@fohdeesha were you not impressed by my tape mod?
drops temps 10% on the 6450
edit: i wanted to impress you now that your picture shows how pretty you are, and i thought maybe we could be an item? ;]
Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)
- Thread starter fohdeesha
- Start date
Notice: Page may contain affiliate links for which we may earn a small commission through services like Amazon Affiliates or Skimlinks.
Yes, you will need a VE in both VLANs. One will have your ISP-assigned endpoint address from the /30 subnet, and the other will have one of the addresses from the /27 (which will be the gateway address for the other devices on that VLAN).
I only have the one, so no stack. If the eeprom in my 6450 is marginal, is it replaceable? I'd hate to have to fight with it every time it gets unplugged.
it's soldered to the board so not easily, but I doubt the EEPROM itself is going bad. Any writes to it (like serial eeprom commands) don't take effect until next boot, part of me wonders if you or someone else had ran a bad serial command in the past while they were running, and it didn't **** up your license until you just now unplugged and replugged it. I'd power cycle them again to check, I have a feeling it'll be perfectly fine
I'm the only one who has logged into the switch, and the only time I ran the serial command was when I first set up the switch while following your guide. I've had the switch off several times since then - I replaced the fans a week or so ago so it was definitely unplugged at that point! No issues until yesterday. I guess I'll just keep an eye on it - at least if it messes up again I know how to fix it now
Hi, I'm back with my baby steps with the 6450 and needing a little help please...
I'm more than a little embarassed that I can't sort this myself, so please be gentle!
The back story for those who haven't seen my earlier posts is that I've swapped out my HP2910al for the ICX, mainly for noise and power reasons.
I had the 2910al configured quite happily with my pfsense and 4 VLANs, LAN/WiFi/IoT/CCTV.
Having brought my 6450 up to date with the help of the fine folk on here, I've spent the last week or so with just everything plugged in and working on the default VLAN.
First off, I attempted to just create VLAN 40, to take the CCTV cameras. And failed.
A few things that look a little different to that I've used before........... "Dual mode" and "Router Interface". I've read what the manual says, but I don't fully understand how it relates to what I'm trying to do...
If I create VLAN 40, do I need to select Router Interface v40 to match it?
The pfsense connects to the switch on 1/1/1. The cameras are on ports 1/1/40-1/1/48. I assumed that I just needed to create my VLAN 40, assign 40-48 as untagged ports and 1/1/1 as a tagged port and all would be well.
Unfortunately not. When I assign 1/1/1 in any form (tagged,untagged or Dual) to VLAN 40, it takes down my connection to pfsense although I can still communicate with the switch via the GUI.
Any pointers please?
TIA
Paul
I'm more than a little embarassed that I can't sort this myself, so please be gentle!
The back story for those who haven't seen my earlier posts is that I've swapped out my HP2910al for the ICX, mainly for noise and power reasons.
I had the 2910al configured quite happily with my pfsense and 4 VLANs, LAN/WiFi/IoT/CCTV.
Having brought my 6450 up to date with the help of the fine folk on here, I've spent the last week or so with just everything plugged in and working on the default VLAN.
First off, I attempted to just create VLAN 40, to take the CCTV cameras. And failed.
A few things that look a little different to that I've used before........... "Dual mode" and "Router Interface". I've read what the manual says, but I don't fully understand how it relates to what I'm trying to do...
If I create VLAN 40, do I need to select Router Interface v40 to match it?
The pfsense connects to the switch on 1/1/1. The cameras are on ports 1/1/40-1/1/48. I assumed that I just needed to create my VLAN 40, assign 40-48 as untagged ports and 1/1/1 as a tagged port and all would be well.
Unfortunately not. When I assign 1/1/1 in any form (tagged,untagged or Dual) to VLAN 40, it takes down my connection to pfsense although I can still communicate with the switch via the GUI.
Any pointers please?
TIA
Paul
@Paul Mew
when you were using the HP (pffftt) switch - how many physical interconnections did you have between your pfsense and your switch?
