, IP addresses can be cleared
from the ARP table using the clear arp command. Entries for a specific ethernet, LAG,
or VE interface can be removed. You can also choose to clear dynamic or pending ARP
entries. You can also target a single IP address to clear as well. Note however, that any
statically defined ARP entries can only be removed by removing the associated
configuration.

Static ARP entries binding an IP to a MAC can be configured using the ARP command.

Syntax: clear arp ip‐address mac‐address { ethernet unit/slot/port | lag lag‐id | inspection }

Revision 2212 14 ‐ 21
ICX 150 Design, Implementation, and Troubleshooting

Verify VLAN Information and Configuration

• If hosts within the same VLAN cannot communicate, verify their VLAN
membership and configuration
– Use the show vlan command to verify switch port access membership

PORT-VLAN 10, Name [None],

Untagged Ports: (U1/M1)
Tagged Ports: (U1/M1) 2 12

e 1/1/2 e 1/1/12 e 1/1/11 e 1/1/12 e 1/1/11 e 1/1/12 e 1/1/11 e 1/1/8

10.2.1.12 10.2.1.20

In this scenario the user is not able to reach its destination which is within the
same subnet. With current information provided, what might be the problem?
22 © 2022 CommScope, Inc.

We have four switches that are connected linearly, with one PC on each end. These PCs are
within the same subnet and are expected to be able to communicate.

As shown here the access port of the host at 10.2.1.12 is configured as a tagged port,
although the host is not sending tagged frames. This causes the host frames to either be
placed in the default VLAN of that port or to be dropped.

In our case VLAN 1 is still the default VLAN and is where untagged traffic on this port will be
placed.

Revision 2212 14 ‐ 22
ICX 150 Design, Implementation, and Troubleshooting

Verify VLAN Information and Configuration

• If hosts within the same VLAN cannot communicate, verify their VLAN
membership and configuration
– Use the show vlan command to verify switch port access membership

PORT-VLAN 10, Name [None],

Untagged Ports: (U1/M1) 2
Tagged Ports: (U1/M1) 12

e 1/1/2 e 1/1/12 e 1/1/11 e 1/1/12 e 1/1/11 e 1/1/12 e 1/1/11 e 1/1/8

10.2.1.12 10.2.1.20

With port 1/1/2 configured as untagged in VLAN 10, the frames from the PC on
the left will be placed into the correct VLAN.
23 © 2022 CommScope, Inc.

Now with VLAN 10 reconfigured, untagged frames coming from 1/1/2 are correctly placed
into VLAN 10. Once we make port 1/1/2 untagged in VLAN 10, it is removed as untagged on
the default VLAN.

Revision 2212 14 ‐ 23
ICX 150 Design, Implementation, and Troubleshooting

Verify VLAN Information and Configuration

• If hosts within the same VLAN cannot communicate, verify their VLAN
membership and configuration
– Use show vlan command to verify switch port access membership
– Verify proper tagged/untagged assignments to adjacent switches

PORT-VLAN 10, Name [None], PORT-VLAN 10, Name [None], PORT-VLAN 10, Name [None],
Untagged Ports: (U1/M1) 2 Untagged Ports: (U1/M1) Untagged Ports: (U1/M1) 11
Tagged Ports: (U1/M1) 12 Tagged Ports: (U1/M1) 11 12 Tagged Ports: (U1/M1) 12

e 1/1/2 e 1/1/12 e 1/1/11 e 1/1/12 e 1/1/11 e 1/1/12 e 1/1/11 e 1/1/8

10.2.1.12 10.2.1.20

With current information provided, what might be the problem now?

24 © 2022 CommScope, Inc.

However, we still need to verify the entire data path for this VLAN to ensure all switches
along the path are correctly configured for successful delivery of the frame.

When ports along the path remove the VLAN tag the receiving switch must have its port
set up as an access port associated with that VLAN. Mismatch port types
(tagged/untagged) along the path can cause frames to be dropped or to be placed in the
wrong VLAN.

Revision 2212 14 ‐ 24
ICX 150 Design, Implementation, and Troubleshooting

Verify VLAN Information and Configuration

• If hosts within the same VLAN cannot communicate, verify their VLAN
membership and configuration
– Use the show vlan command to verify switch port access membership
– Verify proper tagged/untagged assignments to adjacent switches

PORT-VLAN 10, Name [None], PORT-VLAN 10, Name [None], PORT-VLAN 10, Name [None],
Untagged Ports: (U1/M1) 2 Untagged Ports: (U1/M1) Untagged Ports: (U1/M1)
Tagged Ports: (U1/M1) 12 Tagged Ports: (U1/M1) 11 12 Tagged Ports: (U1/M1) 11 12

e 1/1/2 e 1/1/12 e 1/1/11 e 1/1/12 e 1/1/11 e 1/1/12 e 1/1/11 e 1/1/8

10.2.1.12 10.2.1.20

Tagging both ports 11 and 12 in VLAN 10 on the third switch will allow the
tagged VLAN 10 frames to be sent to the fourth switch.

25 © 2022 CommScope, Inc.

In this case we have corrected the mismatched tagging on the third switch, both ports 11
and 12 are now tagged.

Revision 2212 14 ‐ 25
ICX 150 Design, Implementation, and Troubleshooting

Verify VLAN Information and Configuration

• If hosts within the same VLAN cannot communicate, verify their VLAN
membership and configuration
– Use the show vlan command to verify switch port access membership
– Verify proper tagged/untagged assignments to adjacent switches
– Confirm VLAN continuity along data path
PORT-VLAN 10, Name [None], PORT-VLAN 10, Name [None], PORT-VLAN 10, Name [None], PORT-VLAN 11, Name [None],
Untagged Ports: (U1/M1) 2 Untagged Ports: (U1/M1) Untagged Ports: (U1/M1) Untagged Ports: (U1/M1) 8
Tagged Ports: (U1/M1) 12 Tagged Ports: (U1/M1) 11 12 Tagged Ports: (U1/M1) 11 12 Tagged Ports: (U1/M1) 11

e 1/1/2 e 1/1/12 e 1/1/11 e 1/1/12 e 1/1/11 e 1/1/12 e 1/1/11 e 1/1/8

10.2.1.12 10.2.1.20

With current information provided, what might be the problem now?

26 © 2022 CommScope, Inc.

VLAN continuity is important to deliver the frame to its destination in most all cases. Each
switch along the path needs to have the correct VLAN ID configured and the proper ports
are associated in either tagged or untagged depending on its position on its path. In this
case we have the right ports with the correct tags, but it is the incorrect VLAN.

