Skip to content

Setting up Brocade ICX7250 & ICX7450


Download the ZIP below, which contains the firmware files and documentation you'll need. The ICX7250 and ICX7450 run the same PoE firmware, bootloader, and OS image so this guide can be used for either.

Brocade v8080 Firmware/Docu Zip
SW version: 08080e
ZIP Updated: 10-29-2019
MD5: 0d9c19da7ab9c9e69596efc7235da27b

Connect to the switches serial/console port on the front using a program like Putty (9600 8N1), and connect any of the normal switch ports to your network (do NOT use the dedicated management port).

You need to set up a temporary TFTP server - I recommend Tftpd32 Portable Edition if you're on Windows and don't want to install anything. Point the server to an empty folder to serve files from. From the ZIP, copy the bootloader from the Boot folder into your tftp server directory. Then, from the Images folder, copy over the OS image to the same place. If you have a PoE model, copy over the PoE firmware from the PoE Firmware folder to your TFTP directory as well.

Power on the switch while watching your serial terminal - start smashing the b key until you're dropped into the bootloader prompt, which looks like ICX7250-Boot> . If you missed the prompt and it boots the OS instead, pull power and try again.

Now at the boot prompt, we tell the switch to clear all current configs and old keys, so it boots into a fresh state:

factory set-default

To confirm this action, you must send CAPITAL Y - sending a lowercase y will just make it abort.

Now just tell the switch to reboot:


It will boot into the full OS and you can continue to the next section.

Initial Configuration & update

Now that it's booted into the full OS you may get TFTP timed out errors in the console, this is normal. just hit enter until they go away. We'll fix that in the next section. Now to make any changes we must enter the enable level:


Now we enter the configure terminal level to make config changes:

configure terminal

Now we turn off the DHCP client, so it doesn't automatically grab an IP and look for a TFTP config (the cause of the earlier timeout messages):

ip dhcp-client disable
write memory

Note: If during the ip dhcp-client disable command you get an invalid input error, your switch probably came with the layer 2 only firmware loaded. In that case, just run ip address (replace the IP) - this will give it a temporary IP, so it can load the layer 3 firmware. Then skip down to the Load The New Images section below, and use those commands to copy in the latest layer 3 firmware and reload. Once the switch comes back up, don't forget to come back and follow this Initial Configuration section all the way through now that you have the proper firmware!

Now just reload the switch so it comes back up without an IP assigned to a port via DHCP:


Once it's back up, enter the configure level again:

configure terminal

We need to give it an IP so we can load the new firmware. By default, all ports are in VLAN 1, so it will behave like a typical switch. First we need to give VLAN 1 its own virtual interface:

vlan 1
router-interface ve 1

Now we need to assign that virtual interface an address. Choose an IP that is unused in your subnet, and out of your DHCP server range (ping it first to be sure it's unused):

interface ve 1
ip address
write mem

Load The New Images

Now that the switch has an IP address, we can TFTP in the new images, then reload:

copy tftp flash spz10114.bin bootrom  
copy tftp flash SPR08080e.bin primary

Note: if you skipped to this section because your switch had layer 2 firmware on it and a note in the previous section instructed you to, go back above and go through the whole Initial Configuration & update section once the switch finishes rebooting.

The switch will reload, loading the new software. Continue on to the Configuration Details section below.

Configuration Details

Your switch should now be freshly booted with the latest layer 3 firmware image and bootloader. First give the switch a name:

configure terminal
hostname intertubes

Now tell it to generate an RSA keypair - this is the first step to enable SSH access:

crypto key generate rsa

Update PoE Firmware

If your switch is the PoE model, you need to update the PoE controller firmware. If it's a non-PoE model, skip this step. Assuming you completed the previous section and the switch now has in-band network access, just do the following:

inline power install-firmware stack-unit 1 tftp icx7xxx_poe_02.1.1.b002.fw
#after a few seconds, hit enter to return to cli
#save changes you made from the previous section
write memory
#reload the switch
#you'll probably get a message that it hasn't finished. it can take up to 10 minutes
#run "show log" occasionally to monitor the update progress
#try the "reload" command again once it's reached 100%
#once you've rebooted back into the OS:
configure terminal

Now you have the latest PoE firmware, and can continue on.

If Access Protection Is NOT Required

If you do not want to password protect access to the switch (you're using it in a lab), follow this section. If you'd like to password protect it, skip to the next section.

Allow SSH login with no passwords configured:

ip ssh permit-empty-passwd yes

If Access Protection IS Required (or WEB-UI Access)

If you do want to secure access to the switch, or use the (limited) web UI, follow this section. If not, skip it.

To secure the switch, we need to create an account - "root" can be any username string you wish:

username root password yourpasshere

We also need to tell it to use our new local user account(s) to authorize attempts to log in, use the webpage, as well as attempts to enter the enable CLI level:

aaa authentication login default local
aaa authentication enable default local
aaa authentication web default local

If you wanted to use the WEB UI, you can now log into it using the credentials you created above.

