Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)

[fohdeesha]

oh, it has FIPS mode enabled

did you run factory set-default from the bootloader like the guide says? this should disable fips

 

[snoturtle]

I had to do the other commands as factory set-default was not a recognized command

 

[fohdeesha]

well that's an interesting pickle you're in

extract the attached zip into the same tftp directory and try again

if it still doesn't work rename both files to bootrom

that should get you on the latest bootloader, then you need to go back into it and run the factory set-default command to get rid of FIPS or it's going to be very locked down

 

[snoturtle]

Same error

I did notice when the switch first comes up it says installed uboot 8.0.00 and recommended uboot 10.1.01 also a *** NOT FOR PRODUCTION*** tag.

 

[fohdeesha]

ooh fun, you got another dev bootloader/system

you will need one of the fohdeesha teamviewer sessions to fix this

 

[snoturtle]

yea fun lol

Sending pm

 

[mattaw]

You guys know these docs have been in the firmware zip on the update guide since day 1 right

I know, I know, I was referring to the zip although you would need telepathy to have known.

And thank you again for your help documenting and collecting resources. With a couple of videos behind me I was configuring like a master.

Thoughts so far:
- dual mode is odd (seems improved in fastiron 8080?)
- lag groups are odd, especially vlan tagging, double for dual mode lags.
- wish I could upgrade the key exchange on ssh to something more modern

I'll try the heatsinks soon and get you photos.

 

[snoturtle]

Just wanted to thank Fohdeesha for helping me out tonight with my new 6450.

Thank you for all of your help!!

 

[fohdeesha]

I know, I know, I was referring to the zip although you would need telepathy to have known.

And thank you again for your help documenting and collecting resources. With a couple of videos behind me I was configuring like a master.

Thoughts so far:
- dual mode is odd (seems improved in fastiron 8080?)
- lag groups are odd, especially vlan tagging, double for dual mode lags.
- wish I could upgrade the key exchange on ssh to something more modern

I'll try the heatsinks soon and get you photos.

dual-mode is obnoxious, there's usually never any reason to need it: make whatever untagged vlan you're running into tagged, if its vlan 1, just use a diff vlan. I generally move everything over to vlan 10 by default


tagging vlans on lags should be the exact same as regular ports, you just tag/untag the primary port of the lag and it applies it to the entire group

 

[mattaw]

dual-mode is obnoxious, there's usually never any reason to need it: make whatever untagged vlan you're running into tagged, if its vlan 1, just use a diff vlan. I generally move everything over to vlan 10 by default

My usual strategy is to have internet/basic access be untagged, then add tagged vlans such as iSCSI to the ports. In brocade speak having an untagged vlan and tagged through the same interface is dual mode? Is that right? (Also never use vlan 1 for anything, ever, as it is special and often has restrictions and rules that are different.)

As for the lags, like dual mode, it seems an odd way you have to configure them: making adjustments to a single interface rather than the lag itself behaving as an interface.

Overall my comments were really just comments on how brocade implemented things, rather than requesting any fixes.

I'll rack the switch tonight and see ifI can retire my D-Link.

PS was there any way to modernize the key exchange?

 

[juey]

PS was there any way to modernize the key exchange?

No, i dont think so https://forums.servethehome.com/ind...icx6450-icx6610-etc.21107/page-46#post-208332
Ive created a new RSA Keypair exclusively for the 6610, though i also prefer some of the newer ciphersuites and exchange methods like ecdsa/ecdh.

 

[fohdeesha]

In brocade speak having an untagged vlan and tagged through the same interface is dual mode? Is that right?

right, and if you're sending tagged and untagged packets out the same interface, that means the device on the other end understands vlan tags - in which case, you should make all the vlans going across it tagged. No reason to give yourself a headache and make one of them untagged so you have to deal with two types of vlan traffic over the same interface at both ends

The only reason dual-mode still exists is for setups where one of the vlans HAS to be vlan 1, and vlan 1 by definition can't be tagged (well, it'll let you do it if I remember right, but a vlan tag of 1 gets ignored by almost everything). So dual-mode allows you to carry it untagged with the rest of your tagged traffic. If you're not using vlan 1, and your device on the other end understands vlan tags, make them all tagged

 

[Snorf]

If I was to get a 6610-24P or 48P and didn't have the licenses for the 8 SFPP ports to make them 10G, would I still have 2-40G ports and 8-10G ports available from the 4-40G ports on the back without any license issues if I bought the correct breakout cables?

I have to read this whole thread again because there is tons of information and I have forgot a bunch of it after getting to the end, lol.

Thanks!

 

[fohdeesha]

If I was to get a 6610-24P or 48P and didn't have the licenses for the 8 SFPP ports to make them 10G, would I still have 2-40G ports and 8-10G ports available from the 4-40G ports on the back without any license issues if I bought the correct breakout cables?

I have to read this whole thread again because there is tons of information and I have forgot a bunch of it after getting to the end, lol.

Thanks!

yes but just send me a PM for lic

 

[Snorf]

Thank-you.

 

[Dave Corder]

Good: My 6610-48P arrived yesterday
Bad: no rack ears, despite them being shown in the photo in the eBay listing. Email sent to seller...

 

[maes]

Good: My 6450-24 arrived today, on schedule despite the postal strike
Better: Rack ears included, wasn't expecting them (not in the photo).
Best: pair or Brocade 10GE-SR optics included too! Definitely wasn't expecting those, but much appreciated.

Dumb: forgot the console cable at work.

Oh well, in the meantime, time to swap the squeaky fan with a 40x20 Noctua I have on hand.

 

[fohdeesha]

Bad: no rack ears, despite them being shown in the photo in the eBay listing. Email sent to seller...

Better: Rack ears included, wasn't expecting them (not in the photo)

give Dave his rack ears back

 

[maes]

give Dave his rack ears back

I might actually have some 'generic' compatible ears available, with long slots instead of specific screwholes on the enclosure-side. I'll check if the holes line up tomorrow and may just end up mailing them.

 

[Dave Corder]

give Dave his rack ears back

Got my 6610 all flashed to the latest and greatest thanks to fohdeesha's guide, but it turns out one of the PSU fans is broken in some way:

sw-core-03(config)#show chassis
The stack unit 1 chassis info:

Power supply 1 present, status failed
Power Supply 1 Fan has failed
Power supply 2 (AC - PoE) present, status ok
        Model Number:   23-0000142-02
        Serial Number:  64K
        Firmware Ver:    A
Power supply 2 Fan Air Flow Direction:  Front to Back

Waiting to see what the seller can do for me. I'm open to a partial refund so I can but a working fan or PSU and some rack ears...