Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)

casperghst42

Member
Sep 14, 2015
Is it possible to set the switch up with more than one SSH public key? I don't share private keys across my machines, but it'd be nice to be able to SSH into the switch from more than one computer.
Normally what you do is create an ssh key only for this, which you then distribute to the people and/or computers that need it.

Or if this is an enterprise environment, then maybe a PAM solution could be used.

tangent

New Member
Feb 7, 2020
Hello!

I've got an icx7250 running my network core.

After a power outage, my switch, which had happily been running for a year straight, seems to have forgotten its license!

What's worse, when I type "license" and hit tab, the only option is "delete", and "license install" is giving invalid syntax errors!

Google has not helped me. I can't easily post command output since I can only console into the switch at the moment and I am posting from my phone...

Edit: ok so this is fun. Looks like the primary flash got corrupted, and it is falling back to secondary flash which does not support honor-based licensing. I should be good once I re-flash it with the right version.

fohdeesha

Kaini Industries
Nov 20, 2016
fohdeesha.com
Hello!

I've got an icx7250 running my network core.

After a power outage, my switch, which had happily been running for a year straight, seems to have forgotten its license!

What's worse, when I type "license" and hit tab, the only option is "delete", and "license install" is giving invalid syntax errors!

Google has not helped me. I can't easily post command output since I can only console into the switch at the moment and I am posting from my phone...
Sounds like it reverted to booting from the secondary firmware slot, which has an old version from before licenses were made free. You can verify by running show version and see what it's running. If it's old it might have gotten rid of some of your config too. Just follow the guide to flash the new firmware back to primary again, and ensure it's set to boot from primary (if it's booting from secondary, you may have to knock some sense into it by running "boot system flash primary" at the configure terminal level, then write mem to save it)

tangent

New Member
Feb 7, 2020
Yup, and the best part is that most of my key devices (router, fileserver with config backup, etc) were connected to the 10g ports :rolleyes:

It was due for an upgrade anyway.

Thanks for all your support!

adman_c

Active Member
Feb 14, 2016
Chicago
Done. Now about to try my hand at some paper clip MPO trunks.

Thanks again!

I’ll post some pics of our setup when we’re done. Setting up some 40G uplinks for our Truenas box to serve video and rendering editors.
Sheeit. All this time and I've just been freeloading! Donated!

Anyone think we'll start to see more 7250 models showing up on ebay now that they've been emergency suddenly EOL'd discontinued? Or do we think that folks will hang on to them since there's no current equivalent for a 24/48 port switch with > 4 sfp+ slots without going all the way up to the 7450. (Edited that for more accuracy).

Oh, and sorry to bump my own question, but does anyone have any ideas why I can't seem to get my 7250 to route properly?
OK. I've been banging my head against this for a bunch of hours and I would love it if someone could just point out where I'm being dumb. I cannot for the life of me get my 7250 to route between VLANs. I'm running pfsense/opnsense (virtualized, and switching back and forth between the two while I get my opnsense install fully operational--for the purposes of this question, it doesn't matter which firewall I'm running). I have a bunch of VLANs--more than I need, but whatever. 3 of the VLANs are trusted, and I want to be able to route between them via the switch rather than going out to the firewall. The rest of the VLANs I want to go ahead and use the firewall to the extent there needs to be routing between them (rare), because I'm substantially more comfortable with filter rules than ACLs. At the bottom of this message is my current running config, and here is the output of 'sh ip route':
Code:
SSH@coreswitch(config)#sh ip route
Total number of IP routes: 6
Type Codes - B:BGP D:Connected O:OSPF R:RIP S:Static; Cost - Dist/Metric
BGP  Codes - i:iBGP e:eBGP
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2
STATIC Codes - v:Inter-VRF
        Destination        Gateway         Port          Cost          Type Uptime
1       0.0.0.0/0          172.16.2.1      ve 2162       1/1           S    10h49m
2       10.10.10.0/24      DIRECT          ve 1010       0/0           D    10h49m
3       172.16.1.0/24      DIRECT          ve 2161       0/0           D    10h49m
4       172.16.2.0/24      DIRECT          ve 2162       0/0           D    10h49m
5       192.168.0.0/24     DIRECT          ve 2          0/0           D    10h49m
6       192.168.10.0/24    DIRECT          ve 10         0/0           D    10h49m
The three VLANs between which I want to route are 2, 10, and 1010. 2161 and 2162 are transit VLANs for WAN and LAN, respectively. When I set the gateway on any of the trusted VLANs to the firewall (X.X.X.1), everything works as expected. The firewall routes between VLANs according to my rules and I can get out to the internet. On the other hand, when I set the gateway on any of the trusted VLANs to the switch (X.X.X.254), I cannot reach one subnet from another. SSH/HTTPS are both inaccessible between local subnets. However, going out to the internet works, and for some reason I can ping between local subnets. This behavior is the same whether I'm running pfsense or opnsense, and even if I yank the LAN transit cable between the switch and the firewall.

At this point I'm ready to give up and just let the firewall handle all the routing, even though it's not quite up to the task of linespeed routing. As an aside, how much CPU do you need to max iperf on 10gbe? In brief testing I can get ~7gbit with my i3-8100t.

Anyway, any suggestions would be awesome.

Thanks!

Code:
SSH@coreswitch>sh run
Current configuration:
!
ver 08.0.95fT213
!
stack unit 1
  module 1 icx7250-24p-poe-port-management-module
  module 2 icx7250-sfp-plus-8port-80g-module
!
!
global-stp
!
!
!
vlan 1 name DEFAULT-VLAN by port
spanning-tree
!
vlan 2 name infra by port
tagged ethe 1/2/2 to 1/2/4
untagged ethe 1/1/2 to 1/1/3 ethe 1/1/5 to 1/1/7 ethe 1/1/15 ethe 1/1/20 to 1/1/21 ethe 1/1/24
router-interface ve 2
spanning-tree
!
vlan 10 name home by port
tagged ethe 1/1/2 ethe 1/1/7 ethe 1/1/15 ethe 1/1/20 to 1/1/21 ethe 1/1/24 ethe 1/2/2 to 1/2/4
untagged ethe 1/1/4 ethe 1/1/8 to 1/1/9 ethe 1/1/11 ethe 1/1/14 ethe 1/1/16 ethe 1/2/5
router-interface ve 10
spanning-tree
!
vlan 11 name voip by port
tagged ethe 1/1/2 ethe 1/1/15 ethe 1/1/20 to 1/1/21 ethe 1/1/24 ethe 1/2/2
untagged ethe 1/1/12 ethe 1/1/18
spanning-tree
!
vlan 12 name guest by port
tagged ethe 1/1/2 ethe 1/1/15 ethe 1/1/20 to 1/1/21 ethe 1/1/24 ethe 1/2/2
spanning-tree
!
vlan 20 name kids by port
tagged ethe 1/1/2 ethe 1/1/5 ethe 1/1/15 ethe 1/1/20 to 1/1/21 ethe 1/1/24 ethe 1/2/2
spanning-tree
!
vlan 30 name IOT by port
tagged ethe 1/1/2 ethe 1/1/7 ethe 1/1/15 ethe 1/1/20 to 1/1/21 ethe 1/1/24 ethe 1/2/2 to 1/2/4
untagged ethe 1/1/13 ethe 1/1/17 ethe 1/1/19 ethe 1/1/22 to 1/1/23 ethe 1/2/7
spanning-tree
!
!
vlan 999 by port
tagged ethe 1/1/24 ethe 1/2/2
!
vlan 1010 name data by port
tagged ethe 1/1/2 ethe 1/1/15 ethe 1/1/20 to 1/1/21 ethe 1/1/24 ethe 1/2/2
untagged ethe 1/2/3 to 1/2/4
router-interface ve 1010
spanning-tree
!
!
!
!
vlan 2161 name wansit_176_16_1 by port
untagged ethe 1/2/1
router-interface ve 2161
!
vlan 2162 name lansit_176_16_2 by port
untagged ethe 1/2/2
router-interface ve 2162
!
vlan 2222 name wan_vlan by port
tagged ethe 1/2/1
untagged ethe 1/1/1
spanning-tree
!
!
!
vlan 3333 name 5g_wan_vlan by port
tagged ethe 1/1/24 ethe 1/2/1
untagged ethe 1/1/10
spanning-tree
!
!
!
!
!
!
!
!
aaa authentication web-server default local
aaa authentication login default local
enable aaa console
hostname coreswitch
ip dhcp-client disable
ip dns server-address 192.168.0.1
ip route 0.0.0.0/0 172.16.2.1
!
no telnet server
username super password .....
!
!
!
!
clock summer-time
clock timezone gmt GMT-06
!
!
ntp
disable serve
server 192.168.0.1
server 10.10.10.1
!
!
no web-management http
web-management https
!
manager disable
!
!
manager port-list 987
!
!
!
!
!
!
!
!
!
interface management 1
ip address 10.10.2.254 255.255.255.0
!
interface ethernet 1/1/1
port-name cablemodem
!
interface ethernet 1/1/2
port-name firemox
!
interface ethernet 1/1/3
port-name prox-enp35
!
interface ethernet 1/1/4
port-name printer
!
interface ethernet 1/1/5
port-name minimox-eno1
!
interface ethernet 1/1/6
port-name piman
!
interface ethernet 1/1/7
port-name micromox1
!
interface ethernet 1/1/8
port-name IPMI1
!
interface ethernet 1/1/9
port-name note-nook
!
interface ethernet 1/1/12
port-name obi200
!
interface ethernet 1/1/15
port-name kitchen-no-poe
!
interface ethernet 1/1/17
port-name master-bed
!
interface ethernet 1/1/18
port-name security
!
interface ethernet 1/1/19
port-name garage
!
interface ethernet 1/1/20
port-name foyer
!
interface ethernet 1/1/21
port-name kitchen
!
interface ethernet 1/1/22
port-name garage-south-2
!
interface ethernet 1/1/23
port-name 2nd-bed
!
interface ethernet 1/1/24
port-name 4th-floor
!
interface ethernet 1/2/1
port-name WANuplink
!
interface ethernet 1/2/2
port-name LANuplink
!
interface ethernet 1/2/3
port-name mmx-10g
!
interface ethernet 1/2/4
port-name prox-10g
!
interface ethernet 1/2/5
port-name m1mini
!
interface ve 2
ip address 192.168.0.254 255.255.255.0
!
interface ve 10
ip address 192.168.10.254 255.255.255.0
!
interface ve 1010
ip address 10.10.10.254 255.255.255.0
!
interface ve 2161
ip address 172.16.1.254 255.255.255.0
!
interface ve 2162
ip address 172.16.2.254 255.255.255.0
!
!
!
!
!
!
!
!
!
!
ip ssh  password-authentication no
ip ssh  idle-time 0
ip ssh  interactive-authentication no
!
!
!
!
!
end
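As an added helper (not from the thread, and not a diagnosis of the problem above), a small parser for the VLAN stanzas of a FastIron running config like the one posted: it lists every port that belongs to more than one routed VLAN (a VLAN with a router-interface), which is the first thing to inventory when the default gateway is moved between a firewall and the switch's ve interfaces. CONFIG is a trimmed excerpt of the posted config; the function names are my own.

```python
import re
from collections import defaultdict
# Trimmed excerpt of the running config posted above (port lists shortened to keep the example small).
CONFIG = """\
vlan 2 name infra by port
 untagged ethe 1/1/2 to 1/1/3 ethe 1/1/15
 router-interface ve 2
!
vlan 10 name home by port
 tagged ethe 1/1/2 ethe 1/1/15 ethe 1/2/2 to 1/2/4
 untagged ethe 1/1/4
 router-interface ve 10
!
vlan 2162 name lansit_176_16_2 by port
 untagged ethe 1/2/2
 router-interface ve 2162
!
"""
PORT_RE = re.compile(r"ethe (\S+)(?: to (\S+))?")  # one port, or a 'to' range
def expand(first, last):
    """Expand 'ethe 1/2/2 to 1/2/4' into the individual unit/slot/port names."""
    if not last:
        return [first]
    unit, slot, lo = first.split("/")
    return [f"{unit}/{slot}/{n}" for n in range(int(lo), int(last.split("/")[2]) + 1)]

def parse_vlans(config):
    """Return {vlan_id: {"routed": bool, "ports": {port: "tagged"|"untagged"}}}."""
    vlans, cur = {}, None
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"vlan (\d+)", line)
        if m:  # start of a VLAN stanza; a bare '!' closes it
            cur = vlans.setdefault(int(m.group(1)), {"routed": False, "ports": {}})
        elif cur is None or line == "!":
            cur = None
        elif line.startswith(("tagged ", "untagged ")):
            for first, last in PORT_RE.findall(line):
                for port in expand(first, last):
                    cur["ports"][port] = line.split()[0]
        elif line.startswith("router-interface"):  # the VLAN has an SVI, so the switch routes it
            cur["routed"] = True
    return vlans

def multi_routed_ports(vlans):
    """Ports that are members of more than one routed VLAN, as sorted (port, [vlan ids]) pairs."""
    by_port = defaultdict(list)
    for vid, v in vlans.items():
        for port in (v["ports"] if v["routed"] else ()):
            by_port[port].append(vid)
    return sorted((p, sorted(ids)) for p, ids in by_port.items() if len(ids) > 1)
```

Run it against the full `sh run` output to see, for instance, that the firewall's trunk port 1/1/2 is tagged in every routed VLAN as well as the transit VLAN.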

adman_c

Active Member
Feb 14, 2016
Chicago
I think that's just End of Sale, not End of Life/End of Support.
Oh shit you're right. I even read that when I saw that notice the first time. They're not EOL or EOS for a couple years at least. Sorry for the alarm! I edited my post. And also tracked down the doc with the dates.
[Attachment: Screen Shot 2022-05-19 at 5.15.59 PM.png]

danb35

Member
Nov 25, 2017
And now a 6610 is here, updated, licensed, etc. with no problems. Outstanding. But damn, that's loud when it first starts up. Not too bad once the fans ramp down, but I don't think I want to be anywhere close if they have to spend any time at Speed 2.

rootwyrm

Member
Mar 25, 2017
www.rootwyrm.com
I think that's just End of Sale, not End of Life/End of Support.
Nope. It is an emergency EOS and permanent EOSL.

Last Order: prior to Feb 7, 2022
Last Delivery: prior to July 1, 2022
Prior EOSD: no plans to terminate software development
New EOSD: terminating 1 year after final shipment, no later than July 1, 2023 but will be sooner if supply is exhausted before July 1
Prior EOSL: 2030ish
Last Contract: no later than July 1, 2022 but will be sooner if supply is exhausted before then
Absolute Contract Termination: no later than July 1, 2027 (5yr)

Additionally, all support contracts and licenses have been permanently discontinued effective no later than July 1, 2022. I've also been told (don't have solid confirmation) that Ruckus stopped permitting any same-day hardware contracts either new or renewal in February. 4 hour software only, no hardware secure uplifts, and no 4 hour parts.

edit: to clarify, EOSD means that no 7150 or 7250 will receive any further software updates, including security fixes, after July 1, 2023. So the market may shortly be flooded as this has the immediate effect of requiring all GSA, FedRamp, and CMS providers to immediately replace every 7150 and 7250 in their environment.

rootwyrm

Member
Mar 25, 2017
www.rootwyrm.com
Wow, I wonder what caused that. Supply issues or critical design flaw?
It's stated in the emergency EOS document that it's supply shortages and unexpected discontinuations.
The ICX7150 and ICX7250 both use the same processor. Broadcom's been basically surprise-axing older silicon left, right, and center and moving last order dates up years. Everything below Trident2 already had a last order date, all of them got moved up to "too late."
Basically in the past 12 months, the entire Broadcom 1GbE portfolio was surprise axed.
BCM56344 is listed as 'active' with 52+ week lead time at supply houses. But Broadcom no longer lists it as an active part on their site and has scrubbed all references and all pages - meaning it has been surprise permanently discontinued.

fohdeesha

Kaini Industries
Nov 20, 2016
fohdeesha.com
I think that's just End of Sale, not End of Life/End of Support.
Yeah, it's just end of sale due to supply chain, same reason Juniper just end-of-sale'd their most popular MX and everything else based on HMC they can't get built anymore. End of support date for the 7250 is still 5 years out.