Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)

losx

Funny you mention this... I am debating using my FreeNAS installation as well or maybe a dedicated raspberry pi just for dhcp and dns and pi-hole
 

dswartz

I like being able to monitor IP addresses by looking at the ARP table. As said previously, this won't work for other than VLAN 1 if I am running a vanilla switched image, since the switch won't have an IP address in a subnet used by hosts in that VLAN. Assume I understand this correctly, is my only alternative to run the routing image instead? And define a virtual interface in each VLAN, with a unique IP address in a subnet used by hosts in that VLAN?
 

ptibeur

You could observe the ARP table of your router/firewall, instead of focusing on the switch's ARP table, it's the same function on a different host, you should get a similar result.
 

fohdeesha

I like being able to monitor IP addresses by looking at the ARP table. As said previously, this won't work for other than VLAN 1 if I am running a vanilla switched image, since the switch won't have an IP address in a subnet used by hosts in that VLAN. Assume I understand this correctly, is my only alternative to run the routing image instead? And define a virtual interface in each VLAN, with a unique IP address in a subnet used by hosts in that VLAN?
yes, and even then you aren't guaranteed to have ARP entries on the switch for every device in that VLAN, they'll have to talk to that switch IP first to generate an entry. The place to check arp tables is pretty much *always* the router/gateway for said subnet. In your case it sounds like that's pfsense/opnsense (Diagnostics > ARP Table). trying to move this functionality to a layer 2 device in your network is indeed a pretty bizarre use case
 

dswartz

The router is also my home gateway, and is unaware of any other VLANs. This is only a convenience for me, not a requirement. I'm puzzled about the assertion that the switch will only add hosts to the ARP cache if that host talks to the switch first. I see a number of entries in the ARP cache of both switches (the 7250 stack and the 7150 by my desk) for hosts who shouldn't even know about either switch directly. Odd.
 

fohdeesha

The router is also my home gateway, and is unaware of any other VLANs. This is only a convenience for me, not a requirement. I'm puzzled about the assertion that the switch will only add hosts to the ARP cache if that host talks to the switch first. I see a number of entries in the ARP cache of both switches (the 7250 stack and the 7150 by my desk) for hosts who shouldn't even know about either switch directly. Odd.
it just completely depends on the device/software on the other end. some devices behave normally and won't send out an ARP response with its IP info unless it sees an arp request directed at it from said device (your switch), others will send gratuitous arps (arp responses that weren't provoked by an arp request), gARP messages are also broadcast instead of unicast, so they'll get picked up and entered into the arp table of everything in the subnet, including your switch

Then you have a lot of other cases that will cause you getting arp entries like some devices trying to ping random hosts in their subnet (IOT crap is bad about this) etc
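
Added example, not part of fohdeesha's post: a simplified Python model of the behaviour described above, where a listener only gains an ARP entry from packets addressed to its own IP or from broadcast gratuitous ARPs, and flags a MAC change for a known IP. The MAC addresses and host IPs are constructed sample data; 10.0.10.202 is the switch address that appears later in the thread.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # 28-byte ARP payload for Ethernet/IPv4

def build_arp(op, sha, spa, tpa, tha="00:00:00:00:00:00"):
    """Pack a constructed ARP payload (op 1 = request, 2 = reply)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac(sha),
                       socket.inet_aton(spa), mac(tha), socket.inet_aton(tpa))

def parse_arp(payload):
    """Decode sender/target fields; gratuitous means sender IP == target IP."""
    _, _, _, _, op, sha, spa, _, tpa = struct.unpack(ARP_FMT, payload[:28])
    return {"op": op, "mac": sha.hex(":"), "ip": socket.inet_ntoa(spa),
            "target": socket.inet_ntoa(tpa), "gratuitous": spa == tpa}

def observe(table, my_ip, payload):
    """Apply one ARP packet to `table` (ip -> mac) and label what happened."""
    p = parse_arp(payload)
    if not (p["gratuitous"] or p["target"] == my_ip):
        return "ignored"            # someone else's conversation
    old = table.get(p["ip"])
    table[p["ip"]] = p["mac"]
    if old is None:
        return "learned"
    # A new MAC for a known IP is worth alerting on (failover or spoofing).
    return "unchanged" if old == p["mac"] else "mac-changed"

def demo():
    switch_ip = "10.0.10.202"       # the switch address shown in the thread
    packets = [                     # constructed sample traffic
        build_arp(1, "aa:aa:aa:00:00:50", "10.0.10.50", "10.0.10.1"),
        build_arp(2, "aa:aa:aa:00:00:60", "10.0.10.60", "10.0.10.60"),
        build_arp(1, "aa:aa:aa:00:00:50", "10.0.10.50", "10.0.10.202"),
        build_arp(2, "aa:aa:aa:00:00:99", "10.0.10.60", "10.0.10.60"),
    ]
    table = {}
    return [observe(table, switch_ip, p) for p in packets], table

if __name__ == "__main__":
    events, table = demo()
    print(events, table)
```

The first packet (a host asking for the router) never reaches the listener's table, which is why a layer 2 switch shows only a partial view of the subnet.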
 

infoMatt

IOT crap is bad about this
Not only that, but they tend to flood the network with a lot of multicast/broadcast traffic (as for example, every discovery that runs on top of mDNS, such as Chromecast and Bonjour, to name a few). Usually, multicast flows are being sent to the switch CPU for IGMP Snooping and flow control, so it can obtain an IP-MAC address tuple, i.e. an ARP entry.
 

rootpeer

Hey! I just got a 6450-24P!

I am trying to set it up and I am having a hard time. I want it to grab a DHCP IP from my router on one of the 24 ports (not the mgmt port) and manage it from there. How can I do that?
 

Scarlet

Hey! I just got a 6450-24P!

I am trying to set it up and I am having a hard time. I want it to grab a DHCP IP from my router on one of the 24 ports (not the mgmt port) and manage it from there. How can I do that?
If you have a used switch: not without using the instructions in the first post. There is no reset switch / procedure for the 6450.
 

rootpeer

If you have a used switch: not without using the instructions in the first post. There is no reset switch / procedure for the 6450.
I have serial access to the switch, as well as through the mgmt port. I just don't know how to enable the dhcp client for all or at least one interface.

I tried to enable it on 1/1/1 but it is not requesting an ip.
 

infoMatt

I have serial access to the switch, as well as through the mgmt port. I just don't know how to enable the dhcp client for all or at least one interface.

I tried to enable it on 1/1/1 but it is not requesting an ip.
You have to enable on a router interface, not on a port (unless it is a pure layer 3 interface, ie. "no switchport"), and the interface tied to your DHCP server must be an untagged member of the same VLAN that contains the router interface.

Please, start from the first message of this thread, you'll find an awesome collection of documentation and examples. Take small steps at a time, especially if it is your first time managing an enterprise-grade switch.
You have to learn the concept, and familiarise yourself with the concept of "interface", "port", "VLAN", "layer 2" and "layer 3" , after that finding the command that enables what you want will be much easier.
 

rootpeer

OK I reset the switch and got DHCP working on interface 1/1/1 but it is behaving as untagged on VLAN 1.

I cannot add a virtual interface on VLAN 1 (where 1/1/1 gets its IP from), nor can I tag the 1/1/1 port in other VLANs, making the DHCP method useless. Furthermore, I cannot tag the 1/1/1 port on VLAN 1 and as such, I cannot switch it to dual mode.

Is this a limitation of the software? Is DHCP there just for first-time set-up and you are then supposed to configure a static IP? Or am I missing something? I was hoping to have 1/1/1 plugged to my router, have it obtain a DHCP address from VLAN 1 (aka LAN) and then function as a "cisco trunk" port so I can do routing on the router instead of the switch.
 

infoMatt

I cannot add a virtual interface on VLAN 1
Please check if you have already a VE defined on this VLAN, and it should, as you said that it took an IP address.

nor can I tag the 1/1/1 port in other VLANs
Yes, but you have to enable "dual mode" on an interface to make it accept both tagged and untagged frames. It is written on the documentation that @fohdeesha made available on the first page.

Furthermore, I cannot tag the 1/1/1 port on VLAN 1 and as such, I cannot switch it to dual mode.
You can't have a VLAN as tagged and untagged at the same time. This is normal.

Issue a
Code:
conf t
int ethe 1/1/1
dual-mode
To enable other VLAN as tagged on if 1/1/1.

The "Cisco trunk" (ie. switchport trunk allowed vlan xxxx; switchport trunk native vlan yyy) can be translated in "dual mode yyy; vlan xxx; tagged int ethe z/z/z".
 

rootpeer

Please check if you have already a VE defined on this VLAN, and it should, as you said that it took an IP address.
Code:
SSH@icx645024p(config-if-e1000-1/1/1)#show int e 1/1/1
GigabitEthernet1/1/1 is up, line protocol is up
  Port up for 3 hour(s) 43 minute(s) 27 second(s)
  Hardware is GigabitEthernet, address is cc4e.2451.cc60 (bia cc4e.2451.cc60)
  Configured speed auto, actual 1Gbit, configured duplex fdx, actual fdx
  Configured mdi mode AUTO, actual MDIX
  Member of L2 VLAN ID 1, port is untagged, port state is FORWARDING
  BPDU guard is Disabled, ROOT protect is Disabled, Designated protect is Disabled
  Link Error Dampening is Disabled
  STP configured to ON, priority is level0, mac-learning is enabled
  Flow Control is config enabled, oper enabled, negotiation disabled
  Mirror disabled, Monitor disabled
  Mac-notification is disabled
  Not member of any active trunks
  Not member of any configured trunks
  No port name
  Inter-Packet Gap (IPG) is 96 bit times
  Internet address is 10.0.10.202/24, MTU 1500 bytes, encapsulation ethernet
  300 second input rate: 9632 bits/sec, 7 packets/sec, 0.00% utilization
  300 second output rate: 1504 bits/sec, 1 packets/sec, 0.00% utilization
  136542 packets input, 18555997 bytes, 0 no buffer
  Received 51299 broadcasts, 77567 multicasts, 7676 unicasts
  0 input errors, 0 CRC, 0 frame, 0 ignored
  0 runts, 0 giants
  7784 packets output, 2635763 bytes, 0 underruns               
  Transmitted 11 broadcasts, 0 multicasts, 7773 unicasts
  0 output errors, 0 collisions
  Relay Agent Information option: Disabled

Egress queues:
Queue counters    Queued packets    Dropped Packets
    0                   0                   0
    1                   0                   0
    2                   0                   0
    3                   0                   0
    4                   0                   0
    5                   0                   0
    6                   0                   0
    7                   0                   0
Code:
SSH@icx645024p(config-if-e1000-1/1/1)#show int ve 1
Error - ve 1 was not configured
Code:
SSH@icx645024p(config-vlan-1)#router-interface ve 1
error - IP routing, vrf, ip policy or route-only was configured on ports  1/1/1
Code:
SSH@icx645024p(config-vlan-200)#show vlan
Total PORT-VLAN entries: 2
Maximum PORT-VLAN entries: 64

Legend: [Stk=Stack-Id, S=Slot]

PORT-VLAN 1, Name DEFAULT-VLAN, Priority level0, Spanning tree Off
Untagged Ports: (U1/M1) 1 4 5 6 7 8 9 10 11 12 13 14
Untagged Ports: (U1/M1) 15 16 17 18 19 20 21 22 23 24
Untagged Ports: (U1/M2) 1 2 3 4
Tagged Ports: None
Uplink Ports: None
DualMode Ports: None
Mac-Vlan Ports: None
Monitoring: Disabled
PORT-VLAN 200, Name family, Priority level0, Spanning tree Off
Untagged Ports: None
Tagged Ports: (U1/M1) 2 3
Uplink Ports: None
DualMode Ports: None
Mac-Vlan Ports: None
Monitoring: Disabled
Issue a
Code:
conf t
int ethe 1/1/1
dual-mode
To enable other VLAN as tagged on if 1/1/1.
Code:
SSH@icx645024p(config-if-e1000-1/1/1)#int ethe 1/1/1
SSH@icx645024p(config-if-e1000-1/1/1)#dual-mode    
error - cannot set untagged port 1/1/1 to dual mode
Code:
SSH@icx645024p(config-if-e1000-1/1/1)#vlan 200
SSH@icx645024p(config-vlan-200)#tag e 1/1/1
error - IP routing, vrf, ip policy or route-only was configured on ports 1/1/1
It seems that the physical interface has grabbed the IP and is not letting me make changes to it. This is on a 6450 with 8030t firmware, not a 7250. AFAIK, DHCP on VEs is not allowed on 8030t.
 

infoMatt

It seems that the physical interface has grabbed the IP and is not letting me make changes to it. This is on a 6450 with 8030t firmware, not a 7250. AFAIK, DHCP on VEs is not allowed on 8030t.
Please post a "show run" output, but to me there's something strange on your configuration...

Have you issued a "route-only" on ethe 1/1/1? In case, yes, it can't be tagged or untagged, as it will work as a pure layer3 only interface, no switching operations can be done. But it may cause havoc on the relative vlan, as it shouldn't forward traffic to other clients -- I've never used it, I must be sincere with you.
But you're right, it seems that only route only ports can obtain a dhcp lease, not the virtual interfaces. But, they should be the gateway of the relative vlan/broadcast domain, so it is a reasonable assumption that they must have a static IP only.
 

fohdeesha

VEs cannot grab an address via DHCP, at least on the icx6xxx series. If you plug in an otherwise blankly configged switch to a network with a dhcp server, fastiron will grab a lease and throw it on the physical port you've plugged in. One of the first steps in my config guide in the OP of this thread is to disable dhcp-client so this doesn't happen, and it instructs you to set up a VE with a static IP so you can manage it in-band. Not sure why you'd want a dynamically assigned address for management of something as important as a core switch. Just pick an unused IP outside of your dhcp range to give the switch, and follow the config guide
 

rootpeer

VEs cannot grab an address via DHCP, at least on the icx6xxx series. If you plug in an otherwise blankly configged switch to a network with a dhcp server, fastiron will grab a lease and throw it on the physical port you've plugged in. One of the first steps in my config guide in the OP of this thread is to disable dhcp-client so this doesn't happen, and it instructs you to set up a VE with a static IP so you can manage it in-band. Not sure why you'd want a dynamically assigned address for management of something as important as a core switch. Just pick an unused IP outside of your dhcp range to give the switch, and follow the config guide
Yeah I actually followed your guides for resetting and setting up the switch, I just thought I would try with DHCP first. I am using pfSense for DHCP and DNS so I set my static DHCP mappings there and then access my stuff through their hostnames. I figured that this is not really the way to use these switches since they are L3, I just thought I would try it my usual way first. So to recap, it seems like it is working as designed and we really need to set a static IP since that was how it was supposed to be used.

Please post a "show run" output, but to me there's something strange on your configuration...

Have you issued a "route-only" on ethe 1/1/1? In case, yes, it can't be tagged or untagged, as it will work as a pure layer3 only interface, no switching operations can be done. But it may cause havoc on the relative vlan, as it shouldn't forward traffic to other clients -- I've never used it, I must be sincere with you.
But you're right, it seems that only route only ports can obtain a dhcp lease, not the virtual interfaces. But, they should be the gateway of the relative vlan/broadcast domain, so it is a reasonable assumption that they must have a static IP only.
I don't think I did, I think it does it (or something else) automatically on DHCP.

Code:
SSH@icx645024p(config-vlan-200)#show run
Current configuration:
!
ver 08.0.30tT313
!
stack unit 1
  module 1 icx6450-24p-poe-port-management-module
  module 2 icx6450-sfp-plus-4port-40g-module
!
!
!
!
vlan 1 name DEFAULT-VLAN by port
!
vlan 200 name family by port
 tagged ethe 1/1/2 to 1/1/3
!
!
!
!
!
aaa authentication web-server default local
aaa authentication enable default local
aaa authentication login default local
enable aaa console                                               
hostname icx645024p
ip dns domain-list thes
ip dns server-address 10.0.10.1
!
no telnet server
username root password .....
!
!
!
!
!
interface ethernet 1/1/1
 ip address 10.0.10.202 255.255.255.0 dynamic
!
!
!
!
!
!
!
!
!
end
 
  • Like
Reactions: fohdeesha
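
Added example, not part of any post in the thread: a small Python audit of a FastIron-style `show run` that flags the state discussed above, a DHCP lease bound to a physical port with no statically addressed VE for in-band management. `AS_POSTED` is trimmed from the output above; `STATIC_VE` is a constructed configuration, its 10.0.10.2 address is a placeholder, and the `ip dhcp-client disable` spelling is assumed from the FastIron CLI rather than shown on this page.

```python
import re

def audit_running_config(text):
    """Return finding codes for a FastIron-style running-config dump."""
    lines = [l.strip() for l in text.splitlines()]
    iface, dynamic_ports, static_ves = None, [], []
    for line in lines:
        m = re.fullmatch(r"interface (ethernet|ve) (\S+)", line)
        if m:
            iface = m.groups()
        elif line == "!":
            iface = None                      # "!" closes the stanza
        elif iface and line.startswith("ip address "):
            dynamic = line.endswith(" dynamic")
            if iface[0] == "ethernet" and dynamic:
                dynamic_ports.append(iface[1])
            elif iface[0] == "ve" and not dynamic:
                static_ves.append(iface[1])
    # A leased address on a port is what blocked tagging and ve creation above.
    findings = [f"dhcp-lease-on-port:{p}" for p in dynamic_ports]
    if not static_ves:
        findings.append("no-static-ve")
    if "ip dhcp-client disable" not in lines:
        findings.append("dhcp-client-enabled")
    if "no telnet server" not in lines:
        findings.append("telnet-enabled")
    return findings

AS_POSTED = """\
no telnet server
!
interface ethernet 1/1/1
 ip address 10.0.10.202 255.255.255.0 dynamic
!
"""

STATIC_VE = """\
ip dhcp-client disable
no telnet server
!
vlan 1 name DEFAULT-VLAN by port
 router-interface ve 1
!
interface ve 1
 ip address 10.0.10.2 255.255.255.0
!
"""

if __name__ == "__main__":
    print(audit_running_config(AS_POSTED), audit_running_config(STATIC_VE))
```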

infoMatt

I don't think I did, I think it does it (or something else) automatically on DHCP.
Yes, it's a mainly blank config. I have to apologize, I hadn't noticed the behavior that @fohdeesha said, as every time I've reconfigured the switch I've assigned a static IP to a VE. Sorry :(
I was thinking at the route-only interfaces as the only way a port could have a directly assigned IP address, but I had forgotten the dhcp client.
 

nerdalertdk

Got my lab up and running, so far it’s working great!!!

p2p link between an ER-4 and the switch so most routing is done on the switch

icx7150-48zp with two R310, it’s going to replace my edgeswitch and Ubiquiti access points