How was your HP (pfffft) switch configured? How was pfsense configured? What changes have you already made in pfsense since switching over.
At a simplistic level you should be able to leave pfsense "how it was" and make it work with the ICX.
Does pfsense have vlans configured against the interface going to the ICX switch? if so detail as to how they are configured... If your pfsense has multiple interfaces you may want to consider starting off with untagged vlan ports and using 1:1 interface from pfsense to swtich - get that working and then move to tagged vlans and fewer interfaces. Added benefit of not killing your Internet while you figure this stuff out.
starting simple and going complex will get you where you need to go. But trying to run a marathon before you've run a 10k will likely be way more challenging.
when you were using the HP (pffftt) switch - how many physical interconnections did you have between your pfsense and your switch?
How was your HP (pfffft) switch configured? How was pfsense configured? What changes have you already made in pfsense since switching over.
At a simplistic level you should be able to leave pfsense "how it was" and make it work with the ICX.
Does pfsense have vlans configured against the interface going to the ICX switch? if so detail as to how they are configured... If your pfsense has multiple interfaces you may want to consider starting off with untagged vlan ports and using 1:1 interface from pfsense to swtich - get that working and then move to tagged vlans and fewer interfaces. Added benefit of not killing your Internet while you figure this stuff out.
starting simple and going complex will get you where you need to go. But trying to run a marathon before you've run a 10k will likely be way more challenging.
Thanks, i think I'm already doing some of your suggestions..........
I was running a virtual pfsense on an Unraid server. It had a quad port nic passed through to it and each vlan had a physical connection to the switch.
Another part of my "change down" was to have a dedicated low power machine for pfsense. In my case, it's a Dell R210ii with a low power Xeon and just the two onboard NICs for now. That was sufficiently different for me to start again with pfsense with an absolutely basic "default" install. The only extra above the minimum is the one VLAN and a couple of packages. See images. CCTV has a DHCP server enabled and a wide open rule set, just like the LAN.
So, I did indeed start with nothing other than the LAN plugged into 1/1/1 and every device attached the default VLAN...... That works.... no problem.
I think I'm at your last comment.... I'm now trying to segregate the cameras onto it's own VLAN(40)...... but what worked on the HP doesnt work here.... I suppose what I really need to know is how to amend my example above to bring those 40-48 ports onto VLAN 40 to let pfsense do it's thing.
Cheers,
Paul
p.s. This is where I was...........
I was running a virtual pfsense on an Unraid server. It had a quad port nic passed through to it and each vlan had a physical connection to the switch.
Another part of my "change down" was to have a dedicated low power machine for pfsense. In my case, it's a Dell R210ii with a low power Xeon and just the two onboard NICs for now. That was sufficiently different for me to start again with pfsense with an absolutely basic "default" install. The only extra above the minimum is the one VLAN and a couple of packages. See images. CCTV has a DHCP server enabled and a wide open rule set, just like the LAN.
So, I did indeed start with nothing other than the LAN plugged into 1/1/1 and every device attached the default VLAN...... That works.... no problem.
I think I'm at your last comment.... I'm now trying to segregate the cameras onto it's own VLAN(40)...... but what worked on the HP doesnt work here.... I suppose what I really need to know is how to amend my example above to bring those 40-48 ports onto VLAN 40 to let pfsense do it's thing.
Cheers,
Paul
p.s. This is where I was...........
Last edited:
Edited with correction after I looked it up.
@Paul Mew
didn't reply cause I didn't want to edit out the graphics and such in my reply. Okay - the change in pfsense platform was good to know. apologies if I seemed overly harsh. but that does help me understand your original question.
Are you attempting to use the 6450 as just a L2 switch right now? If so you do not need to configure router interfaces in the 6450. typically you have a parent interface (bce1) and then you define the rest of your vlan interfaces, 1, 40 and so on. BUT - what about my gui? chicken and the egg or you need to use the head on your pfsense box... chicken and the egg 'cause if you don't get it right you won't have internet to look for help on how to config what you want. the example I gave you above you would need to configure tagging for vlan 1 and vlan 40 on 1/1/1. question is when do you do that?
digression...
end digression...
at the beginning of course. my guess is you configured it as LAN during the pfsense setup see the link I referenced above.
also your labels may cause you some confusion though I think its a valid key/clue to where you are at. FWIW, that quad port NIC would be handy in a pfsense box.
