Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)

[sic0048]

I guess the question would be why is permit ip any any necessary at the end ?
Which packet it is allowing which is not handled by the first 3 lines ?

This is more of a "how do rules work" question than a technical problem. As such, I think you need to do more research about what you are trying to accomplish.

This leads me to my next question - why you are even trying to set the switch up as a layer 3 device? I would recommend that you stop attempting this and instead set up your firewall/router in a "router on a stick" scheme. This way you will let your firewall/router manage the VLANs and the firewall rules, DHCP services, etc, etc. Let the switch act as a "layer 2" device (ie don't attempt to put VLAN management, ACL rules, DHCP, etc on the switch itself). Using a "router on a stick" design is generally easier to grasp and execute for the non-IT professional. For a typical home network there is going to be little to no speed differences between setting the switch up as a layer 2 device (using the router on a stick design) and as a true layer 3 device - especially if you give a little though to what devices you put into each VLAN and try to minimize cross VLAN traffic.

 

[Serveur]

I was trying to use the good practice:

Permit what you explicitly want to allow
Deny everything else.

So the goal was to avoid having this permit ip any any

As for why, well one reason is to learn and the others is to have more control of the network.
I have a number of devices that I would like to properly isolate:

• camera that should not go on internet and should only be queried by my server
• door monitor that should only be connected to the corresponding doorbell camera
• work from home laptops which should only have access to internet and not not any other devices
• IoT sensors which may communicate with one another and with internet (depending on the situation)

I don't think that I will manage to achieve a fine control without ACL rules.
And as I said the point was to learn.

 

[kpfleming]

I have a number of devices that I would like to properly isolate:

• camera that should not go on internet and should only be queried by my server
• door monitor that should only be connected to the corresponding doorbell camera
• work from home laptops which should only have access to internet and not not any other devices
• IoT sensors which may communicate with one another and with internet (depending on the situation

All of this can be done on the router that handles your connectivity between VLANs (subnets), except for intra-VLAN traffic between devices on the same VLAN. Controlling that traffic does require the use of ACLs on the ICX device, but they can be layer 2 (MAC) ACLs. There's a lot to learn here and it would be useful if you reviewed the various sections of this monster thread to see examples of various types of ACLs.

 

[sic0048]

I was trying to use the good practice:

So the goal was to avoid having this permit ip any any

I get that, but the fact that your system only works when you added the "allow all" rule obviously means that something is "wrong" with your rules. Perhaps they are set as incoming rules when they should be outgoing rules or vice versa or perhaps you need a mixture of both. There is no right or wrong answer to give you because everyone is trying to accomplish different things with their rules. Unfortunately this means you simply can't copy a set of rules that someone else uses in their setup.

Long story short however, you are obviously not permitting what you think you are permitting with the rules and it is only the "allow all" rule that is actually making things work. This is why you need to go back a read up more about the rules - especially the difference between incoming and outgoing rules. I suspect this is where the confusion lies (it's a hard topic to grasp).

 

[Serveur]

I thought that I understood it after someone explained that it is counter-intuitive: the "in" rules are applied to requests coming from the vlan to the ve.
As the vlan devices have 192.168.10.x IP addresses, I thought I covered all cases and I didn't need permit ip any any.
But perhaps I misunderstood this "counter-intuitive" explanation ?

 

[Serveur]

Ok I activated the logs (pretty awesome feature by the way) and immediately understood the issue.

Here is the standard ACL for those who want a VLAN whose devices are allowed to go on internet, but cannot access other VLAN (but can be reached from other VLAN).

ip access-list extended "vlan10 internet only IN"
permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
permit tcp 192.168.10.0 0.0.0.255 any established
permit udp 192.168.10.0 0.0.0.255 host 192.168.178.1 eq dns
permit tcp 192.168.10.0 0.0.0.255 host 192.168.178.1 eq dns
permit icmp 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255 echo-reply
permit icmp 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip any 192.168.0.0 0.0.255.255
deny icmp any 192.168.0.0 0.0.255.255
permit ip any any
permit icmp any any
permit igmp any any

I think this is pretty standard except that I have authorized with permit icmp 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255 the devices in the VLAN to ping other devices in the same VLAN (should be harmless and could be useful for debugging, I'll see).
Also I am not sure about the last line (igmp), not sure if I really need it or not.

