Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)

[CHANABRA]

and can a 7250-24 be upgraded to a 7250-24P?

 

[Rttg]

so I could theoretically have another managed switch with PoE even 2.5gb poe or higher, and a 10gb uplink to this switch, and I could put the L3 magic on that port and thus get a similar outcome to having a the poe version?

I’m not sure exactly what you mean by wanting to “put the L3 magic on”, but you’d typically want to pick a single L3 router rather than using multiple routers. A managed L2 PoE switch would let you configure VLANs on that device downstream of your 7250. You could also use an unmanaged PoE switch (or individual PoE injectors) and manage VLANs on the 7250 itself (look for MAC/flex auth in the L2 security guide if you need dynamic VLANs on a single 7250 port - e.g., an IoT VLAN and a ‘trunk’ for an AP all powered by the same unmanaged PoE switch).

also, what is the best or highest firmware 7250 models are recommended to be on ?

Check @fohdeesha ’s excellent guide

last question --- is the 7250 a switch that has issues as a DHCP server?? that was one of the reasons among many others I went this direction. if it does have issues, what is the best solution for a dhcp server so I can setup the 7250 with dhcp relay or whatever?

Yup - if devices don’t like a non-authoritative DHCP server, you’ll have problems using the switch in that capacity, but DHCP relay works well to a separate device (typically your upstream router/gateway/firewall or a separate server).

and can a 7250-24 be upgraded to a 7250-24P?

Practically, no. The PoE-less switches not only lack the PoE daughter board but are also missing other components.

 

[ManoftheSea]

All hope is not lost.

As far as your routing situation, it needs to know where to send the packets with either a router advertisement or a static assigned gateway. Can't just send it out of an interface. AFAIK, other switch firmware is similar.

Thanks for the confirmation. At this time, I've got OpenWRT doing the gateway to the ISP (Comcast) who gives me a /60. So OpenWRT has a static route through fe80::1 (ICX6450 ve 1) to the /60, and ve 1 has a default route through the link-local EUI-64 of OpenWRT to the internet. Then, I assign static /64's to ve 2 and ve 3 (thus allowing routing traffic to those segments) as well as giving them fe80::1. The switch announces that it is the default route on ve 2 and 3, which covers the delegated prefix as well as a ULA for the "site".

ipv6 unicast-routing
ipv6 route ::/0 ve 1  fe80::f2ad:4eff:fexx:xxxx
!
interface ve 1
 ipv6 address fe80::1 link-local
 ipv6 address fdxx:xxxx:xxxx::/64 eui-64
 ipv6 address 2601:xxxx:xxxx:xxx0::/64 eui-64
 ipv6 nd suppress-ra
!
interface ve 2
 ipv6 address fe80::1 link-local
 ipv6 address fd50:xxxx:xxxx:20::/64 eui-64
 ipv6 address 2601:xxxx:xxxx:xxx2::/64 eui-64
 ipv6 nd other-config-flag

I am trying to figure out the DHCPv6 giving out DNS and NTP servers, since the ICX6450 can't advertise those in the RA; then I will be figuring out the DHCPv6 relay.

 

[dswartz]

I found the layer 3 IPv6 support in the ICX very limiting and in my recent network rebuild I stopped using it; my ICX units only handle layer 2 now.

I've never felt comfortable with the idea of an L3 switch. I like to keep routing and switching separated.

 

[bitbckt]

I've never felt comfortable with the idea of an L3 switch. I like to keep routing and switching separated.

How retro.

 

[Blue)(Fusion]

I am trying to figure out the DHCPv6 giving out DNS and NTP servers, since the ICX6450 can't advertise those in the RA; then I will be figuring out the DHCPv6 relay.

I literally just figured out how to do this last week properly. I am using ISC's DHCP server on FreeBSD for IPv4 DHCP assignments and now the same for IPv6 DNS, NTP, and TFTP assignments.

ipv6 dhcp-relay destination <primary ipv6 dhcp server>
ipv6 dhcp-relay destination <secondary ipv6 dhcp server>
ipv6 dhcp-relay include-options interface-id remote-id
ipv6 nd other-config-flag

In your dhcpd6.conf you'll have to put each subnet and options for the subnets you are serving DHCP with, including the subnet that the DHCP6 server is running on, even if you aren't actually using DHCP on that subnet (this took a while to figure out for me as I have only static assignments on that network service related subnet).

