ADAC and VLAN Configurations


We’ve just recently come across this problem and I thought it would be a great topic to share and perhaps even solicit some feedback from others. As you might already know, I’ve been deploying ADAC across a large number of Nortel Ethernet Routing Switch 5520s with great success. ADAC allows the switch to control the phone’s voice VLAN configuration.

Well we also ran into a problem after upgrading a number of those switches to v5.1.1.17. A network administrator had made VLAN changes to various ports on the switch prior to the upgrade but after ADAC had been enabled on the ports. After the upgrade the switch ports defaulted back to the original VLAN they were configured for when ADAC was first enabled. We performed some additional testing and found that this problem would occur if the switch was just reset (rebooted) so it doesn’t appear to be tied to the upgrade but rather the action of restarting the switch. Looking at how ADAC works I can understand the problem but I’m disappointed that Device Manager or the CLI interface doesn’t throw a warning when you try to change the VLAN configuration of a port with ADAC enabled.

The lesson here is that you should disable ADAC on any port where you intend to change the VLAN membership.

Anyone else seen this?

Cheers!


  1. #1 by Wiesiek on September 9, 2008 - 8:09 am

    Michael,
    Although I’ve been using ADAC on my 5520 switches to configure VoIP in my small network, I’m unable to find the software version v5.1.1.17 on Nortel web site to confirm if there are any issues with it when doing upgrades.

    I guess this upgrade is only available to large scale customers.

    Michael, going off the topic. I was wondering if you could share some thoughts, configuration examples on security measures you have implemented in your VoIP network using ERS-5520 switches? Do you use any special hardware or software to secure the network?

    Thanks for all the good stuff available here.

    WK

  2. #2 by Bruce on September 9, 2008 - 10:35 am

    Yes, we’ve seen this issue as well. Plus, at some sites where we have Branch Offices deployed (CS1000 that redirects back to the main site), you need to define TLAN ports (the ADAC created QoS vlan) for the CS1000 sig server and VGMC card(s). But ADAC only lets you define 1 uplink port and 1 call server port. If the uplink port is part of an MLT, you’re OK – all the ports in the MLT will be members of the TLAN/vlan.

    For the sig server and VGMC card, I set them up as access ports in the TLAN. But it turns out that membership in the ADAC created TLAN is dynamic. If the switch/stack is reset or the power is interrupted, those ports come back without any vlan assignment. Nortel is working on this, the current workaround is to add the MACs for VGMC cards, sig servers, etc. to the ADAC mac table.

    BTW, this is a great blog!

  3. #3 by Michael McNamara on September 9, 2008 - 6:00 pm

    Hi Wiesiek,

    You’ll need a support contract to download the latest software from Nortel’s website. The 5.1.1.17 image is just the SSH version of the 5.1.1 release. The software is available to anyone with a support contract, doesn’t matter how big or small an organization you might be working at/with.

    The simple best practice is to place ACLs (IP Filters) on your routers to prevent general access to the ELAN/TLAN. The Nortel Call Server is very sensitive to traffic on the ELAN interface, as such if you’ve connected the ELAN to your production network you should take steps to make sure that only devices that need to communicate can communicate with that IP network.

    Thanks for the comment!

    Hi Bruce,

    I know exactly what you’re referring to. Thankfully we connect our VGMCs, sig servers, etc. to our core ERS 8600s and we only connect IP phones to the edge ERS 5520. We did have one situation quite some time ago when we came upon the problem you mentioned above… trying to statically configure a port in the TLAN was not possible since ADAC would eventually remove the port from the VLAN.

    Thanks for the comment!

  4. #4 by Roberto on October 10, 2008 - 8:46 am

    Oho yes, I found this way back when 5.0.0 was released two years ago (in fact I found it in the beta!). I had a heated discussion with Nortel about it. This *is* documented (badly) and is working as designed. The documentation states something along the lines of “any changes to the VLAN configuration of ADAC-enabled ports are dynamic”.

    Apparently, we’re supposed to understand that “dynamic” means not saved to the config. The reason given was that it was to be consistent with the operation of EAP VLAN override via RADIUS and to ensure that a port could reliably revert to its original state when a phone is subsequently unplugged. A dubious argument to my mind and I suspect that the real reason is that this was the easiest way to implement the feature.

    I submitted a feature request for Nortel asking that this behaviour be changed on the uplink port at least, as in a typical deployment, one would be modifying the configuration of the uplink port fairly regularly (adding a new VLAN to an edge stack for example). With this limitation, one would have to temporarily remove the ADAC configuration from the uplink port causing all IP phones on that stack to stop working temporarily!

    This problem made ADAC unworkable for us, and we haven’t used it since in any deployments.

  5. #5 by Michael McNamara on October 19, 2008 - 11:06 am

    Thanks for the comment Roberto!

  6. #6 by Michael McNamara on February 2, 2009 - 9:30 pm

    I was just re-reading your comment Roberto. Why would you enable ADAC on your uplinks? You’d never be plugging a phone into your uplink ports?

    As I previously said, we’ve had great success with ADAC and have probably deployed around 500+ IP phones using ADAC.

    Cheers!

  7. #7 by Glen P on February 3, 2009 - 1:14 am

    I’ve noticed behaviour that is related to this, but using LLDP on 5500/4500 switches. We’re currently using Nortel phones with 5520/4526’s and LLDP and the named “voice” VLAN. I’ve noticed if I want to do a change of the “voice” VLAN ID dynamically, I need to reset LLDP to defaults and start again so the switch knows the correct vlan to push out the right details to the phones, otherwise it keeps pushing out the old VLAN ID.

    Rebooting the switch doesn’t appear to help, only resetting LLDP to defaults and redoing the LLDP part of the config (even though nothing has changed).

    Glen.

  8. #8 by Michael McNamara on February 3, 2009 - 11:44 pm

    Hi Glen,

    Thanks for the feedback and comment!

  9. #9 by RD on May 9, 2009 - 9:38 am

    I am not sure if this directly relates to the above comments, but we have recently deployed some 1120/1440s and were using ADAC to do QoS and assign the Voice VLAN to the ports. This proved to be a major problem with our stack of 5650s. Since there can only be 1 ADAC uplink port per stack, if that stack member died, all of our phones in the stack went dead (power was still there but they were unable to reach the servers). This would remain like this until that switch was powered back up.

    Anyone have any thoughts on this? Solutions aside from making sure both VLANs (data and voice) are physically assigned to each port and only using ADAC for QoS?

    • #10 by Michael McNamara on May 9, 2009 - 1:59 pm

      Hi RD,

      You can create a Multi-Link Trunk and configure ADAC to use the first port in the trunk group (it will automatically be applied to all members of the trunk group). You can refer to this post, http://blog.michaelfmcnamara.com/2007/10/nortel-ers-5520-pwr-switch/ for an example of how to configure a 5520 switch with ADAC and LLDP-MED. When we have multiple switches in a stack we generally use ports 1/48 and 2/48 as the MLT members for the uplinks to the core network. In this way if we lose either of those switches we’ll still have an uplink to the core network.

      The only downside of ADAC is that neither Device Manager nor the CLI interface warn users that try to make configuration changes to ports with ADAC enabled. You can find additional information at this post http://blog.michaelfmcnamara.com/2009/02/adac-and-vlan-configurations-part-2/.

      Good Luck!

  10. #11 by RD on May 10, 2009 - 9:32 am

    Thanks Michael. I’ll give it a try.

  11. #12 by RD on May 13, 2009 - 7:52 am

    Thanks Michael. Worked like a charm (with a little editing). For anyone else reading, it was only successful when the referenced uplink port in the MLT was the last numerically. Not sure if that is the case for everyone else.

  12. #13 by Peter Donnelly on May 21, 2009 - 3:06 pm

    I had a similar error where we changed the PVID of ADAC enabled ports on a 4550T-PWR stack whilst phones were plugged in. The switches went into a reboot cycle and only a hard power cycle would bring them back up properly. The resolve as you so rightly pointed out was

    1. Disable ADAC on all telephony ports.
    2. Change PVID on all required ports.
    3. Re-Enable ADAC on ports.

    Downtime was unavoidable but only lasted 3-5 minutes in total.

    Best advice is to plan, plan, plan and get the settled config before putting into production.

  13. #15 by Deepak on September 25, 2009 - 3:13 am

    Hi Michael,

    I am trying to connect Nortel IP Phone 1120E for full DHCP with Cisco 6509 switch (which is a DHCP server). But I am not able to get this Full DHCP working without configuring the Voice VLAN ID in the IP Phone settings.

    option 128 ascii “Nortel-i2004-A,10.2.224.15:4100,1,2;10.2.224.15:4100,1,2.”
    option 191 VLAN-A:501.

    where 501 is Voice DHCP VLAN.

    Any clues ?

    • #16 by Michael McNamara on September 25, 2009 - 8:22 am

      Hi Deepak,

      You need DHCP addresses in the data (default) VLAN with option 191 defined. You need DHCP addresses with option 128 defined in the voice VLAN.

      The IP phone will issue a DHCP request in the default VLAN. If it receives a response with option 191 it will issue a DHCP release and issue a DHCP request in the voice VLAN (VLAN tag equal to the value returned in option 191). The switch port needs to be configured as untag default VLAN (allowing trunking but only tagging the non PVID ports).

      Good Luck!
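
A check for the scope layout described in the reply above, added here as an illustration and not code from the blog or from Nortel. It parses the two option strings quoted in the thread and reports when option 191 is not where the phone asks for it first; data VLAN 1 and all function names are assumptions.

```python
import re

# Shapes follow the strings quoted in the thread. "action" and "retry" are
# labels chosen here for the two numbers after each ip:port.
OPT191 = re.compile(r"^VLAN-A:(\d{1,4}(?:,\d{1,4})*)\.$")
SERVER = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5}),(\d+),(\d+)$")
PREFIX = "Nortel-i2004-A,"

def parse_option_191(value):
    """Return the voice VLAN IDs carried in an option 191 string."""
    m = OPT191.match(value)
    if not m:
        raise ValueError(f"malformed option 191: {value!r}")
    return [int(v) for v in m.group(1).split(",")]

def parse_option_128(value):
    """Return the call server entries carried in a Nortel-i2004-A string."""
    if not (value.startswith(PREFIX) and value.endswith(".")):
        raise ValueError(f"malformed option 128: {value!r}")
    servers = []
    for entry in value[len(PREFIX):-1].split(";"):
        m = SERVER.match(entry)
        if not m:
            raise ValueError(f"unsupported option 128 entry: {entry!r}")
        ip, port, action, retry = m.groups()
        servers.append({"ip": ip, "port": int(port),
                        "action": int(action), "retry": int(retry)})
    return servers

def check_scopes(scopes, data_vlan):
    """scopes maps VLAN ID -> {DHCP option number: ASCII value}."""
    findings, voice_vlans = [], []
    if 191 in scopes.get(data_vlan, {}):
        voice_vlans = parse_option_191(scopes[data_vlan][191])
    else:
        findings.append(f"VLAN {data_vlan}: option 191 missing from data scope")
    for vlan in voice_vlans:
        if 128 in scopes.get(vlan, {}):
            parse_option_128(scopes[vlan][128])  # raises if malformed
        else:
            findings.append(f"VLAN {vlan}: voice scope lacks option 128")
    for vlan, opts in scopes.items():
        if vlan != data_vlan and 191 in opts:
            findings.append(f"VLAN {vlan}: option 191 set outside the data VLAN")
    return findings

# Constructed scopes: data VLAN 1 is assumed; VLAN 501 and the server string are from the thread.
CALL_SERVERS = "Nortel-i2004-A,10.2.224.15:4100,1,2;10.2.224.15:4100,1,2."
GOOD = {1: {191: "VLAN-A:501."}, 501: {128: CALL_SERVERS}}
BAD = {1: {}, 501: {191: "VLAN-A:501.", 128: CALL_SERVERS}}
```

`check_scopes(GOOD, 1)` returns an empty list, while `check_scopes(BAD, 1)` reports both the missing option 191 in the data scope and its presence in the voice scope.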

  14. #17 by Deepak on September 25, 2009 - 12:14 pm

    Hi Michael,

    You are the Champ... It works now!!

    I was using option 191 in voice VLAN instead of data VLAN.

    Thank you so much. You made my day... Have a wonderful weekend!

    • #18 by Michael McNamara on September 25, 2009 - 12:58 pm

      I’m happy I was able to help.

      Cheers!

      • #19 by Deepak on October 15, 2009 - 7:16 pm

        Hi Michael,

        How do I enable bluetooth in option 128? Tried with bt=1

        option 128 ascii “Nortel-i2004-A,10.2.224.15:4100,1,2;10.2.224.15:4100,1,2;bt,1.”

        • #20 by Michael McNamara on October 15, 2009 - 7:40 pm

          Hi Deepak,

          You can’t set that option with the legacy Nortel-i2004-A option. You need to use the Nortel-i2004-B option which requires UNIStim v2.3 or later firmware on the IP phones. You can find additional information on the Nortel-i2004-B option in this post. If you only have a few phones you can probably just enable bluetooth from the phone itself.

          Cheers!

          • #21 by Deepak on October 16, 2009 - 12:59 pm

            Thanks Michael. I have tried with B option already with bt set to y but it stops at DHCP option. I will play around with option B.
