I’m not sure exactly what you mean by wanting to “put the L3 magic on”, but you’d typically want to pick a single L3 router rather than using multiple routers. A managed L2 PoE switch would let you configure VLANs on that device downstream of your 7250. You could also use an unmanaged PoE switch (or individual PoE injectors) and manage VLANs on the 7250 itself (look for MAC/flex auth in the L2 security guide if you need dynamic VLANs on a single 7250 port - e.g., an IoT VLAN and a ‘trunk’ for an AP all powered by the same unmanaged PoE switch).
so I could theoretically have another managed switch with PoE even 2.5gb poe or higher, and a 10gb uplink to this switch, and I could put the L3 magic on that port and thus get a similar outcome to having the poe version?
Check @fohdeesha’s excellent guide
also, what is the best or highest firmware 7250 models are recommended to be on?
Yup - if devices don’t like a non-authoritative DHCP server, you’ll have problems using the switch in that capacity, but DHCP relay works well to a separate device (typically your upstream router/gateway/firewall or a separate server).
last question --- is the 7250 a switch that has issues as a DHCP server?? that was one of the reasons among many others I went this direction. if it does have issues, what is the best solution for a dhcp server so I can set up the 7250 with dhcp relay or whatever?
Practically, no. The PoE-less switches not only lack the PoE daughter board but are also missing other components.
and can a 7250-24 be upgraded to a 7250-24P?
Thanks for the confirmation. At this time, I've got OpenWRT doing the gateway to the ISP (Comcast) who gives me a /60. So OpenWRT has a static route through fe80::1 (ICX6450 ve 1) to the /60, and ve 1 has a default route through the link-local EUI-64 of OpenWRT to the internet. Then, I assign static /64's to ve 2 and ve 3 (thus allowing routing traffic to those segments) as well as giving them fe80::1. The switch announces that it is the default route on ve 2 and 3, which covers the delegated prefix as well as a ULA for the "site".
All hope is not lost.
As far as your routing situation, it needs to know where to send the packets with either a router advertisement or a static assigned gateway. Can't just send it out of an interface. AFAIK, other switch firmware is similar.
ipv6 unicast-routing
ipv6 route ::/0 ve 1 fe80::f2ad:4eff:fexx:xxxx
!
interface ve 1
ipv6 address fe80::1 link-local
ipv6 address fdxx:xxxx:xxxx::/64 eui-64
ipv6 address 2601:xxxx:xxxx:xxx0::/64 eui-64
ipv6 nd suppress-ra
!
interface ve 2
ipv6 address fe80::1 link-local
ipv6 address fd50:xxxx:xxxx:20::/64 eui-64
ipv6 address 2601:xxxx:xxxx:xxx2::/64 eui-64
ipv6 nd other-config-flag
I've never felt comfortable with the idea of an L3 switch. I like to keep routing and switching separated.
I found the layer 3 IPv6 support in the ICX very limiting and in my recent network rebuild I stopped using it; my ICX units only handle layer 2 now.
How retro.
I've never felt comfortable with the idea of an L3 switch. I like to keep routing and switching separated.
I am trying to figure out the DHCPv6 giving out DNS and NTP servers, since the ICX6450 can't advertise those in the RA; then I will be figuring out the DHCPv6 relay.
ipv6 dhcp-relay destination <primary ipv6 dhcp server>
ipv6 dhcp-relay destination <secondary ipv6 dhcp server>
ipv6 dhcp-relay include-options interface-id remote-id
ipv6 nd other-config-flag
Did you see that isc-dhcp-server is deprecated? They want you to move to isc-kea-server.
I am using ISC's DHCP server on FreeBSD for IPv4 DHCP assignments and now the same for IPv6 DNS, NTP, and TFTP assignments.
Nope, sure didn't, but thanks for the info. I'll start migrating soon.
Did you see that isc-dhcp-server is deprecated? They want you to move to isc-kea-server.
Thanks for the code snippet.
Most of my rationale is because I have a lot of experience (job and hobby) with routing&etc. Switching, not so much.
How retro.
Most of my rationale is because I have a lot of experience (job and hobby) with routing&etc. Switching, not so much.
Off topic, but I made the switch to a HA active-standby Kea DHCP setup. Took a while to figure things out for BIND DNS updates, but got it going and I like it.
Did you see that isc-dhcp-server is deprecated? They want you to move to isc-kea-server.
Thanks for the code snippet.
Current configuration:
!
ver 08.0.30tT7f3
!
stack unit 1
module 1 icx6610-48p-poe-port-management-module
module 2 icx6610-qsfp-10-port-160g-module
module 3 icx6610-8-port-10g-dual-mode-module
!
global-stp
!
!
!
spanning-tree single
!
vlan 1 name DEFAULT-VLAN by port
router-interface ve 1
spanning-tree
!
vlan 10 name TRUSTED by port
tagged ethe 1/1/1 to 1/1/3 ethe 1/1/36 ethe 1/1/41 ethe 1/1/43 ethe 1/3/1 to 1/3/2
untagged ethe 1/1/8 to 1/1/9 ethe 1/1/12 ethe 1/1/16 ethe 1/1/18 ethe 1/1/22 ethe 1/1/24 to 1/1/28 ethe 1/1/38 ethe 1/3/3 ethe 1/3/8
router-interface ve 10
spanning-tree
!
vlan 69 name GUEST by port
tagged ethe 1/1/1 to 1/1/3 ethe 1/1/36 ethe 1/1/41 ethe 1/1/43 ethe 1/3/1
router-interface ve 69
spanning-tree
!
vlan 88 name WORK by port
tagged ethe 1/1/1 to 1/1/3 ethe 1/1/36 to 1/1/37 ethe 1/1/41 ethe 1/1/43 ethe 1/3/1
router-interface ve 88
spanning-tree
!
vlan 120 name IOT by port
tagged ethe 1/1/1 to 1/1/3 ethe 1/1/36 to 1/1/37 ethe 1/1/41 ethe 1/1/43 ethe 1/3/1
router-interface ve 120
spanning-tree
!
vlan 130 name CCTV by port
tagged ethe 1/1/1 to 1/1/3 ethe 1/1/36 ethe 1/1/41 ethe 1/1/43 ethe 1/3/1
untagged ethe 1/1/14 to 1/1/15 ethe 1/1/19 ethe 1/1/31 to 1/1/32 ethe 1/1/34 ethe 1/1/39 to 1/1/40 ethe 1/1/45 ethe 1/1/47 to 1/1/48 ethe 1/3/7
router-interface ve 130
spanning-tree
!
!
spanning-tree single 802-1w
spanning-tree single 802-1w priority 0
!
!
!
!
aaa authentication web-server default local
aaa authentication enable default local
aaa authentication login default local
enable telnet authentication
hostname superbeefbox
ip dhcp-client disable
ip route 0.0.0.0/0 10.0.0.1
!
username root password .....
!
!
!
!
!
!
!
!
!
interface ethernet 1/1/1
dual-mode
!
interface ethernet 1/1/2
port-name DownStairs-AP
dual-mode
inline power
!
interface ethernet 1/1/3
port-name UpStairs-AP
dual-mode
inline power
!
interface ethernet 1/1/4
port-name Firewall-IPMI
!
interface ethernet 1/1/8
port-name Sonos-Amp
!
interface ethernet 1/1/9
port-name Living-room-apple-tv
!
interface ethernet 1/1/12
port-name AC_Closet_Switch
!
interface ethernet 1/1/14
port-name Driveway-Camera
inline power
!
interface ethernet 1/1/15
port-name Backyard-Camera
inline power
!
interface ethernet 1/1/16
port-name SuperDesktop
!
interface ethernet 1/1/18
port-name SonosArc
!
interface ethernet 1/1/19
port-name Lanai-Camera
inline power
!
interface ethernet 1/1/22
port-name Gym-AppleTV
!
interface ethernet 1/1/24
port-name MasterBed AppleTV
!
interface ethernet 1/1/25
port-name Sonos-Amp-Pool
!
interface ethernet 1/1/26
port-name Envisalink
!
interface ethernet 1/1/27
port-name Hubitat Upstairs
!
interface ethernet 1/1/28
port-name Sonos-Amp-Kitchen
!
interface ethernet 1/1/31
port-name KidsHall-Camera
inline power
!
interface ethernet 1/1/32
port-name Stairs-Camera
inline power
!
interface ethernet 1/1/34
port-name LivingRoom-Camera
inline power
!
interface ethernet 1/1/36
port-name Lanai-AP
dual-mode
inline power
!
interface ethernet 1/1/37
port-name GameRoomSwitch
dual-mode
!
interface ethernet 1/1/38
port-name Yanelis-Office
!
interface ethernet 1/1/39
port-name SmallGarage-Camera
inline power
!
interface ethernet 1/1/40
port-name LargeGarage-Camera
inline power
!
interface ethernet 1/1/41
port-name MiguelOffice-2nd
dual-mode
!
interface ethernet 1/1/43
port-name LGarage-AP
dual-mode
inline power
!
interface ethernet 1/1/45
port-name Backyard-Side-Camera
inline power
!
interface ethernet 1/1/47
port-name Kitchen-Camera
inline power
!
interface ethernet 1/1/48
port-name FrontDoor-Camera
inline power
!
interface ethernet 1/3/1
port-name LAN/Firewall
dual-mode
speed-duplex 10G-full
!
interface ethernet 1/3/2
port-name Beef_Garage
dual-mode
speed-duplex 10G-full
!
interface ethernet 1/3/3
port-name SuperDesktop
speed-duplex 10G-full
!
interface ethernet 1/3/4
speed-duplex 10G-full
!
interface ethernet 1/3/5
speed-duplex 10G-full
!
interface ethernet 1/3/6
speed-duplex 10G-full
!
interface ethernet 1/3/7
port-name BlueIris
speed-duplex 10G-full
!
interface ethernet 1/3/8
port-name BlueIris
speed-duplex 10G-full
!
interface ve 1
ip address 10.0.0.2 255.255.255.0
!
interface ve 10
ip address 10.0.10.2 255.255.255.0
!
interface ve 69
ip address 172.30.69.2 255.255.255.0
!
interface ve 88
ip address 172.18.88.2 255.255.255.0
!
interface ve 120
ip address 192.168.120.2 255.255.255.0
!
interface ve 130
ip address 192.168.130.2 255.255.255.0
!
!
!
!
!
lldp run
!
!
!
!
end
I cannot answer all of your questions, but let me try a part of it.
Hello all, I'm looking for feedback on my switch (ICX-6610) configuration. I have a few concerns:
The benefit could be that it could be faster in case your OPNsense box is the bottleneck. This depends on the routing performance of the OPNsense box and the connection links between ICX switch and OPNsense switch.
3) My router is an OPNsense box, and it's currently doing all of the inter-VLAN communication. Should I move that to the switch? (any benefits?)
Yes. Setting firewall rules in OPNsense is much easier than doing the same on the switch.
4) If I do #3 then I'm guessing I would have to do all of the VLAN communication rules/policies on the switch, right?
Keep in mind that OPNsense (and pfSense) has a limitation when it comes to their system architecture. Boiling it down to its simplest terms, you cannot use the firewall to run a DHCP server for any VLANs that aren't also set up on the firewall. This means that if you move your VLANs to the switch, then you cannot use the firewall's DHCP server to assign IPs for those VLANs.
Hello all, I'm looking for feedback on my switch (ICX-6610) configuration. I have a few concerns:
3) My router is an OPNsense box, and it's currently doing all of the inter-VLAN communication. Should I move that to the switch? (any benefits?)
4) If I do #3 then I'm guessing I would have to do all of the VLAN communication rules/policies on the switch, right?
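For reviewing a config like the one posted above against questions 3 and 4, the following added example (not from any poster in this thread) parses the `vlan ... by port` and `interface ve` stanzas and reports which ports are tagged in more than one VLAN and which VLANs the switch holds an address in. The sample text is a constructed excerpt in the same syntax, and the function names are illustrative.

```python
import re
# Constructed excerpt in the syntax of the posted running-config (sample data).
SAMPLE = """\
vlan 10 name TRUSTED by port
 tagged ethe 1/1/1 to 1/1/3 ethe 1/1/36
 untagged ethe 1/1/8 to 1/1/9 ethe 1/1/12
 router-interface ve 10
!
vlan 120 name IOT by port
 tagged ethe 1/1/1 to 1/1/3 ethe 1/1/36 to 1/1/37
 router-interface ve 120
!
interface ve 10
 ip address 10.0.10.2 255.255.255.0
!
interface ve 120
 ip address 192.168.120.2 255.255.255.0
"""

def expand_ports(spec):  # 'ethe 1/1/1 to 1/1/3' -> ['1/1/1', '1/1/2', '1/1/3']
    ports = []
    for first, last in re.findall(r"ethe (\S+)(?: to (\S+))?", spec):
        unit, slot, lo = first.split("/")
        hi = last.split("/")[2] if last else lo  # assumes a range stays in one slot
        ports += [f"{unit}/{slot}/{n}" for n in range(int(lo), int(hi) + 1)]
    return ports

def parse_config(text):  # -> ({vlan_id: {...}}, {ve_id: "ip mask"})
    vlans, ve_ip, vlan, ve = {}, {}, None, None
    for line in map(str.strip, text.splitlines()):
        if line == "!":  # '!' closes the current stanza
            vlan = ve = None
        elif m := re.match(r"vlan (\d+) name (\S+)", line):
            vlan = vlans[int(m[1])] = {"name": m[2], "tagged": [], "untagged": [], "ve": None}
        elif m := re.match(r"interface ve (\d+)", line):
            ve = int(m[1])
        elif vlan is not None and (m := re.match(r"(tagged|untagged) (.+)", line)):
            vlan[m[1]] += expand_ports(m[2])
        elif vlan is not None and (m := re.match(r"router-interface ve (\d+)", line)):
            vlan["ve"] = int(m[1])
        elif ve is not None and (m := re.match(r"ip address (\S+) (\S+)", line)):
            ve_ip[ve] = f"{m[1]} {m[2]}"
    return vlans, ve_ip

def review(text):  # -> (ports tagged in 2+ VLANs, VLANs where the switch has an IP)
    vlans, ve_ip = parse_config(text)
    tagged_in = {p: [v["name"] for v in vlans.values() if p in v["tagged"]]
                 for v0 in vlans.values() for p in v0["tagged"]}
    trunks = {p: names for p, names in tagged_in.items() if len(names) > 1}
    return trunks, {v["name"]: ve_ip[v["ve"]] for v in vlans.values() if v["ve"] in ve_ip}
```

`review()` takes the running-config as one string; the second return value lists the VLANs where the switch itself has an interface address, which are the ones the routing question applies to.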
#define SPATHA_ENV_SPI_CS (CONFIG_IPROC_QSPI_CS + 2) /* SPI-NVRAM */
#define SPATHA_ENV_OFFSET 0X00000 /* Saved in SPI-NVRAM */
SPATHA_ENV_SPI_CS is 2... CS for the other 25L6433F EEPROMs seems to be 0 and 1
mr25h256@2 {
#address-cells = <0x00000001>;
#size-cells = <0x00000001>;
compatible = "mr25h256";
#m25p,fast-read = <0x00000001>;
spi-max-frequency = <0x03b9aca0>;
reg = <0x00000002>;
partition@0 {
label = "uboot_env";
reg = <0x00000000 0x00008000>;
};
};