Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)

[kapone]

Could you please give me some examples of those rules?

Like this:

Do I need a 10.10.10.0/24 Allow.... All? rule in the Transit interface? For Inet? That seems to me that would allow routing to other vlans coming from the FW.

Yes and No. This depends on your DHCP config as well. Your DHCP server should be setting the default gateway for those CIDR ranges (your VLANS) to be the IP address of the VE on the switch. That's how the inter-vlan routing will stay on the switch.

The only traffic hitting the firewall would be if one of those Networks/CIDR ranges tries to access a network that the switch does not know about (i.e. WAN or some other external network).

The problem is...on your TRANSIT interface...Opensense will drop any traffic that doesn't match the network range for that interface (In your case 192.168.0.x) unless you specify rules for that traffic specifically.

In the end, It should only remain the Transit interface and the Wan interface, isn't it?

Yes, those will be the only two interfaces, but your rules will need to expand beyond that.

 

[dasbooter]

no

I have set up eve-ng. It seems that cisco is kind of the oddman out for the cli. Is there another switch vendor I can add to the sim that more closely matches Brocade in the icx 6450 era? Question is open to anybody who wants to answer

 

[EngineerNate]

Just scored an ICX7550-24ZP on the auction site.

Does anyone know if the qsfp28 uplink ports can take a break out cable?

 

[NablaSquaredG]

Does anyone know if the qsfp28 uplink ports can take a break out cable?

Commscope Technical Content Portal

docs.commscope.com

 

[EngineerNate]

Commscope Technical Content Portal

docs.commscope.com

Thank you, exactly what I was looking for. Interesting that it’s limited to one port on the 24ZP but both work on the 48ZP.

 

[fohdeesha]

Thank you, exactly what I was looking for. Interesting that it’s limited to one port on the 24ZP but both work on the 48ZP.

1 port per asic can do it, 48 has 2x asics

 

[John T Davis]

Hello,

I tried searching the thread for this, but I just wanted to confirm that the Ruckus-branded ICX-7150 series uses the same software package as the Brocade-branded ones, listed here: Brocade Overview - Fohdeesha Docs

I'm 99.9 percent sure that they do, but I just got it out of the box from eBay and don't want to fry it doing something stupid.

 

[NablaSquaredG]

I tried searching the thread for this, but I just wanted to confirm that the Ruckus-branded ICX-7150 series uses the same software package as the Brocade-branded ones, listed here: Brocade Overview - Fohdeesha Docs

Yes they do.

 

[John T Davis]

Yes they do.

Thanks! Now I just have to be patient and wait on my serial cable to arrive.

I was not expecting a switch like this to be completely silent. Just handling it and getting it plugged in and not having it scream at me has already been a great experience.

 

[EngineerNate]

1 port per asic can do it, 48 has 2x asics

Ah interesting! I had figured since the physical ports were the same the hardware behind them was the same (for the 40/100gig ports) but that makes complete sense.

 

[maes]

Has anyone tinkered with or traced the various internal headers on the 6450-24? I'm curious as to what J2, J3 (close to the fans) and J51 (close to the PSU) do, or what they can be used for, same with the unpopulated DIP8 footprint close to J2 and J3 (U29).


From earlier pictures at the beginning of the thread, J3 seems to be JTAG but no idea for the other ones.

 

[Chiron]

Hi everyone. I've been working with a 6450-24p but I'm having some weirdness with POE on just the first 12 ports (eth 1/1/1 through 1/1/12).

I have been using a Ubiquiti U6-Lite (802.3af) access point to test with. When I enable inline power on any of the first 12 ports, nothing happens. Nada, zilch, zero. No entry in the log, no response. When I plug normal devices in, the ports come up just fine. Not a problem there.

When I enable inline power on any of the second set of twelve ports (1/1/13 through 1/1/24), the AP powers up. I do notice that my switch shows a capacity of 370 watts instead of 390.

The question I have: Is this expected behavior for an 802.3af device? Or is this an indication of a faulty POE board/switch?

I find no indication of errors when booting up. I've tried running the "hidden" technician "dm" poe-diag command "dm poe-diag" for port 1/1/1 and port 1/1/13 (with blank config, no inline power enabled) and get the following with nothing plugged in.

