Michael McNamara

technology, networking, virtualization and IP telephony

Simple Loop Prevention Protocol (SLPP)

by

With release v4.1 software of the Ethernet Routing Switch 8600 Nortel introduced a new mechanism to protect against Layer 2 network loops. The following excerpt is taken from the Nortel document “Converged Campus Technical Solution Guide”, authored July 2007 by Dan DeBacker.

Simple Loop Prevention Protocol (SLPP) provides active protection against Layer 2 network loops on a per-VLAN basis. SLPP uses a lightweight hello packet mechanism to detect network loops. SLPP packets are sent using Layer 2 multicast and a switch will only look at its own SLPP packets or at its peer SLPP packets. It will ignore SLPP packets from other parts of the network. Sending hello packets on a per VLAN basis allows SLPP to detect VLAN based network loops for un-tagged as well as tagged IEEE 802.1Q VLAN link configurations. Once a loop is detected, the port is shutdown. The SLPP functionality is configured using the following criteria:

  • SLPP TX Process – the network administrator decides on which VLANs a switch should send SLPP hello packets. The packets are then replicated out all ports which are members of the SLPP-enabled VLAN. It is recommended to enable SLPP on all VLANs.
  • SLPP RX Process – the network administrator decides on which ports the switch should act when receiving an SLPP packet that is sent by the same switch or by its SMLT peer. You should enable this process only on Access SMLT/SLT ports and never on IST ports or Core SMLT/SLT ports in the case of a square/full mesh core design.
  • SLPP Action – the action operationally disables the ports receiving the SLPP packet. The administrator can also tune the network failure behavior by choosing how many SLPP packets need to be received before a switch starts taking an action. These values need to be staggered to avoid edge switch isolation – see the recommendations at the end of this section.

Loops can be introduced into the network in many ways. One way is through the loss of an MLT configuration caused by user error or malfunctioning equipment. This scenario may not always introduce a broadcast storm, but because all MAC addresses are learned through the looping ports, does significantly impact Layer 2 MAC learning. Spanning Tree would not in all cases be able to detect such a configuration issue, whereas SLPP reacts and disables the malfunctioning links, limiting network impact to a minimum. The desire is to prevent a loop from causing network problems while also attempting to not totally isolate the edge where the loop was detected. Total edge closet isolation is the last resort in order to protect the rest of the network from the loop. With this in mind, the concept of an SLPP Primary switch and SLPP Secondary switch has been adopted. These are strictly design terms and are not configuration parameters. The Rx thresholds are staggered between the primary and secondary switch, therefore the primary switch will disable an uplink immediately upon a loop occurring. If this resolves the loop issue, the edge closet still has connectivity back through the SLPP secondary switch. If the loop is not resolved, the SLPP secondary switch will disable the uplink and isolate the closet to protect the rest of the network from the loop.

I’ve deployed SLPP at one site with with a two tier network design utilizing SMLT with an IST core. It’s very important to remember that SLPP operates per VLAN id so you need to take that into consideration. You also don’t want to overload your switch fabric (CPU) by enabling SLPP on every VLAN, especially if you have a large number of VLANs.

Here’s an example of how to deploy SLPP between two core ERS 8600s (switch cluster).

ERS 8600 Core Switch A

ERS-8610:5# config slpp add 200
ERS-8610:5# config slpp operation enable
ERS-8610:5# config ethernet 1/1-1/8 slpp packet-rx enable
ERS-8610:5# config ethernet 1/1-1/8 slpp packet-rx-threshold 5

ERS 8600 Core Switch B

ERS-8610:5# config slpp add 200
ERS-8610:5# config slpp operation enable
ERS-8610:5# config ethernet 1/1-1/8 slpp packet-rx enable
ERS-8610:5# config ethernet 1/1-1/8 slpp packet-rx-threshold 50

This will cause both core ERS 8600 switches to transmit SLPP PDUs on VLAN 200. They will watch for those PDUs to return on port 1/1-1/8. It’s important in the example above to point out the different thresholds. You don’t want both core ERS 8600 switches cutting off both uplinks to the edge closets. Hence the core A switch will admin-down any port where it receives 5 of it’s own SLPP PDU packets. The core B switch will admin-down any port where it receives 50 of it’s own SLPP PDU packets. This configuration will generally disable one of the uplinks from the switch cluster (removing the loop) but won’t leave the edge switch disconnected from both core ERS 8600 switches.

Cheers!

SNMP MIBS

by

I know what a pain it can be to sometimes locate vendor specific SNMP MIBS. In the past I’ve sometimes spent hours scouring the net and vendor sites looking for the MIBS.

I’ve decided to post some of the vendor specific SNMP MIBS that I work with on my homepage. You should be able to link straight to my homepage with this URL;

http://blog.michaelfmcnamara.com/mibs/

You should be able to find SNMP MIBS for the following devices;

Nortel Ethernet Routing Switch 8600 (v4.1.4)
Nortel Ethernet Routing Switch 5500 Series (v5.1)
Motorola WS5100 Wireless LAN Switch (v3.0.3)
Motorola RFS7000 Wireless LAN Switch (v1.x)
APC UPS Management Cards (v387)

As time and disk space allow I will add additional vendor MIBS and additional devices.

