ADAC and VLAN Configurations
Well we also ran into a problem after upgrading a number of those switches to v5.1.1.17. A network administrator had made VLAN changes to various ports on the switch prior to the upgrade but after ADAC had been enabled on the ports. After the upgrade the switch ports defaulted back to the original VLAN they were configured for when ADAC was first enabled. We performed some additional testing and found that this problem would occur if the switch was just reset (rebooted) so it doesn’t appear to be tied to the upgrade but rather the action of restarting the switch. Looking at how ADAC works I can understand the problem but I’m disappointed that Device Manager or the CLI interface doesn’t throw a warning when you try to change the VLAN configuration of a port with ADAC enabled.
The lesson here is that you should disable ADAC on any port where you intend to change the VLAN membership.
Anyone else seen this?
Cheers!
This entry was posted by Michael McNamara on August 27, 2008 at 6:30 pm, and is filed under EthernetRtngSwitch, Nortel.
- #2 written by Bruce 3 years ago
Yes, we’ve seen this issue as well. Plus, at some sites where we have Branch Offices deployed (CS1000 that redirects back to the main site), you need to define TLAN ports (the ADAC created QoS vlan) for the CS1000 sig server and VGMC card(s). But ADAC only lets you define 1 uplink port and 1 call server port. If the uplink port is part of an MLT, you’re OK – all the ports in the MLT will be members of the TLAN/vlan.
For the sig server and VGMC card, I set them up as access ports in the TLAN. But it turns out that membership in the ADAC created TLAN is dynamic. If the switch/stack is reset or the power is interrupted, those ports come back without any vlan assignment. Nortel is working on this, the current workaround is to add the MACs for VGMC cards, sig servers, etc. to the ADAC mac table.
BTW, this is a great blog!
Hi Wiesiek,
You’ll need a support contract to download the latest software from Nortel’s website. The 5.1.1.17 image is just the SSH version of the 5.1.1 release. The software is available to anyone with a support contract, doesn’t matter how big or small an organization you might be working at/with.
The simple best practice is to place ACLs (IP Filters) on your routers to prevent general access to the ELAN/TLAN. The Nortel Call Server is very sensitive to traffic on the ELAN interface, as such if you’ve connected the ELAN to your production network you should take steps to make sure that only devices that need to communicate can communicate with that IP network.
Thanks for the comment!
—
Hi Bruce,
I know exactly what you’re referring to. Thankfully we connect our VGMCs, sig servers, etc to our core ERS 8600s and we only connect IP phones to the edge ERS 5520. We did have one situation quite some time ago when we came upon the problem you mentioned above… trying to statically configure a port in the TLAN was not possible since ADAC would eventually remove the port from the VLAN.
Thanks for the comment!
- #4 written by Roberto 3 years ago
Oho yes, I found this way back when 5.0.0 was released two years ago (in fact I found it in the beta!). I had a heated discussion with Nortel about it. This *is* documented (badly) and is working as designed. The documentation states something along the lines of “any changes to the VLAN configuration of ADAC-enabled ports are dynamic”.
Apparently, we’re supposed to understand that “dynamic” means not saved to the config. The reason given was that it was to be consistent with the operation of EAP VLAN override via RADIUS and to ensure that a port could reliably revert to its original state when a phone is subsequently unplugged. A dubious argument to my mind and I suspect that the real reason is that this was the easiest way to implement the feature.
I submitted a feature request for Nortel asking that this behaviour be changed on the uplink port at least, as in a typical deployment, one would be modifying the configuration of the uplink port fairly regularly (adding a new VLAN to an edge stack for example). With this limitation, one would have to temporarily remove the ADAC configuration from the uplink port causing all IP phones on that stack to stop working temporarily!
This problem made ADAC unworkable for us, and we haven’t used it since in any deployments.
- #7 written by Glen P 3 years ago
I’ve noticed behaviour that is related to this, but using LLDP on 5500/4500 switches. We’re currently using Nortel phones with 5520/4526s and LLDP and the named “voice” VLAN. I’ve noticed if I want to do a change of the “voice” VLAN ID dynamically, I need to reset LLDP to defaults and start again so the switch knows the correct vlan to push out the right details to the phones, otherwise it keeps pushing out the old VLAN ID.
Rebooting the switch doesn’t appear to help, only resetting LLDP to defaults and redoing the LLDP part of the config (even though nothing has changed).
Glen.
- #9 written by RD 2 years ago
I am not sure if this directly relates to the above comments, but we have recently deployed some 1120/1440s and were using ADAC to do Qos and assign the Voice VLAN to the ports. This proved to be a major problem with our stack of 5650s. Since there can only be 1 Adac uplink port per stack, if that stack member died, all of our phones in the stack went dead (power was still there but they were unable to reach the servers). This would remain like this until that switch was powered back up.
Anyone have any thoughts on this? Solutions aside from making sure both VLANs (data and voice) are physically assigned to each port and only using ADAC for QoS?
Hi RD,
You can create a Multi-Link Trunk and configure ADAC to use the first port in the trunk group (it will automatically be applied to all members of the trunk group). You can refer to this post, http://blog.michaelfmcnamara.com/2007/10/nortel-ers-5520-pwr-switch/ for an example of how to configure a 5520 switch with ADAC and LLDP-MED. When we have multiple switches in a stack we generally use ports 1/48 and 2/48 as the MLT members for the uplinks to the core network. In this way if we lose either of those switches we’ll still have an uplink to the core network.
The only downside of ADAC is that neither Device Manager nor the CLI interface warn users that try to make configuration changes to ports with ADAC enabled. You can find additional information at this post http://blog.michaelfmcnamara.com/2009/02/adac-and-vlan-configurations-part-2/.
Good Luck!
I had a similar error where we changed the PVID of ADAC enabled ports on a 4550T-PWR stack whilst phones were plugged in. The switches went into a reboot cycle and only a hard power cycle would bring them back up properly. The resolve as you so rightly pointed out was:
1. Disable ADAC on all telephony ports.
2. Change PVID on all required ports.
3. Re-Enable ADAC on ports.
Downtime was unavoidable but only lasted 3-5 minutes in total.
Best advice is to plan, plan, plan and get the settled config before putting into production.
- #15 written by Deepak 2 years ago
Hi Michael,
I am trying to connect Nortel IP Phone 1120E for full DHCP with cisco 6509 switch (which is a DHCP server). But I am not able to get this Full DHCP working without configuring the Voice VLAN ID in the IP Phone settings.
option 128 ascii “Nortel-i2004-A,10.2.224.15:4100,1,2;10.2.224.15:4100,1,2.”
option 191 VLAN-A:501.
where 501 is Voice DHCP VLAN.
Any clues?
Hi Deepak,
You need DHCP addresses in the data (default) VLAN with option 191 defined. You need DHCP addresses with option 128 defined in the voice VLAN.
The IP phone will issue a DHCP request in the default VLAN. If it receives a response with option 191 it will issue a DHCP release and issue a DHCP request in the voice VLAN (VLAN tag equal to the value returned in option 191). The switch port needs to be configured as untag default VLAN (allowing trunking but only tagging the non PVID ports).
Good Luck!
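The scope layout described in the reply above, as an added example that is not part of the original post: a small checker that confirms option 191 is offered in the data VLAN, that the VLAN it names has a scope offering option 128, and that both strings are well formed. The field layout is inferred from the two strings quoted in the thread, and data VLAN ID 1 is a constructed value.

```python
import ipaddress
import re

# Formats assumed from the two strings quoted in the thread (one VLAN ID only):
#   option 128: Nortel-i2004-A,<ip>:<port>,<action>,<retry>;<second server>.
#   option 191: VLAN-A:<vlan id>.
OPT128 = re.compile(r"^Nortel-i2004-A,([^;]+);([^;]+)\.$")
OPT191 = re.compile(r"^VLAN-A:(\d+)\.$")

# Constructed sample: data VLAN 1 is an assumption; option strings are from the thread.
SAMPLE = {
    1: {191: "VLAN-A:501."},
    501: {128: "Nortel-i2004-A,10.2.224.15:4100,1,2;10.2.224.15:4100,1,2."},
}

def parse_opt191(value):
    """Return the voice VLAN ID, or raise ValueError (stray quotes, no final dot)."""
    m = OPT191.match(value)
    if not m or not 1 <= int(m.group(1)) <= 4094:
        raise ValueError(f"bad option 191: {value!r}")
    return int(m.group(1))

def parse_opt128(value):
    """Return [(ip, port, action, retry), ...] for both servers, or raise ValueError."""
    m = OPT128.match(value)
    if not m:
        raise ValueError(f"bad option 128: {value!r}")
    servers = []
    for part in m.groups():
        addr, action, retry = part.split(",")
        host, port = addr.rsplit(":", 1)
        servers.append((str(ipaddress.ip_address(host)), int(port), int(action), int(retry)))
    return servers

def check_scopes(scopes, data_vlan):
    """scopes maps VLAN ID -> {option number: string}; returns a list of problems."""
    if 191 not in scopes.get(data_vlan, {}):
        return [f"VLAN {data_vlan}: option 191 missing from the data VLAN scope"]
    try:
        voice_vlan = parse_opt191(scopes[data_vlan][191])
        if 128 not in scopes.get(voice_vlan, {}):
            return [f"VLAN {voice_vlan}: option 128 missing from the voice VLAN scope"]
        parse_opt128(scopes[voice_vlan][128])
    except ValueError as err:
        return [str(err)]
    return []

if __name__ == "__main__":
    print(check_scopes(SAMPLE, data_vlan=1) or "scopes match the described sequence")
```

A value pasted with typographic quotes around it, or without the trailing period, is reported as malformed rather than silently accepted.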
Hi Michael,
If I hard code a Nortel IP Phone with an IP Address on the Voice VLAN and the IP Phone is connected to Port 1/3 which is associated with the command “vlan ports 1/1-47 tagging unTagPvidOnly”, shouldn’t the Phone work just fine without manual intervention of changing the Port’s PVID to be that of the Voice VLAN ID instead of the Data/Native VLAN?
This unfortunately didn’t work. The PVID for Port 1/3 had to be changed to the Voice VLAN ID.
Any ideas?
Hi Eric,
The unTagPvidOnly setting will only impact devices that you have connected to the PC port of the IP phone. Because those devices generally won’t understand the 802.1q header, the PVID needs to be set to the data VLAN and the switch will strip the 802.1q headers off the Ethernet frames before it sends them down the IP phone and ultimately out the PC port.
How do you make it work? You need to set the Voice VLAN ID within the IP phone and you need to make sure that the port (1/3) is a member of that VLAN. With that done the IP phone will boot either with a static IP address or with a DHCP address if you have a DHCP pool available in that VLAN.
Good Luck!
Thanks Mike,
I just confirmed with the Client that the IP Phone wasn’t programmed with the Voice VLAN manually. So that most likely explains why it didn’t work as expected.
I just want to use this opportunity to say that I have been reviewing your Blog for months now and it has been very informative in every way one can imagine.
I really appreciate the effort you have put into it and thanks again for the great work overall.
I guess, I speak for most of us when I say that your work as regards to your Blog is inspiring.
Thanks again!
- #20 written by Deepak 2 years ago
- #22 written by Deepak 2 years ago
Hi Deepak,
You can’t set that option with the legacy Nortel-i2004-A option. You need to use the Nortel-i2004-B option which requires UNIStim v2.3 or later firmware on the IP phones. You can find additional information on the Nortel-i2004-B option in this post. If you only have a few phones you can probably just enable bluetooth from the phone itself.
Cheers!
- #25 written by JamesAttanasio 1 year ago
Hello Michael and everybody reading this.
Our infrastructure :
Network : Nortel stacks with 5520 switches (firmware 6.0.1.002)
IP Phones : Cisco 7911
Data vlan configured on every port. Adac is configured to dynamically assign voice vlan to a port. Unfortunately this is not working well : We often see phones that go in the data vlan and stay.
Our switch configuration looks equal as yours but…something must be wrong.
It is interesting to note that :
a. disabling/enabling adac on the port can put the phone in the voice vlan.
b. disabling/enabling poe can also put the ipphone in the voice vlan.
c. this can happen on every port.
- #26 written by Hemant Shingane 1 year ago
Michael,
I am very happy about your blog because i got lot of information on Nortel Switches.
I am facing one problem in ERS 5520 that whenever I remove the cable from port, I am not getting any cli messages (alert) on cli prompt. But in cisco switch whenever I disconnected port from cisco switch, I am getting alert messages on cli prompt. So I need a solution on ERS 5520 as well as ERS 8600.
Thanks
Hemant Shingane
Thanks for the comment Eric.
If you haven’t already drop by the discussion forums, it’s a great place to share your questions or help answer a few.
Cheers!
Michael,
Although I’ve been using ADAC on my 5520 switches to configure VoIP in my small network, I’m unable to find the software version v5.1.1.17 on Nortel web site to confirm if there are any issues with it, when doing upgrades.
I guess this upgrade is only available to large scale customers.
Michael, going off the topic. I was wondering if you could share some thoughts, configuration examples on security measures you have implemented in your VoIP network using ERS-5520 switches? Do you use any special hardware or software to secure the network?
Thanks for all the good stuff available here.
WK