Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)

[pokeimon]

I'm a relatively new to this and I have run up against a wall of what to do next.
I'm trying to configure the switch as layer 3 while routing outgoing traffic to OPNsense (More or less PFsense).

Port 1/2/1 which is connected to OPNsense with a Gateway created with the IP set to 10.0.2.1 and a Route set to that gateway with Network set to 10.0.10.0/24 to encompass the VLAN 10 network. OPNsense's IP is 10.0.2.2.

I did try to follow a guide though its for a CISCO router but I'm stuck.
I am currently just trying to get VLAN 10 to connect to OPNsense/Internet. Currently I created VLAN 2 to be used as the Transit VLAN and VLAN 10 to be a 'trusted' network.

Any help would be much appreciated.

For the switch I have the following config:

ICX6450-48P Router(config)#show run
Current configuration:
!
ver 08.0.30tT313
!
stack unit 1
  module 1 icx6450-48p-poe-port-management-module
  module 2 icx6450-sfp-plus-4port-40g-module
!
!
!
!
vlan 1 name DEFAULT-VLAN by port
!
vlan 2 name Transit by port
 untagged ethe 1/1/1 ethe 1/2/1
 router-interface ve 2
!
vlan 10 name Trusted by port
 untagged ethe 1/1/3
 router-interface ve 10
!
!
!
!
!
aaa authentication web-server default local
aaa authentication enable default local
aaa authentication login default local
ip dhcp-client disable
ip dhcp-server enable
!
ip dhcp-server pool pool10
 dhcp-default-router 10.0.10.1
 dns-server 1.1.1.1
 excluded-address 10.0.10.1
 excluded-address 10.0.10.2 10.0.10.99
 lease 1 0 0
 network 10.0.10.0 255.255.255.0
 deploy
!
ip route 0.0.0.0/0 10.0.2.2
!
no telnet server
username root password .....
!
!
!
!
!
interface ve 2
 ip address 10.0.2.1 255.255.255.0
!
interface ve 10
 ip address 10.0.10.1 255.255.255.0
!
!
!
!
!
!
!
!
!
end

 

[BobTB]

did you run the "ip mtu 9000" command on the ve assigned to that vlan? should work fine. if you're trying to do it just on a per port basis I believe you'll need to run the layer2 only firmware

Ok, I think I found out what is wrong. This is bad. Very bad. I am using mikrotik sfp+ ports into rj45 10gbE copper adapters ( S+RJ10 )

These do not support jumbo frames? Check the forum posts below:

S+RJ10 and Jumbo Frames - MikroTik

forum.mikrotik.com

This is the only thing that could be wrong with my setup, I tried everything to make it work, and it does not work

Anyone else using these sucesfully with jumbo frames?

 

[BobTB]

ok, there are two versions rev.1 and rev.2 of Mikrotik S+RJ10. The R2 supports jumbo, R1 does not. I don't even need to go to look on mine which rev. they are....

 

[Roelf Zomerman]

can I also run DHCP services on the ICX or only relay?
found it...

 

[Dreece]

Just thought I'd do a catch up on this thread, wow have things moved on! Some great mods going on!!

I really think this thread needs a sub forum, "Brocade/Ruckus Enthusiasts" or something.

224 pages and counting

 

[virulent]

I'm a relatively new to this and I have run up against a wall of what to do next.
I'm trying to configure the switch as layer 3 while routing outgoing traffic to OPNsense (More or less PFsense).

Port 1/2/1 which is connected to OPNsense with a Gateway created with the IP set to 10.0.2.1 and a Route set to that gateway with Network set to 10.0.10.0/24 to encompass the VLAN 10 network. OPNsense's IP is 10.0.2.2.

I did try to follow a guide though its for a CISCO router but I'm stuck.
I am currently just trying to get VLAN 10 to connect to OPNsense/Internet. Currently I created VLAN 2 to be used as the Transit VLAN and VLAN 10 to be a 'trusted' network.

Any help would be much appreciated.

For the switch I have the following config:

ICX6450-48P Router(config)#show run
Current configuration:
!
ver 08.0.30tT313
!
stack unit 1
  module 1 icx6450-48p-poe-port-management-module
  module 2 icx6450-sfp-plus-4port-40g-module
!
!
!
!
vlan 1 name DEFAULT-VLAN by port
!
vlan 2 name Transit by port
untagged ethe 1/1/1 ethe 1/2/1
router-interface ve 2
!
vlan 10 name Trusted by port
untagged ethe 1/1/3
router-interface ve 10
!
!
!
!
!
aaa authentication web-server default local
aaa authentication enable default local
aaa authentication login default local
ip dhcp-client disable
ip dhcp-server enable
!
ip dhcp-server pool pool10
dhcp-default-router 10.0.10.1
dns-server 1.1.1.1
excluded-address 10.0.10.1
excluded-address 10.0.10.2 10.0.10.99
lease 1 0 0
network 10.0.10.0 255.255.255.0
deploy
!
ip route 0.0.0.0/0 10.0.2.2
!
no telnet server
username root password .....
!
!
!
!
!
interface ve 2
ip address 10.0.2.1 255.255.255.0
!
interface ve 10
ip address 10.0.10.1 255.255.255.0
!
!
!
!
!
!
!
!
!
end

your switch config looks ok (I think?)
from a device on vlan10 (not opnsense) can you ping the switch and opnsense? 10.0.10.1 (will definitely work), 10.0.2.1 (should), 10.0.2.2 (should)

if you can ping 10.0.2.2 then you have an issue on OPNsense, so check your NAT rules that they are OK. Also check the live firewall view for any blocked packets from 10.0.10.0/24.

edit: tied to above, does it work with a device on vlan2?

