
Ruckus Enterprise Campus Network


ENTERPRISE CAMPUS NETWORKING

Ruckus ICX vs Cisco IOS CLI comparison


ICX Campus Switches
January 2018
Ruckus Networks
Cisco CLI comparison

Jan 2018

LEGAL DISCLAIMER
Product features, functionality and specifications may change or be discontinued without notice. Nothing
in this document shall be deemed to create a warranty of any kind, either express or implied, statutory or
otherwise, including but not limited to, any implied warranties of merchantability, fitness for a particular
purpose, non-infringement of third-party rights or availability with respect to any products and services.
Refer to www.ruckuswireless.com for the latest version of this document. Notice: This document is for
informational purposes only and does not set forth any warranty, expressed or implied, concerning any
equipment, equipment feature, or service offered or to be offered by Ruckus. Ruckus reserves the right
to make changes to this document at any time, without notice, and assumes no responsibility for its use.
This informational document describes features that may not be currently available. Contact a Ruckus
sales office for information on feature and product availability. Export of technical data contained in this
document may require an export license from the United States government.

Copyright © 2017, Ruckus Wireless, Inc. All rights reserved. Ruckus Wireless and Ruckus Wireless design are registered in the U.S.
Patent and Trademark Office. Ruckus Wireless, the Ruckus Wireless logo, BeamFlex, ZoneFlex, MediaFlex, FlexMaster, ZoneDirector,
SpeedFlex, SmartCast, SmartCell, ChannelFly and Dynamic PSK are trademarks of Ruckus Wireless, Inc. in the United States and
other countries. All other trademarks mentioned in this document or website are the property of their respective owners. 17-8-B

Ruckus Wireless, Inc. | 350 West Java Drive | Sunnyvale, CA 94089 USA | T: (650) 265-4200 | F: (408) 738-2065
ruckuswireless.com


Contents
LEGAL DISCLAIMER
Introduction
Managing Access
Telnet Server
Password Encryption
SSH
SNMP
File System
TFTP Backup
Configuration Files
Saving Configuration Files
Delayed Reload
VLAN
Membership Wrappers
VLAN Management (Access, Trunk, and Native VLAN)
VoIP Support with Voice VLAN: PC Connected to Phone and Phone to ICX Switch
Cisco VoIP devices
Management VLAN
Spanning Tree Protocol (STP)
Spanning Tree Configuration
RPVST/RPVST+ and Spanning Tree Port Fast
MSTP
BPDU Guard
Root Guard
Discovery Protocols LLDP, CDP, and FDP
Cisco Discovery Protocol (CDP)
Link Layer Discovery Protocol (LLDP)
Foundry Discovery Protocol (FDP)
Link Aggregation: LACP and LAG
Power over Ethernet (PoE)
Quality of Service (QoS)
FCX and ICX devices
Traffic Policing
Configuring ACL-based fixed rate limiting
Configuring ACL-based Adaptive rate limiting
ACL
Rate Limiting
Security
Flexible Authentication
Conclusion


Introduction
This guide explains the terminology and concepts associated with integrating or migrating from Cisco to Ruckus
campus solutions. It also discusses the compatibility between Ruckus and Cisco product portfolios from a
configuration and management perspective. This guide compares the Ruckus CLI with the Cisco CLI for the ICX
7150, ICX 7250, ICX 7450, and ICX 7750 switches running FastIron 8.0.70 software. Some of the data in this
document have been collected from previous Cisco CLI comparison documents.

Managing Access
Telnet Server
On both Ruckus switches and routers, the Telnet server is enabled by default. Like the system password, the Telnet
password has no default value. On Cisco devices the Telnet server must be enabled through a VTY line.

Ruckus devices have no default password. The password may be configured with the enable telnet password
<password> command. On Cisco devices, Telnet is disabled by default and requires the configuration of VTY lines
and an enable password.

Cisco IOS:

    Cisco(config)# line vty 0 15
    Cisco(config-line)# password letmein
    Cisco(config-line)# login
    SW1(config-if)# no shut

Ruckus ICX:

    Ruckus(config)# telnet server
    Ruckus(config)# enable telnet password letmein

Password Encryption
On Ruckus Layer 3 switches, all passwords are encrypted in the running-config and startup-config files by default.
Encryption can be disabled with the no service password-encryption command. On Cisco devices, all passwords are
encrypted by default.

SSH
Secure Shell (SSH v2) access is available, but disabled by default on both Ruckus and Cisco switches and routers.

SNMP
By default, Ruckus switches and routers support SNMP v1/v2c read-only access with a community string of “public”.
Read-write access is only permitted when an RW community string is manually configured. Ruckus supports SNMP
versions 1, 2c and 3. The status of SNMP access on Cisco devices is platform specific. SNMP read-only access is
enabled by default, and the RO community string is “cisco”.

File System
Ruckus devices do not contain a FAT file system for managing files. The flash on a Ruckus switch/router is divided
primarily into 4 locations:

• Primary image location – This is the default image location for booting the switch
• Secondary image location – This is the default image location for booting the switch
• Boot image location – This area of flash is where the bootstrap code is located
• Startup-config – Similar to Cisco, this is where the operational configuration of the switch/router is saved so
the configuration can be restored after reboot.

Cisco layer 3 switches use IOS File System (IFS), a DOS-type file system for managing files.

TFTP Backup
The commands for transferring files to/from an external TFTP server are very similar between Ruckus and Cisco.
The difference is based on the fact that there is no FAT file system on Ruckus switches and routers.

Copying an image file from a TFTP server to the flash:

Cisco IOS:

    Cisco# copy tftp flash 192.22.33.4 test.image test.img

Ruckus ICX:

    Ruckus# copy tftp flash 192.22.33.4 test.img secondary

Copying an image from flash to a TFTP server:

Cisco IOS:

    Cisco# copy flash tftp test.img 192.22.33.4 test.image test.img

Ruckus ICX:

    Ruckus# copy flash tftp 192.22.33.4 test.img secondary

Configuration Files
Both Ruckus and Cisco use the startup-config and running-config operation. The startup-config is the file
referenced when the system boots. The running-config contains the current operation parameters of the
switch/router. In order to maintain the current configuration across reboots, the contents of the running-config
must be copied to the startup-config file.

Saving Configuration Files


The write memory command on a Ruckus switch/router copies the contents of the running-config to the startup-
config file in flash. This command may be executed at any level, including configuration mode.

Cisco offers two ways of saving the current configuration:


• Write memory – This command works identically to the Ruckus equivalent. However, on a Cisco switch/router using
IOS 12.2 or earlier, this command can only be run from privileged (or enabled) mode.
• Copy running-config startup-config – This command is equivalent to the write memory command and has the
same restriction on its usage.

Delayed Reload
Both Ruckus and Cisco support the ability to delay a switch reload. Ruckus accomplishes this with the reload after
<dd:hh:mm> command. On a Cisco switch you can delay a reload with the reload at <hh:mm> [month day]
command.

VLAN
This section compares the commands that are used to configure VLANs.


Membership Wrappers
In a Cisco configuration, the VLANs follow the interface hierarchy in the parser chain and preprocessing
configuration. In a Ruckus configuration, the interface follows the VLAN hierarchy for port-based VLANs. Thus, the
Ruckus device must create the VLAN configuration first, and tie it to interfaces for Layer 2 and Layer 3 processing.
On all Ruckus devices, you can configure port-based VLANs. A port-based VLAN is a subset of ports on a Ruckus
device that constitutes a Layer 2 broadcast domain. By default, all the ports on a Ruckus device are members of
the default VLAN. Thus, all the ports on the device constitute a single Layer 2 broadcast domain. When you
configure a port-based VLAN, the device automatically removes the ports from the default VLAN and adds them
to the VLAN. You can configure multiple port-based VLANs. You can configure up to 4094 port-based VLANs on a
Layer 2 switch or Layer 3 switch. On both device types, valid VLAN IDs are 1 through 4095. You can configure up
to the maximum number of VLANs within that ID range. VLAN membership configuration can be created easily
using wrappers and interface range commands on the Cisco switch. The Ruckus switch also supports VLAN
wrappers, multi-range VLANs, and the interface range command.

Ruckus VLAN wrappers may be configured in the following ways:

• Single command support to add or remove an interface to all VLANs in the system

    Ruckus(config-lag-Ruckus)# interface e 1/1/1
    Ruckus(config-if-e10000-1/1/1)# vlan-config add all-tagged
    Ruckus(config-if-e10000-1/1/1)# vlan-config remove all-tagged

• Single command support to move an untagged port from one VLAN to another VLAN

    Ruckus(config-lag-Ruckus)# interface e 1/1/1
    Ruckus(config-if-e10000-1/1/1)# vlan-config move untagged 100

• Single command support to selectively add and delete VLANs at FastIron 08.0.70 and beyond

    Ruckus(config)# interface e 1/1/1
    Ruckus(config-if-e10000-1/1/1)# vlan-config add tagged-vlan 101
    Ruckus(config-if-e10000-1/1/1)# vlan-config add tagged-vlan 102 113
    Ruckus(config-if-e10000-1/1/1)# vlan-config add tagged-vlan 1001 to 1005
    Ruckus(config-if-e10000-1/1/1)# vlan-config remove vlan 107 108 109 110

Note: Multi-range VLANs allow users to use a single command to create and configure
multiple VLANs. These VLANs can be continuous, for example, from 2 to 7, or discontinuous,
for example, 2 4 7.

Cisco IOS:

    Cisco(config)# interface range gigabitEthernet1/1/1 - 4
    Cisco(config-if-range)# switchport mode access
    Cisco(config-if-range)# switchport access vlan 10
    Cisco(config-if-range)# switchport port-security
    Cisco(config-if-range)# switchport port-security violation restrict
    Cisco# show running-config interface gigabitEthernet 1/1/1
    Building configuration...
    Current configuration : 160 bytes
    !
    interface GigabitEthernet1/1/1
    switchport access vlan 10
    switchport mode access
    switchport port-security violation restrict
    switchport port-security
    end
    Cisco(config)# interface gigabitEthernet 1/0/1
    Cisco(config-if)# switchport mode trunk
    Cisco(config-if)# switchport trunk allowed vlan 10
    Cisco(config-if)# switchport trunk allowed vlan add 20
    Cisco(config-if)# switchport trunk allowed vlan add 30

    Cisco# show running-config interface gigabitEthernet 1/0/1
    Building configuration...
    Current configuration : 101 bytes
    !
    interface GigabitEthernet1/0/1
    switchport trunk allowed vlan 10,20,30
    switchport mode trunk
    end

Ruckus ICX:

    Ruckus(config-vlan-10)# untagged ethernet 1/1/1 to 1/1/4
    Added untagged port(s) ethe 1/1/1 to 1/1/4 to port-vlan 10
    Ruckus(config)# interface Ethernet 1/1/1 to 1/1/4
    Ruckus(config-mif-1/1/1-1/1/4)# port security
    Ruckus(config-port-securitymif-1/1/1-1/1/4)# violation restrict
    Ruckus(config-port-securitymif-1/1/1-1/1/4)# end

    Ruckus# show running-config interface ethernet 1/1/1
    interface ethernet 1/1/1
    port security
    violation restrict

    Ruckus(config)# vlan 10 20 30
    Ruckus(config-mvlan-10*30)# tagged ethernet 1/1/5
    Added tagged port(s) ethe 1/1/5 to port-vlan 10
    Added tagged port(s) ethe 1/1/5 to port-vlan 20
    Added tagged port(s) ethe 1/1/5 to port-vlan 30

Cisco IOS:

    Cisco(config)# interface gigabitEthernet 1/0/4
    Cisco(config-if)# switchport mode trunk
    Cisco(config-if)# switchport trunk allowed vlan 101
    Cisco(config-if)# switchport trunk allowed vlan add 102-105
    Cisco(config-if)# switchport trunk allowed vlan add 1001-1005
    Cisco(config-if)# switchport trunk allowed vlan remove 1001-1003

    Cisco# show running-config interface gigabitEthernet 1/0/1
    Building configuration...
    Current configuration : 101 bytes
    !
    interface GigabitEthernet1/0/1
    switchport trunk allowed vlan 101-105, 1004, 1005
    switchport mode trunk
    end

Ruckus ICX:

    Ruckus(config)# interface ethernet 1/1/4
    Ruckus(config-if-e1000-1/1/4)# vlan-config add all-tagged

    INFO: Command may take approximately 1 Seconds

    Ruckus(config-if-e1000-1/1/4)#
    VLAN : [1005]
    Port(s) ethe 1/1/4 add to 10 vlan(s) complete.....
    Ruckus(config-if-e1000-1/1/4)#
    VLAN : [1003]
    Port(s) ethe 1/1/4 add to 2 vlan(s) complete.....
    Ruckus(config-if-e1000-1/1/4)# vlan-config remove vlan 1001 to 1003
    Port(s) ethe 1/1/4 removed from VLANs 1001 to 1003

    Ruckus# show vlan brief ethernet 1/1/4
    Port 1/1/4 is a member of 7 VLANs
    VLANs 101 to 105 1004 to 1005
    Untagged VLAN : 1
    Tagged VLANs : 101 to 105 1004 to 1005

VLAN Management (Access, Trunk, and Native VLAN)


This section compares the commands that are used to configure VLANs, trunks, and native and tagged VLANs. In
Cisco IOS, the term trunk refers to an interface that you configure to support 802.1Q VLAN tagged frames. That
is, an interface that you configure to support multiple VLANs is a trunk interface in each VLAN in Cisco. In Ruckus
ICX, an interface that supports multiple VLANs is a tagged interface in each VLAN.

Interface Use | Cisco IOS | Ruckus ICX
Non-802.1Q interfaces (such as used for computers) | Access | Untagged
802.1Q interfaces (such as used for switch-to-switch, switch-to-server, and switch-to-VoIP phones) | Trunk | Tagged
Specify a native VLAN for untagged 802.1Q frames on a trunk port | Native VLAN | Dual mode

Cisco IOS:

    Cisco(config)# vlan 220
    Cisco(config-vlan)# name test

Ruckus ICX:

    Ruckus(config)# vlan 220 name test

Cisco IOS (Trunk):

    Cisco(config)# interface g1/0/6
    Cisco(config-if)# switchport trunk encapsulation dot1q
    Cisco(config-if)# switchport trunk allowed vlan 220
    Cisco(config-if)# switchport mode trunk
    Cisco(config-if)# switchport nonegotiate
    Cisco(config)# interface g1/0/4
    Cisco(config-if)# switchport
    Cisco(config-if)# switchport access vlan 220
    Cisco(config-if)# switchport mode access
    Cisco# show vlan id 220

Ruckus ICX (Tagged):

    Ruckus(config-vlan-220)# tagged ethernet 1/1/1
    Ruckus(config-vlan-220)# untagged ethernet 1/1/2
    Ruckus# show run vlan 220

Cisco IOS (Trunk and Native on one port):

    Cisco(config)# interface g1/0/6
    Cisco(config-if)# switchport trunk encapsulation dot1q
    Cisco(config-if)# switchport trunk allowed vlan 220
    Cisco(config-if)# switchport mode trunk
    Cisco(config-if)# switchport nonegotiate
    Cisco(config-if)# switchport trunk native vlan 200

NOTE: Native VLAN 200 specifies a native VLAN for untagged 802.1Q frames.

    Cisco# show interfaces gigabitEthernet 1/0/6 switchport
    Name: Gi1/0/19
    Switchport: Enabled
    Administrative Mode: trunk
    Operational Mode: down
    Administrative Trunking Encapsulation: dot1q
    Negotiation of Trunking: On
    Access Mode VLAN: 1 (default)
    Trunking Native Mode VLAN: 200 (VLAN0200)
    Administrative Native VLAN tagging: enabled
    Voice VLAN: none
    Administrative private-vlan host-association: none
    Administrative private-vlan mapping: none
    Administrative private-vlan trunk native VLAN: none
    Administrative private-vlan trunk Native VLAN tagging: enabled
    Administrative private-vlan trunk encapsulation: dot1q
    Administrative private-vlan trunk normal VLANs: none
    Administrative private-vlan trunk associations: none
    Administrative private-vlan trunk mappings: none
    Operational private-vlan: none
    Trunking VLANs Enabled: 220
    Pruning VLANs Enabled: 2-1001
    Capture Mode Disabled
    Capture VLANs Allowed: ALL
    Protected: false
    Unknown unicast blocked: disabled
    Unknown multicast blocked:

    Cisco# show vlan id 220
    !
    lldp run
    !!
    interface GigabitEthernet1/0/4
    switchport access vlan 200
    switchport mode access
    !
    interface GigabitEthernet1/0/6
    switchport trunk native vlan 200
    switchport trunk allowed vlan 200,220
    switchport mode trunk
    switchport nonegotiate
    !

Ruckus ICX (Tagged and untagged on one port):

    Ruckus(config-vlan-220)# tagged ethernet 1/1/6
    Ruckus(config-vlan-200)# tagged ethernet 1/1/6
    Ruckus(config)# interface ethernet 1/1/6
    Ruckus(config-if-e1000-1/1/6)# dual-mode 200

NOTE: Dual mode specifies a native VLAN for untagged 802.1Q frames.
NOTE: The dual-mode command without a VLAN specifies the default VLAN ID.

    Ruckus(config-if-e1000-1/1/6)# show vlan 200
    Total PORT-VLAN entries: 3
    Maximum PORT-VLAN entries: 64
    Legend: [Stk=Stack-Id, S=Slot]
    PORT-VLAN 200, Name [None], Priority level0, Spanning tree Off
    Untagged Ports: None
    Tagged Ports: None
    Uplink Ports: None
    DualMode Ports: (U1/M1) 6
    Mac-Vlan Ports: None
    Monitoring: Disabled1/1/2

    Ruckus# show interfaces ethernet 1/1/6
    GigabitEthernet1/1/6 is down, line protocol is down
    Port down for 14 minute(s) 1 second(s)
    Hardware is GigabitEthernet, address is 609c.9fab.cd5d (bia 609c.9fab.cd5d)
    Configured speed auto, actual unknown, configured duplex fdx, actual unknown
    Configured mdi mode AUTO, actual unknown
    EEE Feature Disabled
    Member of 2 L2 VLANs, port is dual mode in Vlan 200, port state is BLOCKING
    BPDU guard is Disabled, ROOT protect is Disabled, Designated protect is Disabled
    Link Error Dampening is Disabled
    STP configured to ON, priority is level0, maclearning is enabled
    Openflow is Disabled, Openflow Hybrid mode is Disabled, Flow Control is config enabled, oper enabled, negotiation disabled
    Mirror disabled, Monitor disabled
    Mac-notification is disabled
    Not member of any active trunks
    Not member of any configured trunks
    No port name
    IPG MII 0 bits-time, IPG GMII 0 bits-time
    MTU 1500 bytes, encapsulation ethernet
    300 second input rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
    300 second output rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 multicasts, 0 unicasts
    0 input errors, 0 CRC, 0 frame, 0 ignored
    0 runts, 0 giants
    0 packets output, 0 bytes, 0 underruns
    Transmitted 0 broadcasts, 0 multicasts, 0 unicasts
    0 output errors, 0 collisions
    Relay Agent Information option: Disabled
    UC Egress queues:
    Queue counters    Queued packets    Dropped Packets
    0                 0                 0
    1                 0                 0
    2                 0                 0
    3                 0                 0
    4                 0                 0
    5                 0                 0
    6                 0                 0
    7                 0                 0
    MC Egress queues:
    Queue counters    Queued packets    Dropped Packets
    0                 0                 0
    1                 0                 0
    2                 0                 0
    3                 0                 0

    Ruckus# show vlan 220
    !
    cdp run
    fdp run
    !
    !
    lldp run
    !
    !!
    vlan 1 name DEFAULT-VLAN by port
    !
    vlan 200 by port
    tagged ethe 1/1/6
    !
    !
    vlan 220 by port
    untagged ethe 1/1/1
    !
    interface ethernet 1/1/6
    dual-mode 200
    inline power
    !
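
The trunk, native VLAN and access mappings in the tables above, as an added example that is not part of the Ruckus guide: a Python translator that replays one Cisco interface's switchport lines and emits the interface-level vlan-config and dual-mode commands this guide shows, then re-expands them so the tagged VLAN set can be compared with the Cisco allowed list before cut-over. The function names, the sample stanzas (constructed from the guide's tables) and the Cisco-to-Ruckus port pairing are assumptions, and the target VLANs are assumed to exist already on the ICX.

```python
import re

MAX_VLAN_ID = 4095  # upper bound of valid VLAN IDs as stated in the guide
PROMPT = re.compile(r"^\S+\(config-if[^)]*\)#\s*")  # e.g. "Cisco(config-if)# "


def parse_vlan_list(spec):
    """Expand a Cisco VLAN list such as '101-105,1004,1005' into a set of IDs."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= MAX_VLAN_ID:
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def cisco_port_state(stanza):
    """Replay the switchport lines of one interface in order (add/remove are stateful)."""
    state = {"mode": None, "allowed": None, "native": None, "access": None}
    for raw in stanza.splitlines():
        line = PROMPT.sub("", raw.strip())
        m = re.fullmatch(r"switchport trunk allowed vlan (add |remove )?([\d,\- ]+)", line)
        if m:
            op, ids = m.group(1), parse_vlan_list(m.group(2))
            if op is None:
                state["allowed"] = ids
            elif state["allowed"] is None:  # list never set: IOS default is all VLANs
                if op == "remove ":
                    state["allowed"] = set(range(1, MAX_VLAN_ID + 1)) - ids
            elif op == "add ":
                state["allowed"] |= ids
            else:
                state["allowed"] -= ids
            continue
        m = re.fullmatch(r"switchport (mode|trunk native vlan|access vlan) (\S+)", line)
        if m:
            key = {"mode": "mode", "trunk native vlan": "native",
                   "access vlan": "access"}[m.group(1)]
            state[key] = m.group(2) if key == "mode" else int(m.group(2))
    return state


def to_ruckus(stanza, port):
    """Return the ICX commands for `port` (hypothetical pairing chosen by the caller)."""
    st = cisco_port_state(stanza)
    cmds = [f"interface ethernet {port}"]
    if st["mode"] == "access":
        if st["access"] is not None:
            cmds.append(f"vlan-config move untagged {st['access']}")
        return cmds
    if st["mode"] != "trunk":
        raise ValueError("stanza has no explicit 'switchport mode access|trunk'")
    if st["allowed"] is None:
        # No allowed list on the Cisco side means the trunk carries every VLAN.
        cmds.append("vlan-config add all-tagged")
    else:
        tagged = set(st["allowed"])
        if st["native"] is not None:
            tagged.add(st["native"])  # guide's example tags the port in VLAN 200 before dual-mode 200
        runs = []
        for v in sorted(tagged):  # group IDs into contiguous [first, last] runs
            if runs and v == runs[-1][1] + 1:
                runs[-1][1] = v
            else:
                runs.append([v, v])
        singles = [str(a) for a, b in runs if a == b]
        if singles:
            cmds.append("vlan-config add tagged-vlan " + " ".join(singles))
        cmds += [f"vlan-config add tagged-vlan {a} to {b}" for a, b in runs if a != b]
    if st["native"] is not None:
        cmds.append(f"dual-mode {st['native']}")
    return cmds


def tagged_from_ruckus(cmds):
    """Re-expand generated commands so the tagged set can be diffed against IOS."""
    vlans = set()
    for cmd in cmds:
        m = re.fullmatch(r"vlan-config add tagged-vlan (.+)", cmd)
        if not m:
            continue
        toks = m.group(1).split()
        if len(toks) == 3 and toks[1] == "to":
            vlans.update(range(int(toks[0]), int(toks[2]) + 1))
        else:
            vlans.update(int(t) for t in toks)
    return vlans


# Constructed sample input, modelled on the trunk tables in this guide.
SAMPLE_TRUNK = """\
Cisco(config-if)# switchport mode trunk
Cisco(config-if)# switchport trunk allowed vlan 101
Cisco(config-if)# switchport trunk allowed vlan add 102-105
Cisco(config-if)# switchport trunk allowed vlan add 1001-1005
Cisco(config-if)# switchport trunk allowed vlan remove 1001-1003
"""
SAMPLE_NATIVE = """\
switchport trunk allowed vlan 220
switchport mode trunk
switchport trunk native vlan 200
"""

if __name__ == "__main__":
    for stanza, port in ((SAMPLE_TRUNK, "1/1/4"), (SAMPLE_NATIVE, "1/1/6")):
        print("\n".join(to_ruckus(stanza, port)), end="\n\n")
```

Because the translator emits explicit VLAN IDs, the port ends up tagged only in the VLANs the Cisco trunk allowed (plus the native VLAN), whereas vlan-config add all-tagged joins it to every VLAN configured on the switch.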

VoIP Support with Voice VLAN: PC Connected to Phone and Phone to ICX Switch
When an IP phone connects to the switch, the access port (PC-to-telephone jack) of the IP phone can connect to
a PC. Packets to and from the PC and to or from the IP phone share the same physical link to the switch and the
same switch port.

ATTENTION: Voice VLAN behaves differently on Cisco and Ruckus. On the Cisco switch, the
switchport voice vlan xx command causes the switch to communicate with the phone via CDP/LLDP and ensures
packets from the IP phone are put onto the voice VLAN. The VLAN ID configures the phone to forward all voice
traffic through the specified VLAN. In Ruckus voice VLAN, the voice-vlan xx command is only for CDP. The switch
communicates with the phone via CDP and ensures packets from the IP phone are put onto the voice VLAN. The
VLAN ID configures the phone to forward all voice traffic through the specified VLAN. The LLDP-MED commands cause
LLDP-MED to advertise VLAN 10 in its Network Policy TLV to LLDP only on the IP phone.

Cisco IOS:

    !
    lldp run
    !
    interface FastEthernet1/1/1
    switchport access vlan 11
    switchport mode access
    switchport voice vlan 10
    spanning-tree portfast
    !

    Cisco# show lldp neighbors detail

Ruckus ICX:

    !
    lldp run
    fdp run
    cdp run
    !
    vlan 11
    tagged Ethernet 1/1/1
    vlan 10
    tagged Ethernet 1/1/1
    !
    interface Ethernet 1/1/1
    dual-mode 11
    voice-vlan 10
    !
    lldp med network-policy application voice tagged vlan 10 priority 6 dscp 46 ports ethe 1/1/1 to 1/1/2

    Ruckus# show fdp neighbors
    Ruckus# show lldp neighbors detail

Cisco VoIP devices


The dynamic configuration of a Cisco VoIP phone works in conjunction with the VoIP phone discovery process.
Upon installation, and sometimes periodically, a VoIP phone will query the Ruckus device for VoIP information
and will advertise information about itself, such as a device ID, port ID, and platform. When the Ruckus device
receives the VoIP phone query, it sends the voice VLAN ID in a reply packet back to the VoIP phone. The VoIP
phone then configures itself within the voice VLAN. As long as the port to which the VoIP phone is connected has
a voice VLAN ID, the phone will configure itself into that voice VLAN. If you change the voice VLAN ID, the software
will immediately send the new ID to the VoIP phone, and the VoIP phone will re-configure itself with the new voice
VLAN. The standards-based alternative to CDP is LLDP-MED, which is also supported by Ruckus FastIron.

Management VLAN
A management VLAN allows remote devices to access the switch by way of SSH, SNMP, SSL, and syslog to manage
the switch with proper access credentials. Any VLAN can be leveraged or designated to be a management VLAN.
By default, the Ruckus management IP address that is configured on a Layer 2 switch applies globally to all ports
on the device. This configuration can be modified to apply on a specific VLAN and from a specific port. On Ruckus
Layer 2 switches, the management IP address is configured globally and is accessible from any configured VLAN
by way of any in-band and out-of-band port by default. If you want to restrict the IP management address to a
specific port-based VLAN, you can make that VLAN the designated management VLAN for the device. When you
configure a VLAN to be the designated management VLAN, the management IP address you configure on the
device is associated only with the ports and the management port in the designated VLAN. To establish a
Telnet/SSH management session with the device, a user must access the device through one of the ports in the
designated management VLAN. The default gateway is under this VLAN. On Cisco Layer 2 switches, IP addresses
can be configured on any configured VLAN and are only accessible from the assigned VLAN. Additionally, Cisco
Layer 2 switches can have IP addresses assigned on all configured VLANs, but can only have one globally assigned
default gateway for routed management connectivity. On the Cisco device, you configure a VLAN for management
access and apply an IP address. The default gateway is applied globally.

Cisco IOS:

    Cisco> enable
    Cisco> configure terminal
    Enter configuration commands, one per line. End with CNTL/Z
    Cisco(config)# vlan 10
    Cisco(config-vlan)# name Management
    Cisco(config-vlan)# end
    Cisco(config)# interface vlan 10
    Cisco(config-if)# ip address 10.1.1.10 255.255.255.0
    SW1(config-if)# no shut
    Cisco(config-if)#
    Cisco(config)# int fa1/1/1
    Cisco(config-if)# switchport mode access
    Cisco(config-if)# switchport access vlan 10
    Cisco(config)# ip default-gateway 10.1.1.1

Ruckus ICX:

    Ruckus(config)# ip address 10.20.74.100/25
    Ruckus(config)# vlan 10
    Ruckus(config-vlan-10)# untagged ethernet 1/1/1
    Ruckus(config-vlan-10)#
    Ruckus(config-vlan-10)# management-vlan
    Out of band management interface untagged with VLAN 10
    Management VLAN Configured. Clearing IPv4 ARP, IPv6 Neighbor
    Ruckus(config-vlan-10)#
    Ruckus(config-vlan-10)# default-gateway 10.20.74.1 1

    Ruckus# show running-config vlan 10
    vlan 10 by port
    untagged ethe 1/1/1
    management-vlan
    default-gateway 10.20.74.1 1
    !!
    ip address 10.20.74.100 255.255.255.128
    !
    Ruckus#

Spanning Tree Protocol (STP)


Spanning Tree Configuration
The default state for Ruckus varies depending on which image is running on the device. If the switch is running
Layer 2 switch code, Spanning Tree is enabled by default. If the switch is running Layer 3 code, Spanning Tree is
disabled by default. Spanning Tree is enabled by default on all Cisco switches and is based on the IEEE 802.1D
standard. Both Ruckus and Cisco run an instance of Spanning Tree for each VLAN created on the switch. Both
Ruckus and Cisco have functionality to allow fast convergence at edge ports for Spanning Tree. On the Ruckus
switches the feature is called “Fast Port Mode” and is enabled by default. Cisco’s feature is called Portfast and
is disabled by default.

Cisco IOS:

    Cisco(config)# spanning-tree mode pvst
    Cisco(config)# spanning-tree vlan 220 priority 16384
    Cisco(config)# interface g1/0/9
    Cisco(config-if)# spanning-tree portfast

Ruckus ICX:

    Ruckus(config)# vlan 220
    Ruckus(config-vlan-220)# spanning-tree
    Ruckus(config-vlan-220)# spanning-tree priority 16384

RPVST/RPVST+ and Spanning Tree Port Fast


Based on the IEEE 802.1w standard, Rapid Spanning Tree Protocol (RSTP) is an optimized version of the IEEE
802.1D standard, Spanning Tree Protocol (STP). It achieves rapid network convergence by allowing a newly elected
root port or designated port to enter the forwarding state much quicker than STP under certain conditions. Cisco
implements Per-VLAN Spanning Tree Plus (PVST+), which is based on the IEEE 802.1D standard (Spanning Tree
Protocol [STP]) and additional proprietary extensions, or Rapid Per-VLAN Spanning Tree Plus (RPVST+), which is
based on the IEEE 802.1w standard (Rapid STP [RSTP]) and additional proprietary extensions. Unlike STP and RSTP,
in which bridges in a LAN must forward their VLAN packets in the same spanning tree, PVST+ allows each VLAN to
build a separate spanning tree. RPVST+ is a proprietary spanning tree implementation that extends RSTP (802.1w)
to run a separate spanning tree for each VLAN on the switch, and ensures that only one active, loop-free path
exists between any two nodes on a given VLAN, enabling layer 2 edge protocols to transition the user port to the
forwarding state quicker.

Cisco IOS:

    Cisco(config)# spanning-tree mode rapid-pvst
    Cisco(config)# spanning-tree vlan 100 priority 12288
    Cisco(config)# interface g1/0/9
    Cisco(config-if)# spanning-tree portfast

Ruckus ICX:

    Ruckus(config)# vlan 100
    Ruckus(config-vlan-100)# tagged ethernet 1/1/1
    Ruckus(config-vlan-100)# spanning-tree 802-1w
    Ruckus(config-vlan-100)# spanning-tree 802-1w priority 12288
    Ruckus(config-vlan-100)# show running-config
    vlan 100 by port
    tagged ethe 1/1/1
    spanning-tree 802-1w
    spanning-tree 802-1w priority 12288
    !!

NOTE:
The following command declares the port to be an operational edge for all VLANs

    Ruckus(config-if-e1000-1/1/1)# spanning-tree 802-1w admin-edge-port

NOTE:
The following command declares the port to be on a point-to-point link for all VLANs

    Ruckus(config-if-e10000-1/2/1)# spanning-tree 802-1w admin-pt2pt-mac

NOTE:
The following command changes the priority on a per VLAN or per port basis

    Ruckus(config)# vlan 100
    Ruckus(config-vlan-100)# spanning-tree 802-1w priority 10
    Ruckus(config-vlan-100)# spanning-tree 802-1w ethernet 1/1/1 path-cost 15 priority 64

MSTP
The Multiple Spanning Tree Protocol (MSTP) provides both simple and full connectivity assigned to any given VLAN
through a bridged LAN network. MSTP enables grouping and mapping VLANs into different spanning tree
instances. This section compares the commands that are used to enable a single instance of STP to manage
multiple VLANs in the system.

Cisco IOS

Cisco(config)# spanning-tree mode mst
Cisco(config)# spanning-tree mst configuration
Cisco(config-mst)# name Cisco
Cisco(config-mst)# revision 1
Cisco(config-mst)# instance 1 vlan 220
Cisco(config-mst)# instance 2 vlan 100
Cisco(config-mst)# instance 3 vlan 240
Cisco(config)# spanning-tree mst 0 priority 20480
Cisco(config)# spanning-tree mst 1 priority 16384
Cisco(config)# spanning-tree mst 2 priority 12288
Cisco(config)# spanning-tree mst 3 priority 8192

Ruckus ICX

Ruckus(config)# mstp scope all
Enter MSTP scope would remove STP and topology group related configuration for system
Are you sure? (enter 'y' or 'n'): y
'MSTP Start' need to be entered in order to activate this MSTP feature
Ruckus(config)# mstp start
Ruckus(config)# mstp name Ruckus
Ruckus(config)# mstp revision 1
Ruckus(config)# mstp instance 1 vlan 220
Ruckus(config)# mstp instance 2 vlan 100
Ruckus(config)# mstp instance 3 vlan 240
Ruckus(config)# mstp instance 1 priority 20480
Ruckus(config)# mstp instance 2 priority 12288
Ruckus(config)# mstp instance 3 priority 8192

Cisco IOS

Cisco(config)# interface g1/0/9
Cisco(config-if)# spanning-tree portfast
Cisco(config-if)# spanning-tree mst 1 cost 1000
Cisco(config-if)# spanning-tree mst 1 port-priority 160

Ruckus ICX

Ruckus(config)# mstp admin-edge-port ethernet 1/1/9
Ruckus(config)# mstp instance 1 ethernet 1/1/9 path-cost 1000
Ruckus(config)# mstp instance 1 ethernet 1/1/9 priority 160

NOTE:
The mstp admin-edge-port x/x/x command defines this port to be an edge port

Cisco IOS

Cisco(config)# interface g1/0/10
Cisco(config-if)# spanning-tree link-type point-to-point

Ruckus ICX

Ruckus(config)# mstp admin-pt2pt-mac ethernet 1/1/10

NOTE:
The mstp admin-pt2pt-mac x/x/x command defines this port to be a point-to-point link

Cisco IOS

!
spanning-tree mode mst
spanning-tree extend system-id
!
spanning-tree mst configuration
 name Cisco
 revision 1
 instance 1 vlan 220
 instance 2 vlan 100
 instance 3 vlan 240
!
spanning-tree mst 0 priority 20480
spanning-tree mst 1 priority 16384
spanning-tree mst 2 priority 12288
spanning-tree mst 3 priority 8192
spanning-tree vlan 10 priority 8192
!
!
interface GigabitEthernet1/0/9
 spanning-tree portfast
end

Ruckus ICX

!
mstp scope all
mstp name Ruckus
mstp revision 1
mstp instance 0 vlan 1
mstp instance 0 vlan 200
mstp instance 1 vlan 220
mstp instance 1 priority 20480
mstp instance 2 vlan 100
mstp instance 2 priority 12288
mstp instance 3 vlan 240
mstp instance 3 priority 8192
mstp admin-edge-port ethe 1/1/9
mstp start
!

BPDU Guard
This section compares the commands that are used to filter BPDU frames received on user ports connected to the
switches.

Cisco IOS

Cisco(config)# interface g1/0/17
Cisco(config-if)# spanning-tree bpduguard enable
Cisco(config-if)# spanning-tree bpdufilter enable

Ruckus ICX

Ruckus(config)# interface ethernet 1/1/4
Ruckus(config-if-e1000-1/1/1)# stp-bpdu-guard
Ruckus(config-if-e1000-1/1/1)# stp-protect

Root Guard
This section compares the commands that are used to prevent a user device connected to a switch from becoming
a root port in STP to avoid sub-optimal packet forwarding.

Cisco IOS

Cisco(config)# interface g1/0/17
Cisco(config-if)# spanning-tree guard root

Ruckus ICX

Ruckus(config)# interface ethernet 1/1/1
Ruckus(config-if-e1000-1/1/1)# spanning-tree root-protect

Discovery Protocols LLDP, CDP, and FDP


Cisco Discovery Protocol (CDP)
The Cisco Discovery Protocol (CDP) is a proprietary Data Link Layer (DLL) network protocol developed by Cisco,
which is implemented in most Cisco networking equipment and is used to share information, such as the operating
system version and IP address, with other directly connected Cisco equipment. CDP can also be used for On-
Demand Routing, which is a method of including routing information in CDP announcements so that dynamic
routing protocols do not need to be used in simple networks.


By default, Ruckus devices forward CDP packets without examining their contents. You can configure a Ruckus
device to intercept and display the contents of CDP packets. This feature is useful for learning device and interface
information for Cisco devices in the network. Ruckus devices support intercepting and interpreting CDP version 1
and version 2 packets.

Cisco IOS

Cisco(config)# lldp run
Cisco# show lldp neighbors
Cisco# show lldp neighbors g1/0/1 detail

Ruckus ICX

Ruckus(config)# lldp run
Ruckus(config)# show lldp neighbors
Ruckus(config)# show lldp neighbors detail ports ethernet 1/1/1

Link Layer Discovery Protocol (LLDP)


Along with support for CDP, Ruckus uses the following standards-based protocols to share information about
other directly connected devices.

• Link Layer Discovery Protocol (LLDP). The Layer 2 network discovery protocol described in the IEEE
802.1AB standard, Station and Media Access Control Connectivity Discovery. This protocol enables a
station to advertise its capabilities to and to discover other LLDP-enabled stations in the same 802 LAN
segments.
• LLDP media endpoint devices (LLDP-MED). The Layer 2 network discovery protocol extension described in
the ANSI/TIA-1057 standard, LLDP for Media Endpoint Devices. This protocol enables a switch to configure
and manage connected Media Endpoint devices that need to send media streams across the network (for
example, IP telephones and security cameras).
• LLDP enables network discovery between network connectivity devices (such as switches), whereas LLDP-
MED enables network discovery at the edge of the network, between network connectivity devices and
media end-point devices (such as IP phones).

Cisco IOS

Cisco(config)# lldp run
Cisco# show lldp neighbors
Cisco# show lldp neighbors g1/0/1 detail

Ruckus ICX

Ruckus(config)# lldp run
Ruckus(config)# show lldp neighbors
Ruckus(config)# show lldp neighbors detail ports ethernet 1/1/1

Foundry Discovery Protocol (FDP)


Foundry Discovery Protocol (FDP) is a Ruckus-specific protocol for device discovery.

Cisco IOS

Cisco does not support FDP

Ruckus ICX

Ruckus(config)# fdp run
Ruckus(config)# show fdp neighbors
Ruckus(config)# show fdp neighbors detail


Link Aggregation: LACP and LAG


This section compares the commands that are used to configure port channels on Ruckus ICX switches with the
equivalent Cisco configuration. Both Ruckus and Cisco support static trunks (EtherChannel for Cisco) and dynamic
trunks (802.3ad standard for both). Cisco also supports PAgP, a proprietary trunking standard developed by Cisco.
Ruckus uses the concept of port members and one primary port. The primary port and its configuration are used
to apply identical settings to all member ports. Any changes to ports in the LAG are performed on the primary port,
and all member ports inherit them. In the Cisco example, ports are assigned to a channel-group, then
configurations are performed on the port-channel interface.

Cisco IOS

Cisco(config)# interface port-channel 1
Cisco(config-if)# switchport trunk encapsulation dot1q
Cisco(config-if)# switchport trunk allowed vlan 220
Cisco(config-if)# switchport mode trunk
Cisco(config-if)# switchport nonegotiate
Cisco(config)# interface range g1/0/23 - 24
Cisco(config-if-range)# switchport trunk encapsulation dot1q
Cisco(config-if-range)# switchport trunk allowed vlan 220
Cisco(config-if-range)# switchport mode trunk
Cisco(config-if-range)# switchport nonegotiate
Cisco(config-if-range)# channel-group 1 mode active
Cisco# show lacp 1 internal
Cisco# show interfaces etherchannel

Ruckus ICX

Ruckus(config)# lag Ruckus dynamic id 1
Ruckus(config-lag-Ruckus)# ports ethernet 1/1/23 ethernet 1/1/24

Note: adding the LAG into vlan 220

Ruckus(config-vlan-220)# tagged lag 1

Note: Added tagged port(s) lag lg1 to port-vlan 220

Ruckus# show lag id 1

Cisco IOS

!
interface Port-channel1
 switchport trunk allowed vlan 220
 switchport mode trunk
 switchport nonegotiate
end
!
interface GigabitEthernet1/0/18
 switchport trunk allowed vlan 220
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode active
end

Current configuration: 184 bytes
!
interface GigabitEthernet1/0/19
 switchport trunk allowed vlan 220
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode active
end

Ruckus ICX

!
!
lag Ruckus dynamic id 1
 ports ethe 1/1/23 to 1/1/24
!
lag to CISCO dynamic id 3
 ports ethe 1/1/18 to 1/1/19
!
!
!
vlan 1 name DEFAULT-VLAN by port
!
vlan 200 by port
 tagged ethe 1/1/7
!
vlan 220 by port
 tagged ethe 1/1/7 lag 1 lag 3
 untagged ethe 1/1/1
!
!


Power over Ethernet (PoE)


PoE is defined in the IEEE 802.3af-2003 standard and enables power-sourcing equipment (PSE) to supply up to
15.4W of DC power to powered devices (PDs) through Ethernet interfaces over twisted-pair cables.

PoE+ is defined in the IEEE 802.3at-2009 standard and supplies up to 30W of DC power to each device. This
configuration covers PoE and PoE+ capable devices.

Cisco IOS

PoE is enabled by default

Cisco(config-if)# power inline auto
Cisco(config-if)# power inline never
Cisco# show power inline
Cisco# show power inline f1/0/5

Ruckus ICX

On the Ruckus switch, PoE is disabled by default in FastIron up to release 08.0.61a. PoE will be enabled by default on the
Ruckus switch in FastIron release 08.0.70 and beyond.

Ruckus(config-if-e1000-1/1/1)# inline power
Ruckus(config-if-e1000-1/1/1)# no inline power
Ruckus# show inline power
Ruckus# show inline power 1/1/1
!
interface ethernet 1/1/2
 inline power
!

Quality of Service (QoS)


Quality of Service (QoS) features are used to prioritize the use of bandwidth in a switch. When QoS features are
enabled, traffic is classified as it arrives at the switch, and processed through on the basis of configured priorities.
Traffic can be dropped, prioritized for guaranteed delivery, or subject to limited delivery options as configured by
a number of different mechanisms. Classification is the process of selecting packets on which to perform QoS,
reading the QoS information, and assigning a priority to the packets. The classification process assigns a priority
to packets as they enter the switch. These priorities can be determined on the basis of information contained
within the packet or assigned to the packet as it arrives at the switch. Once a packet or traffic flow is classified, it
is mapped to a forwarding priority queue.

Packets on Ruckus devices are classified in up to eight traffic classes with values from 0 to 7. Packets with higher
priority classifications are given a precedence for forwarding.

• Configuring QOS
o Classifying (trust the port)
▪ FastIron(config)# interface e 0/1/17 to 0/1/20
▪ FastIron(config-if-0/1/17)# trust dscp (When trust dscp is enabled, the interface honors the Layer
3 DSCP value. By default, the interface honors the Layer 2 CoS value)
o Marking (If needed, we can remark DSCP) (Disabled by Default)
▪ FastIron(config)# qos-tos map dscp-priority 46 to 7
▪ FastIron(config)# ip rebind-ACL all
o Scheduling (WRR by default)
▪ FastIron(config)# qos mechanism strict (To change the method back to weighted round robin, enter
the following command)
▪ FastIron(config)# qos mechanism weighted
▪ FastIron(config)# qos profile qosp7 25 qosp6 15 qosp5 12 qosp4 12 qosp3 10 qosp2 10 qosp1 10 qosp0 6
• Viewing QOS Settings
o FastIron# show qos-profiles all
o FastIron# show qos-tos

FCX and ICX devices


Ruckus ICX devices support DSCP-based QoS on a per-port basis. DSCP-based QoS is not automatically honored
for switched traffic. The default is 802.1p to CoS mapping. To honor DSCP-based QoS, enter the trust dscp
command at the interface level of the CLI.

One major difference between the configurations is that Brocade does not have the option of allocating
bandwidth based on DSCP values. As a result, we create a scheduler-profile that allows us to choose the bandwidth
associated with each queue. Creating an access-list that matches and remarks the inbound traffic's DSCP value
allows us to choose which queue it will be placed in. Ultimately, this aligns DSCP values with one of three queues,
each with a certain bandwidth allocated, just as in Cisco.

Cisco IOS

// Porting Cisco Configuration to Brocade.

// Configure CPL Class Map // matching all statements // class-map name
class-map match-any EF
 // Classification criteria // Matches IPv4 only // Match IP DSCP (DiffServ Codepoint)
 match ip dscp ef

// same logic as above
class-map match-any AF4-AF3
 match ip dscp cs4 af41 af42 af43
 match ip dscp cs3 af31 af32 af33

class-map match-any AF2-AF1
 match ip dscp cs2 af21 af22 af23
 match ip dscp cs1 af11 af12 af13
!
// Configure CPL Policy MAP // Policy-Map name
policy-map platinum-egress
 // Policy criteria (already defined) // class-map name
 class EF
  priority // Strict Scheduling priority for this class
  // Police // Committed Information Rate // % of interface BW for CIR // Percentage
  police cir percent 40
 class AF4-AF3
  bandwidth percent 20
 class AF2-AF1
  bandwidth percent 25
!
interface <WAN Interface>
 // Configure CPL Service Policy // Assign policy-map to output of an int // Policy-Map name
 service-policy output platinum-egress

Ruckus ICX

// creating VLAN and tagging ports to create VE,
Ruckus(config)# vlan 10
Ruckus(config-vlan-10)# tagged eth 1/1/1 to 1/1/2
Ruckus(config-vlan-10)# router-interface ve 10
Ruckus(config-vlan-10)# interface ve 10

// assigned IP add to VE to use as gateway for testing
//Ruckus(config-vif-10)# ip add 10.0.0.1/24

// Creating and naming access-list that will be applied to a VE and or interface depending on implementation
Ruckus(config)# ip access-list extended platinum-egress

// permitting UDP and TCP, using IP (any internet protocol) would work as well just did it this way to
// show you can choose what internet protocols to look for

// Group 2 queue 3, 20%
Ruckus(config-ext-nacl)# permit udp any any dscp-matching 32 dscp-marking 24
Ruckus(config-ext-nacl)# permit tcp any any dscp-matching 32 dscp-marking 24
Ruckus(config-ext-nacl)# permit udp any any dscp-matching 24 dscp-marking 24
Ruckus(config-ext-nacl)# permit tcp any any dscp-matching 24 dscp-marking 24
Ruckus(config-ext-nacl)# permit udp any any dscp-matching 34 dscp-marking 24
Ruckus(config-ext-nacl)# permit tcp any any dscp-matching 34 dscp-marking 24
Ruckus(config-ext-nacl)# permit udp any any dscp-matching 26 dscp-marking 24
Ruckus(config-ext-nacl)# permit tcp any any dscp-matching 26 dscp-marking 24
Ruckus(config-ext-nacl)# permit udp any any dscp-matching 36 dscp-marking 24
Ruckus(config-ext-nacl)# permit tcp any any dscp-matching 36 dscp-marking 24
Ruckus(config-ext-nacl)# permit udp any any dscp-matching 28 dscp-marking 24
Ruckus(config-ext-nacl)# permit tcp any any dscp-matching 28 dscp-marking 24
Ruckus(config-ext-nacl)# permit udp any any dscp-matching 38 dscp-marking 24
ICX7450-48P Router(config-ext-nacl)# permit tcp any any dscp-matching 38 dscp-marking 24
Ruckus(config-ext-nacl)# permit udp any any dscp-matching 30 dscp-marking 24
Ruckus(config-ext-nacl)# permit tcp any any dscp-matching 30 dscp-marking 24

// Group 1 queue 1, 25%
Ruckus(config-ext-nacl)# permit udp any any dscp-matching 16 dscp-marking 8
Ruckus(config-ext-nacl)# permit tcp any any dscp-matching 16 dscp-marking 8
Ruckus(config-ext-nacl)# permit udp any any dscp-matching 8 dscp-marking 8
Ruckus(config-ext-nacl)# permit tcp any any dscp-matching 8 dscp-marking 8
Ruckus(config-ext-nacl)# permit udp any any dscp-matching 18 dscp-marking 8
Ruckus(config-ext-nacl)# permit tcp any any dscp-matching 18 dscp-marking 8
Ruckus(config-ext-nacl)# permit udp any any dscp-matching 10 dscp-marking 8
Ruckus(config-ext-nacl)# permit tcp any any dscp-matching 10 dscp-marking 8
Ruckus(config-ext-nacl)# permit udp any any dscp-matching 20 dscp-marking 8
Ruckus(config-ext-nacl)# permit tcp any any dscp-matching 20 dscp-marking 8
Ruckus(config-ext-nacl)# permit udp any any dscp-matching 12 dscp-marking 8
Ruckus(config-ext-nacl)# permit tcp any any dscp-matching 12 dscp-marking 8
Ruckus(config-ext-nacl)# permit udp any any dscp-matching 22 dscp-marking 8
Ruckus(config-ext-nacl)# permit tcp any any dscp-matching 22 dscp-marking 8
Ruckus(config-ext-nacl)# permit udp any any dscp-matching 14 dscp-marking 8
Ruckus(config-ext-nacl)# permit tcp any any dscp-matching 14 dscp-marking 8

// Group 3 queue 4 , 40%
Ruckus(config-ext-nacl)# permit udp any any dscp-matching 46 dscp-marking 32
Ruckus(config-ext-nacl)# permit tcp any any dscp-matching 46 dscp-marking 32

// Global scheduler-profile
// assigning bandwidth to queues
Ruckus(config)# qos scheduler-profile platinum profile qosp0 3 qosp1 25 qosp2 3 qosp3 20 qosp4 40 qosp5 3 qosp6 3 qosp7 3
// guarantee bandwidth to queues
Ruckus(config)# qos scheduler-profile platinum guaranteed-rate qosp0 0 qosp1 25 qosp2 0 qosp3 20 qosp4 40 qosp5 0 qosp6 0 qosp7 0

// applying ACL to VE, if VE is not configured can also be applied on interface
// this is for inbound traffic but can be changed to outbound with replacing “in” to “out”
Ruckus(config-vif-10)# ip access-group platinum in
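The translation that the comparison above carries out by hand, as an added example in Python (not code from the original document): it expands the Cisco class-map DSCP keywords into the dscp-matching / dscp-marking ACL entries and checks that each re-marked value lands in a queue whose scheduler weight equals the Cisco percentage. The function names are hypothetical, and the queue mapping (DSCP value divided by eight) is an assumption chosen because it reproduces the queue numbers given in the page's comments.

```python
import re

# Class-maps from the Cisco column, DSCP keywords as printed on the page.
CLASS_MAPS = {
    "EF": ["ef"],
    "AF4-AF3": ["cs4", "af41", "af42", "af43", "cs3", "af31", "af32", "af33"],
    "AF2-AF1": ["cs2", "af21", "af22", "af23", "cs1", "af11", "af12", "af13"],
}
# Share per class in the Cisco policy-map (police cir percent / bandwidth percent).
CISCO_PERCENT = {"EF": 40, "AF4-AF3": 20, "AF2-AF1": 25}
# DSCP value each class is re-marked to by the Ruckus ACL on the page.
REMARK = {"EF": 32, "AF4-AF3": 24, "AF2-AF1": 8}
# Queue weights from "qos scheduler-profile platinum profile ..." on the page.
PROFILE = {0: 3, 1: 25, 2: 3, 3: 20, 4: 40, 5: 3, 6: 3, 7: 3}


def dscp_value(name):
    """Translate a DSCP keyword (ef, csN, afXY) to its 6-bit codepoint."""
    n = name.lower()
    if n == "ef":
        return 46                                # RFC 3246
    if re.fullmatch(r"cs[0-7]", n):
        return int(n[2]) * 8                     # class selector, RFC 2474
    if re.fullmatch(r"af[1-4][1-3]", n):
        return int(n[2]) * 8 + int(n[3]) * 2     # assured forwarding, RFC 2597
    raise ValueError(f"unknown DSCP keyword: {name}")


def queue_for(dscp):
    """Assumption: eight consecutive codepoints per queue (0-7 -> 0, 8-15 -> 1, ...)."""
    return dscp >> 3


def build_acl(class_maps, remark):
    """Return the ACL entries, refusing a DSCP value claimed by two classes."""
    owner, lines = {}, []
    for cls, names in class_maps.items():
        for name in names:
            value = dscp_value(name)
            if value in owner:
                raise ValueError(f"DSCP {value} matched by {owner[value]} and {cls}")
            owner[value] = cls
            for proto in ("udp", "tcp"):
                lines.append(f"permit {proto} any any "
                             f"dscp-matching {value} dscp-marking {remark[cls]}")
    return lines


def check_shares(remark, profile, cisco_percent):
    """Map each class to (queue, weight); raise if it differs from the Cisco share."""
    if sum(profile.values()) != 100:             # weights are percentages
        raise ValueError("scheduler-profile weights do not total 100")
    result = {}
    for cls, mark in remark.items():
        queue = queue_for(mark)
        if profile[queue] != cisco_percent[cls]:
            raise ValueError(f"{cls}: queue {queue} has weight {profile[queue]}, "
                             f"Cisco policy gives {cisco_percent[cls]}")
        result[cls] = (queue, profile[queue])
    return result


if __name__ == "__main__":
    for entry in build_acl(CLASS_MAPS, REMARK):
        print(entry)
    print(check_shares(REMARK, PROFILE, CISCO_PERCENT))
```

The generated entries cover the same 34 match/mark pairs as the Ruckus column, in class-map order rather than the order printed there.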

Traffic Policing
Ruckus devices use traffic policies for the following:

• To rate limit inbound traffic
• To count the packets and bytes per packet to which ACL permit or deny clauses are applied

Configuring ACL-based fixed rate limiting


Ruckus ICX
// Create a traffic policy. Enter a command such as the following:
Ruckus(config)# traffic-policy TPD1 rate-limit fixed 100 exceed-action drop
// Create an extended ACL entry or modify an existing extended ACL entry that references the traffic policy:
Ruckus(config)# access-list 101 permit ip host 210.10.12.2 any traffic-policy TPD1
// Bind the ACL to an interface:
Ruckus(config)# int e 5
Ruckus(config-if-e5)# ip access-group 101 in
Ruckus(config-if-e5)# exit

The above commands configure a fixed rate limiting policy that allows port e5 to receive a maximum traffic rate
of 100 kbps. If the port receives additional bits during a given one-second interval, the port drops the additional
inbound packets that are received within that one-second interval.


Syntax: [no] traffic-policy <TPD name> rate-limit fixed <cir value> exceed-action <action> [count]
Syntax: access-list <num> permit | deny.... traffic-policy <TPD name>
Syntax: [no] ip access-group <num> in

Configuring ACL-based Adaptive rate limiting


Ruckus ICX
// Create a traffic policy. Enter a command such as the following.
Ruckus(config)# traffic-policy TPDAfour rate-limit adaptive cir 10000 cbs 1600 pir 20000 pbs 4000 exceed-action drop
// Create a new extended ACL entry or modify an existing extended ACL entry that references the traffic policy.
Ruckus(config)# access-list 104 permit ip host 210.10.12.2 any traffic-policy TPDAfour
// Bind the ACL to an interface.
Ruckus(config)# int e 7
Ruckus(config-if-e7)# ip access-group 104 in
Ruckus(config-if-e7)# exit

The above commands configure an adaptive rate limiting policy that enforces a guaranteed committed rate of
10000 kbps on port e7 and allows bursts of up to 1600 bytes. It also enforces a peak rate of 20000 kbps and allows
bursts of 4000 bytes above the PIR limit. If the port receives additional bits during a given one-second interval,
the port drops all packets on the port until the next one-second interval starts.
Syntax: [no] traffic-policy <TPD name> rate-limit adaptive cir <cir value> cbs <cbs value> pir <pir value> pbs <pbs value> exceed-action <action> [count]
Syntax: access-list <num> permit | deny.... traffic-policy <TPD name>
Syntax: [no] ip access-group <num> in

ACL
Ruckus layer 3 switches have the ability to specify IP addresses for stations allowed to access Telnet, HTTP and
SNMP services. Additionally, administrators have the ability to use Access Control Lists (ACLs) to limit accessibility
to these services. Cisco layer 3 switches have separate areas in the running-config for VTY, auxiliary and console
lines, as well as HTTP. Additionally, administrators have the ability to use Access Control Lists (ACLs) to limit
accessibility to these services.

Ruckus and Cisco both have the ability to use ACLs to control access to IP-related services. Ruckus uses the access-
group command to apply an ACL for Telnet/SSH and HTTP access. Cisco uses the access-class command to apply
an ACL for VTY, SSH and HTTP access.

Configuring ACL

Cisco IOS

Cisco(config)# ip access-list name
Cisco(config-acl)# ip access-list name
Cisco(config-acl)# [sequence-number] {permit | deny} protocol source destination
Cisco(config)# ip access-list acl-01
Cisco(config-acl)# permit ip 192.168.2.0/24 any
Cisco(config)# ip access-list acl-02
Cisco(config-acl)# deny ip 192.168.4.0/24 any

Ruckus ICX

Ruckus(config)# access-list 100 permit icmp 209.157.22.0/24 209.157.21.0/24
Ruckus(config)# access-list 100 deny tcp host rkwong 209.157.21.0/24 eq telnet log
Ruckus(config)# access-list 100 deny udp 209.157.21.0/24 host rkwong eq tftp log
Ruckus(config)# access-list 100 deny ip host 209.157.21.100 host 209.157.22.1
Ruckus(config)# access-list 100 deny ospf any any
Ruckus(config)# access-list 100 permit ip any any

Deleting ACLs

Cisco IOS

switch(config)# no ip access-list name

Ruckus ICX

Ruckus(config)# no access-list 100 permit icmp 209.157.22.0/24 209.157.21.0/24
Ruckus(config)# no access-list 100

Enabling on an Interface

Cisco IOS

Cisco(config)# ip access-list acl-01
Cisco(config-acl)# permit ip 192.168.2.0/24 any
Cisco(config-if)# interface ethernet 2/1
Cisco(config-if)# ip access-group acl-01 in

Ruckus ICX

Ruckus(config)# int eth 3/8
Ruckus(config-if-1/2)# ip access-group 100 in
Ruckus(config-if-1/2)# int eth 4/3
Ruckus(config-if-4/3)# ip access-group 100 out
Ruckus(config-if-4/3)# write memory

Disabling an ACL on an Interface

Cisco IOS

Removing a rule requires that you enter the whole rule
Cisco(config-acl)# no permit tcp 10.0.0.0/8 any
However, if same rule had sequence number of 101, removing the rule requires only the following
Cisco(config-acl)# no 101

Ruckus ICX

Ruckus(config)# int eth 3/8
Ruckus(config-if-1/2)# no ip access-group 100 in

Rate Limiting
Each Ruckus device supports line-rate rate limiting in hardware. The device creates entries in Content Addressable
Memory (CAM) for the rate limiting policies. The CAM entries enable the device to perform the rate limiting in
hardware instead of sending the traffic to the CPU. The device sends the first packet in a given traffic flow to the
CPU, which creates a CAM entry for the traffic flow. A CAM entry consists of the source and destination addresses
of the traffic. The device uses the CAM entry for rate limiting all the traffic within the same flow. A rate limiting
CAM entry remains in the CAM for two minutes before aging out.

To enable broadcast limiting on a group of ports by counting the number of packets received, enter commands
such as the following.


Cisco IOS

Cisco(config)# rate-limit {input | output} [dscp dscp-value] [access-group [rate-limit] acl-index] bps burst-normal burst-max conform-action conform-action exceed-action exceed-action

Cisco(config)# rate-limit input access-group 111 10000000 1875000 3750000 conform-action drop

Ruckus ICX

Ruckus(config)# interface ethernet 24
Ruckus(config-if-e1000-24)# rate input fixed 500000

To include multicast limiting, enter the following command after enabling broadcast limiting.

Ruckus ICX
Ruckus(config)# interface ethernet 1/1/1 to 1/1/8
Ruckus(config-mif-e1000-1/1/1-1/1/8)# broadcast limit 65536

// To include unknown unicast limiting by counting the number of packets received, enter commands such as the following.
Ruckus(config-mif-e1000-1/1/1-1/1/8)# unknown-unicast limit

Note:
Ruckus(config-mif-e1000-1-8)# multicast limit
Syntax: [no] broadcast limit <num>
Syntax: [no] multicast limit
Syntax: [no] unknown-unicast limit

Security
Flexible Authentication
This section shows the configuration required to enable Dot1X, MAC Authentication, and RADIUS to make user
devices securely connect to the network. This comparison shows side-by-side Cisco and Ruckus CLI differences.

Cisco IOS
Cisco(config)# radius server ISE
Cisco(config-radius-server)# address ipv4 172.20.254.4 auth-port 1645 acct-port 1646
Cisco(config-radius-server)# key cisco
Cisco(config-radius-server)# end
Ruckus ICX
Ruckus(config)# radius-server host 172.20.254.4 auth-port 1645 acct-port 1646 default key cisco dot1x mac-auth web-auth
Ruckus(config)# end

Cisco IOS
Cisco(config)# radius-server dead-criteria time 5 tries 3
Ruckus ICX
Ruckus(config)# radius-server test test-user
Ruckus(config)# radius-server timeout 5
Ruckus(config)# radius-server retransmit 3
Ruckus(config)# radius-server dead-time 1

Cisco IOS
Cisco(config)# aaa authentication dot1x default group ise-group
Cisco(config)# aaa authorization network default group ise-group
Cisco(config)# aaa accounting dot1x default start-stop group ise-group
Ruckus ICX
Ruckus(config)# aaa authentication dot1x default radius
Ruckus(config)# aaa accounting dot1x default start-stop radius
Ruckus(config)# aaa accounting mac-auth default start-stop radius

Cisco IOS
Cisco(config)# aaa accounting update periodic 5
Ruckus ICX
Ruckus(config)# radius-server accounting interim-updates
Ruckus(config)# radius-server accounting interim-interval 5

Cisco IOS
Cisco(config)# aaa server radius dynamic-author
Cisco(config-locsvr-da-radius)# client 10.1.100.21 server-key networknode
Ruckus ICX
Ruckus(config)# aaa authorization coa enable
Ruckus(config)# host 10.1.100.21 key networknode
Ruckus(config)# radius-client coa 1700

Cisco IOS
Cisco(config-locsvr-da-radius)# ip radius source-interface vlan 100
Ruckus ICX
Ruckus(config)# ip radius source-interface ve 100

Cisco IOS
Cisco(config-if)# authentication event fail action next-method
Ruckus ICX
Ruckus(config)# authentication auth-order mac-auth dot1x
Ruckus(config-if)# authentication mac-auth dot1x-override

Cisco IOS
Cisco(config-if)# authentication event server dead action authorize voice
Ruckus ICX
Ruckus(config)# authentication
Ruckus(config-authen)# voice-vlan number
Ruckus(config-authen)# auth-timeout-action critical-vlan voice voice-vlan

Cisco IOS
Cisco(config-if)# authentication timer reauthenticate server
Cisco(config-if)# authentication timer inactivity server
Ruckus ICX
N/A

Cisco IOS
Cisco(config-if)# authentication host-mode multi-auth
Ruckus ICX
N/A

Cisco IOS
Cisco(config-if)# authentication order dot1x mab
Ruckus ICX
Ruckus(config)# authentication
Ruckus(config-authen)# authentication auth-order dot1x mac-auth

Cisco IOS
Cisco(config-if)# authentication port-control auto
Cisco(config-if)# dot1x pae authenticator
Ruckus ICX
Ruckus(config-if)# authentication port-control auto

Cisco IOS
Cisco(config-if)# authentication periodic
Ruckus ICX
Ruckus(config)# authentication
Ruckus(config-authen)# re-authentication

Cisco IOS
Cisco(config-if)# mab
Ruckus ICX
Ruckus(config)# authentication
Ruckus(config-authen)# mac-auth enable
Ruckus(config-authen)# mac-auth enable ethernet 1/1/47

Cisco IOS
Cisco(config-if)# dot1x timeout tx-period 10
Ruckus ICX
Ruckus(config)# authentication
Ruckus(config)# dot1x timeout tx-period 10

Cisco IOS
Cisco# copy running-config startup-config
Ruckus ICX
Ruckus# write memory

Cisco IOS

!
radius server ise
 address ipv4 10.1.100.21 auth-port 1812 acct-port 1813
 key networknode
!
radius-server dead-criteria time 5 tries 3
!
aaa group server radius ise-group
 server name ise
!
aaa authentication dot1x default group ise-group
aaa authorization network default group ise-group
aaa accounting dot1x default start-stop group ise-group
!
aaa accounting update periodic 5
!
aaa server radius dynamic-author
 client 10.1.100.21 server-key networknode
 server-key networknode
!
ip radius source-interface vlan 100
!
system-auth-control

interface range g1/0/7-48
 description ISE dot1x Port
 switchport access vlan 70
 switchport mode access
 authentication event fail action next-method
 authentication event server dead action authorize voice
 authentication timer reauthenticate server
 authentication timer inactivity server
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10

Ruckus ICX

!
authentication
 critical-vlan 10
 auth-default-vlan 70
 voice-vlan 200
 re-authentication
 dot1x enable
 dot1x enable ethe 1/1/47
 dot1x timeout tx-period 10
 mac-authentication enable
 mac-authentication enable ethe 1/1/47
 auth-timeout-action critical-vlan voice voice-vlan
!
aaa authentication dot1x default radius
aaa authorization coa enable
aaa accounting dot1x default start-stop radius
aaa accounting mac-auth default start-stop radius
!
radius-client coa host 10.1.100.21 key networknode
radius-client coa port 1700
radius-server host 10.1.100.21 auth-port 1812 acct-port 1813 default key networknode dot1x mac-auth web-auth
radius-server retransmit 3
radius-server timeout 5
radius-server test test-user
radius-server accounting interim-updates
radius-server accounting interim-interval 5
radius-server dead-time 2
!
interface ethernet 1/1/47
 dot1x port-control auto
!
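A configuration check for the Ruckus running-config above, as an added example in Python (not part of the original document or of any Ruckus tool): it reports 802.1X-enabled ports that have no dot1x port-control auto line, a missing RADIUS method for 802.1X, and RADIUS or CoA shared secrets that are short or copied from documentation. The function names, the 16-character minimum, the port-range notation and the GAP_CONFIG sample are assumptions made for the example; PAGE_CONFIG is an abridged transcription of the page's own output.

```python
import re

# Sample secrets printed in this page's tables; treated here as known-weak.
WEAK_KEYS = {"cisco", "networknode"}
MIN_KEY_LEN = 16          # assumption: local policy, not a FastIron limit
PORT = re.compile(r"^\d+/\d+/\d+$")

# Abridged transcription of the Ruckus running-config shown on the page.
PAGE_CONFIG = """
!
authentication
 critical-vlan 10
 auth-default-vlan 70
 dot1x enable
 dot1x enable ethe 1/1/47
 mac-authentication enable
 mac-authentication enable ethe 1/1/47
!
aaa authentication dot1x default radius
aaa authorization coa enable
!
radius-client coa host 10.1.100.21 key networknode
radius-server host 10.1.100.21 auth-port 1812 acct-port 1813 default key networknode dot1x mac-auth web-auth
!
interface ethernet 1/1/47
 dot1x port-control auto
!
"""

# Constructed variant: ports 1/1/2 and 1/1/3 never get port-control auto,
# and no RADIUS method is defined for 802.1X.
GAP_CONFIG = """
authentication
 dot1x enable
 dot1x enable ethe 1/1/1 to 1/1/3
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 default key 7f3c9a1e5b2d4c60a8e1 dot1x
!
interface ethernet 1/1/1
 dot1x port-control auto
!
interface ethernet 1/1/3
 inline power
!
"""


def blocks(config):
    """Split a running-config into '!'-delimited blocks of stripped lines."""
    out, cur = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!" or not line:
            if cur:
                out.append(cur)
            cur = []
        else:
            cur.append(line)
    return out + ([cur] if cur else [])


def expand_ports(spec):
    """'ethe 1/1/1 to 1/1/3 ethe 1/1/47' -> individual unit/slot/port names."""
    toks = [t for t in spec.split() if t not in ("ethe", "ethernet")]
    ports, i = [], 0
    while i < len(toks):
        if not PORT.match(toks[i]):
            i += 1
        elif toks[i + 1:i + 2] == ["to"] and i + 2 < len(toks) and PORT.match(toks[i + 2]):
            unit, slot, first = toks[i].split("/")   # range assumed within one slot
            last = toks[i + 2].split("/")[2]
            ports += [f"{unit}/{slot}/{n}" for n in range(int(first), int(last) + 1)]
            i += 3
        else:
            ports.append(toks[i])
            i += 1
    return ports


def audit(config):
    """Return (finding, detail) tuples for the three checks described above."""
    findings, lines = [], []
    dot1x_ports, auto_ports = set(), set()
    for block in blocks(config):
        lines += block
        head = block[0]
        if head == "authentication":
            for line in block[1:]:
                m = re.match(r"dot1x enable (ethe .+)$", line)
                if m:
                    dot1x_ports.update(expand_ports(m.group(1)))
        elif head.startswith("interface ethernet ") and "dot1x port-control auto" in block[1:]:
            auto_ports.update(expand_ports(head.split(" ", 2)[2]))
    if dot1x_ports and "aaa authentication dot1x default radius" not in lines:
        findings.append(("dot1x-without-radius-method", "aaa authentication dot1x"))
    for line in lines:
        m = re.match(r"(radius-server host \S+|radius-client coa host \S+).*?\bkey (\S+)", line)
        # A bare number after 'key' is taken to be an encoding type, so the
        # secret itself cannot be inspected and is skipped (assumption).
        if m and not m.group(2).isdigit():
            key = m.group(2)
            if key.lower() in WEAK_KEYS or len(key) < MIN_KEY_LEN:
                findings.append(("weak-radius-key", m.group(1)))
    order = lambda p: tuple(map(int, p.split("/")))
    for port in sorted(dot1x_ports - auto_ports, key=order):
        findings.append(("dot1x-port-not-controlled", port))
    return findings


if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("constructed", GAP_CONFIG)):
        print(name, audit(cfg))
```

Run against the page's configuration, the only findings are the two lines that carry the sample secret networknode.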

Conclusion
In this detailed comparison of Ruckus IP product features and capabilities versus the Cisco IP product portfolio, it
is clear that the Ruckus approach is superior and allows customers to build and scale their networks based on
open standards—enabling a best-of-breed strategy and avoiding vendor lock-in. In addition, as shown in this
paper, the migration to Ruckus is made straightforward by the many similarities between the Ruckus and Cisco
CLIs and Ruckus’ comprehensive and integrated network management.
