27th August 2008

ADAC and VLAN Configurations

Posted in EthernetRtngSwitch, Nortel

We’ve just recently come across this problem and I thought it would be a great topic to share and perhaps even solicit some feedback from others. As you might already know, I’ve been deploying ADAC across a large number of Nortel Ethernet Routing Switch 5520s with great success. ADAC allows the switch to control the phone’s voice VLAN configuration.

Well, we also ran into a problem after upgrading a number of those switches to v5.1.1.17. A network administrator had made VLAN changes to various ports on the switch prior to the upgrade but after ADAC had been enabled on the ports. After the upgrade, the switch ports defaulted back to the original VLAN they were configured for when ADAC was first enabled. We performed some additional testing and found that this problem would occur if the switch was just reset (rebooted), so it doesn’t appear to be tied to the upgrade but rather to the action of restarting the switch. Looking at how ADAC works I can understand the problem, but I’m disappointed that Device Manager or the CLI interface doesn’t throw a warning when you try to change the VLAN configuration of a port with ADAC enabled.

The lesson here is that you should disable ADAC on any port where you intend to change the VLAN membership.

Anyone else seen this?

Cheers!

This entry was posted on Wednesday, August 27th, 2008 at 6:30 pm and is filed under EthernetRtngSwitch, Nortel.
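
A pre-reset audit for the behaviour described above, as an added example that is not part of the original post: it flags ADAC-enabled ports whose running VLAN membership differs from the membership recorded when ADAC was enabled, since those changes revert when the switch restarts. The CSV layout, column names and sample rows are constructed for illustration and are not switch output.

```python
import csv
import io

# Constructed sample inventory (assumed format, not real switch output).
# baseline_vlans = membership on the port when ADAC was first enabled
# running_vlans  = membership currently active on the switch
SAMPLE_INVENTORY = """\
port,adac_enabled,baseline_vlans,running_vlans
1/1,yes,10,10
1/2,yes,10,20
1/3,no,10,30
1/4,yes,10;50,10;50;60
1/5,yes,10;50,10
"""


def parse_vlans(field):
    """Turn a ';'-separated VLAN list such as '10;50' into a set of ints."""
    return frozenset(int(v) for v in field.split(";") if v.strip())


def find_at_risk_ports(inventory_text):
    """Return ADAC-enabled ports whose running VLANs differ from baseline.

    Per the post, a reset puts such ports back on the baseline membership,
    so any difference is a change that will not survive a restart.
    Ports without ADAC are skipped: their changes are ordinary saved config.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_text)):
        if row["adac_enabled"].strip().lower() != "yes":
            continue
        baseline = parse_vlans(row["baseline_vlans"])
        running = parse_vlans(row["running_vlans"])
        if baseline != running:
            findings.append({
                "port": row["port"],
                "lost_on_reset": sorted(running - baseline),
                "returns_on_reset": sorted(baseline - running),
            })
    return findings


if __name__ == "__main__":
    for f in find_at_risk_ports(SAMPLE_INVENTORY):
        print(f"{f['port']}: loses VLANs {f['lost_on_reset']}, "
              f"regains VLANs {f['returns_on_reset']} on reset")
```

Ports it reports are the ones to fix by disabling ADAC, changing the VLAN membership, and re-enabling ADAC before the next planned restart.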

There are currently 5 responses to “ADAC and VLAN Configurations”


  1. 1 On September 9th, 2008, Wiesiek said:

    Michael,
    Although I’ve been using ADAC on my 5520 switches to configure VoIP in my small network, I’m unable to find the software version v5.1.1.17 on Nortel web site to confirm if there are any issues with it, when doing upgrades.

    I guess this upgrade is only available to large scale customers.

    Michael, going off the topic. I was wondering if you could share some thoughts, configuration examples on security measures you have implemented in your VoIP network using ERS-5520 switches? Do you use any special hardware or software to secure the network?

    Thanks for all the good stuff available here.

    WK

  2. 2 On September 9th, 2008, Bruce said:

    Yes, we’ve seen this issue as well. Plus, at some sites where we have Branch Offices deployed (CS1000 that redirects back to the main site), you need to define TLAN ports (the ADAC created QoS vlan) for the CS1000 sig server and VGMC card(s). But ADAC only lets you define 1 uplink port and 1 call server port. If the uplink port is part of an MLT, you’re OK - all the ports in the MLT will be members of the TLAN/vlan.

    For the sig server and VGMC card, I set them up as access ports in the TLAN. But it turns out that membership in the ADAC created TLAN is dynamic. If the switch/stack is reset or the power is interrupted, those ports come back without any vlan assignment. Nortel is working on this; the current workaround is to add the MACs for VGMC cards, sig servers, etc. to the ADAC mac table.

    BTW, this is a great blog!

  3. 3 On September 9th, 2008, Michael McNamara said:

    Hi Wiesiek,

    You’ll need a support contract to download the latest software from Nortel’s website. The 5.1.1.17 image is just the SSH version of the 5.1.1 release. The software is available to anyone with a support contract, doesn’t matter how big or small an organization you might be working at/with.

    The simple best practice is to place ACLs (IP Filters) on your routers to prevent general access to the ELAN/TLAN. The Nortel Call Server is very sensitive to traffic on the ELAN interface, as such if you’ve connected the ELAN to your production network you should take steps to make sure that only devices that need to communicate can communicate with that IP network.

    Thanks for the comment!

    Hi Bruce,

    I know exactly what you’re referring to. Thankfully we connect our VGMCs, sig servers, etc. to our core ERS 8600s and we only connect IP phones to the edge ERS 5520. We did have one situation quite some time ago when we came upon the problem you mentioned above… trying to statically configure a port in the TLAN was not possible since ADAC would eventually remove the port from the VLAN.

    Thanks for the comment!

  4. 4 On October 10th, 2008, Roberto said:

    Oho yes, I found this way back when 5.0.0 was released two years ago (in fact I found it in the beta!). I had a heated discussion with Nortel about it. This *is* documented (badly) and is working as designed. The documentation states something along the lines of “any changes to the VLAN configuration of ADAC-enabled ports are dynamic”.

    Apparently, we’re supposed to understand that “dynamic” means not saved to the config. The reason given was that it was to be consistent with the operation of EAP VLAN override via RADIUS and to ensure that a port could reliably revert to its original state when a phone is subsequently unplugged. A dubious argument to my mind and I suspect that the real reason is that this was the easiest way to implement the feature.

    I submitted a feature request for Nortel asking that this behaviour be changed on the uplink port at least, as in a typical deployment, one would be modifying the configuration of the uplink port fairly regularly (adding a new VLAN to an edge stack for example). With this limitation, one would have to temporarily remove the ADAC configuration from the uplink port causing all IP phones on that stack to stop working temporarily!

    This problem made ADAC unworkable for us, and we haven’t used it since in any deployments.

  5. 5 On October 19th, 2008, Michael McNamara said:

    Thanks for the comment Roberto!
