Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)

[klui]

The manuals from the Rucksu/Commscope site or pacakged in Fohdeesha's ZIP assume that you have a passing familiarity with the concepts. The manufacturer's documentation is not going to have a full "here's how you go form first start to routed VLAN" example; it's mostly a command reference that will have specific, basic examples of a given command.

There is literally a PDF titled "fastiron-*-l3guide.pdf / Layer 3 Routing Configuration Guide." It starts with ARP and ends with Multi-VRF. The command reference is just one among many documents.

Honestly a lot of that is out of my comfort zone but it serves as a great starting point. The documents provide a good starting foundation. Isn't this what "homelab" is all about? Self learning and initiative? If someone wants to be spoonfed they can get a support contract and ask the vendor directly. Otherwise it's slogging through threads like this one.

Sorry for sounding like an asshole.

 

[LodeRunner]

@klui: I haven't re-read the OP or the checked the ZIP since before his big V2 update, so my bad. That is an extremely comprehensive doc set (just downloaded it).

And no, you don't sound like an asshole, at least to me. I did read this whole thread back when I first encountered it, took a few days (I think it was sub 200 pages when I first found it?) and I was wanting to get into 10G networking and retire my Cisco 2960S.

That L3 guide (I scrolled through the IPv4 and IPv4 Static Routing sections) should give anyone with a basic understanding of routing and subnetting enough information to piece together a working config, at least on the switch side.

The most common error I see in setting up routed VLANs is that people forget to put reverse routes on the firewall/router upstream and wonder why the internet doesn't work.

 

[pinkypie]

Literally the first post, linked at "Setup / Config / Licensing Guide v2"

Master ZIP (Firmware, Manuals, Licenses)

Honestly it's not for you. Get a Netgear or something that's plug and play.

My eyes totally skipped over that. FML

There is literally a PDF titled "fastiron-*-l3guide.pdf / Layer 3 Routing Configuration Guide." It starts with ARP and ends with Multi-VRF. The command reference is just one among many documents.

Honestly a lot of that is out of my comfort zone but it serves as a great starting point. The documents provide a good starting foundation. Isn't this what "homelab" is all about? Self learning and initiative? If someone wants to be spoonfed they can get a support contract and ask the vendor directly. Otherwise it's slogging through threads like this one.

Sorry for sounding like an asshole.

All good brother. I am looking at that one right now. "fastiron-08030mb-l3guide.pdf"

 

[pinkypie]

Brocade is like HPE in that you define a VLAN, then enter the VLAN and tag or untag ports to it. This is the opposite of Cisco, where you define a VLAN, then enter the port and add your VLANs there

Very helpful post. Thank you LR.

 

[fohdeesha]

we just a big ole happy switching family

 

[pinkypie]

I am planning to use the ICX6450-24P for a about 12-16 IP cameras isolated and not connected to the internet. Going to have ethernet cable connected from a pfSense box to the switch for management only and looking for the ICX6450 to handle all the routing with the cameras.

So I checked the config guide, fastiron-08030mb-l3guide.pdf.

correct me if I am wrong but the guide says IP routing is on by default. I dont believe I will need DHCP, going to use static addresses for the cameras. Therefore, I believe all I would need to do is configure VLANs and I would be good to go.

Does that sound correct? This would be my first L3 switch, never configured an L3 before. It's probably very obvious, lol.

 

[klui]

IP routing feature is enabled but you still need to configure everything on your VE(s) per the guide if cameras need to talk to devices outside their VLANs.

 

[pinkypie]

IP routing feature is enabled but you still need to configure everything on your VE(s) per the guide if cameras need to talk to devices outside their VLANs.

You are correct, I wasn't thinking of the scenario where the management VLAN would need to access both the ICX6450 and the cameras but prevent Camera VLAN from talking to the Management VLAN.

Am I on the right path?

#Create VLANs

vlan 2 Management
untagged ethe 1/1/1
router-interface ve 2
interface ve 2 ip address 192.168.2.2/24

vlan 3 Cameras
untagged ethe 1/1/2 to 1/1/24
router-interface ve 3
interface ve 3 ip address 192.168.3.2/24

#Block access to management VLAN

ip access-list extended "Block inbound"
deny ip any any

interface ve 2 ip access-group "Block inbound" in

 

[klui]

I would not waste a regular port for management when there is a dedicated management port on the switch.

Don't you want your block to be on ve 3 and not 2?

 

[pinkypie]

I just ordered an 6450-24P off eBay.

I was a bit confused on reading the ACL implementation. Wouldn't "deny ip any any" assigned to ve2 deny any inbound traffic to the management interface from any IPs?

From what I read, inbound ACLs on VEs apply to traffic going IN to the VE from the VLAN to which the VE is assigned.

