This is a follow-up post to my wildly popular article entitled, Nortel ERS 5520 PwR Switch which I posted back in October 2007 providing a working configuration for an Avaya Ethernet Routing Switch 5520 for IP telephony deployments.
Here’s the configuration template that I’m currently using today for the Avaya Ethernet Routing Switch 5500, 4800 and 4500 series switches. This is essentially a best practices configuration for a typical closet/edge switch (Layer 2) with ADAC/LLDP-MED for completely automated, zero-touch IP telephony deployments.
With the firmware that currently ships with the Avaya 1100 and 1200 series IP phones you only need to unbox the phone and connect it to the network. You’ll also need to make sure that you have your provisioning files set up properly but you can easily attain a zero-touch configuration for greenfield deployments.
Please note there are some options in this post which are only available in the later software releases for each switch model. These commands were tested on an Avaya Ethernet Routing Switch 4850GT-PWR+ running 5.6.2 software.
We need to be in privileged mode before we can enter configuration mode;
enable
configure terminal
Let’s start by setting the read-only and read-write passwords (the default usernames are RO=read-only and RW=read-write)
cli password read-only ropassword
cli password read-write rwpassword
cli password serial local
cli password telnet local
If you don’t care to see the banner when connecting via telnet then disable it;
banner disable
If you are working with an Avaya Ethernet Routing Switch 5000 series switch let’s disable the UI button on the outside of the switch. This feature is only available on the ERS 5000 series switches so this command won’t work with the ERS 4000 series switches.
no ui-button enable
Let’s set VLAN control to autopvid; this will instruct the switch to change the PVID to the VLAN assigned to the port for access (UntagAll) ports.
vlan configcontrol autopvid
If we have 2 or more switches in a stack configuration we’ll be utilizing ports on both switches for our uplinks, 1/48 and 2/48. If we only had a single switch and not a stack of switches we would use 47 and 48. We need to enable 802.1Q trunking (TagAll) and filter (drop) any untagged frames that might accidentally be sent across the port.
vlan ports 1/48,2/48 tagging enable
vlan ports 1/48,2/48 filter-untagged-frame enable
As a best practice you should never use VLAN 1; there are too many reasons to list here. By default every port is a member of VLAN 1 so let’s remove VLAN 1 from all ports;
vlan members remove 1 ALL
Let’s create a management VLAN and add that VLAN to our 802.1Q uplinks;
vlan create 200 name "10-107-255-0/24" type port
vlan members add 200 1/48,2/48
Let’s create a (default) closet VLAN and add that VLAN to all the ports in the stack;
vlan create 10 name "ICR1_1stFloor" type port
vlan members add 10 1/ALL,2/ALL
Let’s create a voice VLAN which we’ll be using in our ADAC and LLDP-MED configurations and we’ll add that VLAN to our uplinks;
vlan create 11 name "Voice" type port voice-vlan
vlan members add 11 1/48,2/48
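A small lint for a command list written in this post's syntax, added here as an example (it is not part of the original post or of any Avaya tooling). It checks the points made above: placeholder passwords, uplink tagging and untagged-frame filtering, VLAN 1 removal, and VLANs given members before they are created. The name `audit`, the sample text and the finding strings are assumptions, and it parses the commands as typed above, not the switch's own saved ASCII configuration.

```python
# Constructed sample: the template commands from this post, typed as one session.
TEMPLATE = """\
cli password read-only ropassword
cli password read-write rwpassword
cli password serial local
cli password telnet local
vlan configcontrol autopvid
vlan ports 1/48,2/48 tagging enable
vlan ports 1/48,2/48 filter-untagged-frame enable
vlan members remove 1 ALL
vlan create 200 name "10-107-255-0/24" type port
vlan members add 200 1/48,2/48
vlan create 10 name "ICR1_1stFloor" type port
vlan members add 10 1/ALL,2/ALL
vlan create 11 name "Voice" type port voice-vlan
vlan members add 11 1/48,2/48
"""
PLACEHOLDERS = {"ropassword", "rwpassword"}  # example values used in the post

def audit(config, uplinks=("1/48", "2/48")):
    """Return a list of findings for a command list written in this post's syntax."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings, created, port_opts = [], set(), {}
    for line in lines:
        w = line.split()
        if w[:2] == ["cli", "password"] and len(w) == 4 and w[3] in PLACEHOLDERS:
            findings.append(f"placeholder password left in place for {w[2]}")
        elif w[:2] == ["vlan", "create"] and len(w) > 2:
            created.add(w[2])  # remember VLAN ids in the order they appear
        elif w[:3] == ["vlan", "members", "add"] and len(w) > 3 and w[3] not in created:
            findings.append(f"VLAN {w[3]} given members before it was created")
        elif w[:2] == ["vlan", "ports"] and len(w) == 5 and w[4] == "enable":
            for port in w[2].split(","):
                port_opts.setdefault(port, set()).add(w[3])
    for access in ("serial", "telnet"):
        if f"cli password {access} local" not in lines:
            findings.append(f"'cli password {access} local' is missing")
    for port in uplinks:
        for opt in ("tagging", "filter-untagged-frame"):
            if opt not in port_opts.get(port, set()):
                findings.append(f"uplink {port}: {opt} not enabled")
    if "vlan members remove 1 ALL" not in lines:
        findings.append("VLAN 1 still has port members")
    return findings

if __name__ == "__main__":
    for finding in audit(TEMPLATE):
        print(finding)
```

Run against the template exactly as typed above, the only findings are the two example passwords, which must be replaced before the configuration goes onto a switch.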
mohammed alkurdi says
Well done Man.
Really many thanks
Michael McNamara says
Thanks for the comment Mohammed!
IJdod says
Shouldn’t the autopvid command take care of setting the pvid (first command on the 2nd page), as the ports are still in untagged at this stage?
Michael McNamara says
If the ports are set for UnTagAll (access ports) and AutoPVID is enabled then yes. However, as a good practice I make sure to set the PVID regardless so there’s no potential issue.
Cheers!
Raul Rivera says
In this command:
adac uplink-port 2/24
Shouldn’t the ports be 1/48,2/48?
Michael McNamara says
Hi Raul,
You only need to provide one of the ports in an MLT and the additional ports will automatically be added.
Cheers!
Raul Rivera says
Understood. I was making reference to the port 2/24. You had been using uplink ports 1/48,2/48 and in the adac config, used port 2/24 and I am confused why. Thanks!
Michael McNamara says
Thanks… I’ve corrected the original.
Roberto Mendez says
Hi Michael:
We have two Avaya 4548GT switches. Actually we connect to any port via serial and with Ctrl+Y have access; we want to configure a password for access to it.
What is the correct way to do it?
Thanks
Michael McNamara says
Hi Roberto,
The answer will depend on the software release you are running. In the older software releases you needed the following commands;
cli password read-only ropassword
cli password read-write rwpassword
cli password serial local
The read-write username is RW, the read-only username is RO.
Cheers!
Dan says
Hi Michael, I’m having a strange issue with these 4526GTX switches. When I try to change the management VLAN away from the default 1, I get the following error:
4526GTX-PWR(config)#vlan mgmt 199
% Can’t set the vlan 199 as management vlan, the vlan is member of inactive group
I can’t find any references to VLAN “groups”, much less how to make the VLAN active. It is assigned to several ports as the PVID. Do you have any ideas?
Michael McNamara says
Hi Dan,
Have you created the VLAN yet?
Cheers!
Dan says
Hi Michael, yes I did create the VLAN, in fact I created all of my VLANs. This VLAN is untagged on ports 1-8, and tagged/pvid on my LACP ports 17-24. I didn’t give the VLAN an IP address as I believe it would get the IP from the mgmt VLAN setting, correct?
Dan says
I think I found part of the problem. I started with a new configuration and followed this example, creating one VLAN (199) and making it the management VLAN. However, I then went on to try to set up MSTP for LACP, and that’s when I ran into problems:
4526GTX-PWR(config)#spanning-tree mstp msti 1 add-vlan 199
Can’t add the management vlan 199 to an inactive STP Group
So then I tried enabling the group:
4526GTX-PWR(config)#spanning-tree mstp msti 1 enable
% Cannot modify settings
% No vlans assigned, cannot enable STP Group.
So the question is, how do I properly trunk the management VLAN over LACP? Or do I need to do something different entirely?
Markus Deutsch says
Hi Michael,
First of all, thank you for your awesome work :)
I’m having issues activating SSH and SSL. Both are not getting displayed in the config t menu. Do I have to configure something first? In older versions I never had to. I’m running version 5.9.0.004 with the new switch.
Best regards
Markus
Michael McNamara says
Hi Markus,
You need to load the secure image on the switch before you’ll have the option to enable SSH or SSL.
Cheers!
Eric says
Hello,
Where to find Avaya CA root certificates to install on browser to be able to use EDM without having to “add security exception”?
Thank you
Michael McNamara says
Hmmm.. no idea, that would be a good question for Extreme support though.
Cheers!
Markus Deutsch says
Hi Michael,
That would explain a lot :D
Thanks a lot!!!
Markus
Maurice Townsend says
And oh yea, I’m having a hell of a time adding hostnames to the 5698tfd-pwr switches I mentioned in the last comment. “snmp-server name” does not work.
Base Unit Selection: Non-base unit using rear-panel switch
sysDescr: Ethernet Routing Switch 5698TFD-PWR
HW:06 FW:6.0.0.18 SW:v6.3.2.011
Mfg Date:07162012 HW Dev:none
Héctor says
Hello Michael….
Please can you help me? In a sw5520 with V6.1.4.011, is it possible to have two users (WR and another)?
What is the process?
Regards
Michael McNamara says
You would need to use a RADIUS server to have multiple users.
Cheers!
hector says
Good day,
Please help me, I need to update to load a secure image but keep the configuration…
What’s the process, please…
Best regards
Michael McNamara says
Sorry Hector, I don’t have any of the Extreme/Avaya software, nor would I offer it if I did.
orgitnized says
Do you mean you need the secure image but need to keep your configuration from the standard, non-secure image?
I have performed this without issue.
1> Go to the Avaya download site and get the secure image if you are entitled to download this
2> Make an ASCII and binary backup of your switch, just to be safe
3> Upload the new diagnostic image
4> Upload the new software image
5> After and check that everything is still there
6> Reconfigure anything that needs it, like enabling SSH access and disabling telnet