Cambium cnMatrix Switches
Cambium cnMatrix switches are enterprise-grade switching solutions designed to work seamlessly with Cambium's wireless portfolio, providing unified wired and wireless network management. The rXg integrates with cnMatrix switches via SSH for configuration synchronization, 802.1X/MAB authentication, and VLAN management.
Supported Models
| Model/Series | Notes |
|---|---|
| EX2010 | 8-port Gigabit + 2 SFP compact switch |
| EX2010-P | 8-port PoE Gigabit + 2 SFP compact switch |
| EX2016M-P | 16-port PoE Gigabit managed switch |
| EX2028 | 24-port Gigabit + 4 SFP managed switch |
| EX2028-P | 24-port PoE Gigabit + 4 SFP managed switch |
| EX2052 | 48-port Gigabit + 4 SFP managed switch |
| EX2052-P | 48-port PoE Gigabit + 4 SFP managed switch |
Features Supported
| Feature | Supported | Description |
|---|---|---|
| Config Sync | Yes | Automatic configuration synchronization from rXg |
| Auto Bootstrap | Yes | Zero-touch onboarding capability |
| SNMP Monitoring | Yes | CPU, memory, and port statistics collection |
| LLDP Neighbor Discovery | Yes | Automatic detection of connected devices |
| Switch Port Import | Yes | Automatic import and management of switch ports |
| 802.1X Authentication | Yes | Port-based network access control |
| MAC Authentication Bypass | Yes | MAC-based authentication for non-802.1X devices |
| Dynamic VLAN Assignment | Yes | RADIUS-assigned VLAN based on authentication |
| DHCP Snooping | No | Not managed by rXg |
| Firmware Management | No | Manual firmware upgrades required |
| SPB-m Fabric | No | Not supported |
Prerequisites
Firmware Requirements
| Version | Support Status | Notes |
|---|---|---|
| CNS 4.x+ | Supported | SSH and RADIUS support required |
Network Requirements
- Management IP connectivity to rXg
- SSH access (TCP port 22)
- SNMP access (UDP port 161)
- RADIUS connectivity (UDP ports 1812, 1813) for 802.1X/MAB
Onboarding Process
Auto Bootstrap
cnMatrix switches support automatic bootstrap configuration from rXg. The bootstrap process configures:
- Maximum VLAN count (requires reboot)
- SSH with RSA key and key exchange
- AAA authentication settings
- LLDP
- SNMP community
- User credentials
- Management VLAN and IP
- NTP server
Bootstrap Configuration
Phase 1 - Increase max VLANs (requires reboot):
enable
config terminal
system-max vlan 4095
write mem
exit
reload
y
Phase 2 - Configure remaining settings (after reboot):
enable
skip-page-display
config terminal
! SSH configuration
crypto key generate rsa modulus 2048
ip ssh key-exchange-method dh-group14-sha1
! AAA configuration
aaa authentication web-server default local
aaa authentication login default local
aaa authentication dot1x default radius
! LLDP
lldp run
! SNMP configuration
snmp-server community <community> ro
! User account
username <username> password <password>
enable super-user-password <enable_password>
aaa authentication login default local
! Management VLAN configuration
vlan 1
ip address <ip> <subnet>
management-vlan
default-gateway <gateway> 1
exit
! NTP configuration
ntp
server <rxg_ip>
exit
write mem
Manual Onboarding
For manual configuration before adding to rXg:
- Configure management IP address
- Enable SSH with RSA keys
- Create user account
- Configure SNMP community
- Add device to rXg Infrastructure Devices
Configuration
Connection Settings
The rXg connects via SSH using RubyExpect for CLI automation.
CLI prompts recognized:
- Press Enter prompt: Press ENTER to continue
- Password prompt: password:
- Enabled prompt: #
- Disabled prompt: >
- Configure prompt: (config)#
- Interface prompt: (config-if)#
- Paging prompt: --More--
Initial connection handling:
- The rXg handles "Press ENTER" prompts automatically
- Paging is disabled with the no pagination command in config mode
Port Naming Convention
cnMatrix uses a type/slot/port naming format:
| Type | Abbreviation | Example |
|---|---|---|
| Gigabit Ethernet | Gi | Gi0/1, Gi0/48 |
| Extreme Ethernet (10G) | Ex | Ex0/1, Ex0/4 |
VLAN Configuration
Creating VLANs
vlan <vlan_id>
name <description>
exit
Port VLAN Assignment
VLANs are configured within the VLAN context, specifying ports as tagged or untagged:
vlan <vlan_id>
ports gigabitethernet 0/1-24 untagged gigabitethernet 0/1-24
exit
Port list format:
- Single port: gigabitethernet 0/1
- Range: gigabitethernet 0/1-24
- Multiple ranges: gigabitethernet 0/1-28,0/29-48 extreme-ethernet 0/1-4
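The port list format above, as an added Ruby example (not rXg code) that validates a list before it reaches the switch CLI and expands it to the abbreviated names from the Port Naming Convention table. The function names are hypothetical, and the rule that untagged ports must also be members is an assumption.

```ruby
# Added example, not rXg code: validate and expand a cnMatrix port list.
ABBREV = { "gigabitethernet" => "Gi", "extreme-ethernet" => "Ex" }.freeze
MAX_VLAN_ID = 4066 # from this page: VLANs above 4066 are not supported

# "gigabitethernet 0/1-3,0/5 extreme-ethernet 0/1-2" -> ["Gi0/1", "Gi0/2", ...]
def expand_port_list(text)
  ports = []
  type = nil
  text.split.each do |token|
    if ABBREV.key?(token)
      type = ABBREV[token]
      next
    end
    raise ArgumentError, "range before interface type: #{token.inspect}" unless type
    token.split(",", -1).each do |item|
      m = %r{\A(\d+)/(\d+)(?:-(\d+))?\z}.match(item)
      raise ArgumentError, "bad port item: #{item.inspect}" unless m
      slot, first, last = m[1].to_i, m[2].to_i, (m[3] || m[2]).to_i
      raise ArgumentError, "descending range: #{item}" if last < first
      (first..last).each { |port| ports << "#{type}#{slot}/#{port}" }
    end
  end
  raise ArgumentError, "empty port list" if ports.empty?
  ports.uniq
end

# Builds the VLAN-context commands shown above. Assumption: the untagged list
# must be a subset of the member list. Whitespace is normalised so a stray
# newline in the input cannot start a second CLI command.
def vlan_port_commands(vlan_id, members, untagged = nil)
  unless vlan_id.is_a?(Integer) && (1..MAX_VLAN_ID).cover?(vlan_id)
    raise ArgumentError, "VLAN ID #{vlan_id.inspect} outside 1..#{MAX_VLAN_ID}"
  end
  member_ports = expand_port_list(members)
  line = "ports #{members.split.join(' ')}"
  if untagged
    stray = expand_port_list(untagged) - member_ports
    raise ArgumentError, "untagged but not members: #{stray.join(', ')}" unless stray.empty?
    line += " untagged #{untagged.split.join(' ')}"
  end
  ["vlan #{vlan_id}", line, "exit"]
end
```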
802.1X / MAB Configuration
Global Authentication
aaa authentication dot1x default radius
RADIUS Server Configuration
radius-server host <rxg_ip> auth-port 1812 acct-port 1813 key <shared_secret> primary
Per-Port 802.1X
interface gigabitethernet 0/1
dot1x port-control auto
exit
Per-Port MAB
interface gigabitethernet 0/1
dot1x mac-auth-bypass
exit
Combined 802.1X and MAB
interface gigabitethernet 0/1
dot1x port-control auto
dot1x mac-auth-bypass
exit
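An added Ruby example (not rXg code) that audits a configuration for the 802.1X/MAB settings described above and reports ports left without either. The sample configuration is constructed from the commands on this page, with a placeholder address and key; real show running-config output may be laid out differently.

```ruby
# Added example, not rXg code. SAMPLE_CONFIG is constructed from the commands
# on this page (address and key are placeholders); real "show running-config"
# output may be laid out differently.
SAMPLE_CONFIG = <<~CFG
  aaa authentication dot1x default radius
  radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE primary
  interface gigabitethernet 0/1
  dot1x port-control auto
  dot1x mac-auth-bypass
  exit
  interface gigabitethernet 0/2
  dot1x mac-auth-bypass
  exit
  interface gigabitethernet 0/3
  description "Server Port"
  exit
CFG

# Returns { modes: { port => mode }, findings: [text, ...] }.
def audit_port_auth(config)
  flags = {}
  current = nil
  dot1x_radius = radius_primary = false
  config.each_line do |raw|
    case raw.strip
    when %r{\Ainterface (\S+ \d+/\d+)\z}
      current = Regexp.last_match(1)
      flags[current] = []
    when "exit" then current = nil
    when "dot1x port-control auto" then flags[current] << :dot1x if current
    when "dot1x mac-auth-bypass" then flags[current] << :mab if current
    when "aaa authentication dot1x default radius" then dot1x_radius = true
    when /\Aradius-server host \S+ .*\bprimary\z/ then radius_primary = true
    end
  end
  modes = flags.transform_values do |f|
    if f.include?(:dot1x) && f.include?(:mab) then :dot1x_and_mab
    elsif f.include?(:dot1x) then :dot1x_only
    elsif f.include?(:mab) then :mab_only
    else :open
    end
  end
  findings = []
  findings << "global: dot1x is not using RADIUS" unless dot1x_radius
  findings << "global: no RADIUS server marked primary" unless radius_primary
  modes.each { |port, mode| findings << "#{port}: no 802.1X or MAB" if mode == :open }
  { modes: modes, findings: findings }
end
```

A port reported as open may be intentional, such as an uplink or server port, so treat the findings as a review list rather than a failure list.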
SNMP Configuration
snmp-server community <community> ro
Port Enable/Disable
interface gigabitethernet 0/1
enable
exit
interface gigabitethernet 0/2
disable
exit
Port Descriptions
interface gigabitethernet 0/1
description "Server Port"
exit
Monitoring Capabilities
| Metric | Collection Method | Notes |
|---|---|---|
| CPU Usage | SNMP | System health monitoring |
| Memory Usage | SNMP | System health monitoring |
| Port Statistics | SNMP | Packets in/out, errors |
| Port Status | SNMP / CLI | Up/down, speed, duplex |
| LLDP Neighbors | CLI | Connected device discovery |
| MAC Address Table | CLI | Client tracking |
Data Gathered
The config sync process collects:
- Interface list and status
- VLAN configurations
- Port VLAN memberships (tagged/untagged)
- 802.1X/MAB port configurations
- RADIUS server configuration
- Port descriptions
Troubleshooting
Common Issues
SSH Connection Failures
Symptom: Unable to establish SSH connection
Resolution:
- Verify SSH is enabled and RSA keys are generated
- Check IP connectivity to switch management address
- Verify user credentials are correct
- Check for IP lockout after failed login attempts (60 second timeout)
802.1X Authentication Failures
Symptom: Clients failing to authenticate
Resolution:
- Verify RADIUS server is configured: show run radius
- Check RADIUS shared secret matches rXg
- Verify dot1x is enabled on port
- Review rXg RADIUS logs for authentication attempts
VLAN Configuration Not Applied
Symptom: Traffic not passing on expected VLANs
Resolution:
- Verify VLAN exists: show vlan
- Check port VLAN membership: show run vlan
- Verify port is enabled
- Note: VLANs above 4066 are not supported
Diagnostic Commands
System information:
show system information
show version
show running-config
Interface status:
show interfaces status
show interfaces description
show interface gigabitethernet 0/1
VLAN information:
show vlan
show run vlan
802.1X status:
show run interface all
RADIUS configuration:
show run radius
MAC address table:
show mac-address
IP configuration:
show ip interface
show ip route
LLDP neighbors:
show lldp neighbor
Known Limitations
- VLAN ID Limit: Maximum VLAN ID is 4066; VLANs above this are not supported
- No SPB-m Fabric: cnMatrix switches do not support SPB-m fabric mode
- Firmware Upgrades: Manual firmware upgrades required; not managed by rXg
- Max VLANs Reboot: Changing system-max vlan requires switch reboot
Operational Caveats
- Paging: Issue no pagination in config mode or skip-page-display in exec mode to disable output paging
- Configuration Save: Changes must be saved with write mem to persist across reboots
- Port Type Mapping: CLI uses full names (gigabitethernet) while show commands may use abbreviations (Gi)
- Bootstrap Reboot: Initial bootstrap requires a reboot to increase max VLAN count
- Press Enter Prompt: Some operations display "Press ENTER to continue" prompts that must be acknowledged
- RADIUS Primary: Use the primary flag when configuring the RADIUS server
- AAA Defaults: Configure aaa authentication login default local for CLI access