Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)

fohdeesha (Kaini Industries, Nov 20, 2016, fohdeesha.com):

Above optics working great in Mellanox NICs as well (ICX6610 to ConnectX-3):

Code:
ICX6610-24P Router(config)#show int e 1/2/6
40GigabitEthernet1/2/6 is up, line protocol is up
  Port up for 34 second(s)
  Hardware is 40GigabitEthernet, address is cc4e.243d.3f04 (bia cc4e.243d.3f04)
  Interface type is 40Gig Fiber
  Configured speed 40Gbit, actual 40Gbit, configured duplex fdx, actual fdx

juju (Member, Sep 29, 2021):

I can't seem to get SSH to work at all. My 7250 seems to be working great, except I can't SSH into it with password only (no keys), using

Code:
ip ssh key-authentication no
ip ssh password-authentication yes
ip ssh interactive-authentication yes
I also tried using SSH keys, but can't upload my public key with the TFTP server because I can't connect. I am getting "no route to host", though I can ping the server IP from the switch! Windows firewall turned off. Strange.
It connected OK when I was initially setting up the machine. I am plugged into a regular port on the switch and using the same tftpd64 program. Not sure what I am missing. Could use another pair of eyes. Here is my SSH info:

[attachment: ssh.jpg]

fohdeesha (Kaini Industries, Nov 20, 2016, fohdeesha.com):

Quote:
I can't seem to get SSH to work at all. My 7250 seems to be working great, except I can't SSH into it with password only (no keys), using

Code:
ip ssh key-authentication no
ip ssh password-authentication yes
ip ssh interactive-authentication yes
I also tried using SSH keys, but can't upload my public key with the TFTP server because I can't connect. I am getting "no route to host", though I can ping the server IP from the switch! Strange.
It connected OK when I was initially setting up the machine. I am plugged into a regular port on the switch and using the same tftpd64 program. Not sure what I am missing. Could use another pair of eyes. Here is my SSH info:

[attachment 20832]

Have you created a user with a password? Post your config.

juju (Member, Sep 29, 2021):

Quote:
Have you created a user with a password? Post your config.


here it is:


Code:
ICX7250-24 Router(config)# show run
Current configuration:
!
ver 08.0.95dT213
!
stack unit 1
  module 1 icx7250-24-port-management-module
  module 2 icx7250-sfp-plus-8port-80g-module
  stack-port 1/2/1
  stack-port 1/2/3
!
!
global-stp
!
lag toProxmox dynamic id 1
ports ethe 1/2/1 to 1/2/2
!
lag to24POE dynamic id 3
ports ethe 1/1/5 to 1/1/6
!
lag to24Pro dynamic id 4
ports ethe 1/2/5 to 1/2/6
!
!
!                                                                
vlan 1 name DEFAULT-VLAN by port
router-interface ve 1
spanning-tree 802-1w
spanning-tree 802-1w priority 8192
!
vlan 5 name mgmt by port
tagged lag 1 lag 3 to 4
router-interface ve 5
spanning-tree 802-1w
spanning-tree 802-1w priority 8192
!
vlan 20 by port
tagged ethe 1/1/1 lag 1 lag 3 to 4
!
vlan 30 by port
tagged ethe 1/1/1 lag 1 lag 3 to 4
!
vlan 50 name test by port
tagged lag 1 lag 3 to 4
router-interface ve 50
spanning-tree 802-1w
spanning-tree 802-1w priority 8192
!                                                                
vlan 100 name transit-pfsense by port
tagged ethe 1/1/1
router-interface ve 100
!
vlan 110 name home by port
tagged lag 1 lag 3 to 4
router-interface ve 110
spanning-tree 802-1w
spanning-tree 802-1w priority 8192
multicast passive
multicast version 3
!
vlan 120 name lab by port
tagged lag 1 lag 3 to 4
router-interface ve 120
spanning-tree 802-1w
spanning-tree 802-1w priority 8192
!
vlan 130 name iot by port
tagged lag 1 lag 3 to 4
router-interface ve 130
spanning-tree 802-1w
spanning-tree 802-1w priority 8192                              
!
vlan 140 name dmz by port
tagged lag 1 lag 3 to 4
router-interface ve 140
spanning-tree 802-1w
spanning-tree 802-1w priority 8192
ip access-group dmz-acl in
!
!
!
!
!
!
!
!
!
!
!
!
system-max ip-route-default-vrf 5000
system-max ip-route-vrf 512
!
vrf mgmt                                                        
rd 1:1
address-family ipv4
exit-address-family
exit-vrf
!
management-vrf mgmt
!
!
optical-monitor
optical-monitor non-ruckus-optic-enable
aaa authentication web-server default local
aaa authentication login default local
enable aaa console
ip dhcp-client disable
ip dns server-address 172.16.1.1
ip route 0.0.0.0/0 172.16.1.1
!
no telnet server
username super password .....
!
!
!                                                                
!
clock summer-time
clock timezone us Eastern
!
!
ntp
disable serve
server 172.16.1.1
!
!
no web-management http
web-management https
!
!
!
manager port-list 987
!
ip multicast-routing
!
!
!
!
!                                                                
!
router pim
!
!
!
interface ethernet 1/1/1
loop-detection shutdown-disable
!
interface ethernet 1/2/3
no optical-monitor
!
interface ethernet 1/2/4
no optical-monitor
!
interface ethernet 1/2/7
no optical-monitor
!
interface ethernet 1/2/8
no optical-monitor
!
interface ve 1
ip address 10.1.0.1 255.255.255.0
ip bootp-gateway 10.1.0.1                                      
ip helper-address 1 10.0.0.103
ip helper-address 2 10.0.0.104
!
interface ve 5
ip address 10.1.5.1 255.255.255.0
ip bootp-gateway 10.1.5.1
ip helper-address 1 10.0.0.103
ip helper-address 2 10.0.0.104
!
interface ve 50
ip address 10.1.50.1 255.255.255.0
ip bootp-gateway 10.1.50.1
ip helper-address 1 10.0.0.103
ip helper-address 2 10.0.0.104
!
interface ve 100
ip address 172.16.1.2 255.255.255.252
!
interface ve 110
ip address 10.1.10.1 255.255.255.0
ip bootp-gateway 10.1.10.1
ip helper-address 1 10.0.0.103
ip helper-address 2 10.0.0.104                                  
!
interface ve 120
ip address 10.1.20.1 255.255.255.0
ip bootp-gateway 10.1.20.1
ip helper-address 1 10.0.0.103
ip helper-address 2 10.0.0.104
!
interface ve 130
ip address 10.1.30.1 255.255.255.0
ip bootp-gateway 10.1.30.1
ip pim
ip helper-address 1 10.0.0.103
ip helper-address 2 10.0.0.104
!
interface ve 140
ip address 10.1.40.1 255.255.255.0
ip bootp-gateway 10.1.40.1
ip helper-address 1 10.0.0.103
ip helper-address 2 10.0.0.104
!
!
!
ip access-list extended dmz-acl                                  
enable accounting
remark block access to switch admin interface
sequence 10 deny tcp any host 10.1.0.1 eq ssh log
sequence 20 deny tcp any host 10.1.0.1 eq telnet log
sequence 30 deny tcp any host 10.1.0.1 eq http log
sequence 40 deny tcp any host 10.1.0.1 eq ssl log
remark block access to pfsense
sequence 50 deny tcp any host 172.16.1.1 eq ssh log
sequence 60 deny tcp any host 172.16.1.1 eq 12900 log
remark allow hosts to reach dhcp servers
sequence 70 permit udp any any eq bootps
sequence 80 permit udp any host 10.0.0.103 eq bootpc
sequence 90 permit udp any host 10.0.0.104 eq bootpc
remark allow hosts to do dns lookups
sequence 100 permit udp any host 172.16.1.1 eq dns
sequence 110 permit tcp any host 172.16.1.1 eq dns
remark allow icmp
sequence 120 permit icmp any any
sequence 130 permit tcp any any established
remark allow same vlan traffic
sequence 140 permit ip any 10.1.40.0 0.0.0.255
remark block outbound access to all local VLANs
sequence 150 deny ip any 10.1.0.0 0.0.255.255 log                
remark permit all other traffic out
sequence 160 permit ip any any
!
!
!
!
!
!
!
ip ssh  key-authentication no
!
!
!
!
!
end
ICX7250-24 Router(config)#

fohdeesha (Kaini Industries, Nov 20, 2016, fohdeesha.com):

Try creating a new user like "username customname password yourpasshere" and logging in with that, to rule out it blocking the default user from SSHing or something (I think it does that when super has the default pass, I don't remember).

juju (Member, Sep 29, 2021):

Quote:
Try creating a new user like "username customname password yourpasshere" and logging in with that, to rule out it blocking the default user from SSHing or something (I think it does that when super has the default pass, I don't remember).

Done. Created a new user with priority 0 and am able to log in via console. Still getting this:

[attachment: ssh2.jpg]

juju (Member, Sep 29, 2021):

I fixed it with an mDNS server; it's a simple Python script that relays the broadcast, since mDNS normally has a TTL of 1 hop.

Not home right now so can't see the script name.

@jasonwc @nerdalertdk seems both your setups have pfSense doing the routing, correct? My VLANs are all on the switch. There seems to be a lot of IGMP snooping and multicast routing functionality built in, so I'm surprised it's quite difficult to set this up. On pfSense, I simply installed pimd, which only works with interfaces directly attached to pfSense.

LodeRunner (Active Member, Apr 27, 2019):

Quote:
Above optics working great in Mellanox NICs as well (ICX6610 to ConnectX-3):

Code:
ICX6610-24P Router(config)#show int e 1/2/6
40GigabitEthernet1/2/6 is up, line protocol is up
  Port up for 34 second(s)
  Hardware is 40GigabitEthernet, address is cc4e.243d.3f04 (bia cc4e.243d.3f04)
  Interface type is 40Gig Fiber
  Configured speed 40Gbit, actual 40Gbit, configured duplex fdx, actual fdx
Darn it, where was this info 6 weeks ago when it could have saved me the purchase of several DACs! Two of these plus 3m of OS2 would have been cheaper than the 3m DACs. Since they work in Brocade I would expect them to work in Arista as it's not picky about the optics either.

pinkypie (New Member, Dec 2, 2021):

Quote:
if you follow the guide linked in the OP, it should get you updated with pretty simple steps regardless of how old the existing bootloader is

as for "new" features, not really, outside of new connectivity options like multigig/2.5GbE etc.

What about issues with older CPU and encryption?

I have been following the guide and I am pretty much done for the basic load out. The problem is SSH. I've uploaded the public key per your guide (thanks btw, excellent instructions on setup) but it throws the error:

Code:
Unable to negotiate with 192.168.1.250 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
I searched for that same error on this thread and don't see it. The only thing I have found is a possible issue with older CPU and management card.

fohdeesha (Kaini Industries, Nov 20, 2016, fohdeesha.com):

Quote:
That's exactly what it was. Thank you and @fohdeesha for helping out. Now I need to figure out how to properly set up my management VLAN.

Wow, I should have scrolled farther down in your config. Indeed, when you define a management VRF, all CPU-bound management stuff gets bound and isolated to that VRF. Your config was halfway there for an isolated management VRF/interface: you created the VRF and assigned it to management; you just need to then stick a VE into that VRF. That VLAN / VE / VE IP will then be part of that isolated VRF, have the management stuff bound to it, and will not route to/from your other VE networks. Like:

Code:
interface ve 100
  vrf forwarding mgmt
  ip address 172.16.1.2 255.255.255.252
here's an example config from our LAN events with an isolated management VRF with its own default route etc: reboot-lan/LAB-CORE-01-6610.cfg at master · Fohdeesha/reboot-lan

jasonwc (Member, Dec 31, 2018):

Quote:
What about issues with older CPU and encryption?

I have been following the guide and I am pretty much done for the basic load out. The problem is SSH. I've uploaded the public key per your guide (thanks btw, excellent instructions on setup) but it throws the error:

Code:
Unable to negotiate with 192.168.1.250 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
I searched for that same error on this thread and don't see it. The only thing I have found is a possible issue with older CPU and management card.

That error is just telling you that the Brocade switch is using a deprecated key exchange method. You can whitelist that key exchange on PuTTY if you're on Windows, and there are instructions on the first page for the OpenSSH client on Linux.
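As an added example (not code from the thread, from OpenSSH or from Brocade), the Python below parses that "Unable to negotiate" line and emits a ~/.ssh/config Host block that re-enables the offered algorithm for that one switch only, so the weak key exchange is never added to the client's global defaults. It goes slightly beyond the post: OpenSSH prints the same message shape for host key type, cipher and MAC mismatches, and the script maps each to its client option. The function names, the OPTION_FOR table and the alias parameter are the example's own choices; the sample error line is the one quoted above.

```python
"""Turn an OpenSSH "Unable to negotiate" error into a host-scoped
~/.ssh/config stanza, so a legacy algorithm is re-enabled for one switch
only rather than for every host the client talks to. Added example; the
function and table names below are this example's own choices."""
import re

# OpenSSH's negotiation failures name the algorithm class that failed;
# each maps to the client option that controls that class.
OPTION_FOR = {
    "key exchange method": "KexAlgorithms",
    "host key type": "HostKeyAlgorithms",
    "cipher": "Ciphers",
    "MAC": "MACs",
}

# Matches e.g. (the line quoted in the thread):
#   Unable to negotiate with 192.168.1.250 port 22: no matching key exchange
#   method found. Their offer: diffie-hellman-group1-sha1
ERROR_RE = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\d+): "
    r"no matching (?P<what>key exchange method|host key type|cipher|MAC) found\. "
    r"Their offer: (?P<offer>[\w@.,+-]+)"
)


def parse_negotiation_error(line):
    """Return (host, port, failed_class, [offered algorithms]), or None if
    the line is not an OpenSSH negotiation failure."""
    m = ERROR_RE.search(line.strip())
    if not m:
        return None
    offer = [alg for alg in m.group("offer").split(",") if alg]
    return m.group("host"), int(m.group("port")), m.group("what"), offer


def scoped_override_stanza(line, alias=None):
    """Build a 'Host' block that appends the server's offer to the client's
    default list for this host only. '+' keeps the strong defaults in front,
    so they are still preferred if the switch ever gains them."""
    parsed = parse_negotiation_error(line)
    if parsed is None:
        return None
    host, port, what, offer = parsed
    stanza = [f"Host {alias or host}"]
    if alias:
        stanza.append(f"    HostName {host}")
    if port != 22:
        stanza.append(f"    Port {port}")
    # Every offered algorithm is absent from the client's list (none matched),
    # so the whole offer is appended; the block touches no other host.
    stanza.append(f"    {OPTION_FOR[what]} +{','.join(offer)}")
    return "\n".join(stanza) + "\n"


# The error quoted above, used as sample input.
SAMPLE_ERROR = ("Unable to negotiate with 192.168.1.250 port 22: no matching key "
                "exchange method found. Their offer: diffie-hellman-group1-sha1")

if __name__ == "__main__":
    print(scoped_override_stanza(SAMPLE_ERROR, alias="icx-switch"), end="")
```

Paste the printed block into ~/.ssh/config. Because it is keyed on the switch's address (or an alias you choose), the relaxed key exchange applies to that host alone, and the '+' prefix appends to the default algorithm list instead of replacing it.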

 

gridstop (New Member, Dec 17, 2021):

Oddly enough I was just registering to ask about a similar ssh issue. I am able to ssh into my 6450 by allowing that key exchange, but I can't get the ssh client on the switch to work when trying to backup my config to a machine. I whitelisted the same key exchange algorithms in sshd_config on my linux machine, but the switch outputs this:

Code:
ICX6450-24P Router#copy startup-config scp 10.1.1.100 /home/testuser/startup.txt
User name:testuser
Password:
Connecting to remote host......
return error need to revisit
(insert ~2 minute delay here)
Connection Closed

On the Linux machine, I put sshd logging in verbose and I only got a 'Connection from 10.1.1.1 port 7507 on 10.1.1.100 port 22 rdomain ""' message and then nothing else. tcpdump shows a couple of packets, then a 30 second delay, a few more packets exchanged and then nothing. So at least packets are getting through in both directions. Googling and searching this thread for 'return error need to revisit' gives nothing.

EDIT: Tracked this down by running sshd in full debug mode. The last thing that sshd sends to the 6450 is SSH2_MSG_NEWKEYS, and then it sits at expecting SSH2_MSG_NEWKEYS forever. Looking at the default /etc/ssh/ssh_host_rsa_key using ssh-keygen -lf revealed they're 3072-bit keys by default, which the ICX6450 can't handle.

So I just did a new ssh-keygen -t rsa -b 2048 and replaced the keys in /etc/ssh, and the ssh client on the switch can now connect to sshd on Linux. Still not sure what 'return error need to revisit' has to do with a bad key length, but it wouldn't be the first unhelpful error message I've ever seen.
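As an added example (not gridstop's tooling or anything from OpenSSH), the Python below reads OpenSSH public key lines such as /etc/ssh/ssh_host_rsa_key.pub, decodes the ssh-rsa wire format and reports the modulus size, the figure ssh-keygen -lf prints, flagging anything above the 2048 bits the post found the ICX6450 accepts. That threshold is taken from the post rather than from any vendor documentation; encode_rsa_pubkey exists only to construct sample input, and its moduli are arbitrary odd numbers, not real RSA keys.

```python
"""Report the RSA modulus size of OpenSSH public key lines (the one-line
'ssh-rsa AAAA...' form in /etc/ssh/ssh_host_rsa_key.pub), so a host key
larger than a legacy client can handle is caught before the session hangs
at SSH2_MSG_NEWKEYS. Added example, not the post's own tooling."""
import base64
import struct

# The size the thread found the ICX6450's SSH client copes with (taken
# from the post above, not a documented limit).
LEGACY_RSA_MAX_BITS = 2048


def _read_string(buf, off):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + length], off + length


def rsa_bits_from_pubkey_line(line):
    """Return the modulus bit length for an 'ssh-rsa <base64> [comment]' line.
    The blob is: string "ssh-rsa", mpint e, mpint n. An mpint is two's
    complement, so a leading 0x00 is sign padding and adds no bits."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob type does not match line prefix")
    _exponent, off = _read_string(blob, off)   # public exponent, not needed
    modulus, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    return int.from_bytes(modulus, "big", signed=True).bit_length()


def check_host_keys(lines, max_bits=LEGACY_RSA_MAX_BITS):
    """Return [(comment, bits, fits)] for each ssh-rsa line. Other key types
    (ssh-ed25519, ecdsa-*) are skipped: the size rule here is RSA-only."""
    results = []
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) < 2 or parts[0] != "ssh-rsa":
            continue
        bits = rsa_bits_from_pubkey_line(line)
        comment = parts[2].strip() if len(parts) > 2 else ""
        results.append((comment, bits, bits <= max_bits))
    return results


def encode_rsa_pubkey(e, n, comment=""):
    """Build an 'ssh-rsa' line from integers. Used here only to construct
    sample input: the moduli below are arbitrary odd numbers, NOT RSA keys."""
    def mpint(v):
        # ceil((bit_length + 1) / 8) bytes keeps the sign bit clear.
        raw = v.to_bytes((v.bit_length() + 8) // 8, "big")
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return f"{line} {comment}" if comment else line


# Constructed samples: the 3072-bit default gridstop hit, the 2048-bit key
# that worked, and a non-RSA line that must be skipped (placeholder blob,
# never decoded).
SAMPLE_HOST_KEYS = [
    encode_rsa_pubkey(65537, (1 << 3071) | 1, "root@linux-default-3072"),
    encode_rsa_pubkey(65537, (1 << 2047) | 1, "root@linux-regenerated-2048"),
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER root@linux-ed25519",
]

if __name__ == "__main__":
    for comment, bits, fits in check_host_keys(SAMPLE_HOST_KEYS):
        verdict = "ok" if fits else f"exceeds {LEGACY_RSA_MAX_BITS} bits"
        print(f"{comment}: {bits}-bit RSA, {verdict}")
```

To check a real server, pass the lines of /etc/ssh/ssh_host_rsa_key.pub to check_host_keys; an oversized key shows up as fits == False before a legacy client is pointed at the box, instead of as the two-minute hang the post describes.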
 
jasonwc (Member, Dec 31, 2018):

Quote:
So, those $13 Bidi 40gbE transceivers work with zero issues on the 6610. Also, he's accepting best offers of $8 - absolute steal. 40gb over regular cheap duplex singlemode fiber, thanks to @jasonwc for the find. auction - XQX2502 KAIAM QSFP+40G-LR4 Lite OPTICAL MODULE NEW PULLS | eBay (if link dies, search around for KAIAM XQX2502)

Code:
ICX6610-24P Router#show stack con
Probing the topology. Please wait ...
ICX6610-24P Router#
    standby      active
     +---+        +---+
  2/6| 2 |2/1==2/1| 1 |2/6
     +---+        +---+

trunk probe results: 1 links
Link 1: u1 -- u2, num=1
  1: 1/2/1 (T0) <---> 2/2/1 (T0)
Code:
ICX6610-24P Router#show media e 1/2/1
Port   1/2/1:Type  : 40G QSFP Module
Vendor Name: KAIAM CORP       Serial Num: KD60630129      Revision: 1A
ICX6610-24P Router#show media e 2/2/1
Port   2/2/1: Type  : 40G QSFP Module
             Vendor: KAIAM CORP         Version: 1A
             Part# :    Serial#: KD60628356
Code:
ICX6610-24P Router#ICX6610-24P Router#show int e 1/2/1
40GigabitEthernet1/2/1 is up, line protocol is up
  Port up for 10 minute(s) 31 second(s)
  Hardware is 40GigabitEthernet, address is cc4e.243d.3eff (bia cc4e.243d.3eff)
  Interface type is 40Gig Fiber
  Configured speed 40Gbit, actual 40Gbit, configured duplex fdx, actual fdx
Tested in all 4 ports as I recall talk of one port being higher power for ZR factory optics, and these work in all 4 slots including the 4x10gbE slots:

Code:
ICX6610-24P Router#show stack con
Probing the topology. Please wait ...
ICX6610-24P Router#
                 active
     +---+        +---+
  2/6| 2 |2/1==2/1| 1 |2/6
     +---+        +---+

trunk probe results: 1 links
Link 1: u1 -- u2, num=4
  1: 1/2/2 (T0) <---> 2/2/2 (T0)
  2: 1/2/3 (T0) <---> 2/2/3 (T0)
  3: 1/2/4 (T0) <---> 2/2/4 (T0)
  4: 1/2/5 (T0) <---> 2/2/5 (T0)
CPU to CPU packets are fine between 2 units.

These transceivers are an insane value! Not only do they work perfectly in both the ICX6610 AND the Mellanox ConnectX-3, but you also get digital optical monitoring data from ethtool. Moreover, it appears that the transceiver uses a maximum of 2.5W, which is about 1W less than the typical 10km 40G-LR4 modules I've seen. For example, Fiber Store's generic module reports ~3.5W as maximum power consumption.

Code:
root@storage-server:~# ethtool -m enp2s0
        Identifier                                : 0x0d (QSFP+)
        Extended identifier                       : 0x80
        Extended identifier description           : 2.5W max. Power consumption
        Extended identifier description           : No CDR in TX, No CDR in RX
        Extended identifier description           : High Power Class (> 3.5 W) not enabled
        Connector                                 : 0x07 (LC)
        Transceiver codes                         : 0x02 0x00 0x00 0x00 0x00 0x00 0x00 0x00
        Transceiver type                          : 40G Ethernet: 40G Base-LR4
        Encoding                                  : 0x00 (unspecified)
        BR, Nominal                               : 10300Mbps
        Rate identifier                           : 0x00
        Length (SMF,km)                           : 2km
        Length (OM3 50um)                         : 0m
        Length (OM2 50um)                         : 0m
        Length (OM1 62.5um)                       : 0m
        Length (Copper or Active cable)           : 0m
        Transmitter technology                    : 0x40 (1310 nm DFB)
        Laser wavelength                          : 1310.000nm
        Laser wavelength tolerance                : 6.500nm
        Vendor name                               : KAIAM CORP
        Vendor OUI                                : 14:ed:e4
        Vendor PN                                 : XQX2502
        Vendor rev                                : 1A
        Vendor SN                                 : KD60629247
        Date code                                 : 16062900
        Revision Compliance                       : SFF-8636 Rev 1.5
        Module temperature                        : 39.52 degrees C / 103.13 degrees F
        Module voltage                            : 3.2447 V
        Alarm/warning flags implemented           : No
        Laser tx bias current (Channel 1)         : 45.030 mA
        Laser tx bias current (Channel 2)         : 38.174 mA
        Laser tx bias current (Channel 3)         : 40.436 mA
        Laser tx bias current (Channel 4)         : 39.490 mA
        Transmit avg optical power (Channel 1)    : 1.4921 mW / 1.74 dBm
        Transmit avg optical power (Channel 2)    : 1.5180 mW / 1.81 dBm
        Transmit avg optical power (Channel 3)    : 1.4837 mW / 1.71 dBm
        Transmit avg optical power (Channel 4)    : 1.4863 mW / 1.72 dBm
        Rcvr signal avg optical power(Channel 1)  : 0.8646 mW / -0.63 dBm
        Rcvr signal avg optical power(Channel 2)  : 0.7799 mW / -1.08 dBm
        Rcvr signal avg optical power(Channel 3)  : 0.6020 mW / -2.20 dBm
        Rcvr signal avg optical power(Channel 4)  : 0.5647 mW / -2.48 dBm
It's pretty crazy how cheap 40G Ethernet has gotten. I picked up an HP 649281-B21 Mellanox ConnectX-3 for $30 on eBay and flashed it to the FCBT variant using your guide (also removed the crappy PXE ROM). In contrast, a single-port 10G Mellanox ConnectX-3 is about $25 and lacks DOM (ethtool -m provides no output even with Mellanox optics). I paid $10 each for the 40G-LR Lite transceivers and around $10 for a 20M OS2 duplex cable.

Thus far, the ICX6610 and ConnectX-3 cards have accepted every transceiver I've used.

Macroreer for Brocade 10G-SFPP-LR SFP+ ($7 on Ebay): Works with DOM
Curvature SFP-10G-LR-CURV 10GB 1310nm 10GBASE-LR: ($5 on Ebay in a lot of 4): Works but no DOM
ProLabs for Cisco SFP-10G-LR ($6 on Ebay): Works but no DOM
Brocade Genuine 10G-SFPP-LR 57-0000076-01 SFP+ LR ($5 ea. for a lot of 4) - As expected, works with DOM
Brocade Genuine 10G-SFPP-SR 57-0000075-01 10GB 10GBASE-SR ($5ea for a lot of 4) - As expected, works with DOM

Given that you can get 10G-LR SFP+ modules for $5 and these KAIAM 40G-LR4 Lite QSFP transceivers dramatically reduce the cost of 40G fiber connections, I'll probably use SMF for all my runs moving forward. It's just more future-proof. For my 150ft runs from my network closet to my upstairs bedrooms, FS OS2 duplex cables are $15 and MTP OM3 cables with 8 fibers are $184.

EDIT: There's also a seller offering genuine Brocade 57-10000263-01 40G-LR4 10km optics for $27 each if you buy 3. Presumably this would provide DOM and it's validated to work on the ICX6610.

rocketpanda40 (Member, Dec 12, 2019):

Any router peeps out there willing to lend a hand? I am configuring OSPF and having an issue with passive interfaces. I come from the Cisco world, where I would passive-default the config, then no-passive the links I want to form neighbors on. I see the passive default command in the Brocade but I can't figure out how to no-passive the interfaces I want. Transit VLAN specifically.

I did read the manual but it only references the passive-interface-default command and not how to enable an interface.

ip ospf active / ipv6 ospf active in the interface config, like so:

Code:
interface ve 69
  port-name transit
  ip ospf area 69
  ip ospf active
  ipv6 ospf area 69
  ipv6 ospf active