However if you are going to only have 2 interfaces (which is fine) and want to use the 6450 as a core router/switch then I recommend to simply establish a "transit vlan" This will require you to use the 6450 as a L3 device (core router and it will need a default g/w configured going to the pfsense connected interface). The plus side is that inter vlan traffic routes at switch speed. there are some down-sides. no pfsense providing DHCP, must impelment any inter vlan restrictions via access lists in the 6450. Note to me these aren't really down sides but they may be to you.
so it may be truly better to understand your final desired state with all vlans to help you get there from here.
However
Without going into what you really want to build then if you want to start small and use the pfsense box for routing - you can but you'll need to reconfigure to use vlans (1, and 40) from the get go - though you can probably reconfigure and not need to re-install by using the head on the box.
your bce1 will need to be "physical" use vlans, configure vlan 1 (if that is what you are using for most of your trusted ports) and then vlan 40 both as tagged on bce 1.
1/1/1 will be tagged for 1 and 40 can't remember whether you will need to set up a dummy vlan or not. don't think so but vlan 1 is kinda funny about certain things...
I can see how you came out thinking about dual-mode (or pvid or native vlan)...My recollection is that pfsense does not support that model.
last bit of advice. If possible also avoid using vlan 1 Or "The DEFAULT VLAN" there's some magic sometimes with that. that said sometimes you have to cause some devices (usually older that say they support vlans) don't really do well except using vlan 1...
I realize this rambled a little bit. sorry.
@Paul Mew
didn't reply cause I didn't want to edit out the graphics and such in my reply. Okay - the change in pfsense platform was good to know. apologies if I seemed overly harsh. but that does help me understand your original question.
Are you attempting to use the 6450 as just a L2 switch right now? If so you do not need to configure router interfaces in the 6450. typically you have a parent interface (bce1) and then you define the rest of your vlan interfaces, 1, 40 and so on. BUT - what about my gui? chicken and the egg or you need to use the head on your pfsense box... chicken and the egg 'cause if you don't get it right you won't have internet to look for help on how to config what you want. the example I gave you above you would need to configure tagging for vlan 1 and vlan 40 on 1/1/1. question is when do you do that?
digression...
assigning 1/1/1 untagged to VLAN 40 will absolutely take down your connection to pfsense and it will also kill your connection to at pfsense to VLAN40 - dead. tagging VLAN 40 will cause vlan 1 packets to get tagged (I believe) unless you use dual-mode (which is to say untagged traffic goes to this vlan and in your case - trying to use 1).
end digression...
at the beginning of course. my guess is you configured it as LAN during the pfsense setup see the link I referenced above.
also your labels may cause you some confusion though I think its a valid key/clue to where you are at. FWIW, that quad port NIC would be handy in a pfsense box.
However if you are going to only have 2 interfaces (which is fine) and want to use the 6450 as a core router/switch then I recommend to simply establish a "transit vlan" This will require you to use the 6450 as a L3 device (core router and it will need a default g/w configured going to the pfsense connected interface). The plus side is that inter vlan traffic routes at switch speed. there are some down-sides. no pfsense providing DHCP, must impelment any inter vlan restrictions via access lists in the 6450. Note to me these aren't really down sides but they may be to you.
so it may be truly better to understand your final desired state with all vlans to help you get there from here.
However
Without going into what you really want to build then if you want to start small and use the pfsense box for routing - you can but you'll need to reconfigure to use vlans (1, and 40) from the get go - though you can probably reconfigure and not need to re-install by using the head on the box.
your bce1 will need to be "physical" use vlans, configure vlan 1 (if that is what you are using for most of your trusted ports) and then vlan 40 both as tagged on bce 1.