 

[ManoftheSea]

I am using ISC's DHCP server on FreeBSD for IPv4 DHCP assignments and now the same for IPv6 DNS, NTP, and TFTP assignments.

Did you see that isc-dhcp-server is deprecated? They want you to move to isc-kea-server.

Thanks for the code snippet.

 

[Blue)(Fusion]

Did you see that isc-dhcp-server is deprecated? They want you to move to isc-kea-server.

Thanks for the code snippet.

Nope sure didn't but thanks for the info I'll start migrating soon.

 

[am45931472]

anyone know what power supply is in the ICX 7150-24p. I got a dead one. its clearly different than the 7250-24p and 6450-24-48p

 

[dswartz]

How retro.

Most of my rationale is because I have a lot of experience (job and hobby) with routing&etc. Switching, not so much.

 

[Blue)(Fusion]

Most of my rationale is because I have a lot of experience (job and hobby) with routing&etc. Switching, not so much.

Did you see that isc-dhcp-server is deprecated? They want you to move to isc-kea-server.

Thanks for the code snippet.

Off topic, but I made the switch to a HA active-standby Kea DHCP setup. Took a while to figure things out for BIND DNS updates, but got it going and I like it.

 

[CHANABRA]

So it seems stacking with the 7250 is limited to only other 7250s? What if I wanted some ports with higher bandwidth? Can I still connect and use say a 7450 or 7750 with the 7250 and just not have it officially "stacked"?

 

[kpfleming]

That's true of the entire 7xxx family, not just 72xx.

You certainly interconnect any type of switch, and even use LAGs to provide higher-bandwidth links if you like. You'll just be managing them as independent switches, instead of a single 'logical' switch.

 

[CHANABRA]

That's what I thought, I guess I just didn't read long enough, thank you for the quick answer.

 

[hmw]

@fohdeesha - using the Ruckus warranty checker for some of these switches on eBay returns a 'no asset found'. From your vast Ruckus knowledege - is it indicative of grey market / serial not yet in system? Just trying to avoid fake labels (hence fake listings)

 

[SuperMiguel]

Hello all im looking for feedback on my switch (ICX-6610) configuration i have a few concerns:

1) my fw version is older than whats available now, should i upgrade? any benefits
2) I currently have spanning-tree enabled should i keep it that way?
3) My router is an OPNsense box, and its currently doing all of the inter VLAN communication, should i move that to the switch? (any benefits?)
4) If i do #3 then im guessing i would have to do all of the VLAN communication rules/policies on the switch right?

Here is my config:

