Posts Tagged ERS5500
Nortel ERS 5500 Software 6.1.2 Available
Posted by Michael McNamara in EthernetRtngSwitch, Nortel on December 28, 2009
Nortel has released software 6.1.2 for the Nortel Ethernet Routing Switch 5000 series switches. This includes the Ethernet Routing Switch 5510/5520/5530/5698/5650/5632. While there are a number of fixes in this software release there are some very interesting new features primarily concerned with VLAN assigned through 802.1x authentication (both EAP and non-EAP clients) in conjunction with RADIUS. Here is a list of the new features;
- Dynamic VLAN assignment from RADIUS server for EAP and non-EAP authenticated devices
- 802.1X Authentication, NEAP / MAC-based Authentication, and Guest VLAN functionality on the same port
- 802.1X Authentication and NEAP functionality with Radius, but with Radius response using VLAN names instead of VLAN ids
- 802.1X Authentication and NEAP with Fail-Open functionality
- Support for DDI SFPs
As always I would strongly suggest you review the release notes for yourself.
Cheers!
How to configure SNMP v3 on Nortel Ethernet Routing Switches
Posted by Michael McNamara in EthernetRtngSwitch, Nortel on October 24, 2009
Here are the values I’m going to be using below;
SNMP v1,v2 read-only string = readme123
SNMP v1,v2 read-write string = writeme123
SNMP v3 userID = Manager (yes I use the same username as the old BayRS software)
SNMP v3 SHA authentication = winnie2009
SNMP v3 AES encryption = poobear2009
Nortel Ethernet Routing Switch 8600
One word of caution with the ERS8600; early default switch configurations included a SNMPv3 user called initial that had full read-write access to the entire switch. I’m not sure if Nortel has changed this behavior but I would strongly urge you to delete any default SNMP v3 users as well as change the default SNMP community strings.
Let’s set the SNMP community strings right away;
ERS-8610:5# config snmp-v3 community commname first new-commname readme123 ERS-8610:5# config snmp-v3 community commname second new-commname writeme123
Let’s load the proper AES, 3DES and DES encryption files;
ERS-8610:5# config load-encryption-module 3DES /flash/p80c5110.img ERS-8610:5# config load-encryption-module AES /flash/p80c5110.aes
Let’s create a new SNMP v3 user called Manager;
config snmp-v3 usm create Manager sha auth winnie priv-prot aes priv poo
Let’s create a new SNMP v3 group called admin;
config snmp-v3 group-access create admin "" usm authPriv
Let’s give this new group access to the root MIB;
config snmp-v3 group-access view admin "" usm authPriv read root write root notify root
Let’s add the user Manager to the group admin;
config snmp-v3 group-member create Manager usm admin
Let’s clear out any previous SNMP trap hosts;
config snmp-v3 target-addr delete TAddr1 config snmp-v3 target-addr delete TAddr2
Let’s configure two new SNMP trap hosts. I actually have two configured on all my switches, with one being our HP OpenView Network Node Manager server (10.1.31.1) and the second being our Nortel Enterprise Network Management System server (10.1.31.2);
config snmp-v3 target-addr create HPOpenView 10.1.31.1:162 TparamV1 taglist trapTag config snmp-v3 target-addr create NortelENMS 10.1.31.2:162 TparamV1 taglist trapTag
Let’s delete that default SNMP v3 user just in case it still exists;
config snmp-v3 usm delete initial
Let’s set the source IP address used to communicate with the SNMP trap hosts. I want this to be the CLIP (Circuitless IP Interface) that I use for all management purposes which in this example is 10.1.50.1. I should mention that the commands below may not appear in switch software earlier than 4.7.1 or 4.6.3.
config sys set snmp sender-ip 10.1.31.1 10.1.50.1 config sys set snmp sender-ip 10.1.31.2 10.1.50.1 config sys set snmp force-trap-sender true config sys set snmp force-iphdr-sender true
That should be everything for the Ethernet Routing Switch 8600.
Nortel Ethernet Routing Switch 1600
I’m not going to go into the line by line detail here as I did above. You should be able to follow the explanation provided above.
ERS-1648T:1# config load-module DES /flash/p16c2160.des ERS-1648T:1# config snmp-v3 community commname first new-commname readme123 ERS-1648T:1# config snmp-v3 community commname second new-commname writeme123 ERS-1648T:1# config snmp-v3 usm create Manager sha auth winnie2009 priv poobear2009 ERS-1648T:1# config snmp-v3 group-access create admin "" usm authPriv ERS-1648T:1# config snmp-v3 group-access view admin "" usm authPriv read root write root notify root ERS-1648T:1# config snmp-v3 group-member create Manager usm admin ERS-1648T:1# config snmp-v3 target-addr create HPOpenView 10.1.31.1:162 TparamV1 taglist trapTag ERS-1648T:1# config snmp-v3 target-addr create NortelNMS 10.1.31.2:162 TparamV1 taglist trapTag ERS-1648T:1# config snmp-v3 usm delete initial
That’s the ERS1600 series switch.
Nortel Ethernet Routing Switch 4500, 5500, 5600 Series
We need to create a new view so we’ll use the name snmpView;
5520-48T-PWR(config)# snmp-server view snmpView +1.3
If you have the secure image loaded then you have access to SHA authentication, DES, 3DES and AES encryption.
