Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)

[hmw]

Could anybody direct me to some good resources to guide me on best practices of using an L3 switch along with a firewall appliance? My Asus N router is finally starting to give me some trouble and for the short term my plan is to use the J6413 box I ordered earlier this week to branch out into something a bit more advanced with OPNsense while using the router in AP mode. Longer term I've been debating on just taking the plunge on a C12P along with a Ruckus AP so I could also expand out to some security cameras later. I had looked at the switch and AP a couple years ago it just wasn't priority and was hopeful that UBNT would have a bit more friendly SOHO non rack solutions come out as I liked the idea of having network and video integrated into one place, but alas the Dream Router and Dream Wall just weren't the solutions for me.

I'll do a write up later but I managed to get OpnSense working with a US-XG-24 and a Brocade ICX-6610 for my homelab. Don't know if that is what you're looking for.

At some point when the prices for ICX7650s have dropped to reasonable levels, I will just go with that. It's a headache getting anything Ubiquiti working properly. Except for their Unifi Video, I intend to ditch Ubiquiti and move away from their APs and switches when economically feasible

 

[azmaveth]

Talking to a vendor on eBay about a ICX6610 they are selling and they said that they get this when booting:

Monitordir
1740 [fccb] $$sshhost.key
364 [d646] stacking.boot
8657 [8af8] startup-config
8648 [a2e1] startup-config.backup
2658 [01e4] startup-config.legacy
22067 bytes 5 File(s)
65142784 bytes free
Monitorboot system flash primary
`File not found, 'primary'
Monitorboot system flash secondary
`File not found, 'secondary'

Am I right in thinking this is basically bricked since both flash memories are wiped/corrupted? Is there a way for me to restore the firmware without hardware tools?

 

[NablaSquaredG]

s there a way for me to restore the firmware without hardware tools?

My guess would be that the u-boot bootloader is still there and working, so you should be able to flash the primary / secondary image from the bootloader (as described in @fohdeesha's guides)

But that's just a guess... Could be that the switch is broken.

Possibly related:

https://forums.servethehome.com/index.php?threads/issues-with-an-icx6610-dont-boot.21653/

 

[i386]

The switches from the op are now about 10 years old (The oldest pdf I found was dated 2013 from brocade). I'm wondering how long the components used for these icx switches will last...

 

[zunder1990]

The switches from the op are now about 10 years old (The oldest pdf I found was dated 2013 from brocade). I'm wondering how long the components used for these icx switches will last...

Given that the end of sale was 2018 I am betting they was still making new 6610 in 2018, alot of those switches still floating around may not be that old.

 

[thegardentool]

I'll do a write up later but I managed to get OpnSense working with a US-XG-24 and a Brocade ICX-6610 for my homelab. Don't know if that is what you're looking for.

At some point when the prices for ICX7650s have dropped to reasonable levels, I will just go with that. It's a headache getting anything Ubiquiti working properly. Except for their Unifi Video, I intend to ditch Ubiquiti and move away from their APs and switches when economically feasible

Well I do think I’ll likely skip UBNT stuff now completely. I hadn’t invested in any of it while waiting to see if anything new would have worked better. I suppose I’ll get it all figured out. May just end up still picking up one of these C12P switches and start off running it just as an L2 while learning OPNsense and then figuring out down the line if it would be better to move the routing back to the switch.

 

[msg7086]

Sunon PSD1204PHB1-A(2).Z.F.PWM.GN "Tiny Terror" - also currently unobtainable
These are new design MagLev parts, and really impressive. 40x40x15mm (so the thinnest here,) but 14CFM, 0.63in H2O, and 44.2dBA @ 1m at 12,000RPM. They're also a LOT easier than the Mechatronics; Sunon MOQ is just 30 for a non-custom part, expect around $10-12/ea. These are awesome fans if you can get your hands on them and can stand the noise.

Hey, I just got some of these but they seem to have 4 leads (red, yellow, black, blue). Any suggestion on how to wire them to ICX6450-48P?

Thanks!

