Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)

[tommybackeast]

Help with setting up a new Brocade 7250-48p which is factory new in the box.

Using official Brocade supplied cable with the micro-usb plugged into switch; and Serial end attached to very old Win7 Thinkpad's serial port. Putty is running, smash the 'b' key every second, plug in power cord; and per fohdeesha's instructions am expecting to see "ICX7250-Boot" but it boots into the OS. (Note: per fohdeesha instructions, I have a CAT6 plugged into Switch Port 20 with other end going into Asus-Merlin router). Putty connection established via Serial connection.

I do believe this switch is new, old stock and never used before.

I tried 3 times; (smashing the b key within Putty) but each time it boots to OS and I never see the "ICX7250-Boot" prompt.

Question: should tftpd be running doing this -or- does one launch tftpd after seeing the "ICX7250-Boot" prompt?

Any thoughts to what I am doing wrong? (note: network noob) & thanks for reading

 

[fohdeesha]

Once it fully boots can you type stuff and have it show up? (Like try running "show version")

 

[groove]

Help with setting up a new Brocade 7250-48p which is factory new in the box.

Using official Brocade supplied cable with the micro-usb plugged into switch; and Serial end attached to very old Win7 Thinkpad's serial port. Putty is running, smash the 'b' key every second, plug in power cord; and per fohdeesha's instructions am expecting to see "ICX7250-Boot" but it boots into the OS. (Note: per fohdeesha instructions, I have a CAT6 plugged into Switch Port 20 with other end going into Asus-Merlin router). Putty connection established via Serial connection.

I do believe this switch is new, old stock and never used before.

I tried 3 times; (smashing the b key within Putty) but each time it boots to OS and I never see the "ICX7250-Boot" prompt.

Question: should tftpd be running doing this -or- does one launch tftpd after seeing the "ICX7250-Boot" prompt?

Any thoughts to what I am doing wrong? (note: network noob) & thanks for reading

what seemed to work for me was to keep the b key pressed - don’t tap it. Just press it as soon as you plug it the power cord (within a split second) and keep it pressed. That worked on a ICX-6610.

 

[tommybackeast]

Once it fully boots can you type stuff and have it show up? (Like try running "show version")

Here is screen grab showing "show version" command

Serial number has been redacted.

I did not enter any other commands without additional smart-people comments

Thank you.

PS: typing "?" gives 5 lines : enable - ping - show - stop-traceroute - traceroute

PPS: I see on your instructions the next normal step is "factory set-fault" since this is supposed to be coming from ICX7250-BOOT menu and I have "ICX7250-48P-Switch78a6" I have -NOT- done this step as I await your kind guidance. I am a big believer in "ask before doing something, not after"

 

[tommybackeast]

what seemed to work for me was to keep the b key pressed - don’t tap it. Just press it as soon as you plug it the power cord (within a split second) and keep it pressed. That worked on a ICX-6610.

white holding down the "b" key steady, did you have tftpd running ?

 

[groove]

You have to run tftpd on a different host - yes I did have it running on another vm I had running within my network.

 

[DRAGONKZ]

What model/config of a 7000 series gives the most amount of 10Gb ports and still supports PoE?

(A 7450 with 3 x 4 port 10Gb modules?)

 

[fohdeesha]

white holding down the "b" key steady, did you have tftpd running ?

it doesn't matter if you have tftpd running - the good news is since you can send the switch commands after it boots, your switch, serial cable etc are fine, so you're probably just not getting the timing right. as others have said try holding down the b key in putty, then plugging in power to the switch. It should drop into the boot menu eventually

 

[tommybackeast]

it doesn't matter if you have tftpd running - the good news is since you can send the switch commands after it boots, your switch, serial cable etc are fine, so you're probably just not getting the timing right. as others have said try holding down the b key in putty, then plugging in power to the switch. It should drop into the boot menu eventually

Most odd : using new-in-box official Brocade microUSB-to-Serial cable connected to old Thinkpad's serial port; pressing and/or holding the 'b' key failed 5 or 6 times. Even though from what you saw in 'show version' the cable is working fine; and I could type commands.

I then switched the Serial cable from the Thinkpad to an old 1U SuperMicro's serial port; and 'b' press worked instantly.

Question : in the INITIAL CONFIG & UPDATE section of your instructions you write :


Now we need to assign that virtual interface an address. Choose an IP that is unused in your subnet, and out of your DHCP server range (ping it first to be sure it's unused):

interface ve 1
ip address 192.168.1.55/24
exit
write mem
______________________________

I am confused by your statement of out of your DHCP server range. I'm sadly still a network noob and only using 192.168.1.0/24; but looking at my router I have confirmed 192.168.1.20 is not used; so can I use that IP in the above use case or must I use something like 192.0.10.0 ?

