In the previous posts on configuring Ruckus ICX switches, we got the ICX 7150-C12P up and running and upgraded to the latest Layer 3 image. In this post I want to start configuring it to act as a Layer 3 switch for my Ruckus laboratory environment.
If you are learning about Ruckus ICX Switches and their capabilities, I recommend reviewing the following useful documentation (along with everything else) available on the Ruckus support site:
- Command Reference Guide
- Layer 2 Switching Configuration Guide
- Layer 3 Routing Configuration Guide
- DHCP Configuration Guide
Configuring IP Addresses
The first thing I am going to need is an IP address on the ICX switch. The ICX layer 3 switch firmware gives you the ability to define an IP Address on the following types of interfaces:
- Ethernet Ports
- Virtual Interfaces / Virtual Ethernet (VE)
- Loopback interfaces
- GRE Tunnels
You can assign an IP address directly to a specified Ethernet interface. For example you can assign the address 10.0.0.1/24 to Ethernet interface 1/1/1 on the switch. You can also load multiple IP addresses onto a given Ethernet interface. This is useful in scenarios where you know exactly which Ethernet Interface the traffic will arrive on. A good example of when to apply this configuration is if you are running a point to point link between two locations using a specific interface on either side of the link.
As it turns out, this is exactly the kind of scenario I have in my home laboratory between the Ruckus ICX7150-C12P and the Internet NAT router! Here is an example where I assign an IP address directly to uplink port 1/2/2 on the ICX7150 switch in my laboratory.
SSH@RobLab_7150_C12P_1#configure terminal
SSH@RobLab_7150_C12P_1(config)#interface ethernet 1/2/2
SSH@RobLab_7150_C12P_1(config-if-e1000-1/2/2)#ip address 172.31.254.2/30
SSH@RobLab_7150_C12P_1(config-if-e1000-1/2/2)#exit
SSH@RobLab_7150_C12P_1(config)#write memory
Flash Memory Write (8192 bytes per dot)
.
Write startup-config done.
Copy Done.
SSH@RobLab_7150_C12P_1(config)#
A virtual interface is the same as a “sub interface” on Cisco routers and is referred to as Virtual Ethernet or VE in Ruckus ICX nomenclature. A virtual interface acts as the layer 3 interface to terminate VLAN tagged Ethernet traffic. The advantage of this interface type over an Ethernet interface is that you can aggregate traffic entering the switch via multiple Ethernet interfaces.
Consider a scenario in which you have Layer 2 traffic tagged with VLAN 100 entering the Layer 3 switch. You want the Layer 3 switch to route that traffic to destinations on other subnets, but the traffic may enter through multiple ethernet interfaces. The Layer 3 switch solves this scenario with a Virtual Interface that can be assigned to multiple Ethernet interfaces.
Maximum Virtual Interfaces
Be aware that your chosen switch model may have some limitations in terms of the number of Virtual Interfaces it can support. Consult the data sheet and configuration guides of your switch model and firmware releases to be certain of how many Virtual Interfaces (VEs) are supported.
Configuring a Virtual Interface
The management VLAN exists to allow me to access all physical and virtual network components from a single location. The Management VLAN will be exclusively enabled, untagged on Ethernet interface 1/1/12. The management VLAN will be assigned to
RobLab_7150_C12P_1>enable
User Name:<user>
Password:
RobLab_7150_C12P_1#conf t
RobLab_7150_C12P_1(config)#vlan 101 name MGMT
RobLab_7150_C12P_1(config-vlan-101)#untagged ethernet 1/1/12
Added untagged port(s) ethe 1/1/12 to port-vlan 101.
RobLab_7150_C12P_1(config-vlan-101)#router-interface ve 2
RobLab_7150_C12P_1(config-vlan-101)#interface ve 2
RobLab_7150_C12P_1(config-vif-2)#ip address 172.31.255.1/24
RobLab_7150_C12P_1(config-vif-2)#write memory
Flash Memory Write (8192 bytes per dot)
.
Write startup-config done.
Copy Done.
RobLab_7150_C12P_1(config-vif-2)#exit
RobLab_7150_C12P_1(config)#exit
RobLab_7150_C12P_1#
x86 Hosts VLAN
The x86_Hosts VLAN (VLAN 100) will be exclusively enabled, untagged on ethernet interfaces 1/1/1 to 1/1/6. The x86 Hosts VLAN will be assigned to router-interface ve 1 with IP address 172.31.0.1/24. This will allow me to gain direct access to the switch CLI should anything go wrong with my Management VLAN.
RobLab_7150_C12P_1>enable
User Name:<user>
Password:
RobLab_7150_C12P_1#conf t
RobLab_7150_C12P_1(config)#vlan 100 name x86_Hosts
RobLab_7150_C12P_1(config-vlan-100)#untagged ethernet 1/1/1 to 1/1/6
Added untagged port(s) ethe 1/1/1 to 1/1/6 to port-vlan 100.
RobLab_7150_C12P_1(config-vlan-100)#router-interface ve 1
RobLab_7150_C12P_1(config-vlan-100)#interface ve 1
RobLab_7150_C12P_1(config-vif-1)#ip address 172.31.0.1/24
RobLab_7150_C12P_1(config-vif-1)#write memory
Flash Memory Write (8192 bytes per dot)
.
Write startup-config done.
Copy Done.
RobLab_7150_C12P_1(config-vif-1)#exit
RobLab_7150_C12P_1(config)#exit
RobLab_7150_C12P_1#
Additional VLANs will be enabled on the switch to provide Layer 2 services on an as needed basis in my testing. These will include VLANs for Access Points and Client Subnets. These VLANs will simply allow the traffic to pass through to the routers in the virtual lab.
Loopback Interfaces & GRE Interfaces
I am rather conspicuously not talking about configuring these interfaces at this point in time. But I believe the topic will come up in a later post. If you cannot wait, I strongly recommend reading the Ruckus ICX Layer 3 Routing Configuration Guide.
I will require a DHCP server in the Management VLAN that provides addresses to clients as they connect. I also want this DHCP server to work on the out of band management port, just in case my access via WLAN fails or using a cable is faster!
Let me start by saying there is a ton you can do with this DHCP server and the DHCP capabilities in the switch. The below configuration is truly trivial.
RobLab_7150_C12P_1#conf t
RobLab_7150_C12P_1(config)#ip dhcp-server enable
RobLab_7150_C12P_1(config)#ip dhcp-server pool mgmt_1
RobLab_7150_C12P_1(config-dhcp-mgmt_1)#network 172.31.255.0/24
RobLab_7150_C12P_1(config-dhcp-mgmt_1)#dhcp-default-router 172.31.255.1
RobLab_7150_C12P_1(config-dhcp-mgmt_1)#dns-server 172.31.255.1
RobLab_7150_C12P_1(config-dhcp-mgmt_1)#excluded-address 172.31.255.1 172.31.255.99
RobLab_7150_C12P_1(config-dhcp-mgmt_1)#lease 0 6 0
RobLab_7150_C12P_1(config-dhcp-mgmt_1)#deploy
RobLab_7150_C12P_1(config)#write memory
Note 1: If you ever change the DHCP pool config, remember to issue the DEPLOY command again, otherwise the DHCP address pool will simply remain in a “pending” state after your changes!
Here are some useful commands to check the status of the DHCP server and the address pools.
SSH@RobLab_7150_C12P_1#show ip dhcp-server
  address-pools   Display all address pools
  binding         Display DHCP lease-binding database
  flash           Displays the lease-binding database stored in flash memory
  summary         Displays the DHCP servers statistics
---
SSH@RobLab_7150_C12P_1#show ip dhcp-server summary
DHCP Server Summary:
  Total number of active leases: 2
  Total number of deployed address-pools: 1
  Total number of undeployed address-pools: 0
  Server uptime: 04d:09h:32m:16s
---
SSH@RobLab_7150_C12P_1#show ip dhcp-server address-pools
Showing all address pool(s):
  Pool Name: mgmt_1
  Time elapsed since last save: 00d:00h:29m:34s
  Total number of active leases: 2
  Address Pool State: active
  IP Address Exclusions: 172.31.255.1 172.31.255.99
  Pool Configured Options:
    dhcp-default-router: 172.31.255.1
    dns-server: 10.0.0.254 188.8.131.52
    lease: 0 6 0
    network: 172.31.255.0 255.255.255.0
---
SSH@RobLab_7150_C12P_1#show ip dhcp-server binding
Bindings from all pools:
  IP Address       Client-ID/         Lease expiration   Type
                   Hardware address
  172.31.255.100   c0d0.1274.2590     000d:05h:58m:15s   Automatic
  172.31.255.101   48d7.05be.758d     000d:05h:59m:24s   Automatic
SSH@RobLab_7150_C12P_1#
Routing Between Subnets
To provide Internet access for the subnets I have configured above, I must provide a default route to the internet. Internet access in the laboratory is provided by a Mikrotik router (172.31.254.1) connected to the Ethernet Interface 1/2/2 on the ICX7150 switch.
Ruckus ICX switches have a feature called Integrated Switch Routing (ISR), which allows routing traffic between virtual interfaces in the switch without the need for an external router. You don’t (shouldn’t) need to do anything to enable this feature. You do, however, have to configure routes to reach external entities using either static routes or dynamic routing protocols. Thus far I am sticking to static routes.
Setting a Default Route
RobLab_7150_C12P_1#conf t
RobLab_7150_C12P_1(config)#
SSH@RobLab_7150_C12P_1(config)#ip route 0.0.0.0/0 172.31.254.1
SSH@RobLab_7150_C12P_1(config)#write memory
Flash Memory Write (8192 bytes per dot)
.
Write startup-config done.
Copy Done.
SSH@RobLab_7150_C12P_1(config)#exit
SSH@RobLab_7150_C12P_1#
About Management Access
On the Ruckus ICX layer 3 switch you can use any one of the configured IP addresses on the switch for management access to the switch. I can access the switch over ssh via 172.31.0.1, 172.31.255.1 and 172.31.254.2. I will discuss hardening the switch configuration in a later post.
Quick Summary Config
Here is the current running config of the switch (also the startup config!) to summarize what we have done so far.
SSH@RobLab_7150_C12P_1#show run
Current configuration:
!
ver 08.0.61T213
!
stack unit 1
  module 1 icx7150-c12-poe-port-management-module
  module 2 icx7150-2-copper-port-2g-module
  module 3 icx7150-2-sfp-plus-port-20g-module
!
...
vlan 1 name DEFAULT-VLAN by port
!
vlan 100 name x86_Hosts by port
 untagged ethe 1/1/1 to 1/1/6
 router-interface ve 1
!
vlan 101 name MGMT by port
 tagged ethe 1/1/12
 router-interface ve 2
!
...
aaa authentication enable default local
aaa authentication login default local
aaa authentication login privilege-mode
hostname RobLab_7150_C12P_1
ip dhcp-server enable
ip dhcp-server server-identifier 172.31.255.1
!
ip dhcp-server pool mgmt_1
 dhcp-default-router 172.31.255.1
 dns-server 172.31.255.1
 excluded-address 172.31.255.1 172.31.255.99
 lease 0 6 0
 network 172.31.255.0 255.255.255.0
 deploy
!
ip route 0.0.0.0/0 172.31.254.1
!
username <user> password .....
!
...
interface ethernet 1/2/2
 ip address 172.31.254.2 255.255.255.252
!
interface ve 1
 ip address 172.31.0.1 255.255.255.0
!
interface ve 2
 ip address 172.31.255.1 255.255.255.0
!
...
ip ssh key-exchange-method dh-group14-sha1
!
!
end
SSH@RobLab_7150_C12P_1#
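An added example, not part of the original post: a short Python check that parses an excerpt of the running config above, compares VLAN port membership with what the configuration steps intended, and lists every routed address (each of which, as noted under About Management Access, accepts SSH). The excerpt is constructed from the summary config; `INTENDED` and the function names are assumptions of this example.

```python
import ipaddress
import re

# Constructed excerpt of the running config shown above (only the stanzas this check needs).
RUNNING_CONFIG = """\
vlan 100 name x86_Hosts by port
 untagged ethe 1/1/1 to 1/1/6
!
vlan 101 name MGMT by port
 tagged ethe 1/1/12
!
interface ethernet 1/2/2
 ip address 172.31.254.2 255.255.255.252
!
interface ve 1
 ip address 172.31.0.1 255.255.255.0
!
interface ve 2
 ip address 172.31.255.1 255.255.255.0
"""
# Intended membership (assumption of this example), from the configuration steps in the post.
INTENDED = {100: {"untagged": "1/1/1 to 1/1/6"}, 101: {"untagged": "1/1/12"}}

def parse(config):
    """Return ({vlan_id: {mode: ports}}, {interface_name: [IPv4Interface, ...]})."""
    vlans, addrs, ctx = {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"vlan (\d+)\b", line):
            ctx = ("vlan", int(m.group(1)))
        elif m := re.match(r"interface (\S.*)", line):
            ctx = ("if", m.group(1).strip())
        elif not line.startswith(" "):
            ctx = None  # "!" or a global command ends the current stanza
        elif ctx and ctx[0] == "vlan" and (m := re.match(r" (tagged|untagged) ethe (.+)", line)):
            vlans.setdefault(ctx[1], {})[m.group(1)] = m.group(2).strip()
        elif ctx and ctx[0] == "if" and (m := re.match(r" ip address (\S+) (\S+)", line)):
            addrs.setdefault(ctx[1], []).append(ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}"))
    return vlans, addrs

def vlan_drift(vlans):
    """VLANs whose running membership differs from INTENDED, as {id: (want, got)}."""
    return {v: (want, vlans.get(v)) for v, want in INTENDED.items() if vlans.get(v) != want}

def management_addresses(addrs):
    """Every routed address; per the post, each one accepts SSH to the switch."""
    return [str(i.ip) for i in sorted(sum(addrs.values(), []), key=lambda i: i.ip)]

if __name__ == "__main__":
    vlans, addrs = parse(RUNNING_CONFIG)
    print("drift:", vlan_drift(vlans), "| management:", management_addresses(addrs))
```

Run against this page's config, it reports VLAN 101 as `tagged ethe 1/1/12` where the configuration steps used `untagged ethernet 1/1/12`.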
That's All for Now!