
Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)


MoMeanMugs

Member
Apr 16, 2018
Does anyone have a part number for the PSU blanking panels for the 6650? I want to pull the redundant ones and put them on the shelf. I can't seem to find the part number anywhere - just seems to be mentioned as part of the base device. Anyone have any they don't need and want to get rid of?
 

noduck

Member
Sep 12, 2020
Are there any recommendations on how to configure a mirror port?

I have configured a mirror port, and then monitoring on several VLANs. However, as the mirror port was still in VLAN1, it learned the IP addresses on the mirror port, instead of the actual port. Resulting in loss of VLAN 1 connectivity, and "[next hop router x.y.z.8 moved from port 1/2/1 to port 1/1/15" log entries. After moving the mirror port into another (non-monitored) VLAN, the problem went away. In hindsight that does make sense. Any other recommendations?

Configuration extract:
Code:
vlan 1 name DEFAULT-VLAN by port
 monitor ethernet 1/1/15
 router-interface ve 1                                            
!
vlan 4 name guest by port
 tagged ethe 1/1/17 ethe 1/2/5 ethe 1/2/8 lag 1 to 2 
 monitor ethernet 1/1/15
!
vlan 999 name monitor by port
 untagged ethe 1/1/15 
!
mirror-port ethernet 1/1/15 input
!
interface ethernet 1/1/15
 no spanning-tree
 no inline power
!
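
The finding in the post above (a mirror port left untagged in a VLAN that is mirrored to it) can be checked mechanically before a config is applied. This is an added example, not part of the original post: the function names and the `BEFORE` state are constructed here, and the parser assumes single-port `ethe` entries and that a port with no `untagged` line is still in VLAN 1.

```python
import re

# The post's configuration extract, reduced to the lines that matter here.
FIXED = """\
vlan 1 name DEFAULT-VLAN by port
 monitor ethernet 1/1/15
 router-interface ve 1
!
vlan 4 name guest by port
 tagged ethe 1/1/17 ethe 1/2/5 ethe 1/2/8 lag 1 to 2
 monitor ethernet 1/1/15
!
vlan 999 name monitor by port
 untagged ethe 1/1/15
!
mirror-port ethernet 1/1/15 input
"""
# Constructed "before" state: the same extract without the VLAN 999 stanza.
BEFORE = FIXED.replace("vlan 999 name monitor by port\n untagged ethe 1/1/15\n!\n", "")

def parse(config):
    """Collect mirror ports plus each VLAN's monitor targets and untagged ports."""
    mirrors, vlans, cur = set(), {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            cur = None
        elif words[0] == "vlan" and not raw[0].isspace():
            cur = vlans.setdefault(int(words[1]), {"monitor": set(), "untagged": set()})
        elif words[:2] == ["mirror-port", "ethernet"]:
            mirrors.add(words[2])
        elif cur is not None and words[:2] == ["monitor", "ethernet"]:
            cur["monitor"].add(words[2])
        elif cur is not None and words[0] == "untagged":
            cur["untagged"].update(re.findall(r"ethe (\S+)", raw))
    return mirrors, vlans

def mirror_in_monitored_vlan(config, default_vlan=1):
    """Return (port, vlan) pairs where a mirror port sits untagged in a VLAN mirrored to it."""
    mirrors, vlans = parse(config)
    hits = []
    for port in sorted(mirrors):
        # Assumption: a port with no 'untagged' line elsewhere is still in the default VLAN.
        home = next((v for v, d in vlans.items() if port in d["untagged"]), default_vlan)
        if port in vlans.get(home, {"monitor": set()})["monitor"]:
            hits.append((port, home))
    return hits
```
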
 

koifish59

Member
Sep 30, 2020
Can any of these switches or addon modules auto negotiate 2.5Gbe? I'm looking to pick up some Ruckus R750 wifi APs and hoping I can use the SFP+ ports with a 10BASE-T module conversion and POE injector to take full advantage of the 2.5gbps bandwidth of the AP.
 

dreamkass

Member
Aug 14, 2012
From what I can understand the 4 x 40GB port on the back, 2 of them could be used for servers @40GB but the 2 other ports are 40GB but breakout to 4 10GB? No way to connect those to servers @ 40GB?
 

Vesalius

Active Member
Nov 25, 2019
> Can any of these switches or addon modules auto negotiate 2.5Gbe? I'm looking to pick up some Ruckus R750 wifi APs and hoping I can use the SFP+ ports with a 10BASE-T module conversion and POE injector to take full advantage of the 2.5gbps bandwidth of the AP.


try those two threads to see what others have tried.
 

MrGuvernment

Member
Nov 16, 2020
Great info in here, looking to bite the bullet soon on one of the recommended switches, eyeing the Brocade ICX7250 24 port, but seems in CAD can't find them below $300 + shipping :(
 

fohdeesha

Kaini Industries
Nov 20, 2016
fohdeesha.com
> From what I can understand the 4 x 40GB port on the back, 2 of them could be used for servers @40GB but the 2 other ports are 40GB but breakout to 4 10GB? No way to connect those to servers @ 40GB?

just like the infographic says, 2 are 40gbe only, and 2 are 4x 10gbe only. those two cannot be used for 40gb connections to servers
 

fohdeesha

Kaini Industries
Nov 20, 2016
fohdeesha.com
@LodeRunner @jzeus @klui and anyone else who had to clear their ICX7150/7250 NAND due to bad blocks or otherwise, and because of that had constant errors regarding "Device Key or Cert file is not available" -

I think I found a much cleaner way of working around it. I had to recover a dev 7150 for someone and of course that meant his NAND never had the keys to begin with, so he got the same error. It seems just disabling smartzone (which is on by default, and the only thing that uses those keys) completely stops the error messages and issues it causes. just run `sz disable` at the conf t level and write mem / reload. You'll get the error once during boot and never again, at least that's what happens on his

apologies if one of you already found this and posted it, I remember one of you found some way to make it kind of shut up and I don't remember what it was

edit: OK yeah @jzeus posted that this command stopped his errors too several pages ago, oops. my memory is top notch
 
Reactions: tommybackeast

koifish59

Member
Sep 30, 2020
For these switches, I’m assuming it’s possible to block all mac addresses by default except for whitelisted ones? Based on THIS, he details how to block specific vendor’s mac address and allow everything else. But adapting it to my situation, would these commands be fitting?

Code:
mac filter 1 deny any any
mac filter 2 permit 1a2b.3c4d.5e6f ffff.ffff.ffff any
Is there an easier way to block all devices on my network by default other than using this switch? My environment is currently using an ICX 6610 switch, pfsense, win server 2012 for DHCP and DNS server, and a couple Ubiquiti UniFi APs.
 

tommybackeast

Active Member
Jun 10, 2018
> added some hidden u-boot dev mode commands for more switch models, think I have them all now except for the new ICX7550 Hidden Dev Stuff - Fohdeesha Docs

On your firmware page, for 7250; you still show 08080e from Oct 2019. That is your "approved" firmware version.

As I am a total noob, I've never updated past that version. Question: is that still your suggested firmware version for the 7250?

Thank you
 

klui

Well-Known Member
Feb 3, 2019
> Code:
> mac filter 1 deny any any
> mac filter 2 permit 1a2b.3c4d.5e6f ffff.ffff.ffff any

Normal convention of FW rules, ACLs, etc. will stop evaluation when the first rule meets the criteria. So your rules as they are defined will block everything because the first rule will match (any MACs). Imagine the inefficiency of the engine evaluating all rules every time a rule has to be invoked.

Follow Terry's video and have deny any any defined as the maximum filter id.
 

koifish59

Member
Sep 30, 2020
> Normal convention of FW rules, ACLs, etc. will stop evaluation when the first rule meets the criteria. So your rules as they are defined will block everything because the first rule will match (any MACs). Imagine the inefficiency of the engine evaluating all rules every time a rule has to be invoked.
>
> Follow Terry's video and have deny any any defined as the maximum filter id.

Ah I see. So I just had the order wrong? So have all mac address block as the last filter rule, and preceding filter rules are "allow" for each mac address?

Is there a more efficient way to do this than to manually make a new allow filter rule for each mac address?
 

klui

Well-Known Member
Feb 3, 2019
> Ah I see. So I just had the order wrong? So have all mac address block as the last filter rule, and preceding filter rules are "allow" for each mac address?
>
> Is there a more efficient way to do this than to manually make a new allow filter rule for each mac address?

Are you concerned with manually entering every MAC address to your filter list? Yeah, that will be a hassle but it's your use case.

You can inspect all MACs on your network and figure out their common OUIs (first 3) and maybe some of their remainder octets and use a wildcard or forgo filtering it in this way and use rules from your firewall/DHCP server instead. You may have more flexibility with not using MAC filters as in the video that device only supports 64, but I assume you can reconfigure a global setting to have more.
 
Reactions: koifish59
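
The first-match ordering and the OUI wildcard idea from the two replies above, as a small evaluator for `mac filter` lines. This is an added example, not code from the thread or from the switch vendor: filter 2 and the id 64 in `REORDERED` are constructed, only the source side is modelled (every rule here uses `any` as destination), and it assumes `f` bits in the mask mean "must match" and that a frame matching no filter is dropped.

```python
# The two filters exactly as posted in the question above.
AS_POSTED = """\
mac filter 1 deny any any
mac filter 2 permit 1a2b.3c4d.5e6f ffff.ffff.ffff any
"""
# Constructed reordering: permits first, catch-all deny on the highest id in use.
# Filter 2 (OUI wildcard) and the id 64 are illustrative values, not from the thread.
REORDERED = """\
mac filter 1 permit 1a2b.3c4d.5e6f ffff.ffff.ffff any
mac filter 2 permit 1a2b.3c00.0000 ffff.ff00.0000 any
mac filter 64 deny any any
"""

def mac_to_int(mac):
    """Convert dotted-hex notation (1a2b.3c4d.5e6f) to a 48-bit integer."""
    digits = mac.replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)

def parse_filters(config):
    """Parse 'mac filter <id> permit|deny <src> [<mask>] <dst>' lines; source side only."""
    rules = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["mac", "filter"]:
            continue
        fid, action = int(tok[2]), tok[3]
        if tok[4] == "any":
            value, mask = 0, 0  # zero mask: every source address matches
        else:
            value, mask = mac_to_int(tok[4]), mac_to_int(tok[5])
        rules.append((fid, action, value, mask))
    return sorted(rules)  # modelled as evaluated in ascending filter id

def decide(rules, src_mac):
    """Return (action, filter id) of the first rule whose masked source matches."""
    src = mac_to_int(src_mac)
    for fid, action, value, mask in rules:
        if (src & mask) == (value & mask):
            return action, fid
    return "deny", None  # assumption: a frame matching no filter is dropped
```

With `AS_POSTED`, the allow-listed address is denied by filter 1 before filter 2 is ever consulted; with `REORDERED`, it is permitted and unknown addresses fall through to the final deny.
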

koifish59

Member
Sep 30, 2020
> Are you concerned with manually entering every MAC address to your filter list? Yeah, that will be a hassle but it's your use case.
>
> You can inspect all MACs on your network and figure out their common OUIs (first 3) and maybe some of their remainder octets and use a wildcard or forgo filtering it in this way and use rules from your firewall/DHCP server instead. You may have more flexibility with not using MAC filters as in the video that device only supports 64, but I assume you can reconfigure a global setting to have more.

This is for small business and we have a new policy to block all devices by default and only allow a couple hundred company computers to be on our network. I thought about doing it via DHCP server, but that only prevents users from pulling an IP address. It doesn't stop them from setting up a static IP on their device. I'll look into firewall rules first.

I think Terry said there is a max of 512 mac filters, but that's for the ICX 7000 switches (hoping this ICX 6610 has the same max)
 

fohdeesha

Kaini Industries
Nov 20, 2016
fohdeesha.com
> This is for small business and we have a new policy to block all devices by default and only allow a couple hundred company computers to be on our network. I thought about doing it via DHCP server, but that only prevents users from pulling an IP address. It doesn't stop them from setting up a static IP on their device. I'll look into firewall rules first.
>
> I think Terry said there is a max of 512 mac filters, but that's for the ICX 7000 switches (hoping this ICX 6610 has the same max)

dhcp snooping + ip source guard IP Source Guard
 
Reactions: koifish59 and klui