ICX6450-24P Router#dm poe-diag 1/1/1 1
Port   1/1/1: Voltage - 54  V, Current - 2   mA, Power - 100     mW

ICX6450-24P Router#dm poe-diag 1/1/13 1
Port  1/1/13: Voltage - 54  V, Current - 2   mA, Power - 100     mW

This is what I get when I run the same command with the U6-Lite AP plugged in, but still no port configuration:

ICX6450-24P Router#dm poe-diag 1/1/1 1
Port   1/1/1: Voltage - 54  V, Current - 69  mA, Power - 3700    mW

ICX6450-24P Router#dm poe-diag 1/1/13 1
Port  1/1/13: Voltage - 54  V, Current - 68  mA, Power - 3800    mW

Here's what I get when I enable inline power, plug in the AP, and run the diag:

ICX6450-24P Router#config t
ICX6450-24P Router(config)#int eth 1/1/1
ICX6450-24P Router(config-if-e1000-1/1/1)#inline power
ICX6450-24P Router(config-if-e1000-1/1/1)#int eth 1/1/13
ICX6450-24P Router(config-if-e1000-1/1/13)#inline power
ICX6450-24P Router(config-if-e1000-1/1/13)#end

ICX6450-24P Router#show inline power 1/1/1

 Port   Admin   Oper    ---Power(mWatts)---  PD Type  PD Class  Pri  Fault/
        State   State   Consumed  Allocated                          Error
--------------------------------------------------------------------------
  1/1/1 On      Off            0          0  n/a      n/a         3  n/a


ICX6450-24P Router#show inline power 1/1/13

 Port   Admin   Oper    ---Power(mWatts)---  PD Type  PD Class  Pri  Fault/
        State   State   Consumed  Allocated                          Error
--------------------------------------------------------------------------
 1/1/13 On      Off            0          0  n/a      n/a         3  n/a


ICX6450-24P Router#dm poe-diag 1/1/1 1
Port   1/1/1: Voltage - 54  V, Current - 76  mA, Power - 4000    mW
ICX6450-24P Router#show inline power 1/1/1

 Port   Admin   Oper    ---Power(mWatts)---  PD Type  PD Class  Pri  Fault/
        State   State   Consumed  Allocated                          Error
--------------------------------------------------------------------------
  1/1/1 On      Off            0          0  n/a      n/a         3  n/a


ICX6450-24P Router#PoE: Power enabled on port 1/1/13.
dm poe-diag 1/1/13 1
Port  1/1/13: Voltage - 54  V, Current - 78  mA, Power - 3900    mW
ICX6450-24P Router#PoE: Power disabled on port 1/1/13 because of admin off.
PoE: Power enabled on port 1/1/13.
ICX6450-24P Router#show inline power 1/1/13

 Port   Admin   Oper    ---Power(mWatts)---  PD Type  PD Class  Pri  Fault/
        State   State   Consumed  Allocated                          Error
--------------------------------------------------------------------------
 1/1/13 On      On          4300      15400  802.3af  Class 3     3  n/a

Here's the entire boot sequence in case something stands out.

Bootloader Version: 10.1.05T310 (Mar 19 2015 - 16:39:59)





Model ID: 1.0.0.0.1.0



Enter 'b' to stop at boot monitor:  0

bootdelay: ===

Booting image from Primary

## Booting image at 00007fc0 ...

   Created:      2020-04-23  17:58:12 UTC

   Data Size:    9870536 Bytes =  9.4 MB

   Load Address: 00008000

   Entry Point:  00008000

   Verifying Checksum ... OK

OK



Starting kernel in BE mode ...

Uncompressing Image.............................................................................................................................................................................................................................................................................................................................................................................................................. done, booting the kernel.

Config partition mounted.

Creating TUN device

Starting the FastIron.

FIPS Disabled:PORT NOT DISABLED

platform type 45

OS>Unable to set the kernel wall time

                                      Starting Main Task .INFO: startup config data is not available, try to read from backup

INFO: startup config data in the backup area is not available

CPSS DxCh Version: cpss3.4p1 release

Pre Parsing Config Data ...

INFO: empty config data in the primary area, try to read from backup

INFO: empty config data in the backup area also



Parsing Config Data ...

INFO: empty config data in the primary area, try to read from backup

INFO: empty config data in the backup area also



System initialization completed...console going online.

  Copyright (c) 1996-2016 Brocade Communications Systems, Inc. All rights reserved.

