
Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)

kpfleming

Active Member
Dec 28, 2021
Pelham NY USA
Thank you, this works if I assign an IP to the VE. Obviously I am lacking in my understanding how this works.

What I am trying to do is have one /30 from ISP to /27 assigned to me. I was thinking to make two VLANs with one having the /30 network with its isp assigned GW and then another with my /27 routed to the /30 VLAN. I will need VE on both, right?

As what I have now is just a VLAN with nothing in it, connected to ISP and then pfsense with two interfaces doing the routing.

I am just learning this, and hope not to make some too complicated setup if a simple and fast one is better.
Yes, you will need a VE in both VLANs. One will have your ISP-assigned endpoint address from the /30 subnet, and the other will have one of the addresses from the /27 (which will be the gateway address for the other devices on that VLAN).
 

fohdeesha

Kaini Industries
Nov 20, 2016
fohdeesha.com
I only have the one, so no stack. If the eeprom in my 6450 is marginal, is it replaceable? I'd hate to have to fight with it every time it gets unplugged.
it's soldered to the board so not easily, but I doubt the EEPROM itself is going bad. Any writes to it (like serial eeprom commands) don't take effect until next boot, part of me wonders if you or someone else had run a bad serial command in the past while they were running, and it didn't **** up your license until you just now unplugged and replugged it. I'd power cycle them again to check, I have a feeling it'll be perfectly fine
 

Lone Wolf

Member
Apr 3, 2022
it's soldered to the board so not easily, but I doubt the EEPROM itself is going bad. Any writes to it (like serial eeprom commands) don't take effect until next boot, part of me wonders if you or someone else had run a bad serial command in the past while they were running, and it didn't **** up your license until you just now unplugged and replugged it. I'd power cycle them again to check, I have a feeling it'll be perfectly fine
I'm the only one who has logged into the switch, and the only time I ran the serial command was when I first set up the switch while following your guide. I've had the switch off several times since then - I replaced the fans a week or so ago so it was definitely unplugged at that point! No issues until yesterday. I guess I'll just keep an eye on it - at least if it messes up again I know how to fix it now :D
 

Paul Mew

New Member
Dec 31, 2019
Hi, I'm back with my baby steps with the 6450 and needing a little help please...

I'm more than a little embarrassed that I can't sort this myself, so please be gentle!

The back story for those who haven't seen my earlier posts is that I've swapped out my HP2910al for the ICX, mainly for noise and power reasons.

I had the 2910al configured quite happily with my pfsense and 4 VLANs, LAN/WiFi/IoT/CCTV.

Having brought my 6450 up to date with the help of the fine folk on here, I've spent the last week or so with just everything plugged in and working on the default VLAN.

First off, I attempted to just create VLAN 40, to take the CCTV cameras. And failed.

A few things that look a little different to that I've used before........... "Dual mode" and "Router Interface". I've read what the manual says, but I don't fully understand how it relates to what I'm trying to do...

If I create VLAN 40, do I need to select Router Interface v40 to match it?

The pfsense connects to the switch on 1/1/1. The cameras are on ports 1/1/40-1/1/48. I assumed that I just needed to create my VLAN 40, assign 40-48 as untagged ports and 1/1/1 as a tagged port and all would be well.

Unfortunately not. When I assign 1/1/1 in any form (tagged,untagged or Dual) to VLAN 40, it takes down my connection to pfsense although I can still communicate with the switch via the GUI.

Any pointers please?

TIA

Paul

[Attachments: cctv.JPG, device.JPG, VLAN.JPG]
 

itronin

Well-Known Member
Nov 24, 2018
Denver, Colorado
@Paul Mew

when you were using the HP (pffftt) switch - how many physical interconnections did you have between your pfsense and your switch?
How was your HP (pfffft) switch configured? How was pfsense configured? What changes have you already made in pfsense since switching over.
At a simplistic level you should be able to leave pfsense "how it was" and make it work with the ICX.

Does pfsense have vlans configured against the interface going to the ICX switch? if so detail as to how they are configured... If your pfsense has multiple interfaces you may want to consider starting off with untagged vlan ports and using 1:1 interface from pfsense to switch - get that working and then move to tagged vlans and fewer interfaces. Added benefit of not killing your Internet while you figure this stuff out.

starting simple and going complex will get you where you need to go. But trying to run a marathon before you've run a 10k will likely be way more challenging.
 

Paul Mew

New Member
Dec 31, 2019
Thanks, i think I'm already doing some of your suggestions..........

I was running a virtual pfsense on an Unraid server. It had a quad port nic passed through to it and each vlan had a physical connection to the switch.

Another part of my "change down" was to have a dedicated low power machine for pfsense. In my case, it's a Dell R210ii with a low power Xeon and just the two onboard NICs for now. That was sufficiently different for me to start again with pfsense with an absolutely basic "default" install. The only extra above the minimum is the one VLAN and a couple of packages. See images. CCTV has a DHCP server enabled and a wide open rule set, just like the LAN.
pfsense dash.JPG
pfsense.JPG

So, I did indeed start with nothing other than the LAN plugged into 1/1/1 and every device attached the default VLAN...... That works.... no problem.

I think I'm at your last comment.... I'm now trying to segregate the cameras onto their own VLAN(40)...... but what worked on the HP doesn't work here.... I suppose what I really need to know is how to amend my example above to bring those 40-48 ports onto VLAN 40 to let pfsense do its thing.

Cheers,

Paul

p.s. This is where I was...........

my network.JPG
 

itronin

Well-Known Member
Nov 24, 2018
Denver, Colorado
Edited with correction after I looked it up.

@Paul Mew

didn't reply cause I didn't want to edit out the graphics and such in my reply. Okay - the change in pfsense platform was good to know. apologies if I seemed overly harsh. but that does help me understand your original question.

Are you attempting to use the 6450 as just a L2 switch right now? If so you do not need to configure router interfaces in the 6450. typically you have a parent interface (bce1) and then you define the rest of your vlan interfaces, 1, 40 and so on. BUT - what about my gui? chicken and the egg or you need to use the head on your pfsense box... chicken and the egg 'cause if you don't get it right you won't have internet to look for help on how to config what you want. the example I gave you above you would need to configure tagging for vlan 1 and vlan 40 on 1/1/1. question is when do you do that?

digression...
Unfortunately not. When I assign 1/1/1 in any form (tagged,untagged or Dual) to VLAN 40, it takes down my connection to pfsense although I can still communicate with the switch via the GUI.
assigning 1/1/1 untagged to VLAN 40 will absolutely take down your connection to pfsense and it will also kill your connection at pfsense to VLAN40 - dead. tagging VLAN 40 will cause vlan 1 packets to get tagged (I believe) unless you use dual-mode (which is to say untagged traffic goes to this vlan and in your case - trying to use 1).

end digression...

at the beginning of course. my guess is you configured it as LAN during the pfsense setup see the link I referenced above.

also your labels may cause you some confusion though I think it's a valid key/clue to where you are at. FWIW, that quad port NIC would be handy in a pfsense box.

However if you are going to only have 2 interfaces (which is fine) and want to use the 6450 as a core router/switch then I recommend to simply establish a "transit vlan". This will require you to use the 6450 as a L3 device (core router and it will need a default g/w configured going to the pfsense connected interface). The plus side is that inter vlan traffic routes at switch speed. there are some down-sides. no pfsense providing DHCP, must implement any inter vlan restrictions via access lists in the 6450. Note to me these aren't really down sides but they may be to you.

so it may be truly better to understand your final desired state with all vlans to help you get there from here.

However

Without going into what you really want to build then if you want to start small and use the pfsense box for routing - you can but you'll need to reconfigure to use vlans (1, and 40) from the get go - though you can probably reconfigure and not need to re-install by using the head on the box.

your bce1 will need to be "physical" use vlans, configure vlan 1 (if that is what you are using for most of your trusted ports) and then vlan 40 both as tagged on bce 1.

1/1/1 will be tagged for 1 and 40 can't remember whether you will need to set up a dummy vlan or not. don't think so but vlan 1 is kinda funny about certain things...

I can see how you came out thinking about dual-mode (or pvid or native vlan)... My recollection is that pfsense does not support that model.

last bit of advice. If possible also avoid using vlan 1 Or "The DEFAULT VLAN" there's some magic sometimes with that. that said sometimes you have to cause some devices (usually older that say they support vlans) don't really do well except using vlan 1...

I realize this rambled a little bit. sorry.
 

itronin

Well-Known Member
Nov 24, 2018
Denver, Colorado
@Paul Mew

so dual-mode is a Brocade-specific way of having tagged and untagged vlans on the same port. You want 1/1/1 to be dual-mode allowing it to pass untagged vlan1 and tagged vlan40. Basically follow example 1 below in the link below and substitute vlan 40 and 1/1/1 in.

@Paul Mew yep. looking it up pfsense can handle untagged traffic and tagged traffic as configured and I was wrong about whether it could or could not. Though as to it being recommended there are some rather emphatic arguments about not doing it that way as well as not using vlan 1.

@Vesalius has provided the deets on how to configure this in the 6450.
 
Reactions: Paul Mew
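
The layout discussed in the posts above (cameras untagged in VLAN 40 on 1/1/40 to 1/1/48, pfSense uplink on 1/1/1 carrying untagged default-VLAN traffic plus tagged VLAN 40), written out as an added example that is not from any poster in this thread. It assumes a FastIron release that still has dual-mode and a default VLAN of 1; the VLAN name CCTV is made up for illustration.

```text
! Constructed example: ICX 6450 used as a pure L2 switch.
! No "router-interface ve 40" is configured, because pfSense
! routes between the VLANs.
configure terminal
!
vlan 40 name CCTV by port
 ! pfSense uplink: VLAN 40 frames leave this port with an 802.1Q tag
 tagged ethernet 1/1/1
 ! camera ports: untagged access ports in VLAN 40
 untagged ethernet 1/1/40 to 1/1/48
 exit
!
interface ethernet 1/1/1
 ! With no VLAN ID given, untagged frames on this port stay in the
 ! default VLAN, so the existing pfSense LAN keeps working while
 ! VLAN 40 remains tagged on the same port.
 dual-mode
 exit
!
end
! Check port membership and tagging before saving.
show vlan 40
show interfaces brief
write memory
```

On the pfSense side the matching piece is a VLAN 40 interface on the NIC that faces 1/1/1. Keeping the camera ports untagged in VLAN 40 only means inter-VLAN traffic has to pass the pfSense rule set.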

Paul Mew

New Member
Dec 31, 2019
Thanks so much for the detailed reply.

The aim is eventually to put the quad NIC back in (...it's in the post) but I guessed that starting with just the one physical connection would keep it as simple as possible.

Yes, I believe I do just want to use it as a switch and let pfsense do the routing. It seems as though I stumbled naively through with the HP2910 as it seems to be closer to the consumer stuff I've worked with before and possibly it's more intuitive to a rookie like me.....

I'll take some time to digest what you've said and have an experiment.......

One point I'm still in the dark with though is the application of the "Router Interface" selection in the VLAN setup? I still haven't a clue as to what value, if any, to make when setting up the VLAN.

Cheers,

Paul
 

itronin

Well-Known Member
Nov 24, 2018
Denver, Colorado
edit - grammar clarification

One point I'm still in the dark with though is the application of the "Router Interface" selection in the VLAN setup? I still haven't a clue as to what value, if any, to make when setting up the VLAN.
Only if you were going to use the 6450 to handle L3 routing for your inter-vlan traffic.
You will be routing inter-vlan traffic through pfsense.
 
Reactions: Paul Mew

Vesalius

Active Member
Nov 25, 2019
@Paul Mew yep. looking it up pfsense can handle untagged traffic and tagged traffic as configured and I was wrong about whether it could or could not. Though as to it being recommended there are some rather emphatic arguments about not doing it that way as well as not using vlan 1.

@Vesalius has provided the deets on how to configure this in the 6450.
I would second being cautious of vlan 1. @Paul Mew - you can always add a different vlan on the 6450 for your LAN (let’s say 10) later and then just changing port 1/1/1 with dual-mode 10 will get the pfSense side of that equation sorted.
 
Reactions: Paul Mew

klui

Well-Known Member
Feb 3, 2019
Dual mode is only applicable to older ICX 6000-series switches and older FW on ICX 7000 series. If you get a 7xxx and use version 8.0.80 and newer FW there is no more dual mode.
 
Reactions: Vesalius

kpfleming

Active Member
Dec 28, 2021
Pelham NY USA
Dual mode is only applicable to older ICX 6000-series switches and older FW on ICX 7000 series. If you get a 7xxx and use version 8.0.80 and newer FW there is no more dual mode.
Just to be clear: the 'dual mode' is no longer required to support tagged and untagged traffic on the same port. The functionality still exists, it just doesn't have that name.
 

klui

Well-Known Member
Feb 3, 2019
That's just being pedantic. Of course the ability exists to have tagged and untagged VLANs on a port. The functionality is just using industry standard syntax with a caveat.

 

kpfleming

Active Member
Dec 28, 2021
Pelham NY USA
Indeed it is being pedantic, but given the number of relatively-newbie networking people in this thread, I thought it might be useful to be clear that the functionality still exists, it's just named differently :)
 
Reactions: Lone Wolf