Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)

[LodeRunner]

The switch was a Netgear GS116Ev2. It has basic admin config but I never use them besides for update.

With these hints I seach a little deeper in the freebox config and I found that freebox server and player communicate via VLAN100 (tagged) and they also are visible via the standard LAN (untagged). the freebox player always gets its IP via the freebox server DHCP.

I am still not familiar to what I need to config on the switch, but I am closer to a solution. Is it possible to have a RJ45 port with both VLAN100 (tagged) and standard LAN (untagged) packets ?

Thanks for the link about the diagram, I will use it.

That Netgear does appear to have support for VLANs, so either it was configured once upon a time, or it can optionally ignore tags, which wouldn't surprise me on a consumer or 'prosumer' switch. Enterprise switches tend to be far stricter about such things.

In Brocade syntax (this may be slightly different, I run 7k series with 8.0.95), and using ports 23 and 24 as the example:

conf t
int e 1/1/23
port-name Freebox Server
int e 1/1/24
port-name Freebox STB
vlan 100 name TV by port
tag e 1/1/23 e 1/1/24
end
wr me

If you have more than one STB, then you'd setup additional ports the same way.

For the TV equipment, you don't need to worry about untagged, since the only thing using these ports will be the TV equipment which is applying tags. If you were linking multiple switches and needed to pass multiple VLANs, you can tag one port in multiple VLANs to make a trunk.

Untagged VLANs are for when devices are not applying the tags themselves; then traffic entering the port gets tagged by the switch. In most cases you will not need to mix tagged and untagged traffic on a port. For a 6k series switch, if you needed to do so, there's a 'dual-mode' option or some such that I have no experience with as it stopped being a thing in v8.0.80 I believe.

 

[fohdeesha]

Sorry, help me please I have ICX6610-48 with Maximum PORT-VLAN entries: 64. I need more vlan, best will be 4095. How I can remove a limit for 64 vlan

run "show default values" to see a table of how the default TCAM limits are arranged, I believe on the 6450 you'll get:

System Parameters    Default    Maximum    Current    Configured
ip-arp               1024       4096       1024       1024
ip-static-arp        256        1024       256        256
ip-cache             13212      13212      13212      13212
ip-filter-port       3068       3068       3068       3068
ip-filter-sys        2048       8192       2048       2048
l3-vlan              32         1024       32         32
ip-qos-session       128        256        128        128
mac                  16384      16384      16384      16384
ip-route             12000      12000      12000      12000
ip-static-route      64         2048       64         64
---trimmed---
vlan                 64         4095       64         64
---trimmed---

showing the default max is 64, but can be configured up to 4095. To go that high you may have to free up some TCAM by reducing the max of other things here, but to change vlan would be "system-max vlan 2000" for example, then a write mem and reload of the switch is required

 

[sergi0]

For the TV equipment, you don't need to worry about untagged, since the only thing using these ports will be the TV equipment which is applying tags. If you were linking multiple switches and needed to pass multiple VLANs, you can tag one port in multiple VLANs to make a trunk.

Thanks for the help, I was able to manage some tests. The problem is not resolved yet, but I am close.

Using the GUI, I created a VLAN100 and assigned 2 ports in it. I plugged the freebox server (directly from the back of the device, no switch between) and the TV wall plug in the other ports. It worked and I was able to get the TV flux from the freebox server onto the player. BUT...

What I did not explicited is that on the TV side there are on RJ45 in the wall and 3 devices behind via a simple switch (tv, freebox player and nvidia shield - so 2 differents networks and a VLAN for the freebox player). this plug then gets into the brocade in the VLAN100 tagged port. I was not able to get the NAS from the shield. It is plugged on the VLAN100 tagged port so that is probably why I can't reach it.

I have a totally newbie question: if I put all the brocade ports in the VLAN100, with both network (10.11.12.x and 192.168.1.x), will it work ?

S.

 

[Lone Wolf]

What I did not explicited is that on the TV side there are on RJ45 in the wall and 3 devices behind via a simple switch (tv, freebox player and nvidia shield - so 2 differents networks and a VLAN for the freebox player). this plug then gets into the brocade in the VLAN100 tagged port. I was not able to get the NAS from the shield. It is plugged on the VLAN100 tagged port so that is probably why I can't reach it.

If you assign 'dual-mode' on the port where it plugs into the Brocade, it will allow your tagged freebox player on VLAN 100 to communicate, plus the other devices which don't use tags to talk on the default untagged VLAN - assuming that the switch everything is plugged into behind the TV supports VLAN tags. If it doesn't then the switch will need to be replaced with one that does, or a network cable run just for the freebox player.