Current configuration:
!
ver 08.0.30tT7f3
!
stack unit 1
  module 1 icx6610-48p-poe-port-management-module
  module 2 icx6610-qsfp-10-port-160g-module
  module 3 icx6610-8-port-10g-dual-mode-module
!
global-stp
!
!
!
spanning-tree single
!
vlan 1 name DEFAULT-VLAN by port
 router-interface ve 1
 spanning-tree
!
vlan 10 name TRUSTED by port
 tagged ethe 1/1/1 to 1/1/3 ethe 1/1/36 ethe 1/1/41 ethe 1/1/43 ethe 1/3/1 to 1/3/2
 untagged ethe 1/1/8 to 1/1/9 ethe 1/1/12 ethe 1/1/16 ethe 1/1/18 ethe 1/1/22 ethe 1/1/24 to 1/1/28 ethe 1/1/38 ethe 1/3/3 ethe 1/3/8
 router-interface ve 10
 spanning-tree
!
vlan 69 name GUEST by port
 tagged ethe 1/1/1 to 1/1/3 ethe 1/1/36 ethe 1/1/41 ethe 1/1/43 ethe 1/3/1
 router-interface ve 69
 spanning-tree
!
vlan 88 name WORK by port
 tagged ethe 1/1/1 to 1/1/3 ethe 1/1/36 to 1/1/37 ethe 1/1/41 ethe 1/1/43 ethe 1/3/1
 router-interface ve 88
 spanning-tree
!
vlan 120 name IOT by port
 tagged ethe 1/1/1 to 1/1/3 ethe 1/1/36 to 1/1/37 ethe 1/1/41 ethe 1/1/43 ethe 1/3/1
 router-interface ve 120
 spanning-tree
!
vlan 130 name CCTV by port
 tagged ethe 1/1/1 to 1/1/3 ethe 1/1/36 ethe 1/1/41 ethe 1/1/43 ethe 1/3/1
 untagged ethe 1/1/14 to 1/1/15 ethe 1/1/19 ethe 1/1/31 to 1/1/32 ethe 1/1/34 ethe 1/1/39 to 1/1/40 ethe 1/1/45 ethe 1/1/47 to 1/1/48 ethe 1/3/7
 router-interface ve 130
 spanning-tree
!
!
spanning-tree single 802-1w
spanning-tree single 802-1w priority 0
!
!
!
!
aaa authentication web-server default local
aaa authentication enable default local
aaa authentication login default local
enable telnet authentication
hostname superbeefbox
ip dhcp-client disable
ip route 0.0.0.0/0 10.0.0.1
!
username root password .....
!
!
!
!
!
!
!
!
!
interface ethernet 1/1/1
 dual-mode
!
interface ethernet 1/1/2
 port-name DownStairs-AP
 dual-mode
 inline power
!
interface ethernet 1/1/3
 port-name UpStairs-AP
 dual-mode
 inline power
!
interface ethernet 1/1/4
 port-name Firewall-IPMI
!
interface ethernet 1/1/8
 port-name Sonos-Amp
!
interface ethernet 1/1/9
 port-name Living-room-apple-tv
!
interface ethernet 1/1/12
 port-name AC_Closet_Switch
!
interface ethernet 1/1/14
 port-name Driveway-Camera
 inline power
!
interface ethernet 1/1/15
 port-name Backyard-Camera
 inline power
!
interface ethernet 1/1/16
 port-name SuperDesktop
!
interface ethernet 1/1/18
 port-name SonosArc
!
interface ethernet 1/1/19
 port-name Lanai-Camera
 inline power
!
interface ethernet 1/1/22
 port-name Gym-AppleTV
!
interface ethernet 1/1/24
 port-name MasterBed AppleTV
!
interface ethernet 1/1/25
 port-name Sonos-Amp-Pool
!
interface ethernet 1/1/26
 port-name Envisalink
!
interface ethernet 1/1/27
 port-name Hubitat Upstairs
!
interface ethernet 1/1/28
 port-name Sonos-Amp-Kitchen
!
interface ethernet 1/1/31
 port-name KidsHall-Camera
 inline power
!
interface ethernet 1/1/32
 port-name Stairs-Camera
 inline power
!
interface ethernet 1/1/34
 port-name LivingRoom-Camera
 inline power
!
interface ethernet 1/1/36
 port-name Lanai-AP
 dual-mode
 inline power
!
interface ethernet 1/1/37
 port-name GameRoomSwitch
 dual-mode
!
interface ethernet 1/1/38
 port-name Yanelis-Office
!
interface ethernet 1/1/39
 port-name SmallGarage-Camera
 inline power
!
interface ethernet 1/1/40
 port-name LargeGarage-Camera
 inline power
!
interface ethernet 1/1/41
 port-name MiguelOffice-2nd
 dual-mode
!
interface ethernet 1/1/43
 port-name LGarage-AP
 dual-mode
 inline power
!
interface ethernet 1/1/45
 port-name Backyard-Side-Camera
 inline power
!
interface ethernet 1/1/47
 port-name Kitchen-Camera
 inline power
!
interface ethernet 1/1/48
 port-name FrontDoor-Camera
 inline power
!
interface ethernet 1/3/1
 port-name LAN/Firewall
 dual-mode
 speed-duplex 10G-full
!
interface ethernet 1/3/2
 port-name Beef_Garage
 dual-mode
 speed-duplex 10G-full
!
interface ethernet 1/3/3
 port-name SuperDesktop
 speed-duplex 10G-full
!
interface ethernet 1/3/4
 speed-duplex 10G-full
!
interface ethernet 1/3/5
 speed-duplex 10G-full
!
interface ethernet 1/3/6
 speed-duplex 10G-full
!
interface ethernet 1/3/7
 port-name BlueIris
 speed-duplex 10G-full
!
interface ethernet 1/3/8
 port-name BlueIris
 speed-duplex 10G-full
!
interface ve 1
 ip address 10.0.0.2 255.255.255.0
!
interface ve 10
 ip address 10.0.10.2 255.255.255.0
!
interface ve 69
 ip address 172.30.69.2 255.255.255.0
!
interface ve 88
 ip address 172.18.88.2 255.255.255.0
!
interface ve 120
 ip address 192.168.120.2 255.255.255.0
!
interface ve 130
 ip address 192.168.130.2 255.255.255.0
!
!
!
!
!
lldp run
!
!
!
!
end

 

[tubs-ffm]

Hello all im looking for feedback on my switch (ICX-6610) configuration i have a few concerns:

I cannot answer to all of your questions,m but let me try a part of it.

