[SOLVED] Help Needed - Brocade ICX 6450 + Ruckus R720

b1g_bake

New Member
Jun 27, 2019
5
0
1
I have a similar setup with Pfsense, to an ICX6610, and a ruckus r710 AP. The r710 is on port 42 of the 6610 serving vlan 1, 50 and 30. How exactly do I tag it? Right now I cannot get any ip address on the vlan networks.
I think @itronin got you in the right direction. I believe tagging and untagging vlans is possible on the web interface, but I think dual mode has to be done from command line. The docs walk you through it though.

I'm also using pfsense as my router. I'm just using my brocade 6450 for L2 work right now. Pfsense is in a "router on a stick" config basically.
 

epicurean

Active Member
Sep 29, 2014
676
42
28
I think I got the pfsense part done correctly. Just need help on exactly how to configure the vlans on port 42 of my 6610. So I ssh into the console, what commands are needed?
 

itronin

Well-Known Member
Nov 24, 2018
449
281
63
Denver, Colorado
SSH, telnet, depends on how you have your switch configured.

Without knowing how your switch is currently configured from your troubleshooting, a specific recipe may be required. However, you can give this a shot and see if it works once you're in the CLI:

Code:
enable
! enter your username
! enter your password
conf t
vlan 30
tagged ethe 1/1/42
vlan 50
tagged ethe 1/1/42
int ethe 1/1/42
dual-mode 1
write mem
A "show vlan" should give you a pretty clear idea of what ports are in what vlan and their configuration type.

I used port 39 because 42 is already in use on my switch:
Code:
telnet@icx6610-stack>show vlan
Total PORT-VLAN entries: 7
Maximum PORT-VLAN entries: 64

Legend: [Stk=Stack-Id, S=Slot]

PORT-VLAN 1, Name DEFAULT-VLAN, Priority level0, Spanning tree Off
 Untagged Ports: None
   Tagged Ports: None
   Uplink Ports: None
 DualMode Ports: (U1/M1)  39
 Mac-Vlan Ports: None
     Monitoring: Disabled

PORT-VLAN 30, Name [None], Priority level0, Spanning tree Off
 Untagged Ports: None
   Tagged Ports: (U1/M1)  39
   Uplink Ports: None
 DualMode Ports: None
 Mac-Vlan Ports: None
     Monitoring: Disabled

PORT-VLAN 50, Name [None], Priority level0, Spanning tree Off
 Untagged Ports: None
   Tagged Ports: (U1/M1)  39                                     
   Uplink Ports: None
 DualMode Ports: None
 Mac-Vlan Ports: None
     Monitoring: Disabled



Make a backup of your config either by doing a show run and copy/paste into a text file, or if you have a tftp server set up, copy the running config there.
 
  • Like
Reactions: epicurean
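
The "show vlan" check from the post above, automated. This is an added example, not part of the original thread: it parses the output and confirms that the AP port is dual-mode in the native VLAN, tagged in exactly the intended VLANs, and carries nothing else. The function names and the mapping of "(U1/M1) 39" to port 1/1/39 are assumptions made for this example.

```python
import re

# Output copied from the post above (port 39), trimmed to the lines parsed here.
SAMPLE = """\
PORT-VLAN 1, Name DEFAULT-VLAN, Priority level0, Spanning tree Off
 Untagged Ports: None
   Tagged Ports: None
 DualMode Ports: (U1/M1)  39
PORT-VLAN 30, Name [None], Priority level0, Spanning tree Off
 Untagged Ports: None
   Tagged Ports: (U1/M1)  39
 DualMode Ports: None
PORT-VLAN 50, Name [None], Priority level0, Spanning tree Off
 Untagged Ports: None
   Tagged Ports: (U1/M1)  39
 DualMode Ports: None
"""

VLAN_RE = re.compile(r"^PORT-VLAN (\d+),")
PORTS_RE = re.compile(r"^\s*(Untagged|Tagged|DualMode) Ports:\s*(.*)$")
GROUP_RE = re.compile(r"\(U(\d+)/M(\d+)\)([\d\s]+)")

def parse_show_vlan(text):
    """Return {vlan_id: {"untagged"/"tagged"/"dualmode": {"unit/module/port"}}}."""
    vlans, current = {}, None
    for line in text.splitlines():
        m = VLAN_RE.match(line)
        if m:
            current = vlans.setdefault(int(m.group(1)), {"untagged": set(), "tagged": set(), "dualmode": set()})
            continue
        m = PORTS_RE.match(line)
        if m and current is not None:
            for unit, module, ports in GROUP_RE.findall(m.group(2)):
                current[m.group(1).lower()].update(f"{unit}/{module}/{p}" for p in ports.split())
    return vlans

def check_ap_port(vlans, port, native, tagged):
    """List problems for an AP port: dual-mode in `native`, tagged only in `tagged`."""
    problems = []
    if port not in vlans.get(native, {}).get("dualmode", set()):
        problems.append(f"{port} is not dual-mode in VLAN {native}")
    for vid in tagged:
        if port not in vlans.get(vid, {}).get("tagged", set()):
            problems.append(f"{port} is not tagged in VLAN {vid}")
    # A port carrying more VLANs than intended exposes those segments to the AP.
    for vid, members in vlans.items():
        if vid != native and vid not in tagged and port in members["tagged"] | members["untagged"]:
            problems.append(f"{port} unexpectedly carries VLAN {vid}")
    return problems
```
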

epicurean

Active Member
Sep 29, 2014
676
42
28
Thank you very much. Configured the 6610 switch for vlan 30 and 50 on port 42. But I am still not getting an IP address. Is there anything more I need to configure on the r710?
 

K D

Well-Known Member
Dec 24, 2016
1,431
309
83
30041

This shows how to configure IP helpers so that you can get DHCP in all virtual interfaces.

I use a 720 with the unleashed firmware. You can configure one vlan for each SSID. I don't recall exactly where to set it up though.
 

itronin

Well-Known Member
Nov 24, 2018
449
281
63
Denver, Colorado
Thank you very much. Configured the 6610 switch for vlan 30 and 50 on port 42. But I am still not getting an IP address. Is there anything more I need to configure on the r710?
On the R710, probably not if you have everything set up on pfsense, but let's run through a pre-flight list.

(1) On the R710 you should have three SSID's, one mapped to each VLAN: 1, 30 and 50
(2) On the ICX you have port 42 configured as dual-mode for vlan 1, and tagged for vlan 30 and 50
(3) On pfsense you should have at least 4 interfaces, one for your internet and one each for VLAN 1, 30, and 50
This could be as few as 2 physical ethernet interfaces if you are using VLAN trunking on your trusted side or more likely 4 physical ethernet interfaces using untagged ports for each VLAN 1, 30, and 50
(4) You have a DHCP scope configured for 3 of the interfaces, VLAN 1, VLAN 30, and VLAN 50 and the.
In each scope you defined the IP address range that will be used, the default gateway for each VLAN, the netmask (or size), and probably at least 1 DNS server. The default gateway has to be in the same subnet in use on that vlan. The DNS server can be inside your network somewhere or out on the Internet depending on how you have things set up.

I'm making the assumption that you are also using pfsense to route between the VLAN's though you don't have to do that if you are just using pfsense as the DHCP Server.

How are we doing on 1-4?
 

itronin

Well-Known Member
Nov 24, 2018
449
281
63
Denver, Colorado

This shows how to configure IP helpers so that you can get DHCP in all virtual interfaces.

I use a 720 with the unleashed firmware. You can configure one vlan for each SSID. I don't recall exactly where to set it up though.
That's a good video lesson on dhcp helpers for brocade.

@epicurean is using pfsense as their firewall and dhcp server.

I'm not sure dhcp helpers will get this going. I'm 99.9% sure pfsense requires a static IP configured interface on each vlan for each dhcp scope that will be served. As such no dhcp forwarding should be required. Not saying this is the best way to do this. Simply observing how the described configuration will work.

@epicurean: Question, do you have an SSID configured for VLAN 1, is pfsense handing out DHCP IP addresses for VLAN 1 and does that work whether on wireless or just connected to an ethernet port in VLAN 1?
 

Vesalius

Member
Nov 25, 2019
51
28
18
Do you have a single ethernet port plugged in or both on the AP's? I'm guessing you only have 1 port plugged in since I do not see a LAG configuration in your posts.

FWIW this past weekend I replaced my Cisco WLC and AP's with Ruckus R710's running unleashed. I'm using an ICX6610 though. I had some unexpected behavior trying to use both ethernet ports on the R710, my initial thoughts were STP related since AP switch ports started going into disable state (even though I had LAG's defined). I moved to a single port connection on my AP's until I have time (and downtime; home vlan=prod for me) to troubleshoot. Briefly troubleshooting I noticed some notes about the power usage requirements on the POE ports required to use BOTH ethernet ports on the AP.

Differences:
qty 3 x R710's
Single ICX 6610 at the moment
I created a VLAN for all the AP's and their unleashed traffic. "AP VLAN"
I'm serving reserved IP's to each AP VIA DHCP using dhcp forwarding from the AP VLAN.
I am using a static IP in the AP VLAN for the unleashed management IP.
Running ISC Bind.

I plan on setting up a dedicated VLAN for guest traffic and forwarding that out through a separate FW interface until I have time to learn about the guest capabilities in unleashed.

Edit - One thing I did notice in ruckus forums is that LAG must be configured via CLI for each AP.
Unless LLDP is enabled on your switch your ruckus ap will not negotiate a full power allotment from the POE switch. The AP will only be able to use one of the 2 LAN ports and I have also read the WIFI power will be slightly decreased at 2.4 bands.

By default, LLDP is disabled in ICX 7000 and 6000 series switches. To enable it, the following global command has to be issued:
ICX6450-48P Router(config)#lldp run

The switch will have to advertise power via LLDP and the following commands have to be issued either for the specific port e.g. port 1/1/5,
ICX6450-48P Router(config-if-e1000-1/1/5)#lldp advertise power-via-mdi ports ethernet 1/1/5

or if all ports have to be configured identically
ICX6450-48P Router(config-if-e1000-1/1/5)#lldp advertise power-via-mdi ports all

I also finally figured out the CLI commands to enable LACP on the 710 AP's if anyone needs that.
 
  • Like
Reactions: itronin

epicurean

Active Member
Sep 29, 2014
676
42
28
On the R710, probably not if you have everything set up on pfsense, but let's run through a pre-flight list

(1) On the R710 you should have three SSID's, one mapped to each VLAN: 1, 30 and 50

I am on unleashed. I have 3 wireless SSID. One each for my internal LAN, 30 (guests), 50 (IOT)
(2) On the ICX you have port 42 configured as dual-mode for vlan 1, and tagged for vlan 30 and 50

Yes, based on the clear instructions you gave earlier. Thank you
(3) On pfsense you should have at least 4 interfaces, one for your internet and one each for VLAN 1, 30, and 50

Yes, I have this done too.

The r710 is my only AP, and it is connected to port 42 on the 6610.

This could be as few as 2 physical ethernet interfaces if you are using VLAN trunking on your trusted side or more likely 4 physical ethernet interfaces using untagged ports for each VLAN 1, 30, and 50
(4) You have a DHCP scope configured for 3 of the interfaces, VLAN 1, VLAN 30, and VLAN 50 and the.

Yes, I did this in pfsense.
In each scope you defined the IP address range that will be used, the default gateway for each VLAN, the netmask (or size), and probably at least 1 DNS server.

ah... I did not put a specific DNS server for each of the DHCP servers to the 3 vlans. Is this needful because I did not need to do so for the non vlan LAN network
The default gateway has to be in the same subnet in use on that vlan. The DNS server can be inside your network somewhere or out on the Internet depending on how you have things set up.

I'm making the assumption that you are also using pfsense to route between the VLAN's though you don't have to do that if you are just using pfsense as the DHCP Server.

How are we doing on 1-4?
 

epicurean

Active Member
Sep 29, 2014
676
42
28
@epicurean: Question, do you have an SSID configured for VLAN 1, is pfsense handing out DHCP IP addresses for VLAN 1 and does that work whether on wireless or just connected to an ethernet port in VLAN 1?

Yes, if I connect any wireless or wired device to vlan 1 (my default LAN network), DHCP works without any issues.
 

epicurean

Active Member
Sep 29, 2014
676
42
28
Unless LLDP is enabled on your switch your ruckus ap will not negotiate a full power allotment from the POE switch. The AP will only be able to use one of the 2 LAN ports and I have also read the WIFI power will be slightly decreased at 2.4 bands.

By default, LLDP is disabled in ICX 7000 and 6000 series switches. To enable it, the following global command has to be issued:
ICX6450-48P Router(config)#lldp run

The switch will have to advertise power via LLDP and the following commands have to be issued either for the specific port e.g. port 1/1/5,
ICX6450-48P Router(config-if-e1000-1/1/5)#lldp advertise power-via-mdi ports ethernet 1/1/5

or if all ports have to be configured identically
ICX6450-48P Router(config-if-e1000-1/1/5)#lldp advertise power-via-mdi ports all

I also finally figured out the CLI commands to enable LACP on the 710 AP's if anyone needs that.
How do I input these commands to my 6610 switch?
 

itronin

Well-Known Member
Nov 24, 2018
449
281
63
Denver, Colorado
@epicurean :

In each scope you defined the IP address range that will be used, the default gateway for each VLAN, the netmask (or size), and probably at least 1 DNS server.

ah... I did not put a specific DNS server for each of the DHCP servers to the 3 vlans. Is this needful because I did not need to do so for the non vlan LAN network
The default gateway has to be in the same subnet in use on that vlan. The DNS server can be inside your network somewhere or out on the Internet depending on how you have things set up.

Yes, if I connect any wireless or wired device to vlan 1 (my default LAN network), DHCP works without any issues.
On DNS, no, it's not necessary to have dns for anything. I can't remember if pfsense dhcp scopes inherit dns configured at the top level.

Anyway you've hit the nail on the head with your comment about vlan 1. Best next step to troubleshoot DHCP on one of the other vlans is to set an unused ethernet port on your switch to be an untagged member of VLAN 30 or VLAN 50. Connect a PC or laptop to that port and see if you get a DHCP address. If it is working on the wired side it's a wireless issue. If you are not getting a dhcp on the wired side then there's a dhcp config issue.

I'm sure you did this but on pfsense there's a check box to enable the dhcp scope. You might want to verify it's checked.
 

Vesalius

Member
Nov 25, 2019
51
28
18
You will need to SSH into each AP, get to privileged mode, and then set up LACP on each separately.
  • SSH into each slave AP then type “enable” at the prompt before using the lacp commands below.
  • You need to get to AP-mode on the Master.
SSH AP-Master access
- If you don’t know the IP addresses or which is master, just SSH into any AP in the network
- Now run the command "get election"
  • This will give you a list of all APs connected to the Unleashed network with all the other information about the APs (MAC address, IP, firmware version, current role, etc). Find the IP address of the master AP, labeled as 'master' in the get election output
- SSH into the master and this time when you log in, you will see the 'ruckus>' prompt
- To go to enable mode, run 'enable'.
In limited mode, the prompt appears as ruckus> (with a greater than sign). If you are in privileged mode, the prompt appears as ruckus# (with a pound sign).
  • To move to AP mode for the master AP, run 'ap-mode'

Configuring LACP on a ruckus 710 with unleashed 200.8
  1. Verify that the AP power mode is 802.3at:
rkscli: get power-mode
PoE Configured Mode : Auto
Power Consumption Status : 802.3at PoE+
  2. ruckus(ap-mode)# set bond bond0 enable
Usage:
set bond <profile> {options}
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
** <profile>: bond0, ...
** options:
- enable : to enable LACP Mode
- disable : to disable LACP Mode
 

epicurean

Active Member
Sep 29, 2014
676
42
28
On DNS, no, it's not necessary to have dns for anything. I can't remember if pfsense dhcp scopes inherit dns configured at the top level.

Anyway you've hit the nail on the head with your comment about vlan 1. Best next step to troubleshoot DHCP on one of the other vlans is to set an unused ethernet port on your switch to be an untagged member of VLAN 30 or VLAN 50. Connect a PC or laptop to that port and see if you get a DHCP address. If it is working on the wired side it's a wireless issue. If you are not getting a dhcp on the wired side then there's a dhcp config issue.

I'm sure you did this but on pfsense there's a check box to enable the dhcp scope. You might want to verify it's checked.
OK, I will try to get a wired device and plug into an unused port (configure it to vlan 30 or vlan 50 ONLY?)
Sorry, where is the check box to "enable dhcp scope" in pfsense?
 

epicurean

Active Member
Sep 29, 2014
676
42
28
Sorry, but I don't understand why LLDP on the switch and LACP on the AP are needed for enabling vlan? Apologies for the newbie question.
 

itronin

Well-Known Member
Nov 24, 2018
449
281
63
Denver, Colorado
OK, I will try to get a wired device and plug into an unused port (configure it to vlan 30 or vlan 50 ONLY?)
Sorry, where is the check box to "enable dhcp scope" in pfsense?
Yes. You want the interface to be an untagged member of vlan 30 or 50.

I don't know if you can do this from the gui but you may be able to.

From the CLI, using vlan 30 and say port 39 as an example:

conf t
vlan 30
untag ethe 1/1/39
write mem

My bad, it's "enable dhcp service on interface"... it should be at the top of the dhcp service configuration page for the interface you are working on. I couldn't find a good screen shot online for an interface other than LAN. I'm not using pfsense at home at the moment.

But see this video at about 2:05
 

Vesalius

Member
Nov 25, 2019
51
28
18
How do I input these commands to my 6610 switch?
Do you know how to get serial/console port access or have you set up ssh access? You can follow the steps from fohdeesha’s guide to get back there. Once there:


Code:
ICX6610 Router#enable
ICX6610 Router#configure terminal
ICX6610 Router(config)#lldp run
Check out page 9 of the linked document below to turn on POE and lldp for the switch ports you have the Ruckus AP’s plugged into, followed by how to set up the lagg/lacp on your switch.

Brocade LAG/LLDP/PoE Configuration

Remember to follow all of that up with a "write memory" at the command line.
 

itronin

Well-Known Member
Nov 24, 2018
449
281
63
Denver, Colorado
Sorry, but I don't understand why LLDP on the switch and LACP on the AP are needed for enabling vlan? Apologies for the newbie question.
You might want to stay away from lldp and lacp for the moment until DHCP is working. LLDP and LACP are for using both ethernet ports on a R710 to increase bandwidth for multiple clients. Single stream bw will still be limited to 1 ethernet connection...