Nortel ERS 5520 PwR Switch


Update: July 30, 2009
I’ve added a command to disable the User Interface Button (UI Button) “no ui-button enable”.

Update: February 7, 2009
It was time to update this article with some additional information and settings that I’m now using in all my switch deployments. The big change is the updated ADAC MAC address table. Please also note the VLACP timeout-scale change, and I’ve updated the year field for the Daylight Saving Time change.

Update: August 13, 2008
This was one of the first articles I wrote back in October 2007 and it is by far the most popular article out of all 110 articles that I currently have published. With that said I decided to come back and spruce up this post with some additional “tweaks” that I’ve added over the past 10 months. I’m also going to attach a link to a text file so folks can just download the file of commands, tweak the individual settings such as IP address and VLAN information, and then cut and paste into the CLI of the Nortel Ethernet Routing Switch 5520. It will hopefully save folks from having to cut and paste each section separately.

Note: a quick warning about pasting into the CLI: I’ve often found that the input buffer overflows if I try to paste an entire configuration at once. I usually need to break it into at least two or three sections and paste those one at a time.

In this post I’ll try to outline how you can configure the Nortel Ethernet Routing Switch 5520 in a VoIP environment using Nortel i2002/i2004 Internet Telephones (this procedure will also work the same with the i2007/1120E/1140E phones).

You’ll obviously need an ERS 5520 switch, and you’ll need software 5.0.6.22 or later and firmware 5.0.0.3 or later (earlier software versions have known issues that produce inconsistent results using LLDP with the i2002/i2004 phones). I would strongly advise that you start from a default configuration. From the CLI, issue the following commands to reset the switch to factory defaults (this wipes the running configuration, including the management IP address, so have console access before you do it);

5520-48T-PWR> enable
5520-48T-PWR# boot default

The switch should reboot with a default configuration. Let’s proceed with the configuration;

5520-48T-PWR> enable
5520-48T-PWR# configure terminal

Let’s set the local read-only and read-write passwords. “readpass” and “writepass” are placeholders; use strong, unique values, and bear in mind that Telnet sends them in cleartext, so restrict management access to the management VLAN and use SSH if your software release supports it;

5520-48T-PWR (config)#cli password read-only readpass
5520-48T-PWR (config)#cli password read-write writepass
5520-48T-PWR (config)#cli password serial local
5520-48T-PWR (config)#cli password telnet local

Let’s disable the user interface button (UI button);

5520-48T-PWR (config)# no ui-button enable

Enable AUTOPVID;

5520-48T-PWR (config)# vlan configcontrol autopvid

We’ll be uplinking this switch with a MultiLink Trunk on ports 47 and 48, so we’ll enable 802.1Q tagging on those fiber uplinks;

5520-48T-PWR (config)# vlan ports 47,48 tagging enable

Let’s create the data VLAN (VID 100) and management VLAN (VID 200) on the switch. We remove every port from the default VLAN 1 first so that nothing is left in it;

5520-48T-PWR (config)# vlan members remove 1 ALL
5520-48T-PWR (config)# vlan create 200 name "10-1-200-0/24" type port
5520-48T-PWR (config)# vlan members add 200 47,48
5520-48T-PWR (config)# vlan create 100 name "10-1-100-0/24" type port
5520-48T-PWR (config)# vlan members add 100 1-48
5520-48T-PWR (config)# vlan port 1-46 pvid 100
5520-48T-PWR (config)# vlan port 47,48 pvid 200

Let’s make VLAN 200 the management VLAN and assign the IP address;

5520-48T-PWR (config)# vlan mgmt 200
5520-48T-PWR (config)# ip address switch 10.1.200.10 netmask 255.255.255.0 default-gateway 10.1.200.1

Let’s set up Simple Network Management Protocol (SNMP). The community strings and trap host are omitted below; use values that are not the defaults and be careful who gets the read-write string, since SNMPv1/v2c sends it in cleartext;

5520-48T-PWR (config)# snmp-server authentication-trap disable
5520-48T-PWR (config)# snmp-server community  ro
5520-48T-PWR (config)# snmp-server community  rw
5520-48T-PWR (config)# snmp-server host

Let’s configure logging so that the volatile log overwrites the oldest events when it fills up;

5520-48T-PWR (config)# logging volatile overwrite
5520-48T-PWR (config)# logging enable

Let’s set up Simple Network Time Protocol (SNTP) so that log timestamps are meaningful (the server addresses are omitted below);

5520-48T-PWR (config)# sntp server primary address
5520-48T-PWR (config)# sntp server secondary address
5520-48T-PWR (config)# sntp enable

Depending on the version of switch software you’re running you may be able to configure Daylight Saving Time;

5520-48T-PWR (config)#clock time-zone EST -5
5520-48T-PWR (config)#clock summer-time EDT date 9 Mar 2009 2:00 2 Nov 2009 2:00 +60

Let’s set up the MultiLink Trunk that will connect the switch back to the backbone;

5520-48T-PWR (config)# mlt 1 disable
5520-48T-PWR (config)# mlt 1 name "MLT-8600"
5520-48T-PWR (config)# mlt 1 learning disable
5520-48T-PWR (config)# mlt 1 member 47,48
5520-48T-PWR (config)# mlt 1 enable

Let’s set up ADAC (Auto-Detection and Auto-Configuration) for our i2002/i2004 phones. We’ll be using VLAN 50 as our voice VLAN and port 48 as our uplink (the switch adds port 47 automatically because of the MLT configuration). There is a newer command to clear the ADAC MAC address table that may be missing from earlier software versions, “no adac mac-range-table”. I’ve also updated the list of entries that I use.

5520-48T-PWR (config)# adac voice-vlan 50
5520-48T-PWR (config)# adac op-mode tagged-frames
5520-48T-PWR (config)# adac uplink-port 48
5520-48T-PWR (config)# no adac mac-range-table
5520-48T-PWR (config)# adac mac-range-table low-end 00:0a:e4:75:00:00 high-end 00:0a:e4:75:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:13:65:00:00:00 high-end 00:13:65:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:14:c2:00:00:00 high-end 00:14:c2:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:16:ca:00:00:00 high-end 00:16:ca:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:17:65:00:00:00 high-end 00:17:65:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:18:b0:00:00:00 high-end 00:18:b0:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:19:69:00:00:00 high-end 00:19:69:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:19:e1:00:00:00 high-end 00:19:e1:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:1b:ba:00:00:00 high-end 00:1b:ba:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:1e:ca:00:00:00 high-end 00:1e:ca:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:22:67:00:00:00 high-end 00:22:67:ff:ff:ff
5520-48T-PWR (config)# adac enable
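The table above is what ADAC’s MAC-based detection works from: a device is treated as a phone if its source MAC falls inside one of the configured ranges. The following helper, an added example that is my own code and not Nortel’s or part of the original post, parses lines in exactly that form, flags overlapping entries (usually a copy and paste mistake) and reports which entry a given phone MAC would match. The sample configuration text and the extra overlapping line are constructed for the example; the four good ranges are the first four from the table above.

```python
"""Sanity-check an ADAC MAC-range table like the one in this post.

Added example (not Nortel code, not part of the original post).  It parses
'adac mac-range-table low-end X high-end Y' lines, rejects malformed
entries, flags overlapping ranges and reports whether a source MAC would be
matched.  Matching the source MAC against this table is all ADAC's
MAC-based detection does: a host that forges a MAC inside one of these
ranges is treated as a phone, so keep the ranges tight and do not treat the
voice VLAN as trusted just because ADAC placed a device in it.
"""
import re
from typing import List, Optional, Tuple

RANGE_RE = re.compile(r"adac mac-range-table low-end (\S+) high-end (\S+)")

# Constructed sample: the first four entries of the post's table, as they
# would appear when copied from a terminal session.
SAMPLE_CONFIG = """\
5520-48T-PWR (config)# no adac mac-range-table
5520-48T-PWR (config)# adac mac-range-table low-end 00:0a:e4:75:00:00 high-end 00:0a:e4:75:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:13:65:00:00:00 high-end 00:13:65:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:14:c2:00:00:00 high-end 00:14:c2:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:16:ca:00:00:00 high-end 00:16:ca:ff:ff:ff
"""
# Constructed bad entry that overlaps the 00:13:65 range above.
OVERLAP_LINE = "adac mac-range-table low-end 00:13:65:80:00:00 high-end 00:13:66:00:00:00\n"


def mac_to_int(mac: str) -> int:
    """'00:13:65:ab:cd:ef' -> 0x001365abcdef, rejecting anything malformed."""
    parts = mac.lower().split(":")
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{2}", p) for p in parts):
        raise ValueError(f"bad MAC address {mac!r}")
    return int("".join(parts), 16)


def parse_ranges(config_text: str) -> List[Tuple[int, int]]:
    """Return the configured (low, high) ranges as integers, in config order."""
    ranges = []
    for line in config_text.splitlines():
        m = RANGE_RE.search(line)
        if not m:
            continue  # prompts, 'no adac mac-range-table', other commands
        low, high = mac_to_int(m.group(1)), mac_to_int(m.group(2))
        if low > high:
            raise ValueError(f"low-end above high-end in: {line.strip()}")
        ranges.append((low, high))
    return ranges


def overlapping(ranges: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Index pairs (i, j) of entries that share at least one address."""
    hits = []
    for i in range(len(ranges)):
        for j in range(i + 1, len(ranges)):
            (lo1, hi1), (lo2, hi2) = ranges[i], ranges[j]
            if lo1 <= hi2 and lo2 <= hi1:
                hits.append((i, j))
    return hits


def matching_range(ranges: List[Tuple[int, int]], mac: str) -> Optional[Tuple[int, int]]:
    """The (low, high) entry that would classify mac as a phone, or None."""
    value = mac_to_int(mac)
    for lo, hi in ranges:
        if lo <= value <= hi:
            return (lo, hi)
    return None


if __name__ == "__main__":
    table = parse_ranges(SAMPLE_CONFIG)
    print(f"{len(table)} ranges parsed, overlaps: {overlapping(table)}")
    for mac in ("00:13:65:12:34:56", "00:0a:e4:76:00:01"):
        verdict = "phone" if matching_range(table, mac) else "not a phone"
        print(f"{mac} -> {verdict}")
    print("with the bad line:", overlapping(parse_ranges(SAMPLE_CONFIG + OVERLAP_LINE)))
```

Run it against the saved output of “show adac mac-range-table” (or the text file you keep for pasting) before rolling a new table out to a closet; an overlap or a reversed range is much easier to spot here than on the switch.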

We need the switch to strip the 802.1Q tag from frames in the port’s PVID (data) VLAN before they go to the phone, while leaving the voice VLAN frames tagged so the phone can recognise them. In this design we’re expecting to connect IP phones to ports 1 – 46.

5520-48T-PWR (config)# vlan port 1-46 tagging untagpvidOnly

Let’s configure LLDP for the ports we expect to connect IP phones to (1 – 46);

5520-48T-PWR (config)# interface fastEthernet 1-46
5520-48T-PWR (config-if)# vlan ports 1-46 filter-unregistered-frames disable
5520-48T-PWR (config-if)# lldp tx-tlv port-desc sys-cap sys-desc sys-name
5520-48T-PWR (config-if)# lldp status txAndRx config-notification
5520-48T-PWR (config-if)# lldp tx-tlv med extendedPSE med-capabilities network-policy
5520-48T-PWR (config-if)# poe poe-priority high
5520-48T-PWR (config-if)# spanning-tree learning fast
5520-48T-PWR (config-if)# adac enable
5520-48T-PWR (config-if)# exit

The filter-unregistered-frames line above was added after an issue was discovered when trying to upgrade the firmware on the IP phones. Filtering of unregistered frames is enabled by default and should be disabled to avoid issues with upgrading the phone firmware. We are attempting to investigate further with Nortel and our voice vendor, Shared Technologies.
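The tagging mode and the unregistered-frame filter are the two settings that decide what a device plugged into a phone port can send and receive. The model below is an added example, my own code rather than anything from the original post or from Nortel; it encodes the generic 802.1Q semantics the post relies on (PVID, VLAN membership, untagAll/tagAll/untagPvidOnly, filter-unregistered-frames on ingress) and is a model of those semantics, not of the switch ASIC. The last function captures the reasoning in the comments below about why the voice VLAN has to leave the port tagged and the PVID untagged. classify_ingress also makes the cost of disabling the filter visible: under 802.1Q semantics a tagged frame for a VLAN the port is not a member of is then accepted instead of dropped (the model assumes it is forwarded in the tagged VLAN, which is what “not filtered” means), so a device behind the phone can send tagged frames into VLANs the port was never meant to carry. Weigh that against the phone-upgrade problem the author ran into.

```python
"""Model of how an access port treats tagged and untagged frames.

Added example, not code from the original post or from Nortel.  It models
the generic 802.1Q behaviour the post configures on the phone ports (1-46):
PVID, VLAN membership, the tagging mode (untagAll, tagAll, untagPvidOnly)
and filter-unregistered-frames on ingress.  Semantics only, not the ASIC.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

VOICE_VLAN, DATA_VLAN, MGMT_VLAN = 50, 100, 200   # the post's VLAN IDs


@dataclass(frozen=True)
class Port:
    pvid: int
    members: FrozenSet[int]            # VLANs the port is a member of
    tagging: str = "untagAll"          # untagAll | tagAll | untagPvidOnly
    filter_unregistered: bool = True   # the default the post mentions


def classify_ingress(port: Port, tag_vid: Optional[int]) -> Optional[int]:
    """VLAN a received frame is assigned to, or None if the port discards it.

    tag_vid is None for an untagged frame, else the VID carried in the tag.
    """
    if tag_vid is None:
        return port.pvid                       # untagged frames go to the PVID
    if tag_vid in port.members:
        return tag_vid
    # Tagged for a VLAN the port does not belong to ('unregistered').  With
    # filtering on the frame is dropped; with filtering off (what the post
    # sets on the phone ports) the model accepts it into that VLAN.
    return None if port.filter_unregistered else tag_vid


def egress_form(port: Port, vid: int) -> Optional[str]:
    """'tagged', 'untagged', or None when vid cannot leave through this port."""
    if vid not in port.members:
        return None
    if port.tagging == "tagAll":
        return "tagged"
    if port.tagging == "untagAll":
        return "untagged"
    if port.tagging == "untagPvidOnly":
        return "untagged" if vid == port.pvid else "tagged"
    raise ValueError(f"unknown tagging mode {port.tagging!r}")


def phone_port_problems(port: Port, voice_vlan: int) -> List[str]:
    """The two properties a port with a phone (and a PC behind it) must satisfy."""
    problems = []
    if egress_form(port, voice_vlan) != "tagged":
        problems.append(f"voice VLAN {voice_vlan} would not leave the port tagged, "
                        "so the phone cannot tell voice frames apart")
    if egress_form(port, port.pvid) != "untagged":
        problems.append(f"PVID VLAN {port.pvid} would leave the port tagged, "
                        "and a PC on the phone's PC port would drop those frames")
    return problems


# A phone port as the post leaves it: 'vlan port 1-46 tagging untagpvidOnly'
# plus 'filter-unregistered-frames disable'.
PHONE_PORT = Port(pvid=DATA_VLAN, members=frozenset({VOICE_VLAN, DATA_VLAN}),
                  tagging="untagPvidOnly", filter_unregistered=False)

if __name__ == "__main__":
    for mode in ("untagAll", "tagAll", "untagPvidOnly"):
        p = Port(DATA_VLAN, PHONE_PORT.members, mode)
        print(f"{mode:14s} voice={egress_form(p, VOICE_VLAN):9s} "
              f"data={egress_form(p, DATA_VLAN):9s} problems={phone_port_problems(p, VOICE_VLAN)}")
    # What a tagged management-VLAN frame from a device behind the phone does
    # with the filter on (post's default) versus off (post's phone ports).
    strict = Port(DATA_VLAN, PHONE_PORT.members, "untagPvidOnly", True)
    print("mgmt-tagged frame, filter on :", classify_ingress(strict, MGMT_VLAN))
    print("mgmt-tagged frame, filter off:", classify_ingress(PHONE_PORT, MGMT_VLAN))
```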

Let’s shut down the two remaining ports that share the GBIC interfaces, in case we need those in the future. An unused port that is administratively down is also one less live, unmonitored port on the switch;

5520-48T-PWR (config)# interface fastEthernet 45-46
5520-48T-PWR (config-if)# shutdown
5520-48T-PWR (config-if)# exit

Let’s set up a QoS interface group that trusts all traffic ingressing on the fiber uplinks. By default the ERS 5520 does not trust the QoS markings on any port and strips them; ADAC takes care of the QoS settings for the VoIP traffic on the phone ports.

5520-48T-PWR (config)# qos if-group name allUpLinks class trusted
5520-48T-PWR (config)# interface fastEthernet 47,48
5520-48T-PWR (config-if)# qos if-assign port 47,48 name allUpLinks
5520-48T-PWR (config-if)# exit

Let’s set the SNMP system name, location and contact;

5520-48T-PWR (config)# snmp-server name "sw-icr1-1east.sub.domain.org"
5520-48T-PWR (config)# snmp-server location "Acme Internet Phone Company (ICR1)"
5520-48T-PWR (config)# snmp-server contact "Network Infrastructure Team"

Let’s enable rate limiting of broadcast and multicast traffic to 5% of the link on every port (the argument is a percentage of the port’s bandwidth; test this carefully if you run multicast applications);

5520-48T-PWR (config)# interface fastEthernet ALL
5520-48T-PWR (config-if)# rate-limit both 5
5520-48T-PWR (config-if)# exit

Let’s set up VLACP (Virtual Link Aggregation Control Protocol) on the uplinks to the core. VLACP has to be enabled on both ends of each link with matching timers, otherwise the port will be marked down;

5520-48T-PWR (config)# interface fastEthernet 47,48
5520-48T-PWR (config-if)# vlacp port 47,48 timeout short
5520-48T-PWR (config-if)# vlacp port 47,48 timeout-scale 5
5520-48T-PWR (config-if)# vlacp port 47,48 enable
5520-48T-PWR (config-if)# exit
5520-48T-PWR (config)# vlacp enable

That’s it, you’re done! Well, hopefully you’re done.
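The text-file approach described at the top of the post works well until someone edits the wrong number in the wrong place. The following is an added example, my own code and not something the switch or Nortel provides: it renders the VLAN, management, MLT and ADAC portion of the build above from the values that change per closet, refuses the mistakes that are easy to make by hand (overlapping phone and uplink ports, a gateway outside the management subnet, duplicate VLAN IDs) and splits the result into blocks small enough to paste one at a time. The commands are the ones shown in the post; the checks, the MLT name and the chunk size are assumptions.

```python
"""Render the VLAN / management / MLT / ADAC part of this build from parameters.

Added example: the CLI commands are the ones in the post; the generator,
the sanity checks and the paste chunk size are my own assumptions.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional


def port_list(ports: Iterable[int]) -> str:
    """Collapse {1,2,3,5,47,48} into the ERS port-list form '1-3,5,47-48'."""
    seq = sorted(set(ports))
    out: List[str] = []
    i = 0
    while i < len(seq):
        j = i
        while j + 1 < len(seq) and seq[j + 1] == seq[j] + 1:
            j += 1
        out.append(str(seq[i]) if i == j else f"{seq[i]}-{seq[j]}")
        i = j + 1
    return ",".join(out)


def render(data_vlan: int, voice_vlan: int, mgmt_vlan: int,
           mgmt_ip: str, netmask: str, gateway: str,
           phone_ports: Iterable[int], uplink_ports: Iterable[int],
           names: Optional[Dict[int, str]] = None, total_ports: int = 48) -> List[str]:
    """Config lines for the switch; ValueError on the classic hand-edit mistakes."""
    vlans = {"data": data_vlan, "voice": voice_vlan, "mgmt": mgmt_vlan}
    for label, vid in vlans.items():
        if not 2 <= vid <= 4094:          # VLAN 1 is the default the post empties
            raise ValueError(f"{label} VLAN {vid} is outside 2-4094")
    if len(set(vlans.values())) != 3:
        raise ValueError("data, voice and management VLANs must be distinct")
    phones, uplinks = set(phone_ports), set(uplink_ports)
    if phones & uplinks:
        raise ValueError(f"ports in both phone and uplink sets: {sorted(phones & uplinks)}")
    if not uplinks or any(not 1 <= p <= total_ports for p in phones | uplinks):
        raise ValueError(f"ports must be within 1-{total_ports}, with at least one uplink")
    net = ipaddress.ip_network(f"{mgmt_ip}/{netmask}", strict=False)
    if ipaddress.ip_address(gateway) not in net or gateway == mgmt_ip:
        raise ValueError(f"gateway {gateway} is not another address inside {net}")
    labels = names or {}

    def name(vid: int) -> str:
        return labels.get(vid, f"vlan{vid}")   # post names VLANs after their subnet

    up, ph, everything = port_list(uplinks), port_list(phones), port_list(phones | uplinks)
    return [
        "enable", "configure terminal",
        "vlan configcontrol autopvid",
        f"vlan ports {up} tagging enable",
        "vlan members remove 1 ALL",
        f'vlan create {mgmt_vlan} name "{name(mgmt_vlan)}" type port',
        f"vlan members add {mgmt_vlan} {up}",
        f'vlan create {data_vlan} name "{name(data_vlan)}" type port',
        f"vlan members add {data_vlan} {everything}",
        f"vlan port {ph} pvid {data_vlan}",
        f"vlan port {up} pvid {mgmt_vlan}",
        f"vlan mgmt {mgmt_vlan}",
        f"ip address switch {mgmt_ip} netmask {netmask} default-gateway {gateway}",
        "mlt 1 disable", 'mlt 1 name "MLT-8600"', "mlt 1 learning disable",
        f"mlt 1 member {up}", "mlt 1 enable",
        f"adac voice-vlan {voice_vlan}",
        "adac op-mode tagged-frames",
        f"adac uplink-port {max(uplinks)}",   # the MLT pulls in the other member
        "adac enable",
        f"vlan port {ph} tagging untagpvidOnly",
    ]


def validate(*args, **kwargs) -> Optional[str]:
    """The error render() would raise for these parameters, or None if it is happy."""
    try:
        render(*args, **kwargs)
    except ValueError as err:
        return str(err)
    return None


def chunks(lines: List[str], size: int = 20) -> List[str]:
    """Split into blocks small enough to paste without overrunning the CLI buffer."""
    return ["\n".join(lines[i:i + size]) for i in range(0, len(lines), size)]


if __name__ == "__main__":
    cfg = render(100, 50, 200, "10.1.200.10", "255.255.255.0", "10.1.200.1",
                 phone_ports=range(1, 47), uplink_ports=[47, 48],
                 names={100: "10-1-100-0/24", 200: "10-1-200-0/24"})
    for n, block in enumerate(chunks(cfg), 1):
        print(f"--- paste block {n} ---\n{block}")
```

The passwords, SNMP, SNTP, clock, LLDP, QoS, rate-limit and VLACP sections are left out on purpose: they are the same on every closet and belong in the static part of the text file rather than in the parameterised part.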

In my next post I’ll tell you what DHCP options you’ll need to configure on your DHCP server in order for the phones to boot properly and connect to the Nortel Call Server.

Cheers!

ADAC, ERS5520, LLDP, MLT, QOS, VLACP

  1. #1 by Anonymous on April 24, 2008 - 10:36 pm

    Man thanks for the tips on setup I found this very interesting and got me pointed in the right direction.

  2. #2 by Charles on August 6, 2008 - 1:37 pm

    Hi, thanks a lot for the precise info. I have a few questions:

    1) What can happen if some tagged packets go to the phone’s PVID? (referring to the untag pvid command)

    2) Do you always need to enable both MLT & VLACP? I (mis)understood that it was an option to use one protocol or the other..

    3) I wonder why you did not include any spanning tree commands in this article. Are they in by default somehow on the ERS?

    4)In the case of a single link trunk from one switch to another, is it true that you would need to disable stp on the trunk port? What protection could be the best choice then, apart from rate limiting?

    thanks in advance!

  3. #3 by Michael McNamara on August 6, 2008 - 5:33 pm

    Hi Charles,

    Let me try to answer your questions (which are very good by the way);

    1) The end device (laptop or desktop) will not understand the 802.1q frame and will just drop the frames leaving any device you plug into the PC port on the phone unusable. In essence this command just tells the switch to leave the 802.1q headers on the voice VLAN traffic so the phone can identify those frames but strip the 802.1q headers for the PC traffic so the PC won’t freak out – it’s not expecting an 802.1q frame.

    2) These are two very different protocols. MLT allows you to trunk two physical links into a single link at Layer 2 for additional bandwidth and additional redundancy should one link fail. VLACP is a method used to detect a communication problem over a link and mark the port as down so you don’t end up switch/bridging packets across a dead uplink – an uplink that has link but there’s nobody home on the far end. I use VLACP where I have Ethernet Switch 470s because the GBICs don’t support autonegotiation. Without autonegotiation there’s no ability to detect a far end failure – say a single fiber strand breaks, one switch will still have link while the other won’t have link. VLACP would detect that loss of connectivity and mark the port as down keeping your network from switching/bridging/routing traffic down a dead link where the packets would ultimately be lost forever.

    3) I did include Spanning Tree commands. I recommend that everything use “fast start” because of the auto MDI/MDI-X feature where an end-user or confused technician could easily put a loop into your network by mistakenly cabling two ports together. Search for “spanning-tree” above, here’s the reference;
    5520-48T-PWR (config-if)# spanning-tree learning fast
    Note: you should NOT run Spanning Tree on your MLT ports!

    4) Spanning Tree is a system-wide protocol. We used to run Spanning Tree across an ATM LAN where it sometimes took 90 seconds for Spanning Tree to converge. We employ a few layers of protection; the first is at the closet switch, which I discussed in the answer above, using “spanning-tree learning fast” on all edge ports; the second, we use SLPP (Simple Loop Protection Protocol) on our ERS 8600 cores; and lastly we use CP limiting on the ERS 8600 cores, which will shut down an uplink if too many broadcast or multicast frames start flooding the network from that specific uplink.

    Great questions and thanks for the comment!

  4. #4 by Charles on August 11, 2008 - 1:25 pm

    Thanks for being so helpful!

  5. #5 by alphaalpha1 on November 14, 2008 - 4:43 pm

    Mike,

    You mentioned do NOT run spanning tree on MLT ports. Does that mean we should disable STP on MLT ports? I am planning to configure a 4-port MLT on two 5510-48 switches. What is your suggestion? Thanks in advance.

    Alpha

  6. #6 by Michael McNamara on November 14, 2008 - 5:37 pm

    You can run STP across a MLT but I would not recommend it. So my advice would be to disable STP on all ports which are going to belong to the MLT, on both switches.

    Good Luck!

  7. #7 by michael gagnon on January 27, 2009 - 12:18 pm

    Michael,
    one more question for you if you have time regarding ‘rate-limiting’

    we have sometimes seen issues where a user will bring a linksys/home switch in and plug it into their drop (unauthorized).
    the linksys/netgear/etc switch does NOT run STP. we are now implementing STP BPDU-Filtering/Guard on our edge ports to prevent unauthorized switches connecting to the network, but this doesn’t help with un-managed switches (which would be the majority of what people would bring in from their home).

    now, if they connect a cable from the linksys switch to itself again (creating a loop), the flood of broadcast packets will also egress out the single uplink into the production network.

    rate-limiting (e.g. 10% setting), will suppress this flood of broad/multi-cast traffic to 10% of the link, which is great because it will save the network … but the problem is , how do we then know a loop has occurred?

    does the switch send an SNMP-trap when this threshold is hit? that is the biggest concern. the network will be saved from a storm, but at the same time if i am not alerted or notified, then the loop continues to exist (suppressed).

    any suggestions?
    thanks, again!

  8. #8 by Michael McNamara on January 27, 2009 - 9:18 pm

    You’re keeping me busy there Michael! :)

    The rate limiting feature is built into the ASIC hardware so there’s no reliance on actual switch software – which is a good thing. While you’re basically correct, you’ll generally know soon enough that there’s a problem. While rate limiting will keep the majority of your switches reachable/manageable, you’re still going to experience all sorts of MAC/FDB issues because of the loop. If you have a management system that is performing threshold monitoring that system will generally alert you to the surge in traffic. I’m currently using a combination of HP OpenView and MRTG. In the majority of instances you’ll see SLPP kick in and eventually CP-LIMIT will kick in at the core, isolating the edge switch in question.

    In an ultra-secure environment you could configure MAC security (old school way) or you could go with a Network Access Control (NAC) solution which integrates with the latest Nortel switches.

    With regard to your example… Spanning Tree enabled on the edge access ports will help save you 99% of the time in my experience.

    Cheers!

  9. #9 by michael gagnon on January 27, 2009 - 9:39 pm

    just discovered your blog a few days ago and it’s nice to have discussion (just found the nortel community forums as well) :)))

    that’s good to hear that the rate-limiting is done in ASIC; no sense in overwhelming the CPU with rate-limiting enabled on all ports…
    but i wish there was a way to admin_down the interface when those thresholds were reached on the edge switches (5520, 460)…i would much rather have the interface be disabled than the traffic limited until I found the issue/error.

    i’m using Open View as well, so maybe i need to do some tweaking/etc but not sure where to start for this topic at hand…

    many of our IDFs/switches in different campuses are not connected via SMLT. many are DMLT or single-uplink, depending on our availability of fiber backbone and 8600 interfaces. slowly trying to migrate these to SMLT, but it does take a lot of time for the campuses in different countries where i’m not on-site, physically…so SLPP wouldn’t help for those locations (uplinks are NOT SMLT).

    i’ve noticed CP-Limit appears to be enabled by default for 8300 and 8600s. this is generally the case when there is a loop and an interface is auto-disabled. i have not configured these thresholds, so they must be at default values (enabled by default); i have also noticed (and remember working with Nortel on a case about this years ago), that there is a separate per-interface CP-Limit. i’m trying to recall, but I remember (this was back in 3.5.x.x days), that you eat up resources by enabling the CP-Limit on a per-interface basis, and as a result could only do so many interfaces. i’ll have to re-investigate this, but it was like there were two separate types of rate-limiters on the 8600.

    thanks!

  10. #10 by samir rana on March 13, 2009 - 11:56 am

    Hi Michael,

    If we have question regarding nortel, how could i submit it ?

    Thanks,

  11. #11 by Michael McNamara on March 13, 2009 - 9:58 pm

    Hello Samir,

    I’m happy to try and help. What’s your question?

    Cheers!

  12. #12 by alex on March 17, 2009 - 8:09 am

    Hi,

    We have been advised by Nortel that STP is required when assigning multiple VLANs on a trunk. Is this correct? as you mentioned above that STP should be disabled on the MLT…

    Cheers!
    Alex

  13. #13 by alex on March 17, 2009 - 8:16 am

    Also, I presume the same rules apply for SMLT’s?
    We currently have two edge switches configured with MLT’s that connect to the core and form a SMLT. There seem to have been a few inconsistencies when they were initially configured as one has STP disabled on the trunk and the other enabled.

  14. #14 by Michael McNamara on March 17, 2009 - 6:02 pm

    Hi Alex,

    I’m not sure who you’ve been talking to at Nortel but you certainly don’t need STP enabled on a trunk just because you have multiple VLANs (802.1q) traversing that link. If you had multiple trunks between two switches without using a MLT/DMLT/SMLT configuration you would certainly need STP enabled between those switches in order to prevent the Layer 2 loops that would be present in such a configuration.

    It’s my recommendation NOT to run STP between your edge and core switches. I definitely recommend you run it on your edge switches but not on the ports that uplink to your core (or distribution) network. You can run it if you choose to, I just don’t find it very useful to do so and there can be implementation differences between some vendors (example, Cisco floods BPDUs across all ports in an EtherChannel configuration while Nortel only floods BPDUs across the lowest interface in a MultiLink Trunk configuration).

    In an SMLT configuration you CAN NOT run STP at all between your edge and core (or distribution) switches because it defeats the whole purpose of building a network architecture that is active/active as opposed to active/passive. In an SMLT design both uplinks from the edge are actively passing and receiving traffic, unlike when you use STP/RSTP/MSTP traffic can only traverse one of the uplinks while STP blocks the other uplink.

    Hopefully that helps a little. Good Luck!

  15. #15 by Alex on March 18, 2009 - 6:41 am

    Thanks Michael,

    That has cleared up a few things! – I’m still getting to know the network as I have only recently joined the company!

    As you mentioned STP is disabled on the SMLT configs on our two core switches. We have around 20 edge switches, of which after further investigation 7 have STP enabled on the MLT trunks. We attempted to disable STP on one of the edge MLT trunks (connected to each core as SMLT) but had to quickly change this back as once we re-enabled the trunk we lost connectivity from the edge switch.

    I will be getting back in touch with Nortel with your comments and see where we go from there.

    Thanks again!
    Alex

  16. #16 by Shine on April 2, 2009 - 6:33 pm

    Sir,
    Thanks for the patience.

    In fact I am working in a place where we have only Nortel Access Switches, but NTP is not yet configured.
    Wondering how to interpret the logs without having NTP configured in the switches.
    Kindly help …

    • #17 by Michael McNamara on April 2, 2009 - 6:40 pm

      Hi Shine,

      It can be ugly to read the logs without the proper date/time and timezone set. I believe the switches count up from the time they were started/booted.

      Depending on the version of software on the switch you should be able to issue a “show log sort-reverse” from the CLI interface and it will show you the log from the bottom up (latest events first). You’ll need to then do the math to figure out how to match up the timestamp in the logs to the real date/time.

      If you have access and configure NTP the timestamps in the log will be automatically updated so you can read them properly. You can have a look at the post Network Time Protocol (NTP) for information on how to configure NTP.

      Good Luck!

  17. #18 by Luke Kuret on May 14, 2009 - 2:37 am

    Hi, just found the posts here.

    Michael Gagnon raised a question regarding loopbacks and better detection, however I don’t believe it was answered.

    I work for a company which has all 5520’s at the edge and an 8600 at the core. We randomly see the issue of a loopback which will bring that edge device down and it is often very difficult to locate the looped device.

    We are already using rate limiting on the trunks to protect the network, as well as Spanning Tree, however as mentioned earlier in the posts eventually CP-Limit kicks in and the 8600 will block the port. This takes our edge offline and we need to troubleshoot the issue by placing the switch back online.

    Also – The syslog does not seem to ever indicate where the problem originated from.

    Does anyone have any advice that could help us identify and/or prevent the broadcast storm which occurs?

    Any advice would be most appreciated

    • #19 by Michael McNamara on May 14, 2009 - 6:37 pm

      Hi Luke,

      I believe the basic answers to your questions can be found throughout the different comments.

      I generally follow a “defense in layers” approach… utilizing the different features such as STP, SLPP, Rate Limiting, BPDU Guard, CP-Limit and Ext CP-Limit to provide an overall defense against any situation where a high rate of broadcast/multicast frames might endanger the general operation of the network.

      In short Spanning Tree running on the edge switch (edge ports only please, no STP on the uplinks) should cure 99% of any loop induced problems by preventing any loop from either within that specific switch/stack/closet or downstream of that switch/stack/closet (someone plugging in an unmanaged hub/switch). SLPP helps to protect against an MLT configuration issue on the edge switch by disabling one of the MLT downlinks. I use rate limiting on all ports not just trunk uplinks. This prevents any single port from injecting too many multicast/broadcast frames into the network although you need to test this feature carefully if you have multicast applications. Ultimately CP-Limit protects the core network from a single switch/stack/closet flooding the CPUs with too many broadcast/multicast frames.

      In my experience Spanning Tree (Fast Learning) has resolved 99.9% of issues in my environment (I have over 24,000 switch ports in my environment). In a few instances I’m happy to sacrifice a switch/stack/closet using CP-Limit to protect the rest of the network. The log on the ERS 5500 series switches will not show you “where the problem is”; what would be the need for us network engineers then? If you are using Spanning Tree you can look at the switch port interfaces to see which port is in a blocking mode as opposed to forwarding mode.

      Hopefully that answers some of your questions.

      Good Luck!

  18. #20 by Nadya on July 29, 2009 - 5:07 am

    Hi Michael,

    Thanks a lot for this post!

    Maybe you also can answer to my question: is there any way to configure the LLDP on the switch so that it will send two Network Policy TLVs – one for the Voice Application and one the Voice Signaling Application? This is needed to provide different dscp values to IP phones – one will be used by the phone for control traffic (between the IP phone and the Signaling Server) and the other for media traffic (between the Ip phones)

    Many thanks,
    Nadya

    • #21 by Michael McNamara on July 30, 2009 - 9:41 pm

      Hi Nadya,

      I believe this is already the case with Nortel’s IP phones and their integration with ADAC/LLDP but I can’t be 100% sure. You’d need to run a packet capture against the data stream to see if the control traffic is tagged differently than the actual RTP stream. The Nortel IP phones themselves have configuration options for Control Priority Bits, Media Priority Bits, Control DSCP and Media DSCP. Are they both being set to the same Expedited Forwarding (EF) when using ADAC/LLDP with a Nortel IP phone? I’m not really sure although I could probably get a quick packet trace. Is there a way to set different 802.1p bits and DSCP entries? I don’t really know the answer to be truthful.

      I’ll look at a few packet traces to see if the packets are marked differently.

      Sorry I couldn’t really help!

  19. #22 by Nadya on July 31, 2009 - 4:52 am

    Mike, thank you for the answer!

    The reason why I’m asking you is that I work at a company which is a Nortel partner and we develop firmware for the Nortel IP phones.
    You are correct that IP phones themselves have configuration options and in the current FW releases when some DSCP and 802.1p Priority is sent by the switch in the Network Policy TLV (for Voice Application type), the IP phone applies these values to both – Control and Media traffic.

    Currently official IP phones FW supports only Network Policy TLV for Voice application type.
    So I modified IP phones FW so that it sends and accepts two Networks Policy TLVs (for voice and voice signaling applications), now I need to configure the switch somehow to send to the phones two Network Policy TLVs as well.

    Looks like nobody knows the answer, most likely it is not possible in current Baystack software :)

    Many thanks for your help!

  20. #24 by Thomas K Mathew on August 14, 2009 - 4:38 am

    Hi mike,
    I m having a technical problem.
    We are using Nortel switches (8600). We are maintaining MRTG for inter-building links. When we create an access point to secure telnet, MRTG stops functioning. But I will be able to telnet to the system and I am also able to ping, but MRTG is not functioning. We need a solution where we will be able to use MRTG when we use an access policy to secure telnet. Will you please help me

    • #25 by Michael McNamara on August 22, 2009 - 10:14 am

      Hi Thomas,

      I had thought I replied to your post (perhaps you posted in the forums?) but I see you have a reply here without any response… sorry for that.

      I’m guessing that when you enable the Access Policy you’re not making allowances in the policy for the server/desktop running MRTG to be allowed to perform SNMP queries against the switch.

      Have a look at this post for an example of how to configure an Access Policy; http://blog.michaelfmcnamara.com/2008/01/ers-8600-access-policy/

      Good Luck!

  21. #26 by mike haakenson on August 22, 2009 - 5:11 am

    Michael,
    What about enabling SLPP on the edge switch ports?

    • #27 by Michael McNamara on August 22, 2009 - 10:19 am

      Hi Mike,

      In an SMLT configuration it’s best practice to enable SLPP on the edge ports at the core switch (not the edge switch).

      I have an article that describes SLPP here;
      http://blog.michaelfmcnamara.com/2007/12/simple-loop-prevention-protocol-slpp/

      While SLPP is applicable it doesn’t get configured on the edge ERS5520 itself but rather on the core switch.

      If you are running any of the ERS 5500 series switches in a Layer 3 configuration with the Advanced Routing License then those switches themselves can act as core switches as opposed to just being a Layer 2 edge switch.

      Thanks for the comment!

  22. #28 by Todd on September 29, 2009 - 2:10 pm

    Michael, I just wanted to thank you for this post. Nortel is limited when it comes to online information and your site is a great resource.

    I just found your site today and have already forwarded it off to probably 10 people.

    Thanks in advance for any solutions your provide me, I’ll be sure to give credit where credit is due!

    • #29 by Michael McNamara on September 29, 2009 - 6:45 pm

      Hi Todd,

      I really appreciate the comment and I’m happy to hear that you found the information useful.

      Cheers!

  23. #30 by Todd on October 7, 2009 - 4:57 pm

    Hi Michael, I hope all is well. I have a quick design idea/question for you. I read from your posts, also from Nortel docs that STP on MLT links should be a no-no. I have a bit different scenario. Imagine if you will 3 ‘Edge Closets’ with 3 stacked 5520’s in each closet. Each Edge Closet uses MLT to connect two fiber connections to the core respectively. So all is fine and dandy, I can have STP disabled and we are good. But I have a small enough campus I was able to run Ethernet cable to the edge closets between them. So again, I have 2 fiber connections using an MLT link for each edge closet connecting to the core. But edge closets 1 and 2 have an Ethernet cable run to edge closet 3. The reason is if (knock on wood) someone cut the fiber my MLT is worth nothing and both links are down, thus my edge closet. With STP if the fiber is cut in edge closet 1 the Ethernet cable will provide a link to the core (the Ethernet port is blocking via STP, but when the fiber MLT link is disabled the Ethernet port is brought online to edge closet 3), not the best for ‘best practice’ but will be enough for them to be online for a period of time until the primary link is repaired. Again I use STP for this config.

    Now if I would disable stp on the mlt ports, I would imagine it would create a loop and down the network goes…. anywho, i did my best to explain this…. hope it makes sense. let me know your thoughts when you have time.

    Thanks!
    Todd

    • #31 by Michael McNamara on October 7, 2009 - 9:00 pm

      Hi Todd,

      Before I respond let me encourage you to post any future questions/follow-ups on the forums; http://forums.networkinfrastructure.info/nortel-ethernet-switching/.

      You can most certainly run Spanning Tree in an MLT configuration. You cannot run Spanning Tree in an SMLT configuration. I’ve made the personal decision to avoid using Spanning Tree where ever possible and instead rely on Layer 3 routing and Nortel’s proprietary IST/SMLT technology.

      With respect to your specific configuration you can certainly enable and run STP between your closets and your core switch (you didn’t say what switch you had in the core). You only need to be mindful of how Nortel’s proprietary Spanning Tree works, unless you configure all your switches for RSTP or MSTP (you’ll need to make sure that your running a software version that supports RSTP and/or MSTP on both your core and edge switches). In short you need to align the ports in your MLT from the lowest ifNum to the highest ifNum. Example; port 1/48 on the 5520 connects to port 1/8 on the core while port 2/48 connects to port 2/8 on the core. If you were to cross those ports using Nortel’s proprietary Spanning Tree you would probably experience issues since Nortel only broadcasts BPDUs on one port (the lowest ifNum in the MLT) while other vendors like Cisco broadcast BPDUs on all ports in the EtherChannel (MLT).

      You would definitely need to do your homework though and make sure that you set the root bridge priority on your core switch properly. You might also need to tweak the STP path costs to make sure that the interconnects between your edge switches are the ports that go into blocking and not your MLT uplinks.

      I’ve avoided such configuration because I believe it leads to overly complex networks that often tend to fail on their own or through some unforeseen circumstances. As an alternative you could also have ports configured and cables ready (just unplugged) such that if you had an actual disaster you could quickly wire up the ports to an alternate edge switch. It would require manually connecting the patch cables but it would restore you to service much faster than waiting for the cabling vendor to re-splice your fiber pairs.

      Cheers!

  24. #32 by Todd on October 12, 2009 - 4:15 pm

    Good advice, thanks for the info.
