
Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)

ncarlson42


fohdeesha

Can you go from a 6610 to a 6610 breakout to breakout and get 4x10gb?

Will any QSFP cable work or do you need one specifically for 4x10gb?

Thank you again for all the help!

all 4 QSFP ports on the rear are stacking ports - going from the 4x 10gbe breakout qsfp to another icx6610 4x 10gbe qsfp breakout port is how they're designed to be stacked from the factory (using all 4 ports)

you don't need a special type of qsfp cable, 4x 10gbE QSFP+ and 40gbE QSFP+ are identical electrically
 
Do the ears of a 6450-48P (or a -24P) allow for vertically wall mounting the switch?
Just tried and it seems nope, there's no way to make more than 1 hole line up at a time vertically:

1U 19" Vertical Wall Mount Rack Wall Mountable Server Rack w/ Hardware Black | eBay
I wanted to strap my 6450 to the wall too and your posts gave me a great idea. I always keep rack mount ears when I decommission hardware and it turned out that a pair from an old Netgear switch fit. If you have some old ears and want to wall mount one of these check your junk pile.

craigr
 

Ixian

Can anyone assist me with a config?

I have an ICX6450 that I upgraded to 08.0.30tT313 (last version available I believe) and I want to isolate my POE cameras from the rest of my LAN.

My Blue Iris NVR server is on port 1/1/5 and my cameras are on 1/1/15 to 1/1/19. My pfsense firewall is on 1/1/1

I need some help with the commands needed to:

Put the camera ports in VLAN 20.
Allow the cameras to access the NVR on port 1/1/5. That server also needs access to my lan/wan so I'm not sure if I need to have it belong to VLAN 20 as well as the default VLAN or set up inter-vlan routing.

I'd also like to figure out how to do the same for my firewall - I have several IP based IoT devices I'd like to put on VLAN 40 and have pfsense serve DHCP to them.

Can anyone help me with the commands needed? My last two attempts have resulted in my locking myself out of ssh and having to reset the switch so I'm clearly doing something wrong.
Thanks!
 
Huge thank you to fohdeesha for all the information and help!!!

I got my 6450, and in less than four hours I had it fully licensed, configured, and mounted in my network. Your instructions are really incredible. I got one with software from 2014 and "a very old bootloader" but, you already had a procedure written up right there to deal with that as well.

What a wonderful low power switch!

I bought from this seller on eBay:

Offered $100, he countered at $130 and I took it. He shipped the next day and it was here in three. The one I got is old and looks to have been heavily used, but it does have the v2 power supply so the fans spin down properly. A little more beaten up than I would like, but I tend to be overly concerned with cosmetics.

Only thing is that the fans are worn out in it. They aren't terribly loud, but are too loud for my environment. They also are emitting that high pitched whine that others have mentioned.

craigr
 
Question: I got two different 10G SFP+ RJ45 copper transceivers. The recommended MikroTik S+RJ10 and also an ipolex.

Both work great, but the ipolex is $21 cheaper. Is there any reason I should stick with the MikroTik over the ipolex?

Also, if possible I'd like to flash these over to Brocade. Does anyone have images for the Brocade version and a bit of instruction to get me started?

Thanks again,
craigr
 
Thanks for the link. I figure the chances are low, but I'd like to check and see if either unit is possibly unlocked. I'm hoping the cheapy might have overlooked the write protection.

If someone knows where in the manual (or other source) I can look up the write command I could try and write one byte and see if it works. Since it's just one piece I wouldn't mind doing it +100 times... while I further procrastinate doing my taxes o_O

craigr
 

klui

If someone knows where in the manual (or other source) I can look up the write command I could try and write one byte and see if it works.
Knowing the command is simple enough through a search within this thread. @fohdeesha's post at https://forums.servethehome.com/ind...erful-10gbe-40gbe-switching.21107/post-198322 outlines how to use the read command. In the next post he shows how to modify QSFP+es. The problem you will have is you need to get the I2C id/address of the transceiver but I don't know what that means nor how to obtain it. Maybe changing things is different for SFP+es because his write example allows him to write multiple bytes per command.
 
Knowing the command is simple enough through a search within this thread. @fohdeesha's post at https://forums.servethehome.com/ind...erful-10gbe-40gbe-switching.21107/post-198322 outlines how to use the read command. In the next post he shows how to modify QSFP+es. The problem you will have is you need to get the I2C id/address of the transceiver but I don't know what that means nor how to obtain it. Maybe changing things is different for SFP+es because his write example allows him to write multiple bytes per command.
Thanks again. I'm only on page 28 of this thread and that was 14 pages ago so I had forgotten :oops:

I think I just need the equivalent for "i2c read 41 0 256." My 1/2/1 probably has different values I'm guessing because I don't know what device to read from or how to identify it.

craigr
 

DavidB

anyone got experience in replacing the SFP+ cages in a 6450? The one I bought is missing the retaining clips, probably because someone yanked SFP+ modules out with some force and without unlocking them.
 

LodeRunner

Does anyone know if the ICX7650-48f is fixed as 24x 1g and 24x 1/10g or can it be licensed up to 48x 10g? Documentation leads me to believe it's the former, but I have not been able to confirm that.

Edit: The hardware install manual certainly seems to indicate that it is indeed a fixed configuration with 24 SFP and 24 SFP+, which is a shame.
 

Ixian

I've come a long way in figuring out my own questions re: Camera VLANs but would appreciate it if someone could give my config a once-over and point out if I'm doing something wrong:


Created vlan 20 and added 4 POE camera ports as untagged
Code:
SSH@tubestation(config)#vlan 20 name Cameras by port
SSH@phattubes(config-vlan-20)#untag e1/1/14 to e1/1/17

Then I added tagged ports for my APs (I have a 5th camera that is wireless and so I created a VLAN network on my APs along with a wireless network that was associated with it) and my pfsense firewall
Code:
SSH@phattubes(config-vlan-20)#tag e1/1/1 e1/1/8 e1/1/12 e1/1/13

I then enabled dual-mode 1 on the trunk interfaces so they could access the default VLAN (which is still 1 on my switch)

Then I re-configured my cameras to use 192.168.20.x net and next worked on setting up routing & ACLs.

I had already created a virtual interface for VLAN 1 and assigned it an IP from my default 192.168.86.0 subnet so I added a VI for VLAN 20:
Code:
SSH@phattubes(config-vlan-20)#router-interface ve 20
SSH@phattubes(config-vlan-20)#interface ve 20
SSH@phattubes(config-vif-20)#ip add 192.168.20.1/24

At this point routing between the two subnets/vlans worked but without ACLs devices on VLAN 20 had unrestricted access to VLAN 1 incl. my gateway and from there the WAN so time to lock things down.

My wireless camera needs to see a valid ICMP response from the gateway, otherwise it disconnects/reconnects to the network every 2 minutes, and all the cameras need NTP server access to my pfsense firewall. I also wanted to allow DHCP for now even though all my cameras have static assignments. Finally, I originally set up my NVR with a virtual interface so it could be a part of VLAN 1 and 20 however this wasn't very performant and also seemed unnecessary - Since a major point of using a layer 3 firewall like this is the speed it can route between VLANs I think the better way is to allow access to the host on its default VLAN 1 interface and allow via ACL access to the ports my ONVIF-compliant cameras need to stream.

So with routing between VLAN 1 and 20 networks in place here's the ACL I created to lock things down:

Code:
access-list 112 remark ALLOW DHCP
access-list 112 permit udp any any eq bootps
access-list 112 permit udp any any eq bootpc
access-list 112 remark ALLOW ICMP REQUESTS TO PFSENSE
access-list 112 permit icmp any host 192.168.86.1
access-list 112 remark ALLOW ESTABLISHED TCP TRAFFIC
access-list 112 permit tcp any any established
access-list 112 remark ALLOW NTP REQUESTS TO AND FROM PFSENSE
access-list 112 permit udp 192.168.86.0 0.0.0.255 host 192.168.86.1 eq ntp
access-list 112 permit udp host 192.168.86.1 eq ntp 192.168.86.0 0.0.0.255
access-list 112 remark DENY ALL OTHER ACCESS TO SWITCH AND ROUTER
access-list 112 deny ip any host 192.168.86.1 log
access-list 112 deny ip any host 192.168.20.2 log
access-list 112 remark ALLOW CAMERA/ONVIF TRAFFIC TO NVR
access-list 112 permit tcp 192.168.20.0 0.0.0.255 host 192.168.86.192 eq 80
access-list 112 permit tcp 192.168.20.0 0.0.0.255 host 192.168.86.192 eq 443
access-list 112 permit tcp 192.168.20.0 0.0.0.255 host 192.168.86.192 eq 554
access-list 112 permit tcp 192.168.20.0 0.0.0.255 host 192.168.86.192 eq 1935
access-list 112 permit tcp 192.168.20.0 0.0.0.255 host 192.168.86.192 eq 8000
access-list 112 remark DENY REMAINING TRAFFIC
access-list 112 deny ip any any log

This look correct? By applying it via interface ve 20 ip access-group 112 in the devices on VLAN 20 should only be able to do DHCP, ICMP, and NTP to my firewall, the ONVIF Camera/streaming ports for the NVR, and everything else is dropped including remaining inter-vlan traffic, right? I had explicit statements blocking my other VLAN subnets but with the catch-all deny at the end that seemed unnecessary.

Anyone spot any issues with this? Appreciate any help!
 
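A first-match walk of ACL 112 as posted above, written as an added example that is not part of the original post or of any Brocade tooling. It is a simplified model (contiguous wildcard masks only, `established` treated as "ACK set"), and the camera address 192.168.20.10 and all test packets are constructed.

```python
import ipaddress

NAMED_PORTS = {"bootps": 67, "bootpc": 68, "ntp": 123}
# ACL 112 as posted; remark lines and the "access-list 112" prefix are dropped.
ACL_112 = """\
permit udp any any eq bootps
permit udp any any eq bootpc
permit icmp any host 192.168.86.1
permit tcp any any established
permit udp 192.168.86.0 0.0.0.255 host 192.168.86.1 eq ntp
permit udp host 192.168.86.1 eq ntp 192.168.86.0 0.0.0.255
deny ip any host 192.168.86.1 log
deny ip any host 192.168.20.2 log
permit tcp 192.168.20.0 0.0.0.255 host 192.168.86.192 eq 80
permit tcp 192.168.20.0 0.0.0.255 host 192.168.86.192 eq 443
permit tcp 192.168.20.0 0.0.0.255 host 192.168.86.192 eq 554
permit tcp 192.168.20.0 0.0.0.255 host 192.168.86.192 eq 1935
permit tcp 192.168.20.0 0.0.0.255 host 192.168.86.192 eq 8000
deny ip any any log
"""

def _endpoint(tok):  # 'any' | 'host A' | 'A WILDCARD', then optional 'eq PORT'
    first = tok.pop(0)
    if first == "any":
        net = "0.0.0.0/0"
    else:  # ipaddress reads a mask starting with 0 (0.0.0.255) as a host mask
        net = f"{tok.pop(0)}/32" if first == "host" else f"{first}/{tok.pop(0)}"
    port = None
    if tok[:1] == ["eq"]:
        port = NAMED_PORTS[tok[1]] if tok[1] in NAMED_PORTS else int(tok[1])
        del tok[:2]
    return ipaddress.ip_network(net), port

def parse(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = _endpoint(tok), _endpoint(tok)
        rules.append((line, action, proto, src, dst, "established" in tok))
    return rules

def evaluate(proto, src, dst, sport=None, dport=None, ack=False):
    """Return (action, entry) for the first matching entry (first-match semantics)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line, action, rproto, (snet, sp), (dnet, dp), est in parse(ACL_112):
        if (rproto in ("ip", proto) and s in snet and d in dnet
                and sp in (None, sport) and dp in (None, dport) and (ack or not est)):
            return action, line
    return "deny", "(implicit deny)"
```

In this model, `evaluate("udp", "192.168.20.10", "192.168.86.1", 123, 123)` returns the `deny ip any host 192.168.86.1 log` entry, because both NTP permits name 192.168.86.0/24 rather than 192.168.20.0/24 as the client side.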

Defenestrate

I'm going to ask a sacrilegious question, given the topic of this thread :cool:

When this thread was born, most of these switches had over 3 years before hitting End of Life/End of Support. At this point, it seems most of the switches mentioned have hit EOL/EOS.

I'm about to start at the beginning, and plan to build my home network on a 48 port POE switch. My question is simple, are there new switches in town with similar feature sets and used pricing that still have a few years of life in them, or are the icx switches still the target of choice?

Are most of you comfortable just continuing to run the 64xx series without additional firmware/security updates, or are you planning to migrate soon? Any suggestions on these points/other switch options to consider are appreciated. Budget is a major constraint for me, and I'm trying to stay in the $100 to $200 range for a switch.

And thanks in advance to the 276 pages worth of the shoulders of giants that I'm standing on to be able to make this post. There is an incredible amount of good information in this thread!
 

DavidRa

Are most of you comfortable just continuing to run the 64xx series without additional firmware/security updates, or are you planning to migrate soon?
I don't know how representative I am, but I just purchased 6450s to replace a failing LB4m; I didn't see anything significantly better available, certainly not at the price. I have a pair for myself (one live, one spare) and I'll just keep the configs synced.

Firmware? Unless there is a significant bug (and by now we'd have found out I would hope), switch firmware isn't something I'm particularly concerned about.
 

Vesalius

I'm going to ask a sacrilegious question, given the topic of this thread :cool:

When this thread was born, most of these switches had over 3 years before hitting End of Life/End of Support. At this point, it seems most of the switches mentioned have hit EOL/EOS.

I'm about to start at the beginning, and plan to build my home network on a 48 port POE switch. My question is simple, are there new switches in town with similar feature sets and used pricing that still have a few years of life in them, or are the icx switches still the target of choice?

Are most of you comfortable just continuing to run the 64xx series without additional firmware/security updates, or are you planning to migrate soon? Any suggestions on these points/other switch options to consider are appreciated. Budget is a major constraint for me, and I'm trying to stay in the $100 to $200 range for a switch.

And thanks in advance to the 276 pages worth of the shoulders of giants that I'm standing on to be able to make this post. There is an incredible amount of good information in this thread!
Look at the 7*** series fohdeesha has listed for the latest firmware updates. The 7150 and 7250 are good, but slightly more expensive, alternative options to the 6*** series. Can be had from 12-48 ports, 10g and even multigig on some models.
 

Ixian

Look at the 7*** series fohdeesha has listed for the latest firmware updates. The 7150 and 7250 are good, but slightly more expensive, alternative options to the 6*** series. Can be had from 12-48 ports, 10g and even multigig on some models.
I know eBay prices fluctuate quite a bit so deals may still be had but I rarely see the equivalent 7x series go for less than double a 6x. The 6450 is still in the $100 or even sub $100 range for non-POE models and is a great switch. Certainly the 7250 has additional features like 40gb for stacking and so on but for a lot of home lab or even small office setups the 6450 is a fantastic value.

I don't worry much about the firmware being EOL since it's been stable now for years and I don't expose mine to the edge, security-wise, in any event.
 

Vesalius

I know eBay prices fluctuate quite a bit so deals may still be had but I rarely see the equivalent 7x series go for less than double a 6x. The 6450 is still in the $100 or even sub $100 range for non-POE models and is a great switch. Certainly the 7250 has additional features like 40gb for stacking and so on but for a lot of home lab or even small office setups the 6450 is a fantastic value.

I don't worry much about the firmware being EOL since it's been stable now for years and I don't expose mine to the edge, security-wise, in any event.
Yup, was just answering in case they needed/wanted something in the latest ruckus firmware.
 