Per a message from REdX1, these screws work on the icx7250 as well. Just in case someone else here would like to know.
Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)
- Thread starter fohdeesha
- Start date
Notice: Page may contain affiliate links for which we may earn a small commission through services like Amazon Affiliates or Skimlinks.
There are no aliases that I know of in the switch ACLs.
Here's an example you should be able to work from. This is from 8.0.30 firmware not sure if it's the same on 7xxx series firmware.
Code:
ip access-list extended guest-v4
remark DENY ADMIN ACCESS TO SWITCH
deny tcp any host 10.23.15.1 eq ssh log
deny tcp any host 10.23.15.1 eq telnet log
deny tcp any host 10.23.15.1 eq http log
deny tcp any host 10.23.15.1 eq ssl log
remark ALLOW SAME VLAN TRAFFIC
permit ip any 10.23.15.0 0.0.0.255
remark ALLOW DHCP
permit udp any any eq bootps
permit udp any any eq bootpc
remark ALLOW ICMP
permit icmp any any
remark ALLOW ESTABLISHED TCP TRAFFIC
permit tcp any any established
remark ALLOW DNS REQUESTS
permit udp any host 10.23.60.3 eq dns
permit tcp any host 10.23.60.3 eq dns
permit udp any host 10.23.60.5 eq dns
permit tcp any host 10.23.60.5 eq dns
remark ALLOW ACCESS TO CACHE01 HTTP/S
permit tcp any host 10.23.60.5 eq http
permit tcp any host 10.23.60.5 eq ssl
remark ALLOW RETURN OF SNMP TRAFFIC TO MON01
permit udp any eq snmp host 10.23.60.81
permit udp any eq snmp-trap host 10.23.60.81
remark DENY ALL OTHER INTER-VLAN TRAFFIC
deny ip any 10.0.0.0 0.255.255.255 log
remark PERMIT REMAINING TRAFFIC
permit ip any any
enable-accounting
just keep in mind that even though this is a layer 3 switch, it is not an edge router / firewall. unlike nexus switches, these don't support any type of nat, so if you plan to connect this to the internet you will still need something upstream to perfrom snat and dnat.
@Blue)(Fusion thanks for this. Will get me started. 3 questions:
- Does this allow incoming traffic from another vlan? e.g. I will have a printer sitting in this dmz. Does this restrict access to that printer from other vlans on the network?
- The devices in the dmz wont need to talk to each other in the same vlan - e.g. printer and sprinkler system. so remove the rule for same vlan traffic?
- when applying to the dmz ve interface, is this for inbound or outbound packets? - ip access-group "dmz acl" in/out
Last edited:
1. No*. This ACL is meant to be applied as inbound on the VE. In the example ACL, established TCP traffic is permitted to another VLAN that initiated the traffic, but UDP must specifically be allowed on a host, network, and/or port basis. Note in the example ACL, the return path of SNMP requests from devices on the guest network to my LibreNMS server on a different network.
2. Don't quote me but I believe you can modify the rule to allow traffic to the VE gateway IP and traffic bound to other devices on the L2 network will be dropped.
3. Inbound. It's almost always preferable to do inbound ACLs.
Still have one ICX7250-48 left for sale, cheapest one I see for sale on ebay without port damage is around 260+40 shipping, I could do $240 including a couple optics or 10gbase-T modules. pickup only tho in northern indianapolis, NO SHIP
some ICX6610s too
some ICX6610s too
How much for a 6610? I am enjoying my 6450, but the temptation is there to go with 10GB, lol.
prolly around whatever ebay prices are currently minus ~20% - can you do indy pickup?
Any recommendations for alternatives to the ICX7750-48F's? I am using these as TOR's, but they are now very hard to find on the used market.
Not sure what Arista model would be the equiv that can still run latest code?
Don't need any layer3 features, all layer2 use case, trunking, vlans, etc.
Thanks!
Not sure what Arista model would be the equiv that can still run latest code?
Don't need any layer3 features, all layer2 use case, trunking, vlans, etc.
Thanks!
Last edited:
I have a couple 7250s that came with the L2 only SPS firmware. Initially I ran them as is since the FW was new enough and I was just dipping my toes into the brocade world.
Since then I've flashed them up to 80.0.90 with the L3 SPR firmware. I don't use/need L3 stuff and the guides say it should work fine for L2 only if you don't configure any L3 features.
I have been experiencing strange network issues (can't access anything on my local network or through my firewall for a few minutes at a time) and I suspect it could be the switch with SPR/L3 firmware since they started around the time I did the upgrade. I don't have any evidence other than the timing. Another strange issue is that I can no longer SSH or access the webui (i dont use the webui but it was working in L2 mode) of the switch after flashing the SPR variant. I followed the parts of the guide (as of nov 5) that talk about enabling SSH and the webui and it still doesn't work. I also noticed that the switch doesn't always grab a DHCP lease from my pfsense firewall DHCP server.
Before I go and reflash to L2 fw for diagnostic purposes I thought I'd ask here if anyone has similar experiences or just general knowledge about using these switches in L3 vs L2 mode.
