Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)

CIR-Engineering

I am a functional adult?
Jan 14, 2021
85
30
18
48
Chicago USA
www.cir-engineering.com
Do the ears of a 6450-48P (or a -24P) allow for vertically wall mounting the switch?
Just tried and it seems nope, there's no way to make more than 1 hole line up at a time vertically:

1U 19" Vertical Wall Mount Rack Wall Mountable Server Rack w/ Hardware Black | eBay
I wanted to strap my 6450 to the wall too and your posts gave me a great idea. I always keep rack mount ears when I decommission hardware and it turned out that a pair from an old Netgear switch fit. If you have some old ears and want to wall mount one of these check your junk pile.

craigr
 

Ixian

Member
Oct 26, 2018
88
16
8
Can anyone assist me with a config?

I have an ICX6450 that I upgraded to 08.0.30tT313 (last version available I believe) and I want to isolate my POE cameras from the rest of my LAN.

My Blue Iris NVR server is on port 1/1/5 and my cameras are on 1/1/15 to 1/1/19. My pfsense firewall is on 1/1/1.

I need some help with the commands needed to:

Put the camera ports in VLAN 20.
Allow the cameras to access the NVR on port 1/1/5. That server also needs access to my lan/wan so I'm not sure if I need to have it belong to VLAN 20 as well as the default VLAN or set up inter-vlan routing.

I'd also like to figure out how to do the same for my firewall - I have several IP based IoT devices I'd like to put on VLAN 40 and have pfsense serve DHCP to them.

Can anyone help me with the commands needed? My last two attempts have resulted in my locking myself out of ssh and having to reset the switch so I'm clearly doing something wrong.
Thanks!
 

CIR-Engineering

Huge thank you to fohdeesha for all the information and help!!!

I got my 6450, and in less than four hours I had it fully licensed, configured, and mounted in my network. Your instructions are really incredible. I got one with software from 2014 and "a very old bootloader" but, you already had a procedure written up right there to deal with that as well.

What a wonderful low power switch!

I bought from this seller on eBay:

Offered $100, he countered at $130 and I took it. He shipped the next day and it was here in three. The one I got is old and looks to have been heavily used, but it does have the v2 power supply so the fans spin down properly. A little more beaten up than I would like, but I tend to be overly concerned with cosmetics.

Only thing is that the fans are worn out in it. They aren't terribly loud, but are too loud for my environment. They also are emitting that high pitched whine that others have mentioned.

craigr
 

CIR-Engineering

Question: I got two different 10G SFP+ RJ45 copper transceivers. The recommended MikroTik S+RJ10 and also an ipolex.

Both work great, but the ipolex is $21 cheaper. Is there any reason I should stick with the MikroTik over the ipolex?

Also, if possible I'd like to flash these over to Brocade. Does anyone have images for the Brocade version and a bit of instruction to get me started?

Thanks again,
craigr
 

CIR-Engineering

Thanks for the link. I figure the chances are low, but I'd like to check and see if either unit is possibly unlocked. I'm hoping the cheapy might have overlooked the write protection.

If someone knows where in the manual (or other source) I can look up the write command I could try and write one byte and see if it works. Since it's just one piece I wouldn't mind doing it +100 times... while I further procrastinate doing my taxes o_O

craigr
 

klui

Well-Known Member
Feb 3, 2019
824
453
63
> If someone knows where in the manual (or other source) I can look up the write command I could try and write one byte and see if it works.
Knowing the command is simple enough through a search within this thread. @fohdeesha's post at https://forums.servethehome.com/ind...erful-10gbe-40gbe-switching.21107/post-198322 outlines how to use the read command. In the next post he shows how to modify QSFP+es. The problem you will have is you need to get the I2C id/address of the transceiver but I don't know what that means nor how to obtain it. Maybe changing things is different for SFP+es because his write example allows him to write multiple bytes per command.
 
  • Like
Reactions: CIR-Engineering

CIR-Engineering

> Knowing the command is simple enough through a search within this thread. @fohdeesha's post at https://forums.servethehome.com/ind...erful-10gbe-40gbe-switching.21107/post-198322 outlines how to use the read command. In the next post he shows how to modify QSFP+es. The problem you will have is you need to get the I2C id/address of the transceiver but I don't know what that means nor how to obtain it. Maybe changing things is different for SFP+es because his write example allows him to write multiple bytes per command.
Thanks again. I'm only on page 28 of this thread and that was 14 pages ago so I had forgotten :oops:

I think I just need the equivalent for "i2c read 41 0 256." My 1/2/1 probably has different values I'm guessing because I don't know what device to read from or how to identify it.

craigr
 

DavidB

Member
Aug 31, 2018
60
19
8
Anyone got experience in replacing the SFP+ cages in a 6450? The one I bought is missing the retaining clips, probably because someone yanked SFP+ modules out with some force and without unlocking them.
 

LodeRunner

Active Member
Apr 27, 2019
540
227
43
Does anyone know if the ICX7650-48f is fixed as 24x 1g and 24x 1/10g or can it be licensed up to 48x 10g? Documentation leads me to believe it's the former, but I have not been able to confirm that.

Edit: The hardware install manual certainly seems to indicate that it is indeed a fixed configuration with 24 SFP and 24 SFP+, which is a shame.
 

Ixian

I've come a long way in figuring out my own questions re: Camera VLANs but would appreciate it if someone could give my config a once-over and point out if I'm doing something wrong:


Created vlan 20 and added 4 POE camera ports as untagged
Code:
SSH@tubestation(config)#vlan 20 name Cameras by port
SSH@phattubes(config-vlan-20)#untag e1/1/14 to e1/1/17
Then I added tagged ports for my APs (I have a 5th camera that is wireless and so I created a VLAN network on my APs along with a wireless network that was associated with it) and my pfsense firewall
Code:
SSH@phattubes(config-vlan-20)#tag e1/1/1 e1/1/8 e1/1/12 e1/1/13
I then enabled dual-mode 1 on the trunk interfaces so they could access the default VLAN (which is still 1 on my switch)

Then I re-configured my cameras to use 192.168.20.x net and next worked on setting up routing & ACLs.

I had already created a virtual interface for VLAN 1 and assigned it an IP from my default 192.168.86.0 subnet so I added a VI for VLAN 20:
Code:
SSH@phattubes(config-vlan-20)#router-interface ve 20
SSH@phattubes(config-vlan-20)#interface ve 20
SSH@phattubes(config-vif-20)#ip add 192.168.20.1/24
At this point routing between the two subnets/vlans worked but without ACLs devices on VLAN 20 had unrestricted access to VLAN 1 incl. my gateway and from there the WAN so time to lock things down.

My wireless camera needs to see a valid ICMP response from the gateway, otherwise it disconnects/reconnects to the network every 2 minutes, and all the cameras need NTP server access to my pfsense firewall. I also wanted to allow DHCP for now even though all my cameras have static assignments. Finally, I originally set up my NVR with a virtual interface so it could be a part of VLAN 1 and 20 however this wasn't very performant and also seemed unnecessary - Since a major point of using a layer 3 firewall like this is the speed it can route between VLANs I think the better way is to allow access to the host on its default VLAN 1 interface and allow via ACL access to the ports my ONVIF-compliant cameras need to stream.

So with routing between VLAN 1 and 20 networks in place here's the ACL I created to lock things down:

Code:
access-list 112 remark ALLOW DHCP
access-list 112 permit udp any any eq bootps
access-list 112 permit udp any any eq bootpc
access-list 112 remark ALLOW ICMP REQUESTS TO PFSENSE
access-list 112 permit icmp any host 192.168.86.1
access-list 112 remark ALLOW ESTABLISHED TCP TRAFFIC
access-list 112 permit tcp any any established
access-list 112 remark ALLOW NTP REQUESTS TO AND FROM PFSENSE
access-list 112 permit udp 192.168.86.0 0.0.0.255 host 192.168.86.1 eq ntp
access-list 112 permit udp host 192.168.86.1 eq ntp 192.168.86.0 0.0.0.255
access-list 112 remark DENY ALL OTHER ACCESS TO SWITCH AND ROUTER
access-list 112 deny ip any host 192.168.86.1 log
access-list 112 deny ip any host 192.168.20.2 log
access-list 112 remark ALLOW CAMERA/ONVIF TRAFFIC TO NVR
access-list 112 permit tcp 192.168.20.0 0.0.0.255 host 192.168.86.192 eq 80
access-list 112 permit tcp 192.168.20.0 0.0.0.255 host 192.168.86.192 eq 443
access-list 112 permit tcp 192.168.20.0 0.0.0.255 host 192.168.86.192 eq 554
access-list 112 permit tcp 192.168.20.0 0.0.0.255 host 192.168.86.192 eq 1935
access-list 112 permit tcp 192.168.20.0 0.0.0.255 host 192.168.86.192 eq 8000
access-list 112 remark DENY REMAINING TRAFFIC
access-list 112 deny ip any any log
This look correct? By applying it via interface ve 20 ip access-group 112 in the devices on VLAN 20 should only be able to do DHCP, ICMP, and NTP to my firewall, the ONVIF Camera/streaming ports for the NVR, and everything else is dropped including remaining inter-vlan traffic, right? I had explicit statements blocking my other VLAN subnets but with the catch-all deny at the end that seemed unnecessary.

Anyone spot any issues with this? Appreciate any help!
 
  • Like
Reactions: fohdeesha
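
Added example, not part of Ixian's post or the thread: a small first-match evaluator run over ACL 112 as posted, to check the intent stated above against what each line matches for traffic entering `ve 20`. The camera address 192.168.20.10 and the LAN host 192.168.86.50 used in the checks are constructed sample values, and the evaluator models only the keywords this ACL uses.

```python
import ipaddress

PORTS = {"bootps": 67, "bootpc": 68, "ntp": 123}
# ACL 112 exactly as posted (remark lines dropped). Evaluation is first match, top down.
ACL_112 = """\
permit udp any any eq bootps
permit udp any any eq bootpc
permit icmp any host 192.168.86.1
permit tcp any any established
permit udp 192.168.86.0 0.0.0.255 host 192.168.86.1 eq ntp
permit udp host 192.168.86.1 eq ntp 192.168.86.0 0.0.0.255
deny ip any host 192.168.86.1 log
deny ip any host 192.168.20.2 log
permit tcp 192.168.20.0 0.0.0.255 host 192.168.86.192 eq 80
permit tcp 192.168.20.0 0.0.0.255 host 192.168.86.192 eq 443
permit tcp 192.168.20.0 0.0.0.255 host 192.168.86.192 eq 554
permit tcp 192.168.20.0 0.0.0.255 host 192.168.86.192 eq 1935
permit tcp 192.168.20.0 0.0.0.255 host 192.168.86.192 eq 8000
deny ip any any log
"""

_ip = lambda text: int(ipaddress.ip_address(text))

def _endpoint(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD' plus an optional 'eq PORT' from tok."""
    kind = tok.pop(0)
    if kind == "any":
        net, wild = 0, 0xFFFFFFFF
    else:  # 'host A' is wildcard 0.0.0.0; otherwise the next token is the wildcard
        net, wild = (_ip(tok.pop(0)), 0) if kind == "host" else (_ip(kind), _ip(tok.pop(0)))
    port = None
    if tok[:1] == ["eq"]:
        port = PORTS.get(tok[1]) or int(tok[1])
        del tok[:2]
    return net, wild, port

def parse_rule(line):
    tok = line.split()
    action, proto = tok.pop(0), tok.pop(0)
    src, dst = _endpoint(tok), _endpoint(tok)
    return action, proto, src, dst, "established" in tok, line

def _hit(endpoint, ip, port):
    net, wild, want = endpoint
    return (_ip(ip) | wild) == (net | wild) and want in (None, port)

def evaluate(rules, proto, src, sport, dst, dport, ack_or_rst=False):
    """Verdict for one packet entering ve 20; 'established' is a stateless flag test."""
    for action, rproto, rsrc, rdst, est, line in rules:
        if (rproto in ("ip", proto) and (ack_or_rst or not est)
                and _hit(rsrc, src, sport) and _hit(rdst, dst, dport)):
            return action, line
    return "deny", "implicit deny"

RULES = [parse_rule(line) for line in ACL_112.splitlines()]
```

Run against these rules, a camera's NTP request to 192.168.86.1 lands on `deny ip any host 192.168.86.1` because both NTP permits name the 192.168.86.0 subnet rather than 192.168.20.0, and any TCP segment from VLAN 20 with ACK or RST set is passed by the `established` line before the denies are reached.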

Defenestrate

New Member
May 18, 2021
1
0
1
I'm going to ask a sacrilegious question, given the topic of this thread :cool:

When this thread was born, most of these switches had over 3 years before hitting End of Life/End of Support. At this point, it seems most of the switches mentioned have hit EOL/EOS.

I'm about to start at the beginning, and plan to build my home network on a 48 port POE switch. My question is simple, are there new switches in town with similar feature sets and used pricing that still have a few years of life in them, or are the icx switches still the target of choice?

Are most of you comfortable just continuing to run the 64xx series without additional firmware/security updates, or are you planning to migrate soon? Any suggestions on these points/other switch options to consider are appreciated. Budget is a major constraint for me, and I'm trying to stay in the $100 to $200 range for a switch.

And thanks in advance to the 276 pages worth of the shoulders of giants that I'm standing on to be able to make this post. There is an incredible amount of good information in this thread!
 

DavidRa

Infrastructure Architect
Aug 3, 2015
329
152
43
Central Coast of NSW
www.pdconsec.net
> Are most of you comfortable just continuing to run the 64xx series without additional firmware/security updates, or are you planning to migrate soon?
I don't know how representative I am, but I just purchased 6450s to replace a failing LB4m; I didn't see anything significantly better available, certainly not at the price. I have a pair for myself (one live, one spare) and I'll just keep the configs synced.

Firmware? Unless there is a significant bug (and by now we'd have found out I would hope), switch firmware isn't something I'm particularly concerned about.
 

Vesalius

Active Member
Nov 25, 2019
252
190
43
> I'm going to ask a sacrilegious question, given the topic of this thread :cool:
>
> When this thread was born, most of these switches had over 3 years before hitting End of Life/End of Support. At this point, it seems most of the switches mentioned have hit EOL/EOS.
>
> I'm about to start at the beginning, and plan to build my home network on a 48 port POE switch. My question is simple, are there new switches in town with similar feature sets and used pricing that still have a few years of life in them, or are the icx switches still the target of choice?
>
> Are most of you comfortable just continuing to run the 64xx series without additional firmware/security updates, or are you planning to migrate soon? Any suggestions on these points/other switch options to consider are appreciated. Budget is a major constraint for me, and I'm trying to stay in the $100 to $200 range for a switch.
>
> And thanks in advance to the 276 pages worth of the shoulders of giants that I'm standing on to be able to make this post. There is an incredible amount of good information in this thread!

Look at the 7*** series fohdeesha has listed for the latest firmware updates. The 7150 and 7250 are good, but slightly more expensive, alternative options to the 6*** series. Can be had from 12-48 ports, 10g and even multigig on some models.
 

Ixian

> Look at the 7*** series fohdeesha has listed for the latest firmware updates. The 7150 and 7250 are good, but slightly more expensive, alternative options to the 6*** series. Can be had from 12-48 ports, 10g and even multigig on some models.

I know eBay prices fluctuate quite a bit so deals may still be had but I rarely see the equivalent 7x series go for less than double a 6x. The 6450 is still in the $100 or even sub $100 range for non-POE models and is a great switch. Certainly the 7250 has additional features like 40gb for stacking and so on but for a lot of home lab or even small office setups the 6450 is a fantastic value.

I don't worry much about the firmware being EOL since it's been stable now for years and I don't expose mine to the edge, security-wise, in any event.
 
  • Like
Reactions: Vesalius

Vesalius

> I know eBay prices fluctuate quite a bit so deals may still be had but I rarely see the equivalent 7x series go for less than double a 6x. The 6450 is still in the $100 or even sub $100 range for non-POE models and is a great switch. Certainly the 7250 has additional features like 40gb for stacking and so on but for a lot of home lab or even small office setups the 6450 is a fantastic value.
>
> I don't worry much about the firmware being EOL since it's been stable now for years and I don't expose mine to the edge, security-wise, in any event.

Yup, was just answering in case they needed/wanted something in the latest Ruckus firmware.
 
  • Like
Reactions: Ixian

nerdalertdk

Fleet Admiral
Mar 9, 2017
228
118
43
::1
Well with the 7xxx series you can now add them to the Unleashed controller and I’m hoping they add more features down the line
 

eduncan911

The New James Dean
Jul 27, 2015
648
506
93
eduncan911.com
> Well with the 7xxx series you can now add them to the Unleashed controller and I’m hoping they add more features down the line

Yeah, but they deprecated several APs recently with that exact version that allows you to add them to the Unleashed controller.

I was like... "Come on, seriously? Not a single version overlap so we can use our Unleashed T310s and R310s with Unleashed AND the ICX7150s?!?!" Nope. And, they just recommended the 9x T310s and R310s for our campus just 60 days BEFORE that version dropped. Couldn't return any of it, nor would they exchange them.

This is why I am using Ansible for all of my switches and APs, and some routers (UniFi/EdgeMAX). Doesn't matter if it's Cisco APs with UniFi APs, with Ruckus 7150s and 7750s - I'm using the same repo to configure all the hodge-podge devices using the same base configurations (e.g. no stacking required).
 

nerdalertdk

> Yeah, but they deprecated several APs recently with that exact version that allows you to add them to the Unleashed controller.
>
> I was like... "Come on, seriously? Not a single version overlap so we can use our Unleashed T310s and R310s with Unleashed AND the ICX7150s?!?!" Nope. And, they just recommended the 9x T310s and R310s for our campus just 60 days BEFORE that version dropped. Couldn't return any of it, nor would they exchange them.
>
> This is why I am using Ansible for all of my switches and APs, and some routers (UniFi/EdgeMAX). Doesn't matter if it's Cisco APs with UniFi APs, with Ruckus 7150s and 7750s - I'm using the same repo to configure all the hodge-podge devices using the same base configurations (e.g. no stacking required).

I never got Ansible to work with my 7150.
Think it was because I used the just-released .90 version on my switch.

But yes, the AP thing sucks; “had” to upgrade my R310 to R720 so I could use it :)
 

iotapi322

Member
Sep 8, 2017
66
14
8
48
> Yeah, but they deprecated several APs recently with that exact version that allows you to add them to the Unleashed controller.
>
> I was like... "Come on, seriously? Not a single version overlap so we can use our Unleashed T310s and R310s with Unleashed AND the ICX7150s?!?!" Nope. And, they just recommended the 9x T310s and R310s for our campus just 60 days BEFORE that version dropped. Couldn't return any of it, nor would they exchange them.
>
> This is why I am using Ansible for all of my switches and APs, and some routers (UniFi/EdgeMAX). Doesn't matter if it's Cisco APs with UniFi APs, with Ruckus 7150s and 7750s - I'm using the same repo to configure all the hodge-podge devices using the same base configurations (e.g. no stacking required).

I'm a big Ansible user / fan, I would love it if you had a GitHub repo to share to configure / update the Brocade icx-6450 / icx-7750.