I would not waste a regular port for management when there is a dedicated management port on the switch.

you referring to the out-of-band-management port, below the console port?

I believe the issue with using that is that it cannot access the regular network channels/ports. I still need to be able to access the Camera VLAN 3 to configure the cameras and NVR.

I think I may have figured out a better solution, just make VLAN 2 the management VLAN for security purposes. I dont think I would need ACLs. I believe no other VLANs can access the Management VLAN by definition.

vlan 2 Management
untagged ethe 1/1/1
management-vlan
router-interface ve 2
interface ve 2 ip address 192.168.2.2/24

 

[klui]

I've not implemented ACLs but your original post just seems wrong. Blocking the VE basically prevents you from connecting to your switch. Look at Terry Henry's videos about that as there is precedence for ACLs. It's in the first post.

What I see is you're using the management interface to access user data and that goes against the concept of an OOB management network. Of course it's your network and you can probably get it to work.

 

[pinkypie]

Yep, viewed those video prior to that post. I see what you mean by blocking the VE. I guess I could either block inbound on ve 2 or block outbound on ve 3. However, it probably makes more sense to block incoming on ve 2.

#Create VLANs

vlan 2 Management
untagged ethe 1/1/1
router-interface ve 2
interface ve 2 ip address 192.168.2.2/24

vlan 3 Cameras
untagged ethe 1/1/2 to 1/1/24
router-interface ve 3
interface ve 3 ip address 192.168.3.2/24

#Block access to management VLAN

ip access-list extended "Block inbound to Management"
deny ip 192.168.3.0/24 192.168.2.0/24

interface ve 2 ip access-group "Block inbound to Management" in

 

[Scarlet]

I guess I could either block inbound on ve 2 or block outbound on ve 3. However, it probably makes more sense to block incoming on ve 2.

Do you need the management VLAN to be routed at all? If not you could just remove the ve and ip address from vlan 2 and the switch would not route anything to it.

If you have only one physical link from your pfsense to the switch you could always define vlans on the pfsense box and use a tagged port to access both vlans from pfsense.

 

[narapon]

Has anyone managed to 3d-print the rack ears for the ICX7150-C12P? Would be great to have the blueprints for those.

 

[pinkypie]

Do you need the management VLAN to be routed at all? If not you could just remove the ve and ip address from vlan 2 and the switch would not route anything to it.

Hi Scarlett, yes I need the Management VLAN to be routed because I need to be able to configure the cameras. It is management not only for switch but for the cameras as well. I want to keep routing off the pfSense box.

 

[etnoy]

Just wanted to jump in and say thanks, got my 6450-48p for €250 including shipping here in Europe. Works great, and the guide was very helpful for the initial setup.

Is there a command to shut down the switch before pulling power? Is that even needed? Didn't see that mentioned.

 

[infoMatt]

Is there a command to shut down the switch before pulling power?

Nope, just pull the power. All the software runs in a ramdisk/read only flash, so it's expected to be hard-powered off, no worries.

 

[LodeRunner]

If you made config changes you want to keep, then a “write mem” before pulling power is required. Otherwise, no. Pulling power is the standard way to revert a bad config change as almost all config changes are immediately applied.

 

[dswartz]

If you made config changes you want to keep, then a “write mem” before pulling power is required. Otherwise, no. Pulling power is the standard way to revert a bad config change as almost all config changes are immediately applied.

Back in the day when I had to manage cisco routers, calling the NOC and telling the night shift guy "yeah, i borked XXX, can you power cycle it? thanks bro!"

 

[jasonwc]

Has anyone tried the XQX2502 KAIAM QSFP+40G-LR4 Lite transceivers to connect an ICX6610 with a Mellanox MCX354A-FCBT? An STH user indicated that Cisco-coded generic 40G-LR optics worked with his Mellanox card (https://forums.servethehome.com/ind...-back-using-fs-qsfp-bd-40g.22302/#post-210165). In addition, the ConnectX-3 Pro firmware release notes (2.42.5000) list Cisco 40G-BiDi optics (QSFP-40G-SR-BD) as supported. FS lists power consumption as 3.5W for their generic version of this optic.

The Kaiam card appears to just be a low power version (2.3W) that is limited to 2km versus the standard 10km. An Ebay seller with good reviews is offering these transceivers for $10 each. Thus, I was wondering if anyone gave it a shot. There are also cheap LR Lite optics from AOI.

I'm looking to do a 20M run between the switch an my server. A 20M 8 fiber MPO Type B cable is $100 from a seller in China. FS charges $166 for a MTP®-12 (Female) to MTP®-12 (Female) OM4 Multimode Elite Trunk Cable, 12 Fibers, Type B, Plenum (OFNP), Magenta. They don't offer OM3 or 8-fiber trunk cables. A 20M SMF duplex cable would cost around $15.