
Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)

tubs-ffm

Member
Sep 1, 2013
88
26
18
FYI I was on the brocade site and noticed the latest firmware available for the ICX7250 is 08090d,
One point I forgot in my previous answer. "latest firmware" depends on the definition. You may have looked at the latest issued. There are several firmware paths that are being maintained in parallel: 08080, 08090, 08092, 08095. The higher number is the newer path with newer functionality. The letter at the end is the revision number per path. According to feedback in this forum, 08092 can be considered stable enough.
 

eduncan911

Active Member
Jul 27, 2015
188
91
28
eduncan911.com
To the 7450 owners... Convince me to pick up a 7450 over a 6610 or another 7250.

I have a 7250-48P that I was planning on installing. But now that I've started curating parts for my rack, I need more than 8x 10Gbps. I actually need 12x 10Gbps, leaving not much room to expand in the future if I pick up a 2nd 7250.

I've read a lot about the 7450 in this thread. It's louder than the 6610(?), more power, not as much bandwidth as the 6610 (though all I need are 10Gbps, not 40Gbps - so I think). However, I really want the higher-powered ports as one RPi hat I was thinking of designing will require more power than standard PoE+ (for high-torque robotics) - not to mention newer access points 5/10 years from now.

So, I'm on the fence...
  • Has anyone confirmed the rear 40Gbps break-out cables for the 7450 work as assignable ports (not as stackable)? I saw the data sheet list the breakout cables, but not much in this thread about assigning them ports/VLANs/etc.
  • Convince me to not just buy another 7250-24/48. I mean, it will give me 14x SFP+ (have to use two to link them). That's $500+ in switches, when I could donate my 7250 to a school and just get a single 6610 or 7450 instead. And idle of 50W sounds nice, until you realize - I have to run two, for 100W idle! Which leads me to...
  • The 6610-48P idles around 110W, which is around 2x 7250s. It also has 40Gbps ports to connect to my media/storage server. However, the 6610 doesn't have high-powered PoE ports (PoH).
So, the 7450-48P sounds like the winner due to being only a single switch, PoH, etc instead of running 2x 7250s. Plus the school I am working on would get the 7250 as a donation since I am rebuilding their network as well.

Sound is a little concern but I do plan on building a fully-enclosed rack for under the stairs.
 

eduncan911

Active Member
Jul 27, 2015
188
91
28
eduncan911.com
I ordered a Dell Force10 DAC breakout to try. If it doesn't work on my 7450 I'll send it to someone with a 6610 free to verify compatibility for future reference.
Digging up this old post from 9 months ago...

@EngineerNate Did that cable work? Also, are we able to assign individual ports on the rear module to systems? Ashamed to say I actually dug through your user history and read all of your posts since that one above. Didn't see any follow-up. ;)
 

LodeRunner

Active Member
Apr 27, 2019
126
57
28
7450 supports the 4x SFP+ modules in the back slots; I needed more ports and just bought another 4x10G module and it worked fine. As far as I have found, it does not have the commands to enable breakout and all the documentation I found for configuring 40g breakout applies to the 7750. I don't know why the breakout cable is listed unless when you use the breakout QSFP it auto-configures the breakout.

Edit:
Lack of breakout options on my 7450 might be because even with "stack disable" set it still says
Code:
stack unit 1
  module 1 icx7450-48p-poe-management-module
  module 2 icx7400-xgf-4port-40g-module
  module 3 icx7400-xgf-4port-40g-module
  module 4 icx7400-qsfp-1port-40g-module
  stack-port 1/4/1
stack disable
Guess I need to pull the config, nuke it to factory, and redo it, being sure to gut any stack setup first. Trying to remove the last stack port results in:
Code:
SSH@core(config-unit-1)#no stack-port 1/4/1
Error! cannot remove the only stack-port 1/4/1.
 

eduncan911

Active Member
Jul 27, 2015
188
91
28
eduncan911.com
7450 supports the 4x SFP+ modules in the back slots; I needed more ports and just bought another 4x10G module and it worked fine. As far as I have found, it does not have the commands to enable breakout and all the documentation I found for configuring 40g breakout applies to the 7750. I don't know why the breakout cable is listed unless when you use the breakout QSFP it auto-configures the breakout.
Yeah, those modules are cheap too on eBay ($25). That's what I would most likely do, installing two of those in the back to give me the spec'd 12x SFP+ ports.

And it leaves a good upgrade path in the future: I can add another switch and swap back in the QSFP+ module to link them.
 

LodeRunner

Active Member
Apr 27, 2019
126
57
28
I missed out on a 7750-48F or 7750-26Q for under $1k on eBay a while back, I regret it a lot. I want the 7750 as a core; 40G link to the 7450 for access and PoE, and 10G to my 7150-c12's around the house. Set up the control bridge and have the 7450 and 7150s be port extenders off the 7750.
 

eduncan911

Active Member
Jul 27, 2015
188
91
28
eduncan911.com
I missed out on a 7750-48F or 7750-26Q for under $1k on eBay a while back, I regret it a lot. I want the 7750 as a core; 40G link to the 7450 for access and PoE, and 10G to my 7150-c12's around the house. Set up the control bridge and have the 7450 and 7150s be port extenders off the 7750.
I've been eyeing these for a while. But do not have the cash/real need for them, and it needs a fan/psu.

 

TZann

New Member
Jul 9, 2019
4
0
1
I have an icx6450-24p and am trying to configure it so that some clients only have internet access but no access to the LAN. If possible I would even like to prevent these internet-only clients from communicating with each other.
I am testing this by implementing the following ACL based on information from this thread and other sites. At the moment this is for a single IP and ve 1.
Once I get this working for a single client I plan to modify this so it's more generic and assign it to a guest VLAN.

192.168.1.80 is the ve 1 ip
192.168.1.140 is the host with internet only access

Code:
ip access-list extended nolan
remark Deny access to the switch
deny tcp host 192.168.1.140 host 192.168.1.80 eq ssh log
deny tcp host 192.168.1.140 host 192.168.1.80 eq telnet log
deny tcp host 192.168.1.140 host 192.168.1.80 eq http log
deny tcp host 192.168.1.140 host 192.168.1.80 eq 443 log
remark allow dhcp
permit udp any any eq bootps
permit udp any any eq bootpc
remark allow dns requests
permit udp any any eq dns
permit tcp any any eq dns
remark allow icmp
permit icmp host 192.168.1.140 host 192.168.1.1 echo
permit tcp any any gt 1023 established
remark block inter vlan traffic for this host
deny ip host 192.168.1.140 192.168.0.0 0.0.255.255 log
remark allow everything else
permit ip any any
1. Is the above correct or am I missing something that should really be there? Also, is there another better way to implement this?
2. Even though the client (testing using my phone) could not ssh to the switch, it seems it could still "see" my network. I used a network tool and it could still list other devices in my lan.
3. While testing this I had to restart the switch. Is there a reason the above or issuing "no ip access-list extended nolan" would lock up the switch?
4. General acl question, to alter the acl rules do I need to drop it using "no ip access-list extended nolan" and re-issue all the rules?

Appreciate any help on this
 

ArmedAviator

Member
May 16, 2020
89
51
18
Ohio
@TZann ,

1. It can be shortened some by removing the switch rules at the top as these would be covered in the catchall deny ip host 192.168.1.140 192.168.0.0 0.0.255.255 log.
2. I'm not certain, but this is likely because you're still on the same L2 network (same VLAN). The ACLs are only applied at L3 so L2 traffic (MAC-to-MAC) is not filtered. Don't quote me on technical details, but I do know that all it would take is your phone to use a different manually assigned IP or broadcast address to access anything on the same VLAN, bypassing the ACL.
3. No this shouldn't ever lock up the switch. It may lock you out of the switch if it's applied to the VE and an incorrect deny rule was in the ACL which locked you out.
4. Yes, you delete the entire ACL and then re-create the ACL and all rules therein.

If you really want to restrict access to the rest of your network but not the internet, you'd be better off with a separate VLAN.

Consider this:
VLAN 99 for all wireless devices with subnet 192.168.99.0/24
Code:
ip access-list extended nolan
remark Deny access to the switch
deny tcp any host 192.168.99.80 eq ssh log
deny tcp any host 192.168.99.80 eq telnet log
deny tcp any host 192.168.99.80 eq http log
deny tcp any host 192.168.99.80 eq 443 log
remark allow intra vlan traffic
permit ip 192.168.99.0 0.0.0.255 192.168.99.0 0.0.0.255
remark allow dhcp
permit udp any any eq bootps
permit udp any any eq bootpc
remark allow dns requests
permit udp any any eq dns
permit tcp any any eq dns
permit tcp any any gt 1023 established
remark insert any allowed inter vlan traffic rules here
remark block inter vlan traffic
deny ip 192.168.99.0 0.0.0.255 192.168.0.0 0.0.255.255 log
remark allow everything else
permit ip any any
To isolate wireless devices on the same L2/SSID from each other, your wireless AP may have that feature. Unifi has that as an easy toggle switch in the wireless network settings.
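
A simplified first-match model of the VLAN 99 ACL posted above, added here as an illustration (it is not code from any poster, and it is not verified against switch hardware). The guest address 192.168.99.50 and the sample packets are constructed, and `established` is modelled as a plain flag for TCP packets that carry ACK or RST.

```python
import ipaddress

PORTS = {"ssh": 22, "telnet": 23, "http": 80, "dns": 53, "bootps": 67, "bootpc": 68}

# Rules copied from the VLAN 99 ACL above (remarks and placeholder line omitted).
ACL = """\
deny tcp any host 192.168.99.80 eq ssh log
deny tcp any host 192.168.99.80 eq telnet log
deny tcp any host 192.168.99.80 eq http log
deny tcp any host 192.168.99.80 eq 443 log
permit ip 192.168.99.0 0.0.0.255 192.168.99.0 0.0.0.255
permit udp any any eq bootps
permit udp any any eq bootpc
permit udp any any eq dns
permit tcp any any eq dns
permit tcp any any gt 1023 established
deny ip 192.168.99.0 0.0.0.255 192.168.0.0 0.0.255.255 log
permit ip any any
""".splitlines()

def _addr(tok):
    """Consume one address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]  # wildcard = hostmask

def first_match(proto, src, dst, dport=None, established=False, acl=ACL):
    """Return the first rule that matches the packet, evaluating top-down."""
    for line in acl:
        tok = line.split()
        src_net, rest = _addr(tok[2:])
        dst_net, rest = _addr(rest)
        if tok[1] not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in src_net or ipaddress.ip_address(dst) not in dst_net:
            continue
        if rest and rest[0] in ("eq", "gt"):  # operator applies to the destination port
            port = PORTS.get(rest[1]) or int(rest[1])
            if dport is None or not (dport == port if rest[0] == "eq" else dport > port):
                continue
        if "established" in rest and not established:
            continue
        return line
    return "deny ip any any (implicit)"

if __name__ == "__main__":  # constructed guest packets: SMB, then DNS, to a LAN host
    print(first_match("tcp", "192.168.99.50", "192.168.1.10", 445))
    print(first_match("udp", "192.168.99.50", "192.168.1.10", 53))
```

Because evaluation stops at the first match, the DHCP, DNS and `established` permits are reached before the inter-VLAN deny, so in this model a guest packet to UDP 53 on a 192.168.1.x host is permitted while TCP 445 to the same host is denied.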
 

tubs-ffm

Member
Sep 1, 2013
88
26
18
1. Is the above correct or am I missing something that should really be there? Also, is there another better way to implement this?
I would use a different VLAN for the clients that should not communicate with the LAN. No ACL required.
In the case of limiting access from client to client on different ports of the switch, it is easy to do by ACL. But in the case of multiple clients outside the switch, like an AP, it is better to handle it by the AP.

3. While testing this I had to restart the switch. Is there a reason the above or issuing "no ip access-list extended nolan" would lock up the switch?
When I was "playing" with ACL I never rebooted (only when I locked out myself :)).
Set the rules with "ip access-list ..." or delete the rules with "no ip access-list ...". That's it. Once it is working as expected save with "write mem".

4. General acl question, to alter the acl rules do I need to drop it using "no ip access-list extended nolan" and re-issue all the rules?
You can modify the ACL. But for me it was easiest to delete everything with "no ip access-list" and re-issue it again. I maintained a simple text file and did a copy-paste of the complete block at once. For testing and learning purposes I could keep and modify different versions in this way.
 

Harr_cami

New Member
May 10, 2020
10
0
1
Hi, Recently bought the ICX 7250-24p, however it's too noisy for my living room, and I was wondering if anyone had any solutions to the fan noise?
Already spent $700 on the switch so not scared to pay another $300 max to make it quiet/silent...

Any help greatly appreciated

PS. I bought Noctua fans and SUNON Cooling Fan KDE1204PKVX and installed them, however they don't power on or spin
 

fohdeesha

Kaini Industries
Nov 20, 2016
2,115
1,981
113
30
fohdeesha.com
Yeah, those modules are cheap too on eBay ($25). That's what I would most likely do, installing two of those in the back to give me the spec'd 12x SFP+ ports.

And it leaves a good upgrade path in the future: I can add another switch and swap back in the QSFP+ module to link them.
7450 does not support QSFP+ breakout in any configuration, the QSFP+ modules are single link 40gbE only. You'll need the 4x SFP+ modules from the start
 

tubs-ffm

Member
Sep 1, 2013
88
26
18
Hi, Recently bought the ICX 7250-24p, however it's too noisy for my living room, and I was wondering if anyone had any solutions to the fan noise?
Already spent $700 on the switch so not scared to pay another $300 max to make it quiet/silent...

Any help greatly appreciated

PS. I bought Noctua fans and SUNON Cooling Fan KDE1204PKVX and installed them, however they don't power on or spin
Don't do it! At least not with the PoE version.
I paid my lessons. My power supply exploded. See post linked below.

The reason why your fans do not turn on is because the pin layout on this switch is different from a standard PC fan connection layout. You need to switch two pins. You can find the pin layout in this thread somewhere.


ICX 7250-24P exploded.

The joy with my ICX 7250-24P suddenly came to an end when the PSU exploded yesterday. Smoke, flames and electrical "bzzzz sound" included.

To go back in time. I modified my device by replacing the fans for noise reasons. There is no heavy load on my device and I used only one PoE device. Temperatures of both sensors are fine. See record of last 24 h till crash below. The device has been running like this for 3 weeks or so. The up and down is because of changing ambient temperature during day and night. But suddenly an "explosion" and it was over.

I cannot say for sure if it is because of the modification I did or by chance. Theoretically the temperature at the sensor could be fine but not in other areas. In every case I would not recommend to anybody to do this type of modification.

Anybody who wants to exchange my broken ICX 7250-24P to a running ICX 7150-24 or ICX 7150-24P? :)


Harr_cami

New Member
May 10, 2020
10
0
1
Don't do it! At least not with the PoE version.
I paid my lessons. My power supply exploded. See post linked below.

The reason why your fans do not turn on is because the pin layout on this switch is different from a standard PC fan connection layout. You need to switch two pins. You can find the pin layout in this thread somewhere.
Thanks for your response man, and holy shit I'm scared to run this thing 24/7 now in my house hahahha, sometimes the room can get 30 to 35 degrees ambient on a hot day, I might just cut my losses and sell the unit!
 

LodeRunner

Active Member
Apr 27, 2019
126
57
28
7450 does not support QSFP+ breakout in any configuration, the QSFP+ modules are single link 40gbE only. You'll need the 4x SFP+ modules from the start
I wonder why they even list the QSFP breakout on the compatible transceiver list. I'm not saying you're wrong, it's just weird they would list that unless it's copy/paste laziness; like they grabbed the compatibility table from the 7750 and pasted it into the 7450 material.
 

LodeRunner

Active Member
Apr 27, 2019
126
57
28
Thanks for your response man, and holy shit I'm scared to run this thing 24/7 now in my house hahahha, sometimes the room can get 30 to 35 degrees ambient on a hot day, I might just cut my losses and sell the unit!
That ambient temperature shouldn't be enough to kill a 7250. Either tubs-ffm had insufficient airflow and it overheated and blew, or it had a faulty component and the failure was coincidence.

Edit: from the manual: Operating temperature: −5°C to 50°C/23°F to 122°F
 

richtj99

New Member
Jul 8, 2017
29
0
1
48
Hi - I am going to pull the trigger on a Brocade ICX 6450-48P. I see that some units say 10gb, some say 1gb. Is the hardware all the same?

Is it still possible to get a free license to unlock the 6450?

This is what I am looking at & some feedback is that it did not come with working 10gb ports.

 

RoachedCoach

New Member
Feb 4, 2020
20
21
3
Thanks for your response man, and holy shit I'm scared to run this thing 24/7 now in my house hahahha, sometimes the room can get 30 to 35 degrees ambient on a hot day, I might just cut my losses and sell the unit!
So I'm going to totally disagree and say you can do it safely. I modified a 48P and quieted it down quite a bit. It's been running for a year continuously in a poorly ventilated closet under moderate POE load with no issues. That said, I feel terrible for tubs - that is NOT something I'd want to wake up to.

Here's my fan mod post. The weird pinouts for fans are in the post that the below post quotes.


I would also add, if you feel the PSU sensor is running on the hot side, you could always side mount a fan next to PSU externally (there's vents there). Not the cleanest look in the world, but it'd be effective. I tried it for kicks and it dropped around 5 - 7 C off the PSU, but didn't stick with it since mine never climbed to a point that was anywhere close to unsafe for its tolerances.