 

[NablaSquaredG]

I'm just reading through the guides, but I want to make sure I miss nothing

What security features are supported by FastIron that can be used in public networks (aka everybody can connect to the switch gigabit ports)?

Stuff like
BPDU Guard
Root Guard
Port Security (MAC Address Limit)
DHCP Snooping
Dynamic ARP Inspection
IP Source Guard
Segmentation into multiple VLANs


I'm currently trying to figure out what is the best way to secure access to management (no out of band management possible)

 

[kpfleming]

The docs for the FastIron software are publicly available, so you can review them to determine whether the features you desire are available (some may have different names than what you used). Also keep in mind that the software has different features for different families of devices: for example the L3 software for 71xx/72xx devices doesn't support BGP but the 73xx and above do.

VLANs are definitely supported. If you don't have any OOB management, you'll be stuck with SSH and will have to secure it using normal SSH mechanisms. The SSH implementation in the 08.x series firmware is a bit dated and doesn't support modern SSH features like elliptic curve keys, but it's otherwise functional.

 

[NablaSquaredG]

The docs for the FastIron software are publicly available, so you can review them to determine whether the features you desire are available

Guess what I've been doing (And if you look carefully, you'll find all of them in the FastIron manuals)

 

[PANiCnz]

My ICX 6450 is shutting down once a week. I have to disconnect it from the power and leave it for several hours before it will turn on again. Assumed it might be heat related, but the last time it shutdown was a cool day, and the room was well ventilated. Has happend three times now and seems to be happening about a week apart.

Any ideas/tips on how to try and investigate the problem?

 

[i386]

Did you Check for dust in the vents/openings?

 

[PANiCnz]

Did you Check for dust in the vents/openings?

Yip pulled it apart and everything was reasonably clean, definitely not blocked.

 

[zunder1990]

My ICX 6450 is shutting down once a week. I have to disconnect it from the power and leave it for several hours before it will turn on again. Assumed it might be heat related, but the last time it shutdown was a cool day, and the room was well ventilated. Has happend three times now and seems to be happening about a week apart.

Any ideas/tips on how to try and investigate the problem?

What does the logs say, also get a console cable and see if there was any console messages.

 

[autumnwalker]

At the very least their documentation should be updated to state the command only works on the FCX (I've ran into a couple other commands like this, that exist in the base firmware but only become active when booted on an FCX, namely "ip ssh key-exchange-method dh-group14-sha1"

Was there ever any update on this perticular command? I'd like to enable group14 ... but as stated, the command isn't available on my ICX.

 

[msg7086]

Hey, I just got some of these but they seem to have 4 leads (red, yellow, black, blue). Any suggestion on how to wire them to ICX6450-48P?

Thanks!

UPDATE: After putting them in, the unit overheated and lost response in a few minutes.

 

[PANiCnz]

What does the logs say, also get a console cable and see if there was any console messages.

Are the logs retained after the device has been powered off for several hours? I can see anything obvious in the logs to indicate a problem.

 

[ManoftheSea]

Thanks for this thread. I got an ICX6450 based on it. And now, the configuration.
Would fohdeesha like any extra content for the guide, such as "VLANs", "ACLs", or "IPv6 configuration" (when/if I learn these things)?
At the moment, I think the router should be able to route using nothing more than link-local addresses, but I can't figure out how to configure a ve to route to a VLAN without having an address within the prefix. I'm also faking Prefix Delegation by setting it up statically.

 

[kpfleming]

You can add IPv6 static routes to the routing table to let the device know that a specific subnet is reachable via that VE.

 

[ManoftheSea]

I understand that's what I want to do. However, where the "ip" command will accept an interface or ve as "next-hop", the ipv6 command requires a gateway address, which I understand to be the destination for this hop. As far as I understand the documentation, I should be able to run the command within the (config) level:
ipv6 route 2001:db8::/64 ve 3
But the interface tells me "gateway address is required".
ip ve as hop Configuring a virtual interface as next hop
ipv6 route Commscope Technical Content Portal