Revision 2212 14 ‐ 26
ICX 150 Design, Implementation, and Troubleshooting

Verify VLAN Information and Configuration

• If hosts within the same VLAN cannot communicate, verify their VLAN
membership and configuration
– Use the show vlan command to verify switch port access membership
– Verify proper tagged/untagged assignments to adjacent switches
– Confirm VLAN continuity along data path
PORT-VLAN 10, Name [None], PORT-VLAN 10, Name [None], PORT-VLAN 10, Name [None], PORT-VLAN 10, Name [None],
Untagged Ports: (U1/M1) 2 Untagged Ports: (U1/M1) Untagged Ports: (U1/M1) Untagged Ports: (U1/M1) 8
Tagged Ports: (U1/M1) 212
12 Tagged Ports: (U1/M1) 11 12 Tagged Ports: (U1/M1) 11 12 Tagged Ports: (U1/M1) 11

e 1/1/2 e 1/1/12 e 1/1/11 e 1/1/12 e 1/1/11 e 1/1/12 e 1/1/11 e 1/1/8

10.2.1.12 10.2.1.20

With VLAN 10 configured on each switch, as well as the proper tag or

untagged port assignments, the PC on the left can communicate with the PC
on the right.
27 © 2022 CommScope, Inc.

Once we have a contiguous VLAN from source to destination we can perform VLAN
communication of the member devices that belong to the same Layer 3 subnet.

Revision 2212 14 ‐ 27
ICX 150 Design, Implementation, and Troubleshooting

Troubleshooting VLANs Summary

• Problems seen are mostly configuration errors

• Use these commands to verify the configuration:

show vlan
show running-config

• Use these commands to verify traffic loss between hosts:

show interface ethernet unit/slot/port
show statistics brief
show rmon statistics
ping <host>

28 © 2022 CommScope, Inc.

Commands such as show vlan or show running-config can help you determine
VLAN configurations. You can then utilize commands previously shown to verify traffic and
connectivity between hosts.

Revision 2212 14 ‐ 28
ICX 150 Design, Implementation, and Troubleshooting

Troubleshooting LAG/LACP Issues

In this section we’ll look at troubleshooting Link Aggregation Groups focusing on

Dynamically created LAGs.

Revision 2212 14 ‐ 29
ICX 150 Design, Implementation, and Troubleshooting

Link Aggregation Groups

• Improperly formed/deployed or malfunctioning LAGs can cause:
– High CPU
– Loops
– Packet loss
– Forwarding issues

• LAG requirements may vary for different vendors and platforms

– Consult LAG formation rules of platforms participating in LAG
– Verify what is supported at both ends:
o Number of links in the LAG
o Specific port boundaries
o Timers (short/long)

30 © 2022 CommScope, Inc.

Improperly configured LAGs can cause issues within your network. When possible, create
Dynamic LACP based LAGs as they provide some stability by being able to exchange
information over the ports to determine their connection status. Dynamic LAGs have the
ability to shut down ports that are no longer active.

You also must be aware of the rules for LAG creation for BOTH sides of the LAG. When
we’re talking about forming a switch to switch LAG and both devices are the same model
type, running the same firmware there will be less to consider. Alternatively, when trying to
create a LAG between a switch and server you have to ensure that you are looking at the
requirements for both sides.

Revision 2212 14 ‐ 30
ICX 150 Design, Implementation, and Troubleshooting

Troubleshooting LAGs
• Whether it’s a static or dynamic LAG, it is important to configure port groups
that are the same number of ports set to the same speed at both ends
– Individual interfaces can only be members of a single LAG

• Troubleshoot Layer 1 to rule out physical issues first:

– Check members port health by using show interface and show statistics
commands1
o If any member ports are experiencing errors it can cause packet loss and may cause
flapping
o Verify that port members are not taking errors within the LAG causing an overall
degradation
– Check if member ports are up or down and the Layer 2 state is in forwarding and not
blocking
– Check optical monitoring for any alarms or warnings

31 © 2022 CommScope, Inc.

When configuring a LAG (either static or dynamic) you must ensure that you are utilizing
the same number of ports on both ends of the LAG, and, that they are the same configured
speeds. Remember that a single interface can only be a member of a single LAG.

When troubleshooting LAG issues always start at Layer 1 to rule out any port specific
issues. Are the ports healthy? Are there errors on any of the associated interfaces? Are
there member interfaces that are down or otherwise blocked? If the LAGs are formed over
fiber connections you can also utilize optical monitoring commands to check that power
levels are within operating range.

Footnote 1: Each port in the LAG will operate at the speed of the slowest link. For example,
if one LAG is created with 2 ports and one port is running at 1 Gbps and the other is
running at 100 Mbps; each link will run at 100 Mbps. This behavior will occur if the ports
are configured to auto, and negotiate to different speeds.

Revision 2212 14 ‐ 31
ICX 150 Design, Implementation, and Troubleshooting

Troubleshooting LAG Considerations

• Other things to consider:
• Verify LAG ports are configured correctly and is enabled on both devices1
• Common issue with newly deployed LAGs is that one end was not configured or incorrect ports configured
• Manually set the speed at the LAG layer (LAG virtual anchor speed) to avoid ports being error disabled
• Individual ports within a LAG can be disabled in configuration causing the port not to be active in a LAG

• Verify LAG threshold is configured properly and is being met2

• If a threshold was configured make sure there are either enough ports active to meet the minimum requirement

• Verify LACP timers match3

• The original IEEE specification says that the state machine starts with a short timeout and moves to a long timeout after
the LAG is established
• Some vendors only use a short timeout value

• General troubleshooting commands for LAGs:

show lag show interface ethernet <unit/slot/port>
show interface lag show statistics brief
show interface lag <id> show cpu
32 © 2022 CommScope, Inc.

Once Layer 1 conditions have been verified you can start to look specifically at the LAG
configuration to ensure that it is enabled and configured properly on both sides. It is not
uncommon for one side to be incorrectly configured or have the wrong ports defined in the
LAG. This is common when you have two administrative teams each configuring a side of
the LAG (network side / server side). Within the LAG configuration you should manually set
the speed for the LAG, this is known as the virtual anchor speed. Every member of the LAG
should be capable of this anchor speed and it should be defined based on the lowest
capable port speed.

If a LAG threshold has been defined you must ensure it was defined properly and that the
defined value is being met, remember when a threshold is defined a LAG not meeting the
threshold will be disabled.

You should then validate that the LACP timer values match between devices. RUCKUS ICX
devices start with a short timeout value and then transition to a long timeout once the LAG
is established. If timers have been manually specified, or if one end of the LAG has a
requirement to specify a timer value then all values should match on both sides.

