Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)

[Vesalius]

@fohdeesha is there a way to make thr dhcp server in a brocade icx6450 authoritative? I setup some pools and some of my devices cannot get an ip from the pool but others can. I don't have the luxury of setting up ISC dhcpd on another device.

Check out the post from @fohdeesha back in 2018 in regards to the FastIron 08.0.30 dhcp server implementation.

Gave the built in DHCP server a go to see if I would run into your issue, and I did indeed with a couple IOT type stuff. After a ton of debugging, it turned out to be the fact the FastIron DHCP server is not set as authoritative, and some DHCP stack implementations (like Roku's and Sonos) do not like this, and will ignore it.

https://forums.servethehome.com/index.php?threads/brocade-icx-series-cheap-powerful-10gbe-40gbe-switching.21107/post-206144

 

[Spindle2274]

Well, I can only help you eliminate assumptions...
Does "show ip client-pub-key" agree with your key? does "show ip ssh config" agree that Public-key is an authentication method? Does "ssh -vvv switch-host" show that you're not offering multiple keys before the one you want?

Thank you, I appreciate any help I can get. Still no cigar, unfortunately.

show ip client-pub-key shows my public key that I am using (RSA 2048).


ssh -vvv switch-host only shows the intended key being offered.

I verfied file permissions. Re-uploaded the key. Tried from another machine. I even created a docker container based on Ubuntu 16.04 with OpenSSL 7 to see if it had something to do with my modern client, same result.

show ip ssh config
SSH server                 : Enabled
SSH port                   : tcp\22
Host Key                   :  RSA 2048
Encryption                 : aes256-cbc, aes192-cbc, aes128-cbc, aes256-ctr, aes192-ctr, aes128-ctr
Permit empty password      : No
Authentication methods     : Public-key
Authentication retries     : 3
Login timeout (seconds)    : 120
Idle timeout (minutes)     : 0
Strict management VRF      : Disabled
SCP                        : Enabled
SSH IPv4 clients           : All
SSH IPv6 clients           : All
SSH IPv4 access-group      :
SSH IPv6 access-group      :
SSH Client Keys            :

I have already wasted a day on this! Hopefully I can get some relief soon.

EDIT: I was finally able to connect by trying a 1024 bit key! Not ideal, obviously, but I am willing to accept the risk if I specify the allowed hosts manually.

 

[kevindd992002]

We're not so different, you and I.

vlan 10 name wired by port
untagged ethe 1/1/43
router-interface ve 10
!
vlan 100 name Comcast by port
untagged ethe 1/1/45 to 1/1/48
!
vlan 101 name Wifi-Users by port
tagged ethe 1/1/39
router-interface ve 101
!
vlan 200 name DMZ by port
untagged ethe 1/1/31 ethe 1/2/4
router-interface ve 200
!
vlan 201 name Printers by port
tagged ethe 1/1/39
router-interface ve 201
!
vlan 400 name Wifi-Guest by port
tagged ethe 1/1/39
untagged ethe 1/1/37
router-interface ve 400
!
vlan 1000 name Internal by port
tagged ethe 1/1/39
untagged ethe 1/1/38 ethe 1/1/40
router-interface ve 1000
!
vlan 1500 name DEFAULT-VLAN by port

ip dhcp-server pool guests
dhcp-default-router 172.20.20.1
dns-server 8.8.8.8 1.1.1.1
excluded-address 172.20.20.1 172.20.20.99
lease 0 1 0
network 172.20.20.0 255.255.255.0
static-mac-ip-mapping 172.20.20.100 0011.2233.4455
deploy
!
!
ip dhcp-server pool internal
dhcp-default-router 10.255.253.1
dns-server 8.8.8.8 1.1.1.1
excluded-address 10.255.253.1 10.255.253.99
lease 0 1 0
network 10.255.253.0 255.255.255.0
static-mac-ip-mapping 10.255.253.100 0011.2233.4455
static-mac-ip-mapping 10.255.253.251 0011.2233.4455
static-mac-ip-mapping 10.255.253.253 0011.2233.4455
deploy
!
!
ip dhcp-server pool printers
dhcp-default-router 192.168.201.1
excluded-address 192.168.201.1 192.168.201.2
excluded-address 192.168.201.4 192.168.201.255
lease 1 0 0
network 192.168.201.0 255.255.255.0
static-mac-ip-mapping 192.168.201.3 0011.2233.4455
deploy
!
!
ip dhcp-server pool users
dhcp-default-router 192.168.101.1
dns-server 192.168.200.5
excluded-address 192.168.101.1 192.168.101.99
lease 0 1 0
network 192.168.101.0 255.255.255.0
deploy