 

[tommybackeast]

You have to run tftpd on a different host - yes I did have it running on another vm I had running within my network.

very odd problem, serial cable in Thinkpad's serial port pounding/holding the 'b' key failed; switching to old SuperMicro and using its serial port 'b' key press-and-hold worked instantly.

 

[infoMatt]

I am confused by your statement of out of your DHCP server range. I'm sadly still a network noob and only using 192.168.1.0/24; but looking at my router I have confirmed 192.168.1.20 is not used; so can I use that IP in the above use case or must I use something like 192.0.10.0 ?

No, you can't use 192.0.10.0 because it's in a reserved IP range (192.0.0.0/24), and most notably, it's outside of your local network (as you said, if you're using 192.168.1.0/24, the valid addresses are in the range 192.168.1.1-192.168.1.254). The idea behind the use of a non-DHCP allocable address is to avoid duplicate IP on the network: if you choose an address in the pool, the DHCP server cannot know if something else has picked it before, and it could lease it out to a client.
Most of the times, you can see and/or edit the DHCP pool on you router config pages.

 

[tommybackeast]

No, you can't use 192.0.10.0 because it's in a reserved IP range (192.0.0.0/24), and most notably, it's outside of your local network (as you said, if you're using 192.168.1.0/24, the valid addresses are in the range 192.168.1.1-192.168.1.254). The idea behind the use of a non-DHCP allocable address is to avoid duplicate IP on the network: if you choose an address in the pool, the DHCP server cannot know if something else has picked it before, and it could lease it out to a client.
Most of the times, you can see and/or edit the DHCP pool on you router config pages.

Thank you - so if I login to my router and confirm that 192.168.1.20 is NOT used by anything on the LAN, that is an acceptable IP to use in my above use case

 

[infoMatt]

Thank you - so if I login to my router and confirm that 192.168.1.20 is NOT used by anything on the LAN, that is an acceptable IP to use in my above use case

You'll have to verify that it is not used at the moment (ie. no DHCP lease active), and it is outside of the DHCP pool

 

[fohdeesha]

the note about being outside of your DHCP scope is just best practice, since it's a temporary IP you'll just be using to update the switch it's generally enough to just attempt to ping your chosen address and make sure you don't get a response. Best practice though, you should have your DHCP server "range" setting clamped down to only part of your local subnet, like 192.168.1.50 - 192.168.1.254. That way you know you can assign any IP from 192.168.1.2 - 192.168.1.49 statically and your DHCP server will never try to hand that address out to a client

 

[magi]

What temp are you looking at? The fan ramps are based on the "Fan controlled temperature:" you see in show chassis output

For instance on one of my stacks:

Fan controlled temperature: 71.5 deg-C

Fan speed switching temperature thresholds:
                Speed 1: NM<----->84       deg-C
                Speed 2:       79<-----> 87 deg-C (shutdown)

as you can see, it's about 13 degrees from ramping up

First thank you for the guides

One question, is there a way to tune these values? Aiming to further reduce noise...

 

[fohdeesha]

nope, and even if you could you wouldn't want to. You wanna let it get even hotter than 85C before ramping up? hehe

 

[magi]

nope, and even if you could you wouldn't want to. You wanna let it get even hotter than 85C before ramping up? hehe

Ah, forgot to mention that I added the 120mm fans and the temp is well below threshold (40C). Just want to further push down on the thermal equilibrium

 

[fohdeesha]

Ah, forgot to mention that I added the 120mm fans and the temp is well below threshold (40C). Just want to further push down on the thermal equilibrium

ah, in that case with those extra fans I think it would take a house fire to get it up to the 80C+ required to hit speed 2

 

[French Chamallow]

Can you tell me if I'm going on the right road
my original language is not english but you must have noticed it ...
Actually it's my pfsense that manages all the routing.

that look like that in pfsense :
Capture


I have a nano HD AP with several different ssd and 1 vlan per ssid
I did my first vlan 2 weeks ago to explain my level!

for me all this is new and I try to read and learn.
I update my 6450, active the poe for the AP successfully all run.

