
Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)


pinkypie

New Member
Dec 2, 2021
20
3
3
I am planning to use the ICX6450-24P for about 12-16 IP cameras, isolated and not connected to the internet. Going to have an ethernet cable connected from a pfSense box to the switch for management only, and looking for the ICX6450 to handle all the routing with the cameras.

So I checked the config guide, fastiron-08030mb-l3guide.pdf.

Correct me if I am wrong, but the guide says IP routing is on by default. I don't believe I will need DHCP; going to use static addresses for the cameras. Therefore, I believe all I would need to do is configure VLANs and I would be good to go.

Does that sound correct? This would be my first L3 switch, never configured an L3 before. It's probably very obvious, lol.
 

klui

Well-Known Member
Feb 3, 2019
824
453
63
IP routing feature is enabled but you still need to configure everything on your VE(s) per the guide if cameras need to talk to devices outside their VLANs.
 

pinkypie

New Member
Dec 2, 2021
20
3
3
IP routing feature is enabled but you still need to configure everything on your VE(s) per the guide if cameras need to talk to devices outside their VLANs.
You are correct, I wasn't thinking of the scenario where the management VLAN would need to access both the ICX6450 and the cameras but prevent Camera VLAN from talking to the Management VLAN.

Am I on the right path?

#Create VLANs
Code:
vlan 2 name Management
untagged ethe 1/1/1
router-interface ve 2
interface ve 2
ip address 192.168.2.2/24

vlan 3 name Cameras
untagged ethe 1/1/2 to 1/1/24
router-interface ve 3
interface ve 3
ip address 192.168.3.2/24
#Block access to management VLAN
Code:
ip access-list extended "Block inbound"
deny ip any any

interface ve 2
ip access-group "Block inbound" in
 

klui

Well-Known Member
Feb 3, 2019
824
453
63
I would not waste a regular port for management when there is a dedicated management port on the switch.

Don't you want your block to be on ve 3 and not 2?
 

pinkypie

New Member
Dec 2, 2021
20
3
3
I just ordered a 6450-24P off eBay.

I was a bit confused on reading the ACL implementation. Wouldn't "deny ip any any" assigned to ve2 deny any inbound traffic to the management interface from any IPs?

From what I read, inbound ACLs on VEs apply to traffic going IN to the VE from the VLAN to which the VE is assigned.

I would not waste a regular port for management when there is a dedicated management port on the switch.
you referring to the out-of-band-management port, below the console port?

I believe the issue with using that is that it cannot access the regular network channels/ports. I still need to be able to access the Camera VLAN 3 to configure the cameras and NVR.

I think I may have figured out a better solution, just make VLAN 2 the management VLAN for security purposes. I don't think I would need ACLs. I believe no other VLANs can access the Management VLAN by definition.

vlan 2 name Management
untagged ethe 1/1/1
management-vlan
router-interface ve 2
interface ve 2
ip address 192.168.2.2/24

 

klui

Well-Known Member
Feb 3, 2019
824
453
63
I've not implemented ACLs but your original post just seems wrong. Blocking the VE basically prevents you from connecting to your switch. Look at Terry Henry's videos about that as there is precedence for ACLs. It's in the first post.

What I see is you're using the management interface to access user data and that goes against the concept of an OOB management network. Of course it's your network and you can probably get it to work.
 

pinkypie

New Member
Dec 2, 2021
20
3
3
Yep, viewed those videos prior to that post. I see what you mean by blocking the VE. I guess I could either block inbound on ve 2 or block outbound on ve 3. However, it probably makes more sense to block incoming on ve 2.

#Create VLANs
Code:
vlan 2 name Management
untagged ethe 1/1/1
router-interface ve 2
interface ve 2
ip address 192.168.2.2/24

vlan 3 name Cameras
untagged ethe 1/1/2 to 1/1/24
router-interface ve 3
interface ve 3
ip address 192.168.3.2/24
#Block access to management VLAN
Code:
ip access-list extended "Block inbound to Management"
deny ip 192.168.3.0/24 192.168.2.0/24

interface ve 2
ip access-group "Block inbound to Management" in
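As an added example (not posted by anyone in the thread and not taken from the ICX guide), here are the same two VLANs with the filter placed where klui's question points, on ve 3. On FastIron, an inbound ACL on a VE filters packets entering the switch from that VE's own VLAN, so an ACL bound inbound on ve 2 only ever sees packets sourced in VLAN 2 and can never match traffic from 192.168.3.0/24. Addresses and port ranges follow the thread; the ACL name CAM_IN is an assumption.

```text
! Two routed VLANs on an ICX6450 (router image), management on 1/1/1,
! cameras on 1/1/2 to 1/1/24. Example config, not from the thread.
vlan 2 name Management by port
 untagged ethe 1/1/1
 router-interface ve 2
!
vlan 3 name Cameras by port
 untagged ethe 1/1/2 to 1/1/24
 router-interface ve 3
!
interface ve 2
 ip address 192.168.2.2/24
!
! "in" on a VE = packets arriving from that VE's VLAN. To keep the camera
! VLAN from starting sessions toward management, filter on ve 3, not ve 2.
ip access-list extended CAM_IN
 ! TCP replies to sessions the management side opened (ACK/RST set)
 permit tcp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 established
 ! anything else from cameras toward the management subnet is dropped and logged
 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 log
 ! camera-to-camera and camera-to-NVR traffic inside VLAN 3 stays allowed
 permit ip any any
!
interface ve 3
 ip address 192.168.3.2/24
 ip access-group CAM_IN in
```

The `established` entry matches only TCP flags, so a management host that pulls RTSP over TCP gets its replies back, but if the NVR or a workstation receives UDP streams from the cameras those need explicit `permit udp` entries placed above the deny. The `log` keyword makes denied attempts show up in the switch log (FastIron rate-limits ACL log messages), which is the check to run after applying it: attempt a connection from a camera port toward 192.168.2.0/24 and confirm the log entry. The example relies on an ACL rather than on a designated management VLAN because, with routing enabled, every VE is reachable from every routed VLAN unless something filters it.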
 

Scarlet

Member
Jul 29, 2019
86
38
18
I guess I could either block inbound on ve 2 or block outbound on ve 3. However, it probably makes more sense to block incoming on ve 2.
Do you need the management VLAN to be routed at all? If not you could just remove the ve and ip address from vlan 2 and the switch would not route anything to it.

If you have only one physical link from your pfsense to the switch you could always define vlans on the pfsense box and use a tagged port to access both vlans from pfsense.
 

narapon

New Member
Mar 31, 2017
18
2
3
34
Has anyone managed to 3d-print the rack ears for the ICX7150-C12P? Would be great to have the blueprints for those.
 

pinkypie

New Member
Dec 2, 2021
20
3
3
Do you need the management VLAN to be routed at all? If not you could just remove the ve and ip address from vlan 2 and the switch would not route anything to it.
Hi Scarlet, yes I need the Management VLAN to be routed because I need to be able to configure the cameras. It is management not only for the switch but for the cameras as well. I want to keep routing off the pfSense box.
 

etnoy

New Member
Jul 16, 2021
2
0
1
Just wanted to jump in and say thanks, got my 6450-48p for €250 including shipping here in Europe. Works great, and the guide was very helpful for the initial setup.

Is there a command to shut down the switch before pulling power? Is that even needed? Didn't see that mentioned.
 

LodeRunner

Active Member
Apr 27, 2019
540
227
43
If you made config changes you want to keep, then a “write mem” before pulling power is required. Otherwise, no. Pulling power is the standard way to revert a bad config change as almost all config changes are immediately applied.
 

dswartz

Active Member
Jul 14, 2011
610
79
28
If you made config changes you want to keep, then a “write mem” before pulling power is required. Otherwise, no. Pulling power is the standard way to revert a bad config change as almost all config changes are immediately applied.
Back in the day when I had to manage cisco routers, calling the NOC and telling the night shift guy "yeah, i borked XXX, can you power cycle it? thanks bro!"
 

jasonwc

Member
Dec 31, 2018
49
18
8
Has anyone tried the XQX2502 KAIAM QSFP+40G-LR4 Lite transceivers to connect an ICX6610 with a Mellanox MCX354A-FCBT? An STH user indicated that Cisco-coded generic 40G-LR optics worked with his Mellanox card (https://forums.servethehome.com/ind...-back-using-fs-qsfp-bd-40g.22302/#post-210165). In addition, the ConnectX-3 Pro firmware release notes (2.42.5000) list Cisco 40G-BiDi optics (QSFP-40G-SR-BD) as supported. FS lists power consumption as 3.5W for their generic version of this optic.

The Kaiam card appears to just be a low power version (2.3W) that is limited to 2km versus the standard 10km. An Ebay seller with good reviews is offering these transceivers for $10 each. Thus, I was wondering if anyone gave it a shot. There are also cheap LR Lite optics from AOI.

I'm looking to do a 20M run between the switch and my server. A 20M 8 fiber MPO Type B cable is $100 from a seller in China. FS charges $166 for a MTP®-12 (Female) to MTP®-12 (Female) OM4 Multimode Elite Trunk Cable, 12 Fibers, Type B, Plenum (OFNP), Magenta. They don't offer OM3 or 8-fiber trunk cables. A 20M SMF duplex cable would cost around $15.
 

jasonwc

Member
Dec 31, 2018
49
18
8
I followed the advanced guide for the ICX6000 series to enable RSA public key authentication for SSH while disabling password authentication. While RSA key authentication worked, the switch continued to allow password authentication. However, I noticed that when logging in via Putty, the server listed "keyboard-interactive" as the authentication method when logging in via a password. So, I tried "ip ssh interactive-authentication no" (page 92 of the Security Configuration manual). This worked. If I don't select a public key for authentication, Putty now complains that there's no acceptable authentication method, and it only lists publickey. Further testing indicates that you need BOTH "ip ssh interactive-authentication no" and "ip ssh password-authentication no" to disable password authentication.

TLDR - To disable password authentication, use "ip ssh interactive-authentication no" AND "ip ssh password-authentication no"
 

fohdeesha

Kaini Industries
Nov 20, 2016
2,728
3,075
113
33
fohdeesha.com
Has anyone tried the XQX2502 KAIAM QSFP+40G-LR4 Lite transceivers to connect an ICX6610 with a Mellanox MCX354A-FCBT? An STH user indicated that Cisco-coded generic 40G-LR optics worked with his Mellanox card (https://forums.servethehome.com/ind...-back-using-fs-qsfp-bd-40g.22302/#post-210165). In addition, the ConnectX-3 Pro firmware release notes (2.42.5000) list Cisco 40G-BiDi optics (QSFP-40G-SR-BD) as supported. FS lists power consumption as 3.5W for their generic version of this optic.

The Kaiam card appears to just be a low power version (2.3W) that is limited to 2km versus the standard 10km. An Ebay seller with good reviews is offering these transceivers for $10 each. Thus, I was wondering if anyone gave it a shot. There are also cheap LR Lite optics from AOI.

I'm looking to do a 20M run between the switch and my server. A 20M 8 fiber MPO Type B cable is $100 from a seller in China. FS charges $166 for a MTP®-12 (Female) to MTP®-12 (Female) OM4 Multimode Elite Trunk Cable, 12 Fibers, Type B, Plenum (OFNP), Magenta. They don't offer OM3 or 8-fiber trunk cables. A 20M SMF duplex cable would cost around $15.
---edited, thought at first these were standard MPO LR4 modules-----

edit: just saw in another ebay listing that shows the connector side, and it's just regular old LC, so they appear to be BiDi indeed, just bought four - that is an absolute steal. will test on the juniper, dell, brocade, mellanox 40g stuff i have lying around and report back. being able to run 40gbe between stack members over regular old cheap and plentiful single pair duplex fiber would be great
 

fohdeesha

Kaini Industries
Nov 20, 2016
2,728
3,075
113
33
fohdeesha.com
I followed the advanced guide for the ICX6000 series to enable RSA public key authentication for SSH while disabling password authentication. While RSA key authentication worked, the switch continued to allow password authentication. However, I noticed that when logging in via Putty, the server listed "keyboard-interactive" as the authentication method when logging in via a password. So, I tried "ip ssh interactive-authentication no" (page 92 of the Security Configuration manual). This worked. If I don't select a public key for authentication, Putty now complains that there's no acceptable authentication method, and it only lists publickey. Further testing indicates that you need BOTH "ip ssh interactive-authentication no" and "ip ssh password-authentication no" to disable password authentication.

TLDR - To disable password authentication, use "ip ssh interactive-authentication no" AND "ip ssh password-authentication no"
Are you sure it was allowing successful logins with no keys loaded, when you had just "ip ssh password-authentication no" enabled? According to the manual this should explicitly disable any kind of password based login, it even warns that this in combination with key-authentication no will make the ssh server useless. I wonder if the password login you saw was one of the enable passwords or something? if you can confirm it lets full successful logins with the current recommendations in the guide, I'll update the guide with the extra line
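A client-side check for the question raised in the last two posts, added here as an example that is not from the thread or the guide: ask the switch's SSH server which authentication methods it offers before any credential is sent, and flag whether `password` or `keyboard-interactive` is still among them. The two transcripts in the script are constructed to resemble OpenSSH `ssh -v` output before and after the change jasonwc describes; the host 192.168.2.2 and the user `admin` are placeholders.

```shell
#!/bin/sh
# Audit which SSH authentication methods a server offers, from OpenSSH
# client debug output. Real use (no credentials are ever sent):
#   ssh -v -o PreferredAuthentications=none -o BatchMode=yes admin@192.168.2.2 2>&1 \
#     | password_auth_state
# The two transcripts below are constructed samples, not captured output.

SAMPLE_BEFORE='debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
admin@192.168.2.2: Permission denied (publickey,keyboard-interactive).'

SAMPLE_AFTER='debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
admin@192.168.2.2: Permission denied (publickey).'

# Print the methods the server announces (first announcement only),
# sorted and space-separated. Reads ssh -v output on stdin.
ssh_auth_methods() {
  awk '/^debug1: Authentications that can continue: /{print $NF; exit}' \
    | tr ',' '\n' | sort -u | tr '\n' ' ' | sed 's/ *$//'
}

# Classify the server: "disabled" when neither password nor
# keyboard-interactive is offered, "enabled" when either is,
# "unknown" when no method list was found in the input.
password_auth_state() {
  methods=$(ssh_auth_methods)
  case " $methods " in
    "  ") echo unknown ;;
    *" password "*|*" keyboard-interactive "*) echo enabled ;;
    *) echo disabled ;;
  esac
}

# Human-readable report for one transcript.
report() {
  label=$1; text=$2
  methods=$(printf '%s\n' "$text" | ssh_auth_methods)
  state=$(printf '%s\n' "$text" | password_auth_state)
  printf '%s: server offers [%s] -> password-style login %s\n' "$label" "$methods" "$state"
}

report "before (password-authentication no only)" "$SAMPLE_BEFORE"
report "after (plus interactive-authentication no)" "$SAMPLE_AFTER"
```

`PreferredAuthentications=none` makes the client offer only the "none" method, so the server answers with its full list and the session ends with "Permission denied" without a password or key ever being tried; a server on which both commands from the TLDR took effect should answer `publickey` only. Running this once before and once after the configuration change is the confirmation fohdeesha asks for, with no guesswork about which of the switch's passwords was in play.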
 

LodeRunner

Active Member
Apr 27, 2019
540
227
43
---edited, thought at first these were standard MPO LR4 modules-----

edit: just saw in another ebay listing that shows the connector side, and it's just regular old LC, so they appear to be BiDi indeed, just bought four - that is an absolute steal. will test on the juniper, dell, brocade, mellanox 40g stuff i have lying around and report back. being able to run 40gbe between stack members over regular old cheap and plentiful single pair duplex fiber would be great
Since they're 2km rated, would one need an attenuator for sub 100m runs?
 

fohdeesha

Kaini Industries
Nov 20, 2016
2,728
3,075
113
33
fohdeesha.com
Since they're 2km rated, would one need an attenuator for sub 100m runs?
nah, regular LR power is fine over short singlemode runs and is what makes up the majority of runs inside DCs etc. to top it off these are "LR lite" which isn't really a standard, but LR running at lower power, so it's limited to "only" 2km versus ~10 (they're still backwards compatible with regular LR transceivers)