
Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)


jasonwc

Member
Dec 31, 2018
49
18
8
What about issues with older CPU and encryption?

I have been following the guide and I am pretty much done for the basic load out. The problem is SSH. I've uploaded the public key per your guide (thanks btw, excellent instructions on setup) but it throws the error:

Code:
Unable to negotiate with 192.168.1.250 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
I searched for that same error on this thread and don't see it. The only thing I have found is a possible issue with older CPU and management card.
That error is just telling you that the Brocade switch is using a deprecated key exchange method. You can whitelist that key exchange on PuTTY if you're on Windows, and there are instructions on the first page for the OpenSSH client on Linux.

 

gridstop

New Member
Dec 17, 2021
2
0
1
Oddly enough I was just registering to ask about a similar ssh issue. I am able to ssh into my 6450 by allowing that key exchange, but I can't get the ssh client on the switch to work when trying to backup my config to a machine. I whitelisted the same key exchange algorithms in sshd_config on my linux machine, but the switch outputs this:

ICX6450-24P Router#copy startup-config scp 10.1.1.100 /home/testuser/startup.txt
User name:testuser
Password:
Connecting to remote host......
return error need to revisit
(insert ~2 minute delay here)
Connection Closed

On the linux machine, I put sshd logging in verbose and I only got a Connection from 10.1.1.1 port 7507 on 10.1.1.100 port 22 rdomain "" message and then nothing else. tcpdump shows a couple packets, then a 30 second delay, a few more packets exchanged and then nothing. So at least packets are getting through in both directions. Googling and searching this thread for 'return error need to revisit' gives nothing.

EDIT: Tracked this down by running sshd in full debug mode. The last thing that sshd sends to the 6450 is SSH2_MSG_NEWKEYS and then sits at expecting SSH2_MSG_NEWKEYS forever. Looking at the default /etc/ssh/ssh_host_rsa_key using ssh-keygen -lf revealed they're 3072 bit keys by default, which the ICX6450 can't handle.

So I just did a new ssh-keygen -t rsa -b 2048, and replaced the keys in /etc/ssh and the ssh client on the switch can now connect to sshd on linux. Still not sure what 'return error need to revisit' has to do with a bad key length but it wouldn't be the first unhelpful error message I've ever seen.
 
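Both SSH fixes from the posts above, the client-side key exchange override and the sshd RSA host key size check, as one added example (not from the thread, the guide it references, or Brocade). It is a POSIX shell script that assumes an OpenSSH client and server on the Linux side, the switch address 192.168.1.250 from the error message above, and a constructed ssh-keygen -lf line for testing; the commented HostKeyAlgorithms line is an assumption for clients that also reject the switch's host key type.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenSSH on the Linux side and the
# switch address 192.168.1.250 from the error message quoted in the thread.
SWITCH_IP=${SWITCH_IP:-192.168.1.250}

# Per-host client stanza: the deprecated key exchange is enabled for the switch
# only, so every other connection keeps the client's modern default list.
ssh_config_stanza() {
    cat <<EOF
Host icx-switch
    HostName $SWITCH_IP
    KexAlgorithms +diffie-hellman-group1-sha1
    # Assumption, not from the thread: only needed if the client also rejects
    # the switch's ssh-rsa host key (OpenSSH 8.8+ disables it by default).
    #HostKeyAlgorithms +ssh-rsa
EOF
}

# Key size from an `ssh-keygen -lf` line such as
# "3072 SHA256:... root@host (RSA)" (first field is the bit length).
key_bits_from_fingerprint_line() {
    printf '%s\n' "$1" | awk '{ print $1 }'
}

# The ICX6450's SSH client never completed NEWKEYS against a 3072-bit sshd host
# key and worked with 2048, so 2048 bits is the limit enforced here.
rsa_key_ok_for_icx() {
    bits=$(key_bits_from_fingerprint_line "$1")
    [ "$bits" -le 2048 ]
}

# Run on the Linux host that the switch's `copy ... scp` command talks to.
check_sshd_host_key() {
    line=$(ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub) || return 1
    bits=$(key_bits_from_fingerprint_line "$line")
    if rsa_key_ok_for_icx "$line"; then
        echo "sshd RSA host key is $bits bits: ok for the ICX"
    else
        echo "sshd RSA host key is $bits bits: regenerate with"
        echo "  ssh-keygen -t rsa -b 2048 -f /etc/ssh/ssh_host_rsa_key   # then restart sshd"
    fi
}

# Only act when given a subcommand, so the file can also be sourced for its functions.
case "${1:-}" in
    stanza) ssh_config_stanza ;;
    check)  check_sshd_host_key ;;
esac
```

Saved as, say, icx-ssh.sh: `sh icx-ssh.sh stanza >> ~/.ssh/config` on the client, `sh icx-ssh.sh check` on the Linux host the switch copies its config to.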

jasonwc

Member
Dec 31, 2018
49
18
8
So, those $13 Bidi 40gbE transceivers work with zero issues on the 6610. Also, he's accepting best offers of $8 - absolute steal. 40gb over regular cheap duplex singlemode fiber, thanks to @jasonwc for the find. auction - XQX2502 KAIAM QSFP+40G-LR4 Lite OPTICAL MODULE NEW PULLS | eBay (if link dies, search around for KAIAM XQX2502)

Code:
ICX6610-24P Router#show stack con
Probing the topology. Please wait ...
ICX6610-24P Router#
    standby      active
     +---+        +---+
  2/6| 2 |2/1==2/1| 1 |2/6
     +---+        +---+

trunk probe results: 1 links
Link 1: u1 -- u2, num=1
  1: 1/2/1 (T0) <---> 2/2/1 (T0)
Code:
ICX6610-24P Router#show media e 1/2/1
Port   1/2/1:Type  : 40G QSFP Module
Vendor Name: KAIAM CORP       Serial Num: KD60630129      Revision: 1A
ICX6610-24P Router#show media e 2/2/1
Port   2/2/1: Type  : 40G QSFP Module
             Vendor: KAIAM CORP         Version: 1A
             Part# :    Serial#: KD60628356
Code:
ICX6610-24P Router#show int e 1/2/1
40GigabitEthernet1/2/1 is up, line protocol is up
  Port up for 10 minute(s) 31 second(s)
  Hardware is 40GigabitEthernet, address is cc4e.243d.3eff (bia cc4e.243d.3eff)
  Interface type is 40Gig Fiber
  Configured speed 40Gbit, actual 40Gbit, configured duplex fdx, actual fdx
Tested in all 4 ports as I recall talk of one port being higher power for ZR factory optics, and these work in all 4 slots including the 4x10gbE slots:

Code:
ICX6610-24P Router#show stack con
Probing the topology. Please wait ...
ICX6610-24P Router#
                 active
     +---+        +---+
  2/6| 2 |2/1==2/1| 1 |2/6
     +---+        +---+

trunk probe results: 1 links
Link 1: u1 -- u2, num=4
  1: 1/2/2 (T0) <---> 2/2/2 (T0)
  2: 1/2/3 (T0) <---> 2/2/3 (T0)
  3: 1/2/4 (T0) <---> 2/2/4 (T0)
  4: 1/2/5 (T0) <---> 2/2/5 (T0)
CPU to CPU packets are fine between 2 units.
These transceivers are an insane value! Not only do they work perfectly in both the ICX6610 AND the Mellanox ConnectX-3 but you also get digital optical monitoring data from ethtool. Moreover, it appears that the transceiver uses a maximum of 2.5W, which is about 1W less than the typical 10km 40G-LR4 modules I've seen. For example, Fiber Store's generic module reports ~3.5W as maximum power consumption.

Code:
root@storage-server:~# ethtool -m enp2s0
        Identifier                                : 0x0d (QSFP+)
        Extended identifier                       : 0x80
        Extended identifier description           : 2.5W max. Power consumption
        Extended identifier description           : No CDR in TX, No CDR in RX
        Extended identifier description           : High Power Class (> 3.5 W) not enabled
        Connector                                 : 0x07 (LC)
        Transceiver codes                         : 0x02 0x00 0x00 0x00 0x00 0x00 0x00 0x00
        Transceiver type                          : 40G Ethernet: 40G Base-LR4
        Encoding                                  : 0x00 (unspecified)
        BR, Nominal                               : 10300Mbps
        Rate identifier                           : 0x00
        Length (SMF,km)                           : 2km
        Length (OM3 50um)                         : 0m
        Length (OM2 50um)                         : 0m
        Length (OM1 62.5um)                       : 0m
        Length (Copper or Active cable)           : 0m
        Transmitter technology                    : 0x40 (1310 nm DFB)
        Laser wavelength                          : 1310.000nm
        Laser wavelength tolerance                : 6.500nm
        Vendor name                               : KAIAM CORP
        Vendor OUI                                : 14:ed:e4
        Vendor PN                                 : XQX2502
        Vendor rev                                : 1A
        Vendor SN                                 : KD60629247
        Date code                                 : 16062900
        Revision Compliance                       : SFF-8636 Rev 1.5
        Module temperature                        : 39.52 degrees C / 103.13 degrees F
        Module voltage                            : 3.2447 V
        Alarm/warning flags implemented           : No
        Laser tx bias current (Channel 1)         : 45.030 mA
        Laser tx bias current (Channel 2)         : 38.174 mA
        Laser tx bias current (Channel 3)         : 40.436 mA
        Laser tx bias current (Channel 4)         : 39.490 mA
        Transmit avg optical power (Channel 1)    : 1.4921 mW / 1.74 dBm
        Transmit avg optical power (Channel 2)    : 1.5180 mW / 1.81 dBm
        Transmit avg optical power (Channel 3)    : 1.4837 mW / 1.71 dBm
        Transmit avg optical power (Channel 4)    : 1.4863 mW / 1.72 dBm
        Rcvr signal avg optical power(Channel 1)  : 0.8646 mW / -0.63 dBm
        Rcvr signal avg optical power(Channel 2)  : 0.7799 mW / -1.08 dBm
        Rcvr signal avg optical power(Channel 3)  : 0.6020 mW / -2.20 dBm
        Rcvr signal avg optical power(Channel 4)  : 0.5647 mW / -2.48 dBm
It's pretty crazy how cheap 40G ethernet has gotten. I picked up a HP 649281-B21 Mellanox ConnectX-3 for $30 on eBay and flashed it to the FCBT variant using your guide (also removed the crappy PXE ROM). In contrast, a single-port 10G Mellanox ConnectX-3 is about $25 and lacks DOM (ethtool -m provides no output even with Mellanox optics). I paid $10 each for the 40G-LR Lite transceivers and around $10 for a 20M OS2 duplex cable.

Thus far, the ICX6610 and ConnectX-3 cards have accepted every transceiver I've used.

Macroreer for Brocade 10G-SFPP-LR SFP+ ($7 on eBay): Works with DOM
Curvature SFP-10G-LR-CURV 10GB 1310nm 10GBASE-LR ($5 on eBay in a lot of 4): Works but no DOM
ProLabs for Cisco SFP-10G-LR ($6 on eBay): Works but no DOM
Brocade Genuine 10G-SFPP-LR 57-0000076-01 SFP+ LR ($5 ea. for a lot of 4) - As expected, works with DOM
Brocade Genuine 10G-SFPP-SR 57-0000075-01 10GB 10GBASE-SR ($5 ea. for a lot of 4) - As expected, works with DOM

Given that you can get 10G-LR SFP+ modules for $5 and these KAIAM 40G-LR4 Lite QSFP transceivers dramatically reduce the cost of 40G fiber connections, I'll probably use SMF for all my runs moving forward. It's just more future-proof. For my 150ft runs from my network closet to my upstairs bedrooms, FS OS2 duplex cables are $15 and MTP OM3 cables with 8 fibers are $184.

EDIT: There's also a seller offering genuine Brocade 57-10000263-01 40G-LR4 10km optics for $27 each if you buy 3. Presumably this would provide DOM and it's validated to work on the ICX6610.
 

rocketpanda40

Member
Dec 12, 2019
50
31
18
Any router peeps out there willing to lend a hand? I am configuring OSPF and having an issue with passive interfaces. I come from the Cisco world where I would passive default the config then no passive the links I want to form neighbors on. I see the passive default command in the Brocade but I can't figure out how to no passive the interfaces I want. Transit VLAN specifically.

I did read the manual but it only references the passive-interface-default command and not how to enable an interface.
ip ospf active / ipv6 ospf active in the interface config like so:

Code:
interface ve 69
  port-name transit
  ip ospf area 69
  ip ospf active
  ipv6 ospf area 69
  ipv6 ospf active
 

jasonwc

Member
Dec 31, 2018
49
18
8
fohdeesha,

Perhaps the long-distance stacking link should be updated to note that these cheap 40G-LR4 (Lite) optics can be used with standard duplex SMF fiber for long distance runs. It should be considerably cheaper than using 40G-SR optics with MTP/MPO fiber, and will allow much longer runs, if necessary.
 

Slartibartfast

New Member
Apr 7, 2020
4
2
3
Hi,

I have found a Brocade ICX 7750-48F but the 6 port 40GE QSFP+ module at the back is missing and the seller said there is also no license present. The price is on the north side of 1000 euros. The missing module costs over 500 Euros on ebay (and the import tax of that is 177 euro). I can do without that module, but then the number of 40Gbe ports is limited.

I wonder if this is a good buy... (I live in Belgium, so nice deals on good network gear are scarce.)

I would like to have a fast router/switch (preferably 40gbE) and I was looking at Brocade, but to be honest: my knowledge of configuring this kind of hardware (or networks) is basic. Of course: there is already a lot of information in this thread, so that is a huge plus.

I want to set up a homelab to learn more about machine learning (analyzing security camera footage) and test Oracle / SQL Server database configurations. I would like to have 40gbE between my future workstation and NAS. I could also go for DAC, but a switch is nicer...

Do you have any thoughts on this?

Thanks!
 

LodeRunner

Active Member
Apr 27, 2019
540
227
43
The 7750 family is no longer receiving software updates. I would see if there are any Arista DCS-7050QX-32S units available in your region for a comparable price. 32 QSFP ports and the first 24 can be broken out as 10 G. Getting software for the Arista is admittedly more difficult, but it is still supported up to the latest EOS, if you can find it.

If you still want a 7750, the 7750-26Q is an all QSFP switch with several ports that can be configured as breakout for 10 G.
 

gridstop

New Member
Dec 17, 2021
2
0
1
I had a strange ACL issue while setting up my ICX6450. I was trying to write a rule that would allow ssh traffic into my router as well as some bridged ssh traffic to a neighboring L3 router (ACL filtering of bridged traffic is on). These are just ACLs on that vlan's router-interface.

EDIT: I keep going down rabbit holes and think I've narrowed down exactly what rules do/don't work, but it seems what I've actually found is cases where the ACLs only load partially after doing a copy scp running-config.

My config has a rule like this (the ranges are a little odd but not tricky):

Code:
permit tcp 192.168.10.64/26 192.168.10.240/28 eq 22

When I load this rule in using copy scp running-config <address> <path> overwrite (the rule is in the config), the rule does not match and it's not possible to ssh into the router anymore. Doing a show on the ACL shows the rule is present. Going into the ACL via the console cable and removing it and re-adding the exact same rule causes it to immediately work. After doing a write and reboot the ACL seems to load correctly.
 

evanh

New Member
Oct 25, 2021
10
3
1
Hey all, first of all huge thanks for this thread, for the guide and licenses. Just finished the config process on a new-to-me 6610-24p.

I'd successfully run the process on a 7150-C12P and three 6450's, but running into a unique issue with this 6610.

I've done everything, including specifically entering username evan password mypasswordstring, followed by write mem, and even did a reload.

However when I access it via ip and click the link to login, entering that username and password doesn't work. It just re-prompts me to enter username and password as if it wasn't correct. I've changed the password, and even created a second user named root with just alpha characters in the password, and those credentials won't work for the web UI either.

I've searched this thread with no luck. Any tips?

edit: show run:
Code:
telnet@ICX6610-24P Router#show run
Current configuration:
!
ver 08.0.30uT7f3
!
stack unit 1
  module 1 icx6610-24p-poe-port-management-module
  module 2 icx6610-qsfp-10-port-160g-module
  module 3 icx6610-8-port-10g-dual-mode-module
stack disable
!
!
!
!
vlan 1 name DEFAULT-VLAN by port
 router-interface ve 1
!
!
!
!
!
enable telnet authentication
enable aaa console
ip dhcp-client disable
!
username evan password .....
username root password .....
!
!
!
!
!
!
!
!
!
interface ethernet 1/3/1
 speed-duplex 10G-full
!
interface ethernet 1/3/2
 speed-duplex 10G-full
!
interface ethernet 1/3/3
 speed-duplex 10G-full
!
interface ethernet 1/3/4
 speed-duplex 10G-full
!
interface ethernet 1/3/5
 speed-duplex 10G-full
!
interface ethernet 1/3/6
 speed-duplex 10G-full
!
interface ethernet 1/3/7
 speed-duplex 10G-full
!
interface ethernet 1/3/8
 speed-duplex 10G-full
!
interface ve 1
 ip address 192.168.1.2 255.255.255.0
!
!
!
!
!
!
!
!
!
end
 

fohdeesha

Kaini Industries
Nov 20, 2016
2,738
3,104
113
33
fohdeesha.com
You skipped a step in the guide; make sure you're following the icx6xxx advanced setup page.
 

evanh

New Member
Oct 25, 2021
10
3
1
Shoot, you're correct. I must have reloaded before write mem after that step. Running these two commands and writing to memory fixed it:

Code:
aaa authentication login default local
aaa authentication web default local
 

James Verbunk

New Member
Apr 13, 2018
10
0
1
19
Hey Folks,

Hoping someone has a similar config for tips. :/ I picked up a few 6610s in the summer and tested for a bit. Fast-forward to now(ish) and I wanted to set up some Ruckus APs with VLANs. I set my VLANs on the ICX and in the AP config (assigned to SSID). An issue I found later is that there is no AP config option for having the AP-based traffic (cluster heartbeat) assigned to a VLAN; it will always send untagged.

Ok, so I set dual-mode to a 'management' themed VLAN only to find out that all APs popped out of the cluster and are yelling at me. In the CLI of AP 1 I can ping the others so at least ICMP works but I'm not sure how to test the UDP ports for heartbeat pass.

Anyone else lock down their APs into a management VLAN and have some tips?
 

klui

Well-Known Member
Feb 3, 2019
834
457
63
I don't use an ICX for my main switch but on Unleashed, edit your WLAN network and expand Show Advanced Options.

Click the WLAN Priority tab then enter the VLAN you wish tagged for this network in Access VLAN.

Your switch port should be trunked and your management network used to manage the AP should be defined as dual-mode. Define your WLAN VLANs as tagged.
 

James Verbunk

New Member
Apr 13, 2018
10
0
1
19
That's the method for assigning the SSID -> VLAN for client traffic. The hiccup I have is that the AP itself generates traffic (DHCP, Heartbeat to other APs, ssh). The (informal) way Ruckus has said to do this is add all the VLANs to the SSID so user client traffic explicitly goes into a VLAN and then we can 'assume' all untagged traffic is from the AP itself. I've set the tagged sections in the SSID config correctly but for some reason the AP can't find any others ... even though ping from the ap works against another ap.

Here is the relevant output from `show vlan` on the switch.

Code:
PORT-VLAN 30, Name admin, Priority level0, Spanning tree On
Untagged Ports: None
   Tagged Ports: (U1/M1)   3   4  21  22  23  24
   Uplink Ports: None
DualMode Ports: None
Mac-Vlan Ports: None
     Monitoring: Disabled

PORT-VLAN 40, Name [None], Priority level0, Spanning tree On
Untagged Ports: None
   Tagged Ports: (U1/M1)  3 4
   Tagged Ports: (U1/M3) 3
   Uplink Ports: None
DualMode Ports: (U1/M1)  21  22  23  24                       
Mac-Vlan Ports: None
     Monitoring: Disabled
The only thing suspicious is vlan 40 tagged u1/m3; I'm not familiar with the u1/m1 or /m3 nomenclature and that's the only entry in the /m3 on any vlan. Ports 3-4 are a LAGG to the upstream firewall and 21-24 are 4 Ruckus APs.

Edit : perhaps I've fallen into a router-on-a-stick model instead of a direct routing on the switch - can someone suggest how to test in brocade? :/
 

pinkypie

New Member
Dec 2, 2021
20
3
3
Hey guys need a little help please. I am trying to figure out how ACLs work. In one of Terry Henry's videos he says in version 8095 the ACLs are applied to the physical interface instead of the virtual interface. I've got a 6450 running 8030 so I figure that is why I couldn't recreate the results he was getting from applying the ACLs rules from the video.

I ran through some testing with a couple of vlans but I cannot get the results that I would expect. I have tried various rules permitting and denying ICMP traffic between VLANs with no success. It either allows all or blocks all. I seem to have a misunderstanding of how ACLs work despite watching hours of video and reading.

I read that extended ACLs should be placed as close to the source as possible. So if I want to block VLAN3 from communicating with VLANx, then wouldn't the code be placed on the "out" interface of VLAN3?

Code:
ip access-list extended block
  remark block VLAN3 from communicating with other VLANs
  deny ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.255.255
  remark allow traffic from other VLANs to flow out
  permit ip any any
Problem is when I do this, it allows all traffic. I am sure my problem is with a misunderstanding of how to correctly use "in" vs "out".

Any help in understanding and identifying the problem would be most appreciated.
 

klui

Well-Known Member
Feb 3, 2019
834
457
63
That's the method for assigning the SSID -> VLAN for client traffic. The hiccup I have is that the AP itself generates traffic (DHCP, Heartbeat to other APs, ssh). The (informal) way Ruckus has said to do this is add all the VLANs to the SSID so user client traffic explicitly goes into a VLAN and then we can 'assume' all untagged traffic is from the AP itself. I've set the tagged sections in the SSID config correctly but for some reason the AP can't find any others ... even though ping from the ap works against another ap.

Here is the relevant output from `show vlan` on the switch.

Code:
PORT-VLAN 30, Name admin, Priority level0, Spanning tree On
Untagged Ports: None
   Tagged Ports: (U1/M1)   3   4  21  22  23  24
   Uplink Ports: None
DualMode Ports: None
Mac-Vlan Ports: None
     Monitoring: Disabled

PORT-VLAN 40, Name [None], Priority level0, Spanning tree On
Untagged Ports: None
   Tagged Ports: (U1/M1)  3 4
   Tagged Ports: (U1/M3) 3
   Uplink Ports: None
DualMode Ports: (U1/M1)  21  22  23  24                      
Mac-Vlan Ports: None
     Monitoring: Disabled
The only thing suspicious is vlan 40 tagged u1/m3; I'm not familiar with the u1/m1 or /m3 nomenclature and that's the only entry in the /m3 on any vlan. Ports 3-4 are a LAGG to the upstream firewall and 21-24 are 4 Ruckus APs.

Edit : perhaps I've fallen into a router-on-a-stick model instead of a direct routing on the switch - can someone suggest how to test in brocade? :/
While I don't enable the DHCP server on Unleashed I have no trouble with it seeing my other AP.

u1/m3 just means unit 1 module 3, as in ethernet 1/3/x. Is your management VLAN 40? Did you assign the management configuration in VLAN 40's subnet?

System > IP Settings; Management Interface tab. Make sure Enable IPv4 Management Interface checkbox is checked.

In my IP Settings tab, Gateway Mode is not ticked but I do have an IP assigned in WAN IP Address. All my APs get reserved addresses in their management VLAN (untagged for that port).
 

James Verbunk

New Member
Apr 13, 2018
10
0
1
19
While I don't enable the DHCP server on Unleashed I have no trouble with it seeing my other AP.
DHCP is enabled on upstream firewall, not on AP. No concern here.

u1/m3 just means unit 1 module 3, as in ethernet 1/3/x. Is your management VLAN 40?
Got it. Awesome, thx for info.

Did you assign the management configuration in VLAN 40's subnet?
I made vlan 40 untagged on that port so all AP created traffic can use as its native. The APs can reach the upstream dhcp on the firewall (pfsense)

System > IP Settings; Management Interface tab. Make sure Enable IPv4 Management Interface checkbox is checked.
Tried this but it doesn't affect the vlan the heartbeat uses.

In my IP Settings tab, Gateway Mode is not ticked but I do have an IP assigned in WAN IP Address. All my APs get reserved addresses in their management VLAN (untagged for that port).
Same config. Reserved DHCP on vlan 40 from pfsense. All APs do get the correct DHCP.