Ruckus ICX switching – Displaying files on USB or flash

I needed to update the firmware on a Ruckus ICX 7150, but could not remember the file name of the firmware I was updating. I looked through the commands for a dir: flash, or dir:usb and really couldn’t find much. After some googling didn’t come up with anything either.

To display the the files use the “Show files {Device}” for example to show files on flash “show files flash”

ICX7150-24P Switch#show files?
ASCII string dir name


ICX7150-24P Switch#show files flash

Type Size Name

F 33554432 primary
F 32539748 secondary
F 256 primary.sig
F 162204 poe-fw
F 1576 $$ssh8rsahost.key
F 256 secondary.sig

66258472 bytes 6 File(s) in FI root

1135529984 bytes free in FI root

Below show getting the files on the USB drive.

ICX7150-24P Switch#show files disk0
F 60783027 SPR08095dufi.bin
D 4096 [—-] disk0/System Volume Information

60783027 bytes 1 File(s) in disk0

Setting up Static Addresses for Fortigate SSL VPN clients

I needed to have a specific SSL VPN client to always have the same IP address. This is not overly simple as it seems it should be. I have read there are very neat ways to do it through FortiAuth, or Radius options – but Here I am just doing all Fortigate configuration.

I am using a local account on the firewall in this example, but it would work with an AD users without issues – you would just have to map the user directly and not use groups.

SO, in this example I have a Scan gun that needs to have a specific IP every time it connects. So an overview of the steps are:

  • Setup SSL VPN (Should be already done if you are trying this).
  • Have LDAP or Radius integration already setup if you are specifically using that.
  • Setup Address object that you need the device to get – For this example 10.200.253.241.
  • Create a user object either local, or LDAP/Radius. – In this example Bargun01.
  • Create a specific portal if needed just for this user.
  • Create group/portal matching in SSL Settings.
  • Create firewall policy allowing that client in.

Ok, first lets create our address object .

Next lets create our user object – We need to do a specific user object, because we only want one device to be logged in and match this policy.

Then lets create the portal specific for this device – which only needs access to one server. In this portal we will match the it to the individual IP object we created, and set the remote access server it needs. Notice that the source IP Pool is the specific IP we set – this is where all the real magic is.

Next lets match up our user to the portal.

One more thing to do – and that’s to setup our firewall policy! Notice that the user matches what we put in the portal. Very specific. That’s it.

Enabling Cisco 3850 VRRP

So, you went into to the interface and are looking for VRRP, but cant find it. I had done this 1000 times in other firmwares/devices and had no issues setting up VRRP. But for some reason on I could not find VRRP under the interface – Thought it was firmware/licensing (IP Services) – Nope all good there. The trick was that you have to enable the First Hop Routing Protocol you want to run.

Do this with

config t

fhrp version vrrp v3 or v2

Now VRRP will show up under the interface and you can configure it as normal.

Some search help – Where is VRRP , 3850 VRRP not there

Cisco ASR 1002-X bandwidth license increase

I installed a new license to a ASR 1002-X going from the default 5 gig to 20 gig throughput. Installing the license was no problem, but after the reboot nothing changed. I found that I had forgotten to change the hardware throughput settings – I thought the license would jus take care of this, but it didn’t.

Here are the commands/options to get the hardware throughput to match the license

First – lets check to make sure what the level is –

ASR#show platform hardware throughput level
The current throughput level is 5000000 kb/s

You can also do a show version and see this info.

Now, lets change to our installed license throughput level.

ASR(config)#platform hardware throughput level ?
10000000 throughput in kbps
20000000 throughput in kbps
36000000 throughput in kbps
40000000 throughput in kbps
5000000 throughput in kbps

ASR(config)#platform hardware throughput level 20000000

exit, and save config. The throughput level does not kick in until a reboot. After the reboot

ASR#show platform hardware throughput level
The current throughput level is 20000000 kb/s

Cisco Nexus C92160YC-X Port Breakout

The Cisco C92160YC has the option to change the port layout for different bandwidth needs. Below hows the command to change the default (In my case) port config from 48x25G ports, with 2 X 100G, and 4 X40 to 4 100 Gig ports. This way

c92160yc-x-01# show run | inc port
hardware profile portmode 48x25G+2x100G+4x40G

The above looks through the config for the setting – I do believe you can also “show hardware profile”.

Below shows the config to change the setting, and different options under the setting.

c92160yc-x-01# config t
Enter configuration commands, one per line. End with CNTL/Z.
c92160yc-x-01(config)# hardware profile portmode ?
48x25g+2x100g+4x40g 48x25G+2x100G+4x40G port mode
48x25g+4x100g 48x25G+4x100G port mode

c92160yc-x-01(config)# hardware profile portmode 48x25g+4x100g
c92160yc-x-01(config)# exit
c92160yc-x-01# copy run start
c92160yc-x-01# reload

The switch has to be restarted for the change to be enabled.

Finding Transceiver info in Ruckus ICX switches

I needed to find out what type of Optic was installed into a switch, and if it read up correctly. In most vendors its “show interface transceivers” or some other command. I struggled to find Ruckus’s – so I thought I would share.

