when I said page 200 I meant uhh page 205
Did @fohdeesha make public the “special things” he was going to make public? Would be a shame if we closed the thread before that ...
Maybe I'm not understanding this correctly...
Hi all,
Does anyone know how to enable 'ingress filtering' for vlan tags on a port (on an ICX 6610)?
I know this typically has to be enabled as a separate setting in Cisco switches, but not sure about FastIron.
What I'm trying to achieve is:
VLAN Aware End Point, has tagged interfaces on VLANs 25, 200, 322 and 1000.
This is connected to e 1/1/1 which is a tagged port on the 6610 for VLANs 1000 and 322. VLANs 25 and 200 are not present on this port (neither in a tagged or untagged/dual-mode fashion).
I want e 1/1/1 to drop any traffic from the end point that is tagged as VLAN 25 or 200, whilst accepting VLANs 1000 and 322.
I have this configured, other than how to tell it to discard traffic tagged for VLANs that aren't configured on the e 1/1/1 interface.
This link implies (I think) that what I'm trying to achieve happens by default:
Commscope Technical Content Portal
docs.ruckuswireless.com
I disagree though, as it's playing havoc with DHCP on VLAN 200 when the endpoint is plugged into e 1/1/1.
(The reasoning as to why is so that, in the event of failure of a different piece of equip, they can move the cable from e 1/1/1 to a different port with VLAN 200, where the end point needs to pick up the DHCP role).
Any tips?
That should happen automatically.
Well, exactly as I originally wrote basically:
I want e 1/1/1 to drop any traffic from the end point that is tagged as VLAN 25 or 200, whilst accepting VLANs 1000 and 322.
(The above could be clarified to include: "and also drop any untagged traffic, or traffic tagged with any vlan except 1000 and 322")
I get where you are coming from (i.e. that the end point isn't responding to traffic originated from somewhere within VLAN 25 or 200 because, as you say, no such traffic would egress from e 1/1/1 on the switch to the end point). That is not to say though that the end point isn't originating its own tagged traffic and sending it, resulting in ingress traffic on the e 1/1/1 interface.
In this case the end point is a firewall with NTP/DHCP/All-Other--Usual-Suspects, so I'm trying to ensure that whilst plugged in to e 1/1/1, if it tries to generate any untagged traffic or traffic on a vlan other than 1000 or 322, then that traffic will be dropped by the switch when it hits the e 1/1/1 interface. I'm thinking this is meant to be happening by default on FastIron, but it isn't.
I'm going to reboot the switch and see if it continues the same behaviour, it's just weird what it's doing at the moment.
Yep, that's about the summary of it.
So your endpoint connects to fw1 via the main port in question, but has an extra set of vlans set up as a secondary (normally inactive) uplink. Those vlans are configured on another switch port that's in a vlan with the 4g router. When you swap it, those vlans go active and your primary ones go down. Because you need two vlans on the port you can't just make both ports access ports.
I think I understand. The alternate solution (barring true ha) would be putting the 4g router on its own dedicated switch with identical vlan numbering so your endpoint device wouldn't need the extra vlans, but that's a lot of hardware to dedicate for a single failover port.
@LodeRunner I still haven't found a way to dump the NAND successfully to USB. I have only found a way to copy small amounts of data from the NAND using tftp. I can only access the unlocked bootloader which has limited capability. I'd still really like to save the TPM keys, but I haven't found a way to discover where they are located. I would appreciate any thoughts on that you might have though.
Looks like nuking the NAND and starting over all the way at the bottom with SPS8060 GA and then step upgrading has fixed it for me? I don't know if your unit was as far gone as mine, or if it worked with no issues despite the TPM failure.
This is only on the 64XX switch though right?
That happens automatically, when you tag a port in a vlan (or multiple vlans) it's going to ignore any other traffic outside that vlan including untagged (unless you use the dual-mode command)
I've never used the 7x50 series, but I have successfully cross-compiled something (strace) for the 6450. I used musl-cross-make and tried to match the kernel as closely as possible with 2.6.35. There were some issues with the kernel uapi assuming glibc that had to be patched. After booting with the telnet server enabled, I can ship over the statically compiled binary and run it. Strace had zero external dependencies while tpm-tools does not however.
Or somehow figure out how to compile the needed tpm-tools package for that specific build of BusyBox.
post the output of "show run", looks like you removed a trunk-port command from one of the stack units
I am trying to stack my two 6610s, and I have followed the docs, but I am obviously missing something. Where did I go wrong and how do I correct it?
Thank you, fohdeesha!
stack unit 1
  module 1 icx6610-48p-poe-port-management-module
  module 2 icx6610-qsfp-10-port-160g-module
  module 3 icx6610-8-port-10g-dual-mode-module
  priority 128
  stack-port 1/2/1 1/2/6
stack unit 2
  module 1 icx6610-48p-poe-port-management-module
  module 2 icx6610-qsfp-10-port-160g-module
  module 3 icx6610-8-port-10g-dual-mode-module
  stack-trunk 2/2/6 to 2/2/7
  stack-port 2/2/1 2/2/6
stack enable
stack mac 748e.f8ce.2e9c