Update 12/01/07

Polycom VXS8000 Video Conferencing System
Blue Coat ProxySG Appliance
Blue Coat ProxyAV Appliance

Update 12/07/07

Nortel Application Switch (v23.2.3.1)

Update 12/26/07

Nortel Ethernet Switch 460/470 (v3.7)
Nortel Ethernet Routing Switch 1600 (v2.1.4)
Nortel Succession Call Server (v4.5)

Update 12/29/2007

Motorola WS5000/WS5100 Wireless LAN Switch (v2.1.3)

Cheers!

Update July 24, 2008

I’ve moved the files to my new host and changed the pointers on this page.

Cheers!

NVR Audit data initialized

by

There have been a few folks asking me if I know what the following log entry is on their Nortel Ethernet Routing Switch 5500 Series, “NVR Audit data initialized – incorrect magic number: 0xffffffff”.

I believe this is documented from Nortel as a bug in their latest software. The switch is throwing an error because the audit data (a new feature in the v5.x software line) is not present in the configuration or NVRAM the first time the switch boots after an upgrade to v5.x. This error could also occur if you’ve just factory reset your switch to the default configuration. I believe the error can be safely ignored as I’ve seen it on all 42 of my 5500 series switches.

I do remember seeing something about this error documented from Nortel, unfortunately I can’t seem to find that reference now.

ERS-5520# show logging
Type Time Idx Src Message
---- ----------------------- ---- --- -------
S 00:00:00:00 1 NVR SNTP: Could not sync to NTP servers.
S 2007-04-05 17:18:08 GMT 2 NVR SNTP: Could not sync to NTP servers.
S 2007-04-05 17:22:07 GMT 3 NVR Audit data initialized - incorrect magic number: 0xffffffff
I 2007-04-19 01:21:03 GMT 4 Web server starts service on port 80.
I 2007-04-19 01:21:19 GMT 5 IGMP: Unknown Multicast Filter disabled
I 2007-04-19 01:21:19 GMT 6 PoE Port Detection Status: Port 1 Status: Delivering Power
I 2007-04-19 01:21:22 GMT 7 PoE Port Detection Status: Port 35 Status: Delivering Power
I 2007-04-19 01:21:49 GMT 8 Port 0/47 reenabled by VLACP
I 2007-04-19 01:21:49 GMT 9 Port 0/48 reenabled by VLACP
I 2007-04-19 01:23:05 GMT 10 SNTP: First synchronization successful.
I 2007-04-19 01:23:18 GMT 11 Warm Start Trap
I 2007-04-19 01:23:19 GMT 12 Link Up Trap Port: 1
I 2007-04-19 01:23:20 GMT 13 Trap: pethPsePortOnOffNotification
I 2007-04-19 01:23:20 GMT 14 Trap: bsAdacPortConfigNotification for Port: 47, Config: Applied

Cheers!

Factory Reset Nortel Ethernet Switch

by

There can be times when you need to factory reset a switch. This process can be accomplished through the CLI but if you’ve lost the switch password you’ll need to follow a special process. This process should work for any of the Ethernet Switches (450, 460, 470) and the Ethernet Routing Switches 2500 Series, 4500 Series, 5500 (5510, 5520, 5530) Series. There is a different process to recover lost passwords on the Ethernet Routing Switch 1600 and 8600. Please note that by factory resetting the switch you will loose all configuration settings. It will be as if it just arrived from the “factory”.

Follow these steps:

  1. Connect to the console port of the switch (9600,8,N,1)
  2. Reboot the switch.
  3. When the first line of the diagnostics tests is displayed, press CTRL-C. The system then displays a menu.
  4. Select option “i” to factory default the switch.
  5. Select option “a” to run the agent code.

Upon boot up, the switch will be in a factory default configuration.

Cheers!

Layer 3 Access Port Adoption

by

The release of v3.x software for the Motorola WS5100 and v1.x software for the Motorola RFS7000 finally supports the deployment of Layer 3 Access Ports (APs that could be deployed across a Layer 3 network as opposed to those that can only be deployed across a Layer 2 network).

The latest release of firmware for the AP300 will first attempt to locate a wireless switch for adoption via a Layer 2 broadcast request. If it’s unable to locate a wireless switch it will make a DHCP request for an IP address. If the DHCP response does not include option 189 (string) it will make a DNS request to try and locate the wireless switch.

There are two ways the Access Port can locate the Wireless LAN Switch (WS5100/RFS7000) in Layer 3 mode;

  • DHCP Option
  • DNS Query

You can use DHCP and configure option 189 (string) with the IP address of the Motorola Wireless LAN Switch. You should note that you may need to enclose the string in quotation marks depending on your DHCP server software.

You can also create a DNS alias which the AP can use to locate the switch through a DNS query. The default DNS name requested by an AP300 is “Symbol-CAPWAP-Address”.

You might also notice that the AP300 will also support LLDP (802.1ab) if your Ethernet switch supports it.

Cheers!

Update: August 27, 2008
I should point out that you may need to “prime” the AP300 with the latest firmware by connecting it to a WS5100/RFS7000 over a Layer 2 network. If the AP300 has an older firmware it won’t be able to connect up over a Layer 3 network so you may need to connect it over a Layer 2 network first to allow the AP300 to upgrade after which you’ll be able to connect it over a Layer 2/3 network. The AP300 will automatically upgrade once it connects to the WS5100/RFS7000, there’s nothing that needs to be done by the user or administrator. The WS5100/RFS7000 will need to be running v3.x or v1.x respectively.

Cheers!

Recent Posts

Categories

SUBSCRIBE BY EMAIL