    UNIT 1: compiled on Apr 23 2020 at 10:57:06 labeled as ICX64R08030u

                (9871112 bytes) from Primary ICX64R08030u.bin

        SW: Version 08.0.30uT313

  Boot-Monitor Image size = 512, Version:10.1.05T310 (u-boot-fox_98dx)

  HW: Stackable ICX6450-24-HPOE

==========================================================================

UNIT 1: SL 1: ICX6450-24P POE 24-port Management Module

         Serial  #: 2ax5o2jk68e

         License: ICX6450_PREM_ROUTER_SOFT_PACKAGE   (LID: H4CKTH3PLN8)

         P-ENGINE  0: type DEF0, rev 01

==========================================================================

UNIT 1: SL 2: ICX6450-SFP-Plus 4port 40G Module

==========================================================================

  800 MHz ARM processor ARMv5TE, 400 MHz bus

65536 KB flash memory

  512 MB DRAM

STACKID 1  system uptime is 19 second(s)

The system started at 00:00:30 GMT+00 Thu Jan 01 1970



 The system : started=warm start         reloaded=by "reload"



ICX6450-24P Router>

Stack unit 1 PS 1, Internal Power supply detected and up.



Stack unit 1 PS 1, Internal Power supply detected and up.

PoE: Stack unit 1 PS 1, Internal Power supply  with 370000 mwatts capacity is up

PoE Info: Adding new 54V capacity of 370000 mW, total capacity is 370000, total free capacity is 370000

PoE Info: PoE module 1 of Unit 1 on ports 1/1/1 to 1/1/24 detected. Initializing....

PoE Event Trace Log Buffer for 2000 log entries allocated

PoE Event Trace Logging enabled...

PoE Info: PoE module 1 of Unit 1 initialization is done.

 

[John T Davis]

Hello!

Thanks again for all the work that went into the Fohdeesha docs. Inexperience led me to a few bumps in the road, but I've got a functioning, updated switch sitting behind me.

I did run into a few things I couldn't figure out.

1. Jumbo Frames/MTU 9000 on Uplink Port? My core switch's native MTU is 9000 on every port. Wierdly enough, there's no manual control over that. It's 9000 by default and invisibly configures itself downward if a non-MTU 9000 device gets plugged in (apparently?). My uplink to the core switch is a 10 Gbps connection over SFP+. I think it'll probably work fine with MTU 1500 frames (it's a 1 Gbps switch, after all), but I'm curious how this works, exactly. I know that I can enable jumbo frames globally. I assume, after that, I can enable them MTU 9000 on my uplink port? Is that correct? If so, I might try it just to keep the QNAP core switch from getting grumpy. It's a great core switch, but tends to fail quietly and without explanation if it doesn't like something.
2. Multiple NTP Servers for Clock Sync? Is there a problem with providing more than one NTP server for clock sync? I did it on reflex, because … backups good, right? After the fact, it occurred to me that giving the switch the opportunity to get confused about what time it is might not be a good idea. Is it okay to have more than one?
3. Management Port Configuration: Even looking at the included docs, I'm really confused on how to configure the management port. There seems to be more than one way to do it, and I sense that it would be very easy to make things more complicated than they need to be to do what I want. I'd like to put the management port on VLAN 10, which I've already added as "management-network," and have the management port pull an IP address via DHCP. I can't actually find a guide to do this.
4. Remove IP from ve 1: Per the guide, I created ve 1 as a virtual interface. All my ports live there, untagged on VLAN 1.Devices hanging off the switch are pulling IPs from the upstream firewall's DHCP server. Excellent. However, All the switch ports now expose the web/SSH interfaces on the static IP on VLAN 1. Once I have the management interface working, I want it to be the only interface where the web GUI and SSH live, so I want to remove the IP from ve 1 without breaking ve 1. Is that as simple as: interface ve 1 <CR> no ip address 192.168.1.50/24 <CR> write men <CR> exit?
5. SSH Server: I followed the guide, and … I'm almost there? I've clearly not entirely configured it, but I'm not familiar enough with how SSH works to figure out what's wrong. When I try to connect, I see this error:

ssh super@10.10.subnet.host
Unable to negotiate with 10.10.subnet.host port 22: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

I hope these questions aren't too n00bish. I really did try to use the docs to figure these out; it's a lot to absorb at once when I've only got an hour or so a day to mess with things after work. I really appreciate any help.