...Continued on next slide

Revision 2212 14 ‐ 32
ICX 150 Design, Implementation, and Troubleshooting

FULL NOTES
PAGE

<continued from previous slide…>

Footnote 1: If the incorrect ports are configured, port members will act independently and
may cause loops and possibly STP port blocking. Make sure both platforms have the correct
ports configured in the LAG. To ensure LAG speed consistency between disable state and
reboots, manually configure the vLAG port with a set speed which is applied to all
members using:
RUCKUS(config-lag-if-lg1)# speed-duplex 1000-full

Footnote 2:. If there are not enough ports to meet the threshold the LAG will not be active.
device(config)# lag blue static
device(config-lag-blue)# ports ethernet 1/3/1 to 1/3/4
device(config-lag-blue)# trunk-threshold 3

Footnote 3: If you specify neither long nor short, the state machine operates based on the
standard IEEE specification as its default behavior.

Revision 2212 14 ‐ 33
ICX 150 Design, Implementation, and Troubleshooting

Verifying LACP Operation

Verify the LACP status of the member ports
RUCKUS1# show lag blue Ports are set to LACP? Timeout set
<Truncated Output> Active (Yes) or Passive (No) long (L) (default) or short (S)
=== LAG "blue" ID 1 (dynamic Deployed) ===
LAG Configuration:
Ports: e 1/1/10 e 1/1/11 Ports set to aggregation mode
Port Count: 2 Yes (Agg) No (No)
Lag Interface: lg1
Trunk Type: hash-based
LACP Key: 20001
Deployment: HW Trunk ID 1
Port Link State Dupl Speed Trunk Tag Pvid Pri MAC Name LACP port states:
1/1/10 Up Forward Full 1G 1 No 100 0 609c.9fe6.0e48 bluelag Dwn ‐ not a LAG active port
1/1/11 Up Forward Full 1G 1 No 100 0 609c.9fe6.0e48 bluelag Ina ‐ transitioning to Ope
Port [Sys P] [Port P] [ Key ] [Act][Tio][Agg][Syn][Col][Dis][Def][Exp][Ope] state
1/1/10 1 1 20001 Yes L Agg Syn Col Dis No No Ope Ope ‐ Operational
1/1/11 1 1 20001 Yes L Agg Syn Col Dis No No Ope
Partner Info and PDU Statistics
Port Partner Partner LACP LACP Is port in expired state
System ID Key Rx Count Tx Count Yes/No
1/1/10 65535-0011.32a0.e8a1 9 48045 1309850
1/1/11 65535-0011.32a0.e8a1 9 48043 1309839
Port in sync with what is being Collecting traffic received Sending traffic on the port Port using received LACP PDU
received in LACP frames Yes (Col) No (No) Yes (Dis) No (No) parameters (No) or default
Yes (Syn) No (No) (admin defined) (Yes)

34 © 2022 CommScope, Inc.

With the show lag command you can verify LACP values to determine LAG functionality.

In the example shown we can see that ports 10 and 11 are configured as a dynamic LAG
giving us 2 Gbps of bandwidth capacity. We can see the LACP key that is exchanged by LAG
members. We can see that both ports are up, active and forwarding at 1G.

The colored LACP information provides additional detail about the status. Both ports are
actively sending/receiving LACPDUs, they are configured for long timeouts, both ports are
in aggregation mode and are sending traffic. The most important state here is under the
Ope field where we can see both ports in a operational state.

…Continued on next slide

Revision 2212 14 ‐ 34
ICX 150 Design, Implementation, and Troubleshooting

FULL NOTES
PAGE

<continued from previous slide…>

LACP configurations are identified as follows:

Sys P ‐ System Priority
Port P ‐ Port Priority
Key ‐ LACP key
Act ‐ Identifies if ports are set to LACP Active (Yes) or Passive (No)
Tio ‐ Timeout set to long (L) (default) or short (S)
Agg ‐ Is the port set to aggregation mode Yes (Agg) No (No)
Syn ‐ Is port in sync with what is being advertised in received LACP frames
Yes (Syn) No (No)
Col ‐ Collecting traffic received on port Yes (Col) No (No)
Dis ‐ Sending traffic on the port Yes (Dis) No (No)
Def ‐ Is port using received LACP PDU parameters (No) or default (admin
defined) (Yes) parameters
Exp ‐ Is port in expired state Yes/No
Ope ‐ LACP port states:
• Dwn ‐ Down (not active port in the LAG)
• Ina ‐ Port is transitioning to Ope state
• Ope ‐ Operational

Revision 2212 14 ‐ 35
ICX 150 Design, Implementation, and Troubleshooting

Troubleshooting Spanning Tree

In this section we’ll outline some Spanning Tree show commands and discuss how to use
them to resolve Spanning Tree issues.

Revision 2212 14 ‐ 36
ICX 150 Design, Implementation, and Troubleshooting

Troubleshooting Spanning Tree

Useful commands:
– show span
– show 802-1w
– show log
– show interface brief
– show interface <port#>
– show cpu tasks
– show mac-address
– show arp

For detailed command syntax refer to the RUCKUS FastIron Command Reference Guide
which can be found on https://support.ruckuswireless.com/documents/3450‐fastiron‐08‐0‐
95‐ga‐command‐reference‐guide

37 © 2022 CommScope, Inc.

The following commands provide insight into spanning tree configurations and operations.
We outlined the show span and show 802‐1w commands in the Layer 2 redundancy
presentation, refer back to that presentation for a refresher on those commands and their
output. For more detail on all of these commands, refer to the RUCKUS FastIron Command
Reference Guide for your software release.

Revision 2212 14 ‐ 37
ICX 150 Design, Implementation, and Troubleshooting

Spanning Tree – Common Issues

• Loop in network with no STP deployed
– Lack of spanning tree provides no loop detection mechanism

• Route‐only on interface
– BPDU’s will not be processed by a port in route‐only mode

• Spanning Tree BPDU guard configured on aggregation or core layers

– Prevents proper spanning tree operation

• CPU over‐utilization on switches

– BPDUs may not be sent out before max‐age timer expires

• RSTP slow re‐convergence between switches

– admin-pt2pt-mac not configured between switches
– One of the two switches are not compatible or configured for RSTP

38 © 2022 CommScope, Inc.

If Spanning Tree (or other equivalent loop avoidance protocols) is not configured, Layer 2
loops can easily occur. There are common issues that can affect and impede the
performance and normal operation of the Spanning Tree protocol.

