Edgecore Switches
Edgecore switches are open networking switches commonly used with TIP OpenWiFi deployments and enterprise networks. The rXg supports both standard Edgecore firmware and OLS (OpenLAN Switch) firmware variants, providing comprehensive configuration management, monitoring, and zero-touch provisioning capabilities.
Supported Models
| Model/Series | Notes |
|---|---|
| ECS2100 Series | Gigabit access switches (e.g., ECS2100-10P-TIPC) |
| ECS4100 Series | Gigabit PoE access switches |
| ECS4155 Series | Multi-gigabit PoE switches (e.g., ECS4155-30P) |
| ECS5550 Series | 10G aggregation switches (e.g., ECS5550-30X) |
Both standard Edgecore firmware and OLS (OpenLAN Switch) firmware are supported. The rXg automatically detects firmware type and adjusts configuration commands accordingly.
Features Supported
| Feature | Supported | Description |
|---|---|---|
| Config Sync | Yes | Automatic configuration synchronization from rXg |
| Auto Bootstrap | Yes | Zero-touch onboarding from factory-default state via DHCP discovery |
| SNMP Monitoring | Yes | CPU, memory, and port statistics collection |
| LLDP Neighbor Discovery | Yes | Automatic detection of connected devices via SNMP |
| Switch Port Import | Yes | Automatic import and management of switch ports |
| 802.1X Authentication | Yes | Port-based network access control via dot1x |
| MAC Authentication Bypass (MAB) | Yes | MAC-based authentication for non-802.1X devices |
| Dynamic VLAN Assignment | Yes | RADIUS-assigned VLAN based on authentication |
| DHCP Snooping | Yes | Protection against rogue DHCP servers with per-port trust |
| Firmware Management | Yes | Upload and upgrade firmware via TFTP |
| PoE Power Priority | Yes | Configure inline power priority (1-3) per port |
| STP Protection | Yes | Edge protection and STP protect settings per port |
| SPB-m Fabric | No | Not supported |
Prerequisites
Firmware Requirements
- Standard Edgecore firmware or OLS (OpenLAN Switch) firmware
- SSH support required for config sync (enabled during bootstrap if not present)
Network Requirements
- Management IP connectivity to rXg
- SSH access (TCP port 22) - configured during bootstrap
- SNMP access (UDP port 161) - configured during bootstrap
- RADIUS connectivity (UDP ports 1812, 1813) - for 802.1X/MAB
- TFTP connectivity (UDP port 69) - for firmware upgrades
Onboarding Process
Automatic Onboarding
Edgecore switches support fully automatic onboarding from factory-default state. The rXg treats a switch as factory-default when NTP/SNTP is disabled.
Prerequisites for Auto-Bootstrap:
- The switch must be connected to the network and obtain a DHCP address from rXg
- A switch record must exist in rXg with the switch's MAC address configured
- The target management IP address must be configured in the switch record
- Valid SSH credentials must be provided (factory default or pre-configured)
Auto-Bootstrap Process:
- Click the Auto Bootstrap action link in the switch record (or it triggers automatically when the switch is detected at a DHCP IP)
- The rXg looks up the switch's current DHCP IP address using the configured MAC address
- Connection is established via SSH (with fallback to Telnet for older/factory-default switches)
- The system detects factory-default state by checking if NTP is disabled
- If factory-default, bootstrap configuration is automatically applied:
  - SSH host key generation (can take up to 3 minutes)
  - Management VLAN creation (if not VLAN 1)
  - Static IP address assignment on the management VLAN interface
  - Default gateway configuration
  - SNMP community string configuration
  - SNTP/NTP server configuration (using rXg IP)
  - DNS server configuration (using rXg IP)
  - RADIUS server and dot1x system-auth-control (if RADIUS is configured)
  - SSH server enabled, Telnet disabled
- Configuration is saved to startup-config
- The switch reconnects on its new management IP address
Connection Methods:
The rXg attempts connection in the following order:
1. SSH with modern algorithms
2. SSH with legacy algorithms (for older firmware)
3. Telnet (as fallback, triggers bootstrap to enable SSH)
Manual Onboarding
For manual configuration, connect to the switch via console or existing network access and apply the bootstrap commands below.
Bootstrap Commands
Generate SSH Host Keys (in enabled mode, before entering configure mode):
ip ssh crypto host-key generate
ip ssh save host-key
Note: SSH key generation can take up to 3 minutes on some models.
Enter Configuration Mode:
configure
Create Management VLAN (if not using VLAN 1):
vlan database
vlan <management-vlan-id>
exit
Configure Management VLAN Interface:
interface vlan <management-vlan-id>
ip address <switch-ip> <subnet-mask>
exit
Configure Default Route:
no ip route *
y
ip route 0.0.0.0 0.0.0.0 <gateway-ip>
Configure NTP and DNS:
sntp client
sntp server <rxg-ip>
ip name-server <rxg-ip>
no ip domain-lookup
Enable SSH and Disable Telnet:
ip ssh server
ip ssh timeout 15
no ip telnet server
Configure RADIUS (if using 802.1X/MAB):
radius-server 1 host <rxg-ip> auth-port 1812 acct-port 1813 timeout 5 retransmit 3 key <radius-secret>
dot1x system-auth-control
Configure SNMP:
For standard firmware:
snmp-server community <community-string> ro
For OLS firmware:
snmp
snmp-server community <community-string> ro
Exit and Save:
exit
copy running-config startup-config
startup1.cfg
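To confirm that a switch actually ended up in the state these bootstrap commands describe, the following added example (not rXg or Edgecore code) audits saved `show running-config` text against that baseline. The sample config and addresses are constructed, and the script assumes the switch echoes each command in the form listed above.

```python
import re

# Constructed sample of `show running-config` output (not captured from a real
# switch). Assumption: the switch echoes commands in the form listed above,
# including the negated `no ip telnet server`.
SAMPLE_CONFIG = """\
sntp server 192.0.2.1
ip name-server 192.0.2.1
ip ssh server
ip ssh timeout 15
snmp-server community public ro
radius-server 1 host 192.0.2.1 auth-port 1812 acct-port 1813 timeout 5 retransmit 3 key <radius-secret>
interface vlan 10
 ip address 192.0.2.20 255.255.255.0
"""

# Baseline lines the bootstrap is documented to leave in place.
REQUIRED = {
    "ip ssh server": "ssh-disabled",          # config sync needs SSH
    "no ip telnet server": "telnet-enabled",  # cleartext management left on
    "ip ssh timeout 15": "ssh-timeout",       # limits stalled login sessions
    "sntp client": "sntp-off",                # may be re-detected as factory-default
}

def audit_bootstrap(config):
    """Return sorted finding codes where config deviates from the baseline."""
    lines = {ln.strip() for ln in config.splitlines() if ln.strip()}
    findings = {code for cmd, code in REQUIRED.items() if cmd not in lines}
    if not any(ln.startswith("sntp server ") for ln in lines):
        findings.add("sntp-server-missing")
    # 802.1X must be enabled globally whenever a RADIUS server is defined.
    if (any(ln.startswith("radius-server ") for ln in lines)
            and "dot1x system-auth-control" not in lines):
        findings.add("dot1x-off")
    communities = re.findall(r"^\s*snmp-server community (\S+) ro\s*$", config, re.M)
    if not communities:
        findings.add("snmp-community-missing")
    if "public" in communities:
        findings.add("snmp-default-community")  # well-known default string
    return sorted(findings)

if __name__ == "__main__":
    for code in audit_bootstrap(SAMPLE_CONFIG):
        print(code)
```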
Configuration
Connection Settings
Configure the switch in the Network::Wired::Switches scaffold with:
- Host: Target management IP address
- MAC Address: Required for auto-bootstrap DHCP lookup
- Username/Password: SSH credentials
- Enable Password: If different from login password
- Management VLAN: VLAN for management traffic (default: 1)
- Gateway IP: Default gateway for the switch
- SNMP Community: Community string for monitoring (default: public)
RADIUS / AAA Configuration
When a RADIUS Server Option is active in rXg, the bootstrap process automatically configures:
System-Level Configuration:
radius-server 1 host <rxg-ip> auth-port 1812 acct-port 1813 timeout 5 retransmit 3 key <radius-secret>
dot1x system-auth-control
Port-Level Configuration for MAB:
Ports configured for MAC authentication receive:
interface ethernet <port>
dot1x port-control auto
network-access mode mac-authentication
dot1x operation-mode mac-based-auth
exit
VLAN Configuration
VLANs are automatically managed through Switch Port Profiles:
- Access ports: Configured with a single untagged (native) VLAN
- Trunk ports: Configured with tagged VLANs and optional native VLAN
- VLAN database entries are automatically created/removed as needed
DHCP Snooping Configuration
DHCP snooping is configured through:
- Trusted DHCP VLANs on the Switch record - specifies which VLANs have DHCP snooping enabled
- DHCP Snooping Trust on Switch Port Profiles - marks uplink ports as trusted
When enabled, the rXg configures:
ip dhcp snooping
ip dhcp snooping vlan <vlan-list>
interface ethernet <trusted-port>
ip dhcp snooping trust
Note: VLAN 1 is automatically included when DHCP snooping is enabled to ensure daisy-chained switches can obtain DHCP addresses during onboarding.
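Trust should exist only on the ports that lead toward the DHCP server: an uplink without trust drops legitimate offers, while trust on an access port lets a rogue server answer. This added example (not rXg code) compares the trusted ports in a running-config against the intended uplinks and checks that VLAN 1 is in the snooping list; the port names, the `!` separator handling and the comma/range VLAN-list syntax are assumptions, and the sample config is constructed.

```python
import re

# Constructed running-config excerpt; port names (1/1 ...) and the
# comma/range VLAN-list syntax are assumptions, not taken from the page.
SNOOPING_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20-22
interface ethernet 1/1
 ip dhcp snooping trust
exit
interface ethernet 1/5
 ip dhcp snooping trust
exit
interface ethernet 1/10
 dot1x port-control auto
exit
"""

def expand_vlans(spec):
    """Expand '1,10-12' into {1, 10, 11, 12}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_snooping(config, uplinks):
    """Compare trusted ports with the intended uplinks; return findings."""
    enabled, vlans, trusted, port = False, set(), set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface ethernet (\S+)$", line):
            port = m.group(1)            # entering a port stanza
        elif line in ("exit", "!"):
            port = None                  # back at global level
        elif line == "ip dhcp snooping" and port is None:
            enabled = True
        elif m := re.match(r"ip dhcp snooping vlan (.+)$", line):
            vlans |= expand_vlans(m.group(1))
        elif line == "ip dhcp snooping trust" and port:
            trusted.add(port)
    return {
        "snooping_enabled": enabled,
        "vlan1_missing": enabled and 1 not in vlans,   # breaks daisy-chained onboarding
        "untrusted_uplinks": sorted(set(uplinks) - trusted),  # DHCP offers dropped
        "unexpected_trust": sorted(trusted - set(uplinks)),   # rogue-server exposure
    }
```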
PoE Configuration
PoE power priority can be configured per port through Switch Port Profiles:
- Priority 1: Critical (highest)
- Priority 2: High
- Priority 3: Low (default)
STP Protection
Switch Port Profiles support:
- Edge Protection: Enables spanning-tree edge port settings
- STP Protect: Enables BPDU guard and other STP protection features
Monitoring Capabilities
| Metric | Collection Method | Notes |
|---|---|---|
| CPU Usage | SNMP | Collected at configured monitoring interval |
| Memory Usage | SNMP | Collected at configured monitoring interval |
| Port Statistics | SNMP | Packets in/out, errors, discards |
| Port Status | SNMP | Up/down, speed, duplex |
| LLDP Neighbors | SNMP | Connected device discovery for automatic port matching |
| Device Info | SSH | Serial number, firmware version, MAC address |
Firmware Upgrade
Edgecore switches support firmware upgrades via TFTP:
- Upload firmware file to rXg via Device Firmwares scaffold
- Associate firmware with the switch
- Initiate upgrade from the switch record
- The rXg:
  - Copies firmware to TFTP directory
  - Connects to switch via SSH
  - Executes the interactive copy tftp file command
  - Sets boot image to new firmware
  - Optionally reboots the switch
Firmware Upgrade Commands:
copy tftp file
<tftp-server-ip>
2
<firmware-filename>
<firmware-filename>
boot system opcode:<firmware-filename>
copy running-config startup-config
reload
Troubleshooting
Common Issues
Issue: Switch shows offline in rXg
Symptom: Switch appears offline despite being reachable via ping
Cause: SSH connectivity issues or SNMP community mismatch
Resolution:
- Verify SSH credentials match switch configuration
- Check SNMP community string matches
- Ensure SSH is enabled on the switch (ip ssh server)
- Check firewall rules allow TCP/22 and UDP/161
Issue: Auto-bootstrap fails
Symptom: Switch detected at DHCP IP but bootstrap doesn't complete
Cause: SSH key generation timeout or credential issues
Resolution:
- SSH key generation can take up to 3 minutes - wait for completion
- Verify factory default credentials are correct
- Check if switch is actually in factory-default state (NTP should be disabled)
- Try manual bootstrap via console if SSH fails
Issue: Config sync shows differences but won't apply
Symptom: Config comparison shows changes needed but sync fails
Cause: Configuration buffer locked by another session
Resolution:
- Wait for other CLI sessions to complete
- Check for stuck SSH sessions on the switch
- Reboot switch if necessary to clear locked sessions
Issue: DHCP snooping blocks legitimate traffic
Symptom: Devices not getting DHCP addresses after enabling snooping
Cause: Uplink port not marked as trusted
Resolution:
- Ensure the Switch Port Profile for uplink ports has "DHCP Snooping Trust" enabled
- Verify the path to the DHCP server has all intermediate ports trusted
Issue: Firmware upgrade fails
Symptom: Firmware upload fails or switch doesn't boot new firmware
Cause: TFTP connectivity issues or incorrect boot image setting
Resolution:
- Verify TFTP connectivity from switch to rXg
- Check firmware file exists in /space/tftpboot/
- Verify boot image is set correctly with show boot
Diagnostic Commands
show version
show system
show running-config
show interfaces brief
show vlan
show ip dhcp snooping
show ip dhcp snooping binding
show dot1x
show radius statistics
show sntp
show boot
show ip route
Check NTP Status (factory detection):
show ntp
Check SSH Status:
show ip ssh
Check LLDP Neighbors:
show lldp neighbors
Known Limitations
- SPB-m fabric not supported
- TFTP is the only supported firmware upload method (HTTP not supported)
- SSH key generation can take up to 3 minutes on initial bootstrap
- OLS firmware requires slightly different SNMP configuration syntax
Operational Caveats
- Factory Detection: The rXg uses NTP/SNTP disabled state to detect factory-default switches. If NTP is manually disabled on a configured switch, it may trigger re-bootstrap.
- SSH Timeout: SSH server timeout is set to 15 seconds during bootstrap to prevent session exhaustion from failed authentication attempts.
- Configuration Buffer: Only one session can modify configuration at a time. Config sync will fail if another session has the configuration buffer locked.
- OLS Firmware: OpenLAN Switch (OLS) firmware is automatically detected and handled. OLS requires the snmp command before configuring SNMP community.
- Legacy SSH: Older firmware may require legacy SSH algorithms. The rXg automatically falls back to legacy algorithms if modern algorithms fail.
- Telnet Fallback: For factory-default switches without SSH enabled, the rXg will connect via Telnet, apply bootstrap configuration to enable SSH, then reconnect via SSH.