Michael McNamara

technology, networking, virtualization and IP telephony

ERS 8600 Access Policy

by

Protecting your network switches from un-authorized access should be high on everyone’s list these days. It’s clear that an insecure switch is a liability in any network topology. In the vast majority of cases this means at least changing the default username and passwords along with the SNMP community strings. In environments where you need additional access security you can use the Ethernet Routing Switch 8600 Access Policy to restrict administrative access to the switch. This allows you to easily define networks which should have access and what services they should have access to.

In the example below I’m allowing access from the network 10.1.1.0/24 for FTP, HTTP, SNMP(v3), SSH, TELNET and TFTP.

ERS-8610:5# config sys access-policy policy 10 create
ERS-8610:5# config sys access-policy policy 10 network 10.1.1.0/24
ERS-8610:5# config sys access-policy policy 10 service ftp enable
ERS-8610:5# config sys access-policy policy 10 service http enable
ERS-8610:5# config sys access-policy policy 10 service snmpv3 enable
ERS-8610:5# config sys access-policy policy 10 service ssh enable
ERS-8610:5# config sys access-policy policy 10 service telnet enable
ERS-8610:5# config sys access-policy policy 10 service tftp enable
ERS-8610:5# config sys access-policy policy 10 snmp-group-add admin snmpv1
ERS-8610:5# config sys access-policy policy 10 snmp-group-add admin snmpv2c
ERS-8610:5# config sys access-policy policy 10 snmp-group-add v1v2grp snmpv1
ERS-8610:5# config sys access-policy policy 10 snmp-group-add v1v2grp snmpv2c
ERS-8610:5# config sys access-policy policy 10 snmp-group-add readgrp snmpv1
ERS-8610:5# config sys access-policy policy 10 snmp-group-add readgrp snmpv2c
ERS-8610:5# config sys access-policy policy 10 enable

Just don’t forget to enable the access policy;

ERS-8610:5# config sys access-policy enable true

You could also use host masks as opposed to network masks if you wish to allow only specific management stations access to the switch.

Cheers!

ERS 8600 (ipNetToMediaIfIndex)

by

There was a recent comment about a Usenet positing I made back in 2002 in comp.protocols.snmp.

In the post I was responding to someone looking for information on how to decode the value returned from the ipNetToMediaIfIndex when querying an ERS 8600 switch. Thankfully Shane (Nortel) was able to help me come up with the forumla.

card = ( $value AND 62914560 ) / 4194304
port = (( $value AND 4128768) / 65536 ) + 1

With that formula you could now walk the ipNetToMediaTable and retreieve the entire ARP table providing you the card and port number, MAC address, and IP address for each entry in the table.

The next issue was how to deal with MultiLink Trunk interfaces. In this case (and with my current software code) I build a table of all the MLT interfaces prior to polling the ipNetToMediaTable. I still use Perl but it shouldn’t be very hard to convert to PHP.

# rcMltNumMlts
$nummlts = $sess->get("rcMltNumMlts.0");

for ($i = 1; $i <= $nummlts; $i++) {
  # rcMltName         
  $mltname[$i] = $sess->get("rcMltName.$i");
  # rcMltId
  $mltindex[$i] = $sess->get("rcMltId.$i");
  # rcMltIfIndex
  $mltifindex[$i] = $sess->get("rcMltIfIndex.$i");
  print "DEBUG: MltId = $i and MltName = $mltname[$i] and MltIndex = $mltindex[$i] and MltIfIndex = $mltifindex[$i]\n" if ($DEBUG);
};

Now that we have the rcMltTable in an array we can walk the ipNetToMediaTable and match up any entries. Here’s the code I use (again it’s Perl but you should be able to convert to PHP);

# Evaulate with bitwise operation
$card = (($vals[0] & 62914560) / 4194304);
$port = (($vals[0] & 4128768) / 65536) + 1;

# Evaulate to determine if port is a MLT
if ($card != 0) {
  $intf = (((64 * $card) + $port) - 1);
  print "DEBUG: $vals[1] address found on card $card port $port\n";
} else {
  $mlt = 1;
  print "DEBUG: $vals[1] address found on MLT $mltname[$port]\n";
} # end else

Hopefully that doesn’t look too complicated. The important piece here is that you need to merge the rcMltTable with the ipNetToMediaTable to get your results. If you name the MLT with something meaningful you can then return that string to the application that is making the query.

I wrote a Perl application that would search the ARP table of an Ethernet Routing Switch 8600 dynamically for a specific IP address entry. Here’s an example of the output;

Nortel Passport 8600 Gigabit Switch IP ARP Table Search

Initializing query for sw-ccr-8600.datacenter.acme.org for IP address 1.1.1.10...

sysDescr = ERS-8610 (4.1.3.0)
sysObjectID = .1.3.6.1.4.1.2272.30
sysUpTime = 169 Days 6 Hours 43 mins 11 secs
sysContact = Acme Network Infrastructure Team
sysName = sw-ccr-8600.datacenter.acme.org
sysLocation = USA

Please be patient it may take a while to complete the search...

DEVICE FOUND

1.1.1.10 (000AE4753FC9) address found on MLT SMLT-5500

We searched through 1183 forwarding records...