If STP ports are configured for half duplex because the auto‐negotiation handshake didn’t
work, STP BPDUs may be lost due to collisions. Use the show interface or show
interface brief command to make sure all ports are in full‐duplex mode.

If a Layer 3 device is running route‐only (either globally or on an individual interface), MAC

learning and Layer 2 forwarding are prevented. As a result, STP BPDUs or any Layer 2 traffic
will not be forwarded.

STP protection features like BPDU guard should only be configured on the edge ports and
never on trunks or on uplinks to other switches.

If the switch CPU is too busy (due to another process) to respond or send BDPUs, STP may
reconverge. Slow reconvergence between switch links can be due to admin‐pt2pt‐mac
configurations not being present on those links or it could be that one of the switches does
not support (or it not configured for) RSTP.

Revision 2212 14 ‐ 38
ICX 150 Design, Implementation, and Troubleshooting

Spanning Tree – Logging

Use the show log command to display recent STP events
•

Switch# show log

Syslog logging: enabled (0 messages dropped, 0 flushes, 30 overruns)
Buffer logging: level ACDMEINW, 362 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error
I=informational N=notification W=warning
<Output Truncated>
Dynamic Log Buffer (4000 lines):
Nov 3 20:14:05:I:STP: VLAN 2 Port 1/1/10 Bridge TC Event (DOT1wTransition)
Nov 3 20:14:05:I:STP: VLAN 2 Port 1/1/10 STP State -> FORWARDING (DOT1wTransition)
Nov 3 20:14:05:I:STP: VLAN 1 Port 1/1/10 Bridge TC Event (FwdDlyExpiry)
Nov 3 20:14:05:I:STP: VLAN 1 Port 1/1/10 STP State -> FORWARDING (FwdDlyExpiry)
Nov 3 20:13:55:I:Security: running-config was potentially changed by super from console
Nov 3 20:13:50:I:STP: VLAN 2 Port 1/1/10 STP State -> LEARNING (DOT1wTransition)
Nov 3 20:13:50:I:STP: VLAN 1 Port 1/1/10 STP State -> LEARNING (FwdDlyExpiry)
Nov 3 20:13:43:I:PORT: 1/1/11 enabled by super from console session.
Nov 3 20:13:34:I:STP: VLAN 1 Port 1/1/9 STP State -> BLOCKING (MakeBlking)
Nov 3 20:13:34:I:STP: VLAN 1 New RootPort: 1/1/10 (RootSelection)
Nov 3 20:13:34:I:STP: VLAN 2 Port 1/1/10 STP State -> BLOCKING (DOT1wTransition)
Nov 3 20:13:34:I:STP: VLAN 1 Port 1/1/10 STP State -> LISTENING (MakeFwding)
Nov 3 20:13:34:I:System: Interface ethernet 1/1/10, state up
<Output Truncated>

39 © 2022 CommScope, Inc.

The show log output is also a good way to see recent STP events. In this output we can
determine a few things. Port 1/1/10 is forwarding traffic for both VLAN 1 and VLAN 2. It
also appears that VLAN 1 is running 802.1D spanning tree (FwdDlyExpiry) while VLAN 2 is
running 802.1W rapid spanning‐tree (DOT1wTransition).

Revision 2212 14 ‐ 39
ICX 150 Design, Implementation, and Troubleshooting

Real‐time Troubleshooting Tools

Here we’ll briefly talk about real‐time troubleshooting that can be performed on ICX
devices.

Revision 2212 14 ‐ 40
ICX 150 Design, Implementation, and Troubleshooting

Live Troubleshooting
• Root cause cannot always be determined by the use of statistics
– Live trace of traffic and processes is necessary to further diagnose issues

• Three possible tools:

– Supportsave
o Allows for the collecting logs from the driver, internal libraries, and firmware

– Debug
o Must know the category of the problem to use this effectively – OSPF, STP, LACP, etc.

– Mirror port
o Allows to capture packets for review using an analyzer
o Requires 3rd party capture tool (Wireshark is common option)

41 © 2022 CommScope, Inc.

Statistical analysis coupled with live troubleshooting is often necessary to fully diagnose an
issue. We’re only going to outline the use of Supportsave in this implementer level
presentation. However you should know that debug typically needs to be explicitly enabled
during live analysis and disabled again when complete. Depending on what you are trying
to debug there will different debug commands used and different levels of debug messages
(from informational to critical).

There is also the concept of port mirroring where you duplicate traffic on one port (monitor
port) and send it to another port (mirror port) for analysis. The client traffic on the port you
are analyzing (monitor port) is not affected by the mirroring process. A protocol analyzer is
hen connected to the mirror port to allow for the inspection of the duplicated traffic.

Revision 2212 14 ‐ 41
ICX 150 Design, Implementation, and Troubleshooting

Supportsave

Of the previously mentioned tools, for this course we will further outline the use of the
supportsave command.

Revision 2212 14 ‐ 42
ICX 150 Design, Implementation, and Troubleshooting

Supportsave
• Utility for collecting logs from the driver, internal libraries, and firmware
• Logs can be sent to technical support1
– Collection of relevant information of different categories as shown below:

o All* ‐ collects os,platform,l2,l3,core & system logs
o Core ‐ collects core & system log files
o Infra ‐ collects infrastructure related
o L2 ‐ collects layer 2 related
o L3 ‐ collects layer 3 related
o OS ‐ collects os related
o Platform ‐ collects platform related
o Spx ‐ collects spx related
o System ‐ collects generic system related
o Custom ‐ collects custom commands
o Add_cust_cmd ‐ add a custom option command
o Del_cust_cmd ‐ delete a custom option command
o List_cust_cmd ‐ lists all stored custom commands

• The supportsave command has the following advantages over the show tech-support command:2
– Allows you to add additional commands to collect additional data
– Allows transfer of the collected data to an external server such as Secure Copy (SCP)

* RUCKUS recommends to use all to collect complete logs

43 © 2022 CommScope, Inc.

We touched on the supportsave command in a previous presentation, so we’ll only briefly

mention it again. Administrators may need to obtain additional targeted information to
provide to technical support engineers. The supportsave all command can be used to
obtain a collection of all logs or specific logs, within a single command. These logs are sent
directly from the device to a TFTP or SCP server. Administrators using supportsave can also
add up to 32 custom CLI commands to be gathered at runtime.

When executing the supportsave command, wait for the command to finish processing
before entering additional CLI commands. The time it takes for supportsave to complete
depends on the number of collections plus any custom CLI output that has been requested.
Once the command has completed the requested output will be available on the remote
destination in a compressed archive file.

