
Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)

fohdeesha

Kaini Industries
Nov 20, 2016
2,587
2,776
113
31
fohdeesha.com
Let us know how it goes!
just finished, copy-pasting what I DMd him:


so it looks like it was some corrupted chassis metadata cache under linux, I cleaned out every single file in the temporary filesystem mount, and it's now reading correctly and came up with the right serial and LID:
Code:
ICX6450-48P-Router>show pid-prom
-cut-for-privacy-
I had no idea fastiron seems to keep some kind of record of chassis eeprom data on the filesystem, but it definitely seems to. not sure if it was /fast_iron/cvpersistent, /fast_iron/meta_data.bin, or /fast_iron/cvpersistent, but it was definitely one of these that had some bad values in them. clearing them and having fastiron regen them on next boot seems to have totally fixed everything. I suspect maybe one of these was in the middle of getting written to when your first power outage occurred

doing this wiped everything off the switch, so you'll need to reconfigure everything then re-import the licenses - but they should work perfectly now. Just to be sure, I would first pull power from the switch for a minute or so, then repower it. once it's back up, run "show pid-prom" and check that the values are still what I pasted above, and haven't gone blank again - to ensure it's not some cold-boot phenomenon
 

Lone Wolf

Member
Apr 3, 2022
47
9
8
Much appreciated, Fohdeesha, for helping a guy out on a Sunday evening! I'll throw a little at your liquor fund again, as you saved me from having a bum switch! Many thanks.
 
  • Love
Reactions: fohdeesha

fohdeesha

Kaini Industries
Nov 20, 2016
2,587
2,776
113
31
fohdeesha.com
Looks like it's only applicable for newer gen switches per Accessing Linux - Fohdeesha Docs 6450, 6650, 7xxx only.

Hopefully won't affect older gens like 6610, FCX, GS...
since those older gens aren't running linux (which is why accessing linux does not work on them :p) they're definitely not caching metadata under linux (and if the monolithic fastiron app that boots is, it's entirely wiped out by a primary slot OS reflash)
 

casperghst42

Member
Sep 14, 2015
71
13
8
54
Is it possible to set the switch up with more than one SSH public key? I don't share private keys across my machines, but it'd be nice to be able to SSH into the switch from more than one computer.
Normally what you do, is that you create an ssh key for only this, which you then distribute to the people and/or computers who/which need it.

Or if this is an enterprise environment, then maybe a PAM solution could be used.
 
  • Like
Reactions: danb35

tangent

New Member
Feb 7, 2020
7
1
3
Hello!

I've got an icx7250 running my network core

After a power outage, my switch which had happily been running for a year straight seems to have forgotten its license!

What's worse, when I type "license" and hit tab, the only option is "delete" and "license install" is giving invalid syntax errors!

Google has not helped me. I can't easily post command output since I can only easily console into the switch at the moment and I am posting from my phone...

Edit: ok so this is fun. Looks like the primary flash got corrupted, and it is falling back to secondary flash which does not support honor-based licensing. I should be good once I re-flash it with the right version.
 

fohdeesha

Kaini Industries
Nov 20, 2016
2,587
2,776
113
31
fohdeesha.com
Hello!

I've got an icx7250 running my network core

After a power outage, my switch which had happily been running for a year straight seems to have forgotten its license!

What's worse, when I type "license" and hit tab, the only option is "delete" and "license install" is giving invalid syntax errors!

Google has not helped me. I can't easily post command output since I can only easily console into the switch at the moment and I am posting from my phone...
Sounds like it reverted to booting from the secondary firmware slot, which has an old version from before licenses were made free. You can verify by running show version and see what it's running. If it's old it might have gotten rid of some of your config too. Just follow the guide to flash the new firmware back to primary again, and ensure it's set to boot from primary (if it's booting from secondary, you may have to knock some sense into it by running "boot system flash primary" at the configure terminal level, then write mem to save it)
 
  • Like
Reactions: tangent

tangent

New Member
Feb 7, 2020
7
1
3
Yup, and the best part is that most of my key devices (router, fileserver with config backup, etc) were connected to the 10g ports :rolleyes:

It was due for an upgrade anyway.

Thanks for all your support!
 
  • Like
Reactions: fohdeesha

adman_c

Active Member
Feb 14, 2016
156
71
28
Chicago
Done. Now about to try my hand at some paper clip MPO trunks.

thanks again!

I’ll post some pics of our setup when we’re done. Setting up some 40G uplinks for our Truenas box to serve video and rendering editors.
Sheeit. All this time and I've just been freeloading! Donated!

Anyone think we'll start to see more 7250 models showing up on ebay now that they've been emergency suddenly EOL'd discontinued? Or do we think that folks will hang on to them since there's no current equivalent for a 24/48 port switch with > 4 sfp+ slots without going all the way up to the 7450. (Edited that for more accuracy).

Oh, and sorry to bump my own question, but does anyone have any ideas why I can't seem to get my 7250 to route properly?
OK. I've been banging my head against this for a bunch of hours and I would love it if someone could just point out where I'm being dumb. I cannot for the life of me get my 7250 to route between VLANs. I'm running pfsense/opnsense (virtualized and switching back and forth between the two while I get my opnsense install fully operational--for the purposes of this question, it doesn't matter which firewall I'm running). I have a bunch of VLANs--more than I need, but whatever. 3 of the VLANs are trusted, and I want to be able to route between them via the switch rather than going out to the firewall. The rest of the VLANs I want to go ahead and use the firewall to the extent there needs to be routing between them (rare), because I'm substantially more comfortable with filter rules than ACLs. At the bottom of this message is my current running config, and here is the output of 'sh ip route':
Code:
SSH@coreswitch(config)#sh ip route
Total number of IP routes: 6
Type Codes - B:BGP D:Connected O:OSPF R:RIP S:Static; Cost - Dist/Metric
BGP  Codes - i:iBGP e:eBGP
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2
STATIC Codes - v:Inter-VRF
        Destination        Gateway         Port          Cost          Type Uptime
1       0.0.0.0/0          172.16.2.1      ve 2162       1/1           S    10h49m
2       10.10.10.0/24      DIRECT          ve 1010       0/0           D    10h49m
3       172.16.1.0/24      DIRECT          ve 2161       0/0           D    10h49m
4       172.16.2.0/24      DIRECT          ve 2162       0/0           D    10h49m
5       192.168.0.0/24     DIRECT          ve 2          0/0           D    10h49m
6       192.168.10.0/24    DIRECT          ve 10         0/0           D    10h49m
The three VLANs between which I want to route are 2, 10, and 1010. 2161 and 2162 are transit VLANs for WAN and LAN, respectively. When I set the gateway on any of the trusted VLANs for the firewall (X.X.X.1), everything works as expected. The firewall routes between VLANs according to my rules and I can get out to the internet. On the other hand, when I set the gateway on any of the trusted VLANs for the switch (X.X.X.254), I cannot reach one subnet from another. SSH/HTTPS are both inaccessible between local subnets. However, going out to the internet works, and for some reason I can ping between local subnets. This behavior is the same whether I'm running pfsense or opnsense, and even if I yank the LAN transit cable between the switch and the firewall.

At this point I'm ready to give up and just let the firewall handle all the routing, even though it's not quite up to the task of linespeed routing. As an aside, how much CPU do you need to max iperf on 10gbe? Brief testing I can get ~7gbit with my i3-8100t.

Anyway, any suggestions would be awesome.

Thanks!

Code:
SSH@coreswitch>sh run
Current configuration:
!
ver 08.0.95fT213
!
stack unit 1
  module 1 icx7250-24p-poe-port-management-module
  module 2 icx7250-sfp-plus-8port-80g-module
!
!
global-stp
!
!
!
vlan 1 name DEFAULT-VLAN by port
spanning-tree
!
vlan 2 name infra by port
tagged ethe 1/2/2 to 1/2/4
untagged ethe 1/1/2 to 1/1/3 ethe 1/1/5 to 1/1/7 ethe 1/1/15 ethe 1/1/20 to 1/1/21 ethe 1/1/24
router-interface ve 2
spanning-tree
!
vlan 10 name home by port
tagged ethe 1/1/2 ethe 1/1/7 ethe 1/1/15 ethe 1/1/20 to 1/1/21 ethe 1/1/24 ethe 1/2/2 to 1/2/4
untagged ethe 1/1/4 ethe 1/1/8 to 1/1/9 ethe 1/1/11 ethe 1/1/14 ethe 1/1/16 ethe 1/2/5
router-interface ve 10
spanning-tree
!
vlan 11 name voip by port
tagged ethe 1/1/2 ethe 1/1/15 ethe 1/1/20 to 1/1/21 ethe 1/1/24 ethe 1/2/2
untagged ethe 1/1/12 ethe 1/1/18
spanning-tree
!
vlan 12 name guest by port
tagged ethe 1/1/2 ethe 1/1/15 ethe 1/1/20 to 1/1/21 ethe 1/1/24 ethe 1/2/2
spanning-tree
!
vlan 20 name kids by port
tagged ethe 1/1/2 ethe 1/1/5 ethe 1/1/15 ethe 1/1/20 to 1/1/21 ethe 1/1/24 ethe 1/2/2
spanning-tree
!
vlan 30 name IOT by port
tagged ethe 1/1/2 ethe 1/1/7 ethe 1/1/15 ethe 1/1/20 to 1/1/21 ethe 1/1/24 ethe 1/2/2 to 1/2/4
untagged ethe 1/1/13 ethe 1/1/17 ethe 1/1/19 ethe 1/1/22 to 1/1/23 ethe 1/2/7
spanning-tree
!
!
vlan 999 by port
tagged ethe 1/1/24 ethe 1/2/2
!
vlan 1010 name data by port
tagged ethe 1/1/2 ethe 1/1/15 ethe 1/1/20 to 1/1/21 ethe 1/1/24 ethe 1/2/2
untagged ethe 1/2/3 to 1/2/4
router-interface ve 1010
spanning-tree
!
!
!
!
vlan 2161 name wansit_176_16_1 by port
untagged ethe 1/2/1
router-interface ve 2161
!
vlan 2162 name lansit_176_16_2 by port
untagged ethe 1/2/2
router-interface ve 2162
!
vlan 2222 name wan_vlan by port
tagged ethe 1/2/1
untagged ethe 1/1/1
spanning-tree
!
!
!
vlan 3333 name 5g_wan_vlan by port
tagged ethe 1/1/24 ethe 1/2/1
untagged ethe 1/1/10
spanning-tree
!
!
!
!
!
!
!
!
aaa authentication web-server default local
aaa authentication login default local
enable aaa console
hostname coreswitch
ip dhcp-client disable
ip dns server-address 192.168.0.1
ip route 0.0.0.0/0 172.16.2.1
!
no telnet server
username super password .....
!
!
!
!
clock summer-time
clock timezone gmt GMT-06
!
!
ntp
disable serve
server 192.168.0.1
server 10.10.10.1
!
!
no web-management http
web-management https
!
manager disable
!
!
manager port-list 987
!
!
!
!
!
!
!
!
!
interface management 1
ip address 10.10.2.254 255.255.255.0
!
interface ethernet 1/1/1
port-name cablemodem
!
interface ethernet 1/1/2
port-name firemox
!
interface ethernet 1/1/3
port-name prox-enp35
!
interface ethernet 1/1/4
port-name printer
!
interface ethernet 1/1/5
port-name minimox-eno1
!
interface ethernet 1/1/6
port-name piman
!
interface ethernet 1/1/7
port-name micromox1
!
interface ethernet 1/1/8
port-name IPMI1
!
interface ethernet 1/1/9
port-name note-nook
!
interface ethernet 1/1/12
port-name obi200
!
interface ethernet 1/1/15
port-name kitchen-no-poe
!
interface ethernet 1/1/17
port-name master-bed
!
interface ethernet 1/1/18
port-name security
!
interface ethernet 1/1/19
port-name garage
!
interface ethernet 1/1/20
port-name foyer
!
interface ethernet 1/1/21
port-name kitchen
!
interface ethernet 1/1/22
port-name garage-south-2
!
interface ethernet 1/1/23
port-name 2nd-bed
!
interface ethernet 1/1/24
port-name 4th-floor
!
interface ethernet 1/2/1
port-name WANuplink
!
interface ethernet 1/2/2
port-name LANuplink
!
interface ethernet 1/2/3
port-name mmx-10g
!
interface ethernet 1/2/4
port-name prox-10g
!
interface ethernet 1/2/5
port-name m1mini
!
interface ve 2
ip address 192.168.0.254 255.255.255.0
!
interface ve 10
ip address 192.168.10.254 255.255.255.0
!
interface ve 1010
ip address 10.10.10.254 255.255.255.0
!
interface ve 2161
ip address 172.16.1.254 255.255.255.0
!
interface ve 2162
ip address 172.16.2.254 255.255.255.0
!
!
!
!
!
!
!
!
!
!
ip ssh  password-authentication no
ip ssh  idle-time 0
ip ssh  interactive-authentication no
!
!
!
!
!
end
 
  • Like
Reactions: thebwack
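A way to check the switch side of the routing question above, as an added example that is not from adman_c's post, from the switch, or from Ruckus/Brocade: a small Python parser for the FastIron `sh ip route` listing and the `interface ve` stanzas of the running config, which then reports the VE and next hop the switch picks for a destination, whether a source/destination pair is forwarded entirely on the switch, and whether the connected routes, static next hops and VE addressing agree with each other. The sample text is copied from the post; the function names and the `Route` type are this example's own.

```python
"""Parse a FastIron 'show ip route' listing and the 'interface ve' stanzas of a
running config, then answer: for a destination, which VE and next hop does the
switch use, and do the routes and VE addressing agree with each other?

Added example for this thread; not code from the switch, from Ruckus/Brocade,
or from any poster. Sample text below is copied from adman_c's post."""
import ipaddress
import re
from dataclasses import dataclass

# Sample input (copied from the 'sh ip route' output pasted in the thread).
SHOW_IP_ROUTE = """\
SSH@coreswitch(config)#sh ip route
Total number of IP routes: 6
Type Codes - B:BGP D:Connected O:OSPF R:RIP S:Static; Cost - Dist/Metric
        Destination        Gateway         Port          Cost          Type Uptime
1       0.0.0.0/0          172.16.2.1      ve 2162       1/1           S    10h49m
2       10.10.10.0/24      DIRECT          ve 1010       0/0           D    10h49m
3       172.16.1.0/24      DIRECT          ve 2161       0/0           D    10h49m
4       172.16.2.0/24      DIRECT          ve 2162       0/0           D    10h49m
5       192.168.0.0/24     DIRECT          ve 2          0/0           D    10h49m
6       192.168.10.0/24    DIRECT          ve 10         0/0           D    10h49m
"""

# Sample input (the 'interface ve' stanzas from the same running config).
RUNNING_CONFIG = """\
interface ve 2
ip address 192.168.0.254 255.255.255.0
!
interface ve 10
ip address 192.168.10.254 255.255.255.0
!
interface ve 1010
ip address 10.10.10.254 255.255.255.0
!
interface ve 2161
ip address 172.16.1.254 255.255.255.0
!
interface ve 2162
ip address 172.16.2.254 255.255.255.0
!
"""


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str   # "DIRECT" for connected routes, otherwise the next-hop IP
    port: str      # egress interface as printed, e.g. "ve 2162"
    rtype: str     # type code: D connected, S static, O OSPF, ...


# One numbered route line: index, destination, gateway, port, dist/metric, type.
ROUTE_RE = re.compile(
    r"^\s*\d+\s+(?P<dst>\S+)\s+(?P<gw>\S+)\s+(?P<port>ve \d+|\S+)\s+"
    r"(?P<cost>\d+/\d+)\s+(?P<type>[A-Z])\s+"
)
VE_RE = re.compile(r"^interface ve (\d+)\s*$")
ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)\s*$")


def parse_routes(text):
    """Return the Route entries found in 'show ip route' output; header,
    legend and prompt lines do not match the numbered-line pattern."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append(Route(ipaddress.ip_network(m["dst"]), m["gw"], m["port"], m["type"]))
    return routes


def parse_ve_interfaces(config):
    """Map 've N' -> IPv4Interface for every VE stanza carrying an address."""
    ves, current = {}, None
    for line in config.splitlines():
        m = VE_RE.match(line)
        if m:
            current = f"ve {m.group(1)}"
            continue
        if line.strip() == "!":          # '!' closes the stanza
            current = None
            continue
        m = ADDR_RE.match(line)
        if m and current:
            ves[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return ves


def lookup(routes, dst):
    """Longest-prefix match, the same choice the switch's forwarding table makes."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in routes if dst in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None


def routing_decision(routes, dst):
    """(egress port, next hop, type) for dst, or None if nothing matches.
    On a connected route the next hop is the destination itself."""
    r = lookup(routes, dst)
    if r is None:
        return None
    return (r.port, dst if r.gateway == "DIRECT" else r.gateway, r.rtype)


def routed_on_switch(routes, src, dst):
    """True when both ends are on connected subnets, i.e. the switch forwards
    between them itself and the firewall never sees the packet. This assumes
    the hosts really use the switch's VE address as their default gateway."""
    return all((r := lookup(routes, h)) is not None and r.rtype == "D" for h in (src, dst))


def audit(routes, ves):
    """Cross-check routes against VE addressing; returns a list of findings."""
    findings = []
    for r in routes:
        if r.rtype == "D":
            iface = ves.get(r.port)
            if iface is None:
                findings.append(f"{r.prefix} is connected on {r.port} but no addressed 'interface {r.port}' exists")
            elif iface.network != r.prefix:
                findings.append(f"{r.prefix} on {r.port} does not match the VE address {iface}")
        elif r.rtype == "S":
            gw = ipaddress.ip_address(r.gateway)
            on_link = [c for c in routes if c.rtype == "D" and gw in c.prefix]
            if not on_link:
                findings.append(f"static {r.prefix} via {gw}: next hop is on no connected subnet")
            elif on_link[0].port != r.port:
                findings.append(f"static {r.prefix} via {gw} leaves on {r.port} but {gw} is on {on_link[0].port}")
    return findings


if __name__ == "__main__":
    routes = parse_routes(SHOW_IP_ROUTE)
    ves = parse_ve_interfaces(RUNNING_CONFIG)
    for dst in ("10.10.10.5", "192.168.10.20", "8.8.8.8"):
        print(dst, "->", routing_decision(routes, dst))
    print("routed on switch (192.168.0.10 -> 10.10.10.5):", routed_on_switch(routes, "192.168.0.10", "10.10.10.5"))
    print("audit findings:", audit(routes, ves) or "none")
```

For the table in the post the audit comes back clean and every pair among VLANs 2, 10 and 1010 is forwarded on the switch, so the switch's own forwarding state is not where the symptom lives. What this check cannot see is the hosts' gateway settings or the firewall's state table, and a pattern of ping succeeding while SSH/HTTPS fail between subnets is usually a sign that the two directions of a connection are taking different paths and a stateful device on one of them is dropping the half it never saw the start of; that is the next place to look.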

adman_c

Active Member
Feb 14, 2016
156
71
28
Chicago
I think that's just End of Sale, not End of Life/End of Support.
Oh shit you're right. I even read that when I saw that notice the first time. They're not EOL or EOS for a couple years at least. Sorry for the alarm! I edited my post. And also tracked down the doc with the dates.
Screen Shot 2022-05-19 at 5.15.59 PM.png
 

danb35

Member
Nov 25, 2017
34
4
8
42
And now a 6610 is here, updated, licensed, etc. with no problems. Outstanding. But damn, that's loud when it first starts up. Not too bad once the fans ramp down, but I don't think I want to be anywhere close if they have to spend any time at Speed 2.
 
  • Like
Reactions: thebwack