That's all folks!

I will look to publish the complete code on my website sometime in the near future.

Cheers!

Nortel Ethernet Switch Features

by

This is a great document that outlines the Nortel Ethernet Switch product line and highlights the major feature sets.

Ethernet Switching Feature Matrix July 2007 Public Version.pdf

This is public information so hopefully I won’t be getting any nasty email messages from anyone.

Cheers!

UPDATE: April 3, 2008

Here’s a new version of the Ethernet Switching Feature Matrix dated November 2007.


HP GbE2 Switch Blade

by

As with many Data Centers we’ve been deploying a large number of blade servers and switches. We’re primarily an HP shop from a server,desktop and laptop perspective and we’ve been working with HP Blade System for the past two years.

HP actually OEM’s two different GbE2 switches for their Blade enclosures. One is based off a Nortel (Blade Technologies) solution and the other is based off a Cisco solution. We’re using the Nortel version and we’ll be focusing on that hardware in this post. If your unfamiliar with the Alteon CLI your going to need a few minutes to catch on. It’s pretty simple but very different from either the Nortel CLI or the Cisco CLI. Another important point is that the enclosure can actually accommodate two HP GbE2 switches. There’s an “A” side and a “B” side. You only need an “A” side switch to provide connectivity for the servers that will be housed in the enclosure but for high-availability solutions you’ll definitely need two switches installed into the enclosure.

In the following post I’ll outline how to configure a HP GbE2 Switch Blade trunking both ports into a MultiLink trunk. We’ll only using one HP GbE2 switch for this example and ignore the “B” switch. You should console up to the HP GbE2 using a serial cable (straight thru cable 9600, 8, N 1). The default password is “admin”.

[Main Menu]
Jul 19  8:07:04 NOTICE  mgmt: admin login from host 10.101.20.1
info     - Information Menu
stats    - Statistics Menu
cfg      - Configuration Menu
oper     - Operations Command Menu
boot     - Boot Options Menu
maint    - Maintenance Menu
diff     - Show pending config changes  [global command]
apply    - Apply pending config changes [global command]
save     - Save updated config to FLASH [global command]
revert   - Revert pending or applied changes [global command]
exit     - Exit  [global command, always available]

>> Main#

Set Admin password
We’ll start out by setting the administrator password on the switch.

>> Main# /cfg/sys/access/user/admpw
Changing ADMINISTRATOR password; validation required:
Enter current admin password:
Enter new administrator password:
Re-enter new administrator password:
New administrator password accepted.

Set IP Address
Next we’ll setup an IP address on one of the interfaces.

>> Main# cfg/l3/if 1

[IP Interface 1 Menu]
addr     - Set IP address
mask     - Set subnet mask
vlan     - Set VLAN number
relay    - Enable/disable BOOTP relay
ena      - Enable IP interface
dis      - Disable IP interface
del      - Delete IP interface
cur      - Display current interface configuration

>> IP Interface 1#>> addr 10.101.255.118
Current IP address:     0.0.0.0
New pending IP address: 10.101.255.118
Pending new subnet mask:    255.0.0.0

>> IP Interface 1# mask 255.255.255.0
Current subnet mask:     0.0.0.0
New pending subnet mask: 255.255.255.0

>> IP Interface 1# vlan 200
Current VLAN:     1
New pending VLAN: 200

>> IP Interface 1# ena
Current status: disabled
New status:     enabled

Set IP Default Gateway
Next we’ll setup a default gateway for the switch.

>> Main# cfg/l3/gw 1
[Default gateway 1 Menu]
addr     - Set IP address
intr     - Set interval between ping attempts
retry    - Set number of failed attempts to declare gateway DOWN
arp      - Enable/disable ARP only health checks
ena      - Enable default gateway
dis      - Disable default gateway
del      - Delete default gateway
cur      - Display current default gateway configuration

>> Default gateway 1# addr 10.101.255.1
Current IP address:     0.0.0.0
New pending IP address: 10.101.255.1

>> Default gateway 1# ena
Current status: disabled
New status:     enabled

Create Trunk Interface
We’ll create a Multilink trunk interface (Etherchannel) utilizing ports 19 and 20. Switch ports 19-22 are GBIC interfaces which are populated by 1000BaseSX SFPs.

>> Main# /cfg/l2/trunk 1
[Trunk group 2 Menu]
add      - Add port to trunk group
rem      - Remove port from trunk group
ena      - Enable trunk group
dis      - Disable trunk group
del      - Delete trunk group
cur      - Display current Trunk Group configuration

>> Trunk group 2# add 19
Port 19 added.
>> Trunk group 2# add 20
Port 20 added.
>> Trunk group 2# ena
Current status: disabled
New status:     enabled

Enable 802.1q (tagging) on fiber uplinks
The external uplinks are ports 19 and 20. The internal crossconnect links between the two HP GbE2 switches are on ports 17 and 18. We need to enable 802.1q VLAN tagging on the uplink ports so we can bridge multiple VLANs across the uplinks.

