Michael McNamara

technology, networking and IP telephony


Happy St. Patrick’s Day

Mar 17th

Posted by Michael McNamara in PersonalComputing

No comments

It’s really amazing how fast the days, weeks and months go by. If you’re looking to listen to some traditional and folk music straight from Dublin, Ireland, browse over to www.liveireland.com.

Cheers!


How to set passwords from the CLI?

Mar 11th

Posted by Michael McNamara in EthernetRtngSwitch

7 comments

There have been quite a few comments posted to the Factory Reset Nortel Ethernet Switch article. One of those comments requested some help with setting the passwords from the CLI (command line interface). You’ll obviously need the read-write password in order to log in to the switch and reset the passwords. Without the read-write password you’ll need to factory reset the switch.

Note: I’m still trying to figure out the best way to display the CLI stuff… if I use the PRE HTML tag the font is really too small, if I don’t use the PRE HTML tag the formatting (spacing) gets lost making it difficult to compare the post with the real world output from a CLI interface.

Nortel Ethernet Routing Switch 5500 Series (v5.1)

Here’s how to set the passwords on the Nortel Ethernet Routing Switch 5500 Series (v5.1 software).

5520-48T-PWR>enable
5520-48T-PWR#config term
Enter configuration commands, one per line.  End with CNTL/Z.

What’s the syntax to set the read-only and read-write passwords?

5520-48T-PWR(config)#cli password ?
read-only   Modify read-only password
read-write  Modify read-write password
serial      Enable/disable serial port password.
telnet      Enable/disable telnet and web password.

We’ll use the commands below to set the read-only (RO) password to “readonlypassword” and the read-write (RW) password to “readwritepassword”;

5520-48T-PWR(config)#cli password read-only readonlypassword
5520-48T-PWR(config)#cli password read-write readwritepassword

What is the syntax to enable the passwords on the serial and telnet interfaces?

5520-48T-PWR(config)#cli password serial ?
local   Use local password.
none    Disable password.
radius  Use RADIUS password authentication.
tacacs  Use TACACS+ AAA services

5520-48T-PWR(config)#cli password telnet ?
local   Use local password.
none    Disable password.
radius  Use RADIUS password authentication.
tacacs  Use TACACS+ AAA services

We’ll use the commands below to set the serial and telnet interface to use the local passwords we’ve just configured above. You could also use RADIUS and TACACS authentication if you set it up.

5520-48T-PWR(config)#cli password serial local
5520-48T-PWR(config)#cli password telnet local

And let’s not forget to save the configuration file (even though the switch should auto-save it).

5520-48T-PWR(config)#copy config nvram
5520-48T-PWR(config)#exit
5520-48T-PWR#disable
5520-48T-PWR>

Nortel Ethernet Routing Switch 4500 Series (v5.0)

The Nortel Ethernet Routing Switch 4500 Series (v5.0 software) is practically identical to the 5500 series except that it does not yet support TACACS authentication.

4548GT-PWR(config)#cli password ?
read-only   Modify read-only password
read-write  Modify read-write password
serial      Enable/disable serial port password.
telnet      Enable/disable telnet and web password.

4548GT-PWR(config)#cli password serial ?
local   Use local password.
none    Disable password.
radius  Use RADIUS password authentication.

4548GT-PWR(config)#cli password telnet ?
local   Use local password.
none    Disable password.
radius  Use RADIUS password authentication.

Nortel Ethernet Switch 460/470 (v3.7.2)

The Nortel Ethernet Switch 460/470 (v3.7.2 software) is identical to the ERS 4500 series.

470-48T>enable
470-48T#config term
Enter configuration commands, one per line.  End with CNTL/Z.

470-48T(config)#cli password ?
read-only   Modify read-only password
read-write  Modify read-write password
serial      Enable/disable serial port password.
telnet      Enable/disable telnet and web password.

470-48T(config)#cli password serial ?
local   Use local password.
none    Disable password.
radius  Use RADIUS password authentication.

470-48T(config)#cli password telnet ?
local   Use local password.
none    Disable password.
radius  Use RADIUS password authentication.

Hopefully this should help a few folks out.

Cheers!

ERS4500, ERS5500, ES460, ES470, PASSWORDS

How to find a wireless device?

Mar 8th

Posted by Michael McNamara in WirelessLANSwitch

4 comments

In this post I’ll review how you can find a specific wireless device on your Motorola WS5100 Wireless LAN Switch. We’re going to use the poor man’s “locationing” as opposed to the features and integration that Motorola is currently building into the WS5100 and RFS7000 switches to support products such as AeroScout.

We want to locate the following device wireless-laptop.acme.org so we need to start by identifying the IP address of the device. Thanks to Dynamic DNS we can be assured that our DNS servers will have that information.

C:\> nslookup wireless-laptop.acme.org.
Server:         10.1.1.1
Address:        10.1.1.1#53

Name:   wireless-laptop.acme.org
Address: 10.1.195.55

In most circumstances we’d now need to identify the MAC address of the wireless device. We can skip that step since the WS5100 will have the IP address of the client for us to search against.

WS5100# show wireless mobile-unit
Number of mobile-units associated: 23
index   MAC-address       radio type wlan vlan/tunnel  ready  IP-address    last active
  1     00-1B-77-30-DF-80  30    11a  1      vlan 18   Y     10.1.195.57   1 Sec
  2     00-20-E0-1A-0F-E5  58    11a  1      vlan 18   Y     10.1.195.48   20 Sec
  3     00-13-E8-86-DF-F3  30    11a  1      vlan 18   Y     10.1.195.96   0 Sec
  4     00-15-00-32-8C-EC  19    11a  1      vlan 18   Y     10.1.195.31   31 Sec
  5     00-15-00-32-D6-46  29    11a  1      vlan 18   Y     10.1.195.50   16 Sec
  6     00-15-00-32-D3-67  1     11g  2      vlan 17   Y     10.1.194.54   4 Sec
  7     00-A0-F8-D4-46-9C  2     11b  4      vlan 22   Y     10.1.206.53   223 Sec
  8     00-A0-F8-D4-48-FD  1     11b  4      vlan 22   Y     10.1.206.207  215 Sec
  9     00-1B-77-2A-99-05  30    11a  1      vlan 18   Y     10.1.195.55   7 Sec
  10    00-18-DE-7A-76-D0  30    11a  1      vlan 18   Y     10.1.195.67   16 Sec
  11    00-16-6F-1D-F1-B9  1     11g  2      vlan 17   Y     10.1.194.44   6 Sec
  12    00-1B-77-31-11-77  30    11a  1      vlan 18   Y     10.1.195.68   4 Sec
  13    00-90-7A-04-16-5F  1     11b  3      vlan 21   Y     10.1.198.52   11 Sec
  14    00-A0-F8-D6-3C-2A  1     11b  4      vlan 22   Y     10.1.206.70   652 Sec
  15    00-A0-F8-D4-45-A5  2     11b  4      vlan 22   Y     10.1.206.252  170 Sec
  16    00-13-E8-5B-ED-73  30    11a  1      vlan 18   Y     10.1.195.106  4 Sec
  17    00-13-E8-5B-EE-39  30    11a  1      vlan 18   Y     10.1.195.111  23 Sec
  18    00-18-DE-7A-9E-3A  30    11a  1      vlan 18   Y     10.1.195.77   20 Sec
  20    00-90-7A-03-5E-C7  1     11b  3      vlan 21   Y     10.1.198.50   23 Sec
  21    00-13-E8-86-C8-55  30    11a  1      vlan 18   Y     10.1.195.107  5 Sec
  22    00-A0-F8-D4-48-5F  1     11b  4      vlan 22   Y     10.1.206.145  124 Sec
  24    00-13-E8-86-C7-E7  30    11a  1      vlan 18   Y     10.1.195.110  10 Sec
  26    00-1B-77-2A-5C-6C  30    11a  1      vlan 18   Y     10.1.195.81   37 Sec

Note: if you have a lot of mobile units you can use grep;

WS5100# show wireless mobile-unit | grep "10.1.195.55"
   9     00-1B-77-2A-99-05  30    11a  1      vlan 18   Y     10.1.195.55   7 Sec

Now that we have the MU (Mobile Unit) index (the first number on the line) we can get the full details;

WS5100# show wireless mobile-unit 9

MAC: 00-1B-77-2A-99-05, IP Address: 10.1.195.55, Type: 11a, State: data-ready
Radio Config Index: 30, Bssid: 00-15-70-12-1D-78
Wlan: 1, Vlan: vlan 18, Voice: N, Powersave: N, Classification: normal
Encryption Type: tkip (key index: 1) Authentication Type: eap
Last Assoc: 7990 seconds ago, Last Activity: 23 seconds ago, Roam-Count: 18
DHCP state : DHCPNONE AP Scan Support: N
Session Timeout: 100 days 00:00:00  Idle Timeout: 0 days 00:30:00

In the information above we can see that the MU is associated to radio 30, so let’s look at radio 30;

WS5100# show wireless radio 30

Radio: 30, Mac: <00-15-70-11-34-32>, Type: 11a, ap Index: 7, vlan 198
Current Channel: 36 [5180 MHz], Configured Channel: acs
Current Power: 17 dBm, Max ESS: 16, Max BSS: 4, Num Mu: 11
BSS: 00-15-70-12-1D-78, State: normal
Current Data-Rates/Speed:  basic6 9 basic12 18 basic24 36 48 54
Last Adoption: 0 days 20:55:16 ago

Configuration:
Adoption-pref-id: 0
Max-mobile-unit: 256, Detector: N, On-channel-scan: N
WLAN-BSS mapping: [BSS 1]: 1
RTS-thres: 2346 bytes, Beacon-intvl: 100 K-uSec
Dtim-count: [BSS 1]: 10 beacons
Dtim-count: [BSS 2]: 10 beacons
Dtim-count: [BSS 3]: 10 beacons
Dtim-count: [BSS 4]: 10 beacons
CCA level: 1, CCA Mode: 1, mobile-unit power: 0 dBm
Short-Preamble: disabled, Antenna-Mode: diversity (both antennas)
Placement: indoor, Channel-Mode: acs, Power: 20 dBm
Data-Rates/Speed:  basic6 9 basic12 18 basic24 36 48 54
WMM [best-effort]: aifsn: 3 txop-limit: 0 cwmin: 4 cwmax: 6
admission-control: disabled, max-mobile-unit: 32
WMM [background]: aifsn: 7 txop-limit: 0 cwmin: 4 cwmax: 10
admission-control: disabled, max-mobile-unit: 32
WMM [video]: aifsn: 1 txop-limit: 94 cwmin: 3 cwmax: 4
admission-control: disabled, max-mobile-unit: 32
WMM [voice]: aifsn: 1 txop-limit: 47 cwmin: 2 cwmax: 3
admission-control: disabled, max-mobile-unit: 32

It doesn’t look like the Motorola switch shows us the radio description above so we’ll need to use another command to get the description;

WS5100# show wireless radio config 30

Radio: 30, Description: Main Building Lobby, MAC: 00-15-70-11-34-32
Radio Type: 11a, AP Type: ap300
Adoption-pref-id: 0
Max-mobile-unit: 256, Detector: N, On-channel-scan: N
WLAN-BSS mapping: [BSS 1]: 1
RTS-thres: 2346 bytes, Beacon-intvl: 100 K-uSec
Dtim-count: [BSS 1]: 10 beacons
Dtim-count: [BSS 2]: 10 beacons
Dtim-count: [BSS 3]: 10 beacons
Dtim-count: [BSS 4]: 10 beacons
CCA level: 1, CCA Mode: 1, mobile-unit power: 0 dBm
Short-Preamble: disabled, Antenna-Mode: diversity (both antennas)
Placement: indoor, Channel-Mode: acs, Power: 20 dBm
Data-Rates/Speed:  basic6 9 basic12 18 basic24 36 48 54
WMM [best-effort]: aifsn: 3 txop-limit: 0 cwmin: 4 cwmax: 6
admission-control: disabled, max-mobile-unit: 32
WMM [background]: aifsn: 7 txop-limit: 0 cwmin: 4 cwmax: 10
admission-control: disabled, max-mobile-unit: 32
WMM [video]: aifsn: 1 txop-limit: 94 cwmin: 3 cwmax: 4
admission-control: disabled, max-mobile-unit: 32
WMM [voice]: aifsn: 1 txop-limit: 47 cwmin: 2 cwmax: 3
admission-control: disabled, max-mobile-unit: 32

So it looks like the device we’re looking for, wireless-laptop.acme.org (10.1.195.55), is connected to radio 30 (802.11a) which has a description of “Main Building Lobby”. While this will give you an idea of the basic location it doesn’t provide you a specific location. While there are new APIs in the WS5100 and RFS7000 that can provide locationing by means of triangulation between multiple Access Ports, they require external applications and management software.

Obviously you’ll need to make sure that you’ve put descriptive locations on each radio (AP300) through the Motorola console when configuring/installing the APs.
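The mobile-unit lookup step above can be done with an exact match on the IP-address column instead of a text filter, which matters when the address you search for is a prefix of others (10.1.195.5 is contained in 10.1.195.50, .55 and .57). This is an added example, not part of the original post; the function names are hypothetical and the sample rows are copied from the output shown above.

```python
import ipaddress
import re

# Constructed sample: four rows taken from the `show wireless mobile-unit` output above.
SAMPLE = """\
Number of mobile-units associated: 23
index   MAC-address       radio type wlan vlan/tunnel  ready  IP-address    last active
  1     00-1B-77-30-DF-80  30    11a  1      vlan 18   Y     10.1.195.57   1 Sec
  2     00-20-E0-1A-0F-E5  58    11a  1      vlan 18   Y     10.1.195.48   20 Sec
  5     00-15-00-32-D6-46  29    11a  1      vlan 18   Y     10.1.195.50   16 Sec
  9     00-1B-77-2A-99-05  30    11a  1      vlan 18   Y     10.1.195.55   7 Sec
"""

# One table row, in the column layout shown on this page ("vlan N" in the vlan/tunnel column).
ROW = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<mac>(?:[0-9A-F]{2}-){5}[0-9A-F]{2})\s+(?P<radio>\d+)\s+"
    r"(?P<type>\S+)\s+(?P<wlan>\d+)\s+vlan\s+(?P<vlan>\d+)\s+(?P<ready>[YN])\s+"
    r"(?P<ip>\d+(?:\.\d+){3})\s+(?P<idle>\d+)\s+Sec\s*$"
)


def parse_mobile_units(text):
    """Return one dict per mobile-unit row; header and non-matching lines are skipped."""
    units = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            unit = m.groupdict()
            for key in ("index", "radio", "wlan", "vlan", "idle"):
                unit[key] = int(unit[key])
            units.append(unit)
    return units


def find_by_ip(text, ip):
    """Exact match on the IP-address column (compared as addresses, not as text)."""
    wanted = ipaddress.ip_address(ip)
    return [u for u in parse_mobile_units(text)
            if ipaddress.ip_address(u["ip"]) == wanted]


def substring_hits(text, needle):
    """MU indexes of rows that a plain substring filter on the whole line would return."""
    return [int(ROW.match(line)["index"]) for line in text.splitlines()
            if ROW.match(line) and needle in line]


if __name__ == "__main__":
    for unit in find_by_ip(SAMPLE, "10.1.195.55"):
        print(f"MU index {unit['index']}  MAC {unit['mac']}  radio {unit['radio']}")
    print("substring filter for 10.1.195.5 matches MU indexes:",
          substring_hits(SAMPLE, "10.1.195.5"))
```

The radio number returned here is what you feed into `show wireless radio config` to read the description.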

Cheers!

MU, WLAN, WS5100

Ethernet Frames Maligned

Mar 2nd

Posted by Michael McNamara in EthernetRtngSwitch

No comments

I thought I would share this story with everyone. We had discovered an issue with Ethernet frames being maligned/corrupted between the Motorola Access Port 300 (AP300) and the Motorola Wireless (WS5100) LAN Switch.

We had a ticket open with Motorola trying to understand why a significant number of our AP300s were rebooting themselves at odd hours during the early morning. Motorola had requested that we provide network traces at the Access Point and Wireless Switch. Surprisingly Motorola came back and pointed out that the payload in some of the Ethernet frames was getting modified between the Wireless Switch and the Access Port.

The equipment involved in this problem was as follows: Nortel Ethernet Switch 460 (ES 460), Ethernet Switch 470 (ES 470), Ethernet Routing Switch 5520 (ERS 5520), Ethernet Routing Switch 8600 (ERS8600); Motorola Wireless LAN Switch 5100 (WS5100) and Access Ports 300 (AP300).

The Motorola WS5100s and AP300s are physically connected over the same Layer 2 Ethernet network. The “Ethernet 1” port on the WS5100 is connected to a Virtual Local Area Network (VLAN) which provides a single broadcast domain for all AP 300s to connect to the WS5100. The “Ethernet 2” port on the WS5100 is used as a trunk interface to bridge between the WLANs (wireless) and VLANs (wired) segments. We essentially have core switches and edge switches (distribution is collapsed down into the core). The core switch can be a single ERS8600 or a pair of ERS8600s (Layer 3) connected via an IST (Inter-Switch Trunk). At the edge we generally deploy ES470 (Layer 2) or ERS5520 (Layer 2). We have deployed ES460s (PoE) into closets where ES470s are already present to specifically support PoE and the wireless network.

Here is a quick topology of the network with respect to the WS5100s and AP300s.
We recently started deploying the ERS5520s (in place of the ES470s) which directly support PoE, allowing us to deploy one less piece of equipment at the edge and providing one less bridge (hop) to switch through.

We have been plagued by a problem that is affecting the Motorola AP300s causing them to randomly reset and re-adopt at different times of the day without warning or cause. In searching for the cause of this problem we’ve documented numerous Ethernet frames being maligned as they travel from the AP300 to the WS5100.

With respect to the examples I’m going to draw the following topology applies;

It should be noted that we do use the ES460s and ERS5520s to remark the 802.1p bits in the Ethernet frame so we can provide some measure of QoS with respect to the Nortel (Spectralink) Wireless LAN phones that we currently have deployed. In essence we mark all Ethernet packets on the “APVLAN” with a QoS level of 4 (“Gold”, BoSS-65530).

Network Trace Analysis

I will refer to the following two trace files;

“ers460side1.pcap” closet ES460 trace
“ers8600side1.pcap” core ERS8600 trace

I tried to merge up the two traces so each trace is synchronous with the other. We’ll focus on packet 3; you can see in the closet ES460 trace that bytes 15 and 16 are 0x20 and 0x12 respectively.

Looking at the other trace you can see that bytes 15 and 16 are different than in the first trace. You can see that the bits in 16 have been shifted to bytes 26.

You can again see the same problem in packet 4;


You can see it again in packets 6, 7, 10, 39, 43, 45, etc.

In the end the problem turned out to be a software/hardware issue with the Nortel Ethernet Routing Switch 8600. If DiffServ was enabled on the Ethernet port that was being mirrored, the mirrored data was somehow getting corrupted in the process of copying the packets. Once we disabled DiffServ on the Ethernet port the problem disappeared. We opened a case with Nortel but were told that it would be handled as an enhancement request, not a correction request (go figure!).

I personally no longer trust either the port mirror or packet capture facilities of the Nortel ERS 8600 and rely on physical taps so there can be no doubt or questions about the validity of the capture data.
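The byte-by-byte comparison of two capture points described in the trace analysis above can be automated, which is also a quick way to validate a port mirror against a physical tap. This is an added example, not part of the original post: the function names are hypothetical, the two in-memory captures are constructed sample data (only the 0x20 0x12 values at bytes 15 and 16 come from the text), and it assumes classic little-endian pcap files whose packets are already aligned one-to-one.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps


def read_pcap(data):
    """Return the frames (as bytes) stored in a classic little-endian pcap byte string."""
    if len(data) < 24 or struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    frames, off = [], 24                          # skip the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        frames.append(data[off + 16: off + 16 + incl_len])
        off += 16 + incl_len
    return frames


def make_pcap(frames):
    """Build a classic pcap in memory; used here only to construct the sample input."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for frame in frames:
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


def diff_captures(pcap_a, pcap_b):
    """Map 1-based packet number -> 1-based byte positions that differ between captures."""
    report = {}
    pairs = zip(read_pcap(pcap_a), read_pcap(pcap_b))
    for number, (a, b) in enumerate(pairs, start=1):
        bad = [i + 1 for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(a) != len(b):
            bad.append(min(len(a), len(b)) + 1)   # first position past the shorter frame
        if bad:
            report[number] = bad
    return report


# Constructed sample: three 40-byte frames; the third is altered in the second capture.
GOOD = bytes(14) + b"\x20\x12" + bytes(24)
ALTERED = bytes(14) + b"\x00\x00" + bytes(24)
CLOSET_TRACE = make_pcap([GOOD, GOOD, GOOD])
CORE_TRACE = make_pcap([GOOD, GOOD, ALTERED])

if __name__ == "__main__":
    for number, positions in diff_captures(CLOSET_TRACE, CORE_TRACE).items():
        print(f"packet {number}: bytes {positions} differ")
```

Any difference reported between a tap capture and a mirror capture of the same link points at the capture path rather than at the traffic itself.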

We still have issues with our Motorola AP300s rebooting from time to time but they have been much better since Motorola released v2.1.3 software for the WS5000/WS5100s. We are currently working with Motorola to resolve issues in their v3.x software line that is causing our Nortel 2211 (Spectralink) wireless phones to occasionally reboot while idle and roaming.

Cheers!

ERS8600, PCAP, PORT MIRROR, WS5100
    Michael's blog by Michael McNamara is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.