Footnote 1: The supportsave is an important utility for collecting logs from the driver,
internal libraries, and firmware. The collected logs are shared with the technical support
personnel for investigating issues seen on the device. It is recommended to use the all
variable to collect complete logs. There are many variables when it comes to support save
so refer to the FastIron debug command reference guide for more details.

Footnote 2: It is a best practice to create a healthy baseline supportsave of your network

environment to be used as a comparison when trying to diagnose network issues and
periodically update it according to the change management cycle of your network. Up to
date supportsaves can provide critical information to help quickly resolve network outages.

Revision 2212 14 ‐ 43
ICX 150 Design, Implementation, and Troubleshooting

Now that you have completed this

presentation you should be able to:
• Perform tasks in network design planning
– Identify requirements
– Site Survey
– Installation
– Testing
Summary – Documentation
• Utilize basic troubleshooting commands
– Identify Layer 1 and 2 problems
• Troubleshoot LAG, VLAN, and Spanning Tree

You should now be able to identify and perform tasks associated with network design:

This includes identifying customer requirements. Performing site surveys of the physical
environment. Having an overall plan for installation and then executing pre‐defined tests
post installation. We also discussed the importance of turning documentation over to the
customer once the installation is completed

We then discussed basic troubleshooting of Layer 1 and Layer 2 using show commands. We
presented a VLAN tagging scenario and identified improper configurations. Finally we
outlined commands that can be utilized to obtain the status of LAG connections and
Spanning Tree Protocols.

Revision 2212 14 ‐ 44
ICX 150 Design, Implementation, and Troubleshooting

End of Presentation:
Design, Implementation, &
Troubleshooting

This is the end of the presentation on design, implementation and troubleshooting.

Revision 2212 14 ‐ 45
ICX 150 Design, Implementation, and Troubleshooting

Revision 2212 14 ‐ 46
ICX 150 FI 09.0.xx Features

FastIron 09.0.xx Features

Revision 2212

This presentation will provide an overview new hardware and a subset of software features
introduced in the FastIron 09.0.xx releases.

Revision 2212 15 ‐ 1
ICX 150 FI 09.0.xx Features

After completing this presentation, you will

be able to:

• Identify the new ICX 7850 hardware and

features

Objectives • Describe:
– 1Gbps breakout ports
– Configuration archive, reload and rollback services
– Copying UFI and manifest files to a USB
– Flexlink L2 redundancy protocol

• View and manage ICX products using the

Web UI

After completing this presentation, you will be able to Identify some of the features and
enhancements related to the FastIron 9.0.10 release including:
• New ICX 7850 hardware and features
• You will be able to describe:
– 1Gbps breakout ports
– Configuration archive, reload and rollback services
– The process of copying UFI and manifest files to a USB
– Flexlink L2 redundancy protocol
• As well as how to view and manage ICX products using the updated FI 9.x Web UI

Revision 2212 15 ‐ 2
ICX 150 FI 09.0.xx Features

FastIron 09.0.10a Minimum Requirement

Before upgrading to FastIron 9.x please

review support.ruckuswireless.com to
determine the appropriate version of 9.0.xx
for your device, and be sure to review the
release notes

3 © 2022 CommScope, Inc.

If you are considering an upgrade to FastIron 9.x check out our the
support.ruckuswireless.com site to determine the correct version for your hardware. At the
time this presentation was created, version 09.0.10a is the minimum available for
download.

Once you’ve determined your specific release candidate be sure to review the review the
release notes to confirm specific features, hardware support and other upgrade
information.

Revision 2212 15 ‐ 3
ICX 150 FI 09.0.xx Features

Hardware

Let’s take a look at a new ICX 7850 hardware model for FastIron 9.x.

Revision 2212 15 ‐ 4
ICX 150 FI 09.0.xx Features

Expanding the ICX 7850 Family – ICX7850‐48C

ICX 7850 Current Family

ICX7850‐32Q Aggregation/Core/Spine Switch ICX7850‐48C

48 × 1G/10G RJ45 ports; 8 x 40G/100G QSFP28 ports
Top of Rack Data Center
ICX7850‐48F Aggregation/Core/Leaf Switch
High Performance Workstation interconnect‐aggregation
10G Copper Wiring Closet Aggregation

ICX7850‐48FS Secure Aggregation/Core/Leaf Switch

5 © 2022 CommScope, Inc.

FastIron 09.0.xx provides support for the new ICX7850‐48C core/aggregation switch. This
new model enhances the existing line of ICX7850 fiber port switches with a model that
includes 48 1G/10G copper ports.

Note: Support for the ICX7750 family of switches has been discontinued in FI 09.0.xx.

Revision 2212 15 ‐ 5
ICX 150 FI 09.0.xx Features

ICX7850 Model Comparisons

Key Features ICX7850‐48C ICX7850‐32Q ICX7850‐48F ICX7850‐48FS
Media Type Copper/Fiber Fiber Fiber Fiber

1588 N/A Available NA Available

SyncE N/A Available on 32 Ports NA Available on First 12 ports

Uplink Support 8×100G QSFP28 8×100G QSFP28 8×100G QSFP28 8×100G QSFP28

Stacking Support Up to 8×100G/40G Up to 8×100G/40G Up to 8×100G/40G Up to 8×100G/40G

User ports 48×1G/10G Up to 32×100G/40G 48× 2.5G/10G/1G 48×1G/10G

Yes, on 10G-capable ports

MACsec No No No
(128/256-bit)

PSU type RPS19; RPS19DC RPS19; RPS19DC RPS19; RPS19DC RPS19; RPS19DC

System power if 2 × PSU are System power if 2 × PSU are System power if 2 × PSU are System power if 2x PSU are
Redundancy
installed installed installed installed

Yes, if 5 × fan tray are installed Yes, if 6 × fan tray are installed Yes, if 5 × fan tray are installed Yes, if 5 × fan tray are installed
Fan Redundancy
(Allow 1 fan failed) (Allow 1 fan failed) (Allow 1 fan failed) (Allow 1 fan failed)

6 © 2022 CommScope, Inc.

Here we see a side‐by‐side comparison of the different ICX7850 models and features with
the new model offering 48 × 10G/1G copper ports.

Revision 2212 15 ‐ 6
ICX 150 FI 09.0.xx Features

Software Features and

Enhancements to FI 09.0.xx

Let’s look at some of the software features and enhancements available in FastIron 9.0.xx

Revision 2212 15 ‐ 7
ICX 150 FI 09.0.xx Features

1Gbps Breakout Ports

First, we will explore the 1G Breakout port feature.