I don't see any reason your devices should be having an issue here. Any chance you're making use of ACLs? Here's my "guest network" ACL:

interface ve 400
ip access-group 104 in
ip address 172.20.20.1 255.255.255.0
!
access-list 104 deny ip any 192.168.0.0 0.0.255.255
access-list 104 permit ip any 172.20.20.0 0.0.0.255
access-list 104 permit udp any eq bootpc any eq bootps
access-list 104 deny ip any 172.16.0.0 0.15.255.255
access-list 104 deny ip any 10.0.0.0 0.255.255.255
access-list 104 permit icmp any 192.168.0.0 0.0.255.255 echo-reply
access-list 104 deny icmp any 192.168.0.0 0.0.255.255
access-list 104 permit icmp any 172.20.20.0 0.0.0.255
access-list 104 deny icmp any 172.16.0.0 0.15.255.255
access-list 104 deny icmp any 10.0.0.0 0.255.255.255
access-list 104 permit ip any any
access-list 104 permit icmp any any

In particular, DHCP's DISCOVER is from 0.0.0.0:bootpc to 255.255.255.255:bootps, which is why the extra UDP rule has to be included.

To investigate your problem more, I'd suggest you mirror the traffic on that VE to somewhere that you can do a package capture or tcpdump. Your bindings say that the router thinks the address is assigned - why doesn't the NVR know?

No ACL's at all because I'm not yet at that part of the config. I'll have those later.

Yeah, that's what's weird. The switch knows it assigned the IP but the nvr doesn't. When I plug in a windows device on the same port, no issues. When I plug in the nvr to another netowrk in another house with a pfsense dhcp server, no issues. So it's got to be th combiantion of this switch and nvr, no?

I'll see how I can mirror the traffic of a ve to do a packet dump. But what ie the disadvantage of using a non-authoritative dhcp server?

 

[ManoftheSea]

But what ie the disadvantage of using a non-authoritative dhcp server?

Apparently, the NVR not accepting the lease.

 

[kevindd992002]

Check out the post from @fohdeesha back in 2018 in regards to the FastIron 08.0.30 dhcp server implementation.

https://forums.servethehome.com/index.php?threads/brocade-icx-series-cheap-powerful-10gbe-40gbe-switching.21107/post-206144

Well that's exactly the post that made me ask my initial dhcp question in the first place. But why does it not assign the IP? I thought having a non-authoritative dhcp is only bad when you multiple dhcp servers in a subnet or something, since it doesn't reply to NACK packets?

 

[kevindd992002]

Apparently, the NVR not accepting the lease.

I guess the better question is what is the use case of a non-authoritative dhcp server?

I don't to have this same problem in the future for other devices. It's bizarre that an enterprise L3 switch has this type of problem.

 

[notdeadyet]

Multicast config is all default no changes. Once I upgraded the firmware it worked. What switch do you have? Does it have the latest firmware?

I have an ICX-6450P on the latest router firmware. Everything works except for multicast across VLANs. I can share my config if that could help with troubleshooting. I've tried everything, even running a VM with avahi on all VLANs and it still doesn't work.

 

[rnavarro]

Alright, I've got a weird one and it's driving me absolutely bonkers. This is ALL in the context of IPv6

Problem

I'm having an issue with wireless IPv6 connectivity to the internet. When a wireless client roams from the initial association WAP (access point) it loses IPv6 connectivity to the internet.

