
Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)


jode

Member
Jul 27, 2021
65
57
18
Received my ICX6610 a couple of days ago. I actually invested in a "factory new" unit. Assumed benefit is a couple of years of less wear on fans and other components. It's quite surprising (to me) finding a "factory new" unit after that model has officially been EOL'ed for 5 years. I do appreciate the console cable and stack cables that came with it ;)

Unit came with Version:08.0.10gT7f3 installed (anybody willing to guess a manufacturing date based on this?). But following the excellent install script I had it updated and licensed in no time. I am a very happy camper at this point.

I spent the last couple of days fitting it into my network mostly as a dumb switch w/ vlans and reading through this thread. I'm about 300 pages in and feel I have accumulated enough knowledge to start my next steps. Except ...

/rant
I am dumbfounded by a product that was introduced in this millennium, inherently dependent on and favoring a CLI management approach, that has such a limited and borked command line experience. Paging, anybody?
/rant

Well, as I am trying to set up some form of iterative, agile improvement to my switch configuration by submitting lists of commands (scripts) via ssh, I run into the good old "Protocol error, doesn't start with scp!" and found the official Ruckus response to this issue here.

How do y'all manage a reasonably complex configuration if it is seemingly impossible to submit scripts to the switch? Links/instructions appreciated.
 
Reactions: kpfleming

NablaSquaredG

Bringing 100G switches to homelabs
Aug 17, 2020
1,688
1,120
113
anybody willing to guess a manufacturing date based on this?
No need to guess..

Do a show pid and it will happily show you some info, e.g. for an ICX7450-48:
Code:
ICX7450-48 Router(config)#show pid
Version Number: 0003
Part Number: 84-1002599-02
Serial Number: CYQ3334L053
Bench test: Passed
Burnin test: Passed
Test Date: 09/01/15
Date of manufacture at CM: 09/02/15
Date received at factory: 09/02/15
Date of burn in: 09/02/15
Mfg Test: Passed
RMA Date: 00/00/00
RMA Info: 
LID info: pattern=b6cd, LID in EEPROM=easIIIJnFKI, LID str=easIIIJnFKI
 
Reactions: jode

jode

Member
Jul 27, 2021
65
57
18
No need to guess..

Do a show pid and it will happily show you some info, e.g. for an ICX7450-48:
Code:
SSH@ICX6610#sh pid
Version Number: 0000
Part Number: 84-1003347-01
Serial Number: 2ax5o2jk68e
Bench test: Passed
Burnin test: Passed
Test Date: 02/03/18
Date of manufacture at CM: 02/24/18
Date received at factory: 02/24/18
Date of burn in: 02/03/18
Mfg Test:
RMA Date: 00/00/00
RMA Info:
LID info: pattern=b6cd, LID in EEPROM=H4CKTH3PLN8, LID str=H4CKTH3PLN8
So much to learn ... ;)
 

klui

༺༻
Feb 3, 2019
970
552
93
/rant
I am dumbfounded by a product that was introduced in this millenium, inherently dependent and favoring a cli management approach that has such a limited and borked command line experience. Paging, anybody?
/rant
So much to learn ... ;)
Don't know what you mean.


It's also in the last command reference PDF provided by @fohdeesha under Scroll Control.
 

jode

Member
Jul 27, 2021
65
57
18
Don't know what you mean.
I read both the manual as well as the command reference.

Even in the last millennium it was pretty common for a paging app to adjust its behavior to terminal size and not be hard coded to 23 lines. If it did I think I'd not comment on it. But in 2023, where 4k displays are a common thing, a pager hard-coded to 23 lines is pretty annoying.

The fact that it's possible to turn this default behavior off is laudable, but that cannot even be made a persistent behavior, and you need to remember to do that every time you log in.
Oh, yes, and if you forget this in a new session: as you elevate your connection through the levels, this basic command is not available at every level, and you need to exit back out just to turn off paging.

Code:
SSH@ICX661>skip-page-display
Unrecognized command
SSH@ICX6610>enable
No password has been assigned yet...
SSH@ICX6610#skip
skip-page-display Enable continuous display
SSH@ICX6610#conf t
SSH@ICX6610(config)#skip-page-display
Unrecognized command
Actually, I don't want to come across as a party pooper - I am actually pretty stoked about the switch and its capabilities.

I just want to learn how to use it effectively. As you can tell it's still eluding me ...
 
Reactions: klui

klui

༺༻
Feb 3, 2019
970
552
93
Then those are valid criticisms; your first post was ambiguous.

I'm pretty sure you'll have more challenges when it comes to VLAN tagging on the ICX 6000s.
 

ManoftheSea

Member
Apr 18, 2023
41
16
8
How do y'all manage a reasonable complex configuration if it is seemingly impossible to submit scripts to the switch? Links/instructions appreciated.
With TFTP.
"copy tftp startup-config A:B::C:D filename.txt"
then reboot.

I've started a git repo, and as I make changes to the running-config, I copy that to my TFTP server, then to my git repo, so I can track the changes as I'm making them. If I really break it, I have yesterday's configuration ready to reload and reboot.

It might be possible to copy from tftp to running-config, but I'm not sure whether all the errors and feedback are important or can be ignored.
 
Reactions: jode

jode

Member
Jul 27, 2021
65
57
18
With TFTP.
"copy tftp startup-config A:B::C:D filename.txt"
then reboot.

I've started a git repo, and as I make changes to the running-config, I copy that to my TFTP server, then to my git repo, so I can track the changes as I'm making them. If I really break it, I have yesterday's configuration ready to reload and reboot.

It might be possible to copy from tftp to running-config, but I'm not sure whether all the errors and feedback are important or can be ignored.
Awesome. This, or rather something similar, is what I am looking for.

Strictly speaking, you have a pull configuration, right? Or did you find a way to initiate the copy command from outside of the switch?

I am looking for a push configuration, where I can develop in git and push configuration changes via a delivery pipeline.
 

kpfleming

Active Member
Dec 28, 2021
432
222
43
Pelham NY USA
Even in the last millennium it was pretty common for a paging app to adjust its behavior to terminal size and not be hard coded to 23 lines. If it did I think I'd not comment on it. But in 2023, where 4k displays are a common thing, a pager hard-coded to 23 lines is pretty annoying.
There is no 'paging app' involved here. You are using a dumb-terminal interface, which barely supports any sort of control mechanisms at all (it doesn't use colors or highlighting or anything else), and most likely is unable to query the attached terminal to find out how many lines it can display at once. Even though you are connecting to it over SSH, it's still the same dumb-terminal interface :)
 
Reactions: fohdeesha

ManoftheSea

Member
Apr 18, 2023
41
16
8
Awesome. This, or rather something similar, is what I am looking for.

Strictly speaking, you have a pull configuration, right? Or did you find a way to initiate the copy command from outside of the switch?

I am looking for a push configuration, where I can develop in git and push configuration changes via a delivery pipeline.
Well, I've been making live changes and testing them on the switch, saving the running-config as I *think* it's working, and writing to the startup-config a little less frequently. I wonder if you might be able to use ssh and an expect-script to send the commands to the switch to pull files from TFTP to running-config or startup-config.

Be advised, I ran into a strange situation: 1/2/4 was monitoring a bunch of other ports. I undid that option in the web-interface, but the port itself was still mirroring traffic, until I rebooted the switch ("reload", described as a warm-reboot). So simply loading the config file may not give you the same result as the reboot.
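The push model jode is asking for, as an added example (not code from the thread, and not a Ruckus tool): a Python script that drives the switch's interactive SSH shell the way an expect script would and then reads back what the switch said. It assumes paramiko is installed and that the switch accepts the SSH key you point it at. The switch answers a plain SSH exec request with the "Protocol error, doesn't start with scp!" message quoted earlier, so everything goes through a shell channel. Two details come straight from this thread: skip-page-display is only accepted at the privileged # level (rejected at > and in config mode), so it is sent right after enable and before configure terminal; and the CLI reports a bad line as "Unrecognized command" on its own line, which is what the transcript parser looks for. The host-key policy is reject-unknown rather than a blanket StrictHostKeyChecking no, so put the switch's host key in known_hosts before the first run. The parsing half runs offline on a constructed transcript.

```python
"""Push ICX config lines over an interactive SSH shell and check what came back.
Added example, not from the thread. Assumes paramiko is installed and that the
switch (hostname ICX6610 in the sample prompts) accepts the SSH key you give it."""
import re
import time

# A prompt at the start of a line: "SSH@ICX6610>", "SSH@ICX6610#", "SSH@ICX6610(config-vlan-31)#".
PROMPT_RE = re.compile(r"^([\w@.-]+(?:\([^)]*\))?[>#])(?P<rest>.*)$")
# Rejection messages: "Unrecognized command" is the one seen in this thread; the rest are assumed.
ERROR_RE = re.compile(r"^(Unrecognized command|Invalid input|Ambiguous input|Incomplete command|Error\b)", re.I)

def plan_session(config_lines, save=True):
    """Exact command sequence to type. skip-page-display is only accepted at the privileged
    '#' level (the thread shows it rejected at '>' and in config mode), so it goes right after
    'enable'. Blank lines and '!' comments from a config file are dropped."""
    cmds = ["enable", "skip-page-display", "configure terminal"]
    cmds += [l.strip() for l in config_lines if l.strip() and not l.strip().startswith("!")]
    cmds.append("end")
    if save:
        cmds.append("write memory")
    return cmds

def parse_transcript(transcript):
    """Split a shell transcript into [(command, [output lines]), ...] at the echoed prompts."""
    blocks = []
    for raw in transcript.replace("\r", "").split("\n"):
        m = PROMPT_RE.match(raw)
        if m:
            blocks.append((m.group("rest").strip(), []))
        elif blocks and raw.strip():
            blocks[-1][1].append(raw.strip())
    return blocks

def find_errors(transcript):
    """[(command, message)] for every command the switch rejected."""
    return [(cmd, line) for cmd, out in parse_transcript(transcript) for line in out if ERROR_RE.match(line)]

def push_config(host, username, key_filename, config_lines, enable_password=None, timeout=10):
    """Drive the interactive shell and return the full transcript (needs network + paramiko)."""
    import paramiko  # assumption: paramiko is installed

    client = paramiko.SSHClient()
    client.load_system_host_keys()
    client.set_missing_host_key_policy(paramiko.RejectPolicy())  # host key must already be in known_hosts
    client.connect(host, username=username, key_filename=key_filename, look_for_keys=False,
                   allow_agent=False, timeout=timeout,
                   # The switch negotiates only ssh-rsa and sends no server-sig-algs, so stop paramiko
                   # from trying rsa-sha2 signatures first (assumed necessary for this RomSShell build).
                   disabled_algorithms={"pubkeys": ["rsa-sha2-256", "rsa-sha2-512"]})
    chan = client.invoke_shell(width=200, height=1000)
    chan.settimeout(timeout)

    def wait_for(pattern):
        buf, deadline = "", time.time() + timeout
        while time.time() < deadline:
            if chan.recv_ready():
                buf += chan.recv(65535).decode("utf-8", "replace")
                if re.search(pattern, buf):
                    return buf
            else:
                time.sleep(0.1)
        raise TimeoutError(f"no {pattern!r} in {buf[-200:]!r}")

    transcript = wait_for(r"[>#]\s*\Z")  # banner and first prompt
    for cmd in plan_session(config_lines):
        chan.send(cmd + "\n")
        out = wait_for(r"(Password:|[>#])\s*\Z")
        if out.rstrip().endswith("Password:"):  # 'enable' asked for the enable password
            chan.send((enable_password or "") + "\n")
            out += wait_for(r"[>#]\s*\Z")
        transcript += out
    chan.send("exit\n")
    client.close()
    return transcript

# Constructed transcript (not a real capture) with one rejected line, for an offline run.
SAMPLE_TRANSCRIPT = (
    "SSH@ICX6610>enable\r\n"
    "SSH@ICX6610#skip-page-display\r\n"
    "SSH@ICX6610#configure terminal\r\n"
    "SSH@ICX6610(config)#vlan 31 name main by port\r\n"
    "SSH@ICX6610(config-vlan-31)#tagged ethe 1/1/17 to 1/1/25\r\n"
    "SSH@ICX6610(config-vlan-31)#skip-page-display\r\n"
    "Unrecognized command\r\n"
    "SSH@ICX6610(config-vlan-31)#end\r\n"
    "SSH@ICX6610#write memory\r\n"
    "Write startup-config done.\r\n"
    "SSH@ICX6610#"
)

if __name__ == "__main__":
    for cmd, msg in find_errors(SAMPLE_TRANSCRIPT):
        print(f"rejected: {cmd!r}: {msg}")
```

The transcript is the thing to keep: a config push that "succeeded" is only as good as the absence of rejected lines in it, so run find_errors on it before trusting write memory. The disabled_algorithms and group1-sha1 settings are legacy accommodations for this switch; keep them scoped to the switch host (paramiko still enables diffie-hellman-group1-sha1 by default) rather than loosening your global SSH configuration.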
 

kevindd992002

Member
Oct 4, 2021
125
6
18
@fohdeesha is there a way to make the DHCP server in a Brocade ICX6450 authoritative? I set up some pools and some of my devices cannot get an IP from the pool but others can. I don't have the luxury of setting up ISC dhcpd on another device.
 

ManoftheSea

Member
Apr 18, 2023
41
16
8
dhcp server
Plus, ISC-DHCP-Server is end of life.

Since you say "some pools", I assume you've got multiple vlans, multiple virtual interfaces, or some other construction going on. It'd be helpful to post the results of "show ip dhcp-server address-pools" and/or "show ip dhcp-server binding". If all pools are in state "active", then "show ip address" will help to map the pools against the interfaces, and "show running-config vlan" seems to be the most concise way to confirm ve, port, and vlan relative to each other.
 

kevindd992002

Member
Oct 4, 2021
125
6
18
Oh ok, I didn't know ISC DHCP is EOL.

Correct, multiple VLANs with ve's since I want interVLAN routing using this L3 switch. Nothing fancy.

Code:
SSH@mainswitch#show ip dhcp-server address-pools

Showing all address pool(s):


                    Pool Name:  main
Time elapsed since last save:  00d:00h:24m:54s
Total number of active leases:  0
           Address Pool State:  active
        IP Address Exclusions:  192.168.31.1 192.168.31.99
      Pool Configured Options:
          dhcp-default-router:  192.168.31.1
                   dns-server:  192.168.100.1
                        lease:  1 0 0
                      network:  192.168.31.0 255.255.255.0

                    Pool Name:  iot
Time elapsed since last save:  00d:00h:24m:54s
Total number of active leases:  0
           Address Pool State:  active
        IP Address Exclusions:  192.168.32.1 192.168.32.99
      Pool Configured Options:
          dhcp-default-router:  192.168.32.1
                   dns-server:  192.168.100.1
                        lease:  1 0 0
                      network:  192.168.32.0 255.255.255.0

                    Pool Name:  cctv
Time elapsed since last save:  00d:00h:24m:54s
Total number of active leases:  1
           Address Pool State:  active
        IP Address Exclusions:  192.168.33.1 192.168.33.99
      Pool Configured Options:
          dhcp-default-router:  192.168.33.1
                   dns-server:  192.168.100.1
                        lease:  1 0 0
                      network:  192.168.33.0 255.255.255.0

                    Pool Name:  guest
Time elapsed since last save:  00d:00h:24m:54s
Total number of active leases:  0
           Address Pool State:  active
        IP Address Exclusions:  192.168.34.1 192.168.34.99
      Pool Configured Options:
          dhcp-default-router:  192.168.34.1
                   dns-server:  192.168.100.1
                        lease:  1 0 0
                      network:  192.168.34.0 255.255.255.0

                    Pool Name:  management
Time elapsed since last save:  00d:00h:24m:54s
Total number of active leases:  1
           Address Pool State:  active
        IP Address Exclusions:  192.168.35.1 192.168.35.99
      Pool Configured Options:
          dhcp-default-router:  192.168.35.1
                   dns-server:  192.168.100.1
                        lease:  1 0 0
                      network:  192.168.35.0 255.255.255.0
Code:
SSH@mainswitch#show ip dhcp-server binding
Bindings from all pools:
        IP Address    Client-ID/        Lease expiration Type
                      Hardware address

    192.168.35.100    001d.xxxx.xxxx   000d:23h:59m:57s   Automatic
    192.168.33.101    fc9f.xxxx.xxxx   000d:23h:59m:32s   Automatic
192.168.33.101 is for an nvr device that has the issue. So it does show in the bindings but the nvr never gets an IP. It is also not pingable from the switch.

Code:
SSH@mainswitch#show ip address
        IP Address       Type      Lease Time       Interface
     192.168.100.2       Static    N/A             1/1/37
      192.168.31.1       Static    N/A             31
      192.168.32.1       Static    N/A             32
      192.168.33.1       Static    N/A             33
      192.168.34.1       Static    N/A             34
      192.168.35.1       Static    N/A             35
Code:
SSH@mainswitch#show running-config vlan
vlan 1 name DEFAULT-VLAN by port
!
vlan 30 name transit by port
!
vlan 31 name main by port
tagged ethe 1/1/17 to 1/1/25
untagged ethe 1/1/26 to 1/1/27 ethe 1/1/30 to 1/1/31 ethe 1/1/34
router-interface ve 31
!
vlan 32 name iot by port
tagged ethe 1/1/17 to 1/1/25
untagged ethe 1/1/28 to 1/1/29 ethe 1/1/32 to 1/1/33 ethe 1/1/35 to 1/1/36
router-interface ve 32
!
vlan 33 name cctv by port
untagged ethe 1/1/1 to 1/1/16
router-interface ve 33
!
vlan 34 name guest by port
tagged ethe 1/1/17 to 1/1/25
router-interface ve 34
!
vlan 35 name management by port
tagged ethe 1/1/17 to 1/1/25
untagged ethe 1/1/38 to 1/1/39
router-interface ve 35
!
!
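The cross-checks ManoftheSea describes (map the pools to interfaces with show ip address, then look at the bindings), applied to the output posted above, as an added example rather than code from the thread. It parses the three show outputs and reports any pool whose default router is not an address the switch owns, any binding that no pool covers, and any binding that sits inside its pool's exclusion range. On this output it finds nothing, which matches where the thread ends up: the pool and VE configuration is consistent, so the next step is to watch the DHCP exchange on the wire. The sample inputs are trimmed copies of the posted output; the column layout the parsers expect is taken from it.

```python
"""Cross-check ICX DHCP pools against interfaces and bindings.
Added example, not from the thread. Parses 'show ip dhcp-server address-pools',
'show ip dhcp-server binding' and 'show ip address' as posted above and applies
the checks suggested there: each active pool's default router must be an address
the switch owns, and each binding must fall inside a pool's network and outside
that pool's exclusion range."""
import ipaddress
import re

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"

def parse_pools(text):
    """'show ip dhcp-server address-pools' -> [{name, network, router, exclusions, state}]."""
    pools, cur = [], None
    # "   key:  value" lines; [ \t]+ after the colon keeps a bare "Pool Configured Options:"
    # from swallowing the line that follows it.
    for key, val in re.findall(r"^[ \t]*([^:\n]+?):[ \t]+(\S[^\n]*?)[ \t]*$", text, re.M):
        if key == "Pool Name":
            cur = {"name": val, "network": None, "router": None, "exclusions": None, "state": None}
            pools.append(cur)
        elif cur is None:
            continue
        elif key == "network":
            cur["network"] = ipaddress.IPv4Network("/".join(val.split()))  # "net mask" -> net/mask
        elif key == "dhcp-default-router":
            cur["router"] = ipaddress.IPv4Address(val)
        elif key == "IP Address Exclusions":
            cur["exclusions"] = tuple(ipaddress.IPv4Address(a) for a in val.split())
        elif key == "Address Pool State":
            cur["state"] = val
    return pools

def parse_bindings(text):
    """'show ip dhcp-server binding' -> [(ip, client_id)]."""
    rows = re.findall(rf"^[ \t]*{IPV4}[ \t]+(\S+)[ \t]+\S+[ \t]+\S+[ \t]*$", text, re.M)
    return [(ipaddress.IPv4Address(ip), cid) for ip, cid in rows]

def parse_addresses(text):
    """'show ip address' -> {ip: interface}; a bare number is a VE, '1/1/37' a physical port."""
    rows = re.findall(rf"^[ \t]*{IPV4}[ \t]+\S+[ \t]+\S+[ \t]+(\S+)[ \t]*$", text, re.M)
    return {ipaddress.IPv4Address(ip): iface for ip, iface in rows}

def check(pools, bindings, addresses):
    """Findings as strings; an empty list means the three views agree."""
    findings = []
    for p in pools:
        if p["state"] != "active":
            findings.append(f"pool {p['name']}: state {p['state']}")
        if p["router"] not in p["network"]:
            findings.append(f"pool {p['name']}: default router {p['router']} outside {p['network']}")
        elif p["router"] not in addresses:
            findings.append(f"pool {p['name']}: no interface owns default router {p['router']}")
    for ip, cid in bindings:
        pool = next((p for p in pools if ip in p["network"]), None)
        if pool is None:
            findings.append(f"binding {ip} ({cid}): no pool covers it")
        elif pool["exclusions"] and pool["exclusions"][0] <= ip <= pool["exclusions"][1]:
            findings.append(f"binding {ip} ({cid}): inside excluded range of pool {pool['name']}")
    return findings

# Trimmed copies of the outputs posted above (cctv and management pools; some lines dropped).
POOLS = """\
Showing all address pool(s):

                    Pool Name:  cctv
           Address Pool State:  active
        IP Address Exclusions:  192.168.33.1 192.168.33.99
      Pool Configured Options:
          dhcp-default-router:  192.168.33.1
                      network:  192.168.33.0 255.255.255.0

                    Pool Name:  management
           Address Pool State:  active
        IP Address Exclusions:  192.168.35.1 192.168.35.99
      Pool Configured Options:
          dhcp-default-router:  192.168.35.1
                      network:  192.168.35.0 255.255.255.0
"""
BINDINGS = """\
Bindings from all pools:
        IP Address    Client-ID/        Lease expiration Type
                      Hardware address

    192.168.35.100    001d.xxxx.xxxx   000d:23h:59m:57s   Automatic
    192.168.33.101    fc9f.xxxx.xxxx   000d:23h:59m:32s   Automatic
"""
ADDRESSES = """\
        IP Address       Type      Lease Time       Interface
     192.168.100.2       Static    N/A             1/1/37
      192.168.33.1       Static    N/A             33
      192.168.35.1       Static    N/A             35
"""

if __name__ == "__main__":
    result = check(parse_pools(POOLS), parse_bindings(BINDINGS), parse_addresses(ADDRESSES))
    print("\n".join(result) if result else "no inconsistencies found")
```

Feed it the full outputs (copy them out of a session with paging turned off) and an empty result means the remaining suspects are the wire and the client: whether the OFFER and ACK actually leave the VE, and whether the NVR accepts them.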
 

Spindle2274

New Member
Dec 1, 2023
4
0
1
For the life of me, I cannot ssh into the 6610, even after following all instructions multiple times.

My RSA key is 2048 bits.

Even if I enable password auth, it says my password is wrong when it isn't.

Any help would be greatly appreciated:

Here is my ssh config (all combos of commenting out lines have been tried):


Code:
StrictHostKeyChecking no
# my switch
Host 192.168.2.2
#  PubkeyAcceptedKeyTypes +ssh-rsa
  HostKeyAlgorithms +ssh-rsa
  IdentitiesOnly yes
  KexAlgorithms +diffie-hellman-group1-sha1
  IdentityFile ~/.ssh/id_rsa_legacy
#  Ciphers aes256-ctr
Here are my verbose ssh logs from the connection attempt:

Code:
OpenSSH_8.9p1 Ubuntu-3ubuntu0.4, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /home/serveradmin/.ssh/config
debug1: /home/serveradmin/.ssh/config line 2: Applying options for 192.168.2.2
debug3: kex names ok: [diffie-hellman-group1-sha1]
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname 192.168.2.2 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/serveradmin/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/serveradmin/.ssh/known_hosts2'
debug3: ssh_connect_direct: entering
debug1: Connecting to 192.168.2.2 [192.168.2.2] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: Connection established.
debug1: identity file /home/serveradmin/.ssh/id_rsa_legacy type 0
debug1: identity file /home/serveradmin/.ssh/id_rsa_legacy-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4
debug1: Remote protocol version 2.0, remote software version RomSShell_5.40
debug1: compat_banner: no match: RomSShell_5.40
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.2.2:22 as 'root'
debug3: record_hostkey: found key type RSA in file /home/serveradmin/.ssh/known_hosts:138
debug3: load_hostkeys_file: loaded 1 keys from 192.168.2.2
debug1: load_hostkeys: fopen /home/serveradmin/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: prefer hostkeyalgs: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group1-sha1,ext-info-c
debug2: host key algorithms: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com
debug2: ciphers ctos: aes256-ctr
debug2: ciphers stoc: aes256-ctr
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes256-cbc,aes192-cbc,aes128-cbc,aes256-ctr,aes192-ctr,aes128-ctr
debug2: ciphers stoc: aes256-cbc,aes192-cbc,aes128-cbc,aes256-ctr,aes192-ctr,aes128-ctr
debug2: MACs ctos: hmac-sha1
debug2: MACs stoc: hmac-sha1
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: diffie-hellman-group1-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha1 compression: none
debug2: bits set: 518/1024
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-rsa SHA256:hDr/FVms/sPE/zGI2X835eGo5Uo845zv8mM4PN7qnBA
debug3: record_hostkey: found key type RSA in file /home/serveradmin/.ssh/known_hosts:138
debug3: load_hostkeys_file: loaded 1 keys from 192.168.2.2
debug1: load_hostkeys: fopen /home/serveradmin/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '192.168.2.2' is known and matches the RSA host key.
debug1: Found key in /home/serveradmin/.ssh/known_hosts:138
debug2: bits set: 507/1024
debug3: send packet: type 21
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/serveradmin/.ssh/id_rsa_legacy RSA SHA256:UGYFYar2T1b6PgREJa+bk+X93bspta6XEsQlqbIM568 explicit
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/serveradmin/.ssh/id_rsa_legacy RSA SHA256:UGYFYar2T1b6PgREJa+bk+X93bspta6XEsQlqbIM568 explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /home/serveradmin/.ssh/id_rsa_legacy RSA SHA256:UGYFYar2T1b6PgREJa+bk+X93bspta6XEsQlqbIM568 explicit
debug3: sign_and_send_pubkey: using publickey with RSA SHA256:UGYFYar2T1b6PgREJa+bk+X93bspta6XEsQlqbIM568
debug3: sign_and_send_pubkey: signing using ssh-rsa SHA256:UGYFYar2T1b6PgREJa+bk+X93bspta6XEsQlqbIM568
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
root@192.168.2.2: Permission denied (publickey).
 

ManoftheSea

Member
Apr 18, 2023
41
16
8
We're not so different, you and I.

Code:
vlan 10 name wired by port
 untagged ethe 1/1/43 
 router-interface ve 10
!
vlan 100 name Comcast by port
 untagged ethe 1/1/45 to 1/1/48 
!
vlan 101 name Wifi-Users by port
 tagged ethe 1/1/39 
 router-interface ve 101
!
vlan 200 name DMZ by port
 untagged ethe 1/1/31 ethe 1/2/4 
 router-interface ve 200
!
vlan 201 name Printers by port
 tagged ethe 1/1/39 
 router-interface ve 201
!
vlan 400 name Wifi-Guest by port
 tagged ethe 1/1/39 
 untagged ethe 1/1/37 
 router-interface ve 400
!
vlan 1000 name Internal by port
 tagged ethe 1/1/39 
 untagged ethe 1/1/38 ethe 1/1/40 
 router-interface ve 1000
!
vlan 1500 name DEFAULT-VLAN by port
Code:
ip dhcp-server pool guests
 dhcp-default-router 172.20.20.1 
 dns-server 8.8.8.8 1.1.1.1 
 excluded-address 172.20.20.1 172.20.20.99
 lease 0 1 0
 network 172.20.20.0 255.255.255.0
 static-mac-ip-mapping 172.20.20.100 0011.2233.4455
 deploy
!
!
ip dhcp-server pool internal
 dhcp-default-router 10.255.253.1 
 dns-server 8.8.8.8 1.1.1.1 
 excluded-address 10.255.253.1 10.255.253.99
 lease 0 1 0
 network 10.255.253.0 255.255.255.0
 static-mac-ip-mapping 10.255.253.100 0011.2233.4455
 static-mac-ip-mapping 10.255.253.251 0011.2233.4455
 static-mac-ip-mapping 10.255.253.253 0011.2233.4455
 deploy
!
!
ip dhcp-server pool printers
 dhcp-default-router 192.168.201.1 
 excluded-address 192.168.201.1 192.168.201.2
 excluded-address 192.168.201.4 192.168.201.255
 lease 1 0 0
 network 192.168.201.0 255.255.255.0
 static-mac-ip-mapping 192.168.201.3 0011.2233.4455
 deploy
!
!
ip dhcp-server pool users
 dhcp-default-router 192.168.101.1 
 dns-server 192.168.200.5 
 excluded-address 192.168.101.1 192.168.101.99
 lease 0 1 0
 network 192.168.101.0 255.255.255.0
 deploy
I don't see any reason your devices should be having an issue here. Any chance you're making use of ACLs? Here's my "guest network" ACL:
Code:
interface ve 400
 ip access-group 104 in 
 ip address 172.20.20.1 255.255.255.0
!
access-list 104 deny ip any 192.168.0.0 0.0.255.255 
access-list 104 permit ip any 172.20.20.0 0.0.0.255 
access-list 104 permit udp any eq bootpc any eq bootps
access-list 104 deny ip any 172.16.0.0 0.15.255.255 
access-list 104 deny ip any 10.0.0.0 0.255.255.255 
access-list 104 permit icmp any 192.168.0.0 0.0.255.255 echo-reply 
access-list 104 deny icmp any 192.168.0.0 0.0.255.255 
access-list 104 permit icmp any 172.20.20.0 0.0.0.255 
access-list 104 deny icmp any 172.16.0.0 0.15.255.255 
access-list 104 deny icmp any 10.0.0.0 0.255.255.255 
access-list 104 permit ip any any 
access-list 104 permit icmp any any
In particular, DHCP's DISCOVER is from 0.0.0.0:bootpc to 255.255.255.255:bootps, which is why the extra UDP rule has to be included.

To investigate your problem more, I'd suggest you mirror the traffic on that VE to somewhere that you can do a packet capture or tcpdump. Your bindings say that the router thinks the address is assigned - why doesn't the NVR know?
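A first-match evaluator for the ACL above, as an added example (not from the thread). It parses the access-list 104 lines as posted (any, host, address plus wildcard mask, eq port, a trailing ICMP type) and evaluates a packet the way the switch does: top to bottom, first match wins, implicit deny at the end. Keywords that ACL does not use (established, log, port ranges) are outside what this example handles. It also lists entries that can never match because an earlier, broader entry always matches first; indexes are zero-based.

```python
"""First-match evaluation of an ICX numbered extended ACL.
Added example, not from the thread. Handles the syntax used in the posted
access-list 104: any / host A.B.C.D / A.B.C.D WILDCARD, 'eq <port>', and a
trailing ICMP type. Other ACL keywords are not handled here."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"bootps": 67, "bootpc": 68, "dns": 53}  # only the names needed here
ANY = (0, 0xFFFFFFFF)  # (network, wildcard); 1 bits in the wildcard mean "don't care"
Entry = namedtuple("Entry", "action proto src sport dst dport icmp_type text")

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok, i):
    """'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tok[i] -> ((net, wild), next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def _port(tok, i):
    """Optional 'eq <name|number>' at tok[i] -> (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i

def parse_acl(text):
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        icmp_type = tok[i] if proto == "icmp" and i < len(tok) else None
        entries.append(Entry(action, proto, src, sport, dst, dport, icmp_type, " ".join(tok)))
    return entries

def _in_range(addr, rng):
    net, wild = rng
    return ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0

def matches(e, pkt):
    """pkt: {'proto', 'src', 'dst'} plus 'sport'/'dport' for tcp/udp or 'icmp_type' for icmp."""
    return (e.proto in ("ip", pkt["proto"])
            and _in_range(_ip(pkt["src"]), e.src) and _in_range(_ip(pkt["dst"]), e.dst)
            and e.sport in (None, pkt.get("sport")) and e.dport in (None, pkt.get("dport"))
            and e.icmp_type in (None, pkt.get("icmp_type")))

def evaluate(entries, pkt):
    """(index, action) of the first matching entry, or (None, 'deny') for the implicit deny."""
    for idx, e in enumerate(entries):
        if matches(e, pkt):
            return idx, e.action
    return None, "deny"

def _covers(a, b):
    """True when wildcard range a contains every address in range b."""
    return (b[1] & ~a[1]) == 0 and ((a[0] ^ b[0]) & ~a[1] & 0xFFFFFFFF) == 0

def shadowed(entries):
    """[(j, i)]: entry j can never match because the earlier entry i matches everything j would."""
    out = []
    for j, ej in enumerate(entries):
        for i, ei in enumerate(entries[:j]):
            if (ei.proto in ("ip", ej.proto) and _covers(ei.src, ej.src) and _covers(ei.dst, ej.dst)
                    and ei.sport in (None, ej.sport) and ei.dport in (None, ej.dport)
                    and ei.icmp_type in (None, ej.icmp_type)):
                out.append((j, i))
                break
    return out

# The guest-network ACL posted above, as text.
ACL_104 = """\
access-list 104 deny ip any 192.168.0.0 0.0.255.255
access-list 104 permit ip any 172.20.20.0 0.0.0.255
access-list 104 permit udp any eq bootpc any eq bootps
access-list 104 deny ip any 172.16.0.0 0.15.255.255
access-list 104 deny ip any 10.0.0.0 0.255.255.255
access-list 104 permit icmp any 192.168.0.0 0.0.255.255 echo-reply
access-list 104 deny icmp any 192.168.0.0 0.0.255.255
access-list 104 permit icmp any 172.20.20.0 0.0.0.255
access-list 104 deny icmp any 172.16.0.0 0.15.255.255
access-list 104 deny icmp any 10.0.0.0 0.255.255.255
access-list 104 permit ip any any
access-list 104 permit icmp any any
"""
# A DHCP DISCOVER as it arrives inbound on the guest VE: 0.0.0.0:68 -> 255.255.255.255:67.
DISCOVER = {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255", "sport": 68, "dport": 67}

if __name__ == "__main__":
    acl = parse_acl(ACL_104)
    idx, action = evaluate(acl, DISCOVER)
    print(f"DISCOVER -> {action} by entry {idx}: {acl[idx].text}")
    for j, i in shadowed(acl):
        print(f"entry {j} ({acl[j].text}) is unreachable: entry {i} matches first")
```

Run on the posted ACL, the DISCOVER lands on entry 2, the bootpc/bootps line. The shadow check also reports entries 5 through 9 and 11 as unreachable: ip covers icmp, so the earlier deny/permit ip entries for 192.168.0.0/16, 172.20.20.0/24, 172.16.0.0/12 and 10.0.0.0/8 match first, and the echo-reply exception on entry 5 never takes effect. That is worth knowing before editing an ACL whose intent leans on those later lines.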
 

ManoftheSea

Member
Apr 18, 2023
41
16
8
Code:
OpenSSH_8.9p1 Ubuntu-3ubuntu0.4, OpenSSL 3.0.2 15 Mar 2022
...
debug1: Authentications that can continue: publickey
...
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
...
debug1: Server accepts key: /home/serveradmin/.ssh/id_rsa_legacy RSA SHA256:UGYFYar2T1b6PgREJa+bk+X93bspta6XEsQlqbIM568 explicit
debug3: sign_and_send_pubkey: using publickey with RSA SHA256:UGYFYar2T1b6PgREJa+bk+X93bspta6XEsQlqbIM568
debug3: sign_and_send_pubkey: signing using ssh-rsa SHA256:UGYFYar2T1b6PgREJa+bk+X93bspta6XEsQlqbIM568
...
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
root@192.168.2.2: Permission denied (publickey).
This looks like it's not asking for your password at all. Does the ICX6610 allow publickey auth, anyway?
EDIT: I found documentation on it:
"copy tftp flash 10.168.1.234 pkeys.txt ssh-pub-key-file"
EDIT 2:
"enable" and "configure terminal", then "ip ssh pub-key-file tftp 192.168.2.138 public-key.txt"
as well as enabling pubkey in the "ip ssh" options. It looks like our 08.0.30 devices only allow RSA and DSA.


My ssh_config for challenge-response (username/password):
Code:
Host ICX6450*
  User root
  KexAlgorithms=+diffie-hellman-group1-sha1
  HostKeyAlgorithms=+ssh-rsa
  PreferredAuthentications keyboard-interactive
 

Spindle2274

New Member
Dec 1, 2023
4
0
1
"copy tftp flash 10.168.1.234 pkeys.txt ssh-pub-key-file"
Slight typo in that command, here is what I have: ip ssh pub-key-file tftp 192.168.2.138 public-key.txt

In my case, it says the password is wrong every time I enter it, even after copying your ssh config.
 

ManoftheSea

Member
Apr 18, 2023
41
16
8
Yep, I was looking at a 09.0.0 document. Here's the 08.0.60 (which is too new, but seems to mostly work)

For others following along, the document says only RSA and DSA. So the key is generated with
"ssh-keygen -t rsa -b 2048 -f output-filename"
and the ssh-pubkey-file for the router is generated with
"ssh-keygen -e -f id_rsa_keyname"

Should result in something like
Code:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by ManoftheSea@myhost from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAABAQCvCeoQ7nLkwnpSt41S3dnGpB/p5cO6dV1m22lzW8
01NWi2Z4AZZ9LrwV3Cixyfcy4VwPyKP2UjNE/qXP5qLTexCEbTPKyC1wgX2lGieqApQ5Qq
+RvQMS+fGvviwrx0XQyYG5o/IqZwvKhNyht1rAMMHBn9phBvyvj+bkqNj125LU4E/lnf39
RuNOY/H59Q9GPiy72YvYB/Fcrujnd2RssiijE6UEjDTzRAMZCeEVi+qJUhlSrUWpVwykWu
L1Lj06O6/xu1blHNYkH5iHYvMEt5Rw5vP1UA0OXkszRZR3eO+0bzfaRpLVgLveZ/x5RtQA
ipBezCNtncltK2q92Ibkbr
---- END SSH2 PUBLIC KEY ----
Spindle, the verbose logs you posted don't show an attempt to use a password at all. To eliminate assumptions, you're typing the root password for the ICX device, not the password for your public key, right?

Furthermore, after uploading the key above, I did this, and have working pubkey auth:
Code:
Host ICX6450*
  User root
  IdentityFile=~/.ssh/id_rsa_ICX6450
  KexAlgorithms=+diffie-hellman-group1-sha1
  PubkeyAcceptedKeyTypes=+ssh-rsa
  HostKeyAlgorithms=+ssh-rsa
  #PreferredAuthentications keyboard-interactive
  PreferredAuthentications publickey
Additionally, my debug log:
Code:
...
debug1: Offering public key: /home/ManoftheSea/.ssh/id_rsa_ICX6450 RSA SHA256:su29sKf2JaYJlwmymkInj837y4vWDlrRTS4aqQS9BQQ explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /home/derek/.ssh/id_rsa_ICX6450 RSA SHA256:su29sKf2JaYJlwmymkInj837y4vWDlrRTS4aqQS9BQQ explicit
debug3: sign_and_send_pubkey: using publickey with RSA SHA256:su29sKf2JaYJlwmymkInj837y4vWDlrRTS4aqQS9BQQ
debug3: sign_and_send_pubkey: signing using ssh-rsa SHA256:su29sKf2JaYJlwmymkInj837y4vWDlrRTS4aqQS9BQQ
debug3: send packet: type 50
debug3: receive packet: type 52
Authenticated to fe80::1%wlp166s0 ([fe80::1%wlp166s0]:22) using "publickey".
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Entering interactive session.
...
 
Reactions: jode
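A small converter and inspector for the key file the switch takes, as an added example (not from the thread). ssh-keygen -e already does the conversion; this shows what is inside that file and lets you confirm, before uploading, that the key is of a type the ICX accepts (RSA or DSA, per the posts above) and how large it is. The sample input is the RFC 4716 block ManoftheSea posted. The ICX_KEY_TYPES set and the "accepted" flag are this example's assumption about the switch, drawn from the thread rather than from Ruckus documentation.

```python
"""Convert and inspect SSH public keys for the ICX 'ip ssh pub-key-file' upload.
Added example, not from the thread. Converts between the OpenSSH one-line form
and the RFC 4716 block that 'ssh-keygen -e' prints, and decodes the key blob
(SSH wire format: length-prefixed type string, then length-prefixed mpints)
to report the type and size before the file goes to the switch."""
import base64
import struct

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"
ICX_KEY_TYPES = {"ssh-rsa", "ssh-dss"}  # RSA and DSA only, per the thread (assumption)

def _read_string(blob, off):
    """One SSH 'string': 4-byte big-endian length, then that many bytes."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def decode_blob(blob):
    """(key_type, public_exponent_or_None, size_in_bits_or_None) from a raw public-key blob."""
    ktype, off = _read_string(blob, 0)
    ktype = ktype.decode("ascii")
    if ktype == "ssh-rsa":  # "ssh-rsa", mpint e, mpint n
        e, off = _read_string(blob, off)
        n, _ = _read_string(blob, off)
        return ktype, int.from_bytes(e, "big"), int.from_bytes(n, "big").bit_length()
    if ktype == "ssh-dss":  # "ssh-dss", mpint p, q, g, y; the size of p is the key size
        p, _ = _read_string(blob, off)
        return ktype, None, int.from_bytes(p, "big").bit_length()
    return ktype, None, None

def from_rfc4716(text):
    """RFC 4716 block -> OpenSSH one-line form 'ssh-rsa <base64> <comment>'."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an RFC 4716 public key block")
    body, comment = "", ""
    for line in lines[1:-1]:
        if ":" in line:  # header line; base64 never contains ':'
            name, value = line.split(":", 1)
            if name.strip() == "Comment":
                comment = value.strip().strip('"')
        else:
            body += line
    ktype, _, _ = decode_blob(base64.b64decode(body, validate=True))
    return f"{ktype} {body} {comment}".rstrip()

def to_rfc4716(openssh_line):
    """OpenSSH one-line form -> RFC 4716 block with the base64 wrapped at 70 columns."""
    parts = openssh_line.split(None, 2)
    body = parts[1]
    out = [BEGIN]
    if len(parts) == 3:
        out.append(f'Comment: "{parts[2]}"')
    out += [body[i:i + 70] for i in range(0, len(body), 70)]
    out.append(END)
    return "\n".join(out)

def inspect_key(openssh_line):
    """(key_type, e, bits, accepted_by_icx) for an OpenSSH one-line public key."""
    ktype, e, bits = decode_blob(base64.b64decode(openssh_line.split(None, 2)[1], validate=True))
    return ktype, e, bits, ktype in ICX_KEY_TYPES

# The 2048-bit RSA key ManoftheSea posted above, used here as sample input.
SAMPLE_RFC4716 = """\
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by ManoftheSea@myhost from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAABAQCvCeoQ7nLkwnpSt41S3dnGpB/p5cO6dV1m22lzW8
01NWi2Z4AZZ9LrwV3Cixyfcy4VwPyKP2UjNE/qXP5qLTexCEbTPKyC1wgX2lGieqApQ5Qq
+RvQMS+fGvviwrx0XQyYG5o/IqZwvKhNyht1rAMMHBn9phBvyvj+bkqNj125LU4E/lnf39
RuNOY/H59Q9GPiy72YvYB/Fcrujnd2RssiijE6UEjDTzRAMZCeEVi+qJUhlSrUWpVwykWu
L1Lj06O6/xu1blHNYkH5iHYvMEt5Rw5vP1UA0OXkszRZR3eO+0bzfaRpLVgLveZ/x5RtQA
ipBezCNtncltK2q92Ibkbr
---- END SSH2 PUBLIC KEY ----
"""

if __name__ == "__main__":
    line = from_rfc4716(SAMPLE_RFC4716)
    print(inspect_key(line))
    print(to_rfc4716(line))
```

The size is read from the modulus itself rather than trusted from the Comment header, which is free text. When a login fails the way Spindle2274's does, it also helps to compare the SHA256 fingerprint ssh -v prints ("Server accepts key: ... SHA256:...") with ssh-keygen -lf on the file you actually uploaded; if they differ, the switch holds a different key than the one you are offering.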

Spindle2274

New Member
Dec 1, 2023
4
0
1
Thanks for the suggestions.

My key:

Code:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by ****"
AAAAB3NzaC1yc2EAAAADAQABAAABAQChRXoZFYD+ayUdc8jKwKiL6ECNdC0vCky1CSKW0l
GUUZJIt/J/r14rSBXcefBz5P9Bxu5zK4Isf2D0nlQg+lLjO60ytOhATu/aCw1vR0Nu4r4o
wPeNjbTc5af8O7HtkrT+H/efKO1LOeWFQR7xyaFRy+XGa8dg9QAJXnQrS92MKe0o6kodpi
3PWaU5pfHd2LQQaG165tQLwOr2hQ4vArP4YbIgpRXSM6R+ZLIRSnEEDsDk4hBmsZeSfEPg
Zu7yn+biaKTiYeTl9AyXoUO7bP4AQ6ZH+iV68v78tDFt9jpcldSmHbUiGwCbviUsoucufv
Bdp8w5Xce2ebFquZCXf2MN
---- END SSH2 PUBLIC KEY ----
~/.ssh/config:


Code:
StrictHostKeyChecking no
Host 192.168.2.2
  User root
  IdentityFile=~/.ssh/id_rsa_legacy
  KexAlgorithms=+diffie-hellman-group1-sha1
  PubkeyAcceptedKeyTypes=+ssh-rsa
  HostKeyAlgorithms=+ssh-rsa
  #PreferredAuthentications keyboard-interactive
  PreferredAuthentications publickey
root@192.168.2.2: Permission denied (publickey)

:(
 

ManoftheSea

Member
Apr 18, 2023
41
16
8
Well, I can only help you eliminate assumptions...
Does "show ip client-pub-key" agree with your key? does "show ip ssh config" agree that Public-key is an authentication method? Does "ssh -vvv switch-host" show that you're not offering multiple keys before the one you want?