To find the media type of the port – just use the “Show media” command – so easy!

For instance, I need to find out what type SFP is on eth 1/2/8, and if it read correctly. Check out the below:

Then, if I just want to check what all ports are: “Show media” by itself. Notice ports 1/2/1 and 1/2/3 are my stack ports – and I have DACs (twinax) in these ports.

Enabling SNMPv3 on FortiOS 6.4.5

SNMPv3 should always be enabled if possible over v2.

First enable the SNMP agent and set the location/device name. Make sure to press apply down at the bottom of the page.

Next lets create the V3 user. You can do this by just clicking “Create New” Under the V3 options.

When you create the user you have options of Authentication algorithms, encryption, the IP of the monitoring host, and what they can monitor. Also, you can drop into CLI and change the source IP for traps.

Last part is now to enable SNMP on the interface you want to connect the monitor to. You only need to have SNMP enabled on the interface the monitor is connecting to, so just do a local LAN interface.

Make sure to click SNMP under the admin access of the interface, and click OK. Thanks it!

Getting mac-address table from Fortiswitch

Tracking down MACs from a switch can be very beneficial. You can use the information from the MAC table to track down where a device is plugged into, or if there is some kind of loop in the network.

This command is used from the Fortigate to drill down to the Fortiswitch. I do believe it would also work directly from the Fortiswitch.

To display the whole routing table:

diagnose switch-controller switch-info mac-table

Lets say I need to look for the last 4 of the MAC to find exactly where this device plugs into.

diagnose switch-controller switch-info mac-table | grep 3a:fe

00:60:6e:ec:3a:fe port1 1

Now we can see that device is plugged into port 1 of the switch.

Dell N2248-ON firmware restore from ONIE Recovery

I have been working a lot with the Dell N-series over last few years, and now the N2248-ON which can run OS10 as well as the default OS6. We upgraded firmware to the latest 6.6.3.10 and all seemed to go well. Somehow it did not and hosed both primary/secondary firmware. The device was boot looping – the only option was to drop into ONIE Recovery and re-install the firmware. Here are the steps I used:

The ONIE recovery area runs a version of Linux. First check out your NIC to make sure it finds it:

ONIE:/ # ifconfig
eth0 Link encap:Ethernet HWaddr 8C:47:BE:97:B5:0F
inet6 addr: fe80::8e47:beff:fe97:b50f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:67 errors:0 dropped:0 overruns:0 frame:0
TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6904 (6.7 KiB) TX bytes:1198 (1.1 KiB)
Memory:dfe00000-dfe7ffff

Great! Eth0 is found, but of course link status is down. Eth0 is the out of band management interface. We should be able to set an IP address on the interface and install firmware VIA TFTP or USB.

First I will setup and IP that can communicate with my laptop :

ifconfig eth0 192.168.1.100 netmask 255.255.255.0

ONIE:/ # ifconfig
eth0 Link encap:Ethernet HWaddr 8C:47:BE:97:B5:0F
inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::8e47:beff:fe97:b50f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:108 errors:0 dropped:0 overruns:0 frame:0
TX packets:49 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:10874 (10.6 KiB) TX bytes:7658 (7.4 KiB)
Memory:dfe00000-dfe7ffff

Perfect! My laptop is 192.168.1.99 – and connected directly to the out of band MGMT port.

Next we will TFTP the file up. This file is located in the software archive you download from Dell – Its located in the
“Otherfiles” folder. In this case the file name is onie-installer-x86_64-dellemc_n22xx_6.6.3.10. Next I put this on my TFTP server and we can start the install.

First lets turn off the ONIE-Discovery attempts with the onie-stop command.

Now lets upgrade – Run:

onie-nos-install tftp://192.168.1.99/onie-installer-x86_64-dellemc_n22x
x_6.6.3.10

The onie-nos-install will install the OS back to the device. The firmware took a few minutes to install, with about 4 reboots I think – it was all automatic.

Now lets see if the switch was updated with the “show version” command.

All is good!

Fortiauthenticator – SMS only remote sync rule

I had an issue, well more of a specific formatting issue with Fortiauthenticator that I thought I would share. I have a client who is only use SMS with forticlient via fortiauth. The idea is that the user connects and authenticates to the SSL VPN, and then hits Fortiauth for token code that was sent to the client VIA SMS.

When using SMS with tokens, you have to have the users mobile number entered so it can send to them. Hard coding the users mobile number worked great, but for some reason I could not get the remote sync rule to pull in the mobile phone number. Below are the steps I used to fix this.

First in the remote sync rule under “LDAP User Mapping Attributes” modify the mobile data field with “mobile” all lower case.

Then make sure that in Active Directory the mobile number is entered under the users profile. the Auth says it wants the mobile phone number in a very specific format – +[international_number] – this threw me for a while. In the end the number in AD wasn’t the problem it was the mapping attribute. Below is how to inset the number into AD. Notice the number has +[country code]number. Thats it, after putting that in the remote sync rule worked fine.