
Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)

VirtualBacon

Member
Aug 21, 2017
Eyeing up an ICX7150-C12P. Do they block unsupported transceivers? I'll be ordering from FS.COM anyway, but I can't seem to find an answer.
 

LodeRunner

Active Member
Apr 27, 2019
As far as I recall, it won't stop you from using 3rd party optics of any sort, but the optical monitoring will be disabled by default for non-Brocade optics and can be overridden with a console command. Of course, if you're ordering from FS.com just have them code the optics or DACs as Brocade. There's no secret key being used.
 

patg84

New Member
Sep 1, 2023
Does this apply to the VDX line?
 

Midvalley

New Member
Aug 30, 2023
Hello all. Just wanted to drop a message to thank everyone for the information in this thread to date. I stumbled across this a couple weeks back while I was investigating PoE switches to power some IP cameras I had just purchased. Without finding this, I don't know if I would have started down the road of used enterprise gear and probably ended up with a prosumer switch of some sort. However, based on the info here, I was able to search out a used ICX6450-48P for a pretty good price. The switch arrived today and is in pretty good condition all in all, and I'm currently working through the initial config and updates.

Kudos to @fohdeesha for the documentation and resources, it's all really well written and concise. Also, kudos to the community that has sprung up in this thread, there is a ton of information I am sifting through while I go about my first foray into enterprise networking.

I'll probably be around asking borderline dumb questions that may have already been answered soon, so I figured I should have something other than a "how do I" question as my first post on STH.

Thanks all!
 

tr_deal

New Member
Sep 27, 2023
Hey everyone, I have another odd situation and after trying to search all 442 pages of the thread didn't find anything helpful...

I have 2 PSU and 2 Fan Trays in my 6610. One of the fans in my fan trays has a bad bearing, so I bought a new fan tray off eBay. However, when I swap the new fan tray in the fans never kick down from full speed. If I plug the old fan tray in its fans do kick down after a minute or so...

I followed the guide and updated all the firmwares, and cold booted the switch to ensure the I2C bus reset. dm fan-speed shows fan tray 1 fans running at 21,000, while fan tray 2 fans are at 6000.

Any ideas?
 

VirtualBacon

Member
Aug 21, 2017
Got pictures of both?
 

Mpegger

New Member
Oct 4, 2023
I hope I can get some help here about a Brocade ICX 6430-C12 I just bought off eBay. There was no password given, but that wasn't a big deal to me since there is a way to reset the password via serial console. I wired up a cable to access the serial console but all that comes through is gibberish, as if the serial port settings that I am using are incorrect (I've seen similar gibberish when connecting to a Raspi or one of my GPS modules at the wrong line speed or settings). I tried different serial speeds and settings, I made sure that my cable was correctly wired, even trying it with the TX and RX lines backwards, with or without the ground pins grounded, ensuring with a multimeter that there wasn't a bad connection (4 pins coming up 0.23 ohms), but nothing worked.

I'm at a loss here as to what to do now. If I can't access the serial console to reset the password, I can't change the configuration of the switch. I'm guessing that the wire I made isn't correct for the switch, but according to all the docs I've come across, there should only be 4 pins in use, TX pin 3, RX pin 6, and GND pins 4+5. Could it be the docs are wrong? Are there other pins in use (CTS, RTS?) that I need to wire up? Is it possible that the current configuration on the switch prevents serial access in some way, or that the connection settings were changed from stock settings?

Any help would be appreciated.


Welp, I finally found my other USB-to-Serial adapter, and after trying 5 different drivers I finally got it working, and now I'm able to access the serial port on the switch just fine on the first try. I have no idea why the first USB-to-Serial adapter I tried wasn't working correctly with it, as it works with all the SOC devices and GPS modules I program all the time.

rocksteady88

New Member
Oct 5, 2023
I was inspired by this thread to purchase the Brocade ICX6450-24. I followed the guide and everything is working, but I get that pesky "Unable to negotiate with X.X.X.X port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1" message when attempting SSH.

From research I know that this is because the switch is using the outdated SHA1. I have seen several posts in this thread over the years that offer a workaround. That workaround is just using the insecure SHA1. I just wanted to see if that is still the advice to follow? Has anyone found any alternatives to just using the deprecated SSH? For those of you that are just using the deprecated SSH, have you run into any security issues?
 

Midvalley

New Member
Aug 30, 2023
You could always segment SSH access onto a dedicated management vlan if you want to lock it down. Essentially, apply ACLs to the VE's for your device vlans that deny access to http/https/ssh/telnet to the VE IPs and the switch IP. Or go nuts and use a different RFC1918 range for the management vlan and just lock everything else out of it.

I'm doing that now and carrying the vlan on a port with multiple tagged vlans, and then using Hyper-v to host a VM on the management vlan dedicated to managing local stuff.
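
Added example, not written by any poster in this thread: a Python sketch that reads OpenSSH negotiation failures like the one quoted above and builds a per-host ssh_config block, so the legacy algorithm is enabled for the switch alone and every other destination stays on the client defaults. It goes beyond the thread's key-exchange case to host key, cipher and MAC mismatches; the address 192.0.2.10, the alias icx-mgmt and the second log line are constructed, and the client build is assumed to still support the offered algorithms.

```python
import re

# OpenSSH's negotiation-failure wording -> the ssh_config option that governs it.
OPTION_FOR = {
    "key exchange method": "KexAlgorithms",
    "host key type": "HostKeyAlgorithms",
    "cipher": "Ciphers",
    "MAC": "MACs",
}

NEGOTIATE_RE = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\d+): "
    r"no matching (?P<what>key exchange method|host key type|cipher|MAC) found\. "
    r"Their offer: (?P<offer>[\w@.,+-]+)"
)

# Constructed sample: the first line follows the message quoted in the thread,
# the second is an invented follow-up failure for the same device.
SAMPLE_LOG = """\
Unable to negotiate with 192.0.2.10 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
Unable to negotiate with 192.0.2.10 port 22: no matching host key type found. Their offer: ssh-rsa
"""


def parse_failures(text):
    """Return {(host, port): {ssh_config option: [algorithms the server offered]}}."""
    found = {}
    for m in NEGOTIATE_RE.finditer(text):
        options = found.setdefault((m["host"], int(m["port"])), {})
        algorithms = options.setdefault(OPTION_FOR[m["what"]], [])
        for name in m["offer"].split(","):
            if name not in algorithms:
                algorithms.append(name)
    return found


def host_stanza(alias, host, port, options):
    """Build a Host block that enables the legacy algorithms for one device only."""
    lines = [f"Host {alias}", f"    HostName {host}"]
    if port != 22:
        lines.append(f"    Port {port}")
    for option in OPTION_FOR.values():
        if option in options:
            # '+' appends to the client's default list instead of replacing it,
            # and the Host scope keeps every other destination on the defaults.
            lines.append(f"    {option} +{','.join(options[option])}")
    return "\n".join(lines)


if __name__ == "__main__":
    for (host, port), options in parse_failures(SAMPLE_LOG).items():
        print(host_stanza("icx-mgmt", host, port, options))
```

The printed block goes into `~/.ssh/config`; connecting with `ssh icx-mgmt` then uses the legacy algorithms only for that device.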
 

tr_deal

New Member
Sep 27, 2023
I'm still wracking my brain on this one. Besides the individual delta fan p/n (which look to be different on every fan tray I can find) everything else is identical. Wiring is the same on all 3 fan trays I have and I don't see a controller chip on the fan tray itself that could possibly need a firmware update. Is there a config or command I'm missing here?
 

VirtualBacon

Member
Aug 21, 2017
Question for anyone who knows

I followed the guide from here ICX7xxx Advanced - Fohdeesha Docs

Is there any reason I shouldn't update all the way to latest v9 code? The downloads in that guide are all v8. I followed it just to get to a good baseline, but I'm trying to figure out if it's worth upgrading

Second, I also followed the guide and got the interface on VLAN 1 and a static IP, but after configuring my VLAN's I wanted to get the interface onto VLAN 80 instead, my management VLAN

So, I did

conf t
vlan 1
no router-interface ve1
exit

vlan 80
router-interface ve80
exit

router-interface ve80
ip address 10.0.80.4/24
exit

no ip route 0.0.0.0/0 10.0.0.1
ip route 0.0.0.0/0 10.0.80.1

no ip dns server-address 10.0.0.1
ip dns server-address 10.0.80.1


Does that get me to the correct place for what I want? The "Problem" I am facing is that the console fills up with entries for each VLAN that say

Debug: Oct 11 08:29:17 No address! cannot send IGMP msg. Must config address on VL30 or a loopback port

Is that expected? I have a trunk port with all my VLAN's on, and a port for a future AP with all the VLAN's on, but no interfaces for each VLAN of course, since I'm not doing any L3

I don't recall seeing that when I had the interface on VLAN1, but then I don't know if I had the console up for long
 

tr_deal

New Member
Sep 27, 2023
I'm kinda stumped by that one too

Have you thought about swapping the fans themselves into the old tray?
To close this out, last night I decided to try to plug the new fan tray in again and fiddle with the fan speed settings. To my shock, when I slid the fan in it immediately spun down to match the low RPM of the other fan tray! I've made no changes besides utilizing the QSFP+ uplinks, which if anything would have put a higher heat load in the switch.

So if anyone runs across this with the same issue, the 7th time is the charm to make it work?!!
 

VirtualBacon

Member
Aug 21, 2017
Regarding my post with the error " No address! cannot send IGMP msg. Must config address on VL30 or a loopback port "

I also reference this post: Ruckus ICX Firmware Update and Setup

That has you enable multicast with

ip multicast active

I did

no ip multicast active

And now I no longer get those messages in the console. For usual network switch function, should I have that enabled? I don't ever recall manually enabling multicast on any of my switches, unless it's just a default for others

EDIT: Just checked, and I don't see any multi-cast or IGMP turned on, on any of my other switches. I'll leave it off
 

willbicks

New Member
Oct 9, 2023
Just got my ICX 6450-24P and am having fun getting up to speed with it. I have it working in my setup as a basic L2 switch, accepting untagged traffic on two "access" ports and sending upstream as tagged traffic over a 1 GBE "trunk" to my Mikrotik RB4011. What's weird is that everything works perfectly using the standard gigabit ethernet port as a trunk, but trying to move the trunk to SFP+ port 1/2/1 fails to pass traffic. Looking on both sides the SFP link is up (using a DAC cable), but I can't ping across to the router, get DHCP, etc. I've checked the configs for both the switch and the router and everything looks the same for both ports, so I can't quite figure out what to debug next.

My switch config is pretty simple:
Code:
Current configuration:
!
ver 08.0.10mT313
!
stack unit 1
  module 1 icx6450-24p-poe-port-management-module
  module 2 icx6450-sfp-plus-4port-40g-module
  no legacy-inline-power
!
!
!
!
vlan 1 name DEFAULT-VLAN by port
!
vlan 10 by port
tagged ethe 1/1/7 ethe 1/2/1
untagged ethe 1/1/1 ethe 1/1/14
!
!
no telnet server
!
!
end
And the router is configured as:
Code:
# oct/11/2023 15:47:08 by RouterOS 7.9
/interface bridge
add admin-mac=48:8F:5A:40:F2:C0 auto-mac=no \
    ingress-filtering=no name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=1-INTERNAL vlan-id=1
add interface=bridge name=10-VW vlan-id=10
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp-pool-1 ranges=10.120.0.100-10.120.0.254
add name=dhcp-pool-10 ranges=10.120.10.100-10.120.10.254
/ip dhcp-server
add address-pool=dhcp-pool-1 interface=bridge lease-time=10m name=defconf
add address-pool=dhcp-pool-10 interface=10-VW lease-time=10m name=\
    dhcp-server-10-vw
/interface bridge port
add bridge=bridge frame-types=\
    admit-only-untagged-and-priority-tagged hw=no interface=ether8 pvid=10
add bridge=bridge frame-types=admit-only-vlan-tagged hw=no \
    ingress-filtering=no interface=ether9
add bridge=bridge hw=no ingress-filtering=no interface=\
    ether10 pvid=10
add bridge=bridge frame-types=admit-only-vlan-tagged hw=no \
    ingress-filtering=no interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set accept-router-advertisements=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge comment=vw tagged=bridge,sfp-sfpplus1,ether9 vlan-ids=10
add bridge=bridge comment=disabled vlan-ids=999
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
/ip address
add address=10.120.0.1/24 interface=bridge network=10.120.0.0
add address=10.120.10.1/24 interface=10-VW network=10.120.10.0
add address=10.120.11.1/24 interface=wg1 network=10.120.11.0
/ip dhcp-client
add interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=10.120.0.0/24 dns-server=10.120.0.1 gateway=\
    10.120.0.1 netmask=24
add address=10.120.10.0/24 dns-server=10.120.10.1 domain=example.com \
    gateway=10.120.10.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8 use-doh-server=\
    https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip firewall filter
add action=accept chain=forward comment="Allow established & related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward in-interface=10-VW out-interface-list=WAN
add action=drop chain=forward comment="Drop everything else (default)"
add action=masquerade chain=srcnat comment="NTP NAT Masquerade" dst-port=123 \
    protocol=udp to-ports=12300-12390
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system resource irq rps
set sfp-sfpplus1 disabled=no
Verifying the VLAN is configured and the link is up as follows:
Code:
ICX6450-24P Router(config)#show vlan 10
Total PORT-VLAN entries: 2
Maximum PORT-VLAN entries: 64

Legend: [Stk=Stack-Id, S=Slot]

PORT-VLAN 10, Name [None], Priority level0, Spanning tree Off
Untagged Ports: (U1/M1)   1  14
   Tagged Ports: (U1/M1)   7
   Tagged Ports: (U1/M2)   1
   Uplink Ports: None
DualMode Ports: None
Mac-Vlan Ports: None
     Monitoring: Disabled
ICX6450-24P Router(config)#show int e 1/2/1
10GigabitEthernet1/2/1 is up, line protocol is up
  Port up for 2 minutes 28 seconds
  Hardware is 10GigabitEthernet, address is cc4e.2407.4a99 (bia cc4e.2407.4a99)
  Configured speed 10Gbit, actual 10Gbit, configured duplex fdx, actual fdx
  Member of 1 L2 VLANs, port is tagged, port state is FORWARDING
  BPDU guard is Disabled, ROOT protect is Disabled, Designated protect is Disabled
  Link Error Dampening is Disabled
  STP configured to ON, priority is level0, mac-learning is enabled
  Flow Control is enabled
  Mirror disabled, Monitor disabled
  Mac-notification is disabled
  Not member of any active trunks
  Not member of any configured trunks
  No port name
  MTU 1500 bytes, encapsulation ethernet
  300 second input rate: 40696 bits/sec, 1 packets/sec, 0.00% utilization
  300 second output rate: 26400 bits/sec, 11 packets/sec, 0.00% utilization
  8508 packets input, 28994733 bytes, 0 no buffer
  Received 687 broadcasts, 1097 multicasts, 6724 unicasts
  51065 input errors, 45581 CRC, 0 frame, 0 ignored
  0 runts, 0 giants
  69722 packets output, 16326036 bytes, 0 underruns
  Transmitted 2592 broadcasts, 9434 multicasts, 57696 unicasts
  0 output errors, 0 collisions
  Relay Agent Information option: Disabled

Egress queues:
Queue counters    Queued packets    Dropped Packets
    0                   0                   0
    1                   0                   0
    2                   0                   0
    3                   0                   0
    4                   0                   0
    5                   0                   0
    6                   0                   0
    7                   0                   0
Any chance anyone recognizes something I overlooked or has ideas for how to further troubleshoot?
 

SadoKitten

Active Member
Apr 26, 2018
I have probably missed it. But for the icx 7450, I know you stack them using the rear 40g or the front 10g. And some commands. But can you then run another 40g cable off the 2nd switch to the main 100g switch we have?