5520-48T-PWR(config)# snmp-server user Manager sha winnie2009 aes poobear2009 read-view snmpView write-view snmpView notify-view snmpView
If you receive an error using the command above (see below) you may not have the secure software image loaded on the switch. If you want to use SHA authentication, DES, 3DES or AES encryption you’ll need to load the secure image. Example SW:v6.1.0.006 will only allow you to use the md5 authentication with no encryption while SW:v6.1.0.007 will allow both MD5 and SHA authentication along with DES, 3DES or AES encryption.
5520-48T-PWR(config)#snmp-server user Manager sha winnie2009 aes poobear2009 read-view snmpView write-view snmpView notify-view snmpView
snmp-server user Manager sha winnie2009 aes poobear2009 read-view snmpView writ
^
% Invalid input detected at '^' marker.
You can use the following command to just use MD5 authentication with no encyrption;
5520-48T-PWR(config)#snmp-server user Manager md5 winnie2009 read-view snmpView write-view snmpView notify-view snmpView
Java Device Manager
With all that done you can now use Nortel’s Java Device Manager to manage the switch using SNMP v3.
In the example to the left I’m going to connect to the ERS8600 switch at the management IP address of 10.1.50.1.
We are going to use the SNMP v3 user of Manager which we configured above.
We will also use the Authentication Protocol of SHA-96 using the Authentication Password of winnie2009 which we configured above.
We will use the Privacy Protocol of AES which we configured above along with the Privacy Password of poobear2009.
Cheers
Changing SNMP Community Strings
Posted by Michael McNamara in EthernetRtngSwitch, EthernetSwitch, Nortel on October 20, 2009
In this day and age it’s not a very good idea to leave the default SNMP community strings configured in any network electronics. The general default configuration uses public for read-only and private for read-write, these defaults apply to the Nortel Ethernet Switch and the Nortel Ethernet Routing Switch.
You can certainly do this from Nortel’s Java Device Manager, however, you need to be careful that you don’t saw off the branch you’re standing on when you change the SNMP community string. It’s best to configure the SNMP community strings from the CLI interface to avoid any potential issues.
Here are the CLI commands to configure the SNMP community strings on the ERS 8600 and 1600 switch. In the example below we’ll set the read-only string to open and the read-write string to lock.
ERS-8610:5# config snmp-v3 community commname first new-commname open ERS-8610:5# config snmp-v3 community commname second new-commname lock
Here are the CLI commands to configure the SNMP community strings on the ERS 4500, ERS 5500 and ES460/470 switches. In the example below we’ll set the read-only string to open and the read-write string to lock.
5520-48T-PWR (config)# snmp-server community open ro 5520-48T-PWR (config)# snmp-server community lock rw
Cheers!
User Interface Button (UI Button)
Posted by Michael McNamara in EthernetRtngSwitch, Nortel on July 30, 2009
You can guess where I’m going with this one right? I’ll spare everyone the story… although here’s what the little devil of a button can do according to the documentation.
Assigning IP parameters using the UI button
- Press and hold the UI button for 3 seconds.
The unit will now be in configuration mode. The Status LED will now change to a blinking green status. - Press the UI button 5 times.
The Base LED and the Up and Down LEDs will now be steady amber to indicate that the button press was recognized. - Press the UI button and hold in for 3 seconds to confirm the command.
The In-Use IP address will now be changed to 192.168.192.168. The color and status of the Status LED will turn to steady green once the command has been accepted. If the command is rejected, the Status LED turns amber blinking. - Initial IP configuration using the UI button is now complete.
To continue with switch configuration, access the switch through the NNCLI, Web-based Management Interface, or Device Manager.
Setting a base unit using the UI button
- Press and hold the UI button for three seconds.
The unit is now in configuration mode. The color and status of the Status LED turns to blinking green. - Press the UI button once.
The Base LED is illuminated and the Up and Down LEDs are off to indicate that the button press was recognized. - Press and hold the UI button for three seconds to confirm the command.
The Status LED returns to a steady green state to confirm command acceptance. If the command is rejected, the Status LED moves to a blinking amber state.
Setting non-base units using the UI button
- Press and hold the UI button for three seconds.
The unit is now in configuration mode. The color and status of the Status LED turns to blinking green. - Press the UI button twice.
The Base LED will turn off and the Up and Down LEDs are turned off. - Press and hold the UI button for three seconds to confirm the commands.
Resetting a stack using the UI button
- Press and hold the UI button for three seconds.
The unit is now in configuration mode. The color and status of the Status LED turns to blinking green. - Press the UI button three times.
The Base, Up, and Down LEDs will move to a blinking amber state and blink in unison. - Press and hold the UI button for three seconds to confirm the command.
Abandoning a command
- Wait approximately twenty seconds after entering the command (without confirming it) and the input is ignored.
- Exit configuration mode by pressing the UI button nine or more times.
Note: Wait sixty seconds after the last configuration change before resetting the unit. The system can take up to this long to save configuration changes to the NVRAM. Stacks can be reset immediately after the last configuration change without any loss of information.
I’ve already added the following command into my default configuration template, “no ui-button enable” and I’ll be reconfiguring every ERS 5500/5600 series switch we have installed. I would strongly suggest that folks disable this feature. If you haven’t seen the button there’s a picture of it below, the Nortel logo is the actual button.
Cheers!
About Me
network architect and security professional, excited about helping folks make the most out of what technology as a whole has to offer.
POLL
Loading ...
RECENT COMMENTS