Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)

tinfoil3d

QSFP28
May 11, 2020
Japan
The Larger screws are 8/32 UNC and the Smaller screws are 6/32 UNC.

Check out - MS24693 MACHINE SCREWS (AN507) from some suppliers.

You will need 1/4" long countersunk, if you are using the standard brackets.
Thanks a lot, I did try standard 6/32 screws from pc cases but because their head is flat I can't rely on them to hold it tight, might collapse. MS24693 is apparently 8-32 thread which I already have, only fit rear. Do you know the front p/n?
 

RedX1

Active Member
Aug 11, 2017
Thanks a lot, I did try standard 6/32 screws from pc cases but because their head is flat I can't rely on them to hold it tight, might collapse. MS24693 is apparently 8-32 thread which I already have, only fit rear. Do you know the front p/n?

Hi

MS24693 MACHINE SCREWS (AN507) is the generic screw type.

You will need to specify the Size and Length. They are 100 Deg Countersunk Angle. Some commercial styles have 90 Deg CS angles.

Both will work for your application.


Cad Plated   MS24693-S24   6-32   1/4   $0.05
Cad Plated   MS24693-S46   8-32   1/4   $0.06

These are from this supplier in the USA

MS24693 MACHINE SCREWS (AN507) | Aircraft Spruce


If you are in Europe.

MS24693 UNC/UNF Countersunk LAS Aerospace Ltd


Or you might try eBay.


Best of luck.


REdX1
 

ccie4526

Member
Jan 25, 2021
maybe a simpler question:

I use a VPN for work and have to connect using Cisco Anyconnect from as many as 3 computers at a time. Problem is that while anyconnect is up, I can't get to my private email, printers, smb shares, etc. It blocks all of them.

Is there a way using the facilities of the ICX 6610 that I can bring up an Anyconnect VPN from the switch? Maybe a dumb question but I am a sales person and I amaze myself that I got this far. I remember a while back Anyconnect allowed you to specify the TLD that was routed out that VPN but that's been gone for a while.

Thanks
You're experiencing that problem because your company has disallowed split-tunneling for its VPN connections. I've not used Cisco's AnyConnect for a long time and it was possible to override that in the past probably due to no formal setting.
A little off topic from this thread, but @klui is correct. AnyConnect policies are defined by your corporate IT department, and you won't be able to change that locally. You *might* be able to talk your IT department into allowing access to a local printer, but access to your private email or local SMB shares is considered a security hole, and will likely be disallowed.
 

Drewy

Active Member
Apr 23, 2016
This is kind of the point of corporate VPN access. Your employer doesn’t want your network connected to theirs.
I get around the printer problem by having my printer Ethernet connection on my network, for my stuff and the usb connection connected to my work laptop.
Back in the day when we were allowed to connect our own devices to work via vpn, I got my first and worst virus from work. So the current norm is safer both ways.
 

liquidated

New Member
Feb 19, 2021
I've just purchased three 6610's that I'll be adding into a rack and a single 7250 for a closet on the other side of the house. I have four cat6 cables going from the rack to the closet (about 15 - 20 meters.) My plan was to ring stack the 6610's using QSFP cables on the back stacking ports, then trunk to the 7250 using the cat6 cables. Does this make sense? Is there a way to include the 7250 into the stack with the 6610's without running any additional cables? Is there something else I should consider without having to run more cable?
 

LodeRunner

Active Member
Apr 27, 2019
Trunking is your only option. You can't stack switches across families, only within them (so you can stack different versions of the 6610).
 

Cncjerry

New Member
Oct 16, 2021
Thanks for the hopeless replies. I thought at one time there was a way using Cisco's Anyconnect to only route to XYXCorp.com's domain and everything else stayed on the local lan. But once I fire up Anyconnect, everything goes to the VPN including all my owncloud syncs, dropbox, printers, fileservers, etc. I see the point though. I was hoping there would be a way to hang a laptop on the network and bridge its lan to the vpn and then in the switch, route that domain to the laptop, or something like that...

Thanks again,

Jerry
 

phekno

New Member
Oct 24, 2021
Registered here after reading the OP. Just took delivery of an ICX6610. I've loved getting it set up and learning on it so far. Now I'm debating using L3 on it, or sticking with a router-on-a-stick topology with OPNSense for my home.

Thanks for everything!
 

Blue)(Fusion

Active Member
Mar 1, 2017
Chicago
Registered here after reading the OP. Just took delivery of an ICX6610. I've loved getting it set up and learning on it so far. Now I'm debating using L3 on it, or sticking with a router-on-a-stick topology with OPNSense for my home.

Thanks for everything!
Don't do router-on-a-stick.
 

Cncjerry

New Member
Oct 16, 2021
quick question on the 6610:

Do the rear ports when fanned out (1/2/2 to 1/2/5) need to be configured as individual ports? I plugged an MTP fan out cable in with a QSFP and the ports are working yet the switch shows 1/2/2 as up and 1/2/3 to 1/2/5 as down. I have the 2nd port of a dual port card plugged into 1/2/3 and it is replying to pings yet the switch shows it as down and state as blocking as below. I tried to config enable it without luck.

Thanks

Code:
SSH@ioburger#show interface e 1/2/3
  10GigabitEthernet 1/2/3 is down, line protocol is down
  Port down for 1 hour(s) 47 minute(s) 8 second(s)
  Hardware is   10GigabitEthernet , address is cc4e.243b.ec14 (bia cc4e.243b.ec47)
  Configured speed 10Gbit, actual unknown, configured duplex fdx, actual unknown
  Configured mdi mode AUTO, actual unknown
  Member of L2 VLAN ID 1, port is untagged, port state is BLOCKING
  BPDU guard is Disabled, ROOT protect is Disabled, Designated protect is Disabled
  Link Error Dampening is Disabled
  STP configured to ON, priority is level0, mac-learning is enabled
  Openflow is Disabled, Openflow Hybrid mode is Disabled,  Flow Control is config enabled, oper enabled, negotiation disabled
  Mirror disabled, Monitor disabled
  Mac-notification is disabled
  Not member of any active trunks
  Not member of any configured trunks
  Port name is owc2
  MTU 1500 bytes, encapsulation ethernet
  300 second input rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
  300 second output rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
  43530328 packets input, 56998726541 bytes, 0 no buffer
  Received 3946 broadcasts, 704676 multicasts, 42821706 unicasts
  3 input errors, 3 CRC, 0 frame, 0 ignored
  0 runts, 0 giants
  22315910 packets output, 12573297677 bytes, 0 underruns
  Transmitted 98428 broadcasts, 293779 multicasts, 21923703 unicasts
  0 output errors, 0 collisions
  Relay Agent Information option: Disabled

Egress queues:
Queue counters    Queued packets    Dropped Packets
    0            22287511                   0
    1                   0                   0
    2                   0                   0
    3               28357                   0
    4                   0                   0
    5                  42                   0
    6                   0                   0
    7                   0                   0
 

metalpizza123

New Member
Nov 2, 2021
Hi hi quick question on whether I've just a defective unit or I'm missing something in the setup guide. I'm trying to set up the 6430-48P.

Following Fohdeesha's guide, I have the master zip downloaded and I had PuTTY set up to connect to the switch. I have a USB to serial adapter cable hooked up to the serial port, and a standard Cat 6 ethernet cable to the existing router. After booting several times with the PuTTY settings in the guide (I turned off Flow control), the output in the image showed up. After waiting several minutes, it briefly flashed some messages about loading PoE and restarted. However, since then I haven't been able to get any serial output, and can't set the values to the factory default. I've tried using the reset button on the front of the switch but to no avail. Mashing or holding the B button doesn't seem to be able to stop the bootloader, though with no output I have no clue whether it's even loading anything.

Essentially I'm just wondering if it's borked. It starts up and has a period of high fan load before slowing down, so the behaviour seems to be the same as before. The cable I'm using is a FTDI cable and I've installed their drivers for it.

Many thanks in advance.
 


richtj99

Member
Jul 8, 2017
Hi - is it possible to have SSH available only on a vlan of choice?

My 7250 has two IPs

Vlan 10 - 192.168.10.10
Vlan 20 - 192.168.20.20

Is it possible to allow SSH access only on vlan 20 but not on vlan 10?

Thanks,
Rich
 

dos

New Member
Oct 13, 2021
Hi hi quick question on whether I've just a defective unit or I'm missing something in the setup guide. I'm trying to set up the 6450-48P.

Following Fohdeesha's guide, I have the master zip downloaded and I had PuTTY set up to connect to the switch. I have a USB to serial adapter cable hooked up to the serial port, and a standard Cat 6 ethernet cable to the existing router. After booting several times with the PuTTY settings in the guide (I turned off Flow control), the output in the image showed up. After waiting several minutes, it briefly flashed some messages about loading PoE and restarted. However, since then I haven't been able to get any serial output, and can't set the values to the factory default. I've tried using the reset button on the front of the switch but to no avail. Mashing or holding the B button doesn't seem to be able to stop the bootloader, though with no output I have no clue whether it's even loading anything.

Essentially I'm just wondering if it's borked. It starts up and has a period of high fan load before slowing down, so the behaviour seems to be the same as before. The cable I'm using is a FTDI cable and I've installed their drivers for it.

Many thanks in advance.
it's going to depend on what ftdi cable you have. some of them are only 3.3v logic and although you can "see" the output from the switch you can't actually send any commands because the high to low is only 3.3v and not enough to actually trigger a signal. plenty of people have posted about this but the tl;dr is use a standard cisco console cable, use either a rj45 keystone jack (i used a rj45 breakout adapter as an alternative) to connect the green, white & black usb wires. from there you should be able to interact and "talk" to the switch.
 

Blue)(Fusion

Active Member
Mar 1, 2017
Chicago
Hi - is it possible to have SSH available only on a vlan of choice?

My 7250 has two IPs

Vlan 10 - 192.168.10.10
Vlan 20 - 192.168.20.20

Is it possible to allow SSH access only on vlan 20 but not on vlan 10?

Thanks,
Rich
Set up an ACL on the VE that you wish to prevent SSH access on.
 

Freebsd1976

Active Member
Feb 23, 2018
Upgraded my 7250-24 firmware to 0.9.0.00a today. Ambient temperature 25C, running temperature 58-61C (with a 0615 fan added on the ASIC). Very satisfied with it running cool and almost silent, except for the idle power consumption.
 

metalpizza123

New Member
Nov 2, 2021
it's going to depend on what ftdi cable you have. some of them are only 3.3v logic and although you can "see" the output from the switch you can't actually send any commands because the high to low is only 3.3v and not enough to actually trigger a signal. plenty of people have posted about this but the tl;dr is use a standard cisco console cable, use either a rj45 keystone jack (i used a rj45 breakout adapter as an alternative) to connect the green, white & black usb wires. from there you should be able to interact and "talk" to the switch.

Yeah and that's what I had bought from here:

I'd seen that others had similar problems so I'd hoped that this cable was appropriate. It seemed to match the solution that other users had, and I did have console control briefly in that screenshot, so I'm optimistic about the cable, just not sure about the switch itself since it's not spitting any console output anymore.
 

dos

New Member
Oct 13, 2021
Yeah and that's what I had bought from here:

I'd seen that others had similar problems so I'd hoped that this cable was appropriate. It seemed to match the solution that other users had, and I did have console control briefly in that screenshot, so I'm optimistic about the cable, just not sure about the switch itself since it's not spitting any console output anymore.
on second glance i saw you mentioned you had the 6450 (rj45 console), not 7250 ("usb" console), so disregard the comments on needing the custom cable. a couple things of note, these switches take a small eternity to boot so you may just need to wait longer. the older images seem to have less output during the boot process compared to the newer ufi images. secondly did this switch ever fully boot? it might be possible it doesn't have a valid image to load. i'd suggest restarting the switch and smashing that like button 'b' key to see if you can get into the boot monitor. if you can, you know the console cable is working correctly, and then you can inspect the flash and make sure you have something to actually boot to. hopefully that's somewhat helpful.
 

tinfoil3d

QSFP28
May 11, 2020
Japan
I recently boarded the ruckus train for the first time and it's pretty cool. I'm still in the process of a basic setup but it feels so close to hp that i kinda figured it out with tab completion all by myself. Restricting access to vlan is a bit different for this system but will figure it out. So cool. Thanks guys.
 

richtj99

Member
Jul 8, 2017
Set up an ACL on the VE that you wish to prevent SSH access on.
I'm not 100% sure but:


conf t
ip access-list 22 deny 192.168.10.0/24 log
ssh access-group 22
wr mem


or

conf t
int ve 10
ip access-list 22 deny ve 10
ssh access-group 22
wr mem


or

conf t
no ip ssh client 192.168.10.0/24


I'm a little hesitant to try it & lose ssh but figured I would ask here first - thanks!
 

Blue)(Fusion

Active Member
Mar 1, 2017
Chicago
Here's a modified example of what I have in place.

Code:
ip access-list extended noadmin4                                    
  remark DENY ADMIN ACCESS TO SWITCH
  deny tcp any host 192.168.10.1 eq ssh log
  deny tcp any host 192.168.10.1 eq telnet log
  deny tcp any host 192.168.10.1 eq http log
  deny tcp any host 192.168.10.1 eq ssl log
  remark PERMIT REMAINING TRAFFIC
  permit ip any any 
  enable-accounting
  exit

ipv6 access-list noadmin6 
  logging-enable
  remark DENY ADMIN ACCESS TO SWITCH
  remark LINK-LOCAL
  deny tcp any host fe80::768e:f8ff:fe3e:b28a eq ssh log
  deny tcp any host fe80::768e:f8ff:fe3e:b28a eq telnet log
  deny tcp any host fe80::768e:f8ff:fe3e:b28a eq http log
  deny tcp any host fe80::768e:f8ff:fe3e:b28a eq ssl log
  remark ULA
  deny tcp any host fdc6:3916:1234:10::1 eq ssh log
  deny tcp any host fdc6:3916:1234:10::1 eq telnet log
  deny tcp any host fdc6:3916:1234:10::1 eq http log
  deny tcp any host fdc6:3916:1234:10::1 eq ssl log
  remark GUA
  deny tcp any host 2603:6018:3393:1610::1 eq ssh log
  deny tcp any host 2603:6018:3393:1610::1 eq telnet log
  deny tcp any host 2603:6018:3393:1610::1 eq http log
  deny tcp any host 2603:6018:3393:1610::1 eq ssl log
  remark ALLOW REMAINING TRAFFIC
  permit ipv6 any any
  enable-accounting
  exit

interface ve 10
  ip access-group noadmin4 in
  ipv6 traffic-filter noadmin6 in
  exit
Important note: In the above example, a host on the VLAN can access the switch via another VE IP. You can either enter the IP addresses of each VE and loopback of the switch in the rule or block access to other VLANs by default using the ACL, depending on your needs.
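
The caveat in that note can be checked before an ACL is applied. The Python sketch below is an added example, not part of the original post or of any Ruckus tooling: it replays first-match evaluation over the rule shapes used in noadmin4 and lists which switch addresses would still accept admin traffic from the VLAN. The second VE address (192.168.20.1) is constructed for illustration.

```python
import ipaddress

ADMIN_SERVICES = ("ssh", "telnet", "http", "ssl")  # services denied in the post's ACL

# IPv4 ACL from the post above, applied inbound on ve 10.
SAMPLE_ACL = """\
ip access-list extended noadmin4
  remark DENY ADMIN ACCESS TO SWITCH
  deny tcp any host 192.168.10.1 eq ssh log
  deny tcp any host 192.168.10.1 eq telnet log
  deny tcp any host 192.168.10.1 eq http log
  deny tcp any host 192.168.10.1 eq ssl log
  remark PERMIT REMAINING TRAFFIC
  permit ip any any
"""
# 192.168.10.1 is from the post; 192.168.20.1 is a constructed second VE address.
SWITCH_ADDRS = ["192.168.10.1", "192.168.20.1"]

def parse_acl(text):
    """Parse only the rule shapes the post uses; anything else is rejected."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # header, remark, enable-accounting, exit
        if tok[1:4] == ["tcp", "any", "host"] and tok[5:6] == ["eq"] and len(tok) >= 7:
            rules.append((tok[0], ipaddress.ip_address(tok[4]), tok[6]))
        elif tok[1:] in (["ip", "any", "any"], ["ipv6", "any", "any"]):
            rules.append((tok[0], None, None))  # matches any destination/service
        else:
            raise ValueError(f"unsupported rule: {line.strip()}")
    return rules

def verdict(rules, dst, service):
    """First matching rule wins; no match falls to the implicit deny."""
    for action, rule_dst, rule_svc in rules:
        if rule_dst is None or (rule_dst == dst and rule_svc == service):
            return action
    return "deny"

def exposed(acl_text, switch_addrs):
    """(address, service) pairs on the switch that the ACL still permits."""
    rules = parse_acl(acl_text)
    return [(a, s) for a in switch_addrs for s in ADMIN_SERVICES
            if verdict(rules, ipaddress.ip_address(a), s) == "permit"]

if __name__ == "__main__":
    for addr, svc in exposed(SAMPLE_ACL, SWITCH_ADDRS):
        print(f"still reachable from ve 10: {addr} {svc}")
```

Pass every VE and loopback address of the switch as switch_addrs; an empty result means the ACL covers all of them for the four listed services.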