ICX switch with jumbo frames - management port failure

fohdeesha

Kaini Industries
Nov 20, 2016
fohdeesha.com
> Completely agree with what you guys are saying... I am learning quite a bit here from feedback. I see your points on the 1500 MTU and I have encountered my own issues with it over the years when some things on the network are not set up properly and it does waste time tracking that down - I can only imagine the nightmare that would be in a large datacenter.
>
> Had assumed the management port should be on its own network, but I really didn't want to bother with that currently as I believe it's more setup headache than it's worth for a home lab setup. I will simply unplug the management port for now and only plug it in if I ever need to use it, or if I get adventurous and dive into vlan territory one day.
>
> For now I'll listen to your warnings and switch everything back to 1500 MTU at the switch, and all devices, to keep things simple and to standard.
It's worth noting, as I mentioned previously, you don't need the management port/a dedicated management network to manage/log in to the switch. If you followed my main icx config/update/licensing guide, the switch will have its own IP on your main network, which you can access from any PC plugged into the regular ports https://forums.servethehome.com/ind...s-cheap-powerful-10gbe-40gbe-switching.21107/
 

sth2100

Member
Feb 22, 2022
Thanks Fohdeesha, but I think I'll just leave it unplugged for now. If something runs rampant on my network, I'd rather they not have access to make config changes on the switch. It's just a quick walk into the basement to plug the line back in when I need to use it.

I also have a console server I installed in the rack, so it can manage 24 serial-based consoles. After some cable wiring struggles, I got that set up and it's very handy. I'll likely put that console server on a wifi plug to remotely turn it on when needed, and always keep it connected to the console ports on the switches, which I'm guessing is a better interface anyway. So it's a private management network, but it's a serial-based console network.
 

fohdeesha

Kaini Industries
Nov 20, 2016
fohdeesha.com
> Thanks Fohdeesha, but I think I'll just leave it unplugged for now. If something runs rampant on my network, I'd rather they not have access to make config changes on the switch. It's just a quick walk into the basement to plug the line back in when I need to use it.
>
> I also have a console server I installed in the rack, so it can manage 24 serial-based consoles. After some cable wiring struggles, I got that set up and it's very handy. I'll likely put that console server on a wifi plug to remotely turn it on when needed, and always keep it connected to the console ports on the switches, which I'm guessing is a better interface anyway. So it's a private management network, but it's a serial-based console network.

You know you can password protect access to the switch so someone can't just run rampant on it right :p you can even configure SSH key based authentication. I agree console servers are nice, but if I were arguing from the same "someone's made it onto my network and is running rampant" argument, the last thing I would want is a console server on the same network - with direct console access to the switch you can use all the vendor's common password reset functionality (as serial consoles imply physical access, so that's where manufacturers put their password/config recovery/etc functionality). Can't do that if all the attacker has is an IP of the switch that immediately drops them when they attempt to log in without a key. One of the many reasons the only place you typically find console servers is highly isolated and secured management networks.
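As an added illustration of the access controls the reply above describes (this is example configuration written for this page, not a config from the thread or from fohdeesha's guide): a FastIron-style ICX configuration that replaces the password-only login path with local accounts, SSH key authentication only, no telnet/HTTP, and an ACL limiting who may reach SSH at all. The command syntax is assumed from FastIron 8.x and should be checked against the command reference for your firmware; the hostname, addresses, username and key file name are constructed placeholders.

```text
! Added example (not from the thread): hardened network-side management
! access on an ICX. Syntax assumed from FastIron 8.x; verify against your
! firmware's command reference. Names and addresses are placeholders.

! --- Weak starting point (what a stray device on the LAN can hammer on) ---
! telnet server enabled, SSH accepts passwords, no source restriction.
! Nothing below this line is needed to reproduce that; it is the default.

! --- Hardened form ---
hostname icx-core
! local super-user account; replace the placeholder with a real passphrase
username admin privilege 0 password REPLACE-WITH-STRONG-PASSWORD
aaa authentication login default local
aaa authentication web-server default local
! require a login on the serial console as well (recovery via physical
! access still works, as the reply notes; this only stops casual use)
enable aaa console
!
! SSH host key, then load the administrator's public key(s) from TFTP
crypto key generate rsa modulus 2048
ip ssh pub-key-file tftp 192.0.2.10 admin_keys.pub
! accept keys, refuse password logins outright
ip ssh key-authentication yes
ip ssh password-authentication no
!
! remove the cleartext and web paths entirely
no telnet server
no web-management
!
! only the named management host may even open an SSH session;
! everything else is dropped and logged
access-list 10 permit host 192.0.2.20
access-list 10 deny any log
ssh access-group 10
```

With `ip ssh password-authentication no` in place, a client without a matching private key is rejected at the SSH layer before any password prompt, which is the behaviour the reply describes. The public key file must hold the key in the format the ICX expects, so load it and test a key-based login from a second session before saving with `write memory`, otherwise you lock yourself out of everything except the console.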
 

sth2100

Member
Feb 22, 2022
I do have a password on it, but the console server is not running. Currently I leave the console server unplugged, similar to how the management port is now unplugged. Once I get a wifi plug on the console server, it will remain turned off until I need to access it; I'll wait the 60 seconds it takes for it to start up, make my changes, then turn it off again. Even the console server is password protected behind ssh (haven't set up a key yet).

I doubt I'll have much need to go into the console on these switches now that they are set up. I plan to disable jumbo frames today after I negotiate with the family when I can kill the network for a few minutes, and then I'll be done with it for quite a while I believe.
 