Next step :
As I have an ICX-6450 with the firmware R I want to do the routing by the ICX.
if it's a bad idea for a beginner like me tell me


WAN 1000baseT <full-duplex> redacted
LAN 1000baseT <full-duplex> 192.168.0.1
VLAN50_WIFI_ENFANT 192.168.50.1
VLAN_IOT 192.168.60.1
VLAN40_STEVE 192.168.40.1
VLAN30_HELENE_AUTRE 192.168.30.1

I have my pfsense in 1/1/1 with this vlan : 30 - 40 - 50 - 60
I have a Nano HD wifi in 1/1/2 with this vlan : 30 - 40 - 50 - 60
1/1/1 is in dual mode
1/1/2 is in dual mode


From what I read it takes a dhcp server separate from the switch and my pfsense and do some ve on the switch.
---------------------------------------------------
here's what I'm thinking of doing but I'm scared to get started

1 install isc-dhcp-server on a raspberry pi 3
apt install isc-dhcp-server
nano /etc/default/isc-dhcp-server
INTERFACESv4="interface of the Pi"

nano /etc/dhcp/dhcpd.conf
option domain-name "$yourdomainhere";
option domain-name-servers 192.168.0.1 ( my pfsense )
default-lease-time 3600;
max-lease-time 7200;
authoritative;

# exemple VLAN 50 wifi enfant, VE Int 50
subnet 192.168.50.0 netmask 255.255.255.0 {
option routers 192.168.50.1;
option subnet-mask 255.255.255.0;
range 192.168.50.1 192.168.50.20;
}

# exemple VLAN40_STEVE, VE Int 40
subnet 192.168.40.0 netmask 255.255.255.0 {
option routers 192.168.40.1;
option subnet-mask 255.255.255.0;
range 192.168.40.1 192.168.40.100;


#exemple static ip
host plex {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 192.168.40.200;
option host-name "plex";
}

# exemple dhcp for transport pfsense -> ICX
subnet 192.168.0.0 netmask 255.255.255.248 {
option routers 192.168.0.1;
option subnet-mask 255.255.255.248;
range 192.168.0.1 192.168.0.7;
}



2 configure icx6450
( what I read "you almost never assign an IP directly to a physical interface in layer 3 firmware/switches"

#"add a vlan for the route to pfsense port 1/1/1"
vlan 100
untagged e 1/1/1
router-interface ve 100
exit
int ve 100
ip addr 192.168.0.2/29

#"add ve for vlan 50"
vlan 50
router-interface ve 50
exit
int ve 50
ip addr 192.168.50.1

ip helper-adress n xxx.xxx.xxx.xxx

- where n is a number starting from 1. If this is the only "helper", use 1.
- xxx.... is the IP address of the DHCP server.

3 add a route ( I do not know how to do... I see this link but I don't understand)
dont forget that pfsense will also need a route to know how to reach all the vlans, see the diagram here: https://forums.servethehome.com/ind...ware-trouble-routing-vlans.21113/#post-196527

question in pfsense /system/Routing/static route/
I see destination network
I see Gateway, find what to use ?

4 learn ACL

 

[Wolfstar]

Okay, I'm going to lay out a couple of things here that I see that are wrong with your examples. One, your dhcpd.conf examples are configuring to hand out your router IP address. You want the "range" option to be something more like, for example on VLAN50, "range 192.168.50.50 192.168.50.200". If done that way it will issue IPs only from between 50.50 and 50.200 to the VLAN 50 clients.

Second, you NEVER want to use DHCP to configure IPv4 addresses on a router or switch. Leave out your DHCP for transport section. I would simply configure 192.168.0.1 for the pfSense LAN interface, and 192.168.0.2 for the ve100 interface.

For your ICX configurations, there's some things you need to do first - specifically, you would need to remove 1/1/1 from the tagged VLANs before it will allow you to add the untagged one:

config t
interface ethe 1/1/1
no dual-mode
!
vlan 30 40 50 60
no tagged ethe 1/1/1
!
vlan 100
untagged ethe 1/1/1
!
end

Alternately, since your current setup is working, I would strongly recommend you use a different port for the new configuration - say, 1/1/3, or 1/1/48, just something else. Then configure THAT port for the new setup on VLAN 100. That will mean you can configure it, move the cable to the new port, and if it doesn't work right away you can move back.

For your routes, you want Destination Network on pfSense to be 192.168.0.0/16 (or 192.168.0.0 netmask 255.255.0.0) and Gateway to be the ve100 interface IP (192.168.0.2). On the ICX, you need to configure "ip route 0.0.0.0/0 192.168.0.1" in order for traffic to get past the switch in the first place. Remember that routing will always use the most specific (smallest IP range) route first, so even though 192.168.0.0/16 covers all of your VLANs, it will prefer the routes for /24 ranges over the larger one. This also means you need to pick a VLAN to test from and disable its interface on the pfSense before you switch over, or it will not work.