1/1/1 will be tagged for 1 and 40 can't remember whether you will need to set up a dummy vlan or not. don't think so but vlan 1 is kinda funny about certain things...
I can see how you came out thinking about dual-mode (or pvid or native vlan)...
last bit of advice. If possible also avoid using vlan 1 Or "The DEFAULT VLAN" there's some magic sometimes with that. that said sometimes you have to cause some devices (usually older that say they support vlans) don't really do well except using vlan 1...
I realize this rambled a little bit. sorry.
Last edited:
@Paul Mew
so dual-mode is brocade specific way of having tagged and untagged vlans on the same port. You want 1/1/1 to be dual-mode allowing it to pass untagged vlan1 and tagged vlan40. Basically follow example 1 below in the link below and substitute vlan 40 and 1/1/1 in.
docs.commscope.com
so dual-mode is brocade specific way of having tagged and untagged vlans on the same port. You want 1/1/1 to be dual-mode allowing it to pass untagged vlan1 and tagged vlan40. Basically follow example 1 below in the link below and substitute vlan 40 and 1/1/1 in.
Commscope Technical Content Portal
@Paul Mew yep. looking it up pfsense can handle untagged traffic and tagged traffic as configured and I was wrong about whether it could or could not. Though as to it being recommended there are some rather emphatic arguments about not doing it that way as well as not using vlan 1.@Paul Mew
so dual-mode is brocade specific way of having tagged and untagged vlans on the same port. You want 1/1/1 to be dual-mode allowing it to pass untagged vlan1 and tagged vlan40. Basically follow example 1 below in the link below and substitute vlan 40 and 1/1/1 in.
Commscope Technical Content Portal
@Vesalius has provided the deets on how to configure this in the 6450.
Thanks so much for the detailed reply.
The aim is eventually to put the quad NIC back in (...it's in the post) but I guessed that starting with just the one physical connection would keep it as simple as possible.
Yes, I believe I do just want to use it as a switch and let pfsense do the routing. It seems as though I stumbled naively through with the HP2910 as it seems to be closer to the consumer stuff I've worked with before and possibly it's more intuitive to a rookie like me.....
I'll take some time to digest what you've said and have an experiment.......
One point I'm still in the dark with though is the application of the "Router Interface" selection in the VLAN setup? I still haven't a clue as to what value, if any, to make when setting up the VLAN.
Cheers,
Paul
The aim is eventually to put the quad NIC back in (...it's in the post) but I guessed that starting with just the one physical connection would keep it as simple as possible.
Yes, I believe I do just want to use it as a switch and let pfsense do the routing. It seems as though I stumbled naively through with the HP2910 as it seems to be closer to the consumer stuff I've worked with before and possibly it's more intuitive to a rookie like me.....
I'll take some time to digest what you've said and have an experiment.......
One point I'm still in the dark with though is the application of the "Router Interface" selection in the VLAN setup? I still haven't a clue as to what value, if any, to make when setting up the VLAN.
Cheers,
Paul
Thanks for the lead! I'm heading right over there.@Paul Mew
so dual-mode is brocade specific way of having tagged and untagged vlans on the same port. You want 1/1/1 to be dual-mode allowing it to pass untagged vlan1 and tagged vlan40. Basically follow example 1 below in the link below and substitute vlan 40 and 1/1/1 in.
Commscope Technical Content Portal
edit - grammar clarification
You will be routing inter-vlan traffic through pfsense.
Only if you were going to use the 6450 to handle L3 routing for your inter-vlan traffic.
You will be routing inter-vlan traffic through pfsense.
I would second being cautious of vlan 1. @Paul Mew - you can always add a different vlan on the 6450 for your LAN (let’s say 10) later and then just changing port 1/1/1 with
dual-mode 10 will get the pfSense side of that equation sorted.
Last edited:
Just to be clear: the 'dual mode' is no longer required to support tagged and untagged traffic on the same port. The functionality still exists, it just doesn't have that name.