Ruckus ICX7150-C12P – Initial Configuration

This post covers the initial steps required to configure a Ruckus ICX 7150 switch.  Topics covered here include:

  • Console Access
  • Setting the switch hostname
  • Assigning an IP address
  • Enabling SSH access
  • Setting a username and password

Further configuration will be covered in later posts.

Console Access

All initial configuration tasks must be completed via the console interface on the front of the switch.  The Ruckus ICX7150-C12P has two console interfaces.  The first you will notice is the standard RJ-45 interface and the second is the more modern USB-C interface placed in the top left corner of the front of the switch.  You can use either of these interfaces with a terminal emulator program of your choice.

RJ-45 Console access

The switch ships with an RJ-45 to DB-9 serial console cable in the box, I imagine because it is more compatible with all the other switches out there!  To use this you will need a USB to RS-232 DB9 male serial cable with the relevant drivers to make it work.

USB-C Console Access

To use the USB-C port you simply need a USB data cable with a USB-C connection on one end and a compatible connection for your laptop on the other.  If your laptop uses the regular USB ports, you will need a USB Type-A to USB-C data cable.  On newer laptops like the MacBook Pros that come only with USB-C ports, you will need a USB-C to USB-C data cable.  Some notes here:

  • Most common operating systems (Windows, macOS etc) already have the necessary FTDI drivers for this USB connection, so you shouldn’t need to do anything additional to get this to work.
  • If the connection doesn’t work at first, check that you are in fact using a data cable and not a charging cable.  I have made this mistake before and wasted quite some time fidgeting with drivers etc before realizing my cable was a charging cable and not a data cable, and therefore unable to actually move any serial data.
  • If you are aware that you don’t have the FTDI drivers, or the connection doesn’t load even after you’ve double checked the cable type, you can get them from the support site or here.  You should download the VCP drivers.

Serial Port Settings

The serial port settings are detailed in the table below:

Parameter      Value
Baud Rate      9600
Data Bits      8
Parity         None
Stop Bits      1
Flow Control   None

 

Configuration Tasks

Setting the Switch Hostname

First thing to do now is set the switch hostname, so we can always know which switch it is we are looking at.

ICX7150-C12 Switch>enable
No password has been assigned yet...
ICX7150-C12 Switch#conf t
ICX7150-C12 Switch(config)#hostname RobLab_7150_C12P_1
RobLab_7150_C12P_1(config)#

Assigning an IP Address

We need to give our switch an IP address so we can manage it via something a little more convenient than the console cable.

RobLab_7150_C12P_1(config)#ip address 172.31.0.1/24
RobLab_7150_C12P_1(config)#

Enabling SSH Access

Now that we have a hostname and an IP address, we want to enable SSH access to the switch.  First we need to tell the switch to generate a set of keys to be used for SSH access:

RobLab_7150_C12P_1(config)#crypto key generate rsa modulus 2048
RobLab_7150_C12P_1(config)#
Creating RSA key pair, please wait...
RSA Key pair is successfully created
RobLab_7150_C12P_1(config)# 

Note: DSA keys have been deprecated by OpenSSH as they are no longer considered secure. I believe the original reason for this is a weakness in some Debian Linux systems with a flawed pseudo-random number generator.  The main takeaway is that if your DSA key gets used in a compromised system, your private key is at risk.  That is why we are using RSA keys with the longest supported modulus, giving good security and the best compatibility across systems.

Setting the Diffie-Hellman Key Exchange Algorithm Group

The default key exchange algorithm used by the Ruckus ICX Switches is Diffie-Hellman Group-1, SHA-1 with a modulus of 768 bits.  If you are using macOS Sierra 10.12 or later, or are using OpenSSH 7, you may find that when you try to connect to the switch you get an error that states: “Unable to negotiate with xxx.xxx.xxx.xxx port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1”

This is because Diffie-Hellman key exchange with shorter modulus lengths (less than or equal to 1024 bits) is considered to be insecure.  These legacy key exchange algorithms are no longer enabled by default in OpenSSH 7.  The minimum modulus length considered sufficient for secure communications is 2048 bits, which is supported by Diffie-Hellman Group-14.

To fix this problem you have a few options.  The first (and worst) option is to alter your system settings (another link here) to re-enable the weak Diffie-Hellman groups.  This may be the only workable option for compatibility whilst moving your network entities to a more secure key exchange algorithm.  The other, less terrible option is to allow weak Diffie-Hellman key exchange algorithms on an as-needed basis when opening the connections.

The best option for your new Ruckus ICX switching environment, however, is to enforce Diffie-Hellman Group 14 key exchange, which uses a 2048-bit modulus and won’t require you to weaken your system’s security.

RobLab_7150_C12P_1(config)#ip ssh key-exchange-method dh-group14-sha1
Warning: This operation would close all existing SSH connection.
RobLab_7150_C12P_1(config)#
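
The "Their offer" text in the client error above comes from the key exchange list in the server's SSH_MSG_KEXINIT message. The following Python code is an added example, not part of the original post: it decodes that list from a KEXINIT payload and reports whether only the weak group 1 method is on offer. The `build_kexinit` helper and its payloads are constructed samples, and the payload is assumed to be already extracted from the SSH binary packet.

```python
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of a KEXINIT payload, in wire order (RFC 4253, section 7.1).
NAME_LISTS = ["kex_algorithms", "server_host_key_algorithms", "encryption_c2s",
              "encryption_s2c", "mac_c2s", "mac_s2c", "compression_c2s",
              "compression_s2c", "languages_c2s", "languages_s2c"]
# Fixed-group methods whose modulus is 1024 bits or less, the class the post calls insecure.
WEAK_KEX = {"diffie-hellman-group1-sha1"}


def parse_kexinit(payload: bytes) -> dict:
    """Decode the name-lists of an SSH_MSG_KEXINIT payload."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, lists = 17, {}  # skip message type (1 byte) and cookie (16 bytes)
    for name in NAME_LISTS:
        if offset + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError("truncated name-list body")
        raw = payload[offset:offset + length].decode("ascii")
        lists[name] = raw.split(",") if raw else []
        offset += length
    return lists


def audit_kex(payload: bytes) -> dict:
    """Split the server's key exchange offer into everything offered and the weak subset."""
    offered = parse_kexinit(payload)["kex_algorithms"]
    weak = [k for k in offered if k in WEAK_KEX]
    return {"offered": offered, "weak": weak, "only_weak": bool(offered) and weak == offered}


def build_kexinit(kex: list) -> bytes:
    """Constructed sample payload; every list except kex holds placeholder values."""
    others = ["ssh-rsa", "aes256-ctr", "aes256-ctr", "hmac-sha1", "hmac-sha1",
              "none", "none", "", ""]
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # all-zero cookie, sample only
    for item in [",".join(kex)] + others:
        body += struct.pack(">I", len(item)) + item.encode("ascii")
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


if __name__ == "__main__":
    print(audit_kex(build_kexinit(["diffie-hellman-group1-sha1"])))   # default per the post
    print(audit_kex(build_kexinit(["diffie-hellman-group14-sha1"])))  # after the change
```

A result with `only_weak` set to true is the situation in which a current OpenSSH client refuses to connect.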

Setting a Username and Password

We need to configure a username and password on the switch.  For now we are going to focus on using the local AAA feature on the switch.  Ruckus ICX Switches allow you to specify the privilege level of a new user as follows:

RobLab_7150_C12P_1(config)#username <user> privilege 
  DECIMAL   <0 READ-WRITE, 4 PORT-CONFIG, 5 READ-ONLY> User privilege level
RobLab_7150_C12P_1(config)#

We are going to go ahead and create an administrator account with read-write privileges.  Note that if you do not specify the privilege level, it defaults to 0 (Read-Write):

RobLab_7150_C12P_1(config)#username <user> password <password>
RobLab_7150_C12P_1(config)#

Now we need to configure local user accounts in the default list to be able to enter privileged exec mode:

RobLab_7150_C12P_1(config)#aaa authentication enable default local
RobLab_7150_C12P_1(config)#

And we also need to enable local user accounts in the default list to be able to log in to the switch:

RobLab_7150_C12P_1(config)#aaa authentication login default local
RobLab_7150_C12P_1(config)#

A final neat trick useful for laboratory environments (NOT RECOMMENDED IN A PRODUCTION SYSTEM) is to enable users to enter privileged exec mode directly after login:

RobLab_7150_C12P_1(config)#aaa authentication login privilege-mode 
RobLab_7150_C12P_1(config)#

Save your configuration!

RobLab_7150_C12P_1(config)#write memory            
Flash Memory Write (8192 bytes per dot) 
.
Write startup-config done.
Copy Done.
RobLab_7150_C12P_1(config)#

Testing SSH Access

You should now be at a point where you can test SSH access to the switch.  Plug an Ethernet cable into your laptop and give the laptop an IP address in the same subnet as the one you set on the switch.

host:~ user$ ssh <user>@172.31.0.1
The authenticity of host '172.31.0.1 (172.31.0.1)' can't be established.
RSA key fingerprint is SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.31.0.1' (RSA) to the list of known hosts.
Password:
SSH@RobLab_7150_C12P_1#

Congratulations, you are all set up and can now access your switch securely via SSH using a locally stored username and password.  You should still be able to get into the switch easily via a direct console connection, just in case things go bad!

Summary:

ICX7150-C12 Switch>enable
  No password has been assigned yet... 
ICX7150-C12 Switch#configure terminal
ICX7150-C12 Switch(config)#hostname RobLab_7150_C12P_1 
RobLab_7150_C12P_1(config)#ip address 172.31.0.1/24 
RobLab_7150_C12P_1(config)#
RobLab_7150_C12P_1(config)#crypto key generate rsa modulus 2048 
RobLab_7150_C12P_1(config)# 
Creating RSA key pair, please wait... 
RSA Key pair is successfully created 
RobLab_7150_C12P_1(config)#ip ssh key-exchange-method dh-group14-sha1 
Warning: This operation would close all existing SSH connection. 
RobLab_7150_C12P_1(config)#username <user> password <password>
RobLab_7150_C12P_1(config)#aaa authentication enable default local
RobLab_7150_C12P_1(config)#aaa authentication login default local
RobLab_7150_C12P_1(config)#aaa authentication login privilege-mode
RobLab_7150_C12P_1(config)#write memory            
Flash Memory Write (8192 bytes per dot)
.
Write startup-config done.
Copy Done.
RobLab_7150_C12P_1(config)#
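
The following Python code is an added example, not part of the original post: it checks a saved configuration against the SSH and AAA settings applied above, including the lab-only `privilege-mode` line that the summary carries. It assumes the saved config contains each command in the same form it is typed on this page; the sample config, its usernames and the masked passwords are constructed.

```python
import re

PRIVILEGE = {0: "read-write", 4: "port-config", 5: "read-only"}  # levels listed in the post

# Constructed sample: the post's summary commands as config lines, with hypothetical users.
SAMPLE_CONFIG = """\
hostname RobLab_7150_C12P_1
ip address 172.31.0.1/24
ip ssh key-exchange-method dh-group14-sha1
username labadmin password .....
username viewer privilege 5 password .....
aaa authentication enable default local
aaa authentication login default local
aaa authentication login privilege-mode
"""


def audit_config(text: str) -> dict:
    """Check a saved config against the SSH and AAA settings this post applies."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    findings = []
    kex = [ln.split()[-1] for ln in lines if ln.startswith("ip ssh key-exchange-method ")]
    if not kex:
        findings.append("no key-exchange-method line: the default group 1 exchange applies")
    elif kex[-1] != "dh-group14-sha1":
        findings.append(f"key exchange is {kex[-1]}, expected dh-group14-sha1")
    for scope in ("login", "enable"):
        if f"aaa authentication {scope} default local" not in lines:
            findings.append(f"{scope} authentication does not use the local user list")
    if "aaa authentication login privilege-mode" in lines:
        findings.append("privilege-mode is set: logins land in privileged exec (lab only)")
    users = {}
    for ln in lines:
        m = re.match(r"username (\S+)(?: privilege (\d+))?", ln)
        if m:  # privilege defaults to 0 (read-write) when omitted, as the post notes
            level = int(m.group(2) or 0)
            users[m.group(1)] = PRIVILEGE.get(level, f"level {level}")
    if not users:
        findings.append("no local username: local AAA would have nobody to authenticate")
    return {"users": users, "findings": findings}


if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG)
    for item in report["findings"]:
        print("FINDING:", item)
    print(report["users"])
```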

That's all for now!

 