 

[kpfleming]

SSH Server: I followed the guide, and … I'm almost there? I've clearly not entirely configured it, but I'm not familiar enough with how SSH works to figure out what's wrong. When I try to connect, I see this error:

The ICX software only supports old, deprecated, and somewhat insecure SSH key exchange methods; modern versions of SSH disable those for safety. You'll need to learn how to configure your SSH client to permit them. For example on a Debian system (should also work on Ubuntu and other Debian derivatives):

[CODE
]Host switch-1.km6g.us switch-2.km6g.us
ForwardAgent no
ForwardX11 no
KexAlgorithms diffie-hellman-group1-sha1
HostKeyAlgorithms ssh-rsa
PubkeyAcceptedAlgorithms ssh-rsa
[/CODE]

 

[kapone]

The ICX software only supports old, deprecated, and somewhat insecure SSH key exchange methods; modern versions of SSH disable those for safety. You'll need to learn how to configure your SSH client to permit them. For example on a Debian system (should also work on Ubuntu and other Debian derivatives):

[CODE
]Host switch-1.km6g.us switch-2.km6g.us
ForwardAgent no
ForwardX11 no
KexAlgorithms diffie-hellman-group1-sha1
HostKeyAlgorithms ssh-rsa
PubkeyAcceptedAlgorithms ssh-rsa
[/CODE]

On a Mac....

Host sx6036-core1
User xxxxx
port 22
KexAlgorithms +diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Ciphers +aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
PubkeyAcceptedAlgorithms +ssh-rsa
HostkeyAlgorithms +ssh-rsa

 

[John T Davis]

@kpfleming @kapone Thanks! I'm just glad I wasn't somehow trying to log into SSH wrong. That would be embarrassing.

…I have serial access to the switch. It's permanently wired up to a serial access console server that I can either access via serial or modern, secure SSH. I kind of wonder if it might just be safer to use that. (Well, as safe as anything can be when you have direct serial access to a console that will let you factory reset a device if you know its login password.)

 

[kapone]

I can either access via serial or modern, secure SSH

Then why are you *ucking around with the SSH on the switch itself??

p.s. SSH from the switch itself is quite a bit faster than serial, if that matters. Usually it doesn't, because...I mean...you're not sitting there all day going...hmm...lemme change some VLANs...

 

[chlastakov]

Then why are you *ucking around with the SSH on the switch itself??

p.s. SSH from the switch itself is quite a bit faster than serial, if that matters. Usually it doesn't, because...I mean...you're not sitting there all day going...hmm...lemme change some VLANs...

It's not bit faster, it's a looot faster Also, I couldn't scroll up to see whole history serial console, works ok on SSH.

I have separate private VLAN for all network equipment management, so I really don't bother with old insecure SSH or IPMI versions. Noone but me can access them

 

[John T Davis]

Then why are you *ucking around with the SSH on the switch itself??

@kapone Just to make sure I knew how it worked, mostly. This is the first switch I've owned that can be managed via CLI--and from poking around the GUI, managing it via the CLI seems to be the best way.

Is there actually a way to disable SSH on the switch? I'm assuming there's nothing that I could do via SSH that couldn't also be done via serial console access, right?

I have separate private VLAN for all network equipment management, so I really don't bother with old insecure SSH or IPMI versions. Noone but me can access them

@chlastakov , how did you configure the management port? I want it to live on VLAN 10 (my management network), but I'm still not sure how to actually do that. Do I actually need to create a new ve with a static IP on VLAN 10 and assign the management port to that? Something else? I'd prefer the management port use DHCP to pull its address, but at this point I'm fine with it being static.

 

[chlastakov]

@chlastakov , how did you configure the management port? I want it to live on VLAN 10 (my management network), but I'm still not sure how to actually do that. Do I actually need to create a new ve with a static IP on VLAN 10 and assign the management port to that? Something else? I'd prefer the management port use DHCP to pull its address, but at this point I'm fine with it being static.

I am not using VLANs for management, I have management network completely physically separated

As far as I know, you can't assign VLANs to management port. Management port is completely separate from other ports. But you can assign VLAN 10 to any other port and use that for management. I couldn't find how to make dhcp client work on management port, so this approch would probably be better in this way too.

And yes, I think SSH can be disabled. It will be something like no web-management ssh, but you need to look.