 

[LodeRunner]

I have a totally newbie question: if I put all the brocade ports in the VLAN100, with both network (10.11.12.x and 192.168.1.x), will it work ?

You would potentially have two DHCP servers in the same broadcast domain (VLAN 100) so devices could get the wrong subnet.

Use dual-mode as indicated by Lone Wolf so that devices with no tagging get put in the default VLAN.

 

[sergi0]

I manage to find some good manual to dual-mode the 2 ports. It was not possible via GUI but I did it using the terminal (the doc I have present a GUI sligthly different from the one I have - I use foshdeesha guide to update everything).

Here is what I have after dual-moded the 2 ports :

Spoiler

SSH@bro6450#show vlan
Total PORT-VLAN entries: 2
Maximum PORT-VLAN entries: 64

Legend: [Stk=Stack-Id, S=Slot]

PORT-VLAN 1, Name DEFAULT-VLAN, Priority level0, Spanning tree Off
 Untagged Ports: (U1/M1)   1   2   3   4   5   6   7   8   9  10  11  12
 Untagged Ports: (U1/M1)  13  14  16  18  19  20  21  22  23  24
 Untagged Ports: (U1/M2)   1   2   3   4
   Tagged Ports: None
   Uplink Ports: None
 DualMode Ports: None
 Mac-Vlan Ports: None
     Monitoring: Disabled

PORT-VLAN 100, Name TV, Priority level0, Spanning tree Off
 Untagged Ports: None
   Tagged Ports: None
   Uplink Ports: None
 DualMode Ports: (U1/M1)  15  17
 Mac-Vlan Ports: None
     Monitoring: Disabled

SSH@bro6450#

I plugged the freebox server into 1/1/15 and TV one into 1/1/17 and I did not have Internet on the rest of the network (10.11.12.x), and I did not get the TV either on the freebox player.

Of course, if I plugged the freebox server into any other ports, I have Internet access, but the TV does not get in touch with freebox server, neither did the shield gets access to Internet (which it should considering the port is in dual mode configuration and the shield is on the same network as 10.11.12.x.

 

[sergi0]

You would potentially have two DHCP servers in the same broadcast domain (VLAN 100) so devices could get the wrong subnet.

Use dual-mode as indicated by Lone Wolf so that devices with no tagging get put in the default VLAN.

I have only one DHCP server on my network, it is on the freebox server for 192.168.1.x network. For 10.11.12.x everything is manually set.

Regarding the VLAN stuff, it is clearly a little bit out of my area of expertise so I need to read more on it. The specific configuration of the STB is also painfull. I won't have these problems if I put 2 differents RJ45 inside the wall on the TV area. I put only one so I must deal with this shitup .

 

[Lone Wolf]

Which port goes to your router? That port must also be tagged with VLAN 100 and dual mode

 

[sergi0]

Which port goes to your router? That port must also be tagged with VLAN 100 and dual mode

The freebox server goes into port 15 and the freebox player is behind a switch that goes into port 17. Both in VLAN100. The switch near the TV is a very simple one that let everything pass.

 

[Lone Wolf]

I looked up what a freebox server is since I had no idea what it is, and I see that it IS your router.

Freebox - Wikipedia

en.wikipedia.org

How do you have things wired up now? Earlier you said, if I understood your diagram properly, that the freebox player was plugged directly into the freebox server, and an OpenBSD firewall was plugged directly into the freebox server as well with the rest of your network behind that. Is it still like that? I am guessing not.

What happens if you plug the TV directly into port 17, bypassing the switch near the TV? Does it still work? What happens if you then plug the Shield directly into port 17? Does it work? This should help you determine if you have the VLANs and dual modes set up correctly.

I am also assuming that the freebox talks on VLAN 100 and untagged VLAN at the same time, rather than expecting everything to be tagged VLAN100.

 

[Lone Wolf]

I had a closer look and compared your 'show vlan' to mine. Yours looks quite different than mine. I don't think you have it set up right. Here is my config:

Spoiler: My config

PORT-VLAN 1, Name DEFAULT-VLAN, Priority level0, Spanning tree Off
Untagged Ports: (U1/M1) 1 2 3 4 5 6 7 8 9 10 11 12
Untagged Ports: (U1/M1) 13 14 15 16 17 18 19 20 21 22 23 24
Untagged Ports: (U1/M1) 25 26 27 28 29 30 31 32 33 34 35 36
Untagged Ports: (U1/M1) 37 38 39 40 41 42 43 44 45 46 47
Untagged Ports: (U1/M2) 1 2 4
Tagged Ports: None
Uplink Ports: None
DualMode Ports: (U1/M1) 48
DualMode Ports: (U1/M2) 3
Mac-Vlan Ports: None
Monitoring: Disabled