 

[virulent]

can I also run DHCP services on the ICX or only relay?
found it...

you can but tread carefully and test all of your devices (specifically IOT junk) if you do that. It has some issues.

https://forums.servethehome.com/index.php?threads/brocade-icx-series-cheap-powerful-10gbe-40gbe-switching.21107/page-39#post-206144

https://forums.servethehome.com/index.php?threads/brocade-icx-series-cheap-powerful-10gbe-40gbe-switching.21107/page-10#post-198017

 

[Roelf Zomerman]

you can but tread carefully and test all of your devices (specifically IOT junk) if you do that. It has some issues.

https://forums.servethehome.com/index.php?threads/brocade-icx-series-cheap-powerful-10gbe-40gbe-switching.21107/page-39#post-206144

https://forums.servethehome.com/index.php?threads/brocade-icx-series-cheap-powerful-10gbe-40gbe-switching.21107/page-10#post-198017

so setting up DHCP server on Juniper and have it relay via the ICX is better ?

 

[Roelf Zomerman]

I see it is possible to have the ICX run as a DNS Suffix-Searcher (with multiple domain names possible), but is it also possible to configure conditional forwarding on the device?

say
* --> 1.1.1.1
domain.local --> 172.16.5.10

like a DNS-Proxy

Commscope Technical Content Portal

docs.ruckuswireless.com

 

[sfrode]

Do anyone of you know of any compatible PSUs for an ICX7250-48 (non-poe) or happen to have one laying around? Mine decided to say "poff" today

 

[infoMatt]

ip helper-address: this is your DHCP server. The IP is the native host IP in its native VLAN! This is essentially the DHCP relay.

Good writing, but just to clarify... the switch itself in this case is the DHCP Relay, the helper address points to the server that receives the packet sourcing from the VE IP address on behalf of the client asking for an address. The server can choose the right subnet/pool based of the source address (ie. the VE one).

 

[pokeimon]

your switch config looks ok (I think?)
from a device on vlan10 (not opnsense) can you ping the switch and opnsense? 10.0.10.1 (will definitely work), 10.0.2.1 (should), 10.0.2.2 (should)

if you can ping 10.0.2.2 then you have an issue on OPNsense, so check your NAT rules that they are OK. Also check the live firewall view for any blocked packets from 10.0.10.0/24.

edit: tied to above, does it work with a device on vlan2?

Thanks for the info!
It was my NAT that was incorrectly set up (or I should say forgotten to set up)

 

[koifish59]

I just received a ICX 6610!

I don't have a console cable yet. While I wait for one, if I do a factory reset, will the switch be ready to use on my network as a plug-and-play unmanaged switch?

 

[virulent]

I just received a ICX 6610!

I don't have a console cable yet. While I wait for one, if I do a factory reset, will the switch be ready to use on my network as a plug-and-play unmanaged switch?

More or less, except your switch won't have a management IP (or does it default to DHCP on the mgmt port with telnet enabled? ...no idea). It will only route VLAN 1 but will otherwise act as unmanaged. PoE (if equipped) is off by default so if needed you will need to wait for a console cable.

 

[fohdeesha]

I just received a ICX 6610!

I don't have a console cable yet. While I wait for one, if I do a factory reset, will the switch be ready to use on my network as a plug-and-play unmanaged switch?

how do you plan on factory resetting it without a console cable?

 

[klui]

how do you plan on factory resetting it without a console cable?

This never even entered my mind and I would have thought the same as @koifish59. Recessed reset buttons can almost always be used to perform a factory default. But the ICX6610 installation guide says otherwise:

Reset button​

​

The reset button allows you to restart the system without switching the power supplies off and on or using the CLI or Web Management Interface. When the reset button is pressed, the system resets and the software is reloaded. The reset button is located next to the PSU LED on both 24-port and 48-port models. ​

The de facto behavior was only added to 8.0.80 and the 6610 can't run anything newer than 8.0.30.

 

[fohdeesha]

Indeed, if there was a physical way of wiping the config I would have been able to make the guides much simpler (no console cable needed, reset to default and plug management port in, telnet to the IP it grabs via dhcp)

 

[koifish59]

how do you plan on factory resetting it without a console cable?

Oh I guess I assumed too much! I saw youtube vid saying you can physically reset a brocade switch by pressing and holding down the physical reset button, plug in the power cable, wait 10 seconds, then it should wipe everything to factory default.

One of the engineers for brocade. So this only applies to the ICX 7000 series?

 

[fohdeesha]

That's indeed 7 series only behavior. I would be able to make the 6 series guide much simpler if the config could be wiped with the press of a button instead of a serial cable

 

[nerdalertdk]

Hi all

Do any of you have the default config for the icx7250
I’m planning on getting it soon so would be nice if I could start on the config