Based on this example, I am confident that I can configure the other VLANs without any issues.

 

[sic0048]

I have two 7250 - one that works fine and the other has multiple POE power failures and the MS LED on the front of the switch is orange instead of green. I've posted the errors below. I also happen to have several 6610s and a 6450 that are not beig used right now. Does anyone know if it is possible to swap POE components from one of the older 6xxxx series switches and put them into the 7250? I figured I would ask before I start cracking cases open because I figure it is a long shot that this is possible.

PoE Severe Error: Hardware Fault with ports 2/1/1 to 2/1/8. Remove PDs and then configure "no inline power" on these ports.
PoE Severe Error: Hardware Fault with ports 2/1/9 to 2/1/16. Remove PDs and then configure "no inline power" on these ports.
PoE Severe Error: Hardware Fault with ports 2/1/25 to 2/1/32. Remove PDs and the n configure "no inline power" on these ports.
PoE Severe Error: Hardware Fault with ports 2/1/33 to 2/1/40. Remove PDs and the n configure "no inline power" on these ports.

 

[WeDontBelongHere]

Purchased a few 7250 PoE units from eBay to replace my existing switches. One of them arrived damaged. I already got a replacement on the damaged one, but it still mostly works. The issue: the management ethernet port is damaged. I cannot get it to connect to anything. Is there any way to perform the uboot updates with a different port or via USB? If not, this switch may be toast for me.

 

[BoGs]

If anyones looking for ICX7250-48P, for 75$ USD. They do not have the console cable to test the switch which is why its parts only is my guess. If you willing to risk it.

Pardon Our Interruption...

 

[blunden]

If anyones looking for ICX7250-48P, for 75$ USD. They do not have the console cable to test the switch which is why its parts only is my guess. If you willing to risk it.

Pardon Our Interruption...

It sounded to me like they had a console cable but it doesn't show any output.

 

[BoGs]

It sounded to me like they had a console cable but it doesn't show any output.

Yes because the 7250 does not use the same console cable as others so they would not be able to get it to work. Requires special cable(s) you can see in one pic that both the system status and unit number is green. I have purchased 7450 from them before and same problem with warning. It is a risk as its no refund. I would not be surprised if you offered $25 as its as is.

 

[blunden]

Yes because the 7250 does not use the same console cable as others so they would not be able to get it to work. Requires special cable(s) you can see in one pic that both the system status and unit number is green. I have purchased 7450 from them before and same problem with warning. It is a risk as its no refund. I would not be surprised if you offered $25 as its as is.

I see. That's important context that was left out of your previous post. Then it sounds like the odds are a lot better.

 

[tubs-ffm]

Is there an easy way to achieve both on an ICX 8200 running Fastiron 10.0.10?

1. Creating an isolated network, that only is living on the icx and some devices connected to it.
   I easily can do this by creating a separate vlan with all ports involved.
   
   
2. Providing dhcp and ntp service from the icx to this isolated network.
   I easily can do this by adding a ve to the network

My problem is that as son I add the ve to the network the switch is doing L3 routing and my network is not isolated any longer.
The possibilities for acl seems to be limited on the icx 8200 in comparison to older devices.

Is there any easy way to combine both instead of messing around with port based acl?

 

[tubs-ffm]

Is there an easy way to achieve both on an ICX 8200 running Fastiron 10.0.10?
[...]
Is there any easy way to combine both instead of messing around with port based acl?