PORT-VLAN 5, Name [None], Priority level0, Spanning tree Off
Untagged Ports: None
Tagged Ports: (U1/M1) 48
Tagged Ports: (U1/M2) 3
Uplink Ports: None
DualMode Ports: None
Mac-Vlan Ports: None
Monitoring: Disabled

And here is yours:

Spoiler: Your config

PORT-VLAN 1, Name DEFAULT-VLAN, Priority level0, Spanning tree Off
Untagged Ports: (U1/M1) 1 2 3 4 5 6 7 8 9 10 11 12
Untagged Ports: (U1/M1) 13 14 16 18 19 20 21 22 23 24
Untagged Ports: (U1/M2) 1 2 3 4
Tagged Ports: None
Uplink Ports: None
DualMode Ports: None
Mac-Vlan Ports: None
Monitoring: Disabled

PORT-VLAN 100, Name TV, Priority level0, Spanning tree Off
Untagged Ports: None
Tagged Ports: None
Uplink Ports: None
DualMode Ports: (U1/M1) 15 17
Mac-Vlan Ports: None
Monitoring: Disabled

Your setup is different than mine. Here are the commands from my documentation of how I got my VLANs to work with both tagged and untagged. I adjusted it for your VLAN. You may have to undo some of the settings in your VLAN100 first:

enable
conf t
vlan 100
tagged ethernet 1/1/15
tagged ethernet 1/1/17
exit
interface ethernet 1/1/15
dual-mode
interface ethernet 1/1/17
dual-mode

Try it out and see if it works. If it does, don't forget to do a 'write mem'

 

[sergi0]

Arff, my explanation were clearly lacking of a good diagram... the FW is behind the freebox server (router) and deserve only 10.11.12.x lan. right now I have a setup that works but need another switch besides the brocade (the one with the TV is not an issue, see later).

For my setup to work, I have the freebox server plugged in a switch (netgear without management - 5 ports) and the TV RJ45 is also plugged in this switch (my walls are wired, so when i say TV RJ45 I mean the cables that get out of the wall and comes from the TV area RJ45 plug). There is another RJ45 cables between this switch and the brocade. I don't use the 15 and 17 ports (VLAN100) in this setup.
In this configuration, everything work fine as the brocade don't have to deal with the VLAN stuff.

I may have not correctly configure the VLAN as when instead of the 5 ports switch, I plug the freebox player/server in port 15 and 17 I still don't have the TV or I should have it.

Did you give a look at my show vlan command ?

 

[Lone Wolf]

Did you give a look at my show vlan command ?

I did, the message right above your last one, in case you missed it.

 

[sergi0]

I did, the message right above your last one, in case you missed it.

I just saw it. I will try your conf tomorrow (1.30am right now). I have read a couple of docs about VLAN. I understand better what their use is for and why my ISP use them. It's config aren't officially documented but there are some info on the web.
fingers crossed

 

[sergi0]

I did the step you mention but for each step I got a message saying it is already tagged and dual mode.
My config did not change when I do a show vlan. Here is what I have when I do a show version :

Spoiler

SSH@bro6450(config-if-e1000-1/1/17)#show version
  Copyright (c) 1996-2016 Brocade Communications Systems, Inc. All rights reserved.
    UNIT 1: compiled on Feb 13 2019 at 17:44:29 labeled as ICX64R08030t
                (9868556 bytes) from Primary ICX64R08030t.bin
        SW: Version 08.0.30tT313
  Boot-Monitor Image size = 786944, Version:10.1.05T310 (kxz10105)
  HW: Stackable ICX6450-24
==========================================================================
UNIT 1: SL 1: ICX6450-24 24-port Management Module
         Serial  #: xxxxxx
         License: ICX6450_PREM_ROUTER_SOFT_PACKAGE   (LID: H4CKTH3PLN8)
         P-ENGINE  0: type DEF0, rev 01
==========================================================================
UNIT 1: SL 2: ICX6450-SFP-Plus 4port 40G Module
==========================================================================
  800 MHz ARM processor ARMv5TE, 400 MHz bus
65536 KB flash memory
  512 MB DRAM
STACKID 1  system uptime is 110 day(s) 56 minute(s) 59 second(s)
The system started at 00:00:56 GMT+00 Thu Jan 01 1970

 The system : started=cold start

SSH@bro6450(config-if-e1000-1/1/17)#

[/spoiler]

 

[Lone Wolf]

I did the step you mention but for each step I got a message saying it is already tagged and dual mode.
My config did not change when I do a show vlan. Here is what I have when I do a show version :

I think you would need to undo the tagging and dual modes on 15 and 17 first.

