Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)

[autoturk]

I believe you should be able to put firmware on a USB drive and install it from there, but haven’t done so myself.
If this is a recent purchase, I’d see if it is returnable as not functioning if the MGMT port isn’t working though…

yeah this is primarily my fault: the seller had it for a really good price ($50), saying that firmware needed to be reloaded.

I'll look into doing via USB, though the guides I've seen primarily show this upgrade method in the case that you CAN boot it up. Is there a command reference for the boot monitor anywhere?

 

[titoum]

hello,
i am bumping my head against the wall on that one...

i am currently playing with dynamic vlan and took this as a template to see how to do.
i have set up my radius server and so far so good.



but for whatever reason the beef wont listen to it



the following vlan were created:


as far as i understood, it does it because the client is properly identified but it doesnt see the Tunnel-Private-Group-Id = "T:7" properly to redirect the connection to the right vlan.

 

[NablaSquaredG]

as far as i understood, it does it because the client is properly identified but it doesnt see the Tunnel-Private-Group-Id = "T:7" properly to redirect the connection to the right vlan.

Are you sure that's the right format?

The format is U:<data VLAN-id>;T:<Voice-VLAN-id>

You probably only want U:<VLAN ID> instead of T:<VLAN ID>

 

[titoum]

Are you sure that's the right format?

hi,

thank you for your help. i followed the following guideline:

from here

if i set my group id to U:7 then it wont get any vlan, i just see 4092 and auth state no.

 

[NablaSquaredG]

if i set my group id to U:7 then it wont get any vlan, i just see 4092 and auth state no.

U is for Untagged, T is for Tagged.

What is your goal? Untagged or Tagged?

 

[titoum]

What is your goal? Untagged or Tagged?

i want to use radius to tell my switch on which vlan the device should be assigned.
unfortunately my AP don't have vlan tagging so i am playing around with that to see how to achieve it.

so far i made those command:

vlan 2 name vlan-auth-default by port
tagged ethe 1/2/1 to 1/2/4
!
authentication
mac-authentication enable
mac-authentication enable ethe 1/1/16
mac-authentication enable ethe 1/1/18
!
vlan 6 name vlan-media by port
tagged ethe 1/1/23
!
vlan 2 name vlan-auth-default by port
tagged ethe 1/1/23
!
vlan 7 name vlan-work by port
tagged ethe 1/1/23

aaa authentication dot1x default radius
radius-server host x.x.x.x auth-port 1812 acct-port 1813 default key littleSecret

and now i get the following:


which match my radius feed:
(0) Tunnel-Type = VLAN
(0) Tunnel-Medium-Type = IEEE-802
(0) Tunnel-Private-Group-Id = "6"
(0) Tunnel-Assignment-Id = "6"
(0) User-Name = "banana-R4"
(0) Finished request


i tagged 1/1/23 because it is my current connection to router so i can test if that configuration is working as well.

 

[titoum]

i am no network expert so i was wondering if i untagged a port on a specific vlan.
is it going to tag those packet implicitly or it expect the host to provide the vlan in the transmission?

i wonder if i have to put authen on all my port to have a vlan allocated or not, except the uplink port ofc

 

[NablaSquaredG]

i am no network expert so i was wondering if i untagged a port on a specific vlan.

Untagged Port = Packet are untagged, Outgoing packets are untagged (the switch basically removes the VLAN tag before sending out the packet), incoming packets are also untagged (the switch adds the VLAN tag when it receives then packet)

Tagged Port = Packets are sent out tagged, incoming packets must be tagged

Dual-Mode / Tagged+Untagged = Just Untagged and Tagged combined

Each ports can only have ONE untagged VLAN (otherwise the switch wouldn't know into which VLAN an untagged packet belongs)

 

[titoum]

thx for clarification and confirmation

so most of my port will have to be dual-mode if the incoming packet aren't tag from the source but will be tagged by radius.

so only my link port will be tagged for each vlan.

is it the proper way to go?

 

[NablaSquaredG]

so most of my port will have to be dual-mode if the incoming packet aren't tag from the source but will be tagged by radius.

That's not related to RADIUS at all.