>> Main# /cfg/port 17
------------------------------------------------------------
[Port 19 Menu]
gig      - Gig Phy Menu
aclqos   - Acl/Qos Configuration Menu
8021ppri - Set default 802.1p priority
pvid     - Set default port VLAN id
name     - Set port name
rmon     - Enable/Disable RMON for port
tag      - Enable/disable VLAN tagging for port
tagpvid  - Enable/disable tagging on pvid
brate    - Set BroadCast Threshold
mrate    - Set MultiCast Threshold
drate    - Set Dest. Lookup Fail Threshold
ena      - Enable port
dis      - Disable port
cur      - Display current port configuration
>> Port 17# tag e 
Current VLAN tag support: disabled
New VLAN tag support:     enabled
Port 17 changed to tagged.

I’m going to just provide the commands for the remaining ports and skip showing the enter text of the menu to help save on the length of this document.

>> Port 17# /cfg/port 18/tag e
Current VLAN tag support: disabled
New VLAN tag support:     enabled
Port 18 changed to tagged.
>> Port 19# /cfg/port 19/tag e
Current VLAN tag support: disabled
New VLAN tag support:     enabled
Port 19 changed to tagged.
>> Port 19# /cfg/port 20/tag e
Current VLAN tag support: disabled
New VLAN tag support:     enabled
Port 20 changed to tagged.

Create VLAN 200 for management of the switch itself.

>> Main# /cfg/l2/vlan 200
VLAN number 200 with name "VLAN 200" created.
------------------------------------------------------------
[VLAN 200 Menu]
name     - Set VLAN name
stg      - Assign VLAN to a Spanning Tree Group
add      - Add port to VLAN
rem      - Remove port from VLAN
def      - Define VLAN as list of ports
ena      - Enable VLAN
dis      - Disable VLAN
del      - Delete VLAN
cur      - Display current VLAN configuration

>> VLAN 200# name "10-101-255-0/24”
Current VLAN name:
New VLAN name:     10-101-255-0/24
>> VLAN 200# add 17
Current ports for VLAN 200:     empty
Pending new ports for VLAN 200:     17
>> VLAN 200# add 18
Current ports for VLAN 200:     empty
Pending new ports for VLAN 200:     17-18
>> VLAN 200# add 19
Current ports for VLAN 200:     empty
Pending new ports for VLAN 200:     17-19
>> VLAN 200# add 20
Current ports for VLAN 200:     empty
Pending new ports for VLAN 200:     17-20

Spanning Tree Protocol (Disable STP on trunk uplinks)

>> Main# /cfg/l2/stp 1
------------------------------------------------------------
[Spanning Tree Group 1 Menu]
brg      - Bridge parameter menu
port     - Port parameter menu
add      - Add VLAN(s) to Spanning Tree Group
remove   - Remove VLAN(s) from Spanning Tree Group
clear    - Remove all VLANs from Spanning Tree Group
on       - Globally turn Spanning Tree ON
off      - Globally turn Spanning Tree OFF
default  - Default Spanning Tree and Member parameters
cur      - Display current bridge parameters

>> Spanning Tree Group 1# port 19
------------------------------------------------------------
[Spanning Tree Port 19 Menu]
prior    - Set port Priority (0-255)
cost     - Set port Path Cost (1-65535 (802.1d) / 1-200000000 (MSTP/RSTP) / 0 for    auto)
link     - Set port link type (auto, p2p, or shared; default: auto)
edge     - Enable/disable edge
portfastfwd  - Enable/disable Port Fast Forwarding
modeon       - Turn port's Spanning Tree ON
off      - Turn port's Spanning Tree OFF
cur      - Display current port Spanning Tree parameters
>> Spanning Tree Port 19# off
Current Port 19 Spanning Tree setting: ON
New Port 19 Spanning Tree setting:     OFF
>> Main# /cfg/l2/stp 1/port 20/off
Current Port 20 Spanning Tree setting: ON
New Port 20 Spanning Tree setting:     OFF

Network Time Protocol

>> Main# /cfg/sys/ntp
----------------------------------------------------------
[NTP Server Menu]
prisrv   - Set primary NTP server address
secsrv   - Set secondary NTP server address
intrval  - Set NTP server resync intervalt
zone    - Set NTP timezone offset from GMT
dlight   - Enable/Disable daylight savings time
on       - Turn NTP service ON
off      - Turn NTP service OFF
cur      - Display current NTP configuration
>> NTP Server# prisrv 10.101.20.1
Current NTP server address: 0.0.0.0
Enter new NTP server address: 10.101.20.1
>> NTP Server# secsrv 10.111.20.1
Current NTP server address: 0.0.0.0
Enter new NTP server address: 10.111.20.1
>> NTP Server# tzone -5:00
Current GMT timezone offset:    -8:00
Enter new GMT timezone offset in hours [-12:00, +12:00]: -5:00
>> NTP Server# on 
Current status: OFFNew status:     ON
>> NTP Server# dlight e
Current status: disabledNew status:     enable

Set PVID on Uplink Ports

>> Main# /cfg/port 17/pvid 200 >> Main# /cfg/port 18/pvid 200 >> Main# /cfg/port 19/pvid 200 >> Main# /cfg/port 20/pvid 200