 

[Allthatufear8]

Is anyone using a ruckus switch with a a multigigabit router? I have an icx 7150-48ZP that I'm using for inter-vlan routing. 1 gig connections run at full speed, but over that drops to 140mbps. I've turn on flow control and it jumps to 700mbps. I've tried Verizon's and ATT's router, an opnsense/vyos router and a dream machine pro se with the same results.

 

[heromode]

Good news everyone!

The Fan problem is now essentially SOLVED.

I just received my Arctic S4028-6K value pack.

Initial testing shows the new Arctic serie is the perfect fan for the 3-pin brocades. here's why:

before i am running 1x original fan with my tape mod. icx6450-48p completely idle with one hour running time:

#show chassis
The stack unit 1 chassis info:

Power supply 1 (NA - AC - PoE) present, status ok
Power supply 2 not present
Power supply 3 not present

Fan 1 failed
Fan 2 failed
Fan 3 failed

Fan controlled temperature: 55.0 deg-C

Fan speed switching temperature thresholds:
                Speed 1: NM<----->65       deg-C
                Speed 2:       56<-----> 79 deg-C (shutdown)

Sensor B Temperature Readings:
        Current temperature : 49.0 deg-C
Sensor A Temperature Readings:
        Current temperature : 55.0 deg-C
        Warning level.......: 69.0 deg-C
        Shutdown level......: 79.0 deg-C

Now i receive my 4028-6K value pack. Plus and minus wires needs to be switched. A value pack at german amazon.de is just under 30 EUR, includes 5 fans and 20 screws. Immediately as i open the pack i realize it's the real deal.

the 6K version are too slow for heavy usage, but as i'm writing this my 6450-48p is running at idle with 3x arctic 4028-6K's in ABSOLUTE ****ING SILENCE.

show chassis
The stack unit 1 chassis info:

Power supply 1 (NA - AC - PoE) present, status ok
Power supply 2 not present
Power supply 3 not present

Fan 1 ok, speed (auto): [[1]]<->2
Fan 2 ok, speed (auto): [[1]]<->2
Fan 3 ok, speed (auto): [[1]]<->2

Fan controlled temperature: 63.5 deg-C

Fan speed switching temperature thresholds:
                Speed 1: NM<----->65       deg-C
                Speed 2:       56<-----> 79 deg-C (shutdown)

Sensor B Temperature Readings:
        Current temperature : 56.5 deg-C
Sensor A Temperature Readings:
        Current temperature : 63.5 deg-C
        Warning level.......: 69.0 deg-C
        Shutdown level......: 79.0 deg-C

again, i repeat: ABSOLUTE SILENCE.
i have to put my ear right next to the fan outlets to hear that anything is going on.

Obviously, the Arctic 6K versions are insufficient for anything heavier that idle, i'm only a few degrees celcius for it kicking into high gear

BUT

first of all the arctic's are both voltage AND PWM controlled. 4.5V to 12V

a 5 fan value pack sells on amazon for 30 EUR, which includes 20 screws. That is great value. I'm gonna order the 15K version next, and depending on my final load, add 15K Arctics as necessary.

Again, i'm running my 6450-48p atm at ABSOLUTE SILENCE. presumably according to the specs they are running at 1400 RPM atm, at 4.5V lol.

Point is immediately as i received the 6k versions today i could feel holding them they are gonna be the perfect fans for the brocades, and remember, they are BOTH voltage AND PWM controlled, [4 pin] so users of the big beef qsfp switches take notice, it's possible these could serve as straight replacements!

this is a special alert! The perfect fans for all the brocade switches might very well have now been identified!!!!

 

[luks]

I'm experiementing with VLAN routing on ICX6610 and I would need some help. Two computers in different VLANs don't seem to be able to reach each other. I did it pretty much based on this video.

• Only two computers connected to the switch, both have static IPs configured
  • 10.0.10.100, default route to 10.0.10.1, VLAN 10
  • 10.0.20.100, default route to 10.0.20.1, VLAN 20
• Two VLANs, 10 and 20 with router-interfaces set
• Two virtual interfaces, 10 and 20
  • 10.0.10.1/24
  • 10.0.20.1/24

But the computers cannot see each other. I tried to ping the other machine from both machines, but they cannot see reach other. Pinging the switch IP 10.0.10.1 and 10.0.20.1 from the computers works fine. Pinging from the switch to the computers doesn't work. I checked the ARP table from the switch and both computers are there with their IPs and correct MAC addresses. I have tried to disable all firewalls etc. What am I doing wrong or is there something I have misunderstood about this?

 

[itronin]

But the computers cannot see each other. I tried to ping the other machine from both machines, but they cannot see reach other. Pinging the switch IP 10.0.10.1 and 10.0.20.1 from the computers works fine.

please post output from "show ip route" on the icx.

please post your icx configuration.