Brocade ICX6450 - Help with VLAN Config/SFP Licensing Question


Karson

I have a user VLAN (VLAN100) configured in pfSense. The uplink for pfSense is on 1/1/1. At this point, I want all 1/1/1->1/1/48 GbE ports on that VLAN as untagged access ports (I think?).

Is my config file below way off? I know I'm missing the port range config somewhere.

Also, in the future I might utilize the SFP+ ports for some 10Gb connectivity to FreeNAS. Is there anything special as far as the SFP ports being configured as access ports? Are all 4 SFP ports configurable to access ports/are there any licensing gotchas I need to look into before going any further?

I apologize for the very basic questions. I am trying to grasp more networking fundamentals in my homelab, but am getting frustrated with VLAN configuration on this switch. It seems like @fohdeesha is the equivalent of Michael McNamara of the Nortel world, so I'm still trying to sort through forum posts of his.

I tried to configure a few things via the WebUI, but screwed something up to the point of having to re-rack my Nortel 5520 just to get back online. To make matters worse, I can't find my gender bender adapter to console into the 5520 to look at how I had the VLAN/ports configured :(

Code:
enable
configure terminal
vlan 100
router-interface ve 100
exit
interface ve 100
ip address 192.168.1.55/24
exit
interface ethernet 1/1/2 to 1/1/12
inline power
hostname brocade
crypto key generate rsa
username root password redacted
aaa authentication login default local
aaa authentication enable default local
aaa authentication web default local
enable telnet authentication
write memory
 

kapone

I'm confused...if you're using the 6450 as a "Layer 3" switch, why do you have VLANs on pfSense??
 

Karson

I'm confused...if you're using the 6450 as a "Layer 3" switch, why do you have VLANs on pfSense??
Full disclosure - because I don't know any better. Doing all the routing through pfSense was clearer for me when I first started out. I would absolutely go forward with leveraging the switch's Layer 3 features if I felt more comfortable, but I'm not there yet.

Is it painfully easy to do all the routing on the switch as opposed to pfSense?
 

kapone

Because I don't know any better. Doing all the routing through pfSense was clearer for me when I first started out.
Well...not sure how to say this...you have a long road ahead of you. :) Dabbling in OSI layers is not for the faint of the heart, and patience is definitely a virtue in this case.

My advice would be:
- Draw a diagram of how you want your network to be. Label ports, interfaces, IP addresses on the diagram first.
- Start with the 6450 disconnected from pfSense.
- Create two VLANs on the 6450 and see if you can communicate between them, don't worry about internet/transit access just yet.
- Figure out how you're going to do DHCP and DNS with VLANs (hint: pfSense can't do it).
 

Karson

Well...not sure how to say this...you have a long road ahead of you. :) Dabbling in OSI layers is not for the faint of the heart, and patience is definitely a virtue in this case.
Thanks - I picked this switch up based off recommendations here knowing I would likely only use 1% of its features. I'd be just fine with a 48 port unmanaged switch, but then it ends up being more expensive than these are used once you add in the need for PoE.

What helped me most in the past was getting a working/running config to baseline off of, then if I really bomb something, I'm only a factory reset and reapplication of the working config away from being back to square 1.

Since you responded, I found this site: Configuring Brocade Switches - AN!Wiki

I should be able to hack something together from that later tonight.
 

kapone

If that's the case...you might wanna just load the "Switch firmware" (instead of the router firmware) aka Layer 2 firmware, and just use it that way.
 

fohdeesha

It seems like @fohdeesha is the equivalent of Michael McNamara of the Nortel world
LOL

assuming the pfsense port to the switch has vlan 100 set as tagged, you just need to add port 1/1/1 to vlan 100 as tagged. Then add the rest of the ports to vlan 100 as well, but untagged (since they will be normal end devices)

Code:
enable
conf t
vlan 100
tagged e 1/1/1
untagged e 1/1/2 to 1/1/48
! put the 10gbe ports in there too
untagged e 1/2/1 to 1/2/4
! save
write mem

If for some reason the vlan 100 pfsense port is untagged, and not actually configured for vlan tags, the first "tagged e 1/1/1" would instead be "untagged e 1/1/1"

I usually recommend staying on the l3 firmware image even if not specifically using l3 features, they don't seem to spend much time/attention on the L2 images the last couple years, plus if you ever wanna use any L3 feature, it'll be a PITA to forklift all of your l2 only config over to the l3 image where different commands do different things
 

fohdeesha

As for licenses, 2 of the 10gbE ports come ready to use, and the remaining 2 require a software license to unlock. Some advanced routing features (that I don't think you'll be using based on your setup) also require a software license. If you want them, pm me

I highly recommend reading through the ICX megathread here, I know it's long but it has a lot of good info
 

Karson

As for licenses, 2 of the 10gbE ports come ready to use, and the remaining 2 require a software license to unlock. Some advanced routing features (that I don't think you'll be using based on your setup) also require a software license. If you want them, pm me

I highly recommend reading through the ICX megathread here, I know it's long but it has a lot of good info
Thanks for responding - which ports come 10Gb ready out of the box? 1 & 2? I don't know if my 6450 had a license on it from the eBay seller, or if the factory set-default command I did might've cleared it out when I first set it up.

I appreciate everyone's responses and deserve some critical responses about my setup. As much as I planned upfront to do this homelab v2 upgrade/consolidation, some gotchas appeared (like always) and I got frustrated and panicked being short on time. So, I grabbed something to eat since I hadn't eaten all day, got the kids from daycare and after we got them down to bed, had a chance to collect my thoughts.

I am weak at networking, like I mentioned in my first post. However, configuring things in my lab in realistic, albeit illogical ways, has paid dividends in my professional career. Even if I don't even sniff at becoming a fluent network guy, at least I can be on the phone with network engineers and speak/ask logical questions.

I will take everyone's advice here, diagram things out, and get my config sorted. I got the cart way in front of the horse asking for config questions before even knowing what I want to do myself. I do have a couple physical hosts along with a FreeNAS controller in front of a Lenovo SA120 I'd like to 10G, so ideally 3 ports at 10Gb would be helpful in the near future.
 

Karson

I'm up and running, for the most part. Very basic config, but something I can start out with. One thing I can't seem to figure out is how to get remote access (telnet/ssh) as well as name my ports.

I created the ve 1 like in fohdeesha's site, and essentially added a few more config options to round out my setup. Even after doing a factory set-default and running this config, the switch only is accessible through local console.

I've got a good switch diagram created in Excel (I don't have a Visio license), and would like to name my ports within the switch. But, I am having a hard time after RTFM and dissecting some of the blogs I've read on how to do that. Can someone help me with the CLI command to accomplish that?

Lastly, is there a "softer" way to clear the config beyond entering the bootloader and running factory set-default?

Code:
enable
configure terminal
ip dhcp-client disable
write memory
exit
reload

enable
configure terminal
vlan 1
router-interface ve 1
interface ve 1
ip address 192.168.1.55/24
exit
hostname brocade
vlan 100 name User
tagged ethernet 1/1/1
untagged ethernet 1/1/2 to 1/1/48
!#put the 10gbe ports in there too
untagged ethernet 1/2/1 to 1/2/4
exit
inline power ethernet 1/1/2 to 1/1/12
crypto key generate rsa
username redacted password redacted
aaa authentication login default local
aaa authentication enable default local
aaa authentication web default local
enable telnet authentication
!#save
write mem
 

kapone

Lastly, is there a "softer" way to clear the config beyond entering the bootloader and running factory set-default?
erase startup-config
Edit: As far as port naming goes, I almost never do it, and I don't think the names show up in all of the commands consistently. I keep my diagram handy, which has the server-port mappings.
 

fohdeesha

you can't telnet/ssh to it because you added the virt interface to vlan 1, but put everything in vlan 100

remove the vlan 1 config stuff:

Code:
vlan 1
no router-interface ve 1
interface ve 1
no ip address 192.168.1.55/24
exit

! add it to vlan 100
vlan 100
router-interface ve 100
interface ve 100
ip address 192.168.1.55/24
write mem
! make sure to change that IP to something that is free on your network

as far as naming ports, just go to that port and run port-name

Code:
interface e 1/1/1
port-name intertubes
write mem

Now when you run "show int br" you'll see names next to ports

It's good to remember that to see all possible commands at the current level, just hit tab a couple times. Like go to a port config level and hit tab twice, you'll see port-name with a description listed
 
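The diagnosis in the post above (an addressed ve bound to vlan 1 while every port sits in vlan 100) can be checked mechanically before a config is pasted into the switch. This is an added example, not part of the original posts or of any Brocade tooling: `parse` and `unreachable_ves` are hypothetical helpers, the sample is constructed from the config posted earlier in the thread, and the check counts only explicit tagged/untagged lines (it does not model implicit default-VLAN membership).

```python
import re

# Constructed sample: the VLAN/VE lines of the second config posted in the thread.
SAMPLE = """\
vlan 1
router-interface ve 1
interface ve 1
ip address 192.168.1.55/24
exit
vlan 100 name User
tagged ethernet 1/1/1
untagged ethernet 1/1/2 to 1/1/48
untagged ethernet 1/2/1 to 1/2/4
"""

def parse(config):
    """Return (vlan -> port lines, ve -> vlan, ve -> ip) from pasted CLI text."""
    ports, ve_vlan, ve_ip = {}, {}, {}
    vlan = ve = None  # which config level the following lines apply to
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"vlan (\d+)", line):
            vlan, ve = int(m.group(1)), None
            ports.setdefault(vlan, [])
        elif m := re.match(r"interface ve (\d+)", line):
            vlan, ve = None, int(m.group(1))
        elif line == "exit" or line.startswith("interface "):
            vlan = ve = None
        elif vlan is not None and (m := re.match(r"router-interface ve (\d+)", line)):
            ve_vlan[int(m.group(1))] = vlan
        elif vlan is not None and (m := re.match(r"(?:un)?tagged e\w* (.+)", line)):
            ports[vlan].append(m.group(1))
        elif ve is not None and (m := re.match(r"ip address (\S+)", line)):
            ve_ip[ve] = m.group(1)
    return ports, ve_vlan, ve_ip

def unreachable_ves(config):
    """List (ve, ip, reason) for addressed VEs that no switch port can reach."""
    ports, ve_vlan, ve_ip = parse(config)
    findings = []
    for ve, ip in sorted(ve_ip.items()):
        vlan = ve_vlan.get(ve)
        if vlan is None:
            findings.append((ve, ip, "ve is not bound to any vlan"))
        elif not ports[vlan]:
            findings.append((ve, ip, f"vlan {vlan} has no tagged/untagged ports"))
    return findings

if __name__ == "__main__":
    print(unreachable_ves(SAMPLE))
```

A finding on the management ve means telnet/ssh/web will not answer from any port, which is the console-only symptom described earlier in the thread.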

Karson

Edit: As far as port naming goes, I almost never do it, and I don't think the names show up in all of the commands consistently. I keep my diagram handy, which has the server-port mappings.
That's a good thing to remember - I can see where that'd be tedious, and over time, less accurate than an easy to edit diagram. I'm going full n00b here and posting my diagram. Probably embarrassing myself, but oh well. (things like the VID, I'm not sure are applicable here. I think they are, but still reading...)



Thank you!
 

arglebargle

- Figure out how you're going to do DHCP and DNS with VLANs (hint: pfSense can't do it).
Just a heads up -- pfSense handles DHCP and DNS per VLAN without issue, I've been using pfSense to do just this for a couple of years now. I actually prefer handling all of my inter-vlan routing with pfSense for log readability and use of the firewall. Obviously raw performance is going to be better on an ASIC but logging and firewall rules on pfSense are a lot nicer. I'm still running pfSense 2.3.x for ~reasons~ so these aren't new features.
 

ViciousXUSMC

Just a heads up -- pfSense handles DHCP and DNS per VLAN without issue, I've been using pfSense to do just this for a couple of years now. I actually prefer handling all of my inter-vlan routing with pfSense for log readability and use of the firewall. Obviously raw performance is going to be better on an ASIC but logging and firewall rules on pfSense are a lot nicer. I'm still running pfSense 2.3.x for ~reasons~ so these aren't new features.
I am assuming you mean as long as it has a vlan interface for that subnet.
I would assume DNS can work just fine with layer 3 done on the switch (need to test) but I do know the pain points for the DHCP issues. I also like having all my DHCP on PFSense as I have everything aliased and static leases.

I have a few ideas on how to get DHCP working while still using the switch to do the inter-vlan routing.
 

PGlover

That's a good thing to remember - I can see where that'd be tedious, and over time, less accurate than an easy to edit diagram. I'm going full n00b here and posting my diagram. Probably embarrassing myself, but oh well. (things like the VID, I'm not sure are applicable here. I think they are, but still reading...)





Thank you!
Can you please post a copy of your Excel spreadsheet? I would like to use it as a template for mapping my ports on the ICX6610.