Is there any way that using the L3 firmware could cause issues if I'm trying to use it for L2 only? Is there anything in the guide that could cause some L3 features to be turned on?
Since then I've flashed them up to 80.0.90 with the L3 SPR firmware. I don't use/need L3 stuff and the guides say it should work fine for L2 only if you don't configure any L3 features.
I have been experiencing strange network issues (can't access anything on my local network or through my firewall for a few minutes at a time) and I suspect it could be the switch with SPR/L3 firmware since they started around the time I did the upgrade. I don't have any evidence other than the timing. Another strange issue is that I can no longer SSH or access the webui (i dont use the webui but it was working in L2 mode) of the switch after flashing the SPR variant. I followed the parts of the guide (as of nov 5) that talk about enabling SSH and the webui and it still doesn't work. I also noticed that the switch doesn't always grab a DHCP lease from my pfsense firewall DHCP server.
Before I go and reflash to L2 fw for diagnostic purposes I thought I'd ask here if anyone has similar experiences or just general knowledge about using these switches in L3 vs L2 mode.
Is there any way that using the L3 firmware could cause issues if I'm trying to use it for L2 only? Is there anything in the guide that could cause some L3 features to be turned on?
I'd start by setting a static IP on your management interface. DHCP reservations are usually fine, but I would avoid DHCP for infrastructure. If that doesn't sort it out, backup the config and factory default it.
I purchased a Brocade ICX 6450-48 and updated the config as well as setting it up via the docs provided on the first page of the forum.
Due to me finding the stock fans too loud I modified the switch and changed them for the Delta EFB0412VHD-F00 which were advised by another person in this forum.It is a little bit quiter than the stock ones but it's still loud.
I have another fan of the same model.Is it worth using another fan as well or is this expected?
Due to me finding the stock fans too loud I modified the switch and changed them for the Delta EFB0412VHD-F00 which were advised by another person in this forum.It is a little bit quiter than the stock ones but it's still loud.
I have another fan of the same model.Is it worth using another fan as well or is this expected?
Yea good point, I have been meaning to do that. I'll try that out before resorting to flashing.
Update on my network interruption issue.
I set all my infrastructure to static IPs instead of DHCP reservations (7250 48P, 2xR710, and 1xR610). I was still getting the interruptions.
I flashed a 7150 with SPS fw and swapped out the 7250. It appears to be more stable now no interruptions yet. It's very noticeable so I'll know in a day or two if it for sure fixes the issue.
In the mean time I reset the 7250 to factory (still on spr) and manually set it up again. going to swap that back in if the 7150 with sps reproduces the issue.
I set all my infrastructure to static IPs instead of DHCP reservations (7250 48P, 2xR710, and 1xR610). I was still getting the interruptions.
I flashed a 7150 with SPS fw and swapped out the 7250. It appears to be more stable now no interruptions yet. It's very noticeable so I'll know in a day or two if it for sure fixes the issue.
In the mean time I reset the 7250 to factory (still on spr) and manually set it up again. going to swap that back in if the 7150 with sps reproduces the issue.
Hello!
I recently acquired one of these neat little 6450 12 port boxes - and followed @fohdeesha 's awesome guide. The only thing that's tweaking me out a bit is the licensing:
The premium license sticks just fine, but the 10gig doesn't. I redid things from scratch a couple of times, thinking maybe I'd missed something in the process, (and maybe I still am?) I'm hoping someone can point me in the right direction.
I recently acquired one of these neat little 6450 12 port boxes - and followed @fohdeesha 's awesome guide. The only thing that's tweaking me out a bit is the licensing:
Code:
ICX6450-C12PD-Router#show license
Index Lic Mode Lic Name Lid/Serial No Lic Type Status Lic Period Lic Capacity
Stack unit 1:
1 Node Lock ICX6450-PREM-LIC-SW H4CKTH3PLN8 Normal Active Unlimited 1
2 Node Lock ICX6450-10G-LIC-POD H4CKTH3PLN8 Normal Invalid Unlimited 2The premium license sticks just fine, but the 10gig doesn't. I redid things from scratch a couple of times, thinking maybe I'd missed something in the process, (and maybe I still am?) I'm hoping someone can point me in the right direction.
Well that's where I went wrong. Step 1 *reading the documentation*. For some reason I thought the SFP ports were 10gig. Oh well. Thanks for setting me straight!
I just got ICX 7250. Following fohdeesha's guide works perfectly except the SPR08090mc.bin from download page can NOT be flashed to primary. Downloaded 8080f and works fine. In case anyone having the same issue.
Instead doing:
I did
Instead doing:
Bash:
#IP of your TFTP server:
setenv serverip 192.168.1.8
setenv image_name ICX7xxx/SPR08090mc.bin
setenv uboot ICX7xxx/spz10118.bin
Bash:
#IP of your TFTP server:
setenv serverip 192.168.1.8
setenv image_name ICX7xxx/SPR08080f.bin
setenv uboot ICX7xxx/spz10114.bin