Nortel ERS 5520 PwR Switch
I’ve added a command to disable the User Interface Button (UI Button) “no ui-button enable”.
Update: February 7, 2009
It was time to update this article with some additional information and settings that I’m now using in all my switch deployments. The big change is the updated ADAC MAC address table. Please also note the VLACP time-out scale change and I’ve updated the year field for the Daylight Saving Time change.
Update: August 13, 2008
This was one of the first articles I wrote back in October 2007 and it is by far the most popular article out of all 110 articles that I currently have published. With that said I decided to come back and spruce up this post with some additional “tweaks” that I’ve added over the past 10 months. I’m also going to attach a link to a text file so folks can just download the file of commands, tweak the specific individual settings such as IP address and VLAN information, and then cut and paste into the CLI interface of the Nortel Ethernet Routing Switch 5520. It will hopefully save folks from having to cut and paste each section.
Note: just a quick warning about cutting and pasting into the CLI interface, I’ve often found that the buffer will overflow if I try to paste an entire configuration at once. I usually need to break it into at least two or three sections and cut and paste those sections one at a time.
In this post I’ll try to outline how you can configure the Nortel Ethernet Routing Switch 5520 in a VoIP environment using Nortel i2002/i2004 Internet Telephones (this procedure will also work the same with the i2007/1120E/1140E phones).
You’ll obviously need an ERS 5520 switch and you’ll need SW 5.0.6.22 or later and FW 5.0.0.3 or later (there are known issues with earlier software versions that create inconsistent results using LLDP with the i2002/i2004 phones). I would strongly advise that you start with a default configuration. From the CLI issue the following commands to reset the switch to factory defaults;
5520-48T-PWR> enable
5520-48T-PWR# boot default
The switch should reboot with a default configuration. Let’s proceed with the configuration;
5520-48T-PWR> enable
5520-48T-PWR# configure terminal
Let’s set the local read-only and read-write passwords;
5520-48T-PWR (config)# cli password read-only readpass
5520-48T-PWR (config)# cli password read-write writepass
5520-48T-PWR (config)# cli password serial local
5520-48T-PWR (config)# cli password telnet local
Let’s disable the user interface button (UI button);
5520-48T-PWR (config)# no ui-button enable
Enable AUTOPVID;
5520-48T-PWR (config)# vlan configcontrol autopvid
We’ll be uplinking this switch using a MultiLink trunk on ports 47 and 48, so we’ll enable tagging on the fiber uplinks;
5520-48T-PWR (config)# vlan ports 47,48 tagging enable
Let’s create the data VLAN (VID 100) and management VLAN (VID 200) on the switch;
5520-48T-PWR (config)# vlan members remove 1 ALL
5520-48T-PWR (config)# vlan create 200 name "10-1-200-0/24" type port
5520-48T-PWR (config)# vlan members add 200 47,48
5520-48T-PWR (config)# vlan create 100 name "10-1-100-0/24" type port
5520-48T-PWR (config)# vlan members add 100 1-48
5520-48T-PWR (config)# vlan port 1-46 pvid 100
5520-48T-PWR (config)# vlan port 47,48 pvid 200
Let’s make VLAN 200 the management VLAN and assign the IP address;
5520-48T-PWR (config)# vlan mgmt 200
5520-48T-PWR (config)# ip address switch 10.1.200.10 netmask 255.255.255.0 default-gateway 10.1.200.1
Let’s setup Simple Network Management Protocol (SNMP);
5520-48T-PWR (config)# snmp-server authentication-trap disable
5520-48T-PWR (config)# snmp-server community ro
5520-48T-PWR (config)# snmp-server community rw
5520-48T-PWR (config)# snmp-server host
Let’s configure the logging so it will overwrite the oldest events;
5520-48T-PWR (config)# logging volatile overwrite
5520-48T-PWR (config)# logging enable
Let’s setup Simple Network Time Protocol (SNTP);
5520-48T-PWR (config)# sntp server primary address
5520-48T-PWR (config)# sntp server secondary address
5520-48T-PWR (config)# sntp enable
Depending on the version of switch software you’re running you may be able to configure Daylight Saving Time;
5520-48T-PWR (config)# clock time-zone EST -5
5520-48T-PWR (config)# clock summer-time EDT date 9 Mar 2009 2:00 2 Nov 2009 2:00 +60
Let’s setup the MultiLink trunk that will connect the switch back to the backbone;
5520-48T-PWR (config)# mlt 1 disable
5520-48T-PWR (config)# mlt 1 name "MLT-8600"
5520-48T-PWR (config)# mlt 1 learning disable
5520-48T-PWR (config)# mlt 1 member 47,48
5520-48T-PWR (config)# mlt 1 enable
Let’s setup ADAC (Automatic Detection and Automatic Configuration) for our i2002/i2004 phones. We’ll be using VLAN 50 as our voice VLAN and we’ll use port 48 as our uplink (the switch will add 47 automatically because of the MLT configuration). There is a new command to clear the ADAC MAC address table that may be missing from earlier versions, “no adac mac-range-table”. I’ve also updated the list of entries that I use.
5520-48T-PWR (config)# adac voice-vlan 50
5520-48T-PWR (config)# adac op-mode tagged-frames
5520-48T-PWR (config)# adac uplink-port 48
5520-48T-PWR (config)# no adac mac-range-table
5520-48T-PWR (config)# adac mac-range-table low-end 00:0a:e4:75:00:00 high-end 00:0a:e4:75:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:13:65:00:00:00 high-end 00:13:65:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:14:c2:00:00:00 high-end 00:14:c2:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:16:ca:00:00:00 high-end 00:16:ca:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:17:65:00:00:00 high-end 00:17:65:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:18:b0:00:00:00 high-end 00:18:b0:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:19:69:00:00:00 high-end 00:19:69:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:19:e1:00:00:00 high-end 00:19:e1:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:1b:ba:00:00:00 high-end 00:1b:ba:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:1e:ca:00:00:00 high-end 00:1e:ca:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:22:67:00:00:00 high-end 00:22:67:ff:ff:ff
5520-48T-PWR (config)# adac enable
We need to strip the 802.1q tag from any packets in the PVID VLAN going to the phone. In this design we’re expecting to connect IP phones to ports 1 – 46.
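As an added example (not part of this post and not Nortel's own software), the following Python script parses the "adac mac-range-table" commands above and reports which MAC addresses ADAC would classify as IP phones, so you can sanity-check the table (including that "no adac mac-range-table" really empties it and that no entries overlap) before pasting it into the CLI. The port/MAC snapshot and the tolerance for pasted "(config)#" prompts are my own assumptions.

```python
"""Parse an ERS 5520 ADAC mac-range-table and check which MACs it classifies as phones."""
import re

# Constructed sample: the ADAC commands from the configuration above. Two lines keep
# their CLI prompt to show the parser tolerates text pasted straight from a session.
ADAC_CONFIG = """\
5520-48T-PWR (config)# adac voice-vlan 50
adac op-mode tagged-frames
adac uplink-port 48
5520-48T-PWR (config)# no adac mac-range-table
5520-48T-PWR (config)# adac mac-range-table low-end 00:0a:e4:75:00:00 high-end 00:0a:e4:75:ff:ff
adac mac-range-table low-end 00:13:65:00:00:00 high-end 00:13:65:ff:ff:ff
adac mac-range-table low-end 00:14:c2:00:00:00 high-end 00:14:c2:ff:ff:ff
adac mac-range-table low-end 00:16:ca:00:00:00 high-end 00:16:ca:ff:ff:ff
adac mac-range-table low-end 00:17:65:00:00:00 high-end 00:17:65:ff:ff:ff
adac mac-range-table low-end 00:18:b0:00:00:00 high-end 00:18:b0:ff:ff:ff
adac mac-range-table low-end 00:19:69:00:00:00 high-end 00:19:69:ff:ff:ff
adac mac-range-table low-end 00:19:e1:00:00:00 high-end 00:19:e1:ff:ff:ff
adac mac-range-table low-end 00:1b:ba:00:00:00 high-end 00:1b:ba:ff:ff:ff
adac mac-range-table low-end 00:1e:ca:00:00:00 high-end 00:1e:ca:ff:ff:ff
adac mac-range-table low-end 00:22:67:00:00:00 high-end 00:22:67:ff:ff:ff
adac enable
"""

# Optional "<hostname> (config)# " prompt in front of the command (assumption: prompts
# look like the ones in the post).
_PROMPT = r"^(?:\S+ \(config\)#\s*)?"
RANGE_RE = re.compile(_PROMPT + r"adac mac-range-table low-end (\S+) high-end (\S+)\s*$")
CLEAR_RE = re.compile(_PROMPT + r"no adac mac-range-table\s*$")
_OCTET_RE = re.compile(r"[0-9a-f]{2}")


def mac_to_int(mac):
    """Convert 'aa:bb:cc:dd:ee:ff' or 'AA-BB-CC-DD-EE-FF' into a 48-bit integer."""
    parts = mac.strip().lower().replace("-", ":").split(":")
    if len(parts) != 6 or not all(_OCTET_RE.fullmatch(p) for p in parts):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int("".join(parts), 16)


def int_to_mac(value):
    """Inverse of mac_to_int: colon-separated, lowercase."""
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def parse_mac_ranges(config_text):
    """Return the [(low, high), ...] entries the table holds once the config is applied.

    'no adac mac-range-table' empties the table, as the post describes, so any entries
    that precede it are discarded.
    """
    ranges = []
    for line in config_text.splitlines():
        if CLEAR_RE.match(line):
            ranges.clear()
            continue
        m = RANGE_RE.match(line)
        if not m:
            continue
        low, high = mac_to_int(m.group(1)), mac_to_int(m.group(2))
        if low > high:
            raise ValueError(f"low-end above high-end: {line.strip()!r}")
        ranges.append((low, high))
    return ranges


def is_adac_phone(mac, ranges):
    """True if ADAC would treat this MAC as an IP phone (and move it to the voice VLAN)."""
    value = mac_to_int(mac)
    return any(low <= value <= high for low, high in ranges)


def find_overlaps(ranges):
    """Pairs of table entries (as low-end MACs) that overlap; a clean table returns []."""
    overlaps = []
    for i, (lo_a, hi_a) in enumerate(ranges):
        for lo_b, hi_b in ranges[i + 1:]:
            if lo_a <= hi_b and lo_b <= hi_a:
                overlaps.append((int_to_mac(lo_a), int_to_mac(lo_b)))
    return overlaps


def voice_vlan_ports(port_macs, ranges):
    """From a {port: mac} snapshot of the forwarding table (constructed input), list the
    ports ADAC would place in the voice VLAN. Matching is by MAC range only, so treat
    this as device detection, not authentication."""
    return sorted(port for port, mac in port_macs.items() if is_adac_phone(mac, ranges))


if __name__ == "__main__":
    table = parse_mac_ranges(ADAC_CONFIG)
    print(f"{len(table)} ADAC ranges, overlaps: {find_overlaps(table)}")
    sample = {1: "00:13:65:12:34:56", 2: "00:50:56:00:00:01", 3: "00:0a:e4:76:00:01"}
    print("voice VLAN ports:", voice_vlan_ports(sample, table))
```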
5520-48T-PWR (config)# vlan port 1-46 tagging untagpvidOnly
Let’s configure LLDP for the ports we expect to connect IP phones (1 – 46);
5520-48T-PWR (config)# interface fastEthernet 1-46
5520-48T-PWR (config-if)# vlan ports 1-46 filter-unregistered-frames disable
5520-48T-PWR (config-if)# lldp tx-tlv port-desc sys-cap sys-desc sys-name
5520-48T-PWR (config-if)# lldp status txAndRx config-notification
5520-48T-PWR (config-if)# lldp tx-tlv med extendedPSE med-capabilities network-policy
5520-48T-PWR (config-if)# poe poe-priority high
5520-48T-PWR (config-if)# spanning-tree learning fast
5520-48T-PWR (config-if)# adac enable
5520-48T-PWR (config-if)# exit
The filter-unregistered-frames line above was added after an issue was discovered when trying to upgrade the firmware on the IP phones. The filter-unregistered-frames setting is enabled by default and should be disabled to avoid any issues with upgrading the firmware on the IP phones. We are attempting to investigate further with Nortel and our voice vendor Shared Technologies.
Let’s disable the two remaining ports that share the GBIC interfaces in case we need those in the future;
5520-48T-PWR (config)# interface fastEthernet 45-46
5520-48T-PWR (config-if)# shutdown
5520-48T-PWR (config-if)# exit
Let’s setup a QoS interface group to trust all traffic that will ingress on the fiber uplinks. By default the ERS 5520 switch will strip all QoS tags on all ports. Thankfully ADAC will take care of the QoS settings for all VoIP traffic.
5520-48T-PWR (config)# qos if-group name allUpLinks class trusted
5520-48T-PWR (config)# interface fastEthernet 47,48
5520-48T-PWR (config)# qos if-assign port 47,48 name allUpLinks
5520-48T-PWR (config)# exit
Let’s set the SNMP information;
5520-48T-PWR (config)# snmp-server name "sw-icr1-1east.sub.domain.org"
5520-48T-PWR (config)# snmp-server location "Acme Internet Phone Company (ICR1)"
5520-48T-PWR (config)# snmp-server contact "Network Infrastructure Team"
Let’s enable rate limiting for all broadcast and multicast traffic to 10% of the link;
5520-48T-PWR (config)# interface fastEthernet ALL
5520-48T-PWR (config-if)# rate-limit both 5
5520-48T-PWR (config-if)# exit
Let’s setup VLACP (Virtual Link Aggregation Protocol) on the uplinks to the core;
5520-48T-PWR (config)# interface fastEthernet 47,48
5520-48T-PWR (config-if)# vlacp port 47,48 timeout short
5520-48T-PWR (config-if)# vlacp port 47,48 timeout-scale 5
5520-48T-PWR (config-if)# vlacp port 47,48 enable
5520-48T-PWR (config-if)# exit
5520-48T-PWR (config)# vlacp enable
That’s it, you’re done! Well, hopefully you’re done.
In my next post I’ll tell you what DHCP options you’ll need to configure on your DHCP server in order for the phones to boot properly and connect to the Nortel Call Server.
Cheers!
This entry was posted by Michael McNamara on October 23, 2007 at 7:49 pm, and is filed under EthernetRtngSwitch.

about 2 years ago
Man thanks for the tips on setup I found this very interesting and got me pointed in the right direction.
about 2 years ago
Hi, thanks a lot for the precise info. I have a few questions:
1) What can happen if some tagged packets go to the phone’s PVID? (referring to the untag pvid command)
2) Do you always need to enable both MLT & VLACP? I (mis)understood that it was an option to use one protocol or the other..
3) I wonder why you did not include any spanning tree commands in this article. Are they in by default somehow on the ERS?
4)In the case of a single link trunk from one switch to another, is it true that you would need to disable stp on the trunk port? What protection could be the best choice then, apart from rate limiting?
thanks in advance!
about 2 years ago
Hi Charles,
Let me try to answer your questions (which are very good by the way);
1) The end device (laptop or desktop) will not understand the 802.1q frame and will just drop the frames leaving any device you plug into the PC port on the phone unusable. In essence this command just tells the switch to leave the 802.1q headers on the voice VLAN traffic so the phone can identify those frames but strip the 802.1q headers for the PC traffic so the PC won’t freak out – it’s not expecting an 802.1q frame.
2) These are two very different protocols. MLT allows you to trunk two physical links into a single link at Layer 2 for additional bandwidth and additional redundancy should one link fail. VLACP is a method used to detect a communication problem over a link and mark the port as down so you don’t end up switch/bridging packets across a dead uplink – an uplink that has link but there’s nobody home on the far end. I use VLACP where I have Ethernet Switch 470s because the GBICs don’t support autonegotiation. Without autonegotiation there’s no ability to detect a far end failure – say a single fiber strand breaks, one switch will still have link while the other won’t have link. VLACP would detect that loss of connectivity and mark the port as down keeping your network from switching/bridging/routing traffic down a dead link where the packets would ultimately be lost forever.
3) I did include Spanning Tree commands. I recommend that everything use “fast start” because of the auto MDI/MDI-X feature where an end-user or confused technician could easily put a loop into your network by mistakenly cabling two ports together. Search for “spanning-tree” above, here’s the reference;
5520-48T-PWR (config-if)# spanning-tree learning fast
Note: you should NOT run Spanning Tree on your MLT ports!
4) Spanning Tree as a system wide protocol. We use to run Spanning Tree across an ATM LAN where it sometimes took 90 seconds for Spanning Tree to converge. We employ a few layers of protection; the first is at the closet switch which I discussed in the answer above using “spanning-tree learning fast” on all edge ports, the second we use SLPP (Simple Loop Protection Protocol) on our ERS 8600 cores and lastly we use CP limiting on the ERS 8600 cores which will shutdown an uplink if too many broadcast or multicast frames start flooding the network from that specific uplink.
Great questions and thanks for the comment!
about 2 years ago
Thanks for being so helpful!
about 1 year ago
Mike,
You mentioned do NOT run spanning tree on MLT ports. Does that mean we should disable STP on MLT ports? I am planning to configure a 4-port MLT on two 5510-48 switches. What is your suggestion? Thanks in advance.
Alpha
about 1 year ago
You can run STP across a MLT but I would not recommend it. So my advice would be to disable STP on all ports which are going to belong to the MLT, on both switches.
Good Luck!
about 1 year ago
Michael,
one more question for you if you have time regarding ‘rate-limiting’
we have sometimes seen issues where a user will bring a linksys/home switch in and plug it into their drop (unauthorized).
the linksys/netgear/etc switch does NOT from STP. we are now implementing STP BPDU-Filtering/Guard on our edge ports to prevent unauthorized switches connecting to the network, but this doesn’t help with un-managed switches (which would be the majority of what people would bring in from their home).
now, if they connect a cable from the linksys switch to itself again (creating a loop), the flood of broadcast packets will also egress out the single uplink into the production network.
rate-limiting (e.g. 10% setting), will suppress this flood of broad/multi-cast traffic to 10% of the link, which is great because it will save the network … but the problem is , how do we then know a loop has occurred?
does the switch send an SNMP-trap when this threshold is hit? that is the biggest concern. the network will be saved from a storm, but at the same time if i am not alerted or notified, then the loop continues to exist (suppressed).
any suggestions?
thanks, again!
about 1 year ago
You’re keeping me busy there Michael! :)
The rate limiting feature is built into the ASIC hardware so there’s no reliance on actual switch software – which is a good thing. While you’re basically correct, you’ll generally know soon enough that there’s a problem. While rate limiting will keep the majority of your switches reachable/manageable you’re still going to experience all sorts of MAC/FDB issues because of the loop. If you have a management system that is performing threshold monitoring that system will generally alert you to the surge in traffic. I’m currently using a combination of HP Open View and MRTG. In the majority of instances you’ll see SLPP kick-in and eventually CP-LIMIT will kick in at the core isolating the edge switch in question.
In an ultra-secure environment you could configure MAC security (old school way) or you could go with a Network Access Control (NAC) solution which integrates with the latest Nortel switches.
With regard to your example… Spanning Tree enabled on the edge access ports will help save you 99% of the time in my experience.
Cheers!
about 1 year ago
just discovered your blog a few days ago and it’s nice to have discussion (just found the nortel community forums as well) :)))
that’s good to hear that the rate-limiting is done in ASIC; no sense in overwhelming the CPU with rate-limiting enabled on all ports…
but i wish there was a way to admin_down the interface when those thresholds were reached on the edge switches (5520, 460)…i would much rather have the interface be disabled than the traffic limited until I found the issue/error.
i’m using Open View as well, so maybe i need to do some tweaking/etc but not sure where to start for this topic at hand…
many of our IDFs/switches in different campuses are not connected via SMLT. many are DMLT or single-uplink, depending on our availability of fiber backbone and 8600 interfaces. slowly trying to migrate these to SMLT, but it does take a lot of time for the campuses in different countries where i’m not on-site, physically…so SLPP wouldn’t help for those locations (uplinks are NOT SMLT).
i’ve noticed CP-Limit appears to be enabled by default for 8300 and 8600s. this is generally the case when there is a loop and an interface is auto-disabled. i have not configured these thresholds, so they must be at default values (enabled by default); i have also noticed (and remember working with Nortel on a case about this years ago), that there is a separate per-interface CP-Limit. i’m trying to recall, but I remember (this was back in 3.5.x.x days), that you eat up resources by enabling the CP-Limit on a per-interface basis, and as a result could only do so many interfaces. i’ll have to re-investigate this, but it was like there were two separate types of rate-limiters on the 8600.
thanks!
about 1 year ago
Hi Michael,
If we have question regarding nortel, how could i submit it ?
Thanks,
about 1 year ago
Hello Samir,
I’m happy to try and help. What’s your question?
Cheers!
about 1 year ago
Hi,
We have been advised by Nortel that STP is required when assigning multiple VLANs on a trunk. Is this correct? As you mentioned above, STP should be disabled on the MLT…
Cheers!
Alex
about 1 year ago
Also, I presume the same rules apply for SMLT’s?
We currently have two edge switches configured with MLT’s that connect to the core and form a SMLT. There seem to have been a few inconsistencies when they were initially configured as one has STP disabled on the trunk and the other enabled.
about 1 year ago
Hi Alex,
I’m not sure who you’ve been talking to at Nortel but you certainly don’t need STP enabled on a trunk just because you have multiple VLANs (802.1q) traversing that link. If you had multiple trunks between two switches without using a MLT/DMLT/SMLT configuration you would certainly need STP enabled between those switches in order to prevent the Layer 2 loops that would be present in such a configuration.
It’s my recommendation NOT to run STP between your edge and core switches. I definitely recommend you run it on your edge switches but not on the ports that uplink to your core (or distribution) network. You can run it if you choose to, I just don’t find it very useful to do so and there can be implementation differences between some vendors (example, Cisco floods BPDUs across all ports in an etherchannel configuration while Nortel only floods BPDUs across the lowest interface in a MultiLink trunk configuration).
In an SMLT configuration you CAN NOT run STP at all between your edge and core (or distribution) switches because it defeats the whole purpose of building a network architecture that is active/active as opposed to active/passive. In an SMLT design both uplinks from the edge are actively passing and receiving traffic, unlike when you use STP/RSTP/MSTP traffic can only traverse one of the uplinks while STP blocks the other uplink.
Hopefully that helps a little. Good Luck!
about 1 year ago
Thanks Michael,
That has cleared up a few things! – I’m still getting to know the network as I have only recently joined the company!
As you mentioned STP is disabled on the SMLT configs on our two core switches. We have around 20 edge switches, of which after further investigation 7 have STP enabled on the MLT trunks. We attempted to disable STP on one of the edge MLT trunks (connected to each core as SMLT) but had to quickly change this back as once we re-enabled the trunk we lost connectivity from the edge switch.
I will be getting back in touch with Nortel with your comments and see where we go from there.
Thanks again!
Alex
about 1 year ago
Sir,
Thanks for the patience.
In fact I am working in a place where we have only Nortel Access Switches, but NTP is not yet configured.
Wondering how to interpret the logs without having NTP configured in switches.
Kindly help …
about 1 year ago
Hi Shine,
It can be ugly to read the logs without the proper date/time and timezone set. I believe the switches count up from the time they were started/booted.
Depending on the version of software on the switch you should be able to issue a “show log sort-reverse” from the CLI interface and it will show you the log from the bottom up (latest events first). You’ll need to then do the math to figure out how to match up the timestamp in the logs to the real date/time.
If you have access and configure NTP the timestamps in the log will be automatically updated so you can read them properly. You can have a look at the post Network Time Protocol (NTP) for information on how to configure NTP.
Good Luck!
about 1 year ago
Hi, just found the posts here.
Michael Gagnon raised a question regarding loop backs and better detection, however I don’t believe it was answered.
I work for a company which has all 5520s at the edge and an 8600 at the core. We randomly see the issue of a loop back which will bring that edge device down and is often very difficult to locate the looped device.
We are already using Rate limiting on the trunks to protect the network, as well as Spanning Tree, however as mentioned earlier in the posts eventually CP-Limit kicks in and the 8600 will block the port. This takes our edge offline and we need to troubleshoot the issue by placing the switch back online.
Also – The syslog does not seem to ever indicate where the problem originated from.
Does anyone have any advice that could help us identify and/or prevent the broadcast storm which occurs.
Any advice would be most appreciated
about 1 year ago
Hi Luke,
I believe the basic answers to your questions can be found throughout the different comments.
I generally follow a “defense in layers” approach… utilizing the different features such as STP, SLPP, Rate Limiting, BPDU Guard, CP-Limit and Ext CP-Limit to provide an overall defense against any situation where a high rate of broadcast/multicast frames might endanger the general operation of the network.
In short Spanning Tree running on the edge switch (edge ports only please, no STP on the uplinks) should cure 99% of any loop induced problems by preventing any loop from either within that specific switch/stack/closet or downstream of that switch/stack/closet (someone plugging in an unmanaged hub/switch). SLPP helps to protect against an MLT configuration issue on the edge switch by disabling one of the MLT downlinks. I use rate limiting on all ports not just trunk uplinks. This prevents any single port from injecting too many multicast/broadcast frames into the network although you need to test this feature carefully if you have multicast applications. Ultimately CP-Limit protects the core network from a single switch/stack/closet flooding the CPUs with too many broadcast/multicast frames.
In my experience Spanning Tree (Fast Learning) has resolved 99.9% of issues in my environment (I have over 24,000 switch ports in my environment). In a few instances I’m happy to sacrifice a switch/stack/closet using CP-Limit to protect the rest of the network. The log on the ERS 5500 series switches will not show you “where the problem is”, what would be the need for us network engineers? If you are using Spanning Tree you can look at the switch port interfaces to see which port is in a blocking mode as opposed to forwarding mode.
Hopefully that answers some of your questions.
Good Luck!
about 1 year ago
Hi Michael,
Thanks a lot for this post!
Maybe you also can answer to my question: is there any way to configure the LLDP on the switch so that it will send two Network Policy TLVs – one for the Voice Application and one the Voice Signaling Application? This is needed to provide different dscp values to IP phones – one will be used by the phone for control traffic (between the IP phone and the Signaling Server) and the other for media traffic (between the Ip phones)
Many thanks,
Nadya
about 1 year ago
Hi Nadya,
I believe this is already the case with Nortel’s IP phones and their integration with ADAC/LLDP but I can’t be 100% sure. You’d need to run a packet capture against the data stream to see if the control traffic is tagged differently than the actual RTP stream. The Nortel IP phones themselves have configuration options for Control Priority Bits, Media Priority Bits, Control DSCP and Media DSCP. Are they both being set to the same Expedite Forward (EF) when using ADAC/LLDP with a Nortel IP phone? I’m not really sure although I could probably get a quick packet trace. Is there a way to set different 802.1p bits and DSCP entries? I don’t really know the answer to be truthful.
I’ll look at a few packet traces to see if the packets are marked differently.
Sorry I couldn’t really help!
about 1 year ago
Mike, thank you for the answer!
The reason why I’m asking you is that I work at a company which is a Nortel partner and we develop FirmWare for the Nortel IP phones.
You are correct that IP phones themselves have configuration options and in the current FW releases when some DSCP and 802.1p Priority is sent by the switch in the Network Policy TLV (for Voice Application type), the IP phone applies these values to both – Control and Media traffic.
Currently official IP phones FW supports only Network Policy TLV for Voice application type.
So I modified IP phones FW so that it sends and accepts two Networks Policy TLVs (for voice and voice signaling applications), now I need to configure the switch somehow to send to the phones two Network Policy TLVs as well.
Looks like nobody knows the answer, most likely it is not possible in current Baystack software :)
Many thanks for your help!
about 1 year ago
Hi Nadya,
Very interesting… thanks for the post!
Mike
about 1 year ago
Hi mike,
I m having a technical problem.
We are using Nortel switches (8600). We are maintaining MRTG for inter building links. When we create an access policy to secure the telnet, MRTG stops functioning. But I will be able to telnet to the system and I am also able to ping, but MRTG is not functioning. We need a solution where we will be able to use MRTG when we use an access policy to secure telnet. Will you please help me
about 1 year ago
Hi Thomas,
I had thought I replied to your post (perhaps you posted in the forums?) but I see you have a reply here without any response… sorry for that.
I’m guessing that when you enable the Access Policy you’re not making allowances in the policy for the server/desktop running MRTG to be allowed to perform SNMP queries against the switch.
Have a look at this post for an example of how to configure an Access Policy; http://blog.michaelfmcnamara.com/2008/01/ers-8600-access-policy/
Good Luck!
about 1 year ago
Michael,
What about enabling SLPP on the edge switch ports?
about 1 year ago
Hi Mike,
In an SMLT configuration it’s best practice to enable SLPP on the edge ports at the core switch (not the edge switch).
I have an article that describes SLPP here;
http://blog.michaelfmcnamara.com/2007/12/simple-loop-prevention-protocol-slpp/
While SLPP is applicable it doesn’t get configured on the edge ERS5520 itself but rather on the core switch.
If you are running any of the ERS 5500 series switches in a Layer 3 configuration with the Advanced Routing License then those switches themselves can act as core switches as opposed to just being a Layer 2 edge switch.
Thanks for the comment!
about 11 months ago
Michael, I just wanted to thank you for this post. Nortel is limited when it comes to online information and your site is a great resource.
I just found your site today and have already forwarded it off to probably 10 people.
Thanks in advance for any solutions your provide me, I’ll be sure to give credit where credit is due!
about 11 months ago
Hi Todd,
I really appreciate the comment and I’m happy to hear that you found the information useful.
Cheers!
about 11 months ago
Hi Michael, I hope all is well. I have a quick design idea/question for you. I read from your posts, also from Nortel docs that STP on MLT links should be a no-no. I have a bit different scenario. Imagine if you will 3 ‘Edge Closets’ with 3 stacked 5520s in each closet. Each Edge Closet uses MLT to connect two fiber connections to the core respectively. So all is fine and dandy, I can have STP disabled and we are good. But I have a small enough campus I was able to run Ethernet cable to the edge closets between them. So again, I have 2 fiber connections using a mlt link for each edge closet connecting to the core. But edge closet 1 and 2 have an Ethernet cable run to edge closet 3. The reason is if (knock on wood) someone cut the fiber my mlt is worth nothing and both links are down, thus my edge closet. With STP if the fiber is cut in edge closet 1 the Ethernet cable will provide a link to the core (the Ethernet port is blocking via stp, but when the fiber mlt link is disabled the Ethernet port is brought online to edge closet 3), not the best for ‘best practice’ but will be enough for them to be online for a period of time until the primary link is repaired. Again I use STP for this config,
Now if I would disable stp on the mlt ports, I would imagine it would create a loop and down the network goes…. anywho, i did my best to explain this…. hope it makes sense. let me know your thoughts when you have time.
Thanks!
Todd
about 11 months ago
Hi Todd,
Before I respond let me encourage you to post any future questions/follow-ups on the forums; http://forums.networkinfrastructure.info/nortel-ethernet-switching/.
You can most certainly run Spanning Tree in an MLT configuration. You cannot run Spanning Tree in an SMLT configuration. I’ve made the personal decision to avoid using Spanning Tree where ever possible and instead rely on Layer 3 routing and Nortel’s proprietary IST/SMLT technology.
With respect to your specific configuration you can certainly enable and run STP between your closets and your core switch (you didn’t say what switch you had in the core). You only need to be mindful of how Nortel’s proprietary Spanning Tree works, unless you configure all your switches for RSTP or MSTP (you’ll need to make sure that you’re running a software version that supports RSTP and/or MSTP on both your core and edge switches). In short you need to align the ports in your MLT from the lowest ifNum to the highest ifNum. Example; port 1/48 on the 5520 connects to port 1/8 on the core while port 2/48 connects to port 2/8 on the core. If you were to cross those ports using Nortel’s proprietary Spanning Tree you would probably experience issues since Nortel only broadcasts BPDUs on one port (the lowest ifNum in the MLT) while other vendors like Cisco broadcast BPDUs on all ports in the EtherChannel (MLT).
You would definitely need to do your homework though and make sure that you set the root bridge priority on your core switch properly. You might also need to tweak the STP path costs to make sure that the interconnects between your edge switches are the ports that go into blocking and not your MLT uplinks.
I’ve avoided such configuration because I believe it leads to overly complex networks that often tend to fail on their own or through some unforeseen circumstances. As an alternative you could also have ports configured and cables ready (just unplugged) such that if you had an actual disaster you could quickly wire up the ports to an alternate edge switch. It would require manually connecting the patch cables but it would restore you to service much faster than waiting for the cabling vendor to re-splice your fiber pairs.
Cheers!
about 10 months ago
Good advice, thanks for the info.
about 2 months ago
Hi Michael
I have been reading your site for a while now and was wondering if you had any guidance on the use of DHCP-Relay to enable multiple subnets across multiple VLANs on ERS 5520.
Basically I have a situation where I need to do the following:
I have 20 VLANs; each VLAN needs to have a different subnet (and clients issued DHCP). The way it was explained to me was this; I have simplified this config to one switch acting as the core and one as the edge (and I still get the same issue):
1. On the core switch, I put the dhcp server on port 1, member of all the vlans, pvid=1 (default vlan) and untag pvid only (ip address of switch = 172.16.119.25)
2. I have made the sfp port (48) as the trunk and member of all vlans
3. On the edge switch I set all (apart from the trunk port) as pvid=vlan id (say 106) and unTagPvidOnly.
4. I give VLAN 106 (not VLAN 1) on the edge an IP address in the range it is given, 172.16.126.5/24
5. Set a dhcp-relay from 172.16.126.5 to our dhcp server (172.16.119.201)
I have run a Wireshark trace and I can see the address being offered, even to the point that the DHCP server thinks the address has been allocated – alas it never makes it to the client. I have seen on other forums that this is common and the exact issue with relays and Red Hat.
The switches are ERS 5520s running software version v6.1.2.028 and diag v60009.
Many thanks for any help you can give JP
about 2 months ago
Hi Jason,
I would urge you to use the discussion forums in the future… you’ll find that there are quite a few people that are now following the forums and have a lot of advice and help to offer.
With all that said you’ve taken the time to describe your situation in detail so I’ll respond here.
You only need to enable DHCP relay on your router (Layer 3 switch) for that VLAN, that would be your core switch. So for your edge switches (Layer 2) there is nothing you need to do on those switches. All your configuration is going to be on your Layer 3 switch/router.
The DHCP server should be connected to the network just like any other server. The switch port (1) should be configured as an access (unTagAll) port. The port should be a member of the VLAN that matches the IP network assigned to the DHCP server.
1) If VLAN 1 was IP network 172.16.119.0/24 (core switch might be 172.16.119.1/24) then you would assign port 1 to VLAN 1.
2) the uplinks/downlinks all need to be configured as trunks, you need to extend the necessary VLANs to all the switches that will be connecting devices to that VLAN.
3) you could set the ports as unTagAll but unTagPvidOnly will also work. The PVID should be set to whatever VLAN the port is a member of.
4) for VLAN 106, you need to create the VLAN on your core switch, create an IP interface (this will be the default gateway for the PCs), enable DHCP/BOOTP and configure a DHCP relay address of 172.16.119.201 (your DHCP server). Your edge switch will just be a Layer 2 device and you will bridge the frames to the core, not route them to the core. Make VLAN 106 a member of all downlinks from the core, create VLAN 106 on your edge switches, and add the switch ports in question to the VLAN making sure that the PVID is also set properly.
5) you are basically correct but I would advise that you use .1 for your IP interfaces if possible, it makes things much easier to follow (at least for me).
I suspect you have a configuration issue somewhere… DHCP relay isn’t that hard anymore.
In short the DHCP relay agent (the core switch running the .1 interface – the default gateway for the DHCP clients) will see the DHCP discover broadcast from the client. The broadcast will be forwarded from the edge switch to the core, the core will see the broadcast and forward the DHCP request via a unicast packet to the DHCP server. The DHCP server will respond by sending a unicast packet back to the router (.1 interface) and the router will broadcast the response as a broadcast to all ports in the VLAN which eventually floods back down to the edge (Layer 2) switch and all ports in the VLAN.
You need to be precise with your VLAN assignments, you should only assign IP interfaces to the core switch, leave the edge switches as Layer 2 switches only.
Good Luck!
about 2 months ago
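To make the relay sequence in the reply above concrete, here is a small Python model of the DISCOVER/OFFER round trip. It is added here and is not the switch's or the author's code; it uses the thread's addresses (core VLAN 106 interface 172.16.126.1 as the relay agent, DHCP server 172.16.119.201), while the server's scope table and client MACs are constructed assumptions. It also shows the failure mode where the relay interface sits in a subnet the server has no scope for, in which case the server never answers.

```python
import ipaddress
from dataclasses import dataclass

BROADCAST = "255.255.255.255"
UNSET = "0.0.0.0"

@dataclass
class Dhcp:
    """The few BOOTP/DHCP header fields a relay agent actually touches."""
    op: str                  # "DISCOVER" or "OFFER"
    chaddr: str              # client hardware (MAC) address
    giaddr: str = UNSET      # relay agent IP; 0.0.0.0 means not relayed
    yiaddr: str = UNSET      # address the server offers the client
    src: str = UNSET         # IP header source
    dst: str = BROADCAST     # IP header destination

class DhcpServer:
    """Chooses a scope by giaddr, which is how a server places a relayed request."""
    def __init__(self, ip, scopes):
        self.ip = ip
        # scopes: {network: next free address}; constructed sample data
        self.scopes = {ipaddress.ip_network(n): ipaddress.ip_address(a)
                       for n, a in scopes.items()}
    def handle(self, pkt):
        if pkt.op != "DISCOVER" or pkt.giaddr == UNSET:
            return None
        gi = ipaddress.ip_address(pkt.giaddr)
        for net, free in self.scopes.items():
            if gi in net:
                self.scopes[net] = free + 1
                # Reply goes unicast to the relay (giaddr), never straight to the client
                return Dhcp("OFFER", pkt.chaddr, pkt.giaddr, str(free), self.ip, pkt.giaddr)
        return None   # no scope covers giaddr: the server silently drops the request

class Relay:
    """The core switch's VLAN IP interface (the .1 address) running DHCP relay."""
    def __init__(self, vlan_ip, server_ip):
        self.vlan_ip, self.server_ip = vlan_ip, server_ip
    def to_server(self, pkt):
        # Stamp giaddr with the VLAN interface and forward the broadcast as unicast
        return Dhcp(pkt.op, pkt.chaddr, self.vlan_ip, pkt.yiaddr, self.vlan_ip, self.server_ip)
    def to_client(self, pkt):
        # Re-broadcast the server's unicast reply into the client VLAN
        return Dhcp(pkt.op, pkt.chaddr, pkt.giaddr, pkt.yiaddr, self.vlan_ip, BROADCAST)

def lease_via_relay(relay, server, client_mac):
    """One DISCOVER/OFFER round trip; returns the OFFER as seen on the client VLAN, or None."""
    discover = Dhcp("DISCOVER", client_mac)            # client broadcast, giaddr still 0.0.0.0
    offer = server.handle(relay.to_server(discover))
    return None if offer is None else relay.to_client(offer)
```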
Hi Michael
Thanks very much for your guidance, with a couple of site adjustments it works very well.
Should you ever be in London I owe you a few beers!
Cheers
about 2 months ago
Hi Mike,
Need your help here. So here is the situation.
We have two sets of stacked switches in two racks, and would like to configure MLT/LACP/EtherChannel between them.
So four ports of MLT between Sw1 – Sw6 and four ports of MLT between Sw5 – Sw10 (for redundancy).
Stack1-Rack1 (Cisco 3750): Sw1, Sw2, Sw3, Sw4, Sw5
Stack2-Rack2 (Nortel 5510-48t): Sw6, Sw7, Sw8, Sw9, Sw10
Question:
1. Is this scenario possible/recommended?
2. Will both sets remain active at the same time? How will the failover/failback take place?
3. Does one set need to be Active/Passive or Master/Slave?
4. Does STP need to be disabled on all 16 ports?
Thanks a bundle in advance for your response.
about 2 months ago
I am not an expert in networking so I don’t know the detailed difference between MLT/LACP/EtherChannel.
As per the documents I found online I think on the Nortel (5510) side we have to configure MLT and on the Cisco side EtherChannel?
Also I found Nortel MLT can be configured through the GUI by taking a console in IE, but in Cisco there is no such feature.
Please share your knowledge.