Tag Archives: icx

Ruckus ICX Radius logins

I refer back to these commands a lot and thought they might help someone else. This will allow the Ruckus or Brocade ICX switches to authenticate to a radius server for logins to the device.

aaa authentication web-server default radius local enable
aaa authentication login default radius local enable
aaa authentication login privilege-mode

radius-server host auth-port 1812 acct-port 1813 default key $aWdAblUmc3JuVSY9Z1k= dot1x

A few things to note about this. I am setting the web-server login and SSH logins to use radius, then if radius is not available use local authentication settings.

The login privilege-mode command bypasses the enable password and logs be straight in a privileged.


Ruckus ICX untagged vlan port config

I have been working with Brocade ICX and now Ruckus ICX for a few years now. They are awesome switches.

I was asked a couple of times about something that was happening when someone would try and set the untagged or access vlan on a port. They would get this error:

error – port ethe x/x/x are not member of default vlan

The reason we were getting this error is because other vlans were attached to port as either untagged or tagged. To put a port into a vlan other than default as ‘untagged’ we need to make sure no other vlans are bound to that port. To do this we can check what vlans are attached to the port. In this scenario my default vlan is 999. It would be 1 on a switch that it was not manually changed on.

switch#show vlan br eth 1/1/3

Port 1/1/3 is a member of 2 VLANs

VLANs 32 48

Untagged VLAN : 999

Tagged VLANs : 32 48

Great, so now we know its untagged 999 (default) but tagged those 2 other ports. We need to remove the tags of 32 and 48 on this port before we can add it untagged into vlan 16 – which is the goal

switch#config t

switch(config)#vlan 32

switch(config-vlan-32)#no tag eth 1/1/3

switch(config-vlan-32)#vlan 48

switch(config-vlan-48)#no tag eth 1/1/3

Voice-vlan is cleared on port 1/1/3


switch(config)#vlan 16

switch(config-vlan-16)#unt eth 1/1/3

Added untagged port(s) ethe 1/1/3 to port-vlan 16.



switch#show vlan br eth 1/1/3

Port 1/1/3 is a member of 1 VLANs

VLANs 16

Untagged VLAN : 16

Tagged VLANs :


Thats it! now we are untagged or access in vlan 16. But wait! what if we wanted to have it be a trunk port to allow vlans 32/48 and be native 16. Then we would use the ‘Dual port’ command with the modification of the untagged vlan like this:

dual mode 16   — means untagged 16, but allow whatever vlans are tagged to pass. Of course vlans 16,32,48 would need to be tagged on the port first. I will write another entry about that.