Revision 2212 15 ‐ 8
ICX 150 FI 09.0.xx Features

1Gbps Breakout
• Enables 10Gbps breakout ports to be configured into 1Gbps ports dynamically
– This feature is only supported on the ICX 7850 and ICX 7550 switches
– A reload is required to set the breakout on the interface, however broken out ports can have their
speeds set to 1Gbps without additional reload
– 1G breakout ports are supported by a limited set of optics

• Each breakout port works according to its configured speed setting; however, not all the
breakout ports need to be configured at the same speed
• 1Gbps breakout:
ICX# configure terminal
ICX(config)# breakout ethernet 1/2/1
ICX(config)# exit
ICX# write memory
ICX# reload
<truncated output. . .>
ICX (config)# interface ethernet 1/2/1:2

9 © 2022 CommScope, Inc.

The 1Gbps feature allows the resulting 10Gbps breakout ports (broken from a 40Gbps port)
to be configured into 1Gbps ports dynamically. While the initial configuration of the
breakout does require a reload, subsequent speed changes to the broken out ports will not.
This feature is only supported on the ICX 7850 and ICX 7550 switches and is supported by a
limited set of optics. The 1Gbps breakout feature does not require all the breakout ports to
be configured at the same speed, such that each breakout port works according to its
configured speed setting. The breakout port is shown as subport ‘:2’ on the 1/2/1 interface.

Note: 7750 models do require slot 2 to be configured for 1‐Gbps uplink mode before
configuring the 1G breakout ports, meaning the ports cannot be configured as stack ports
and still utilize 1G breakout.

For more details on Breakout ports, refer to the RUCKUS FastIron Management
Configuration Guide, 09.0.10.

For more details regarding Optics, refer to the RUCKUS Ethernet Optics Data Sheet.

Revision 2212 15 ‐ 9
ICX 150 FI 09.0.xx Features

Configuration Archive, Reload & Roll Back

We will explore a few configuration management features.

Revision 2212 15 ‐ 10
ICX 150 FI 09.0.xx Features

Configuration Archive Files

• With FI 09.0.xx, all ICX switches and routers can manage multiple configuration files
in flash
– Provides the flexibility to save multiple configuration files and to change the system
configuration as needed
– Archive naming convention requires archive names to be prefixed with a pre‐defined
string of 'ICX7K_ARCHIVE’ followed by a numeric value 00‐99
– Archives can be created, copied, deleted, renamed, and compared

• The maximum number of archive files that can be stored on an ICX is 100,
this value is configurable, with a minimum value of 5

• To change the number of archive files to 25

ICX#cfg-archive management archive-size 25

11 © 2022 CommScope, Inc.

With FI 09.0.xx, all ICX switches and routers can manage multiple configuration files in flash
known as archive files. This provides the flexibility to save multiple configuration files and
change the system configuration as needed. The archive naming convention requires the
archive filename to be prefixed with a predefined case‐sensitive string of
ICX7K_ARCHIVE_ followed by numeric value ranging from 00 to 99 (two digits are
required). The maximum number of archive files that can be stored is 100, and the
minimum configurable value is five. The example shows the archive value being set to 25
files.

For more details, refer to the RUCKUS FastIron Management Configuration Guide, 09.0.10.

Revision 2212 15 ‐ 11
ICX 150 FI 09.0.xx Features

Create Configuration Archives

• Create an archive file by copying the running config

ICX# cfg-archive management copy-running-config ICX7K_ARCHIVE_01

create ICX7K_ARCHIVE_01 from the running configuration

• Create an archive file by coping the startup‐config.txt to an archive file

ICX#cfg-archive management copy /fast_iron/startup-config.txt to ICX7K_ARCHIVE_02

copy /fast_iron/startup-config.txt to ICX7K_ARCHIVE_02
startup-config.txt is copied to ICX7K_ARCHIVE_02

12 © 2022 CommScope, Inc.

You can create an archive file of either the running‐config or the startup‐config using the
cfg-archive management command.

Revision 2212 15 ‐ 12
ICX 150 FI 09.0.xx Features

Comparing Configuration Files

• You can view the contextual differences between the running‐config and a
specified archive file, in this example the files are identical

ICX# cfg-archive management compare-running-config ICX7K_ARCHIVE_02

compare ICX7K_ARCHIVE_02 with the running configuration
It may take time to get the result. Please wait patiently
The running-config and ICX7K_ARCHIVE_02 are same.

13 © 2022 CommScope, Inc.

It is possible to view the differences between the running configuration and a specified
archive file. In the example, the two configurations are contextually identical.

Revision 2212 15 ‐ 13
ICX 150 FI 09.0.xx Features

Comparing Configuration Archive Files

• You can view the contextual differences between two archive files and the
comparison output is prefixed with '+' or '‐’.

ICX#cfg-archive management compare-archives ICX7K_ARCHIVE_01 with ICX7K_ARCHIVE_03

compare ICX7K_ARCHIVE_01 with ICX7K_ARCHIVE_03
It may take time to get the result. Please wait patiently.
--- baseline
+++ comparison
+ 1: aaa authentication login default local
+ 2: hostname ICX

14 © 2022 CommScope, Inc.

Here we see the comparison of two archive files. The primary difference is that the
hostname value was changed to “ICX” and captured in ICX7_ARCHIVE_03. That
difference is noted in the last line of the output preceded with a “+”.

Revision 2212 15 ‐ 14
ICX 150 FI 09.0.xx Features

Configuration Reload
• The system can be reloaded with a specific configuration archive

ICX#cfg-archive management reload-with-archive pri ICX7K_ARCHIVE_01

** Reload from Primary partition with an archive ICX7K_ARCHIVE_1 **
About to reload with the archive.
!!! Warning !!! Reloading will cause the current running configuration
to be lost if not archived.
Are you sure you want to reload? (enter 'y' or 'n’):

15 © 2022 CommScope, Inc.

The system can be reloaded using a specific archived configuration file. In this example,
ICX7K_ARCHIVE_01 will be loaded into the primary partition. As part of this process,
you will be prompted to confirm that you want to reload the system.

Revision 2212 15 ‐ 15
ICX 150 FI 09.0.xx Features

Configuration Archive Roll Back

• Provides the capability to revert or roll back to a previous configuration if the
changed running configuration is not saved to the non‐volatile memory within
a predefined time
– Reminds the administrator that the running configuration has been changed and
those changes have not been saved
– The write memory command must be issued before the timer expires, or the
system will reload automatically using the golden archive

• The archive auto‐revert feature needs to be enabled to take effect:

ICX#cfg-archive revert enable

Auto-revert - Activated

16 © 2022 CommScope, Inc.

