
Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)


ClintE

Member
Feb 22, 2019
31
7
8
I noticed my second 6610 (48P) is showing stack ID 2 instead of 1, like the 24F. I don't want to stack the switches, so I would like to configure the 48P to be ID 1 also. No matter what I try, I can't seem to get this to take. When attempting some stack commands, it returns an error message that the switch is not the active controller. I think I'm missing something simple. Any suggestions?
 

fohdeesha

Kaini Industries
Nov 20, 2016
2,727
3,075
113
33
fohdeesha.com
> I noticed my second 6610 (48P) is showing stack ID 2 instead of 1, like the 24F. I don't want to stack the switches, so I would like to configure the 48P to be ID 1 also. No matter what I try, I can't seem to get this to take. When attempting some stack commands, it returns an error message that the switch is not the active controller. I think I'm missing something simple. Any suggestions?

did you follow my guide on both of them to reset them to factory defaults? sounds like the second one is still configured to be a stack member. there's a blurb in the update guide about removing stack configs
 

ClintE

Member
Feb 22, 2019
31
7
8
> did you follow my guide on both of them to reset them to factory defaults? sounds like the second one is still configured to be a stack member. there's a blurb in the update guide about removing stack configs

Yes, but when I enter the command "stack unconfigure clean", I get the message "This command is not available on standalone or Active Controller".

When entering "show stack" it returns:

***** Warning! stack is not enabled. *****

T=18m55.0: alone: standalone, D: dynamic cfg, S: static
ID Type Role Mac Address Pri State Comment
2 S ICX6610-48P alone xxxx.xxxx.xxxx 0 local None:0


+---+
2/1| 2 |2/6
+---+
Current stack management MAC is xxxx.xxxx.xxxx
 

JacobRhea

New Member
Feb 1, 2019
18
2
3
I'm having issues getting internet access to my VLANs. I have a PFSense router and a Brocade ICX6610. The VLANs can all see each other, and the switch can ping out to google, but I can't get anything on any VLAN to see outside of my LAN.

My PFSense router is 10.0.0.1 and I've added a gateway of 10.0.0.2 for the switch, I've then added static routes for all of the VLANs on the switch (10.0.xx.0/24). The router connects to port 47 on the switch.

I'm currently using the DHCP server on the brocade and was relying on PFSense for DNS.

Code:
Startup configuration:
!
ver 08.0.30tT7f3
!
stack unit 1
  module 1 icx6610-48p-poe-port-management-module
  module 2 icx6610-qsfp-10-port-160g-module
  module 3 icx6610-8-port-10g-dual-mode-module
!
!
!
!
vlan 1 name TRASNIT by port
 untagged ethe 1/1/47
 router-interface ve 1
!
vlan 3 name DEFAULT-VLAN by port
!
vlan 10 name Servers by port
 untagged ethe 1/1/25 to 1/1/32
 router-interface ve 10
!
vlan 20 name Storage by port
 untagged ethe 1/1/35 to 1/1/36
 router-interface ve 20
!
vlan 30 name Media by port
 untagged ethe 1/1/33 to 1/1/34
 router-interface ve 30
!
vlan 99 name Management by port
 untagged ethe 1/1/13 to 1/1/24
 router-interface ve 99
!
!
!
!
!
aaa authentication web-server default local
aaa authentication enable default local
aaa authentication login default local
default-vlan-id 3
enable telnet authentication
enable aaa console
hostname switch
ip dhcp-client disable
ip dhcp-server enable
!
ip dhcp-server pool servers
 dhcp-default-router 10.0.10.1
 dns-server 10.0.0.1
 excluded-address 10.0.10.1
 lease 1 0 0
 network 10.0.10.0 255.255.255.0
 deploy
!
!
ip dhcp-server pool storage
 dhcp-default-router 10.0.20.1
 dns-server 10.0.0.1
 excluded-address 10.0.20.1
 lease 1 0 0
 network 10.0.20.0 255.255.255.0
 deploy
!
!
ip dhcp-server pool media
 dhcp-default-router 10.0.30.1
 dns-server 10.0.0.1
 excluded-address 10.0.30.1
 lease 1 0 0
 network 10.0.30.0 255.255.255.0
 deploy
!
!
ip dhcp-server pool management
 dhcp-default-router 10.0.99.1
 dns-server 10.0.0.1
 excluded-address 10.0.99.1
 lease 1 0 0
 network 10.0.99.0 255.255.255.0
 deploy
!
ip dns server-address 10.0.0.1
ip route 0.0.0.0/0 10.0.0.1
!
no telnet server
username admin password .....
snmp-server community ..... ro
!
!
clock summer-time
clock timezone gmt GMT-06

!
ntp
 disable serve
 server 216.239.35.0
 server 216.239.35.4
!
!
web-management https
!
!
!
!
!
!
!
interface management 1
 disable
!
interface ethernet 1/3/1
 speed-duplex 10G-full
!
interface ethernet 1/3/2
 speed-duplex 10G-full
!
interface ethernet 1/3/3
 speed-duplex 10G-full
!
interface ethernet 1/3/4
 speed-duplex 10G-full
!
interface ethernet 1/3/5
 speed-duplex 10G-full
!
interface ethernet 1/3/6
 speed-duplex 10G-full
!
interface ethernet 1/3/7
 speed-duplex 10G-full
!
interface ethernet 1/3/8
 speed-duplex 10G-full
!
interface ve 1
 ip address 10.0.0.2 255.255.255.0
!
interface ve 10
 ip address 10.0.10.1 255.255.255.0
 ip helper-address 1 10.0.0.1
!
interface ve 20
 ip address 10.0.20.1 255.255.255.0
 ip helper-address 1 10.0.0.1
!
interface ve 30
 ip address 10.0.30.1 255.255.255.0
 ip helper-address 1 10.0.0.1
!
interface ve 99
 ip address 10.0.99.1 255.255.255.0
 ip helper-address 1 10.0.0.1
!
!
!
!
!
!
!
ip ssh  password-authentication no
!
end
 

ArmedAviator

Member
May 16, 2020
91
56
18
Kansas
@JacobRhea ,

Is your DHCP working right? To me it looks like it shouldn't for two reasons.....

1) Don't use the switch's DHCP server - it is non-authoritative on the ICX6xxx series and this will not work with many devices. ISC's dhcpd server + BIND named for DNS is easy to configure together, lightweight, and reliable.

2) You have your IP helper address as your pfSense. If it's using the default DHCP server, it will not work for any VLANs not configured and the DHCP server running on those VLANs - it will not work with a transport setup like you have.

Bonus tips:
3) Though it's certainly not necessary, it is common to use /30s for point-to-point links.

4) You can skip the VLAN to connect to your pfSense box and simply assign the port an IP address.
Code:
int eth 1/1/47
 ip address 10.0.0.2/30
 route-only

Regarding your specific issue......
5) Can you show the pfSense routing table?

6) Perhaps your DNS server is resolving AAAA (IPv6) but your devices have no global IPv6 addresses (the VEs and pfSense LAN/VLAN would need to have IPv6 addresses as well)
 

JacobRhea

New Member
Feb 1, 2019
18
2
3
@ArmedAviator

Here is the routing table for PFSense:
Code:
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            c-73-183-224-1.hsd UGS        igb0
10.0.0.0/24        link#1             U           em0
router             link#1             UHS         lo0
10.0.10.0/24       10.0.0.2           UGS         em0
10.0.20.0/24       10.0.0.2           UGS         em0
10.0.30.0/24       10.0.0.2           UGS         em0
10.0.99.0/24       10.0.0.2           UGS         em0
10.0.100.0/24      10.0.0.2           UGS         em0
10.10.10.1         link#4             UH          lo0
73.183.224.0/22    link#2             U          igb0
c-73-183-224-186.h link#2             UHS         lo0
localhost          link#4             UH          lo0

Internet6:
Destination        Gateway            Flags     Netif Expire
default            fe80::256:2bff:fe7 UG         igb0
localhost          link#4             UH          lo0
fe80::256:2bff:fe7 fe80::256:2bff:fe7 UGHS       igb0
fe80::%em0/64      link#1             U           em0
fe80::ec4:7aff:fe0 link#1             UHS         lo0
fe80::%igb0/64     link#2             U          igb0
fe80::ec4:7aff:fe0 link#2             UHS         lo0
fe80::%lo0/64      link#4             U           lo0
fe80::1%lo0        link#4             UHS         lo0

Currently, all devices connected to the switch aren't having issues getting an IP address. I know that many people have issues with IoT devices but I don't have any of those on this network currently and just figured I'd stick to using the switch's DHCP until I have to set up a separate server.

Are the IP Helper addresses not necessary for this setup?
 

ArmedAviator

Member
May 16, 2020
91
56
18
Kansas
The IP helper address is used when the DHCP server is not on the same L2 network. In your case, the DHCP server is on each L2 network so no need, besides you have yours pointing to pfSense which should not also be offering DHCP leases on those VLANs since you're using the switch's DHCP server.

Your routing table looks good. You can combine them all into one if you want for simplicity and easier adding of subnets, e.g. 10.0.0.0/16.

Thinking about it, I ran into this issue before and know exactly what it is. You must add the subnets to pfSense's NAT Outbound settings. By default, it only translates the networks configured on pfSense through NAT. In this case, you need to add the subnets that are not configured on pfSense. Again, probably easiest to just do a single netmask of 10.0.0.0/16.
 

JacobRhea

New Member
Feb 1, 2019
18
2
3
My NAT settings in pfSense are set to "Automatic" and it appears that the routes have already been added under "Source".
 

JacobRhea

New Member
Feb 1, 2019
18
2
3
I tried that and still had issues, I realized I could actually ping out to google from one of the systems I was having trouble with so I went into pfSense DNS Resolver and added that vlan subnet to the access list and everything seems to be working. I'm not sure if this is the correct fix, but it works.
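
Added example (not part of any post in this thread, and not pfSense or Unbound code): the fix reported above, reproduced from the IPv4 routing table posted earlier. It separates directly connected LAN networks from the ones routed via the switch, shows that a resolver answering only connected networks refuses a VLAN client, emits one Unbound `access-control` line per routed subnet, and counts the address space a single 10.0.0.0/16 entry would admit without any route behind it. Assumptions: the resolver's default ACL covers only connected networks, and the client address 10.0.10.50 is constructed.

```python
import ipaddress

# IPv4 rows copied from the pfSense routing table posted in the thread.
ROUTES = """\
default            c-73-183-224-1.hsd UGS        igb0
10.0.0.0/24        link#1             U           em0
router             link#1             UHS         lo0
10.0.10.0/24       10.0.0.2           UGS         em0
10.0.20.0/24       10.0.0.2           UGS         em0
10.0.30.0/24       10.0.0.2           UGS         em0
10.0.99.0/24       10.0.0.2           UGS         em0
10.0.100.0/24      10.0.0.2           UGS         em0
"""

def parse(table, lan_if="em0"):
    """Split LAN-side routes into directly connected and gateway-routed networks."""
    direct, routed = [], []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[3] != lan_if:
            continue
        try:
            net = ipaddress.ip_network(fields[0])
        except ValueError:
            continue  # hostname rows such as "default" or "router"
        # The G flag marks a route that goes through a gateway (here: the switch).
        (routed if "G" in fields[2] else direct).append(net)
    return direct, routed

def resolver_allows(client, allowed):
    """True if the client address falls inside any network on the resolver ACL."""
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in allowed)

def acl_lines(nets):
    """Unbound access-control directives, one per network (least privilege)."""
    return [f"access-control: {n} allow" for n in sorted(nets)]

def unrouted_addresses(supernet, nets):
    """Addresses a single broad ACL entry admits that have no route behind them."""
    sup = ipaddress.ip_network(supernet)
    return sup.num_addresses - sum(n.num_addresses for n in nets if n.subnet_of(sup))

if __name__ == "__main__":
    direct, routed = parse(ROUTES)
    client = "10.0.10.50"  # constructed client on the Servers VLAN
    print("allowed before ACL change:", resolver_allows(client, direct))
    print("allowed after ACL change: ", resolver_allows(client, direct + routed))
    print("\n".join(acl_lines(routed)))
    print("unrouted addresses inside 10.0.0.0/16:",
          unrouted_addresses("10.0.0.0/16", direct + routed))
```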
 

csementuh

Member
Oct 7, 2019
36
10
8
Pittsburgh, PA
> Not offhand, sorry. I tried to reproduce your issue here locally with a wireshark dump, but I see no DNS requests (or anything, really) after running those sz disable commands. that was on an icx7250 running 8092d
>
> have you rebooted the switch since running all the SZ disable stuff? Only other thing I can think to try. you SURE you're seeing requests from the switch itself?

Thanks for checking!

I'm running FW 8080e like in your guide. Is the 8092d a newer version I should try? I didn't see any reference to it.

My switch had been up for 180 days so I did reboot it. No change sadly. I really don't see how it's not the switch, considering I don't own anything else Brocade/Ruckus. I haven't done a Wireshark or anything so perhaps I'll have to try it and see.

EDIT: I changed my switch DNS to only use the pi-hole and I can see the direct hits from my main switch to the ruckus domains. It is 100% doing the DNS hits directly even though all of the sz stuff is disabled.

Rebooting the switch did clear all the junk from the sz logs. I have this now with current data only, but it doesn't look very exciting.

Code:
>show sz logs
Start i/max/iter 0/5/1
Jan  7 23:48:52:ca_stop_timer>Cancelled Timer id 0, rc=0
Jan  7 23:48:52:ca_start_timer:95912>Started timer with l/p 30000/30000 for u17, rc 0, id 167172236
Jan  7 23:48:53:ca_stop_timer>Cancelled Timer id 0, rc=41
Jan  7 23:48:53:sz_execute_state_machine>Entering with state/event: INIT/0, DISABLE/2005
Jan  7 23:48:53:sz_execute_state_machine>Exit with state/event: DISABLED/1, NONE/2000 RC: 1
End i/max/iter 5/5/0
 

tubs-ffm

Active Member
Sep 1, 2013
171
57
28
> I'm running FW 8080e like in your guide. Is the 8092d a newer version I should try? I didn't see any reference to it.

A list of all FW versions you can find on the support page.
Software Downloads | Ruckus Wireless Support

What I am asking myself is if there is somewhere a simple overview of the different "branches". At least to me it looks like branches. Please correct me if this is wrong. Old and newer branches are getting maintained in parallel: 08.0.80, 08.0.90, 08.0.92, 08.0.95