
Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)


eduncan911

The New James Dean
Jul 27, 2015
648
510
93
eduncan911.com
I missed out on a 7750-48F or 7750-26Q for under $1k on eBay a while back, I regret it a lot. I want the 7750 as a core; 40G link to the 7450 for access and PoE, and 10G to my 7150-c12's around the house. Setup the control bridge and have the 7450 and 7150s be port extenders off the 7750.
I've been eyeing these for a while. But do not have the cash/real need for them, and it needs a fan/psu.

 

TZann

New Member
Jul 9, 2019
4
0
1
I have an icx6450-24p and am trying to configure it so that some clients only have internet access but no access to the LAN. If possible I would even like to prevent these internet-only clients from communicating with each other.
I am testing this by implementing the following ACL based on information from this thread and other sites. At the moment this is for a single IP and ve 1.
Once I get this working for a single client I plan to modify this so it's more generic and assign it to a guest VLAN.

192.168.1.80 is the ve 1 ip
192.168.1.140 is the host with internet only access

Code:
ip access-list extended nolan
remark Deny access to the switch
deny tcp host 192.168.1.140 host 192.168.1.80 eq ssh log
deny tcp host 192.168.1.140 host 192.168.1.80 eq telnet log
deny tcp host 192.168.1.140 host 192.168.1.80 eq http log
deny tcp host 192.168.1.140 host 192.168.1.80 eq 443 log
remark allow dhcp
permit udp any any eq bootps
permit udp any any eq bootpc
remark allow dns requests
permit udp any any eq dns
permit tcp any any eq dns
remark allow icmp
permit icmp host 192.168.1.140 host 192.168.1.1 echo
permit tcp any any gt 1023 established
remark block inter vlan traffic for this host
deny ip host 192.168.1.140 192.168.0.0 0.0.255.255 log
remark allow everything else
permit ip any any

1. Is the above correct or am I missing something that should really be there? Also, is there another, better way to implement this?
2. Even though the client (testing using my phone) could not ssh to the switch, it seems it could still "see" my network. I used a network tool and it could still list other devices in my lan.
3. While testing this I had to restart the switch. Is there a reason the above or issuing "no ip access-list extended nolan" would lock up the switch?
4. General acl question, to alter the acl rules do I need to drop it using "no ip access-list extended nolan" and re-issue all the rules?

Appreciate any help on this
 

ArmedAviator

Member
May 16, 2020
91
56
18
Kansas
@TZann ,

1. It can be shortened some by removing the switch rules at the top, as these would be covered by the catch-all "deny ip host 192.168.1.140 192.168.0.0 0.0.255.255 log".
2. I'm not certain, but this is likely because you're still on the same L2 network (same VLAN). The ACLs are only applied at L3 so L2 traffic (MAC-to-MAC) is not filtered. Don't quote me on technical details, but I do know that all it would take is your phone to use a different manually assigned IP or broadcast address to access anything on the same VLAN, bypassing the ACL.
3. No this shouldn't ever lock up the switch. It may lock you out of the switch if it's applied to the VE and an incorrect deny rule was in the ACL which locked you out.
4. Yes, you delete the entire ACL and then re-create the ACL and all rules therein.

If you really want to restrict access to the rest of your network but not the internet, you'd be better off with a separate VLAN.

Consider this:
VLAN 99 for all wireless devices with subnet 192.168.99.0/24
Code:
ip access-list extended nolan
remark Deny access to the switch
deny tcp any host 192.168.99.80 eq ssh log
deny tcp any host 192.168.99.80 eq telnet log
deny tcp any host 192.168.99.80 eq http log
deny tcp any host 192.168.99.80 eq 443 log
remark allow intra vlan traffic
permit ip 192.168.99.0 0.0.0.255 192.168.99.0 0.0.0.255
remark allow dhcp
permit udp any any eq bootps
permit udp any any eq bootpc
remark allow dns requests
permit udp any any eq dns
permit tcp any any eq dns
permit tcp any any gt 1023 established
****insert any allowed inter vlan traffic rules here****
remark block inter vlan traffic
deny ip 192.168.99.0 0.0.0.255 192.168.0.0 0.0.255.255 log
remark allow everything else
permit ip any any

To isolate wireless devices on the same L2/SSID from each other, your wireless AP may have that feature. Unifi has that as an easy toggle switch in the wireless network settings.
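An added example, not part of the original posts and not vendor code: a Python model of first-match ACL evaluation over the "nolan" list as TZann posted it, to check which line decides a given packet and whether dropping the four switch-management denies changes any verdict. The function names and packet fields are assumptions of this example, `established` is modelled as a flag the caller supplies, and the sample packets are constructed.

```python
import ipaddress
PORTS = {"ssh": 22, "telnet": 23, "http": 80, "dns": 53, "bootps": 67, "bootpc": 68}
# ACL "nolan" as posted in the thread (remarks omitted); helper names are this example's own.
NOLAN = """deny tcp host 192.168.1.140 host 192.168.1.80 eq ssh log
deny tcp host 192.168.1.140 host 192.168.1.80 eq telnet log
deny tcp host 192.168.1.140 host 192.168.1.80 eq http log
deny tcp host 192.168.1.140 host 192.168.1.80 eq 443 log
permit udp any any eq bootps
permit udp any any eq bootpc
permit udp any any eq dns
permit tcp any any eq dns
permit icmp host 192.168.1.140 host 192.168.1.1 echo
permit tcp any any gt 1023 established
deny ip host 192.168.1.140 192.168.0.0 0.0.255.255 log
permit ip any any"""

def ip(s):
    return int(ipaddress.IPv4Address(s))

def addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (base, wildcard) as ints."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    return (ip(tok.pop(0)), 0) if first == "host" else (ip(first), ip(tok.pop(0)))

def parse(line):
    tok = line.split()
    rule = {"text": line, "action": tok.pop(0), "proto": tok.pop(0)}
    rule["src"], rule["dst"] = addr(tok), addr(tok)
    if tok and tok[0] in ("eq", "gt"):
        rule["op"], name = tok.pop(0), tok.pop(0)
        rule["port"] = PORTS[name] if name in PORTS else int(name)
    return rule, tok  # tok now holds trailing keywords: established, echo, log

def hit(a, spec):
    return (ip(a) | spec[1]) == (spec[0] | spec[1])  # wildcard bits are "don't care"

def evaluate(acl, proto, src, dst, dport=None, established=False, icmp=None):
    """First matching line wins; anything unmatched hits the implicit deny."""
    for r, flags in map(parse, acl.splitlines()):
        port_ok = "op" not in r or (dport == r["port"] if r["op"] == "eq" else (dport or 0) > r["port"])
        flag_ok = ("established" not in flags or established) and ("echo" not in flags or icmp == "echo")
        if r["proto"] in ("ip", proto) and hit(src, r["src"]) and hit(dst, r["dst"]) and port_ok and flag_ok:
            return r["action"], r["text"]
    return "deny", "(implicit deny)"

def trimmed(acl):
    return "\n".join(acl.splitlines()[4:])  # drop the four switch-management denies
```

With the full list, a constructed SSH packet from 192.168.1.140 to 192.168.1.80 is decided by the first line; with `trimmed(NOLAN)` it is decided by the `deny ip host 192.168.1.140 192.168.0.0 0.0.255.255 log` line, so the verdict is unchanged. A UDP packet from that host to port 53 on another 192.168.x.x address matches `permit udp any any eq dns` before the deny is reached, which is worth knowing when ordering the permits.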
 

tubs-ffm

Active Member
Sep 1, 2013
198
66
28
1. Is the above correct or am I missing something that should really be there. Also is there another better way to implement this?
I would use a different VLAN for the clients that should not communicate with the LAN. No ACL required.
Limiting access from client to client on different ports of the switch is easy to do by ACL. But in the case of multiple clients outside the switch, like on an AP, it is better to handle it in the AP.

3. While testing this I had to restart the switch. Is there a reason the above or issuing "no ip access-list extended nolan" would lock up the switch?
When I was "playing" with ACL I never rebooted (only when I locked out myself :)).
Set the rules with "ip access-list ..." or delete the rules with "no ip access-list ...". That's it. Once it is working as expected, save with "write mem".

4. General acl question, to alter the acl rules do I need to drop it using "no ip access-list extended nolan" and re-issue all the rules?
You can modify the ACL. But for me it was easiest to delete all with "no ip access-list" and re-issue again. I maintained a simple text file and did a copy-paste of the complete block at once. For testing and learning purposes I could keep and modify different versions in this way.
 

Harr_cami

New Member
May 10, 2020
10
0
1
Hi, recently bought the ICX 7250-24p, however it's too noisy for my living room, and I was wondering if anyone had any solutions to the fan noise?
Already spent $700 on the switch so not scared to pay another $300 max to make it quiet/silent...

Any help greatly appreciated

PS. I bought Noctua fans and SUNON Cooling Fan KDE1204PKVX and installed them, however they don't power on or spin
 

fohdeesha

Kaini Industries
Nov 20, 2016
2,874
3,374
113
34
fohdeesha.com
Yeah, those modules are cheap too on eBay ($25). That's what I would most likely do, installing two of those in the back to give me the spec'd 12x SFP+ ports.

And it leaves a good upgrade path in the future: I can add another switch and swap back in the QSFP+ module to link them.
7450 does not support QSFP+ breakout in any configuration, the QSFP+ modules are single link 40gbE only. You'll need the 4x SFP+ modules from the start
 

tubs-ffm

Active Member
Sep 1, 2013
198
66
28
Hi, recently bought the ICX 7250-24p, however it's too noisy for my living room, and I was wondering if anyone had any solutions to the fan noise?
Already spent $700 on the switch so not scared to pay another $300 max to make it quiet/silent...

Any help greatly appreciated

PS. I bought Noctua fans and SUNON Cooling Fan KDE1204PKVX and installed them, however they don't power on or spin
Don't do it! At least not with the PoE version.
I paid my lessons. My power supply exploded. See post linked below.

The reason why your fans do not turn on is that the pin layout on this switch is different from a standard PC fan connection layout. You need to switch two pins. The pin layout you can find in this thread somewhere.


ICX 7250-24P exploded.

The joy with my ICX 7250-24P suddenly came to an end when the PSU exploded yesterday. Smoke, flames and electrical "bzzzz sound" included.

To go back in time: I modified my device by replacing the fans for noise reasons. There is no heavy load on my device and I used only one PoE device. Temperatures of both sensors are fine. See the record of the last 24 h till the crash below. The device had been running like this for 3 weeks or so. The up and down is because of changing ambient temperature during day and night. But suddenly an "explosion" and it was over.

I cannot say for sure if it is because of the modification I did or by chance. Theoretically the temperature at the sensor could be fine but not in other areas. In any case I would not recommend that anybody do this type of modification.

Anybody who wants to exchange my broken ICX 7250-24P to a running ICX 7150-24 or ICX 7150-24P? :)

View attachment 17835
View attachment 17836
 

Harr_cami

New Member
May 10, 2020
10
0
1
Don't do it! At least not with the PoE version.
I paid my lessons. My power supply exploded. See post linked below.

The reason why your fans do not turn on is that the pin layout on this switch is different from a standard PC fan connection layout. You need to switch two pins. The pin layout you can find in this thread somewhere.
Thanks for your response man, and holy shit I'm scared to run this thing 24/7 now in my house hahahha, sometimes the room can get 30 to 35 degrees ambient on a hot day, I might just cut my losses and sell the unit!
 

LodeRunner

Active Member
Apr 27, 2019
553
235
43
7450 does not support QSFP+ breakout in any configuration, the QSFP+ modules are single link 40gbE only. You'll need the 4x SFP+ modules from the start
I wonder why they even list the QSFP breakout on the compatible transceiver list. I'm not saying you're wrong, it's just weird they would list that unless it's copy/paste laziness; like they grabbed the compatibility table from the 7750 and pasted it into the 7450 material.
 

LodeRunner

Active Member
Apr 27, 2019
553
235
43
Thanks for your response man, and holy shit I'm scared to run this thing 24/7 now in my house hahahha, sometimes the room can get 30 to 35 degrees ambient on a hot day, I might just cut my losses and sell the unit!
That ambient temperature shouldn't be enough to kill a 7250. Either tubs-ffm had insufficient airflow and it overheated and blew, or it had a faulty component and the failure was coincidence.

Edit: from the manual: Operating temperature: −5°C to 50°C/23°F to 122°F
 

richtj99

Member
Jul 8, 2017
70
1
8
51
Hi - I am going to pull the trigger on a Brocade ICX 6450-48P. I see that some units say 10gb, some say 1gb. Is the hardware all the same?

Is it still possible to get a free license to unlock the 6450?

This is what I am looking at & some feedback is that it did not come with working 10gb ports.

 

RoachedCoach

Member
Feb 4, 2020
46
54
18
Thanks for your response man, and holy shit I'm scared to run this thing 24/7 now in my house hahahha, sometimes the room can get 30 to 35 degrees ambient on a hot day, I might just cut my losses and sell the unit!
So I'm going to totally disagree and say you can do it safely. I modified a 48P and quieted it down quite a bit. It's been running for a year continuously in a poorly ventilated closet under moderate POE load with no issues. That said, I feel terrible for tubs - that is NOT something I'd want to wake up to.

Here's my fan mod post. The weird pinouts for fans are in the post that the below post quotes.


I would also add, if you feel the PSU sensor is running on the hot side, you could always side mount a fan next to PSU externally (there's vents there). Not the cleanest look in the world, but it'd be effective. I tried it for kicks and it dropped around 5 - 7 C off the PSU, but didn't stick with it since mine never climbed to a point that was anywhere close to unsafe for its tolerances.
 

nivedita

Member
Dec 9, 2020
41
22
8
Thanks for your response man, and holy shit I'm scared to run this thing 24/7 now in my house hahahha, sometimes the room can get 30 to 35 degrees ambient on a hot day, I might just cut my losses and sell the unit!
The wire switch needed is to swap the tachometer and ground pins. It's rather easy: use a flat-blade screwdriver or the end of a tweezer to push the pin in, pull the wires out, and reinsert them after swapping.

I found that the Delta FFB0412VHN (40x28, 15.8CFM, 9500RPM, 45 dBA) is a reasonable swap. They are loud at boot, but after switching to fan speed 1, they run at 3400RPM and aren't audible at that speed unless you listen for them. On my 7250-48P, ASIC temperature is currently about 77C and the POE sensor is only at 28.5C. The FFBs also have an operating voltage range down to 4.5V, while the EFBs are only specced to a 7V minimum voltage.

Btw, does anyone know what the temperature thresholds for the 7250P model POE sensor are supposed to be? My unit says 41/34, but the Ruckus docs say that's for the 7250-24P, and the -48P is supposed to be 57/49 -- is that a typo in their table?

CFM requirements from data sheet:
ICX 7250-24G: 14.3 CFM (Maximum), 5.7 CFM (Typical)
ICX 7250-24: 14.0 CFM (Maximum), 5.7 CFM (Typical)
ICX 7250-24P: 34.4 CFM (Maximum), 13.7 CFM (Typical)
ICX 7250-48: 34.8 CFM (Maximum), 13.8 CFM (Typical)
ICX 7250-48P: 45.2 CFM (Maximum), 21.4 CFM (Typical)
 

nivedita

Member
Dec 9, 2020
41
22
8
So I'm going to totally disagree and say you can do it safely. I modified a 48P and quieted it down quite a bit. It's been running for a year continuously in a poorly ventilated closet under moderate POE load with no issues. That said, I feel terrible for tubs - that is NOT something I'd want to wake up to.

Here's my fan mod post. The weird pinouts for fans are in the post that the below post quotes.


I would also add, if you feel the PSU sensor is running on the hot side, you could always side mount a fan next to PSU externally (there's vents there). Not the cleanest look in the world, but it'd be effective. I tried it for kicks and it dropped around 5 - 7 C off the PSU, but didn't stick with it since mine never climbed to a point that was anywhere close to unsafe for its tolerances.
That mechatronics fan has better specs than the Delta I suggested: lower noise and slightly higher CFM.
 

klui

༺༻
Feb 3, 2019
970
552
93
Don't do it! At least not with the PoE version.
I paid my lessons. My power supply exploded. See post linked below.

The reason why your fans do not turn on is that the pin layout on this switch is different from a standard PC fan connection layout. You need to switch two pins. The pin layout you can find in this thread somewhere.
Although anecdotal advice, I ran into the same thing a long time ago with an Extreme Summit 400-48T. It lasted roughly a year and it started to reboot continuously every 5 minutes or so. Opened it up and the caps were bulging. Used some Noctuas--never again for me on a data switch. I also did it on a Digi terminal server but no issues with it for over 5 years.
 

shremi

New Member
Jun 29, 2020
8
0
1
Hey guys, I am a noob when it comes to switches and I am still learning. Maybe it's very stupid, but can someone help me with setting up some basic ACL:

Here is the setup
Russound Amp vlan 40 with an ip of 10.0.40.40
Home Assistant with 10.0.0.40 on the main Vlan
Pfsense router with 10.0.0.1 on the main Vlan
Computer to test with 10.0.0.23 on the main vlan

The goal is for the Russound amp 10.0.40.40 to only talk to the specific devices and to the pfSense for DHCP and DNS. The issue is that the Russound loses connectivity after a while, and people on the HA forums have managed to fix the issue by creating an ACL and letting the amp only talk to specific clients and pfSense.

I have created the ACL (standard, don't know if that matters) and assigned it to the port of the amp

Code:
access-list 1 permit host 10.0.0.1
access-list 1 permit host 10.0.0.40
access-list 1 permit host 10.0.0.23

Assigned the ACL to the port in the IN direction (I know it has a VLAN but it is running dual mode)

I can't ping the amp from my test computer

Main goal is to make 10.0.40.40 talk only to the clients I specify on the main LAN

PS: Stay tuned for a dual 120mm fan mod
 

Nikotine

Member
Mar 17, 2021
35
0
6
I'm sorry if this has been answered already, this thread is huge.
I just received my ICX 6450-48P and it didn't come with a console cable.
Is the console port just an RS-232 interface (Tx, Rx and GND)? Because I have in my box an RS-232 to usb interface.
If yes, which pins of an RJ45 do what?