If I re-associate (reset wifi on the device) after roaming IPv6 comes back for the new WAP, roaming again will break connectivity to the internet.

Environment

Router
I have an OpnSense router with a direct "transit" connection down to a pair of stacked ICX6610's. I turned off all dynamic routing protocols and I'm using only static routing on the ICX's and the opnSense.

Switches
The ICX 6610's are running the latest firmware:
Copyright (c) Ruckus Networks, Inc. All rights reserved.
UNIT 1: compiled on Aug 8 2023 at 23:06:54 labeled as SPR08095m
(33554432 bytes) from Primary SPR08095m.bin (UFI)
SW: Version 08.0.95mT213
Compressed Primary Boot Code size = 786944, Version:10.1.26T215 (spz10126)
Compiled on Tue Nov 29 04:43:15 2022
UNIT 2: compiled on Aug 8 2023 at 23:06:54 labeled as SPR08095m
(33554432 bytes) from Primary SPR08095m.bin (UFI)
SW: Version 08.0.95mT213
Compressed Primary Boot Code size = 786944, Version:10.1.26T215 (spz10126)

HW: Stackable ICX7250-24-HPOE


The ICX's are running as L3 gateways for their respective VLANs, each vlan is using SLAAC for IPv6 address allocation.

The ICX routing table has the upstream opnSense router as it's default route.

Access Points
I trunk 3 VLANs to three different Aruba InstantOn AP22 access points, the 3 access points are split accross multiple switch ports in the stack.

Debugging Attempts
Removed all dynamic routing protocols and moved to static routes

*after* roaming to a different access point
Ping from OpnSense to wireless device - fails
Ping from hardwired device to wireless device in the same VLAN (ie no routing) - succeeds
Ping from hardwired device to wireless device in a different VLAN (ie routed through 6610) - succeeds

Here is a tcpdump from the perspective of the OpnSense router:

OpnSense: 2001:db8:2d00:24f0::1
Wireless Client: 2001:db8:2d00:2405:207a:305e:39d9:b385

Associated with WAP1
19:57:46.434682 IP6 2001:db8:2d00:2405:207a:305e:39d9:b385 > 2001:db8:2d00:24f0::1: ICMP6, echo reply, seq 994, length 16
19:57:47.427977 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 995, length 16
19:57:47.434530 IP6 2001:db8:2d00:2405:207a:305e:39d9:b385 > 2001:db8:2d00:24f0::1: ICMP6, echo reply, seq 995, length 16
19:57:48.430550 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 996, length 16
19:57:48.438575 IP6 2001:db8:2d00:2405:207a:305e:39d9:b385 > 2001:db8:2d00:24f0::1: ICMP6, echo reply, seq 996, length 16
19:57:49.433206 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 997, length 16
19:57:49.499337 IP6 2001:db8:2d00:2405:207a:305e:39d9:b385 > 2001:db8:2d00:24f0::1: ICMP6, echo reply, seq 997, length 16