3) My router is an OPNsense box, and its currently doing all of the inter VLAN communication, should i move that to the switch? (any benefits?)

The benefit could be that it could be faster in case of your OPNsense box is the bottle neck. This depends on the routing performance of the OPNsense box and the connection links between ICX switch and OPNsense switch.

4) If i do #3 then im guessing i would have to do all of the VLAN communication rules/policies on the switch right?

Yes. Setting firewall rules in OPNsense is much easier than do the same on the switch.

But when I look on your config it already looks like a L3 configuration to me. All VLAN has assigned a router interface. For doing routing on the OPNsense box a L2 set-up might be what you want. In this case only one router interface ve1 (or other vlan id) for the default VLAN is required.

 

[sic0048]

Hello all im looking for feedback on my switch (ICX-6610) configuration i have a few concerns:

3) My router is an OPNsense box, and its currently doing all of the inter VLAN communication, should i move that to the switch? (any benefits?)
4) If i do #3 then im guessing i would have to do all of the VLAN communication rules/policies on the switch right?

Keep in mind that OPNsense (and pfSense) has a limitation when it comes to their system architecture. Boiling it down to it's simplest terms, you cannot use the firewall to run a DHCP server for any VLANs that aren't also setup on the firewall. This means that if you move your VLANs to the switch, then you cannot use the firewall's DHCP server to assign IPs for those VLANs.

Normally you would just run the DHCP server on the switch, but these Brocade switch's DHCP server cannot be run as an "Authoritative" server and therefore some devices (some IOT devices for example) may not be able to receive an ip address from the switch. It's a limitation that won't affect all of your connected devices, but odds are there are a few that won't work with the switch's DHCP server.

There are solutions/work arounds, but it's another layer of complexity that you need to be aware of and plan for before you run blindly into setting up the switch to run your VLANs.

 

[Bluerai]

Hey everyone, I’m running out of ideas to try and I’d love some input from folks smarter than myself so here we go:

I have a 6450-48p that I have reset and followed the guides on, etc (all amazing by the way, and so is this thread). Using two of the suggested MikroTik copper SFP+ modules I can run a speed test to my computer and hit around 1850Mbps as expected. However when I run any sort of speed test on the standard switch ports, my speeds are roughly 400Mbps.

Am I mistakenly under the impression that I should be seeing closer to 940Mbps on the rest of the switch ports? I’ve messed with flow control, duplex settings, a ton of Google searching and I’m not getting very far. It looks like the switch doesn’t recognize the SFP+ modules and they show empty, and I can see that the phy device never initializes from the console. Yet it will tell me when I unplug the module and they’re clearly working.

Hopefully this isn’t functioning as expected, but I’m not sure what to try next. I’ve only tried with two of the SFP ports, unplugged a module and left one in, and still haven’t seen any changes.

Any ideas or direction for next steps would be appreciated!

 

[NablaSquaredG]

@fohdeesha

Sorry for tagging - Do you happen to know details about the 7450 HW and EEPROM layout?
My 7450 with broken EEPROM is currently at a repair center and it seems like I was wrong, the normal 25L6433F EEPROMs are fine...

i looked through the u-boot source code, and it seems like for the 7450, the redundant SPI EEPROMs only hold u-boot and DDR shmoo.
There is something:

#define SPATHA_ENV_SPI_CS                       (CONFIG_IPROC_QSPI_CS + 2) /* SPI-NVRAM */
#define SPATHA_ENV_OFFSET                       0X00000  /* Saved in SPI-NVRAM */

so SPATHA_ENV_SPI_CS is 2... CS for the other 25L6433F EEPROMs seems to be 0 and 1

So now the question is: What is at CS 2?
There is an MR25H256CDF placed next to the 2x 25L6433F. Does this chip store the env? This seems like the only logical option to me


Update: I've carved through the image and found this in the device tree:

        mr25h256@2 {
            #address-cells = <0x00000001>;
            #size-cells = <0x00000001>;
            compatible = "mr25h256";
            #m25p,fast-read = <0x00000001>;
            spi-max-frequency = <0x03b9aca0>;
            reg = <0x00000002>;
            partition@0 {
                label = "uboot_env";
                reg = <0x00000000 0x00008000>;
            };
        };