RADIUS just tells the switch which port should have which VLANs as tagged & untagged. You could as well just manually configure that.

 

[titoum]

RADIUS just tells the switch which port should have which VLANs as tagged & untagged.

are you sure?

because if i read this: Dynamic VLAN and ACL Assignment with MAC Authentication for me it is radius that tell which mac belongs to which vlan independently of the port it is connected to.

 

[NablaSquaredG]

Dynamic VLAN and ACL Assignment with MAC Authentication for me it is radius that tell which mac belongs to which vlan independently of the port it is connected to.

Yes, but that's not what I meant.

Your client VLAN config has to be compatible with the VLAN config that the switch applies in whatever way (static or via RADIUS)

Note that the "Each ports can only have ONE untagged VLAN" does not apply once you have MAC authentication. With MAC authentication, you can have multiple untagged VLANs on one port, which are mapped by the MAC Address.

However, configuring all those feature is a huge pain. This is something if you're government and have to follow certain rules and regulations... I've never seen a valid use case in a home lab.

so most of my port will have to be dual-mode if the incoming packet aren't tag from the source but will be tagged by radius.

Indicates a misunderstanding of how VLANs work.

So - let's go back three steps.

What's your goal?

What exact type of clients are you connecting?

 

[titoum]

What's your goal?

i want to split my network at home so eufy/home alarm/amazon/internal stuff/work... are not mixed anymore.

What exact type of clients are you connecting?

lan + wifi

i have 2 ap with different client and Asus was lazy to not implement vlan tagging on 300eur AP.
i decided to go to radius authentication so i can tag on mac level in order to have an actual split.

may be i misunderstood something along the way :-/

 

[NablaSquaredG]

i have 2 ap with different client and Asus was lazy to not implement vlan tagging on 300eur AP.
i decided to go to radius authentication so i can tag on mac level in order to have an actual split.

ooofff... I mean, you could probably use MAC Auth for that. But honestly, it's not worth the time and effort. It would be a better investment to get rid of the asus consumer router and buy something else. Ideally something used from Ruckus, but even Omada or Ubiquiti would work and can do VLAN tagging.

 

[titoum]

But honestly, it's not worth the time and effort

i have already

• radius up and running
• openwrt mostly configured
• icx 6450 on the way

so i am quite close without any additional cost

thank you for your help and time.

 

[senor-hobbes]

Hey all,

I picked up a 6450-24P and just went through all the updating and licensing as per the guide. Im looking to set up some vlans for my home network but cant seem to get it working. Is anyone able to lend a hand as to the commands required? I've been learning as I go.

Hardware:
OPNsense FW
ICXS 6450-24P
Omada EAP772 AP

Looking to segregate into 3 networks;
- main network (which is how I currently have it setup up, Flat), combined wired/wifi
- guest network (internet only), VLAN80, all wifi
- IoT network (no internet), VLAN70, combined wired/wifi

Is it best to have everything tagged as a specific VLAN or can I keep the Main Network untagged while tagging the others? I've been reading up on Dual-Mode since SW is 8.0.30 and tried applying it to 1/1/1 (main uplink to OPNsense) but immediately loose connections form clients in testing.

 

[lo92fr]

Hello,

I've upgrade this morning my ICX-7250 to fastiron 9 (09.0.10j_cd8T213).
When I'm logging to the Web interface, I've got an error on the dashboard page : 'NoneType' object has no attribute 'response'.
When I look to the browser network log, the is a 500 error message on the getPortDetails?unit_id=1 request,with same error message in the response.

Does someone know how we can fix this ?

Thanks,
Laurent.

 

[autoturk]

Any tips on getting the mainboard out of the icx7150-c12p? Going to try to tinker around on why the management port is not working on mine. I can get the case and power supply off and have removed all visible screws but the board doesn't want to seem to budge.

 

[Digital Spaceport]

In the brocade lineup, what is the lowest noise stock or easily fan swapped switch that can run 40 or possibly even higher? I have an ICX 6610 and while a great switch it is pretty loud.

 

[i386]

that can run 40 or possibly even higher

Ports or GBit/s?