Roam to WAP2
19:57:50.437464 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 998, length 16
19:57:51.438580 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 999, length 16
19:57:52.440642 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1000, length 16
19:57:53.441971 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1001, length 16
19:57:54.443574 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1002, length 16
19:57:55.444589 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1003, length 16
19:57:56.448761 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1004, length 16
19:57:57.450438 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1005, length 16
19:57:58.452506 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1006, length 16
19:57:59.457450 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1007, length 16
19:58:00.458815 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1008, length 16
19:58:01.463074 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1009, length 16
19:58:02.464345 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1010, length 16
19:58:03.465588 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1011, length 16
19:58:04.467961 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1012, length 16
19:58:05.468944 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1013, length 16
19:58:06.470789 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1014, length 16
19:58:07.478637 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1015, length 16
19:58:08.479740 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1016, length 16
19:58:09.484910 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1017, length 16
19:58:10.492031 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1018, length 16
19:58:11.494773 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1019, length 16
19:58:12.502221 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1020, length 16
19:58:13.508098 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1021, length 16
19:58:14.514172 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1022, length 16
19:58:15.516477 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1023, length 16
19:58:16.519838 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1024, length 16
19:58:17.521306 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1025, length 16
19:58:18.523018 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1026, length 16
19:58:19.529879 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1027, length 16
19:58:20.532896 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1028, length 16
19:58:21.534109 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1029, length 16
19:58:22.535387 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1030, length 16
19:58:23.536953 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1031, length 16
19:58:24.537997 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1032, length 16
19:58:25.541886 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1033, length 16
19:58:26.546915 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1034, length 16
19:58:27.555055 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1035, length 16
19:58:28.563192 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1036, length 16
19:58:29.567090 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1037, length 16
19:58:30.568384 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1038, length 16
19:58:31.583843 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1039, length 16
19:58:32.595609 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1040, length 16
19:58:33.604105 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1041, length 16
19:58:34.610626 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1042, length 16
19:58:35.618694 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1043, length 16
19:58:36.622297 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1044, length 16
19:58:37.627183 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1045, length 16
19:58:38.629207 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1046, length 16
19:58:39.630363 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1047, length 16
19:58:40.633129 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1048, length 16
19:58:41.634566 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1049, length 16
19:58:42.636545 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1050, length 16
19:58:43.637942 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1051, length 16
19:58:44.638553 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1052, length 16
19:58:45.641411 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1053, length 16
19:58:46.642567 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1054, length 16
19:58:47.643843 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1055, length 16
19:58:48.645237 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1056, length 16
19:58:49.646044 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1057, length 16
19:58:50.649867 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1058, length 16
19:58:51.650661 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1059, length 16
19:58:52.651403 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1060, length 16
19:58:53.652821 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1061, length 16
19:58:54.653917 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1062, length 16
19:58:55.657144 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1063, length 16

Return to WAP1
19:58:55.665094 IP6 2001:db8:2d00:2405:207a:305e:39d9:b385 > 2001:db8:2d00:24f0::1: ICMP6, echo reply, seq 1063, length 16
19:58:56.657742 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1064, length 16
19:58:56.665141 IP6 2001:db8:2d00:2405:207a:305e:39d9:b385 > 2001:db8:2d00:24f0::1: ICMP6, echo reply, seq 1064, length 16
19:58:57.659884 IP6 2001:db8:2d00:24f0::1 > 2001:db8:2d00:2405:207a:305e:39d9:b385: ICMP6, echo request, seq 1065, length 16
19:58:57.664363 IP6 2001:db8:2d00:2405:207a:305e:39d9:b385 > 2001:db8:2d00:24f0::1: ICMP6, echo reply, seq 1065, length 16

During that entire test, pings from a device on the same VLAN and another device in a different VLAN experienced zero packet loss.

P.S. I'm seeing these issues ONLY with my wireless clients, my hard wired IPv6 client works great.

 

[jode]

I wonder if you might be able to use ssh and an expect-script to send the commands to the switch

Took a little while, but this works.

#!/usr/bin/expect -f
## Sypnosis: run_script.exp <ICX_IP> <ICX_SCRIPT>
## Run script <ICX_SCRIPT> line by line on ICX <ICX_IP>. Connection via SSH certificate assumed.

set ICX_IP [lindex $argv 0]
set ICX_SCRIPT [lindex $argv 1]

set timeout 15
spawn ssh $ICX_IP
match_max 100000
expect -exact "SSH@ICX6610>"
send -- "enable\r"
expect "SSH@ICX6610#"
send -- "skip\r"
expect "SSH@ICX6610#"

set infile [open "$ICX_SCRIPT"]
while { [gets $infile line] >= 0 } {
  send "$line\r"
  expect -re "SSH@ICX6610(?:>|.*#)"
}

send_user "\r"

In the next step I'll try to create scripted tests.

 

[rnavarro]

Relating to the above, I found another interesting detail.

I setup port mirroring on the ICX's to take a look at the traffic out of the WAP ports.

