Ruckus ICX Switches

Ruckus ICX switches are enterprise-class stackable switches providing high-performance Layer 2/3 switching with deep integration into Ruckus wireless ecosystems. The rXg supports both Layer 2 Switching (SPS) and Layer 3 Routing (SPR) firmware variants, with comprehensive configuration management, monitoring, and zero-touch provisioning capabilities.

Supported Models

| Model/Series | Notes |
|---|---|
| ICX 7150 Series | Compact enterprise access switches |
| ICX 7250 Series | Stackable enterprise access switches |
| ICX 7450 Series | High-performance enterprise switches |
| ICX 7550 Series | Campus aggregation switches |
| ICX 7650 Series | Multi-rate campus switches |
| ICX 7850 Series | 100G campus core switches |
| ICX 8200 Series | Next-gen campus switches with dynamic PoE |

Both Layer 2 Switching (SPS) and Layer 3 Routing (SPR/RDR) firmware variants are supported. The rXg automatically detects firmware type and adjusts configuration commands accordingly.

Features Supported

| Feature | Supported | Description |
|---|---|---|
| Config Sync | Yes | Automatic configuration synchronization from rXg |
| Auto Bootstrap | Yes | Zero-touch onboarding from factory-default state with default credentials |
| SNMP Monitoring | Yes | CPU, memory, and port statistics collection |
| LLDP Neighbor Discovery | Yes | Automatic detection of connected devices |
| Switch Port Import | Yes | Automatic import and management of switch ports |
| LAG Interfaces | Yes | Link Aggregation Group support with sub-interfaces |
| 802.1X Authentication | Yes | Port-based network access control |
| MAC Authentication Bypass (MAB) | Yes | MAC-based authentication for non-802.1X devices |
| MAB + 802.1X Combined | Yes | Auth-order configuration for combined authentication |
| Dynamic VLAN Assignment | Yes | RADIUS-assigned VLAN with per-port override |
| DHCP Snooping | Yes | Per-VLAN and per-port trust configuration |
| Firmware Management | Yes | Upload and upgrade via TFTP to primary/secondary slots |
| STP Protection | Yes | 802.1w support with edge-port and stp-protect |
| Optical Monitoring | Yes | SFP/SFP+ optical signal monitoring |
| PoE Management | Yes | Inline power priority configuration |
| IP Multicast | Yes | IGMP snooping with version 3 support |
| Custom Config | Yes | Support for custom configuration snippets |
| SPB-m Fabric | No | Not supported |

Prerequisites

Firmware Requirements

  • ICX firmware version 8.x or later
  • Version 9.x or later recommended for latest features
  • Version 10.x supported with updated SSH key exchange
  • SSH enabled with RSA keys generated

Licensing Requirements

  • Base license included with switch
  • PoE+ licensing may be required for higher power ports

Network Requirements

  • Management IP connectivity to rXg
  • SSH access (TCP port 22)
  • SNMP access (UDP port 161)
  • RADIUS connectivity (UDP ports 1812, 1813) - for 802.1X/MAB
  • TFTP connectivity (UDP port 69) - for firmware upgrades
  • NTP connectivity (UDP port 123) - recommended

Onboarding Process

Automatic Onboarding

Ruckus ICX switches support automatic onboarding from factory-default state. The rXg detects factory-default switches by attempting login with default credentials (super/sp-admin).

Prerequisites for Auto-Bootstrap:

  1. The switch must be connected to the network and obtain a DHCP address from rXg
  2. A switch record must exist in rXg with the switch's MAC address configured
  3. The target management IP address must be configured in the switch record
  4. The switch must accept either the factory-default credentials or pre-configured credentials

Auto-Bootstrap Process:

  1. The rXg looks up the switch's current DHCP IP address using the configured MAC address
  2. SSH connection is established to the DHCP IP
  3. Login is attempted with configured credentials, then default credentials (super/sp-admin)
  4. If the switch is in factory-default state (it prompts for a new password), the bootstrap configuration is applied:
    • RSA key generation for SSH (2048-bit)
    • SSH key exchange method (dh-group14-sha256 for v9+, dh-group1-sha1 for older)
    • Management user credentials
    • AAA configuration (local authentication)
    • LLDP enabled
    • SNMP community configured
    • Management VLAN and IP address
    • Default gateway
    • NTP server configuration
    • System max VLAN set to 4095
  5. Configuration is saved and switch is rebooted
  6. The switch reconnects on its new management IP address

Firmware-Specific Bootstrap:

  • Switching Code (SPS): IP address configured on management VLAN interface
  • Routing Code (SPR): IP address configured on virtual interface (VE) with IP routing

Manual Onboarding

For manual configuration, connect to the switch via console and apply the bootstrap commands below.

Bootstrap Commands

Enter Configuration Mode:

enable
skip-page-display
config terminal

Generate SSH Keys:

crypto key generate rsa modulus 2048
ip ssh key-exchange-method dh-group14-sha256
ip ssh idle-time 10

Configure AAA:

aaa authentication web-server default local
aaa authentication login default local
aaa authentication dot1x default radius

Enable LLDP:

lldp run

Configure SNMP:

snmp-server community <community-string> ro

Configure Management User:

username <admin-user> password <password>

Configure Management VLAN (Switching Code):

vlan <management-vlan>
  tagged ethernet <uplink-ports>
  management-vlan
  default-gateway <gateway-ip> 1
exit
ip address <switch-ip> <subnet-mask>
ip default-gateway <gateway-ip>

Configure Management VLAN (Routing Code):

vlan <management-vlan>
  tagged ethernet <uplink-ports>
exit
interface ve <management-vlan>
  ip address <switch-ip> <subnet-mask>
exit
ip route 0.0.0.0/0 <gateway-ip>

Configure NTP:

ntp
  server <ntp-server-ip>
exit

Set Maximum VLANs and Save:

system-max vlan 4095
write mem
exit
reload
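
An added example, not rXg or Ruckus code: a Python check that lints a bootstrap file assembled from the commands above before it is pasted on the console, flagging items that are missing or left at the defaults this page names. The function name, the check names and the sample file are assumptions made for illustration; pass firmware="spr" for routing code.

```python
import re

# Constructed sample (not from a real switch) that keeps defaults named on this page.
SAMPLE = """\
crypto key generate rsa modulus 2048
ip ssh key-exchange-method dh-group1-sha1
aaa authentication login default local
lldp run
snmp-server community public ro
username super password sp-admin
vlan 10
  tagged ethernet 1/1/1
  management-vlan
exit
ip address 192.0.2.10 255.255.255.0
ip default-gateway 192.0.2.1
"""

def audit_bootstrap(text, firmware="sps"):
    """Return {check: message} for every baseline item the file misses."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    def matches(pattern):
        return [m for m in (re.fullmatch(pattern, ln) for ln in lines) if m]
    out = {}
    if not any(int(m[1]) >= 2048 for m in matches(r"crypto key generate rsa modulus (\d+)")):
        out["rsa-key"] = "no RSA key generation with a modulus of at least 2048 bits"
    if [m[1] for m in matches(r"ip ssh key-exchange-method (\S+)")] != ["dh-group14-sha256"]:
        out["ssh-kex"] = "key exchange is not dh-group14-sha256 (the method listed for v9+)"
    if not matches(r"aaa authentication login default local"):
        out["aaa-login"] = "login is not bound to local authentication"
    if not matches(r"lldp run"):
        out["lldp"] = "LLDP is not enabled"
    communities = [m[1] for m in matches(r"snmp-server community (\S+) ro")]
    if not communities or "public" in communities:
        out["snmp-community"] = "community missing or left at the default 'public'"
    users = [(m[1], m[2]) for m in matches(r"username (\S+) password (\S+)")]
    if not users or ("super", "sp-admin") in users:
        out["mgmt-user"] = "management user missing or set to factory default super/sp-admin"
    if not (matches(r"ntp") and matches(r"server \S+")):
        out["ntp"] = "no NTP server configured"
    # Management addressing differs between switching (sps) and routing (spr) code.
    need = ([r"management-vlan", r"ip default-gateway \S+"] if firmware == "sps"
            else [r"interface ve \d+", r"ip route 0\.0\.0\.0/0 \S+"])
    if not all(matches(p) for p in need):
        out["mgmt-ip"] = f"management addressing incomplete for {firmware} firmware"
    return out

if __name__ == "__main__":
    print("\n".join(f"{k}: {v}" for k, v in audit_bootstrap(SAMPLE).items()))
```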

Configuration

Connection Settings

Configure the switch in the Network::Wired::Switches scaffold with:

  • Host: Target management IP address
  • MAC Address: Required for auto-bootstrap DHCP lookup
  • Username/Password: SSH credentials (default: super/sp-admin)
  • Enable Password: If different from login password (deprecated in v9+)
  • Management VLAN: VLAN for management traffic (default: 1)
  • SNMP Community: Community string for monitoring (default: public)

RADIUS / AAA Configuration

When a RADIUS Server Option is active in rXg, the system supports combined MAB and 802.1X authentication:

System-Level Configuration:

aaa authentication dot1x default radius
authentication
  auth-default-vlan <fallback-vlan>
  auth-timeout-action failure
  auth-mode multiple-untagged
  auth-order mac-auth dot1x
  mac-authentication enable
  mac-authentication dot1x-override
  mac-authentication dot1x-disable
  dot1x enable
exit

Port-Level Configuration for MAB:

mac-authentication enable ethernet <port-list>
interface ethernet <port>
  authentication auth-default-vlan <native-vlan>
exit

Port-Level Configuration for 802.1X:

dot1x enable ethernet <port-list>
dot1x port-control auto ethernet <port-list>

VLAN Configuration

VLANs are automatically managed through Switch Port Profiles:

  • Access ports: Configured with untagged on the native VLAN
  • Trunk ports: Configured with tagged VLANs and untagged native VLAN
  • VLANs are created/removed automatically as needed

VLAN Commands:

vlan <vlan-id>
  tagged ethernet <port-list>
  untagged ethernet <port-list>
exit

LAG Configuration

Link Aggregation Groups (LAGs) are fully supported with up to 256 LAG IDs:

lag "<lag-name>" <dynamic|static> id <lag-id>
  ports ethernet <port-list>
exit

Sub-interfaces automatically inherit VLAN configuration from the parent LAG.

DHCP Snooping Configuration

DHCP snooping is configured through:

  1. Trusted DHCP VLANs on the Switch record - specifies which VLANs have DHCP snooping enabled
  2. DHCP Snooping Trust on Switch Port Profiles - marks uplink ports as trusted

ip dhcp snooping vlan <vlan-list>
interface ethernet <trusted-port>
  dhcp snooping trust
exit

STP Protection

Switch Port Profiles support:

  • Edge Protection: spanning-tree 802-1w admin-edge-port
  • STP Protect: stp-protect for BPDU guard functionality

STP Priority Configuration:

spanning-tree single 802-1w
spanning-tree single 802-1w priority <priority>

Port Settings

Per-port settings available through Switch Port Profiles:

| Setting | Description |
|---|---|
| Optical Monitor | Enable SFP/SFP+ signal monitoring |
| Trust DSCP | Trust DSCP marking from incoming traffic |
| DHCP Snooping Trust | Mark port as trusted for DHCP snooping |
| Inline Power Priority | PoE priority (1=critical, 2=high, 3=low) |
| Speed/Duplex | Manual speed/duplex configuration |

Advanced Settings

Web Management:

no web-management https

DNS Server:

ip dns server-address <dns-ip>

Timezone:

Automatically configured based on rXg DeviceOption timezone setting.

IP Multicast (IGMP Snooping):

ip multicast active
ip multicast version 3
no ip multicast disable-flooding

Login Security:

aaa authentication login default <methods>
aaa authentication enable default <methods>
max-login-failures <count>
login-recovery-time <seconds>

Monitoring Capabilities

| Metric | Collection Method | Notes |
|---|---|---|
| CPU Usage | SNMP | Collected at configured monitoring interval |
| Memory Usage | SNMP | Collected at configured monitoring interval |
| Port Statistics | SNMP | Packets in/out, errors, discards |
| Port Status | SNMP/SSH | Up/down, speed, duplex via show interface brief |
| LLDP Neighbors | SNMP | Connected device discovery |
| MAC Address Table | SSH | Client discovery via show mac-address |
| LAG Status | SSH | LAG member ports and aggregated speed |
| Optical Levels | SSH | SFP/SFP+ Tx/Rx power levels |
| Device Info | SSH | Serial number, model, firmware version, MAC |
| Flash Status | SSH | Primary/secondary firmware versions |
| Boot Preference | SSH | Current boot configuration |

Firmware Upgrade

Ruckus ICX switches support firmware upgrades via TFTP:

Supported Upload Methods:

  • TFTP

Supported Flash Locations:

  • primary
  • secondary
  • bootrom

Upgrade Process:

  1. Upload firmware file to rXg via Device Firmwares scaffold
  2. Associate firmware with the switch
  3. Select target flash location (primary/secondary)
  4. Initiate upgrade from the switch record
  5. The rXg:
    • Copies firmware to TFTP directory
    • Connects to switch via SSH
    • Executes copy tftp flash <server> <filename> <location>
    • Waits for transfer completion (up to 10 minutes)
    • Saves configuration (write memory)
    • Sets boot system to new firmware
    • Optionally reboots the switch

Firmware Upgrade Commands:

copy tftp flash <tftp-server-ip> <firmware-filename> primary
write memory
boot system flash primary yes

Troubleshooting

Common Issues

Issue: Switch shows offline in rXg

Symptom: Switch appears offline despite being reachable via ping

Cause: SSH connectivity issues or SNMP community mismatch

Resolution:

  • Verify SSH credentials match switch configuration
  • Check SNMP community string matches
  • Ensure SSH is enabled: show ip ssh
  • Check for locked-out IP (60 second lockout after failed attempts)
  • Verify RSA keys are generated

Issue: Auto-bootstrap fails

Symptom: Switch detected at DHCP IP but bootstrap doesn't complete

Cause: Credential issues or network configuration mismatch

Resolution:

  • Verify factory default credentials (super/sp-admin)
  • For Switching Code: Ensure DHCP IP matches configured management IP and VLAN
  • For Routing Code: Ensure management VLAN is different from default if IP differs
  • Check if switch already has partial configuration
  • Try manual bootstrap via console

Issue: Config sync warning about no ports

Symptom: "No ports were imported" warning during sync

Cause: SNMP community mismatch preventing port discovery

Resolution:

  • Verify SNMP community string matches switch configuration
  • Run "Import Ports" from switch record
  • Check SNMP connectivity

Issue: DHCP snooping blocks legitimate traffic

Symptom: Devices not getting DHCP addresses after enabling snooping

Cause: Uplink port not marked as trusted

Resolution:

  • Ensure Switch Port Profile for uplink ports has "DHCP Snooping Trust" enabled
  • Verify path to DHCP server has all intermediate ports trusted

Issue: Firmware upgrade fails

Symptom: Firmware transfer times out or switch doesn't boot new image

Cause: TFTP connectivity issues or insufficient flash space

Resolution:

  • Verify TFTP connectivity from switch to rXg
  • Check firmware file exists in /space/tftpboot/
  • Verify flash space: show flash
  • Check boot preference: show boot-preference

Issue: LAG not forming

Symptom: LAG shows as down or sub-interfaces not bundled

Cause: Port configuration mismatch or LACP issues

Resolution:

  • Verify all member ports have same speed/duplex
  • Check LAG type (static vs dynamic/LACP)
  • Verify member ports are enabled
  • Check show lag brief for status

Diagnostic Commands

General:

show version
show running-config
show ip
show ip interface
show interface brief wide
show vlan

SSH and Authentication:

show ip ssh
show aaa
show authentication
show dot1x
show mac-authentication

RADIUS:

show radius statistics
show aaa servers

VLANs and Ports:

show run vlan
show mac-address
show interface configuration
show lldp neighbors

Firmware:

show flash
show boot-preference

LAG:

show lag brief
show lag <lag-id>

DHCP Snooping:

show ip dhcp snooping
show ip dhcp snooping binding

Spanning Tree:

show spanning-tree
show spanning-tree detail

Known Limitations

  • SPB-m fabric not supported
  • Maximum 4095 VLANs (requires system-max vlan 4095 and reboot)
  • LAG limited to 256 IDs
  • TFTP is the only supported firmware upload method
  • Some features deprecated in firmware v9+ (enable super-user-password)

Operational Caveats

  • Firmware Types: Layer 2 Switching (SPS) and Layer 3 Routing (SPR/RDR) require different bootstrap configurations. The rXg automatically detects and handles both.
  • Default Credentials: Factory default is super/sp-admin. First login requires password change.
  • SSH Algorithm Support: The rXg uses diffie-hellman-group14-sha1 and ssh-rsa for compatibility. Version 9+ switches use dh-group14-sha256.
  • IP Lockout: ICX switches may temporarily lock out IP addresses (60 seconds) after failed authentication attempts.
  • DHCP Client: Switches with routing code may have DHCP client enabled. Config sync automatically disables it if IP address differs from configured management IP.
  • VTP Mode: ICX does not use VTP; VLAN configuration is local only.
  • Management VLAN: For Switching Code, management-vlan command moves management to specified VLAN. Ensure connectivity before applying.
  • System Max VLAN: Changing maximum VLANs requires reboot. Bootstrap automatically sets to 4095.
  • LAG Sub-Interfaces: Ports added to LAG inherit VLAN configuration from parent LAG. Individual port VLAN settings are ignored.
  • Custom Config: Support for custom configuration snippets that are checked and applied during sync.
  • Spanning Tree: Spanning tree configuration (802.1w) is handled at switch level and per-port via profiles.
  • ICX 8200 Series: Supports dynamic PoE power management across all stack units.