You should enable authentication for telnet access as well:

enable telnet authentication

If your switch is outside of your home, or accessible by others in any way, telnet should be disabled entirely, and access to the serial console should also be password protected. Otherwise skip this step at your discretion:

no telnet server
enable aaa console

OPTIONAL: Key Based SSH Access

If you have followed the above to set up authentication, and also wish to disable password-based SSH login and set up a key pair instead, follow this section. If not, skip it. Enable key login, and disable password login:

ip ssh key-authentication yes
ip ssh password-authentication no

Now we have to generate our key pair with puttygen on windows or ssh-keygen -t rsa on linux. The default settings of RSA @ 2048 bits works without issue. Generate the pair and save out both the public and private key.

Copy the public key file to your TFTP server. Then use the following command to import it into your switch:

ip ssh pub-key-file tftp public.key

You shouldn't need to be told basic key management if you're following this section, but just in case - copy your private key to the proper location on the *nix machine you'll be SSH'ing from, or if you're on windows, load it using pageant. Now when you SSH to the switch, it will authenticate using your private key.

License The Switch (ICX7250)

Run the following to unlock all the features of the ICX7250 (10gbE ports, advanced routing, etc). If you are using this switch in a commercial setting or to make money, please purchase a license entitlement from Ruckus.

license install perpetual 1 8x10g
license install perpetual 1 l3-prem
conf t
interface ethernet 1/2/1 to 1/2/8
no speed-duplex 1000-full
write mem

The switch will reload, then the 10gbE ports and everything else will now be fully functional.

License The Switch (ICX7450)

Run the following to unlock all the features of the ICX7450 (advanced routing & macsec encryption). If you are using this switch in a commercial setting or to make money, please purchase a license entitlement from Ruckus.

license install perpetual 1 l3-prem
license install perpetual 1 macsec
write mem

The switch will reload, then the new features will now be fully functional.

Saving & Conclusions

Whenever you make changes (like above) they take effect immediately, however they are not saved to onboard flash. So if you reboot the switch, they will be lost. To permanently save them to onboard flash, use the write memory command. To do so, you must be at the enable level or higher.

Note: Since you did a write memory in the previous section before reloading the switch, there are no changes to save. But just for practice:

write memory

Your switch now has a basic configuration, as well as an IP address you can telnet or SSH to for further configuration.

Some more useful general commands:

Show chassis information like fan and temperature status:

show chassis

Show a table of all interfaces:

show interface brief

To show one interface in detail:

show interfaces ethernet 1/1/1
#Also works for virtual interfaces:
show interfaces ve 1

Give a port a friendly name:

interface ethernet 1/1/1
port-name freenas
show interfaces brief ethernet 1/1/1

Show the running configuration:

show run

Show the system log:

show log

To remove configuration options, put a no in front of them at the appropriate CLI level:

no hostname intertubes


To exit the CLI level you are at, use exit. So assuming you are still at the configure terminal level, type the following to exit back to the enable level:


Commands can also be shortened, as long as they are still unique. So to re-enter the configure terminal level, Instead of typing the entirety of configure terminal, the following will also work:

conf t

There is also tab help and completion. To see all the commands available at the current CLI level, just hit tab. To see the options available for a certain command, just type that command (like ip) then hit tab a couple times.

Advanced Configuration

Default Route & DNS

To give the switch a default route and a DNS server so it can reach external hostnames and IP's (to ping external servers or to update time via NTP etc), do the following. replace the IP with the IP of your gateway/router/etc. Assuming you are still at the configure terminal level:

ip dns server-address
ip route


To have the switch keep its time synced via NTP (so its logs make more sense), use the following. If you live in an area that doesn't use Daylight Savings, skip the clock summer-time command. Use tab completion for the timezone command to see what's available. The IP's in the following example are google's NTP servers and work well for most cases:

clock summer-time
clock timezone gmt GMT-05
disable serve


To quickly enable SNMPv2 (read only), follow the below. SNMP v3 is available but you'll have to refer to the included documentation:

snmp-server community public ro


If you made any of the above extra changes, remember they have not been saved to onboard flash yet. Do so:

write memory

SFP/Optics Information

Brocade does not restrict the use of optics by manufacturer, they'll take anything given it's the right protocol. However by default, optical monitoring information is disabled unless it sees Brocade or Foundry optics.

So if you want to see information like this :

telnet@Route2(config)#sh optic 5
 Port  Temperature   Tx Power     Rx Power       Tx Bias Current
5       32.7460 C  -002.6688 dBm -002.8091 dBm    5.472 mA
        Normal      Normal        Normal         Normal

You'll need to pick up some official Brocade or Foundry optics on ebay, or buy some flashed optics from FiberStore.

Note: Starting in v8080 firmware, Ruckus added a command that enables optical monitoring details (like the above example) for non-brocade branded optics. It's not guaranteed to work with all optics, but should with most that conform to SFF-8472. Run the following to enable this:

conf t
optical-monitor non-ruckus-optic-enable
write mem




The markdown source for these guides is hosted on my Github repo. If you have any suggested changes or additions feel free to submit a pull request.

Documentation version: v2.0 (01-03-2020)