It looks like the ping from the OpnSense router is being routed through the switch, however it's going out of the wrong port.

The echo request seems to be stuck on the initial WAP port.

When doing a mirror of the roamed WAP port, I don't see the echo request.

What's more interesting is that the switch definitely updates it's internal neighbor cache:

show ipv6 neighbor 2001:db8:2d00:2405:207a:305e:39d9:b385
IPv6 Address LinkLayer-Addr State Age Port vlan IsR
2001:db8:2d00:2405:207a:305e:39d9:b385 ac3e.b17a.0038 STALE 6333 e 1/1/12 5 0

1/1/12 is the port of the roamed to WAP

It seems like there is a mismatch when routing traffic, as it doesn't seem to get the memo that this address is now on a different port.

 

[rnavarro]

One more discovery for the night.

If I clear the ipv6 neighbor cache on the router, things start working even after a roam:

clear ipv6 neighbor 2001:db8:2d00:2405:207a:305e:39d9:b385

pings immediately start working again

 

[fohdeesha]

One more discovery for the night.

If I clear the ipv6 neighbor cache on the router, things start working even after a roam:

clear ipv6 neighbor 2001:db8:2d00:2405:207a:305e:39d9:b385

pings immediately start working again

ya v8030 no handle ipv6 neighbor enmtrties moving to different ports sdo good need to clear neihgbors

 

[rnavarro]

ya v8030 no handle ipv6 neighbor enmtrties moving to different ports sdo good need to clear neihgbors

Booo these 7250's were perfect with POE and SFP+ port count.

I think I'm going to try try the 9.x branch for the hell of it to see what it does.

I guess worst case I'll just go back to terminating all my vlans on the OpnSense, but I hate hate hate taking down the whole network when it does updates.

We'll see.

 

[kpfleming]

I think I'm going to try try the 9.x branch for the hell of it to see what it does.

I had a lot of strange IPv6 problems with the 08.x branch which were fixed by the 09.x branch; it's definitely worth a try.

 

[fohdeesha]

Booo these 7250's were perfect with POE and SFP+ port count.

I think I'm going to try try the 9.x branch for the hell of it to see what it does.

I guess worst case I'll just go back to terminating all my vlans on the OpnSense, but I hate hate hate taking down the whole network when it does updates.

We'll see.

hmm, the v6 neighbors not migrating ports on their own is a bug in 8030/icx6xxx series, shouldn't be happening on icx7xxx series running latest 8095

edit: yeah try 9x

 

[joku]

Can anyone recommend a serial cable that is known to work with the Brocade ICX6450 (availability in Germany would be great)?
I've ordered this one, which doesn't work (it prints garbage to the console). It seems the PIN layout is wrong.

https://amzn.eu/d/cQv388q

 

[NablaSquaredG]

I've ordered this one, which doesn't work (it prints garbage to the console). It seems the PIN layout is wrong.

Have you set the correct baud rate + settings?

9600 8N1

 

[i386]

Can anyone recommend a serial cable that is known to work with the Brocade ICX6450 (availability in Germany would be great)?
I've ordered this one, which doesn't work (it prints garbage to the console). It seems the PIN layout is wrong.

https://amzn.eu/d/cQv388q

I use a startech adapter with ftdi chip (ICUSB2321F) and the serial cable that came with an arista switch. Bought it after two other cheaper usb adapters/cables didn't work.

 

[joku]

Have you set the correct baud rate + settings?

9600 8N1

Settings are as follows (checked in the driver settings as well as in the PuTTY settings):
Baud rate: 9600
Data bits: 8
Stop bits: 1
Parity: NONE
Flow control: NONE

 

[dbvader]

I've ordered this one, which doesn't work (it prints garbage to the console). It seems the PIN layout is wrong.
https://amzn.eu/d/cQv388q

Not familiar with that particular cable but one review (from Japan) states it only worked after installing the driver. If on Windows 11 there seems to be some confusion as to which (PL2303) driver to install.

The pin layout otherwise seems to be the same as an ebay cable I'm successfully using (with minicom).