I looks like I can answer myself.
The manual was not helpful to me. But after having a chat with Copilot, it looks easy when using vlan acl, if the AI this is correct.
An example how to add permit rules I got on top without asking for it.

ip access-list extended BLOCK_50
! Allow HTTP from VLAN 2 → VLAN 50
permit tcp 192.168.2.0/24 192.168.50.0/24 eq 80

! Block everything else between the two VLANs
deny ip 192.168.2.0/24 192.168.50.0/24
deny ip 192.168.50.0/24 192.168.2.0/24

! Allow all other traffic (needed!)
permit ip any any

vlan 2
ip access-group BLOCK_50

vlan 50
ip access-group BLOCK_50

I have to test if if it easy like this.

 

[sic0048]

Is there an easy way to achieve both on an ICX 8200 running Fastiron 10.0.10?

1. Creating an isolated network, that only is living on the icx and some devices connected to it.
   I easily can do this by creating a separate vlan with all ports involved.
   
   
2. Providing dhcp and ntp service from the icx to this isolated network.
   I easily can do this by adding a ve to the network

My problem is that as son I add the ve to the network the switch is doing L3 routing and my network is not isolated any longer.
The possibilities for acl seems to be limited on the icx 8200 in comparison to older devices.

Is there any easy way to combine both instead of messing around with port based acl?

What are you currently using for your router/firewall?

Odds are the easiest solution is to create the VLANs on the router/firewall and let that device manage them (ie with rules, DHCP, etc set up in the firewall/router). When set up like this, you will leave the switch in "layer 2 mode". Sometimes I've seen this design referred to as a "router on a stick". You'll still need to create VLANs in the switch and assign tagged/untagged ports to the various VLANs, but that is all that is required in the switch. Everything else will be handled at the firewall/router.

Now the switch can/will still handle traffic routing at the MAC address level. This means that any traffic flowing in the same VLAN will be handled at the switch. Only traffic traveling between VLANs will need to be routed through the router/firewall. While it is common to have a small amount of inter-vlan traffic, it should be relatively easy to setup/design your home network LVANs to avoid having to send data across different VLANs. For example, you should put your media storage on the same VLAN as your media players, your CCTV NVR on the same VLAN as your cameras, or your home automation machine on the same VLAN as your IOT devices, etc, etc, etc.

It's not wrong to set up a switch for layer 3 use in a home network, especially if you are already well versed in how to setup and manage all of this. But for the average home user without a lot of network experience, moving your switch to layer 3 functionality creates more complexity than is really neccessary IMHO. Keeping all layer 3 functionality on the router/firewall is certainly easier in most cases.

 

[tubs-ffm]

What are you currently using for your router/firewall?

opnSense

Odds are the easiest solution is to create the VLANs on the router/firewall and let that device manage them (ie with rules, DHCP, etc).

This is my current set-up. But I want to do it different.

I did not provided all background information why I want to go a different way. This usually creates huge posts that nobody is reading or or I receive answers to questions that I have not asked.

My goal is to get more simplicity and robustness against certain failures.

My firewall is at one physical end of my network and the icx switch related to my question on the other side. The switch is connecting my video surveillance cameras to the video recorder. This network I want to isolate for everything else by separate vlan to avoid connection to and from the cameras where the cameras do not have business in. This is easy to achieve by a separate vlan. But I also want to provide NTP and DHCP service to the cameras. This currently I am doing by the firewall as you have proposed. Spanning the vlan up to there involves one more switch, the firewall and a different power supply. By doing all on the switch gives to me more robustness against failures of other devices, cable connections and power supply.

 

[sic0048]

opnSense



This is my current set-up. But I want to do it different.

I did not provided all background information why I want to go a different way. This usually creates huge posts that nobody is reading or or I receive answers to questions that I have not asked.

My goal is to get more simplicity and robustness against certain failures.

