Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)

compufritz

New Member
Feb 25, 2024
4
3
3
Ok, so module 1 and 2 are communicating properly. I connected the laptop to 1/1/5 and manually set IP info (10.10.10.51, 255.255.255.0, 10.10.10.1) and was able to ping the desktop (10.10.10.50) and vice versa.

Had another epiphany to test VLAN routing, so hooked up wife's laptop to 1/1/38 and manually set IP (10.10.20.51, 255.255.255.0, 10.10.20.1) and was unable to ping the other laptop or the desktop. So that points me to a switch config issue with inter-VLAN routing. Found this post while researching, so restarted both machines since I already had DNS configured and now everything is talking... /facepalm... it's always DNS lol


Show IP route and show IP cache results below (ran before I tested the .20.0 ping so that's why it's not in the routes)
Code:
SSH@icx6450>show ip route
Total number of IP routes: 4
Type Codes - B:BGP D:Connected O:OSPF R:RIP S:Static; Cost - Dist/Metric
BGP  Codes - i:iBGP e:eBGP
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2
        Destination        Gateway         Port          Cost          Type Uptime
1       0.0.0.0/0          172.16.1.1      ve 172        1/1           S    1m33s
2       10.10.5.0/24       DIRECT          ve 5          0/0           D    1m34s
3       10.10.10.0/24      DIRECT          ve 10         0/0           D    18h11m
4       172.16.1.0/30      DIRECT          ve 172        0/0           D    1m33s
SSH@icx6450>show ip cache
Entries in default routing instance:
Total number of cache entries: 6
D:Dynamic  P:Permanent  F:Forward  U:Us  C:Complex Filter
W:Wait ARP  I:ICMP Deny  K:Drop  R:Fragment  S:Snap Encap
     IP Address         Next Hop        MAC            Type Port           Vlan Pri
1    172.16.1.2         DIRECT          0000.0000.0000 PU   n/a                 0
2    10.10.5.1          DIRECT          0000.0000.0000 PU   n/a                 0
3    10.10.5.2          DIRECT          0000.0000.0000 DW   n/a                 0
4    10.10.5.3          DIRECT          0000.0000.0000 DW   n/a                 0
5    10.10.10.1         DIRECT          0000.0000.0000 PU   n/a                 0
6    255.255.255.255    DIRECT          0000.0000.0000 PU   n/a                 0
SSH@icx6450>
Duh moment... eliminate variables to isolate the problem. Didn't think of that last night.

I'll try that later tonight. I had run "show ip route" and it looked normal. I'll run both of those commands later and post the output. Thanks
 

RuckusVol

New Member
Jul 2, 2024
11
8
3
You'll need to show the full output of 'show version', that alone is not enough.
SPR08095p, SW version 08.0.95pT213, Software Package ICX7250_L3_SOFT_PACKAGE, license l3-prem-8X10G. Does that tell you what you need to know? I didn't see anything else relevant in the logs.

I was able to get the GPON working. But it's very intermittent. I have a Firewalla and now none of my devices can ping the gateway. I assume I messed something up on the switch and it's not a Firewalla problem.

To get the WAN working I had to try a bunch of stuff. I doubt it's right or the best way so I'd like feedback on the big picture correct way to do it. I'm happy to learn how to implement the concepts myself.

I have a GPON SFP module bringing fiber in. That communicates on Vlan 1222 but also has untagged traffic. I'm not clear on the right way to handle that between two ports and not have them talk to any other ports so it all goes to the router. I ended up with tagged Vlan 1222 and untagged Vlan 22 on both ports. It worked, but I'm not sure if split Vlans causes an issue or not. I did configure the router to expect Vlan 1222.

I tried untagged 1222 on the GPON and tagged on the other side, while removing the default Vlan. I tried the reverse of that, both tagged and removed from default, and both untagged. I don't know if there's a specific isolated Vlan I should use or something. I'm open to suggestions.

On the LAN side I have a default Vlan 1 and 11 & 57 for IoT & Guests. I just want to understand a simple setup well to start. I followed the guide, but does each vlan need a ve? Should they use their own router interfaces, the shared main one, or none aside from default Vlan? Do I need a transport vlan of some type to bridge them?

I know that's a lot of mess and not laid out very cleanly. But I wanted this to be a fun learning project and I've ended up thrashing with the whole house down for over a day. Any ideas are much appreciated!
 

kpfleming

Active Member
Dec 28, 2021
432
222
43
Pelham NY USA
SPR08095p, SW version 08.0.95pT213, Software Package ICX7250_L3_SOFT_PACKAGE, license l3-prem-8X10G. Does that tell you what you need to know?
Yes, that's it. The 'SPR' prefix means you are using the 'routing' (layer 3) version of the firmware, which means you can assign IP addresses to interfaces (including virtual interfaces), setup routes between VLANs, etc. It's not *necessary* to do any of that, you can operate the switch entirely at layer 2 even with the SPR firmware installed.

Your VLAN configuration sounds correct: the SFP port for the GPON should have an untagged VLAN (the number doesn't matter as long it's not 1222 or 1), and a tagged VLAN (number 1222). The port for the Firewalla will need to have the same tagged VLAN (number 1222) which it will use to communicate with the ISP via the GPON SFP. That port will also need VLANs (untagged and tagged) for all of the VLANs that the Firewalla is providing routing/addressing/etc. for (VLAN 1, 11, and 57, it sounds like). The Firewalla will have to be configured to know about all of the VLANs on its port, and have IP subnets (presumably with a DHCP server on 1, 11, and 57, and a DHCP client on 1222) on each of them.

You don't need any virtual ethernet interfaces on any of the VLANs for traffic to be able to pass between the GPON SFP, Firewalla, and LAN clients; a layer 2 configuration of just VLANs will be sufficient for that.

The only situation where you will need a virtual ethernet interface is if you want to be able to manage the switch itself over the LAN (instead of using the console port or management port); in that case you'd create a VE on VLAN 1 (probably) and give that an address in the VLAN 1 subnet. The switch would then be reachable at that address.
 

RuckusVol

New Member
Jul 2, 2024
11
8
3
Yes, that's it. The 'SPR' prefix means you are using the 'routing' (layer 3) version of the firmware, which means you can assign IP addresses to interfaces (including virtual interfaces), setup routes between VLANs, etc. It's not *necessary* to do any of that, you can operate the switch entirely at layer 2 even with the SPR firmware installed.

Your VLAN configuration sounds correct: the SFP port for the GPON should have an untagged VLAN (the number doesn't matter as long it's not 1222 or 1), and a tagged VLAN (number 1222). The port for the Firewalla will need to have the same tagged VLAN (number 1222) which it will use to communicate with the ISP via the GPON SFP. That port will also need VLANs (untagged and tagged) for all of the VLANs that the Firewalla is providing routing/addressing/etc. for (VLAN 1, 11, and 57, it sounds like). The Firewalla will have to be configured to know about all of the VLANs on its port, and have IP subnets (presumably with a DHCP server on 1, 11, and 57, and a DHCP client on 1222) on each of them.

You don't need any virtual ethernet interfaces on any of the VLANs for traffic to be able to pass between the GPON SFP, Firewalla, and LAN clients; a layer 2 configuration of just VLANs will be sufficient for that.

The only situation where you will need a virtual ethernet interface is if you want to be able to manage the switch itself over the LAN (instead of using the console port or management port); in that case you'd create a VE on VLAN 1 (probably) and give that an address in the VLAN 1 subnet. The switch would then be reachable at that address.
Thank you so much! This part still confuses me:

The port for the Firewalla will need to have the same tagged VLAN (number 1222) which it will use to communicate with the ISP via the GPON SFP. That port will also need VLANs (untagged and tagged) for all of the VLANs that the Firewalla is providing routing/addressing/etc. for (VLAN 1, 11, and 57, it sounds like). The Firewalla will have to be configured to know about all of the VLANs on its port, and have IP subnets (presumably with a DHCP server on 1, 11, and 57, and a DHCP client on 1222) on each of them.
On my prior WAN setup, there were no vlans required on the WAN port. If you aren't familiar with Firewalla, mine has 4 ports. I'm using 1 for WAN and previously that came from an ISP box direct to the Firewalla. So I didn't have to deal with any vlans there, but I never thought the Firewalla might be tagging traffic out to the ISP box. In my case here, I have two isolated ports being used for the WAN, 1 for GPON in and another for ethernet out to the Firewalla WAN port. I thought those two should only have the 1222 and alternate untagged ports. Otherwise, wouldn't traffic be free to flow to the network without going through the firewall? And wouldn't the Firewalla handle translating the incoming 1222/alternate traffic to the needed vlan?

On the LAN side there are 3 ports. I'm only using 1 right now, but the VLANs are created in the Firewalla and all the traffic is tagged. On the ICX I have the input port tagged for all the VLANs and the individual ports tagged/untagged as needed. Am I doing something wrong by not tagging the external WAN port of the Firewalla? My concern was traffic bypassing the firewall, but maybe I misunderstand the concept.

But it sounds like it should be:

Code:
vlan 'alternate'
  GPON untagged
  FIREWALLA_WAN_ICX tagged? or empty to discard non-1222 traffic?

vlan 1222
  GPON tagged
  FIREWALL_WAN_ICX tagged

vlan 1
  ICX_IN_FROM_FIREWALLA tagged
  RELEVANT_ICX_PORTS tagged/untagged
  ??FIREWALLA_WAN_ICX tagged??
vlan 11
  ICX_IN_FROM_FIREWALLA tagged
  RELEVANT_ICX_PORTS tagged/untagged
  ??FIREWALLA_WAN_ICX tagged??

vlan 57
  ICX_IN_FROM_FIREWALLA tagged
  RELEVANT_ICX_PORTS tagged/untagged
  ??FIREWALLA_WAN_ICX tagged??
My two main questions right now are:
  1. Should the FIREWALLA_WAN_ICX have the alternate VLAN untagged or should it be excluded?
  2. Should the FIREWALLA_WAN_ICX port be tagged with the VLANS or is that a security concern allowing traffic to bypass the firewall?
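As an added example (not from any post in this thread), here is one way the two-port WAN layout sketched above could be written in FastIron CLI on an ICX7250 running the routing firmware. The port numbers (GPON SFP in 1/2/1, Firewalla WAN port on 1/1/48, Firewalla LAN port on 1/1/47), the choice of 22 as the untagged "alternate" VLAN, the access-port ranges and the management address are all my assumptions; VLAN 1222 and the LAN VLANs 1, 11 and 57 are the ones named in the thread.

```text
! --- WAN side: only these two ports are members of the ISP-facing VLANs ---
! Untagged frames from the GPON SFP land here instead of in default VLAN 1.
vlan 22 name wan-untagged by port
 untagged ethe 1/2/1 ethe 1/1/48
!
vlan 1222 name isp-gpon by port
 tagged ethe 1/2/1 ethe 1/1/48
!
! --- LAN side: the Firewalla LAN port carries every LAN VLAN tagged ---
vlan 11 name iot by port
 tagged ethe 1/1/47
 untagged ethe 1/1/1 to 1/1/8
!
vlan 57 name guest by port
 tagged ethe 1/1/47
 untagged ethe 1/1/9 to 1/1/16
!
! VLAN 1 stays the default VLAN: ports not listed above remain untagged
! members of it. Assumed: tagging 1/1/47 here replaces its default
! untagged membership so the Firewalla's tagged VLAN 1 frames are accepted.
vlan 1
 tagged ethe 1/1/47
 router-interface ve 1
!
! Optional, only for managing the switch over the LAN (assumed address)
interface ve 1
 ip address 192.168.1.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
```

The property to check with `show vlan` afterwards is that no port appears in both a WAN-side VLAN (22, 1222) and a LAN VLAN (1, 11, 57): the only device that is a member of both groups is the Firewalla itself, through two different ports, so the switch cannot forward an ISP frame to a LAN port without it first passing through the firewall. Leaving the GPON port untagged in VLAN 1 would break that, because every port still sitting in the default VLAN would share its broadcast domain.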
 

Burthouse4563

New Member
Jan 27, 2019
1
0
1
Is my 7250 POE no good? I can't get it to work for anything.

Code:
SSH@ICX7250#show inline power detail


Power Supply Data On unit 1:
++++++++++++++++++



Power Supply Data:
++++++++++++++++++

Power Supply #1:
        Max Curr:       13.7 Amps
        Voltage:        54.0 Volts
        Capacity:       740 Watts
        PoePower:       740 Watts
power supply 2 is not present
power supply 3 is not present


POE Details Info. On Unit 1 :


General PoE Data:
+++++++++++++++++

Firmware
Version
----------------
02.1.8 Build 004

Hardware
Version
----------------
V1R3

Device HW version         : 0:V1R3      1:V1R3      2:V1R3      3:V1R3      4:V1R3      5:V1R3
Device Temperature(deg-C) : 0:44        1:48        2:50        3:44        4:44        5:46
Device Status             : 0:VOP-Sev1  1:VOP-Sev1  2:VOP-Sev1  3:VOP-Sev1  4:VOP-Sev1  5:Good
 

kpfleming

Active Member
Dec 28, 2021
432
222
43
Pelham NY USA
My two main questions right now are:
  1. Should the FIREWALLA_WAN_ICX have the alternate VLAN untagged or should it be excluded?
  2. Should the FIREWALLA_WAN_ICX port be tagged with the VLANS or is that a security concern allowing traffic to bypass the firewall?
It's difficult to answer your questions without a diagram of the connections between the various devices. Also, if the GPON SFP was previously in an ISP-provided device which provided an Ethernet port for the router, then that device handled the VLAN 1222 stuff for you, and that's why you didn't need to deal with it. Now that you've moved the SFP to your own device, you have to handle the VLAN tagging/untagging.

If you can provide a diagram of the devices involved and how they are connected to each other, that will help quite a lot.
 

OKGolombRuler

New Member
Mar 13, 2020
22
6
3
Long time no chat, Brocade Brigade--

I have a 7150 stack consisting of a pair of 2 -24s and a -12 running 8.0.95. The stack connects to my core (a Cisco 3172) via a pair of 10G links. The core feeds VLANs to another couple of -12s that due to their location cannot be gracefully stacked.

Several months ago i switched everything over to authenticate via RADIUS (good learning exercise, that) and after some recent network hiccups, discovered that I can authenticate to every switch in the network EXCEPT the stack. Not via SSH, not via web, not via telnet, not via serial console. :facepalm

The radius server shows no logs (and indeed no IP traffic at all) from the stack- it's not trying to authenticate to the radius so I can't cheat it there. I assume I bungled something in the stack config and didn't notice it at the time. Not a crisis, just need a weekend, a notepad, and a good craft festival to get the wife out of wifi range of the broken internet. :D

Here's the trouble: I can't get the stack to reset.

I've done the reset process (serial console, boot interrupt, all that) for one of the stack units, but it seems to be in a race with the stack to reprovision/reconfigure the unit I'm consoled into. I'd rather not wipe the entire stack config if I can avoid it (though I will if I have to, just need a bigger craft festival). Other than ripping the stack apart and reprovisioning it as a standalone unit one switch at a time, anybody got any clever ideas to try?
 

rmzachar

New Member
Mar 8, 2024
10
0
1
Am I correct in assuming my 7250-48P is bad? Got it off eBay and have been having issues where POE either won't work on certain ports or will work and then stop working a few days later. Some ports are showing 'internal h/w fault' (more were showing this before a reboot). I'm guessing this is a lost cause?

Code:
SSH@ruckus7250>show inline power

Power Capacity:         Total is 740000 mWatts. Current Free is 740000 mWatts.

Power Allocations:      Requests Honored 48 times


 Port   Admin   Oper    ---Power(mWatts)---  PD Type  PD Class     Pri  Fault/
        State   State   Consumed  Allocated                             Error
-----------------------------------------------------------------------------
  1/1/1 On      Off            0          0  n/a      n/a            3  n/a
  1/1/2 On      Non-PD         0          0  n/a      n/a            3  n/a
  1/1/3 On      Off            0          0  n/a      n/a            3  n/a
  1/1/4 On      Off            0          0  n/a      n/a            3  n/a
  1/1/5 On      Off            0          0  n/a      n/a            3  n/a
  1/1/6 On      Off            0          0  n/a      n/a            3  n/a
  1/1/7 On      Off            0          0  n/a      n/a            3  n/a
  1/1/8 On      Off            0          0  n/a      n/a            3  n/a
  1/1/9 On      Off            0          0  n/a      n/a            3  internal h/w fault
 1/1/10 On      Off            0          0  n/a      n/a            3  internal h/w fault
 1/1/11 On      Off            0          0  n/a      n/a            3  internal h/w fault
 1/1/12 On      Off            0          0  n/a      n/a            3  internal h/w fault
 1/1/13 On      Off            0          0  n/a      n/a            3  internal h/w fault
 1/1/14 On      Off            0          0  n/a      n/a            3  internal h/w fault
 1/1/15 On      Off            0          0  n/a      n/a            3  internal h/w fault
 1/1/16 On      Off            0          0  n/a      n/a            3  internal h/w fault
 1/1/17 On      Off            0          0  n/a      n/a            3  n/a
 1/1/18 On      Off            0          0  n/a      n/a            3  n/a
 1/1/19 On      Off            0          0  n/a      n/a            3  n/a
 1/1/20 On      Off            0          0  n/a      n/a            3  n/a
 1/1/21 On      Off            0          0  n/a      n/a            3  n/a
 1/1/22 On      Off            0          0  n/a      n/a            3  n/a
 1/1/23 On      Off            0          0  n/a      n/a            3  n/a
 1/1/24 On      Off            0          0  n/a      n/a            3  n/a
 1/1/25 On      Off            0          0  n/a      n/a            3  n/a
 1/1/26 On      Off            0          0  n/a      n/a            3  n/a
 1/1/27 On      Off            0          0  n/a      n/a            3  n/a
 1/1/28 On      Non-PD         0          0  n/a      n/a            3  n/a
 1/1/29 On      Non-PD         0          0  n/a      n/a            3  n/a
 1/1/30 On      Non-PD         0          0  n/a      n/a            3  n/a
 1/1/31 On      Off            0          0  n/a      n/a            3  n/a
 1/1/32 On      Off            0          0  n/a      n/a            3  n/a
 1/1/33 On      Off            0          0  n/a      n/a            3  n/a
 1/1/34 On      Off            0          0  n/a      n/a            3  n/a
 1/1/35 On      Off            0          0  n/a      n/a            3  n/a
 1/1/36 On      Off            0          0  n/a      n/a            3  n/a
 1/1/37 On      Off            0          0  n/a      n/a            3  n/a
 1/1/38 On      Off            0          0  n/a      n/a            3  n/a
 1/1/39 On      Off            0          0  n/a      n/a            3  n/a
 1/1/40 On      Off            0          0  n/a      n/a            3  n/a
 1/1/41 On      Off            0          0  n/a      n/a            3  n/a
 1/1/42 On      Off            0          0  n/a      n/a            3  n/a
 1/1/43 On      Off            0          0  n/a      n/a            3  n/a
 1/1/44 On      Off            0          0  n/a      n/a            3  n/a
 1/1/45 On      Off            0          0  n/a      n/a            3  n/a
 1/1/46 On      Non-PD         0          0  n/a      n/a            3  n/a
 1/1/47 On      Off            0          0  n/a      n/a            3  n/a
 1/1/48 On      Off            0          0  n/a      n/a            3  n/a
-----------------------------------------------------------------------------
 Total                         0          0


SSH@ruckus7250>show inline power detail


Power Supply Data On unit 1:
++++++++++++++++++



Power Supply Data:
++++++++++++++++++

Power Supply #1:
        Max Curr:       13.7 Amps
        Voltage:        54.0 Volts
        Capacity:       740 Watts
        PoePower:       740 Watts
power supply 2 is not present
power supply 3 is not present


POE Details Info. On Unit 1 :


General PoE Data:
+++++++++++++++++

Firmware
Version
----------------
02.1.8 Build 004

Hardware
Version
----------------
UNKNOWN

Device HW version         : 0:V1R3      1:UNKNOWN   2:V1R3      3:V1R3      4:V1R3      5:V1R3
Device Temperature(deg-C) : 0:39        1:n/a       2:40        3:40        4:40        5:39
Device Status             : 0:VOP-Sev1  1:Failed    2:Good      3:Good      4:VOP-Sev1  5:Good



Cumulative Port State Data:
+++++++++++++++++++++++++++

#Ports    #Ports     #Ports   #Ports    #Ports       #Ports     #Ports
Admin-On  Admin-Off  Oper-On  Oper-Off  Off-Denied   Off-No-PD  Off-Fault
-------------------------------------------------------------------------
48        0          0        48        0            48         8



Cumulative Port Power Data:
+++++++++++++++++++++++++++

#Ports  #Ports  #Ports        Power       Power
Pri: 1  Pri: 2  Pri: 3  Consumption  Allocation
-----------------------------------------------
0       0       48          0.000 W     0.000 W
 

dbvader

New Member
Oct 22, 2023
20
3
3
Doesn't look good, but could it be that the budget somehow has been overcommitted? 740W / 48 ~= 15W and class 3 can probably go up to 30W (or even higher).

I can't activate power for all 24 ports given a budget of 370W (on a 6450 24p), unless I reduce the max power allocated for class 3 devices to, say 15W. I guess the default for class 3 devices is 30W (could be different/higher for a 7250).

I'd try to either reduce the max power allocated for class 3 devices to, say 15W (which can be done under "inline power ...") or turn off inline power for at least half of the ports just to see if the hardware faults return when each of the remaining 24 ports has ~30W budget.
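An added example, not from the thread, of the two checks suggested above written as FastIron CLI. The per-port limit keyword and the 15400 mW value are my assumptions (FastIron takes the limit in milliwatts; confirm the exact syntax on your release with `inline power ?` under an interface); the port ranges are arbitrary.

```text
! Option 1: cap every port so 48 ports fit the 740 W supply
! (48 x 15.4 W = 739.2 W). Assumed keyword and unit.
interface ethernet 1/1/1 to 1/1/48
 inline power power-limit 15400
!
! Option 2: take PoE away from half the ports so each remaining port
! has roughly 30 W of budget, then watch whether the faults return.
interface ethernet 1/1/25 to 1/1/48
 no inline power
!
! Then, from privileged exec, compare before/after:
!   show inline power
!   show inline power detail
```

Either change only tells you something if the `Off-Fault` count in `show inline power detail` moves; a PoE device that the detail output reports as `Failed` with an `UNKNOWN` hardware version is a separate question from the budget, and these commands can at most confine the damage to that device's group of ports.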
 

rmzachar

New Member
Mar 8, 2024
10
0
1
Doesn't look good but could it be that the budget somehow has been overcommitted? 740W / 48 ~= 15W and class 3 can go probably go up to 30W (or even higher).

I can't activate power for all 24 ports given a budget of 370W (on a 6450 24p), unless I reduce the max power allocated for class 3 devices to, say 15W. I guess the default for class 3 devices is 30W (could be different/higher for a 7250).

I'd try to either reduce the max power allocated for class 3 devices to, say 15W (which can be done under "inline power ...") or turn off inline power for at least half of the ports just to see if the hardware faults return when each of the remaining 24 ports has ~30W budget.
I disabled 24 ports and it at least now shows power consumption on ports that are using POE, which it wasn't before. I disabled everything but the 8 ports with the h/w faults and those still show fault. With POE off to those ports the fault is gone.

Yes

Code:
Device HW version  1:UNKNOWN
Device Temperature(deg-C) 1:n/a
Device Status 1:Failed
This group of 8 ports has a broken PoE controller. Get a refund if you can.
Yup, that is confirmed at this point. I'll see what I can do about a refund here. The seller is claiming everything worked fine when he sent it, but that's obviously not the case here. In reality, I really don't need all the ports to be POE enabled -- but still, it's not 100% functional as stated.
 

shremi

New Member
Jun 29, 2020
8
0
1
Hi guys, I am trying to add a third device to my stack; however, I am getting weird errors. Am I missing something here?


Code:
SSH@brocade1#stack interactive-setup
You can abort stack interactive-setup at any stage by <ctrl-c>
0: quit
1: change stack unit IDs
2: discover and convert new units (no startup-config flash) to members
3: discover and convert existing/new standalone units to members
2&3 can also find new links and auto-trunk or convert chain(s) to ring.
Please type your selection: 3
Probing topology to find standalone units...
T=1h52m39.0: Sending probes to ports: u2: 2/2/2,
Probing in progress ...
Probing in progress ...
Existing stack: ============================================================
    active       standby
     +---+        +---+
  2/3| 1 |2/1--2/1| 2 |
     +---+        +---+


Horizontal bars link to discovered units. Vertical bars link to stack units.


Chain #0: ==================================================================
SN: serial #, H: hostname, IP, T: up time, (diff: image mismatch)
#1: icx7250-48p-poe-port 78a6.e108.8fe0 SN=DUK3826N0JC H=ferruche3 T=3h27m

     2/2/2
       |
       |
      2/1
     +---+
     |#1 |
     +---+

Discovered 1 chain/ring
Chain #0: Do you want to select this chain? (enter 'y' or 'n'): y
#1: icx7250-48p-poe-port 78a6.e108.8fe0 SN=DUK3826N0JC H=ferruche3 T=3h27m, type an ID (No: 0, default: 3): 3

You selected 1 unit(s): #1: ID=3,

T=1h53m4.2: Error! stack interactive-setup option 3 cannot find default-set for U2 type=ICX7250-48P, ports=2/2/1 (#=1), 2/2/2 (#=1)
Please connect the first port of a default set.

The following stack-ports/trunks are allowed.
Linear-topo trunk (exact ports): allowed only in one-direction
stack-trunk ethe 2/2/1 to 2/2/4
stack-trunk ethe 2/2/5 to 2/2/8
General stack-port/trunk that can be in up to two directions: Both directions must belong to the same valid-stack-port-set (dir_0_1st_port, dir_1_1st_port, max_#_ports):
(2/2/1, 2/2/3, 2), (2/2/5, 2/2/7, 2)
E.g., (1/2/1, 1/2/3, 2): each direction can have 1-2 ports.
     dir 0: stack-port ethe 1/2/1, or stack-trunk ethe 1/2/1 to 1/2/2
     dir 1: stack-port ethe 1/2/3, or stack-trunk ethe 1/2/3 to 1/2/4


NOTE: If this run does not find all links, please try again

****** Please resolve the error ******
stack interactive-setup detects the following links:
Links U2--U3, #=1: 2/2--2/1

    active       standby        #1
     +---+        +---+        +---+
     | 1 |2/1--2/1| 2 |2/2--2/1| 3 |
     +---+        +---+        +---+

 U1: MAC=609c.9f51.b948 SN=DUK3822M0HH running stack interactive-setup
 U2: MAC=609c.9f51.b984 SN=DUK3822M0HM standby
 U3: MAC=78a6.e108.8fe0 SN=DUK3826N0JC H=ferruche3 T=3h27m
SSH@brocade1#
 

ChaOConnor

New Member
Mar 20, 2022
4
0
1
Quick Question: I followed the guide on page one, updated the firmware and licensed my 6450-48p.

I purchased one of these (https://www.amazon.com/gp/product/B07P39G4XJ/ref=ppx_yo_dt_b_asin_title_o04_s00?ie=UTF8&th=1) to put in an SFP+ port. I have a 10 GbE network adapter in my server, but I don't get a link light and my switch shows the port down.

Am I missing something completely basic? All I've done is follow the guide on page one, and I can access the switch on my network via ethernet plugged into any one of the 48 ports.

Appreciate any thoughts you may have!
 

creidhne

New Member
Apr 11, 2020
27
19
3
I have probably dumb question, but here goes:
If I have a VLAN 10 and all machines in it have addresses in 192.168.10.0/24 subnet
and another VLAN 20 and all machines in it have addresses in 192.168.20.0/24 subnet
and I put a brocade6610's virtual router interface in each of those with no access restrictions (permit any rule), can a machine 192.168.10.5 in VLAN 10 access machine 192.168.20.5 in VLAN 20 without issues? Like can I just ping 192.168.20.5 from it and it'll go through?
 

kpfleming

Active Member
Dec 28, 2021
432
222
43
Pelham NY USA
I have probably dumb question, but here goes:
If I have a VLAN 10 and all machines in it have addresses in 192.168.10.0/24 subnet
and another VLAN 20 and all machines in it have addresses in 192.168.20.0/24 subnet
and I put a brocade6610's virtual router interface in each of those with no access restrictions (permit any rule), can a machine 192.168.10.5 in VLAN 10 access machine 192.168.20.5 in VLAN 20 without issues? Like can I just ping 192.168.20.5 from it and it'll go through?
If those machines have a 'default route' (default gateway), or an explicit route, set to the IP address of the VE in their respective VLANs, then yes. If there are no ACLs in place, layer 3 routing is permitted across all VLANs.
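An added example, not from the thread, of the setup asked about above in FastIron CLI (the VLAN/VE syntax is the same on an ICX6610 and an ICX7250 with routing firmware): two VLANs, a VE in each, and then an ACL that carves an exception out of the default behaviour where everything routes. The port ranges, the .1 gateway addresses and the ACL name are my assumptions.

```text
vlan 10 name lan10 by port
 untagged ethe 1/1/1 to 1/1/8
 router-interface ve 10
!
vlan 20 name lan20 by port
 untagged ethe 1/1/9 to 1/1/16
 router-interface ve 20
!
interface ve 10
 ip address 192.168.10.1 255.255.255.0
!
interface ve 20
 ip address 192.168.20.1 255.255.255.0
!
! With nothing more than this, a host in VLAN 10 whose default gateway is
! 192.168.10.1 can ping 192.168.20.5: both subnets appear as connected ("D")
! routes in `show ip route` and the switch forwards between them.
!
! To fence VLAN 20 in rather than permit everything, bind an inbound ACL to
! its VE. FastIron ACLs are stateless and end in an implicit deny, so
! replies to sessions VLAN 10 opened must be allowed explicitly (here TCP
! via `established`; UDP replies would still be dropped) and the final
! permit keeps every other route working.
ip access-list extended lan20-in
 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 established
 permit icmp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip any any
!
interface ve 20
 ip access-group lan20-in in
```

`show ip interface` lists the VEs and their addresses, and `show access-list lan20-in` shows the entries with hit counters, which is the quickest way to confirm the deny is actually matching traffic from VLAN 20 rather than being bypassed by an earlier permit.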
 

creidhne

New Member
Apr 11, 2020
27
19
3
If those machines have a 'default route' (default gateway), or an explicit route, set to the IP address of the VE in their respective VLANs, then yes. If there are no ACLs in place, layer 3 routing is permitted across all VLANs.
So... all the packets in the VLAN 20 sent from VLAN 10 would appear as coming from the VE in VLAN 20 and the subnet is the same so it doesn't matter, correct? Same as I'm behind a NAT and despite being in a 192.168.1.1/24 subnet I can still freely ping google server at 142.250.186.206 since no ACL forbids me from doing so and it all goes through router at 192.168.1.1. Do I understand this correctly?
 

kpfleming

Active Member
Dec 28, 2021
432
222
43
Pelham NY USA
So... all the packets in the VLAN 20 sent from VLAN 10 would appear as coming from the VE in VLAN 20 and the subnet is the same so it doesn't matter, correct? Same as I'm behind a NAT and despite being in a 192.168.1.1/24 subnet I can still freely ping google server at 142.250.186.206 since no ACL forbids me from doing so and it all goes through router at 192.168.1.1. Do I understand this correctly?
No, all the packets will retain their source IP addresses as sent by the machines that sent them. There won't be any address translation in the ICX, and I don't think that's even available.
 

creidhne

New Member
Apr 11, 2020
27
19
3
No, all the packets will retain their source IP addresses as sent by the machines that sent them. There won't be any address translation in the ICX, and I don't think that's even available.
I need me some TCP/IP book it seems... I struggle to put down what I have in mind too. What would you recommend? ;D

Anyway. Source (machine in VLAN 10) wants to send the packet to a machine in a VLAN 20, but has no route to do so - so it sends the packet with default gateway's MAC as target (and maybe the IP as well, unsure?) and final destination IP (the one from VLAN 20). Virtual Router receives the packet and knows where to forward it based on the final destination IP, verifies against its routing tables and what not, ACLs, then changes the MAC in the packet to the target machine in VLAN 20. The packet comes out of the VE in VLAN 20 with the source and final destination IP address unchanged, but with MAC now pointing to the correct target machine. Destination machine accepts the packet.
Same principle applies when I'm trying to ping google's server from my LAN 192.168.1.1/24 subnet, my PC has no route for 142.250.186.206 so it gets sent to the default gateway instead which knows what to do with it - there's just many more routers and "hops" for the packet to go through before reaching the destination.
Is that phrased better and is correct now?
 