Thanks for continuing to upload these, I absolutely wouldn't know about them otherwise.

> site updated with 8030t, a lot of niche case bug fixes. not something I would rush to install. release notes in the zip
I am using my Layer 3 switch as the first Layer 3 device and letting it do the routing between my VLANs.

> Out of curiosity...
> If you guys/girls:
> - use a VLAN capable switch (like the ones in this thread or any other)
> - and actually use VLANs...
> Do you:
> - terminate your WAN at the switch and access it via a VLAN?
> - or terminate it at your firewall/router?
> Did you ever consider terminating your WAN on the switch (in a VLAN) and using a single pipe to your firewall to do everything? If not, why not? Complexity? Security?

I am using my Layer 3 switch as the first Layer 3 device and letting it do the routing between my VLANs.
Clients use the switch's VLAN interface as the default gateway.
The switch then has the LAN interface of my Firewall as its default gateway.
I have considered all the options, but why have a super fast layer 3 switch and let my firewall do the routing, may as well get a layer 2 switch with vlans. (Reason 1)

> Did you ever consider terminating your WAN on the switch (in a VLAN) and using a single pipe to your firewall to do everything? If not, why not? Complexity? Security?

Your setup sounds similar to mine. pfSense has been great to me over the years of experimenting. With the ICX6610 upgrade in my rack from the Netgear switch I had, I decided to get the Brocade to do the L3 routing. I learned ACLs today and I still have some tweaking to do, and I have no idea if I'm doing this right.

> I am only really concerned with LAN<>WAN firewall no matter how I use the Firewall I will get that benefit.
> I also run my IPS in line not on a port mirror, this is faster and more powerful than trying to block packets after they have already passed.
> PFSense (what I am using) is also an interesting creature in that it does not let you do DHCP for subnets that it does not see as directly connected.
> I am using PFSense for DHCP right now, in the next couple of weeks looking to stand up an AD server and run DHCP and possibly DNS from there.
> Current configuration:
!
ver 08.0.30tT7f3
!
stack unit 1
module 1 icx6610-48p-poe-port-management-module
module 2 icx6610-qsfp-10-port-160g-module
module 3 icx6610-8-port-10g-dual-mode-module
!
global-stp
!
!
lag electron-Trunk dynamic id 1
ports ethernet 1/3/1 to 1/3/2
primary-port 1/3/1
lacp-timeout short
deploy
!
lag neutron dynamic id 5
ports ethernet 1/2/2 to 1/2/3
primary-port 1/2/2
lacp-timeout short
deploy
!
lag proton dynamic id 6
ports ethernet 1/2/7 to 1/2/8
primary-port 1/2/7
lacp-timeout short
deploy
!
lag pve1-Trunk dynamic id 4
ports ethernet 1/2/4 to 1/2/5
primary-port 1/2/4
lacp-timeout short
deploy
!
lag pve2-Trunk dynamic id 3
ports ethernet 1/2/9 to 1/2/10
primary-port 1/2/9
lacp-timeout short
deploy
!
lag sw2-Trunk dynamic id 2
ports ethernet 1/3/3 to 1/3/6
primary-port 1/3/3
lacp-timeout short
deploy
!
!
vlan 1 name DEFAULT-VLAN by port
spanning-tree
!
vlan 2 name VOIP by port
tagged ethe 1/2/4 to 1/2/5 ethe 1/2/9 to 1/2/10 ethe 1/3/1 to 1/3/6
router-interface ve 2
spanning-tree
!
vlan 3 name IOT by port
tagged ethe 1/3/1 to 1/3/6
untagged ethe 1/1/48
router-interface ve 3
spanning-tree
!
vlan 4 name SAN by port
tagged ethe 1/1/37 to 1/1/38 ethe 1/3/1 to 1/3/7
untagged ethe 1/2/2 to 1/2/3 ethe 1/2/7 to 1/2/8
router-interface ve 4
spanning-tree
!
vlan 5 name MGMT by port
tagged ethe 1/2/4 to 1/2/5 ethe 1/2/9 to 1/2/10 ethe 1/3/3 to 1/3/7
untagged ethe 1/1/1 to 1/1/12
router-interface ve 5
!
vlan 6 name APP by port
tagged ethe 1/2/4 to 1/2/5 ethe 1/2/9 to 1/2/10 ethe 1/3/1 to 1/3/6
router-interface ve 6
spanning-tree
!
vlan 10 name TRUSTED by port
tagged ethe 1/1/37 to 1/1/38 ethe 1/3/1 to 1/3/7
router-interface ve 10
spanning-tree
!
vlan 20 name UNTRUSTED by port
tagged ethe 1/2/4 to 1/2/5 ethe 1/2/9 to 1/2/10 ethe 1/3/1 to 1/3/7
router-interface ve 20
spanning-tree
!
!
!
!
!
aaa authentication web-server default local
aaa authentication enable default local
aaa authentication login default local
jumbo
hostname sw1-br
ip dhcp-client disable
ip dns server-address 10.1.1.1 10.1.1.254
ip route 0.0.0.0/0 10.1.1.254
!
no telnet server
username rich password .....
username admin password .....
snmp-server community ..... ro
snmp-server contact Rich Gannon <rich@richgannon.net>
snmp-server location Core Rack
!
!
clock timezone us Eastern
!
!
ntp
disable serve
server 10.1.1.1
server 10.1.1.254
!
!
web-management session-timeout 3000
!
!
!
!
!
!
!
interface management 1
ip address 192.168.1.1 255.255.255.0
!
interface ethernet 1/1/48
inline power
!
interface ethernet 1/3/1
speed-duplex 10G-full
!
interface ethernet 1/3/3
speed-duplex 10G-full
!
interface ethernet 1/3/7
speed-duplex 10G-full
!
interface ethernet 1/3/8
speed-duplex 10G-full
!
interface ve 2
ip access-group 102 in
ip address 10.1.2.1 255.255.255.0
!
interface ve 3
ip access-group 103 in
ip address 10.1.3.1 255.255.255.0
!
interface ve 4
ip access-group 104 in
ip address 10.1.4.1 255.255.255.0
!
interface ve 5
ip access-group 105 in
ip address 10.1.1.1 255.255.255.0
!
interface ve 6
ip access-group 106 in
ip address 10.1.6.1 255.255.255.0
!
interface ve 10
ip access-group 110 in
ip address 10.1.10.1 255.255.255.0
!
interface ve 20
ip access-group 120 in
ip address 10.1.20.1 255.255.255.0
!
!
!
access-list 102 permit icmp 10.1.2.0 0.0.0.255 10.1.0.0 0.0.255.255 echo-reply
access-list 102 deny tcp any 10.1.2.0 0.0.0.255 eq ssh
access-list 102 deny tcp any 10.1.2.0 0.0.0.255 eq http
access-list 102 deny tcp any 10.1.2.0 0.0.0.255 eq ssl
access-list 102 deny ip any 10.1.1.0 0.0.0.255
access-list 102 deny ip any 10.1.3.0 0.0.0.255
access-list 102 deny ip any 10.1.4.0 0.0.0.255
access-list 102 deny ip any 10.1.5.0 0.0.0.255
access-list 102 deny ip any 10.1.6.0 0.0.0.255
access-list 102 deny ip any 10.1.10.0 0.0.0.255
access-list 102 deny ip any 10.1.20.0 0.0.0.255
access-list 102 permit ip any any
!
access-list 103 permit icmp 10.1.3.0 0.0.0.255 10.1.0.0 0.0.255.255 echo-reply
access-list 103 permit tcp 10.1.3.0 0.0.0.255 eq http 10.1.10.0 0.0.0.255
access-list 103 deny tcp any 10.1.3.0 0.0.0.255 eq ssh
access-list 103 deny tcp any 10.1.3.0 0.0.0.255 eq http
access-list 103 deny tcp any 10.1.3.0 0.0.0.255 eq ssl
access-list 103 deny ip any 10.1.1.0 0.0.0.255
access-list 103 deny ip any 10.1.2.0 0.0.0.255
access-list 103 deny ip any 10.1.4.0 0.0.0.255
access-list 103 deny ip any 10.1.5.0 0.0.0.255
access-list 103 deny ip any 10.1.6.0 0.0.0.255
access-list 103 deny ip any 10.1.10.0 0.0.0.255
access-list 103 deny ip any 10.1.20.0 0.0.0.255
access-list 103 permit ip any any
!
access-list 104 permit icmp 10.1.4.0 0.0.0.255 10.1.0.0 0.0.255.255 echo-reply
access-list 104 deny tcp any 10.1.4.0 0.0.0.255 eq ssh
access-list 104 deny tcp any 10.1.4.0 0.0.0.255 eq http
access-list 104 deny tcp any 10.1.4.0 0.0.0.255 eq ssl
access-list 104 deny ip any 10.1.1.0 0.0.0.255
access-list 104 deny ip any 10.1.2.0 0.0.0.255
access-list 104 deny ip any 10.1.3.0 0.0.0.255
access-list 104 deny ip any 10.1.5.0 0.0.0.255
access-list 104 deny ip any 10.1.6.0 0.0.0.255
access-list 104 deny ip any 10.1.10.0 0.0.0.255
access-list 104 deny ip any 10.1.20.0 0.0.0.255
access-list 104 permit ip any any
!
access-list 105 permit icmp 10.1.1.0 0.0.0.255 10.1.0.0 0.0.255.255 echo-reply
access-list 105 permit icmp host 10.1.1.254 any echo
access-list 105 permit tcp 10.1.1.0 0.0.0.255 eq http 10.1.10.0 0.0.0.255
access-list 105 permit tcp 10.1.1.0 0.0.0.255 eq ssl 10.1.10.0 0.0.0.255
access-list 105 permit tcp 10.1.1.0 0.0.0.255 eq ssh 10.1.10.0 0.0.0.255
access-list 105 permit tcp 10.1.1.0 0.0.0.255 eq 5900 10.1.10.0 0.0.0.255
access-list 105 permit tcp 10.1.1.0 0.0.0.255 eq asf-rmcp 10.1.10.0 0.0.0.255
access-list 105 permit udp 10.1.1.0 0.0.0.255 eq asf-rmcp 10.1.10.0 0.0.0.255
access-list 105 permit ip host 10.1.1.10 10.1.10.0 0.0.0.255
access-list 105 permit ip host 10.1.1.11 10.1.10.0 0.0.0.255
access-list 105 deny ip any 10.1.2.0 0.0.0.255
access-list 105 deny ip any 10.1.3.0 0.0.0.255
access-list 105 deny ip any 10.1.4.0 0.0.0.255
access-list 105 deny ip any 10.1.5.0 0.0.0.255
access-list 105 deny ip any 10.1.6.0 0.0.0.255
access-list 105 deny ip any 10.1.10.0 0.0.0.255
access-list 105 deny ip any 10.1.20.0 0.0.0.255
access-list 105 permit ip any any
!
access-list 106 permit icmp 10.1.6.0 0.0.0.255 10.1.0.0 0.0.255.255 echo-reply
access-list 106 permit tcp host 10.1.6.39 any eq ssh
access-list 106 permit tcp host 10.1.6.40 any eq ssh
access-list 106 permit tcp host 10.1.6.39 any eq rsh-spx
access-list 106 permit tcp host 10.1.6.40 any eq rsh-spx
access-list 106 permit tcp host 10.1.6.39 any eq asf-rmcp
access-list 106 permit tcp host 10.1.6.40 any eq asf-rmcp
access-list 106 permit udp host 10.1.6.39 any eq asf-rmcp
access-list 106 permit udp host 10.1.6.40 any eq asf-rmcp
access-list 106 permit tcp 10.1.6.0 0.0.0.255 eq ssh 10.1.10.0 0.0.0.255
access-list 106 permit tcp 10.1.6.0 0.0.0.255 eq rsh-spx 10.1.10.0 0.0.0.255
access-list 106 permit tcp 10.1.6.0 0.0.0.255 eq http 10.1.10.0 0.0.0.255
access-list 106 permit tcp 10.1.6.0 0.0.0.255 eq ssl 10.1.10.0 0.0.0.255
access-list 106 deny tcp any 10.1.6.0 0.0.0.255 eq ssh
access-list 106 deny tcp any 10.1.6.0 0.0.0.255 eq http
access-list 106 deny tcp any 10.1.6.0 0.0.0.255 eq ssl
access-list 106 deny ip any 10.1.1.0 0.0.0.255
access-list 106 deny ip any 10.1.2.0 0.0.0.255
access-list 106 deny ip any 10.1.3.0 0.0.0.255
access-list 106 deny ip any 10.1.4.0 0.0.0.255
access-list 106 deny ip any 10.1.5.0 0.0.0.255
access-list 106 deny ip any 10.1.10.0 0.0.0.255
access-list 106 deny ip any 10.1.20.0 0.0.0.255
access-list 106 permit ip any any
!
access-list 110 permit ip any any
!
access-list 120 permit icmp 10.1.20.0 0.0.0.255 10.1.0.0 0.0.255.255 echo-reply
access-list 120 deny tcp any 10.1.20.0 0.0.0.255 eq ssh
access-list 120 deny tcp any 10.1.20.0 0.0.0.255 eq http
access-list 120 deny tcp any 10.1.20.0 0.0.0.255 eq ssl
access-list 120 deny ip any 10.1.1.0 0.0.0.255
access-list 120 deny ip any 10.1.2.0 0.0.0.255
access-list 120 deny ip any 10.1.3.0 0.0.0.255
access-list 120 deny ip any 10.1.4.0 0.0.0.255
access-list 120 deny ip any 10.1.5.0 0.0.0.255
access-list 120 deny ip any 10.1.6.0 0.0.0.255
access-list 120 deny ip any 10.1.10.0 0.0.0.255
access-list 120 permit ip any any
!
!
!
!
!
!
!
end
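A small lint for a FastIron-style config of this shape, added here as an example (it is not the poster's code or anything from Brocade/Ruckus). Assuming the parse/lint helpers and a VLAN named WAN, it checks the pattern the ACLs above rely on: every ve carries an inbound ACL that denies each sibling subnet before its final permit ip any any, with rules after that permit treated as dead because the ACL is first-match; it also goes beyond this post by flagging a WAN VLAN that owns a router-interface, since terminating the WAN on the switch only makes sense if the switch bridges that VLAN rather than routing it.

```python
import re
from ipaddress import IPv4Interface, IPv4Network
def parse(config):  # FastIron text -> (vlans, ves, acls); '!' or a new interface line ends a block
    vlans, ves, acls, ctx = {}, {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"vlan (\d+) name (\S+)", line):
            ctx = vlans.setdefault(int(m[1]), {"name": m[2], "ve": None})
        elif m := re.match(r"interface ve (\d+)", line):
            ctx = ves.setdefault(int(m[1]), {"acl": None, "net": None})
        elif m := re.match(r"access-list (\d+) (permit|deny) (\S+) (.*)", line):
            acls.setdefault(int(m[1]), []).append((m[2], m[3], m[4]))
        elif ctx is None or line == "!" or line.startswith("interface "):
            ctx = None
        elif m := re.match(r"router-interface ve (\d+)", line):
            ctx["ve"] = int(m[1])
        elif m := re.match(r"ip access-group (\d+) in", line):
            ctx["acl"] = int(m[1])
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            ctx["net"] = IPv4Interface(f"{m[1]}/{m[2]}").network
    return vlans, ves, acls
def lint(config, wan_vlan="WAN"):  # a WAN VLAN with a router-interface is routed by the switch, not just bridged
    vlans, ves, acls = parse(config)
    findings = [f"vlan {vid} ({wan_vlan}) has router-interface ve {v['ve']}: switch would route WAN"
                for vid, v in vlans.items() if v["name"] == wan_vlan and v["ve"] is not None]
    for ve, d in ves.items():
        if d["acl"] is None:
            findings.append(f"ve {ve} has no inbound ACL")
            continue
        denied = []
        for action, proto, rest in acls.get(d["acl"], []):
            if (action, proto, rest) == ("permit", "ip", "any any"):
                break  # ACLs are first-match: denies after this line never fire
            if (action, proto) == ("deny", "ip") and (m := re.match(r"any (\d[\d.]*) ([\d.]+)$", rest)):
                denied.append(IPv4Network((m[1], m[2])))  # (address, wildcard mask) -> network
        for other, o in ves.items():  # every sibling subnet must be denied before the final permit
            if other != ve and o["net"] and not any(o["net"].subnet_of(n) for n in denied):
                findings.append(f"acl {d['acl']} on ve {ve} does not deny {o['net']} (ve {other})")
    return findings
# Constructed sample in the shape of the config above, with three deliberate mistakes
SAMPLE = """vlan 99 name WAN by port
router-interface ve 99
interface ve 5
ip access-group 105 in
ip address 10.1.1.1 255.255.255.0
interface ve 10
ip address 10.1.10.1 255.255.255.0
access-list 105 permit ip any any
access-list 105 deny ip any 10.1.10.0 0.0.0.255"""
print("\n".join(lint(SAMPLE)))
```

Run against a full running-config dump, the TRUSTED-style ve whose ACL is a bare permit ip any any shows up as lacking sibling denies, which is the one place where that is a deliberate choice rather than a mistake.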
If you have your pfSense connected to each VLAN...how is your switch doing layer 3 routing?? Where's the gateway for each VLAN? on the switch or pfSense?

> Your setup sounds similar to mine. pfSense has been great to me over the years of experimenting. With the ICX6610 upgrade in my rack from the Netgear switch I had, I decided to get the Brocade to do the L3 routing. I learned ACLs today and I still have some tweaking to do, and I have no idea if I'm doing this right.
> For those of you with more networking knowledge, feedback is welcome. Right now, the switch acts as my VLAN gateways. All traffic not routed in the switch goes to pfSense which does LAN-WAN firewall duty, Squid proxy cache, DNS, and DHCP.
> pfSense is connected on each VLAN (for DHCP purposes) as 10.1.x.254/24.
I'm moving to a router on a stick setup slowly over here. My plan is to ultimately terminate the WAN at one of my 6450s and run a pfSense HA cluster on a couple of T730 thin clients with Mellanox CX-3 cards. I use pfSense to firewall/route between about 6 vlans and the WAN for visibility into FW events and because it's convenient to stand up a RADIUS server in 5 minutes with the freeradius package. When I get more lab infrastructure up and running I'm planning to have my switches route storage traffic so that won't pass through pfSense.

> Out of curiosity...
> If you guys/girls:
> - use a VLAN capable switch (like the ones in this thread or any other)
> - and actually use VLANs...
> Do you:
> - terminate your WAN at the switch and access it via a VLAN?
> - or terminate it at your firewall/router?
I see in your video that you ended up with the 6.3 CFM fans. How have the temps been in your 48P so far? Have the fans spun up to full speed yet?

> Worked on this yesterday as my fans came in.
> Goes over the fan mod, things I had to do, things to look for, and of course the net gains in noise reduction and temperature changes.
> Have an ICX 6450-24P on the way and will do this again with that one if it's as loud as my 48P was.
Temps are good, I let it run a solid hour before I got the temps posted in the video. However as I warned that was not under heavy load.

> I see in your video that you ended up with the 6.3 CFM fans. How have the temps been in your 48P so far? Have the fans spun up to full speed yet?
> Was just about to order the 10.8 CFM Sunon fans based on your video until I realized how quiet the 6.3 CFM ones were!
Re-did my home network based on what I was thinking... and it actually turned out pretty good. I even removed the standalone DHCP/DNS server and got pfSense to play nice with a layer 3 switch and doing DHCP/DNS without compromising on the routing speed between VLANs.

> Out of curiosity...
> If you guys/girls:
> - use a VLAN capable switch (like the ones in this thread or any other)
> - and actually use VLANs...
> Do you:
> - terminate your WAN at the switch and access it via a VLAN?
> - or terminate it at your firewall/router?
Mind adding more detail so I can understand what you did? I might do the same?

> Re-did my home network based on what I was thinking... and it actually turned out pretty good. I even removed the standalone DHCP/DNS server and got pfSense to play nice with a layer 3 switch and doing DHCP/DNS without compromising on the routing speed between VLANs.
> Also terminated my WAN directly on the switch (on a VLAN, no SVI), so now there is a single 10gb pipe to pfSense.
> The "performance" of the WAN seems to have improved slightly, although it could just be placebo. (I have symmetric gigabit at home)
I'll draw a diagram in a bit (don't have my Visio machine handy, it's at the office).

> Mind adding more detail so I can understand what you did? I might do the same?
> I figure you created vlan interfaces on PFSense so that you can do DHCP but use the switch's vlan interfaces for routing. As for the connection to PFSense from the switch, a trunk port?
> A simple network diagram would do wonders as well as any relevant switch configuration.
> Edit: Oh I think I just sort of realized one thing you were saying you wanted to do that made no sense to me. Instead of your connection from the wall going directly into the WAN interface of your PFSense box, you have it going into the switch on its own vlan so it can talk to anybody other than the PFSense WAN interface, so when you kept saying having your WAN directly to the switch that is what you meant? I don't actually see any reason to do that and it kind of gives me the shudders from a security standpoint but I think I finally understand it now.
Did you just assume I'm hooman?

> So, in trying to solve these issues, the lightbulb moment actually came from someone here... @Blue)(Fusion - you're the man! (or woman)