Let’s make sure that our QoS is set up properly for our 802.1Q uplink ports. ADAC/LLDP-MED will take care of the QoS settings for any IP phones.
qos if-group name allUpLinks class trusted
interface fastEthernet 1/48,2/48
qos if-assign port 1/48,2/48 name allUpLinks
exit
Let’s set the sysName, sysContact and sysLocation for the switch;
snmp-server name "sw-4548-testlab.acme.org"
snmp-server location "Doctor Practice (New York, NY)"
snmp-server contact "ACME IT Network Team"
Let’s rate-limit multicast and broadcast traffic on all interfaces to 5% of line rate;
interface fastEthernet ALL
rate-limit both 5
exit
If you are connecting to an Avaya core, don’t forget to enable VLACP;
interface fastEthernet 1/48,2/48
vlacp port 1/48,2/48 timeout short
vlacp port 1/48,2/48 timeout-scale 5
vlacp port 1/48,2/48 enable
exit
vlacp enable
Let’s set the QoS queue depth to 4 and the buffer management to large;
qos agent queue 4
qos agent buffer large
Let’s enable DHCP snooping and ARP inspection on VLANs 10 and 11, our closet and voice VLANs. You may want to leave ARP inspection and IP source guard disabled if you don’t have every device configured for DHCP or you aren’t prepared to manage the DHCP binding table, which is used to validate both ARP packets and IP frames per port.
ip dhcp-snooping vlan 10
ip dhcp-snooping vlan 11
ip dhcp-snooping enable
ip arp-inspection vlan 10
ip arp-inspection vlan 11
ip arp-inspection enable
Let’s set the 802.1Q uplink ports as trusted for DHCP snooping and ARP inspection;
interface fa 1/48,2/48
ip dhcp-snooping trusted
ip arp-inspection trusted
exit
Let’s set the edge ports as untrusted for DHCP snooping and ARP inspection, and enable IP source guard;
interface fa 1/1-47,2/1-47
ip dhcp-snooping untrusted
ip arp-inspection untrusted
ip verify source
exit
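The per-port validation described above, modeled in Python as an added example (it is not from the original post and is not Avaya's implementation). The uplink ports and VLANs come from the configuration above; the MAC and IP addresses are constructed, and the client port is passed in directly rather than learned from the client's request.

```python
# Simplified model of DHCP snooping, ARP inspection and IP source guard.
# Added illustration only; all MAC and IP addresses below are constructed.
TRUSTED = {"1/48", "2/48"}   # 802.1Q uplinks from the configuration above
SNOOP_VLANS = {10, 11}       # closet and voice VLANs


class Switch:
    def __init__(self):
        # (vlan, port) -> {mac: ip}, learned only from snooped DHCP ACKs
        self.bindings = {}

    def dhcp_server_msg(self, in_port, vlan, client_port, mac, ip, kind="ACK"):
        """Server-to-client DHCP message arriving on in_port."""
        if vlan in SNOOP_VLANS and in_port not in TRUSTED:
            return "drop"    # DHCP server reply seen on an edge port
        if vlan in SNOOP_VLANS and kind == "ACK":
            self.bindings.setdefault((vlan, client_port), {})[mac] = ip
        return "forward"

    def arp(self, port, vlan, sender_mac, sender_ip):
        """ARP inspection: sender MAC/IP must match a binding on that port."""
        if vlan not in SNOOP_VLANS or port in TRUSTED:
            return "forward"
        bound_ip = self.bindings.get((vlan, port), {}).get(sender_mac)
        return "forward" if bound_ip == sender_ip else "drop"

    def ip_frame(self, port, vlan, src_ip):
        """IP source guard: source IP must be bound to the ingress port."""
        if vlan not in SNOOP_VLANS or port in TRUSTED:
            return "forward"
        allowed = self.bindings.get((vlan, port), {}).values()
        return "forward" if src_ip in allowed else "drop"


def demo():
    sw = Switch()
    pc, printer = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"
    return {
        "ack_via_uplink": sw.dhcp_server_msg("1/48", 10, "1/5", pc, "10.10.10.50"),
        "server_on_edge_port": sw.dhcp_server_msg("1/7", 10, "1/9", pc, "192.168.1.50"),
        "dhcp_client_arp": sw.arp("1/5", 10, pc, "10.10.10.50"),
        "arp_wrong_sender_ip": sw.arp("1/5", 10, pc, "10.10.10.1"),
        "static_printer_arp": sw.arp("1/6", 10, printer, "10.10.10.20"),
        "static_printer_ip": sw.ip_frame("1/6", 10, "10.10.10.20"),
    }


if __name__ == "__main__":
    for event, verdict in demo().items():
        print(f"{event:22} {verdict}")
```

The last two results are the caveat from the text: a statically addressed device on an untrusted port has no binding, so both its ARP packets and its IP frames are dropped.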
There are default LLDP-MED policies that will override ADAC so let’s disable them;
interface fa ALL
no lldp med-network-policies
exit
If you’d like to use a RADIUS server to provide centralized management authentication to either the CLI or EDM interface, then you’ll need to configure the RADIUS server and secret key information;
radius-server host 10.10.1.25
radius-server host 10.10.1.26 secondary
radius-server key test12345XYZ
radius-server password fallback
cli password switch telnet radius
cli password stack telnet radius
Let me know if you have any problems.
Cheers!
mohammed alkurdi says
Well done, man.
Really many thanks
Michael McNamara says
Thanks for the comment Mohammed!
IJdod says
Shouldn’t the autopvid command take care of setting the pvid (first command on the 2nd page), as the ports are still in untagged at this stage?
Michael McNamara says
If the ports are set for UnTagAll (access ports) and AutoPVID is enabled then yes. However, as a good practice I make sure to set the PVID regardless so there’s no potential issue.
Cheers!
Raul Rivera says
In this command:
adac uplink-port 2/24
Shouldn’t the ports be 1/48,2/48?
Michael McNamara says
Hi Raul,
You only need to provide one of the ports in an MLT and the additional ports will automatically be added.
Cheers!
Raul Rivera says
Understood. I was making reference to the port 2/24. You had been using uplink ports 1/48,2/48 and in the adac config, used port 2/24 and I am confused why. Thanks!
Michael McNamara says
Thanks… I’ve corrected the original.
Roberto Mendez says
Hi Michael:
We have two Avaya 4548GT switches. Actually, we connect to any port via serial and with Ctrl+Y have access; we want to configure a password to access it.
What is the correct way to do it?
Thanks
Michael McNamara says
Hi Roberto,
The answer will depend on the software release you are running. In the older software releases you needed the following commands;
cli password read-only ropassword
cli password read-write rwpassword
cli password serial local
The read-write username is RW, the read-only username is RO.
Cheers!
Dan says
Hi Michael, I’m having a strange issue with these 4526GTX switches. When I try to change the management VLAN away from the default 1, I get the following error:
4526GTX-PWR(config)#vlan mgmt 199
% Can’t set the vlan 199 as management vlan, the vlan is member of inactive group
I can’t find any references to VLAN “groups”, much less how to make the VLAN active. It is assigned to several ports as the PVID. Do you have any ideas?
Michael McNamara says
Hi Dan,
Have you created the VLAN yet?
Cheers!
Dan says
Hi Michael, yes I did create the VLAN, in fact I created all of my VLANs. This VLAN is untagged on ports 1-8, and tagged/pvid on my LACP ports 17-24. I didn’t give the VLAN an IP address as I believe it would get the IP from the mgmt VLAN setting, correct?
Dan says
I think I found part of the problem. I started with a new configuration and followed this example, creating one VLAN (199) and making it the management VLAN. However, I then went on to try to set up MSTP for LACP, and that’s when I ran into problems:
4526GTX-PWR(config)#spanning-tree mstp msti 1 add-vlan 199
Can’t add the management vlan 199 to an inactive STP Group
So then I tried enabling the group:
4526GTX-PWR(config)#spanning-tree mstp msti 1 enable
% Cannot modify settings
% No vlans assigned, cannot enable STP Group.
So the question is, how do I properly trunk the management VLAN over LACP? Or do I need to do something different entirely?
Markus Deutsch says
Hi Michael,
First of all, thank you for your awesome work :)
I’m having issues activating SSH and SSL. Both are not getting displayed in the config t menu. Do I have to configure something first? In older versions I never had to. I’m running version 5.9.0.004 with the new switch.
Best regards
Markus
Michael McNamara says
Hi Markus,
You need to load the secure image on the switch before you’ll have the option to enable SSH or SSL.
Cheers!
Eric says
Hello,
Where to find Avaya CA root certificates to install on browser to be able to use EDM without having to “add security exception”?
Thank you
Michael McNamara says
Hmmm.. no idea, that would be a good question for Extreme support though.
Cheers!
Markus Deutsch says
Hi Michael,
That would explain a lot :D
Thanks a lot!!!
Markus
Maurice Townsend says
And oh yeah, I’m having a hell of a time adding hostnames to the 5698tfd-pwr switches I mentioned in the last comment. “snmp-server name” does not work.
Base Unit Selection: Non-base unit using rear-panel switch
sysDescr: Ethernet Routing Switch 5698TFD-PWR
HW:06 FW:6.0.0.18 SW:v6.3.2.011
Mfg Date:07162012 HW Dev:none
Héctor says
Hello Michael….
Please can you help me: in a sw5520 with V6.1.4.011, is it possible to have two users (WR and another)?
What is the process?
Regards
Michael McNamara says
You would need to use a RADIUS server to have multiple users.
Cheers!
hector says
Good day,
Please help me, I need to update to load a secure image but keep the configuration…
What’s the process, please…
Best regards
Michael McNamara says
Sorry Hector, I don’t have any of the Extreme/Avaya software, nor would I offer it if I did.
orgitnized says
Do you mean you need the secure image but need to keep your configuration from the standard, non-secure image?
I have performed this without issue.
1> Go to the Avaya download site and get the secure image if you are entitled to download this
2> Make an ASCII and binary backup of your switch, just to be safe
3> Upload the new diagnostic image
4> Upload the new software image
5> After and check that everything is still there
6> Reconfigure anything that needs it, like enabling SSH access and disabling telnet