The auto‐revert feature provides the ability to roll back to a previous known‐good
configuration if the changed running configuration is not saved to the non‐volatile memory
within a configurable predefined time period. This can act as a fail‐safe mechanism for
administrators who are managing systems in remote environments or dark datacenters. If
the write memory command is not issued before the timer expires, the system will reload
automatically using the known‐good archive.

Revision 2212 15 ‐ 16
ICX 150 FI 09.0.xx Features

Copy UFI and Manifest from flash to USB

We will look at the new CLI to copy the UFI and Manifest from flash to USB.

Revision 2212 15 ‐ 17
ICX 150 FI 09.0.xx Features

Copy UFI and Manifest from Flash to USB

• ICX supports the ability to copy the UFI Image and Manifest package from
system flash to a USB using the CLI
– Can make a backup of the UFI or manifest package to a USB prior any upgrade
– The resulting USB can be used to recover that same ICX, or used to deploy a new
switch of the same model

• During a system manifest package copy from flash to the USB, the system will
automatically copy the manifest file, UFI Image, UFI Signature and
configuration file

• With a manifest package copy, only one current running image type per
platform, either routing or switching, can be stored on the USB at any time,
any subsequent copy from flash to USB will override the existing image on the
USB
18 © 2022 CommScope, Inc.

ICX platforms support the ability to copy the UFI image and manifest package from the
system flash to a USB using the CLI. You can make a backup of the current running‐config
and FastIron image onto a USB. The resulting USB can be used to recover that same ICX or
used to deploy new switches of the same model. The system will copy the manifest files,
UFI image, UFI signature and configuration file during a manifest package copy from flash
to the USB. With the manifest package copy, only one current running image type per
platform, either routing or switching, can be stored on the USB at a time.

For more details, refer to the RUCKUS FastIron Management Configuration Guide, 09.0.10.

Revision 2212 15 ‐ 18
ICX 150 FI 09.0.xx Features

Copy UFI and Manifest from Flash to USB

• To copy the primary partition's UFI image to USB and view the file
ICX#copy flash disk0 ufi-primary Pri9010UFI.bin
Parameter Validation Successful
UFI Image Upload to USB started
UFI Image Upload to USB Done
UFI Image Upload Complete

ICX# show files disk0

F 90634558 Pri9010UFI.bin
D 32768 [----] disk0/System Volume Information
<Output Truncated>
90634558 bytes 1 File(s) in disk0

1.8G bytes Free in disk0

19 © 2022 CommScope, Inc.

Here we see the copy command to copy the primary partition’s UFI image from flash to the
USB followed by the display of contents of the USB after the copy is complete.

The manifest file can also be copied onto the USB, building on the above example:

ICX#copy flash disk0 system-manifest

Parameter Validation Successful
USB Manifest Upload in progress...
Manifest file Upload to USB Done
Signature Upload to USB started
Application exception

ICX# show files disk0

F 90634558 Pri9010UFI.bin
F 184 FI09010_Manifest.txt
D 32768 [----] disk0/ICX7150
D 32768 [----] disk0/System Volume Information

90634742 bytes 2 File(s) in disk0

1.8G bytes Free in disk0

Revision 2212 15 ‐ 19
ICX 150 FI 09.0.xx Features

Flexlink

We will look at the Layer 2 Flexlink feature.

Revision 2212 15 ‐ 20
ICX 150 FI 09.0.xx Features

Flexlink
• Flexlink is a RUCKUS proprietary link redundancy feature that provides
Layer 2 resilience
– It is an alternative to Spanning Tree Protocol (STP) as it provides link redundancy
and faster network convergence than STP and its variants, RSTP and MSTP
– Provides immediate convergence the moment a link goes down
– Typically, it is deployed at the access layer where the switch has dual uplinks to
the aggregation/distribution layer
– No configuration is required on the adjacent peer switch or backup interface
– This RUCKUS L2 implementation will work with other network vendors switches

• Preemption can be configured to designate the preferred interface for

forwarding traffic

21 © 2022 CommScope, Inc.

Flexlink is a RUCKUS proprietary link redundancy feature that provides Layer 2 resiliency. It
is an alternative to Spanning Tree Protocol (STP) as it provides link redundancy and faster
network convergence than STP and its variants, RSTP and MSTP. It provides immediate
convergence the moment a link goes down. Typically, it is deployed at the access layer
where the switch has dual uplinks to the aggregation/distribution layer. No configuration is
required on the adjacent peer switch or backup interface. This RUCKUS L2 redundancy
implementation will work with other network vendors switches.

Preemption can be configured to designate the preferred interface for forwarding traffic.
When the active link fails, the backup will take over and forward the traffic. By default, the
preemption mode is "off". When preemption is configured to “forced” mode, the
configured active interface will have precedence to forward the traffic.

For more details, refer to the RUCKUS FastIron L2 Switching Configuration Guide, 09.0.10.

Revision 2212 15 ‐ 21
ICX 150 FI 09.0.xx Features

Flexlink Configuration
• Configure eth 1/1/1 as the active link and Lag 10 as the backup

ICX#conf terminal
ICX(config)#interface e 1/1/1
ICX(config-if-e1000-1/1/1)#flexlink backup lag 10
ICX(config-if-e1000-1/1/1)#flexlink preemption forced
ICX(config-if-e1000-1/1/1)#flexlink preemption delay 30

22 © 2022 CommScope, Inc.

Here we can see that Flexlink is configured on eth 1/1/1 as the active link and Lag 10 as the
backup link. In this example, preemption is enabled as ‘forced’. When the link status of the
configured active interface comes back up after a failover, it preempts the current active
link (configured backup interface) and takes over traffic forwarding. Additionally, a time
delay of 30 seconds has been set. This time period must expire before the backup link
(configured active) can preempt the current active interface and take over traffic
forwarding.

Revision 2212 15 ‐ 22
ICX 150 FI 09.0.xx Features

Flexlink Considerations
• A maximum of 32 Flexlink instances can be configured
• Flexlink is supported on LAG interfaces
• Flexlink is supported in a stacking configuration
– Flexlink interfaces must be part of the same VLAN domain
– The addition and deletion of Flexlink interfaces on the VLAN must be organized as a port pair
• The forwarding state of the Flexlink interfaces are controlled by Flexlink feature, so other Layer2 features cannot co‐
exist on those interfaces, such as:
– Spanning Tree Protocol (STP)
– Per‐VLAN protocols (MRP, VSRP)
– Private VLAN (PVLAN)
– Port MAC security (PMS)
– Protected ports
– Flexible Authentication
– Loop detection
• ACL configurations can be applied, but ingress or egress traffic on the backup link will not take effect

23 © 2022 CommScope, Inc.

