You'll need to show the full output of 'show version', that alone is not enough.
I'm not sure whether I'm on the S or R version of software.
show run
ver 08.0.95mT213
SSH@icx6450>show run
Current configuration:
!
ver 08.0.30uT313
!
stack unit 1
module 1 icx6450-48p-poe-port-management-module
module 2 icx6450-sfp-plus-4port-40g-module
!
!
!
!
vlan 1 name DEFAULT-VLAN by port
router-interface ve 1
!
vlan 5 name MGMT by port
tagged ethe 1/1/11 to 1/1/12 ethe 1/1/46 ethe 1/1/48
untagged ethe 1/1/2 to 1/1/4
router-interface ve 5
!
vlan 10 name Trusted by port
tagged ethe 1/1/11 to 1/1/12 ethe 1/1/46 ethe 1/1/48
untagged ethe 1/1/5 to 1/1/10 ethe 1/1/13 to 1/1/36 ethe 1/2/1 to 1/2/3
router-interface ve 10
!
vlan 20 name Lights by port
tagged ethe 1/1/11 to 1/1/12 ethe 1/1/46 ethe 1/1/48
untagged ethe 1/1/38 ethe 1/1/40
router-interface ve 20
!
vlan 30 name NVR by port
untagged ethe 1/1/37 ethe 1/1/39 ethe 1/1/41 ethe 1/1/43 ethe 1/1/45 ethe 1/1/47
router-interface ve 30
!
vlan 40 name IOT by port
tagged ethe 1/1/11 to 1/1/12 ethe 1/1/46 ethe 1/1/48
untagged ethe 1/1/42
router-interface ve 40
!
vlan 50 name Guest by port
tagged ethe 1/1/11 to 1/1/12 ethe 1/1/46 ethe 1/1/48
untagged ethe 1/1/44
router-interface ve 50
!
vlan 172 name Transit by port
untagged ethe 1/1/1 ethe 1/2/4
router-interface ve 172
!
!
!
!
!
optical-monitor
aaa authentication web-server default local
aaa authentication login default local
hostname icx6450
ip dhcp-client disable
ip route 0.0.0.0/0 172.16.1.1
!
no telnet server
username admin password .....
!
!
web-management https
!
!
!
interface ethernet 1/1/11
dual-mode 5
!
interface ethernet 1/1/12
dual-mode 5
!
interface ethernet 1/1/37
inline power
!
interface ethernet 1/1/38
inline power
!
interface ethernet 1/1/39
inline power
!
interface ethernet 1/1/40
inline power
!
interface ethernet 1/1/41
inline power
!
interface ethernet 1/1/42
inline power
!
interface ethernet 1/1/43
inline power
!
interface ethernet 1/1/44
inline power
!
interface ethernet 1/1/45
inline power
!
interface ethernet 1/1/46
dual-mode 5
inline power
!
interface ethernet 1/1/47
inline power
!
interface ethernet 1/1/48
dual-mode 5
inline power
!
interface ethernet 1/2/1
speed-duplex 1000-full-master
!
interface ve 5
ip address 10.10.5.1 255.255.255.0
!
interface ve 10
ip address 10.10.10.1 255.255.255.0
!
interface ve 20
ip address 10.10.20.1 255.255.255.0
!
interface ve 30
ip address 10.10.30.1 255.255.255.0
!
interface ve 40
ip address 10.10.40.1 255.255.255.0
!
interface ve 50
ip address 10.10.50.1 255.255.255.0
!
interface ve 172
ip address 172.16.1.2 255.255.255.252
!
!
!
!
!
!
!
!
!
end
You don't happen to have the desktop plugged into 1/2/4, do you?
I have my desktop connected to one of the SFP+ ports using a Brocade optic and a fiber cable.
Any help would be appreciated. Thanks
Code:
SSH@icx6450>show run
...
vlan 10 name Trusted by port
tagged ethe 1/1/11 to 1/1/12 ethe 1/1/46 ethe 1/1/48
untagged ethe 1/1/5 to 1/1/10 ethe 1/1/13 to 1/1/36 ethe 1/2/1 to 1/2/3
router-interface ve 10
!
vlan 172 name Transit by port
untagged ethe 1/1/1 ethe 1/2/4
router-interface ve 172
!
end
No, it's definitely plugged into 1/2/1. I actually tested plugging my laptop in 1/2/1 using a RJ45 SFP adapter and it is able to ping the desktop at 10.10.10.50, but it also doesn't get an IP from DHCP servers on the DCs and is unable to ping 10.10.5.1 or either of the DC VMs (10.10.5.2 & 10.10.5.3).
You don't happen to have the desktop plugged into 1/2/4, do you?
It looks like you can plug the laptop into 1/1/5, manually assign 10.10.10.49/24, and ping the desktop at 10.10.10.50. This will demonstrate that modules 1 and 2 can pass traffic to each other.
It seems like it's not routing from module 2 to module 1
Duh moment...eliminate variable to isolate the problem. Didn't think of that last night.
It looks like you can plug the laptop into 1/1/5, manually assign 10.10.10.49/24, and ping the desktop at 10.10.10.50. This will demonstrate that modules 1 and 2 can pass traffic to each other.
You might also try running tcpdump at various points to determine where traffic is breaking down.
I'd also recommend the "show ip route" and "show ip cache" commands.
SSH@icx6450>show ip route
Total number of IP routes: 4
Type Codes - B:BGP D:Connected O:OSPF R:RIP S:Static; Cost - Dist/Metric
BGP Codes - i:iBGP e:eBGP
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2
  Destination      Gateway      Port    Cost  Type  Uptime
1 0.0.0.0/0        172.16.1.1   ve 172  1/1   S     1m33s
2 10.10.5.0/24     DIRECT       ve 5    0/0   D     1m34s
3 10.10.10.0/24    DIRECT       ve 10   0/0   D     18h11m
4 172.16.1.0/30    DIRECT       ve 172  0/0   D     1m33s
SSH@icx6450>show ip cache
Entries in default routing instance:
Total number of cache entries: 6
D:Dynamic P:Permanent F:Forward U:Us C:Complex Filter
W:Wait ARP I:ICMP Deny K:Drop R:Fragment S:Snap Encap
IP Address Next Hop MAC Type Port Vlan Pri
1 172.16.1.2 DIRECT 0000.0000.0000 PU n/a 0
2 10.10.5.1 DIRECT 0000.0000.0000 PU n/a 0
3 10.10.5.2 DIRECT 0000.0000.0000 DW n/a 0
4 10.10.5.3 DIRECT 0000.0000.0000 DW n/a 0
5 10.10.10.1 DIRECT 0000.0000.0000 PU n/a 0
6 255.255.255.255 DIRECT 0000.0000.0000 PU n/a 0
SSH@icx6450>
Duh moment...eliminate variable to isolate the problem. Didn't think of that last night.
I'll try that later tonight. I had run "show ip route" and it looked normal. I'll run both of those commands later and post the output. Thanks
SPR08095p, SW version 08.0.95pT213, Software Package ICX7250_L3_SOFT_PACKAGE, license l3-prem-8X10G. Does that tell you what you need to know? I didn't see anything else relevant in the logs.
You'll need to show the full output of 'show version', that alone is not enough.
Yes, that's it. The 'SPR' prefix means you are using the 'routing' (layer 3) version of the firmware, which means you can assign IP addresses to interfaces (including virtual interfaces), set up routes between VLANs, etc. It's not *necessary* to do any of that, you can operate the switch entirely at layer 2 even with the SPR firmware installed.
SPR08095p, SW version 08.0.95pT213, Software Package ICX7250_L3_SOFT_PACKAGE, license l3-prem-8X10G. Does that tell you what you need to know?
Thank you so much! This part still confuses me:
Yes, that's it. The 'SPR' prefix means you are using the 'routing' (layer 3) version of the firmware, which means you can assign IP addresses to interfaces (including virtual interfaces), set up routes between VLANs, etc. It's not *necessary* to do any of that, you can operate the switch entirely at layer 2 even with the SPR firmware installed.
Your VLAN configuration sounds correct: the SFP port for the GPON should have an untagged VLAN (the number doesn't matter as long as it's not 1222 or 1), and a tagged VLAN (number 1222). The port for the Firewalla will need to have the same tagged VLAN (number 1222) which it will use to communicate with the ISP via the GPON SFP. That port will also need VLANs (untagged and tagged) for all of the VLANs that the Firewalla is providing routing/addressing/etc. for (VLAN 1, 11, and 57, it sounds like). The Firewalla will have to be configured to know about all of the VLANs on its port, and have IP subnets (presumably with a DHCP server on 1, 11, and 57, and a DHCP client on 1222) on each of them.
You don't need any virtual ethernet interfaces on any of the VLANs for traffic to be able to pass between the GPON SFP, Firewalla, and LAN clients; a layer 2 configuration of just VLANs will be sufficient for that.
The only situation where you will need a virtual ethernet interface is if you want to be able to manage the switch itself over the LAN (instead of using the console port or management port); in that case you'd create a VE on VLAN 1 (probably) and give that an address in the VLAN 1 subnet. The switch would then be reachable at that address.
On my prior WAN setup, there were no vlans required on the WAN port. If you aren't familiar with Firewalla, mine has 4 ports. I'm using 1 for WAN and previously that came from an ISP box direct to the Firewalla. So I didn't have to deal with any vlans there, but I never thought the Firewalla might be tagging traffic out to the ISP box. In my case here, I have two isolated ports being used for the WAN, 1 for GPON in and another for ethernet out to the Firewalla WAN port. I thought those two should only have the 1222 and alternate untagged ports. Otherwise, wouldn't traffic be free to flow to the network without going through the firewall? And wouldn't the Firewalla handle translating the incoming 1222/alternate traffic to the needed vlan?
The port for the Firewalla will need to have the same tagged VLAN (number 1222) which it will use to communicate with the ISP via the GPON SFP. That port will also need VLANs (untagged and tagged) for all of the VLANs that the Firewalla is providing routing/addressing/etc. for (VLAN 1, 11, and 57, it sounds like). The Firewalla will have to be configured to know about all of the VLANs on its port, and have IP subnets (presumably with a DHCP server on 1, 11, and 57, and a DHCP client on 1222) on each of them.
vlan 'alternate'
GPON untagged
FIREWALLA_WAN_ICX tagged? or empty to discard non-1222 traffic?
vlan 1222
GPON tagged
FIREWALLA_WAN_ICX tagged
vlan 1
ICX_IN_FROM_FIREWALLA tagged
RELEVANT_ICX_PORTS tagged/untagged
??FIREWALLA_WAN_ICX tagged??
vlan 11
ICX_IN_FROM_FIREWALLA tagged
RELEVANT_ICX_PORTS tagged/untagged
??FIREWALLA_WAN_ICX tagged??
vlan 57
ICX_IN_FROM_FIREWALLA tagged
RELEVANT_ICX_PORTS tagged/untagged
??FIREWALLA_WAN_ICX tagged??
SSH@ICX7250#show inline power detail
Power Supply Data On unit 1:
++++++++++++++++++
Power Supply Data:
++++++++++++++++++
Power Supply #1:
Max Curr: 13.7 Amps
Voltage: 54.0 Volts
Capacity: 740 Watts
PoePower: 740 Watts
power supply 2 is not present
power supply 3 is not present
POE Details Info. On Unit 1 :
General PoE Data:
+++++++++++++++++
Firmware          Hardware
Version           Version
----------------  ----------------
02.1.8 Build 004  V1R3
Device HW version : 0:V1R3 1:V1R3 2:V1R3 3:V1R3 4:V1R3 5:V1R3
Device Temperature(deg-C) : 0:44 1:48 2:50 3:44 4:44 5:46
Device Status : 0:VOP-Sev1 1:VOP-Sev1 2:VOP-Sev1 3:VOP-Sev1 4:VOP-Sev1 5:Good
It's difficult to answer your questions without a diagram of the connections between the various devices. Also, if the GPON SFP was previously in an ISP-provided device which provided an Ethernet port for the router, then that device handled the VLAN 1222 stuff for you, and that's why you didn't need to deal with it. Now that you've moved the SFP to your own device, you have to handle the VLAN tagging/untagging.
My two main questions right now are:
- Should the FIREWALLA_WAN_ICX have the alternate VLAN untagged or should it be excluded?
- Should the FIREWALLA_WAN_ICX port be tagged with the VLANS or is that a security concern allowing traffic to bypass the firewall?
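An added example, not written by anyone in this thread: a small Python audit for the two-port WAN layout and the firewall-bypass question discussed above. It parses `vlan ... by port` stanzas in the syntax shown earlier in the thread and reports any port that carries a WAN VLAN without being on an allow-list, or that carries a WAN VLAN together with an inside VLAN. The port numbers, VLAN 999 as the untagged "alternate" VLAN and all function names are assumptions; implicit VLAN 1 membership and `dual-mode` are not modelled.

```python
import re
from collections import defaultdict

# Constructed sample config. Assumed port roles: 1/2/1 = GPON SFP,
# 1/1/1 = Firewalla WAN port, 1/1/2 = Firewalla LAN port.
SAMPLE_CONFIG = """\
vlan 11 name LAN11 by port
 tagged ethe 1/1/2
 untagged ethe 1/1/5 to 1/1/8
!
vlan 57 name LAN57 by port
 tagged ethe 1/1/1 to 1/1/2
!
vlan 999 name WAN-NATIVE by port
 untagged ethe 1/2/1
!
vlan 1222 name WAN by port
 tagged ethe 1/1/1 ethe 1/2/1
!
"""

def expand_ports(spec):
    """Expand 'ethe 1/1/5 to 1/1/8 ethe 1/2/1' into individual port names."""
    ports = []
    for first, last in re.findall(r"ethe (\d+/\d+/\d+)(?: to (\d+/\d+/\d+))?", spec):
        unit, slot, lo = first.split("/")
        hi = last.split("/")[2] if last else lo
        ports += [f"{unit}/{slot}/{n}" for n in range(int(lo), int(hi) + 1)]
    return ports

def vlan_membership(config):
    """Return {port: {vlan_id: 'tagged' | 'untagged'}} from the vlan stanzas."""
    members, vlan = defaultdict(dict), None
    for line in config.splitlines():
        mode, _, spec = line.strip().partition(" ")
        if mode == "vlan":
            vlan = int(spec.split()[0])
        elif mode in ("tagged", "untagged") and vlan is not None:
            for port in expand_ports(spec):
                members[port][vlan] = mode
    return members

def audit_wan_vlan(config, wan_vlans, allowed_ports):
    """Flag WAN-VLAN ports that are off the allow-list or also carry inside VLANs."""
    findings = {}
    for port, vlans in vlan_membership(config).items():
        inside = sorted(set(vlans) - wan_vlans)
        if not wan_vlans.isdisjoint(vlans) and (port not in allowed_ports or inside):
            findings[port] = inside
    return findings
```

With the sample above, `audit_wan_vlan(SAMPLE_CONFIG, {999, 1222}, {"1/2/1", "1/1/1"})` reports port 1/1/1 because the `1/1/1 to 1/1/2` range in VLAN 57 also puts an inside VLAN on the port that carries VLAN 1222.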
Which N4000s come with POE?
brocade is dead, go with dell instead N4000 switches instead
SSH@ruckus7250>show inline power
Power Capacity: Total is 740000 mWatts. Current Free is 740000 mWatts.
Power Allocations: Requests Honored 48 times
Port Admin Oper ---Power(mWatts)--- PD Type PD Class Pri Fault/
State State Consumed Allocated Error
-----------------------------------------------------------------------------
1/1/1 On Off 0 0 n/a n/a 3 n/a
1/1/2 On Non-PD 0 0 n/a n/a 3 n/a
1/1/3 On Off 0 0 n/a n/a 3 n/a
1/1/4 On Off 0 0 n/a n/a 3 n/a
1/1/5 On Off 0 0 n/a n/a 3 n/a
1/1/6 On Off 0 0 n/a n/a 3 n/a
1/1/7 On Off 0 0 n/a n/a 3 n/a
1/1/8 On Off 0 0 n/a n/a 3 n/a
1/1/9 On Off 0 0 n/a n/a 3 internal h/w fault
1/1/10 On Off 0 0 n/a n/a 3 internal h/w fault
1/1/11 On Off 0 0 n/a n/a 3 internal h/w fault
1/1/12 On Off 0 0 n/a n/a 3 internal h/w fault
1/1/13 On Off 0 0 n/a n/a 3 internal h/w fault
1/1/14 On Off 0 0 n/a n/a 3 internal h/w fault
1/1/15 On Off 0 0 n/a n/a 3 internal h/w fault
1/1/16 On Off 0 0 n/a n/a 3 internal h/w fault
1/1/17 On Off 0 0 n/a n/a 3 n/a
1/1/18 On Off 0 0 n/a n/a 3 n/a
1/1/19 On Off 0 0 n/a n/a 3 n/a
1/1/20 On Off 0 0 n/a n/a 3 n/a
1/1/21 On Off 0 0 n/a n/a 3 n/a
1/1/22 On Off 0 0 n/a n/a 3 n/a
1/1/23 On Off 0 0 n/a n/a 3 n/a
1/1/24 On Off 0 0 n/a n/a 3 n/a
1/1/25 On Off 0 0 n/a n/a 3 n/a
1/1/26 On Off 0 0 n/a n/a 3 n/a
1/1/27 On Off 0 0 n/a n/a 3 n/a
1/1/28 On Non-PD 0 0 n/a n/a 3 n/a
1/1/29 On Non-PD 0 0 n/a n/a 3 n/a
1/1/30 On Non-PD 0 0 n/a n/a 3 n/a
1/1/31 On Off 0 0 n/a n/a 3 n/a
1/1/32 On Off 0 0 n/a n/a 3 n/a
1/1/33 On Off 0 0 n/a n/a 3 n/a
1/1/34 On Off 0 0 n/a n/a 3 n/a
1/1/35 On Off 0 0 n/a n/a 3 n/a
1/1/36 On Off 0 0 n/a n/a 3 n/a
1/1/37 On Off 0 0 n/a n/a 3 n/a
1/1/38 On Off 0 0 n/a n/a 3 n/a
1/1/39 On Off 0 0 n/a n/a 3 n/a
1/1/40 On Off 0 0 n/a n/a 3 n/a
1/1/41 On Off 0 0 n/a n/a 3 n/a
1/1/42 On Off 0 0 n/a n/a 3 n/a
1/1/43 On Off 0 0 n/a n/a 3 n/a
1/1/44 On Off 0 0 n/a n/a 3 n/a
1/1/45 On Off 0 0 n/a n/a 3 n/a
1/1/46 On Non-PD 0 0 n/a n/a 3 n/a
1/1/47 On Off 0 0 n/a n/a 3 n/a
1/1/48 On Off 0 0 n/a n/a 3 n/a
-----------------------------------------------------------------------------
Total 0 0
SSH@ruckus7250>show inline power detail
Power Supply Data On unit 1:
++++++++++++++++++
Power Supply Data:
++++++++++++++++++
Power Supply #1:
Max Curr: 13.7 Amps
Voltage: 54.0 Volts
Capacity: 740 Watts
PoePower: 740 Watts
power supply 2 is not present
power supply 3 is not present
POE Details Info. On Unit 1 :
General PoE Data:
+++++++++++++++++
Firmware          Hardware
Version           Version
----------------  ----------------
02.1.8 Build 004  UNKNOWN
Device HW version : 0:V1R3 1:UNKNOWN 2:V1R3 3:V1R3 4:V1R3 5:V1R3
Device Temperature(deg-C) : 0:39 1:n/a 2:40 3:40 4:40 5:39
Device Status : 0:VOP-Sev1 1:Failed 2:Good 3:Good 4:VOP-Sev1 5:Good
Cumulative Port State Data:
+++++++++++++++++++++++++++
#Ports #Ports #Ports #Ports #Ports #Ports #Ports
Admin-On Admin-Off Oper-On Oper-Off Off-Denied Off-No-PD Off-Fault
-------------------------------------------------------------------------
48 0 0 48 0 48 8
Cumulative Port Power Data:
+++++++++++++++++++++++++++
#Ports #Ports #Ports Power Power
Pri: 1 Pri: 2 Pri: 3 Consumption Allocation
-----------------------------------------------
0 0 48 0.000 W 0.000 W
Yes
Am I correct in assuming my 7250-48P is bad?
Device HW version 1:UNKNOWN
Device Temperature(deg-C) 1:n/a
Device Status 1:Failed
I disabled 24 ports and it at least now shows power consumption on ports that are using POE which it wasn't before. I disabled everything but the 8 ports with the h/w faults and those still show fault. With POE off to those ports then the fault is gone.
Doesn't look good but could it be that the budget somehow has been overcommitted? 740W / 48 ~= 15W and class 3 can probably go up to 30W (or even higher).
I can't activate power for all 24 ports given a budget of 370W (on a 6450 24p), unless I reduce the max power allocated for class 3 devices to, say 15W. I guess the default for class 3 devices is 30W (could be different/higher for a 7250).
I'd try to either reduce the max power allocated for class 3 devices to, say 15W (which can be done under "inline power ...") or turn off inline power for at least half of the ports just to see if the hardware faults return when each of the remaining 24 ports has ~30W budget.
Yup, that is confirmed at this point. I'll see what I can do about a refund here. The seller is claiming everything worked fine when he sent it, but that's obviously not the case here. In reality, I really don't need all the ports to be POE enabled -- but still, it's not 100% functional as stated.
Yes
This group of 8 ports has a broken PoE controller. Get a refund if you can.
Code:
Device HW version 1:UNKNOWN
Device Temperature(deg-C) 1:n/a
Device Status 1:Failed