My firewall is at one physical end of my network and the icx switch related to my question on the other side. The switch is connecting my video surveillance cameras to the video recorder. This network I want to isolate for everything else by separate vlan to avoid connection to and from the cameras where the cameras do not have business in. This is easy to achieve by a separate vlan. But I also want to provide NTP and DHCP service to the cameras. This currently I am doing by the firewall as you have proposed. Spanning the vlan up to there involves one more switch, the firewall and a different power supply. By doing all on the switch gives to me more robustness against failures of other devices, cable connections and power supply.

I guess I still am not following the desired set up.

If the CCTV equipment and NVR are going to be on a physically separate LAN network, then connecting all of those devices to a network switch set up with layer 3 functionality could certainly make things easier because there is no need for a separate router/firewall device for that second network. In that case, there would be no connections between the two network. They would be completely isolated from each other.

However, everything you have stated up to this point seems to indicate that you simply want to create a VLAN on your existing network that would allow you to isolate those CCTV devices from the rest of the network. If that what you are trying to accomplish, this is all done "virtually" (VLAN stands for "Virtual LAN") and there is no need for a second firewall/router, etc even if you keep your switch in layer 2 mode. The physical distance between devices on the local network really doesn't matter (until you reach the max recommended distances of the wiring being used - which depends on the type of wire that you are using).

You only need one layer 3 device per LAN network. Currently your layer 3 device is your firewall/router. If you changed over to using the switch as your layer 3 device, you would normally remove the existing router/firewall device completely because the switch would be handling all of the layer 3 functionality that the firewall/router was handling before. So while setting it up your network switch as a layer 3 device would allow you to completely remove your existing the firewall/router, setting up the VLAN in the firewall/router does not require that you use a second firewall/router device.

 

[tubs-ffm]

I guess I still am not following the desired set up.

Sorry for poor explanation and thank you for helping.
My explanation is misleading you completely. Please read my initial post again (link).

Yes, with a separate physical switch I could all do this. But I want to achieve it with the existing icx switch that also is doing other things. Forget about other devices in the network that technically also could do the same.

Yes, part (1) of my goal I purely can achieve by setting up an additional vlan. This is pure L2.
But for part (2) of my goal I must assign an ve in icx to be able to provide ntp and dhcp service by the icx. And this by default brings in L3 functionality I do not want. And therefore I am looking for the right acl to block it again.

 

[sic0048]

Yes, part (1) of my goal I purely can achieve by setting up an additional vlan. This is pure L2.
But for part (2) of my goal I must assign an ve in icx to be able to provide ntp and dhcp service by the icx. And this by default brings in L3 functionality I do not want. And therefore I am looking for the right acl to block it again.

The point I'm trying to make is that #2 is completely unneeded. Your firewall/router currently provides routing rules (called ACL when implemented at the switch level), DHCP, NTP services, etc to your existing LAN network. It can do the same thing for your new VLAN network as well (independently of the LAN network). There is no need to set ANY of that up in the switch (and doing so creates unneeded complexity IMHO).

 

[tubs-ffm]

The point I'm trying to make is that #2 is completely unneeded.

Yes, it is unneeded if I go you proposed direction.
There some more directions I could go. Installing ntp and dhcp on the Windows machine doing the video recording. Spining up a vm or container providing these services. Connecting an additional physical device. ...

I am asking my question here in this icx thread because I want to know how to achieve this with the icx.

Your firewall/router currently provides routing rules, DHCP, NTP services, etc to your existing LAN network. It can do the same thing for your new VLAN network as well (independently of the LAN network). There is no need to set ANY of that up in the switch (and doing so creates unneeded complexity IMHO).

It does not create more complexity. I creates a different complexity and it provides more robustness. This you cannot fully see as you do not have the full knowledge of my network architecture. Your proposal requires to spin up an additional vlan across multiple switches involved up to the firewall. This creates multiple points for potential failures. The icx way doe not ivolve any further device. More comple on the single switch, less complex and more robust in the complete network.