• A maximum of 32 Flexlink instances can be configured

• Flexlink is supported on LAG interfaces
• Flexlink is supported in a stacking configuration
– Flexlink interfaces must be part of the same VLAN domain
– The addition and deletion of Flexlink interfaces on the VLAN must be organized
as a port pair
• The forwarding state of the Flexlink interfaces are controlled by Flexlink feature, so other
Layer2 features cannot co‐exist on those interfaces. The following features cannot be
enabled on Flexlink interfaces:
– Spanning Tree Protocol (STP)
– Per‐VLAN protocols (MRP, VSRP)
– Private VLAN (PVLAN)
– Port MAC security (PMS)
– Protected ports
– Flexible Authentication
– Loop detection
• ACL configurations can be applied, but ingress or egress traffic on the backup link will
not take effect

Revision 2212 15 ‐ 23
ICX 150 FI 09.0.xx Features

Secure Wipe

Let’s explore the new Secure Wipe security feature.

Revision 2212 15 ‐ 24
ICX 150 FI 09.0.xx Features

Secure Wipe
• The Secure Wipe feature securely erases the flash contents permanently as
per DoD 5220.22‐M standards and then reinstalls the ICX device

• This process involves overwriting the previously stored data on hard disk or
solid‐state storage with a specific binary patterns repeatedly through a
specific number of passes, followed by verification at the end of the final pass

• There three different types of secure wipes:

– Single Pass: Overwrites all addressable locations with a random bit pattern
– 3‐Pass (DoD 5220.22‐M [E]): Overwrites with specific binary patterns repeatedly
through three passes followed by verification
– 7‐Pass (DoD 5220.22‐M [ECE]): Overwrites with specific binary patterns repeatedly
through seven passes followed by verification
25 © 2022 CommScope, Inc.

Secure Wipe securely erases the flash contents by overwriting the previously stored data
on hard disk or solid state storage with a specific binary patterns repeatedly through a
specific number of passes, followed by verification at the end of the final pass to achieve
DoD 5220.22‐M standards.

There are three different levels of secure wipe, Single pass, triple pass and seven pass.

Only a user with Super User level privileges can perform secure wipe, and it cannot be
initiated from an SSH and Telnet session.

For more details, refer to the RUCKUS FastIron Management Configuration Guide, 09.0.10.

Revision 2212 15 ‐ 25
ICX 150 FI 09.0.xx Features

09.0.xx Web UI

We will take a brief look at the new Web user interface.

Revision 2212 15 ‐ 26
ICX 150 FI 09.0.xx Features

Web User Interface Enhancements

• The 09.0.xx web UI has a new look and feel and allows users to manage and
monitor a single RUCKUS device or a group of RUCKUS devices
• The UI can be accessed from a management IP using a web browser using an
HTTPs or HTTP connection
• Supported web browser include:
– Google Chrome
– Mozilla Firefox
– Microsoft Edge
– Safari
– Chromium
– Opera

27 © 2022 CommScope, Inc.

The 09.0.xx web user interface has a new look and feel and allows users to manage and
monitor a single RUCKUS device or a group of RUCKUS devices. The UI can be accessed by
entering the management IP into a web browser. Both HTTPs or HTTP are supported, and
with an FI 9.0.xx firmware upgrade, HTTPS will be enabled by default. TLS versions 1.1 and
1.2 are supported.

The Supported web browsers include Google Chrome, Mozilla Firefox, Microsoft Edge,
Safari, Chromium, and Opera .

For more details, refer to the RUCKUS FastIron Web Management Interface User Guide,
09.0.10.

Revision 2212 15 ‐ 27
ICX 150 FI 09.0.xx Features

Dashboard
• The UI is divided into three panes which provide elements to display device
information, perform administrative tasks, and monitor configuration status

28 © 2022 CommScope, Inc.

The Web Management Interface is divided into three panes which provide various user
interface elements to display device information, perform administrative tasks, and
monitor configuration status. Along the left you can see the menu and sub‐menu items
showing administrative tasks. On the top right is the header pane. From the header pane
you can manage device reloads, write memory, launch a CLI session and display current
logged‐in user information. The main pane displays configuration details, configuration
options, charts, stack units, ports, and chassis panels, tables, lists, and miscellaneous
information specific to the selected menu item.

Revision 2212 15 ‐ 28
ICX 150 FI 09.0.xx Features

SupportSave
• A SupportSave collects logs from different ICX modules that can be useful
when troubleshooting an issue
• A SupportSave can be captured by selecting Management ‐> Infra from the
menu and clicking on the Start button in the SUPPORT SAVE pane.
– This will generate two
.tgz files
– These files are copied
over an HTTPS channel
to the download location
– The supportsave must
complete before any
additional navigation
can occur
29 © 2022 CommScope, Inc.

Under the Management menu option, select Infra and we can see the SupportSave feature
pane. When you click the Start button in the Support Save pane on the web interface, the
request is sent to the ICX device, which begins to collect the supportsave logs and put them
into two files with .tgz extensions. One of the .tgz files contains the core and log files. The
second contains the show command output. The files are copied over an HTTPS channel to
the download location.

If you are running supportsave from the web interface for the first time, a dialog box is
displayed requesting permission to download multiple files. You must select Allow to
confirm the multiple file download. The supportsave must complete before any additional
navigation can occur.

Revision 2212 15 ‐ 29
ICX 150 FI 09.0.xx Features

You should now be able to:

• Identify the new ICX 7850 hardware and
features

• Describe:
– 1Gbps breakout ports
Summary – Configuration archive, reload and rollback
services
– Copying UFI and manifest files to a USB
– Flexlink L2 redundancy protocol

• View and manage ICX products using the

Web UI

You should be able to:

• Identify the new ICX 7850 hardware and features
• Describe:
– 1Gbps breakout ports
– Configuration archive, reload and rollback services
– Copying UFI and manifest files to a USB
– Flexlink L2 redundancy protocol
• View and manage ICX products using the Web UI

Revision 2212 15 ‐ 30
ICX 150 FI 09.0.xx Features

End of Presentation:
FI 09.0.xx Features

Thank you

This is the end of the presentation, FI 09.0.xx Features overview.

Revision 2212 15 ‐ 31
ICX 150 FI 09.0.xx Features

Revision 2212 15 ‐ 32