Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)


nerdalertdk

Fleet Admiral
Mar 9, 2017
228
118
43
::1
@jasonwc avahi on the 7250? Or somewhere else? I have avahi set up on pfsense, but the layer 3 traffic will not hit pfsense for inter-VLAN traffic, no? So PIM or multicast routing setup on the 7250 has no impact on mDNS traffic between VLANs?
I fixed it with an mDNS server; it's a simple Python script that relays the broadcast, since mDNS normally has a TTL of 1 hop.

Not home right now, so I can't see the script name.
 

jasonwc

Member
Dec 31, 2018
49
18
8
@jasonwc avahi on the 7250? Or somewhere else? I have avahi set up on pfsense, but the layer 3 traffic will not hit pfsense for inter-VLAN traffic, no? So PIM or multicast routing setup on the 7250 has no impact on mDNS traffic between VLANs?
Sorry, I'm using pfsense to route the relevant VLANs. However, I can tell you that HomeBridge required me to enable Avahi on pfsense with reflection enabled (repeats mDNS packets across subnets). pfsense will give you the option to choose the specific subnets where you want to enable this feature. Once I did that, HomeBridge worked immediately with no additional configuration. Since neither the IoT VLAN nor the VLANs I use for my Wi-Fi networks require > 1 Gb of traffic, I just have pfsense handle routing.

For greater security, you can filter for only the services you wish to reflect. On Linux,
Code:
avahi-browse --all
will give you a list of available services.
 
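Both nerdalertdk's relay script and the advice above to reflect only the services you actually need come down to inspecting each mDNS datagram before repeating it into another VLAN. The following is an added example, not code from either poster or from Avahi: it parses the DNS names carried in an mDNS packet and decides whether a reflector should forward it, allow-listing service types such as `_hap._tcp.local` (the HomeKit service type HomeBridge advertises) and dropping truncated or pointer-looping packets instead of repeating them. `build_mdns` constructs sample packets for testing; names and thresholds are assumptions.

```python
import struct

def read_name(pkt, off):
    """Decode a DNS name at pkt[off]; returns (dotted name, offset past it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                      # 2-byte compression pointer
            end = off + 2 if end is None else end  # resume after the first pointer
            off = ((ln & 0x3F) << 8) | pkt[off + 1]
            hops += 1
            if hops > 64:                          # guard against pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii", "replace"))
        off += ln
    return ".".join(labels), (off if end is None else end)

def mdns_names(pkt):
    """Owner name of every question and resource record in an mDNS packet."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    off, names = 12, []
    for i in range(qd + an + ns + ar):
        name, off = read_name(pkt, off)
        names.append(name)
        # question: skip qtype+qclass; record: skip type,class,ttl,rdlength and rdata
        off += 4 if i < qd else 10 + struct.unpack("!H", pkt[off + 8:off + 10])[0]
    return names

def should_reflect(pkt, allowed_services):
    """Forward only packets naming an allow-listed service type; drop malformed ones."""
    try:
        names = mdns_names(pkt)
    except (IndexError, ValueError, struct.error):
        return False
    return any(n == s or n.endswith("." + s) for n in names for s in allowed_services)

def build_mdns(service, instance=None):
    """Constructed sample: PTR query for `service`; with `instance`, also one PTR
    answer whose owner name is a pointer (0xC00C) to the question at offset 12."""
    pkt = struct.pack("!6H", 0, 0x8400 if instance else 0, 1, 1 if instance else 0, 0, 0)
    pkt += b"".join(bytes([len(l)]) + l.encode() for l in service.split(".")) + b"\x00"
    pkt += struct.pack("!HH", 12, 1)               # qtype PTR, qclass IN
    if instance:
        rdata = bytes([len(instance)]) + instance.encode() + b"\xC0\x0C"
        pkt += b"\xC0\x0C" + struct.pack("!HHIH", 12, 0x8001, 4500, len(rdata)) + rdata
    return pkt
```

A real reflector would call `should_reflect` on each datagram received on 224.0.0.251:5353 and re-send the permitted ones on the other VLAN interface; the allow-list is where the output of `avahi-browse --all` goes.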

pinkypie

New Member
Dec 2, 2021
20
3
3
I bought a 6450 off eBay. In the process of getting it configured, but the older boot software is a bit troublesome.

Anyway, I figured out this switch is about 7 years old. Are there any significant hardware upgrades in the past 7 years or so? Wondering how this switch compares to the newer models. Couldn't find any information online about the old versions.
 

jasonwc

Member
Dec 31, 2018
49
18
8
I bought a 6450 off eBay. In the process of getting it configured, but the older boot software is a bit troublesome.

Anyway, I figured out this switch is about 7 years old. Are there any significant hardware upgrades in the past 7 years or so? Wondering how this switch compares to the newer models. Couldn't find any information online about the old versions.
What trouble are you having specifically? Did you follow the guide to upload the bootloader and OS firmware to the latest version? If so, you can check the 68-page product support matrix to determine exactly which features are supported. This manual can be found in the ICX6xxx Manuals folder.
 

daboxx

New Member
Nov 3, 2021
8
0
1
Any router peeps out there willing to lend a hand? I am configuring OSPF and having an issue with passive interfaces. I come from the Cisco world, where I would passive-default the config and then "no passive" the links I want to form neighbors on. I see the passive-default command in the Brocade, but I can't figure out how to "no passive" the interfaces I want. Transit VLAN specifically.

I did read the manual, but it only references the passive-interface-default command and not how to enable an interface.
 

fohdeesha

Kaini Industries
Nov 20, 2016
2,835
3,275
113
33
fohdeesha.com
I bought a 6450 off eBay. In the process of getting it configured, but the older boot software is a bit troublesome.

Anyway, I figured out this switch is about 7 years old. Are there any significant hardware upgrades in the past 7 years or so? Wondering how this switch compares to the newer models. Couldn't find any information online about the old versions.
if you follow the guide linked in the OP, it should get you updated with pretty simple steps regardless of how old the existing bootloader is

as for "new" features, not really outside of new connectivity options like multigig/2.5gbE etc
 

fohdeesha

Kaini Industries
Nov 20, 2016
2,835
3,275
113
33
fohdeesha.com
So, those $13 Bidi 40gbE transceivers work with zero issues on the 6610. Also, he's accepting best offers of $8 - absolute steal. 40gb over regular cheap duplex singlemode fiber, thanks to @jasonwc for the find. auction - XQX2502 KAIAM QSFP+40G-LR4 Lite OPTICAL MODULE NEW PULLS | eBay (if link dies, search around for KAIAM XQX2502)

Code:
ICX6610-24P Router#show stack con
Probing the topology. Please wait ...
ICX6610-24P Router#
    standby      active
     +---+        +---+
  2/6| 2 |2/1==2/1| 1 |2/6
     +---+        +---+

trunk probe results: 1 links
Link 1: u1 -- u2, num=1
  1: 1/2/1 (T0) <---> 2/2/1 (T0)
Code:
ICX6610-24P Router#show media e 1/2/1
Port   1/2/1:Type  : 40G QSFP Module
Vendor Name: KAIAM CORP       Serial Num: KD60630129      Revision: 1A
ICX6610-24P Router#show media e 2/2/1
Port   2/2/1: Type  : 40G QSFP Module
             Vendor: KAIAM CORP         Version: 1A
             Part# :    Serial#: KD60628356
Code:
ICX6610-24P Router#ICX6610-24P Router#show int e 1/2/1
40GigabitEthernet1/2/1 is up, line protocol is up
  Port up for 10 minute(s) 31 second(s)
  Hardware is 40GigabitEthernet, address is cc4e.243d.3eff (bia cc4e.243d.3eff)
  Interface type is 40Gig Fiber
  Configured speed 40Gbit, actual 40Gbit, configured duplex fdx, actual fdx
Tested in all 4 ports as I recall talk of one port being higher power for ZR factory optics, and these work in all 4 slots including the 4x10gbE slots:

Code:
ICX6610-24P Router#show stack con
Probing the topology. Please wait ...
ICX6610-24P Router#
                 active
     +---+        +---+
  2/6| 2 |2/1==2/1| 1 |2/6
     +---+        +---+

trunk probe results: 1 links
Link 1: u1 -- u2, num=4
  1: 1/2/2 (T0) <---> 2/2/2 (T0)
  2: 1/2/3 (T0) <---> 2/2/3 (T0)
  3: 1/2/4 (T0) <---> 2/2/4 (T0)
  4: 1/2/5 (T0) <---> 2/2/5 (T0)
CPU to CPU packets are fine between 2 units.
 

fohdeesha

Kaini Industries
Nov 20, 2016
2,835
3,275
113
33
fohdeesha.com
Above optics working great in Mellanox NICs as well (ICX6610 to ConnectX-3):

Code:
ICX6610-24P Router(config)#show int e 1/2/6
40GigabitEthernet1/2/6 is up, line protocol is up
  Port up for 34 second(s)
  Hardware is 40GigabitEthernet, address is cc4e.243d.3f04 (bia cc4e.243d.3f04)
  Interface type is 40Gig Fiber
  Configured speed 40Gbit, actual 40Gbit, configured duplex fdx, actual fdx
 

juju

Member
Sep 29, 2021
36
1
8
I can't seem to get SSH to work at all. My 7250 seems to be working great, except I can't SSH into it with password only (no keys), using

Code:
ip ssh key-authentication no
ip ssh password-authentication yes
ip ssh interactive-authentication yes
I also tried using SSH keys, but I can't upload my public key with the TFTP server because I can't connect. I am getting "no route to host", though I can ping the server IP from the switch! Windows firewall turned off. Strange.
It connected OK when I was initially setting up the machine. I am plugged into a regular port on the switch and using the same tftpd64 program. Not sure what I am missing. Could use another pair of eyes. Here is my SSH info:

(attached screenshot: ssh.jpg)
 

fohdeesha

Kaini Industries
Nov 20, 2016
2,835
3,275
113
33
fohdeesha.com
I can't seem to get SSH to work at all. My 7250 seems to be working great, except I can't SSH into it with password only (no keys), using

Code:
ip ssh key-authentication no
ip ssh password-authentication yes
ip ssh interactive-authentication yes
I also tried using SSH keys, but I can't upload my public key with the TFTP server because I can't connect. I am getting "no route to host", though I can ping the server IP from the switch! Strange.
It connected OK when I was initially setting up the machine. I am plugged into a regular port on the switch and using the same tftpd64 program. Not sure what I am missing. Could use another pair of eyes. Here is my SSH info:

(attached screenshot: ssh.jpg)
have you created a user with a password? post your config
 

juju

Member
Sep 29, 2021
36
1
8
have you created a user with a password? post your config

here it is:


Code:
ICX7250-24 Router(config)# show run
Current configuration:
!
ver 08.0.95dT213
!
stack unit 1
  module 1 icx7250-24-port-management-module
  module 2 icx7250-sfp-plus-8port-80g-module
  stack-port 1/2/1
  stack-port 1/2/3
!
!
global-stp
!
lag toProxmox dynamic id 1
ports ethe 1/2/1 to 1/2/2
!
lag to24POE dynamic id 3
ports ethe 1/1/5 to 1/1/6
!
lag to24Pro dynamic id 4
ports ethe 1/2/5 to 1/2/6
!
!
!                                                                
vlan 1 name DEFAULT-VLAN by port
router-interface ve 1
spanning-tree 802-1w
spanning-tree 802-1w priority 8192
!
vlan 5 name mgmt by port
tagged lag 1 lag 3 to 4
router-interface ve 5
spanning-tree 802-1w
spanning-tree 802-1w priority 8192
!
vlan 20 by port
tagged ethe 1/1/1 lag 1 lag 3 to 4
!
vlan 30 by port
tagged ethe 1/1/1 lag 1 lag 3 to 4
!
vlan 50 name test by port
tagged lag 1 lag 3 to 4
router-interface ve 50
spanning-tree 802-1w
spanning-tree 802-1w priority 8192
!                                                                
vlan 100 name transit-pfsense by port
tagged ethe 1/1/1
router-interface ve 100
!
vlan 110 name home by port
tagged lag 1 lag 3 to 4
router-interface ve 110
spanning-tree 802-1w
spanning-tree 802-1w priority 8192
multicast passive
multicast version 3
!
vlan 120 name lab by port
tagged lag 1 lag 3 to 4
router-interface ve 120
spanning-tree 802-1w
spanning-tree 802-1w priority 8192
!
vlan 130 name iot by port
tagged lag 1 lag 3 to 4
router-interface ve 130
spanning-tree 802-1w
spanning-tree 802-1w priority 8192                              
!
vlan 140 name dmz by port
tagged lag 1 lag 3 to 4
router-interface ve 140
spanning-tree 802-1w
spanning-tree 802-1w priority 8192
ip access-group dmz-acl in
!
!
!
!
!
!
!
!
!
!
!
!
system-max ip-route-default-vrf 5000
system-max ip-route-vrf 512
!
vrf mgmt                                                        
rd 1:1
address-family ipv4
exit-address-family
exit-vrf
!
management-vrf mgmt
!
!
optical-monitor
optical-monitor non-ruckus-optic-enable
aaa authentication web-server default local
aaa authentication login default local
enable aaa console
ip dhcp-client disable
ip dns server-address 172.16.1.1
ip route 0.0.0.0/0 172.16.1.1
!
no telnet server
username super password .....
!
!
!                                                                
!
clock summer-time
clock timezone us Eastern
!
!
ntp
disable serve
server 172.16.1.1
!
!
no web-management http
web-management https
!
!
!
manager port-list 987
!
ip multicast-routing
!
!
!
!
!                                                                
!
router pim
!
!
!
interface ethernet 1/1/1
loop-detection shutdown-disable
!
interface ethernet 1/2/3
no optical-monitor
!
interface ethernet 1/2/4
no optical-monitor
!
interface ethernet 1/2/7
no optical-monitor
!
interface ethernet 1/2/8
no optical-monitor
!
interface ve 1
ip address 10.1.0.1 255.255.255.0
ip bootp-gateway 10.1.0.1                                      
ip helper-address 1 10.0.0.103
ip helper-address 2 10.0.0.104
!
interface ve 5
ip address 10.1.5.1 255.255.255.0
ip bootp-gateway 10.1.5.1
ip helper-address 1 10.0.0.103
ip helper-address 2 10.0.0.104
!
interface ve 50
ip address 10.1.50.1 255.255.255.0
ip bootp-gateway 10.1.50.1
ip helper-address 1 10.0.0.103
ip helper-address 2 10.0.0.104
!
interface ve 100
ip address 172.16.1.2 255.255.255.252
!
interface ve 110
ip address 10.1.10.1 255.255.255.0
ip bootp-gateway 10.1.10.1
ip helper-address 1 10.0.0.103
ip helper-address 2 10.0.0.104                                  
!
interface ve 120
ip address 10.1.20.1 255.255.255.0
ip bootp-gateway 10.1.20.1
ip helper-address 1 10.0.0.103
ip helper-address 2 10.0.0.104
!
interface ve 130
ip address 10.1.30.1 255.255.255.0
ip bootp-gateway 10.1.30.1
ip pim
ip helper-address 1 10.0.0.103
ip helper-address 2 10.0.0.104
!
interface ve 140
ip address 10.1.40.1 255.255.255.0
ip bootp-gateway 10.1.40.1
ip helper-address 1 10.0.0.103
ip helper-address 2 10.0.0.104
!
!
!
ip access-list extended dmz-acl                                  
enable accounting
remark block access to switch admin interface
sequence 10 deny tcp any host 10.1.0.1 eq ssh log
sequence 20 deny tcp any host 10.1.0.1 eq telnet log
sequence 30 deny tcp any host 10.1.0.1 eq http log
sequence 40 deny tcp any host 10.1.0.1 eq ssl log
remark block access to pfsense
sequence 50 deny tcp any host 172.16.1.1 eq ssh log
sequence 60 deny tcp any host 172.16.1.1 eq 12900 log
remark allow hosts to reach dhcp servers
sequence 70 permit udp any any eq bootps
sequence 80 permit udp any host 10.0.0.103 eq bootpc
sequence 90 permit udp any host 10.0.0.104 eq bootpc
remark allow hosts to do dns lookups
sequence 100 permit udp any host 172.16.1.1 eq dns
sequence 110 permit tcp any host 172.16.1.1 eq dns
remark allow icmp
sequence 120 permit icmp any any
sequence 130 permit tcp any any established
remark allow same vlan traffic
sequence 140 permit ip any 10.1.40.0 0.0.0.255
remark block outbound access to all local VLANs
sequence 150 deny ip any 10.1.0.0 0.0.255.255 log                
remark permit all other traffic out
sequence 160 permit ip any any
!
!
!
!
!
!
!
ip ssh  key-authentication no
!
!
!
!
!
end
ICX7250-24 Router(config)#
 

fohdeesha

Kaini Industries
Nov 20, 2016
2,835
3,275
113
33
fohdeesha.com
try creating a new user like " username customname password yourpasshere " and logging in with that, to rule out it blocking the default user from SSHing or something (I think it does that when super has the default pass, I don't remember)
 

juju

Member
Sep 29, 2021
36
1
8
try creating a new user like " username customname password yourpasshere " and logging in with that, to rule out it blocking the default user from SSHing or something (I think it does that when super has the default pass, I don't remember)
Done. Created a new user with priority 0 and I am able to log in via console. Still getting this:

(attached screenshot: ssh2.jpg)
 

juju

Member
Sep 29, 2021
36
1
8
I fixed it with an mDNS server; it's a simple Python script that relays the broadcast, since mDNS normally has a TTL of 1 hop.

Not home right now, so I can't see the script name.
@jasonwc @nerdalertdk seems both your setups have pfsense doing the routing, correct? My VLANs are all on the switch. There seems to be a lot of IGMP snooping and multicast routing functionality built in, so I'm surprised it's quite difficult to set this up. On pfsense, I simply installed pimd, which only works with interfaces directly attached to pfsense.
 

LodeRunner

Active Member
Apr 27, 2019
553
235
43
Above optics working great in Mellanox NICs as well (ICX6610 to ConnectX-3):

Code:
ICX6610-24P Router(config)#show int e 1/2/6
40GigabitEthernet1/2/6 is up, line protocol is up
  Port up for 34 second(s)
  Hardware is 40GigabitEthernet, address is cc4e.243d.3f04 (bia cc4e.243d.3f04)
  Interface type is 40Gig Fiber
  Configured speed 40Gbit, actual 40Gbit, configured duplex fdx, actual fdx
Darn it, where was this info 6 weeks ago when it could have saved me the purchase of several DACs! Two of these plus 3m of OS2 would have been cheaper than the 3m DACs. Since they work in Brocade I would expect them to work in Arista as it's not picky about the optics either.
 

pinkypie

New Member
Dec 2, 2021
20
3
3
if you follow the guide linked in the OP, it should get you updated with pretty simple steps regardless of how old the existing bootloader is

as for "new" features, not really outside of new connectivity options like multigig/2.5gbE etc

What about issues with older CPU and encryption?

I have been following the guide and I am pretty much done for the basic load out. The problem is SSH. I've uploaded the public key per your guide (thanks btw, excellent instructions on setup) but it throws the error:

Code:
Unable to negotiate with 192.168.1.250 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
I searched for that same error on this thread and don't see it. The only thing I have found is possible issue with older CPU and management card.
 

fohdeesha

Kaini Industries
Nov 20, 2016
2,835
3,275
113
33
fohdeesha.com
That's exactly what it was. Thank you and @fohdeesha for helping out. Now I need to figure out how to properly setup my management vlan .

wow, I should have scrolled farther down in your config - indeed when you define a management VRF, all CPU-bound mgmt stuff gets bound and isolated to that VRF. Your config was halfway there for an isolated management VRF/interface: you created the VRF and assigned it to management, you just need to then stick a VE into that VRF - then that VLAN / VE / VE IP will be a part of that isolated VRF, have the management stuff bound to it, and will not route to/from your other VE networks. like:

Code:
interface ve 100
  vrf forwarding mgmt
  ip address 172.16.1.2 255.255.255.252
here's an example config from our LAN events with an isolated management VRF with its own default route etc: reboot-lan/LAB-CORE-01-6610.cfg at master · Fohdeesha/reboot-lan