Michael McNamara
https://blog.michaelfmcnamara.com
technology, networking, virtualization and IP telephony

Avaya Ethernet Routing Switch 4800 Series – Configuration Template
https://blog.michaelfmcnamara.com/2013/02/avaya-ethernet-routing-switch-4800-series-configuration-template/
Sun, 10 Feb 2013 13:50:23 +0000

This is a follow-up post to my wildly popular article entitled, Nortel ERS 5520 PwR Switch which I posted back in October 2007 providing a working configuration for an Avaya Ethernet Routing Switch 5520 for IP telephony deployments.

Here’s the configuration template that I’m currently using today for the Avaya Ethernet Routing Switch 5500, 4800 and 4500 series switches. This is essentially a best practices configuration for a typical closet/edge switch (Layer 2) with ADAC/LLDP-MED for completely automated, zero-touch IP telephony deployments.

With the firmware that currently ships with the Avaya 1100 and 1200 series IP phones you only need to unbox the phone and connect it to the network. You’ll also need to make sure that you have your provisioning files setup properly but you can easily attain a zero-touch configuration for greenfield deployments.

Please note there are some options in this post which are only available in the later software releases for each switch model. These commands were tested on an Avaya Ethernet Routing Switch 4850GT-PWR+ running 5.6.2 software.

We need to be in privileged mode before we can enter configuration mode;

enable
configure terminal

Let’s start by setting the read-only and read-write passwords (the default usernames are RO=read-only and RW=read-write)

cli password read-only ropassword
cli password read-write rwpassword
cli password serial local
cli password telnet local

If you don’t care to see the banner when connecting via telnet then disable it;

banner disable

If you are working with an Avaya Ethernet Routing Switch 5000 series switch let’s disable the UI button on the outside of the switch. This feature is only available on the ERS 5000 series switches so this command won’t work with the ERS 4000 series switches.

no ui-button enable

Let’s set VLAN control to autopvid; this will instruct the switch to change the PVID to the VLAN assigned to the port for access (UntagAll) ports.

vlan configcontrol autopvid

If we have 2 or more switches in a stack configuration we’ll be utilizing ports on both switches for our uplinks, 1/48 and 2/48. If we only had a single switch and not a stack of switches we would use 47 and 48. We need to enable 802.1Q trunking (TagAll) and filter (drop) any untagged frames that might accidentally be sent across the port.

vlan ports 1/48,2/48 tagging enable
vlan ports 1/48,2/48 filter-untagged-frame enable

As a best practice you should never use VLAN 1, too many reasons to list here. By default every port is a member of VLAN 1 so let’s remove VLAN 1 from all ports;

vlan members remove 1 ALL

Let’s create a management VLAN and add that VLAN to our 802.1Q uplinks;

vlan create 200 name "10-107-255-0/24" type port
vlan members add 200 1/48,2/48

Let’s create a (default) closet VLAN and add that VLAN to all the ports in the stack;

vlan create 10 name "ICR1_1stFloor" type port 
vlan members add 10 1/ALL,2/ALL

Let’s create a voice VLAN which we’ll be using in our ADAC and LLDP-MED configurations and we’ll add that VLAN to our uplinks;

vlan create 11 name "Voice" type port voice-vlan
vlan members add 11 1/48,2/48
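One way to check a saved copy of this template before pushing it to a switch, as an added example that is not part of the original post: the script below verifies the three VLAN practices described above (trunk ports filter untagged frames, VLAN 1 is removed from all ports, every created VLAN has port members). The function name `audit_template` and the `WEAK` variant are constructed for illustration; `TEMPLATE` repeats the commands from this post.

```python
import shlex

# The VLAN commands from the template above.
TEMPLATE = '''
vlan configcontrol autopvid
vlan ports 1/48,2/48 tagging enable
vlan ports 1/48,2/48 filter-untagged-frame enable
vlan members remove 1 ALL
vlan create 200 name "10-107-255-0/24" type port
vlan members add 200 1/48,2/48
vlan create 10 name "ICR1_1stFloor" type port
vlan members add 10 1/ALL,2/ALL
vlan create 11 name "Voice" type port voice-vlan
vlan members add 11 1/48,2/48
'''

# Constructed variant with three deviations from the template.
WEAK = '''
vlan ports 1/48,2/48 tagging enable
vlan ports 1/48 filter-untagged-frame enable
vlan create 200 name "10-107-255-0/24" type port
vlan members add 200 1/48,2/48
vlan create 11 name "Voice" type port voice-vlan
'''


def audit_template(config):
    """Return a list of findings; an empty list means the checks passed."""
    tagging, filtering = set(), set()   # port tokens as written, e.g. "1/48"
    created, members = {}, {}           # vid -> name, vid -> port tokens
    vlan1_removed = False
    for raw in config.splitlines():
        words = shlex.split(raw)        # handles the quoted VLAN names
        if len(words) < 5 or words[0] != "vlan":
            continue
        if words[1] == "ports" and words[4] == "enable":
            ports = set(words[2].split(","))
            if words[3] == "tagging":
                tagging |= ports
            elif words[3] == "filter-untagged-frame":
                filtering |= ports
        elif words[1] == "create":
            created[int(words[2])] = words[4]
        elif words[1] == "members" and words[2] in ("add", "remove"):
            vid, ports = int(words[3]), set(words[4].split(","))
            if words[2] == "add":
                members.setdefault(vid, set()).update(ports)
            elif "ALL" in ports:
                members.pop(vid, None)
                vlan1_removed = vlan1_removed or vid == 1
            else:
                members.get(vid, set()).difference_update(ports)

    findings = []
    for port in sorted(tagging - filtering):
        findings.append(f"{port}: tagging enabled without filter-untagged-frame")
    if not vlan1_removed or members.get(1):
        findings.append("VLAN 1 still has port members")
    for vid in sorted(created):
        if not members.get(vid):
            findings.append(f"VLAN {vid} ({created[vid]}) has no port members")
    return findings


if __name__ == "__main__":
    for name, text in (("template", TEMPLATE), ("weak variant", WEAK)):
        print(name, audit_template(text) or "OK")
```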

untagAll vs tagAll on Avaya Ethernet Routing Switches
https://blog.michaelfmcnamara.com/2012/02/untagall-vs-tagall-on-avaya-ethernet-routing-switches/
Sun, 12 Feb 2012 16:06:03 +0000

This is probably the most often referred to topic both on the forums and here on my blog. After finding it in the top 10 keyword searches to my blog this morning I decided to try and write up a new post that would conclusively answer the question with respect to Avaya (formerly Nortel) Ethernet Routing Switches.

Definitions

Now before I get started let’s define some basic terms;

  • Access port is defined as a port belonging to a single VLAN
  • Trunk port as defined in Wikipedia is a port designed to carry multiple VLANs through a single network link through the use of a “trunking protocol”. To allow for multiple VLANs on one link, frames from individual VLANs must be identified. The most common and preferred method, IEEE 802.1Q adds a tag to the Ethernet frame header, labeling it as belonging to a certain VLAN. Since 802.1Q is an open standard, it is the only option in an environment with multiple-vendor equipment.

So by its definition an access port can only belong to one VLAN while a trunk port can belong to multiple VLANs.

It’s important to distinguish that we’re talking about single ports. A trunk group or trunk port group is made up of multiple ports which are combined into a single virtual port. Protocols such as MultiLink Trunking (Avaya), EtherChannel (Cisco) and LACP provide the ability to combine multiple trunk ports into a single virtual interface providing redundancy and additional bandwidth.

Basic Examples

In general the majority of edge switch ports will be configured as access ports. Any port used to connect a personal computer, laptop, server, printer, etc will be configured as an access port. Any port that connects to another switch will be configured as a trunk port.

Complex Examples

With the advent of virtualization VMware servers are often configured and connected to trunk ports. Whereas servers would have traditionally been connected to access ports they can also be connected to trunk ports depending on their configurations. The advent of Voice Over IP (VoIP) to the desktop has also had an impact on how edge switches are configured when the desktop or laptop is connected to the IP phone which is in turn connected to the edge switch. I’ll cover that topic in more detail later on.

Avaya Ethernet Routing Switches

Ethernet Routing Switch 2500, 4000, 5000 Series

The Avaya Ethernet Routing Switch 2500, 4000 and 5000 series switches currently offer the following options.

  • tagAll – sets the port as a trunk port tagging all frames with an 802.1Q header as they egress the port.
  • untagAll – sets the port as an access port stripping all 802.1Q headers as they egress the port.
  • tagPvidOnly – sets the port as a trunk port but only adds 802.1Q headers for the PVID VLAN as they egress the port.
  • untagPvidOnly – sets the port as a trunk port but only adds 802.1Q headers for every VLAN other than the PVID VLAN as they egress the port.

What is the PVID? The PVID is the Default VLAN ID configured for that specific port. In a typical configuration where the port is an access (untagAll) port the PVID will be set to that VLAN automatically by the switch. In a trunk port configuration the PVID will be used to determine which VLAN to bridge any received untagged frames to if DiscardUntaggedFrames is not enabled. It’s recommended to enable DiscardUntaggedFrames on any port configured as a trunk (tagAll) port to avoid any potential configuration issues which might lead to a loop and a network outage. It’s also a best practice to configure the PVID on all trunk (tagAll) ports with the VLAN ID of your management VLAN.

Ethernet Routing Switch 1600, 8600, 8800 Series

You’ll notice on the Ethernet Routing Switch 1600, 8600 and 8800 series that the options are slightly different but achieve the same outcome.

  • PerformTagging (Checked) – sets the port as a trunk port tagging all frames with an 802.1Q header as they egress the port.
  • PerformTagging (Unchecked) – sets the port as an access port stripping all 802.1Q headers as they egress the port.

Additional options include DiscardTaggedFrames, DiscardUntaggedFrames and UntagDefaultVlan. These options can be used to achieve the same results as with the Avaya Ethernet Routing Switch 2500, 4000 and 5000 series switches with the exception of tagPvidOnly.

Is the PVID equivalent to the native vlan command in Cisco switches? It is if untagPvidOnly/UntagDefaultVlan is enabled. The PVID (DefaultVlanId) by itself only acts on untagged received frames. The untagPvidOnly/UntagDefaultVlan option acts on transmitted frames and so the combination of the two equates to the “switchport trunk native vlan #” on a Cisco switch.

It’s also important to point out that Avaya only supports 802.1Q tagging. So while Cisco supports ISL and 802.1Q there is no Avaya command similar to “switchport trunk encapsulation dot1q” since this is the default behavior with Avaya switches.

IP Telephony

There are some special considerations when desktops and laptops are physically connected to the PC port on the back of an IP phone and then the IP phone is cabled to the edge switch. In this scenario the common approach is to tag the voice VLAN while leaving the data VLAN untagged. Why? It’s important that we separate the voice traffic from the data traffic so we utilize two different VLANs: one VLAN will carry the voice traffic while one VLAN will carry the data traffic destined to the desktop or laptop. The desktop or laptop probably won’t be configured for 802.1Q tagging so it won’t understand an 802.1Q tagged frame. We need to guarantee that any frames being delivered to the PC port on the back of the IP phone are untagged; if they aren’t, the laptop or desktop will just discard the frame. The IP phone will tag the voice frames with an 802.1Q header so the switch will properly bridge those frames to the voice VLAN. In this scenario we need to utilize the untagPvidOnly option in combination with configuring the PVID (DefaultVlanId) as the data VLAN. This way the voice VLAN will be tagged with an 802.1Q header so the phone understands it and the data VLAN will be untagged so the desktop or laptop understands it. The IP phone will be configured with the Voice VLAN ID so it knows which ID to use when communicating with the Call Server and Media Gateways.
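The tagging options and the IP phone scenario described above, as an added example that is not part of the original post: a small model of how a port classifies received frames (PVID, DiscardUntaggedFrames) and tags transmitted frames (tagAll, untagAll, tagPvidOnly, untagPvidOnly), working on real 802.1Q frame bytes. The `Port` class, the function names, the port numbers and the VLAN IDs (10 data, 11 voice, 200 management) are constructed for illustration, and dropping a tagged frame for a VLAN the port is not a member of is an assumption of the model.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                 # tagAll | untagAll | tagPvidOnly | untagPvidOnly
    pvid: int                 # default VLAN ID for untagged received frames
    vlans: frozenset          # VLANs the port is a member of
    discard_untagged: bool = False


def read_tag(frame: bytes) -> Optional[int]:
    """Return the VLAN ID of an 802.1Q-tagged frame, or None if untagged."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF


def strip_tag(frame: bytes) -> bytes:
    """Remove the 4-byte 802.1Q header if one is present."""
    return frame if read_tag(frame) is None else frame[:12] + frame[16:]


def add_tag(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q header (priority 0) after the source MAC."""
    bare = strip_tag(frame)
    return bare[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + bare[12:]


def ingress_vlan(port: Port, frame: bytes) -> Optional[int]:
    """VLAN a received frame is bridged to, or None if it is dropped."""
    tag = read_tag(frame)
    if tag is None:
        # Untagged frames go to the PVID unless DiscardUntaggedFrames is set.
        return None if port.discard_untagged else port.pvid
    # Assumption: tagged frames for a VLAN the port is not in are dropped.
    return tag if tag in port.vlans else None


def egress_tagged(port: Port, vlan: int) -> Optional[bool]:
    """True = sent tagged, False = sent untagged, None = not sent at all."""
    if vlan not in port.vlans:
        return None
    return {
        "tagAll": True,
        "untagAll": False,
        "tagPvidOnly": vlan == port.pvid,
        "untagPvidOnly": vlan != port.pvid,
    }[port.mode]


def forward(in_port: Port, out_port: Port, frame: bytes) -> Optional[bytes]:
    """Bytes that leave out_port for a frame received on in_port, or None."""
    vlan = ingress_vlan(in_port, frame)
    if vlan is None:
        return None
    tagged = egress_tagged(out_port, vlan)
    if tagged is None:
        return None
    return add_tag(frame, vlan) if tagged else strip_tag(frame)


def sample_frame(vid: Optional[int] = None) -> bytes:
    """Constructed Ethernet frame: broadcast dst, locally administered src."""
    frame = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"payload"
    return frame if vid is None else add_tag(frame, vid)


# Phone with a PC behind it: voice VLAN 11 tagged, data VLAN 10 untagged.
PHONE_PORT = Port("1/5", "untagPvidOnly", pvid=10, vlans=frozenset({10, 11}))
# Uplink: everything tagged, untagged frames discarded, PVID = management VLAN.
UPLINK = Port("1/48", "tagAll", pvid=200, vlans=frozenset({10, 11, 200}),
              discard_untagged=True)

if __name__ == "__main__":
    cases = [("PC -> uplink", PHONE_PORT, UPLINK, sample_frame()),
             ("phone -> uplink", PHONE_PORT, UPLINK, sample_frame(11)),
             ("uplink -> PC (VLAN 10)", UPLINK, PHONE_PORT, sample_frame(10)),
             ("uplink -> phone (VLAN 11)", UPLINK, PHONE_PORT, sample_frame(11)),
             ("untagged into uplink", UPLINK, PHONE_PORT, sample_frame())]
    for label, src, dst, frame in cases:
        out = forward(src, dst, frame)
        print(label, "dropped" if out is None else f"tag={read_tag(out)}")
```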

Cheers!

Ethernet Routing Switch 4000 Software Release v5.6
https://blog.michaelfmcnamara.com/2011/12/ethernet-routing-switch-4000-software-release-v5-6/
Mon, 19 Dec 2011 15:37:18 +0000

Avaya has released software 5.6 for the Ethernet Routing Switch 4000 series switch. In combination with this software release Avaya is releasing six new switch models;

  • Avaya Ethernet Routing Switch 4550T-PWR+
  • Avaya Ethernet Routing Switch 4526T-PWR+
  • Avaya Ethernet Routing Switch 4850GTS
  • Avaya Ethernet Routing Switch 4850GTS-PWR+
  • Avaya Ethernet Routing Switch 4826GTS
  • Avaya Ethernet Routing Switch 4826GTS-PWR+

Release 5.6 also introduces one new removable power supply for the Avaya Ethernet Routing Switch 4000 Series — the ERS4x00 PoE+ PSU, a stackable 1000W AC Power over Ethernet plus power supply unit. The PoE+ models include a 1000w power supply that enables full support for 48 ports when all ports are operating at class 3 802.3af PoE. On the six new hardware variants, the switch CPU speed is 533 MHz, and the FLASH is larger to allow for large images, backup images, and configurations. The standard ADS console port (DTE) on all new products is an RJ-45 Female Connector: (8 pin RJ45).

There have been a number of added features including the following;

  • Cisco CLI Phase 1
  • Disable MAC Learning
  • Equal Cost MultiPath (ECMP)
  • Internet Group Management Protocol (IGMP) Querier
  • Internet Group Management Protocol (IGMP) version 3 Snooping and Proxy
  • IP Phone automatic PoE changes
  • Layer 3 Brouter Port
  • Many to Many Port Mirroring
  • MLT/DMLT/LAG Dynamic VLAN changes
  • Network Time Protocol (NTP)
  • Ping Source Address
  • Secure File Transfer Protocol (SFTP)
  • SFP Plus
  • Show Flash command
  • SSH Client
  • SSH RSA Authentication
  • Stack Health Monitoring and Recovery
  • Static FDB MAC Entry
  • Terminal Mode Permanent Setting
  • VLAN Scaling
  • Voice VLAN Integration

The resolved issues section of the release notes is mysteriously empty including this note, “This section will be updated on or before December 22, 2011.”

As always I suggest you review the release notes for yourself.

Cheers!

Avaya Ethernet Routing Switches and non-ADAC VLANs
https://blog.michaelfmcnamara.com/2011/09/avaya-ethernet-routing-switches-and-non-adac-vlans/
Thu, 22 Sep 2011 04:19:31 +0000

I recently stumbled across this little tidbit and thought I would share it with everyone here.

Up until recently if you wanted to change the default VLAN (the data VLAN for the IP phones) on a port that had ADAC enabled you had to first disable ADAC, change the VLAN assignment of the port and then re-enable ADAC. This was problematic for two major reasons; 1) disabling ADAC would remove the port from the voice VLAN and would interrupt the connectivity to the IP phone causing an outage, 2) if your network administrator forgot to disable ADAC before making the VLAN change the switch would eventually restore the port to its originally configured VLAN (usually on reboot of the switch) which would ultimately leave the end device in the wrong VLAN and unable to communicate.

I blogged about the problem back in 2008 here and here and there were many of you that found out the hard way that neither Java Device Manager nor the CLI would warn you before making any VLAN changes on a port which had ADAC enabled. It’s now 2011 and while I definitely have more grey hair (I guess I should be happy I still have hair) it seems that Avaya has finally gotten around to resolving this issue. It seems Avaya also took the opportunity to eliminate two birds with one stone with the ability to now define multiple uplinks/downlinks in ADAC. In the past you could only define a single uplink which would be problematic if you intended to use the switch as a distribution switch to feed other switches downstream. There was no way to provision the voice VLAN on the downlinks because ADAC would remove any manually added ports from the voice VLAN.

The Autodetection and Autoconfiguration (ADAC) Enhancements provide increased flexibility in deployments that use ADAC as follows:

  • expanded support for up to 8 ADAC uplinks and 8 call-server links – individual ports or any combination of MLT, DMLT or LAG – per switch or stack
  • the ability to change the non-ADAC VLANs on a port without disabling ADAC

Here’s what the ADAC settings look like within Enterprise Device Manager.

Ethernet Routing Switch 4500 – ADAC via EDM

Here are the platforms that support the new feature and the minimum software releases you need to be at.

I must admit upfront that I have not yet tested this new feature… although both changes highlighted above are very very welcome to me as a user. I can’t tell you how many issues we had with network administrators or engineers forgetting to check the status of ADAC and having all sorts of issues after a reboot (or more often an extended power failure – which led to a… yes reboot).

Has anyone else had the opportunity to test this out?

Cheers!

Ethernet Routing Switch 4500 Software Release v5.5
https://blog.michaelfmcnamara.com/2011/05/ethernet-routing-switch-4500-software-release-v5-5/
Tue, 17 May 2011 01:00:18 +0000

Avaya has released software 5.5 for the Ethernet Routing Switch 4500 series switch.

  • 802.1AB customization
  • 802.1AB integration
  • 802.1X non-EAP Accounting
  • 802.1X non-EAP re-authentication
  • 802.1AB new default parameters
  • AUR enhancement
  • DHCP Snooping External Save
  • EAP Fail Open with multi-VLAN
  • Layer 3 Virtual Router Redundancy Protocol
  • RADIUS EAP or non-EAP requests from different servers
  • SLPP Guard
  • SNMP Trap enhancements
  • STP BPDU filtering ignore-self
  • Unified Authentication
  • VLACP enhancements
  • Enterprise Device Manager enhancements
  • Web server client browser requests

The known issues and resolved issues are mysteriously blank although there is a note there that indicates those sections will be updated on May 20, 2011.

Please refer to the release notes for all the specific details and tidbits.

It appears that Avaya is trying to address the performance issues with EDM that many of us have documented;

Enterprise Device Manager enhancements

In Release 5.5 Enterprise Device Manager (EDM) is enhanced with improved data retrieval and request handling for significantly faster GUI response. In the navigation tree the IP Routing folder is renamed IP and the paths in related procedures have been updated. The Switch Summary tab contents have been enhanced to include basic switch information and stack information. A toolbar has been added above the EDM navigation tree. The 5 buttons in the toolbar add the following functions:

  • Switch Summary — you can use the Switch Summary toolbar button to open or reopen the switch summary tab.
  • Refresh Status — in addition to the existing refresh methods you can use the Refresh Status toolbar button to refresh the device status.
  • Edit Selected — in addition to the existing edit methods, and depending on which object you select on the Device Physical View, you can use this toolbar button to open Edit > Chassis, Edit > Unit, or Edit > Ports tabs. If you do not select an object from the Device Physical View and you click the Edit Select toolbar button, the Edit > Chassis tab opens.
  • Graph Selected — depending on which object you select on the Device Physical View, you can use this toolbar button to open Graph > Chassis or Graph > Port tabs. If you do not make a selection on the Device Physical View, or if you select Unit, the Graph > Chassis tab opens.
  • Help Setup Guide — this button connects you to the help setup guide for embedded EDM and it replaces the link that appeared on the top right of work panes.

Cheers!

 

RIP on an Ethernet Routing Switch
https://blog.michaelfmcnamara.com/2011/02/rip-on-an-ethernet-routing-switch/
Thu, 10 Feb 2011 22:00:59 +0000

In this post I’m going to continue to explore the stackable Avaya Ethernet Routing Switches. I’m going to demonstrate how to configure RIP between an Avaya Ethernet Routing Switch 4548GT-PWR and an Avaya Ethernet Routing Switch 5520-48T-PWR. There’s really not a whole lot to it but there seems to be some demand for these quick little guides so I’m happy to accommodate.

In the diagram to the right you can see that I have both switches connected over VLAN 1 by a MultiLink Trunk. I’m going to create VLAN 25 and VLAN 75 on the ERS 4548 while I create VLAN 100 and VLAN 200 on the ERS 5520. I’ll also announce a default route from the ERS 4548 to the ERS 5520 via RIP.

Ethernet Routing Switch 4548

Let’s start by enabling RIP globally and specify the IP interfaces we’ll want to participate in RIP;

router rip
router rip enable
network 192.168.1.25
network 192.168.25.1
network 192.168.75.1

Next we’ll configure RIP on VLAN 1 and enable default-supply since this switch will be advertising a default route for the network. We’ll also set the RIP interface to only utilize RIP v2. This will be the interface that will communicate with the ERS 5520 switch.

interface vlan 1
ip rip enable
ip rip default-supply enable
ip rip receive version rip2
ip rip send version rip2
exit

Next we’ll configure RIP on VLAN 25. Since we don’t expect to connect any switches or routers to this VLAN, we’ll essentially place RIP in a passive mode by disabling listen and supply. In the mindset of being consistent we’ll set the interface to only utilize RIP v2 even though it won’t be transmitting or listening.

interface vlan 25
ip rip enable
no ip rip listen enable
no ip rip supply enable
ip rip receive version rip2
ip rip send version rip2
exit

We need to repeat the same configuration above but for VLAN 75 since we don’t expect to share any routing information with any switches or routers on VLAN 75.

interface vlan 75
ip rip enable
no ip rip listen enable
no ip rip supply enable
ip rip receive version rip2
ip rip send version rip2
exit

As I mentioned earlier, we’re going to advertise a default route from the ERS 4548 to the rest of the network. In order to accomplish that task we need a route policy (it’s called a route map on the stackable switches but a route policy on the chassis switches). We need to make sure that we match 0.0.0.0/0 and not just inject 0.0.0.0/0. This approach will allow RIP to stop advertising 0.0.0.0/0 if the route disappears from the routing table on our originating switch. In the examples below there will be a static default route to 0.0.0.0/0 via 192.168.1.1.

ip prefix-list default_route 0.0.0.0/0
route-map rip_pol_1 1
route-map rip_pol_1 1 enable
route-map rip_pol_1 permit 1 enable
route-map rip_pol_1 permit 1 match network default_route

Now that we have the route-map we need to apply it to the RIP interface on VLAN 1 since that’s the interface that will be communicating with the ERS 5520.

interface vlan 1
ip rip out-policy rip_pol_1
exit

Ethernet Routing Switch 5520

Let’s start by enabling RIP globally and specify the IP interfaces we’ll want to participate in RIP;

router rip
router rip enable
network 192.168.1.50
network 192.168.100.1
network 192.168.200.1

Next we’ll configure RIP on VLAN 1 and enable default-listen since this switch will be learning a default route from the ERS 4548 on this interface. We’ll also set the RIP interface to only utilize RIP v2.

interface vlan 1
ip rip enable
ip rip default-listen enable
ip rip receive version rip2
ip rip send version rip2
exit

Next we’ll configure RIP on VLAN 100. Since we don’t expect to connect any switches or routers to this VLAN, we’ll essentially place RIP in a passive mode by disabling listen and supply. In the mindset of being consistent we’ll set the interface to only utilize RIP v2 even though it won’t be transmitting or listening.

interface vlan 100
ip rip enable
ip rip receive version rip2
ip rip send version rip2
no ip rip listen enable
no ip rip supply enable
exit

We need to repeat the same configuration above but for VLAN 200 since we don’t expect to share any routing information with any switches or routers on VLAN 200.

interface vlan 200
ip rip enable
ip rip receive version rip2
ip rip send version rip2
no ip rip listen enable
no ip rip supply enable
exit

Those are the commands that you’ll need to get both switches exchanging dynamic routing information via RIP v2.

Ethernet Routing Switch 4548 (show commands)

Here are some operational commands that can be used to check the status of RIP and the routing table.

4548GT-PWR#show ip rip
Default Import Metric:  8
Domain:
HoldDown Time:  120
Queries:  1
Rip:  Enabled
Route Changes:  8
Timeout Interval:  180
Update Time:  30

You can see below the status of the RIP interface on VLAN 1. Notice that Dflt Supply is set to true and that the RIP Out Policy we previously configured (rip_pol_1) is applied.

4548GT-PWR(config)#show ip rip interface vlan 1
IP Address      Enable Send           Receive      Advertise When Down
--------------- ------ -------------- ------------ -------------------
192.168.1.25    true   ripVersion2    rip2         false

                RIP  Dflt   Dflt   Trigger AutoAgg
IP Address      Cost Supply Listen Update  Enable  Supply Listen Poison Proxy
--------------- ---- ------ ------ ------- ------- ------ ------ ------ -----
192.168.1.25    1    true   false  false   false   true   false  false  false

IP Address      RIP In Policy
--------------- ---------------------------------------------------------------
192.168.1.25

IP Address      RIP Out Policy
--------------- ---------------------------------------------------------------
192.168.1.25    rip_pol_1

IP Address      Holddown Timeout
--------------- -------- -------
192.168.1.25    120      180

Finally the routing table for the ERS 4548, you can see the static default route (notice the S for static) and you can see the two RIP routes (notice the R for RIP).

4548GT-PWR#show ip route
===============================================================================
Ip Route
===============================================================================
DST             MASK            NEXT            COST    VLAN PORT PROT TYPE PRF
-------------------------------------------------------------------------------
0.0.0.0         0.0.0.0         192.168.1.1     1        1    1     S  IB     5
192.168.1.0     255.255.255.0   192.168.1.25    1        1    ----  C  DB     0
192.168.25.0    255.255.255.0   192.168.25.1    1        25   ----  C  DB     0
192.168.75.0    255.255.255.0   192.168.75.1    1        75   ----  C  DB     0
192.168.100.0   255.255.255.0   192.168.1.50    2        1    T#1   R  IB   100
192.168.200.0   255.255.255.0   192.168.1.50    2        1    T#1   R  IB   100
Total Routes: 6
-------------------------------------------------------------------------------
TYPE Legend:
I=Indirect Route, D=Direct Route, A=Alternative Route, B=Best Route, U=Unresolv
ed Route, N=Not in HW

Here’s the configuration we used on the ERS 4548 in this post.

4548GT-PWR#show running-config module l3-protocols
! Embedded ASCII Configuration Generator Script
! Model = Ethernet Routing Switch 4548GT-PWR
! Software version = v5.4.1.012
!
! Displaying only parameters different to default
!================================================
enable
configure terminal
!
! *** L3 Protocols ***
!

! --- Proxy ARP ---

! --- UDP Broadcast Forwarding ---

! --- Route Policies ---

ip prefix-list "default_route" 0.0.0.0/0
route-map "rip_pol_1" 1
route-map "rip_pol_1" 1 enable
route-map "rip_pol_1" 1 match network "default_route"

! --- OSPF ---

! --- RIP ---

router rip
router rip enable
exit
enable
configure terminal
interface vlan 1
ip rip default-supply enable
ip rip out-policy "rip_pol_1"
ip rip enable
exit
interface vlan 25
no ip rip listen enable
ip rip receive version rip2
ip rip send version rip2
no ip rip supply enable
ip rip enable
exit
interface vlan 75
no ip rip listen enable
ip rip receive version rip2
ip rip send version rip2
no ip rip supply enable
ip rip enable
exit

Ethernet Routing Switch 5520 (show commands)

Here are some operational commands that can be used to check the status of RIP and the routing table.

5520-48T-PWR#show ip rip
Default Import Metric:  8
Domain:
HoldDown Time:  120
Queries:  1
Rip:  Enabled
Route Changes:  6
Timeout Interval:  180
Update Time:  30

You can see below the status of the RIP interface on VLAN 1, notice the status of Dflt Listen is set to true.

5520-48T-PWR#show ip rip interface vlan 1
IP Address      Enable Send           Receive      Advertise When Down
--------------- ------ -------------- ------------ -------------------
192.168.1.50    true   ripVersion2    rip2         false

                RIP  Dflt   Dflt   Trigger AutoAgg
IP Address      Cost Supply Listen Update  Enable  Supply Listen Poison Proxy
--------------- ---- ------ ------ ------- ------- ------ ------ ------ -----
192.168.1.50    1    false  true   false   false   true   true   false  false

IP Address      RIP In Policy
--------------- ---------------------------------------------------------------
192.168.1.50

IP Address      RIP Out Policy
--------------- ---------------------------------------------------------------
192.168.1.50

IP Address      Holddown Timeout
--------------- -------- -------
192.168.1.50    120      180

Finally the routing table for the ERS 4548, you can see the two RIP routes (notice the R for RIP).

5520-48T-PWR#show ip route
===============================================================================
Ip Route
===============================================================================
DST             MASK            NEXT            COST    VLAN PORT PROT TYPE PRF
-------------------------------------------------------------------------------
0.0.0.0         0.0.0.0         192.168.1.25    2        1    T#1   R  IB   100
192.168.1.0     255.255.255.0   192.168.1.50    1        1    ----  C  DB     0
192.168.25.0    255.255.255.0   192.168.1.25    2        1    T#1   R  IB   100
192.168.75.0    255.255.255.0   192.168.1.25    2        1    T#1   R  IB   100
192.168.100.0   255.255.255.0   192.168.100.1   1        100  ----  C  DB     0
192.168.200.0   255.255.255.0   192.168.200.1   1        200  ----  C  DB     0
Total Routes: 6
-------------------------------------------------------------------------------
TYPE Legend:
I=Indirect Route, D=Direct Route, A=Alternative Route, B=Best Route, E=Ecmp Route, U=Unresolved Route, N=Not in HW

Here’s the configuration we used on the ERS 5520 in this post.

5520-48T-PWR#show running-config module l3-protocols
! Embedded ASCII Configuration Generator Script
! Model = Ethernet Routing Switch 5520-48T-PWR
! Software version = v6.2.1.002
!
! Displaying only parameters different to default
!================================================
enable
configure terminal
!
! *** L3 Protocols ***
!

! --- Proxy ARP ---

! --- UDP Broadcast Forwarding ---

! --- VRRP ---

! --- Route Policies ---

! --- OSPF ---

! --- RIP ---

router rip
router rip enable
exit
enable
configure terminal
interface vlan 1
ip rip default-listen enable
ip rip receive version rip2
ip rip send version rip2
ip rip enable
exit
interface vlan 100
no ip rip listen enable
ip rip receive version rip2
ip rip send version rip2
no ip rip supply enable
ip rip enable
exit
interface vlan 200
no ip rip listen enable
ip rip receive version rip2
ip rip send version rip2
no ip rip supply enable
ip rip enable
exit
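A check for the passive-interface intent described in this post, as an added example that is not part of the original post: it reads `show running-config module l3-protocols` output and reports which VLAN interfaces still listen for RIP updates, so an interface that was meant to be passive but is missing `no ip rip listen enable` stands out. The function names are hypothetical, `CONFIG_4548` repeats the RIP section shown above for the ERS 4548, `DRIFTED` is a constructed variant, and the parser assumes listen and supply are on by default once RIP is enabled on an interface (the running configuration only lists non-default settings).

```python
import re

# RIP section of the ERS 4548 running configuration shown in this post.
CONFIG_4548 = '''
router rip
router rip enable
exit
enable
configure terminal
interface vlan 1
ip rip default-supply enable
ip rip out-policy "rip_pol_1"
ip rip enable
exit
interface vlan 25
no ip rip listen enable
ip rip receive version rip2
ip rip send version rip2
no ip rip supply enable
ip rip enable
exit
interface vlan 75
no ip rip listen enable
ip rip receive version rip2
ip rip send version rip2
no ip rip supply enable
ip rip enable
exit
'''

# Constructed variant: VLAN 75 lost its "no ip rip listen enable" line.
DRIFTED = CONFIG_4548.replace(
    "interface vlan 75\nno ip rip listen enable\n", "interface vlan 75\n")

ON_OFF_KEYS = ("listen", "supply", "default-listen", "default-supply")


def rip_interfaces(running_config):
    """Return {vlan_id: settings} for every 'interface vlan N' block."""
    state, current = {}, None
    for raw in running_config.splitlines():
        line = raw.strip()
        match = re.fullmatch(r"interface vlan (\d+)", line)
        if match:
            # Assumed defaults: listen/supply on, default-listen/supply off.
            current = state.setdefault(int(match.group(1)), {
                "enabled": False, "listen": True, "supply": True,
                "default_listen": False, "default_supply": False,
                "out_policy": None})
            continue
        if line == "exit":
            current = None
            continue
        if current is None:
            continue
        negate = line.startswith("no ")
        words = (line[3:] if negate else line).split()
        if len(words) < 3 or words[:2] != ["ip", "rip"]:
            continue
        key = words[2]
        if key == "enable":
            current["enabled"] = not negate
        elif key in ON_OFF_KEYS and words[-1] == "enable":
            current[key.replace("-", "_")] = not negate
        elif key == "out-policy" and len(words) > 3:
            current["out_policy"] = None if negate else words[3].strip('"')
    return state


def listening_vlans(running_config):
    """VLAN interfaces that have RIP enabled and accept RIP updates."""
    return sorted(vlan for vlan, s in rip_interfaces(running_config).items()
                  if s["enabled"] and s["listen"])


def unexpected_listeners(running_config, routed_vlans):
    """Listening VLANs that are not in the set meant to exchange routes."""
    return [v for v in listening_vlans(running_config) if v not in routed_vlans]


if __name__ == "__main__":
    for name, cfg in (("as posted", CONFIG_4548), ("drifted", DRIFTED)):
        print(name, "listening:", listening_vlans(cfg),
              "unexpected:", unexpected_listeners(cfg, {1}))
```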

Cheers!

Avaya Enterprise Device Manager – Help Files
https://blog.michaelfmcnamara.com/2011/01/avaya-enterprise-device-manager-help-files/
Tue, 01 Feb 2011 03:33:30 +0000

Over the past few days I’ve been working with an Avaya Ethernet Routing Switch 4500 (v5.4.1) and an Avaya Ethernet Routing Switch 5520 (v6.2.1) which both utilize Avaya’s new Enterprise Device Manager (EDM) as opposed to the legacy Nortel Java Device Manager (JDM). As you know by now (from my previous ranting), I personally thought JDM was a significant differentiator for Nortel/Avaya when comparing their products to other competitors. While I think they’ve done a pretty good job with EDM it has one major drawback – it’s incredibly slow. I believe that lack of speed will generally force a large majority of Avaya users to use the CLI interface which has its own problems and issues.

In any event I tried to use the Help while I was using EDM and quickly discovered that I had to set it up. You’ll need to download the help files from Avaya’s website (I’ve included links at the bottom of this post). And you’ll need to upload the files to a permanent TFTP server somewhere on your network. I use the word permanent because every time someone clicks on the Help box the switch will download the content via TFTP and serve it up to the user via HTTP so your TFTP server will need to be continuously running, it can’t be hosted on your laptop.

I uploaded both archives to my TFTP server and then set out to configure both switches.

Avaya Ethernet Routing Switch 4500 Series

If you want to configure it via the CLI interface you can issue the following commands;

enable
config t
edm help-file-path ERS_4500_Help_EDM tftp address 192.168.1.6

In the example above my TFTP server was at 192.168.1.6 and the files were stored in /tftpboot/ERS_4500_Help_EDM on my CentOS Linux server. If you want to configure it via the EDM interface you can go to Configuration -> Edit -> File System -> Help File Path and enter “tftp://192.168.1.6/ERS_4500_Help_EDM” as the path. You should substitute the IP address above with the IP address of your TFTP server.

Once you’ve configured the path you should be able to click on any of the Help links.

Avaya Ethernet Routing Switch 5000 Series

If you want to configure it via the CLI interface you can use the following commands which are identical to the ERS 4500 with the exception of the path;

enable
config t
edm help-file-path ERS5000_Help_EDM tftp address 192.168.1.6

In the example above my TFTP server was at 192.168.1.6 and the files were stored in /tftpboot/ERS5000_Help_EDM on my CentOS Linux server. If you want to configure it via the EDM interface you can go to Configuration -> Edit -> File System -> Help File Path and enter “tftp://192.168.1.6/ERS_4500_Help_EDM” as the path (same as the ERS 4500). Again, you should substitute the IP address above with the IP address of your TFTP server.

The process is identical on both switches with the exception of the TFTP path.

Interestingly enough I got an HTTP/404 error when I clicked on the Help link (next to the Refresh button and above the path) in the figure above. The browser tried to load http://192.168.1.50/releaseNotes.html which results in an HTTP/404 “Not Found” error from the built-in web server on the switch. This only happens on the Ethernet Routing Switch 5520 and it works as expected on the Ethernet Routing Switch 4500.

Do you think there’s any chance Avaya will start paying users to report bugs?

Cheers!

References;

ERS5000_Help_EDM.zip
ERS_4500_Help_EDM.zip

Avaya Technical Configuration Guide for IPFIX
https://blog.michaelfmcnamara.com/2010/06/avaya-technical-configuration-guide-for-ipfix/
Wed, 23 Jun 2010 02:00:53 +0000

Avaya has released an updated technical configuration guide detailing how to configure IPFIX on the Ethernet Routing Switch 4500, 5000, 8300 and 8600. The document goes into detail documenting how to configure the different switch models. It also covers Avaya’s IP Flow Manager (IPFM) in significant detail.

I’m curious if anyone out there is using Avaya’s IP Flow Manager and has any thoughts and/or comments to share.

I remember a few folks either here or on the forums commenting that they were using nTop to collect the IPFIX flow information. Anyone have any thoughts about nTop/nProbe?

Cheers!

Image Credit to Network World
Ethernet Routing Switch 4500 Software Release v5.4
https://blog.michaelfmcnamara.com/2010/05/ethernet-routing-switch-4500-software-release-v4-5/
Thu, 20 May 2010 14:00:31 +0000

Avaya has released software 5.4 for the Ethernet Routing Switch 4500 series switch.

New features;

  • 802.1AB (LLDP) MED Network Policy CLI
  • 802.1D Compliancy Support
  • ADAC and Auto QoS Interoperability
  • ADAC Enhancements
  • Additional SFP Support
  • Automatic QoS and 802.1AB MED Interoperability
  • DHCP Client
  • DHCP Option 82 Support
  • DHCP Snooping Improvements
  • Dual Syslog Server Support
  • Dynamic Route Table Allocation
  • EAP and non-EAP MultiVLAN capability
  • Energy Saver
  • Erasable NNCLI Audit Log
  • IPFIX
  • MLT and LAG Scaling
  • Non-Local Static Routes
  • Open Shortest Path First
  • QoS Agent Operational Mode
  • QoS DSCP Mutation
  • QoS Egress Queue Shaping
  • QoS IP/L2 Filter Options
  • QoS Queue Set Support
  • RADIUS Accounting Enhancements (RFC2866)
  • RADIUS Server Reachability
  • Routing Information Protocol
  • Routing Policies
  • Running Configuration NNCLI Display Commands
  • Show Software Status
  • Software Licensing
  • Sticky MAC Address
  • Time Delay Reflectometer
  • Traffic Profile Filter Set Support

There are a large number of resolved and known issues, too many to post here, so I would advise anyone interested to review the release notes.

I will point out a few items that stand out… this software release marks the introduction of Enterprise Device Manager for the Ethernet Routing Switch 4500, replacing the legacy Java Device Manager.

Enterprise Device Manager (EDM) replaces both the integrated Web-based Management and separate Device Manager applications previously used to manage and configure the Ethernet Routing Switch 4500 Series switches.
EDM is a fully integrated graphical user interface delivered as a Web-based application that runs in a Web browser. To enhance ease of use, the EDM application has the look and feel of Device Manager (previously known as JDM).
EDM navigation has been enhanced. To access command tabs from the EDM navigation tree, the documented procedures specify using a double-click to open the tab in the work area. With the enhancement, you can access all objects in the navigation tree with a single click.

ATTENTION
With the introduction of Enterprise Device Manager (EDM) the use of Device Manager (sometimes referred to as JDM) is no longer supported because the use of JDM to control the switch could lead to potential corruption of the switch configuration.
ATTENTION
If you upgrade the software on your switch, and if you are managing the switch with EDM, then you should refresh the browser cache on your end device to ensure that EDM loads the latest tabs for all respective features.

I believe that the Java Device Manager was one of Nortel/Avaya’s greatest assets and a great selling point to customers. JDM was a single tool capable of managing almost every Nortel/Avaya switch, from the legacy BayStack 350 to the enterprise leading Ethernet Routing Switch 8600. I’m not too excited about the introduction of Enterprise Device Manager, I’ll need to kick the tires before I make up my mind.

Has anyone else tried the new Enterprise Device Manager? Comments? Thoughts?

I also noticed that Nortel/Avaya are now supporting a 1000BaseXD DDI SFP (1550 nm). This is a great option for customers looking to operate a fiber metro area network (up to 40km) before jumping to the 1000BaseZX which covers ~ 70km. I’ve successfully used the 1000BaseCWDM DDI SFP (1470 nm) to cover up to 40km. It’s great to finally have all the optical transceivers available in an SFP form factor as opposed to the large GBIC form factor.

This software release also adds OSPF on the ERS 4500 although the Advanced License is required to enable OSPF. You should take care to note that the maximum number of routes is capped at 512 IPv4 routes. As a comparison the ERS 5500 series allows you 2000 IPv4 routes.

Cheers!

Update: Thursday May 20, 2010 @ 2:50 PM EDT
I’ve updated the article to reflect the correct software version… Thanks Jeremy.

Changing SNMP Community Strings
https://blog.michaelfmcnamara.com/2009/10/changing-snmp-community-strings/
Wed, 21 Oct 2009 02:00:00 +0000

In this day and age it’s not a very good idea to leave the default SNMP community strings configured in any network electronics. The general default configuration uses public for read-only and private for read-write; these defaults apply to the Nortel Ethernet Switch and the Nortel Ethernet Routing Switch.

You can certainly do this from Nortel’s Java Device Manager, however, you need to be careful that you don’t saw off the branch you’re standing on when you change the SNMP community string. It’s best to configure the SNMP community strings from the CLI interface to avoid any potential issues.

Here are the CLI commands to configure the SNMP community strings on the ERS 8600 and 1600 switch. In the example below we’ll set the read-only string to open and the read-write string to lock.

ERS-8610:5# config snmp-v3 community commname first new-commname open
ERS-8610:5# config snmp-v3 community commname second new-commname lock

Here are the CLI commands to configure the SNMP community strings on the ERS 4500, ERS 5500 and ES460/470 switches. In the example below we’ll set the read-only string to open and the read-write string to lock.

5520-48T-PWR (config)# snmp-server community open ro
5520-48T-PWR (config)# snmp-server community lock rw

Cheers!

Reload command on Nortel Switches
https://blog.michaelfmcnamara.com/2009/01/reload-command-on-nortel-switches/
Mon, 19 Jan 2009 03:00:13 +0000

In today’s demanding business environments a lot of changes need to be made remotely and sometimes even the best laid plans go south. Thankfully Nortel offers the “reload” command in their Ethernet Switch and Ethernet Routing Switch series. I don’t believe the command is available for the 1600 or 8600 series. For those folks that are familiar with Cisco routers this command is identical although the syntax is different. If you’re making changes that could hang the switch or otherwise leave it improperly configured the reload command will automatically restart the switch after a specified interval has passed. If your configuration changes are successful you can cancel the reload command. If you somehow get disconnected from the switch you only need to wait until the switch reloads the original configuration.

ERS5520-PWR#reload ?
cancel           Cancel a previous scheduled reload
force            Do not ask for confirmation
minutes-to-wait  Minutes to wait before reboot
<cr>

Cheers!

Expect Script – Daylight Saving Time
https://blog.michaelfmcnamara.com/2008/07/expect-script-daylight-saving-time/
Sun, 13 Jul 2008 21:00:09 +0000

In one of my previous posts entitled, Network Time Protocol (NTP), I discussed how to setup a network time protocol server and how to configure the Nortel Ethernet Switch and Ethernet Routing Switches for NTP including Daylight Saving Time (DST) support.

I recently received a message from someone looking for some way to automate the re-configuration of over 100 switches with the correct Daylight Saving Time configuration. I explained to the person that the best long term solution would probably be to use the SNMP MIB but a quick and dirty solution might be to use Expect and call it from a Bash script looping over all the switches that needed to be re-configured. In short Expect is a scripting language that mimics user input at a TTY. The Expect script is written to issue a set of commands, as if a human were typing them, and expects various responses.

The script I wrote below only supports a limited number of switches. If you have a particular switch you’re welcome to modify the script to support that particular switch. The script will attempt to determine if the switch is running the software that has the features we’re looking to implement. I didn’t have a whole lot of time to test so buyer beware!

Here’s the expect script that I authored;

#!/usr/bin/expect -f
#
##############################################################################
#
# Filename: /usr/local/etc/set-nortel-timezone.exp
#
# Purpose:  Expect script designed to telnet into Nortel Ethernet Switches
#           and execute the CLI commands to configure the appropriate timezone
#           information, including Daylight Saving Time.
#
# Switches: Ethernet Switch 460 v3.7.x
#           Ethernet Switch 470 v3.7.x
#           Ethernet Switch 4500 v5.2.x
#           Ethernet Switch 5500 v5.1.x
#
# Author:   Michael McNamara
#
# Date:     June 1, 2008
#
# Version:  1.1
#
# Changes:
#
#           June 8, 2008 (M.McNamara)
#           - added documentation and ARGV command line checks
#           June 14, 2008 (M.McNamara)
#           - added check for switch version and exit if v3.6 switch software
#           - added check for Username introduced in v3.7 switch software
#
#
##############################################################################
#
# This Expect script was generated by autoexpect on Wed Jul 27 17:25:28 2005
# Expect and autoexpect were both written by Don Libes, NIST.
#
set force_conservative 1  ;# set to 1 to force conservative mode even if
                          ;# script wasn't run conservatively originally
if {$force_conservative} {
        set send_slow {1 .1}
        proc send {ignore arg} {
                sleep .1
                exp_send -s -- $arg
        }
}

if {[llength $argv] != 2} {
   puts "usage: set-nortel-timezone.exp <SWITCH> <PASSWORD>"
   exit 1
}

#
set PATH "/usr/local/etc/"
set TELNET "/usr/bin/telnet"

set SWITCH [lindex $argv 0]
set PASSWORD [lindex $argv 1]

set TODAY [timestamp -format %y%m%d ]
set WEEKDAY [timestamp -format %a ]
set DATE [timestamp -format %c ]

set send_human {.1 .3 1 .05 2}

#log_file $PATH/$SWITCH.expect.log
log_file /usr/local/etc/password.expect.log
log_user 0      ;# Disable logging to STDOUT
#log_user 1     # Enable logging to STDOUT

set timeout 10
spawn $TELNET $SWITCH
match_max 100000

expect "Trying"
expect {
   "Connected"  {

      expect "SW:v3.6" {
         send_log "\n\nThis version of software doesn't support the CLI commands!\n"
         send_user "\n\nThis version of software doesn't support the CLI commands!\n"
         exit 1
      }
      sleep 1
      send -- "\x19"  ;# Ctrl-Y (0x19) to get past the login banner
                }
   timeout      {
      send_log "We're unable to connect to the switch $SWITCH"
      send_user "We're unable to connect to the switch $SWITCH"
      exit 1;
                }
}

expect {
   "Username"   {
      send -- "RW\r"
   }
}

expect "Enter Password"
send -- "$PASSWORD\r"

expect {
   "Main Menu"  {
                }
   "Incorrect Password" {
      send_log "$SWITCH : Incorrect Password"
      exit 1
   }
   "Incorrect Credentials" {
      send_log "$SWITCH: Incorrect Credentials"
      exit 1
   }
}
sleep 1

# Let's get into the CLI interface from the menu prompts
send -- "C"

# Depending on the version of software we sometimes need a CR/LF
send -- "\r"
sleep 1

# Let's wait for the CLI prompt which includes the #
expect "#"
send -- "config term\r"
send -- "clock time-zone EST -5\r"
send -- "clock summer-time EDT date 9 Mar 2008 2:00 2 Nov 2008 2:00 +60\r"
send -- "exit\r"
send -- "logout\r"
expect eof

You can download the entire Expect script from this URL; set-nortel-timezone.exp.

The command line arguments are fairly straight forward;

usage: set-nortel-timezone.exp <SWITCH> <PASSWORD>

Where the SWITCH is the fully qualified domain name (FQDN) or the IP address of the switch in question and the PASSWORD is the Read-Write password for the switch.

If you had hundreds of switches to reconfigure you could wrap this Expect script in a Bash shell script similar to the following;

#!/bin/bash
#
#####################################################################
#
# Language: Bash Shell Script
#
# Filename: /usr/local/etc/set-nortel-timezone.sh
#
# Purpose:  This script will kickoff the Expect script that will
#           configure the Daylight Saving Time features for each switch
#
# Author:   Michael McNamara
#
# Date:     June 1, 2008
#
# Version:  1.0
#
# Changes:
#
#           June 10, 2006 (M.McNamara)
#           -  added remote sites into shell script processing
#
#####################################################################
#

# Variables
PATH_TO=/usr/local/etc
UPGRADE=set-nortel-timezone.exp
MAIL_LIST=''
PAGER_LIST=''
ERROR_FLAG=0
MAILEXE='/usr/bin/mutt'
LOCKFILE=/tmp/trace.lck

# Check parameters (the only argument is the read-write password)
if [ "$#" -ne 1 ]
then
  echo "Usage: `basename $0` <password>"
  exit 1
fi

PASSWORD=$1

#####################################################################
#####################################################################
# YOU SHOULD EDIT THE "SWITCHES" VARIABLE BELOW TO INCLUDE ALL THE
# SWITCHES THAT YOU WISH TO HAVE THE EXPECT SCRIPT RUN AGAINST
#####################################################################
#####################################################################

SWITCHES='sw1-5520.acme.org sw2-5520.acme.org sw3-5520.acme.org'

for SWITCH in $SWITCHES
do
        "$PATH_TO/$UPGRADE" "$SWITCH" "$PASSWORD"
done

exit

You can download the Bash shell script from this URL; set-nortel-timezone.sh.

I’ve only tested this on CentOS v5.2 but it should work on any Linux host with Expect installed although you may need to modify the path locations.
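The clock summer-time line in the Expect script carries fixed 2008 dates. The following added example (not part of the original scripts) computes the second Sunday of March and the first Sunday of November for a given year and prints the matching command; the function names are hypothetical, and the year and zone name are validated because the output is destined for a switch CLI.

```shell
#!/bin/sh
# Added example: build the "clock summer-time" line for any year under the
# US rule used in the post (second Sunday of March to first Sunday of November).

# Day of week for a Gregorian date: 0=Sunday ... 6=Saturday (Sakamoto's method).
day_of_week() {
    local y="$1" m="$2" d="$3" t
    set -- 0 3 2 5 0 3 5 1 4 6 2 4      # per-month offsets, January first
    shift $((m - 1))
    t=$1
    if [ "$m" -lt 3 ]; then
        y=$((y - 1))                    # January and February count with the prior year
    fi
    echo $(( (y + y / 4 - y / 100 + y / 400 + t + d) % 7 ))
}

# Day of month of the Nth Sunday: nth_sunday YEAR MONTH N
nth_sunday() {
    local first
    first=$(day_of_week "$1" "$2" 1)
    echo $(( 1 + (7 - first) % 7 + 7 * ($3 - 1) ))
}

# summer_time_cmd YEAR [DST_NAME]   (DST_NAME defaults to EDT, as in the post)
summer_time_cmd() {
    local year="$1" dst="${2:-EDT}" start end
    # Accept only a plain four-digit year from 2007 onward.
    case "$year" in
        [0-9][0-9][0-9][0-9]) ;;
        *) echo "invalid year: $year" >&2; return 1 ;;
    esac
    if [ "$year" -lt 2007 ]; then
        echo "rule only applies from 2007: $year" >&2
        return 1
    fi
    # Accept only upper-case letters in the zone name.
    case "$dst" in
        ''|*[!A-Z]*) echo "invalid zone name: $dst" >&2; return 1 ;;
    esac
    start=$(nth_sunday "$year" 3 2)
    end=$(nth_sunday "$year" 11 1)
    echo "clock summer-time $dst date $start Mar $year 2:00 $end Nov $year 2:00 +60"
}

# Reproduces the line hard-coded in the Expect script.
summer_time_cmd 2008
```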

Cheers!

Network Time Protocol (NTP)
https://blog.michaelfmcnamara.com/2008/06/network-time-protocol-ntp/
Sun, 15 Jun 2008 14:00:00 +0000

I’m sometimes amazed at how many large organizations don’t have a centralized Network Time Protocol (NTP) server setup and devices configured appropriately. When troubleshooting a problem it’s vital that the timestamps in the logs for each switch, router, server and appliance match up correctly.

I’m currently using two CentOS Linux servers to provide time services to over 10,000 devices in the network. My two servers are themselves syncing up with pool.ntp.org over the Internet. With CentOS I didn’t need to build the software, I only needed to install the NTP package through YUM and then configure it appropriately. It was really easy, much easier than it was say 10 years ago when you had to compile the NTP software (University of Delaware) by hand hoping you didn’t run into some missing library or version mismatch with the compiler.

We would first need to install the NTP software using YUM;
[root@hostname ]# yum install ntp

We would need to start the NTP daemons;
[root@hostname ]# service ntpd start

We would need to configure the server so the NTP software would start after every reboot;
[root@hostname ]# chkconfig ntpd on

With that step done we’d have ourselves an internal NTP server which would sync itself to the Internet (default configuration file in /etc/ntp.conf) and then our internal devices would sync to it.

Here are the CLI commands for configuring the ERS 8600 switch properly;

config bootconfig tz dst-name "EDT"
config bootconfig tz name "EST"
config bootconfig tz offset-from-utc 300
config bootconfig tz dst-end M11.1.0/0200
config bootconfig tz dst-start M3.2.0/0200

config ntp server create a.b.c.d
config ntp server create a.b.c.d
config ntp server create a.b.c.d
config ntp enable true

I’ve added the two configuration statements for the new Daylight Saving Time changes that were enacted in 2007. Please also note that I’m in the Eastern timezone (EDT/EST) so if you’re not in the Eastern timezone you would need to substitute your timezone abbreviation appropriately.

Here are the commands for an ES460, ES470, ERS4500 or ERS5500 series switch

5520-48T-PWR# config terminal
5520-48T-PWR (config)# sntp server primary a.b.c.d
5520-48T-PWR (config)# sntp server secondary a.b.c.d
5520-48T-PWR (config)# sntp enable
5520-48T-PWR (config)# exit
5520-48T-PWR#

The ERS 4500/5500 Series now supports Daylight Saving Time. This feature is NOT supported on the ES460 and ES470 switches. -- CORRECTION: this feature is supported on the ES460/470 as of v3.7.x software, please see the update at the bottom of this post for additional information. If you wanted to configure the timezone on the ERS4500/ERS5500 switch you would use the following commands;

5520-48T-PWR>enable
5520-48T-PWR# config terminal
5520-48T-PWR (config)# clock time-zone EST -5
5520-48T-PWR (config)# clock summer-time EDT date 9 Mar 2008 2:00 2 Nov 2008 2:00 +60
5520-48T-PWR (config)# exit
5520-48T-PWR#

You can use “show sntp” and “show clock” on the ERS 5500 Series switch to check out your changes;

5530-24TFD#show sntp
SNTP Status:                      Enabled
Primary server address:         10.1.20.1
Secondary server address:     10.1.20.1
Sync interval:                      24 hours
Last sync source:                 10.1.20.1
Primary server sync failures:    0
Secondary server sync failures: 0
Last sync time:                  2008-06-14 14:47:31 GMT-04:00
Next sync time:                  2008-06-15 14:47:31 GMT-04:00
Current time:                     2008-06-15 13:52:24 GMT-04:00

5530-24TFD#show clock
Current SNTP time  :    2008-06-15 13:52:29 GMT-04:00
Summer time is set to:
start: 28 March 2007 at 02:00
end: 30 August 2008 at 15:00
Offset: 60 minutes. Timezone will be 'EDT'
Time Zone is set to 'EST', offset from UTC is -05:00

Hopefully this will provide a brief look into NTP and SNTP and you’ll agree that it really isn’t that hard to setup and configure properly.

Cheers!

Update: June 17, 2008

After posting the article above I decided I would confirm that the Daylight Saving Time feature was not available on the Nortel Ethernet Switch 460/470. I found that as of v3.7.x software the feature is supported on the switches. The configuration commands are identical to the ERS4500/ERS5500 switches. Here’s an example specifically for the Eastern timezone.

470-48T>enable
470-48T#config term
Enter configuration commands, one per line.  End with CNTL/Z.
470-48T(config)#clock time-zone EST -5 00
470-48T(config)#clock summer-time EDT date 9 Mar 2008 02:00 2 Nov 2008 2:00 +60
470-48T(config)#show clock summer-time
Summer time is set to:
start: 9 March 2008 at 02:00
end: 2 November 2008 at 02:00
Offset: 60 minutes. Timezone will be 'EDT'
470-48T(config)#exit

Cheers!

How to set passwords from the CLI?
https://blog.michaelfmcnamara.com/2008/03/how-to-set-passwords-from-the-cli/
Wed, 12 Mar 2008 02:00:00 +0000

There have been quite a few comments posted to the Factory Reset Nortel Ethernet Switch article. One of those comments requested some help in how to set the passwords from the CLI (command line interface). You’ll obviously need the read-write password in order to login to the switch and reset the passwords. Without the read-write password you’ll need to factory reset the switch.

Note: I’m still trying to figure out the best way to display the CLI stuff… if I use the PRE HTML tag the font is really too small, if I don’t use the PRE HTML tag the formatting (spacing) gets lost making it difficult to compare the post with the real world output from a CLI interface.

Nortel Ethernet Routing Switch 5500 Series (v5.1)

Here’s how to set the passwords on the Nortel Ethernet Routing Switch 5500 Series (v5.1 software).

5520-48T-PWR>enable
5520-48T-PWR#config term
Enter configuration commands, one per line.  End with CNTL/Z.

What’s the syntax to set the read-only and read-write passwords?

5520-48T-PWR(config)#cli password ?
read-only   Modify read-only password
read-write  Modify read-write password
serial      Enable/disable serial port password.
telnet      Enable/disable telnet and web password.

We’ll use the commands below to set the read-only (RO) password to “readonlypassword” and the read-write (RW) password to “readwritepassword”;

5520-48T-PWR(config)#cli password read-only readonlypassword
5520-48T-PWR(config)#cli password read-write readwritepassword

What is the syntax to enable the passwords on the serial and telnet interfaces?

5520-48T-PWR(config)#cli password serial ?
local   Use local password.
none    Disable password.
radius  Use RADIUS password authentication.
tacacs  Use TACACS+ AAA services

5520-48T-PWR(config)#cli password telnet ?
local   Use local password.
none    Disable password.
radius  Use RADIUS password authentication.
tacacs  Use TACACS+ AAA services

We’ll use the commands below to set the serial and telnet interface to use the local passwords we’ve just configured above. You could also use RADIUS and TACACS authentication if you set it up.

5520-48T-PWR(config)#cli password serial local
5520-48T-PWR(config)#cli password telnet local

And let’s not forget to save the configuration file (even though the switch should auto-save it).

5520-48T-PWR(config)#copy config nvram
5520-48T-PWR(config)#exit
5520-48T-PWR#disable
5520-48T-PWR>

Nortel Ethernet Routing Switch 4500 Series (v5.0)

The Nortel Ethernet Routing Switch 4500 Series (v5.0 software) is practically identical to the 5500 series except that it does not yet support TACACS authentication.

4548GT-PWR(config)#cli password ?
read-only   Modify read-only password
read-write  Modify read-write password
serial      Enable/disable serial port password.
telnet      Enable/disable telnet and web password.

4548GT-PWR(config)#cli password serial ?
local   Use local password.
none    Disable password.
radius  Use RADIUS password authentication.

4548GT-PWR(config)#cli password telnet ?
local   Use local password.
none    Disable password.
radius  Use RADIUS password authentication.

Nortel Ethernet Switch 460/470 (v3.7.2)

The Nortel Ethernet Switch 460/470 (v3.7.2 software) is identical to the ERS 4500 series.

470-48T>enable
470-48T#config term
Enter configuration commands, one per line.  End with CNTL/Z.

470-48T(config)#cli password ?
read-only   Modify read-only password
read-write  Modify read-write password
serial      Enable/disable serial port password.
telnet      Enable/disable telnet and web password.

470-48T(config)#cli password serial ?
local   Use local password.
none    Disable password.
radius  Use RADIUS password authentication.

470-48T(config)#cli password telnet ?
local   Use local password.
none    Disable password.
radius  Use RADIUS password authentication.

Hopefully this should help a few folks out.

Cheers!

Default Nortel Ethernet Switch Usernames
https://blog.michaelfmcnamara.com/2007/12/default-nortel-ethernet-switch-usernames/
Mon, 31 Dec 2007 03:00:00 +0000

If you’ve ever tried to connect to the web interface of a Nortel Ethernet Switch 460/470 or Ethernet Routing Switch 5510/5520/5530 you might have found that you need to provide a username.

In software release v3.7.x for the Nortel Ethernet Switch 460/470 you’ll also find that you now need to provide a username when you telnet into the switch (in previous releases you were only prompted for a password, now you are prompted for a username and password).

Interestingly enough you cannot change the default usernames (at least I don’t believe you can).

For the above mentioned switches there are only two levels of access, read-write and read-only.

The default username for the read-write user level is RW.
The default username for the read-only user level is RO.

Updated 1/16/08: I should have included the default passwords for those two accounts.
The default password for the read-write user level is “secure”.
The default password for the read-only user level is “user”.
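The defaults covered in these posts (the SNMP communities public and private, the RW/RO passwords “secure” and “user”, and the none option for the serial and telnet passwords) can be checked mechanically before a configuration template is pushed to a switch. The script below is an added example, not part of the original posts; the function names and the sample template are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint an ERS 4500/5500 style command template for the
# factory defaults named in the posts. Reads files given as arguments,
# or stdin. Prints one finding per line and returns 1 if any were found.
lint_ers_template() {
    awk '
    function report(msg) { printf "line %d: %s\n", NR, msg; bad++ }

    # Lines starting with ! are comments in ASCII configuration files.
    /^[ \t]*!/ { next }

    {
        # Drop a pasted prompt such as "5520-48T-PWR (config)# ".
        sub(/^[^#]*\(config\)#[ \t]*/, "")
        # Values may be quoted; compare them without the quotes.
        gsub(/"/, "")
    }

    $1 == "snmp-server" && $2 == "community" &&
    ($3 == "public" || $3 == "private") {
        report("default SNMP community string " $3)
    }

    $1 == "cli" && $2 == "password" {
        if ($3 == "read-write" && $4 == "secure")
            report("read-write password is the factory default")
        if ($3 == "read-only" && $4 == "user")
            report("read-only password is the factory default")
        if (($3 == "serial" || $3 == "telnet") && $4 == "none")
            report($3 " access has password checking disabled")
    }

    END { exit (bad > 0) }
    ' "$@"
}

# Constructed sample template, not taken from a real device.
sample_template() {
    cat <<'EOF'
! constructed sample template
cli password read-only user
cli password read-write readwritepassword
cli password serial local
cli password telnet none
snmp-server community public ro
5520-48T-PWR (config)# snmp-server community private rw
snmp-server community open ro
EOF
}

# Show the findings for the sample; a non-zero status here is expected.
sample_template | lint_ers_template || true
```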

Cheers!

Factory Reset Nortel Ethernet Routing Switch
https://blog.michaelfmcnamara.com/2007/12/factory-reset-nortel-ethernet-routing-switch/
Thu, 27 Dec 2007 03:00:00 +0000

I’ve received a few inquiries about how to reset the password and configuration on a Nortel Ethernet Routing Switch 8600. In a previous article I showed everyone how to reset the configuration (and password) of a Nortel Ethernet Switch (including the ERS 5500 series) but not a Nortel Ethernet Routing Switch.

As with the previous procedure you’ll need access to the console port on the switch. Specifically you’ll need to cable up (9600,8,N,1) to the CPU (8690SF, 8691SF, 8692SF) you wish to reset.

If you’ve lost the password… cold boot the chassis while connected to the console port. When the switch starts to boot you should see something similar to the following (depending on the version of software installed);

Copyright (c) 2007 Nortel, Inc.
CPU Slot 5:    PPC 745 Map B
Version:       4.1.5.4
Creation Time: Dec 17 2007, 15:31:21
Hardware Time: DEC 26 2007, 16:19:24 UTC
Memory Size:   0x10000000
Start Type:    cold
SMI ZOOMCF
can't open "/pcmcia/pcmboot.cfg" 0x380003
S_dosFsLib_FILE_NOT_FOUND
/flash/  - Volume is OK
Change volume Id from 0x0 to 0x1a5

Loaded boot configuration from file /flash/boot.cfg
Attaching network interface lo0... done.

Press <Return> to stop auto-boot...
1

You’ll need to interrupt the boot process by hitting the “Return” key. You should be greeted with a monitor prompt;

monitor#

From here you’ll be able to issue a command to clear the passwords stored in NV RAM;

monitor# reset-passwd
monitor#

Now just go ahead and reset the CPU and you should be able to login with the default username (rwa) and password (rwa).

monitor# reset

CPU Slot 5:    PPC 745 Map B
Version:       4.1.5.4
Creation Time: Dec 17 2007, 15:31:21
Hardware Time: DEC 26 2007, 16:25:09 UTC
Memory Size:   0x10000000
Start Type:    cold
SMI ZOOMCF
can't open "/pcmcia/pcmboot.cfg" 0x380003
S_dosFsLib_FILE_NOT_FOUND
/flash/  - Volume is OK
Change volume Id from 0x0 to 0x1a5

Loaded boot configuration from file /flash/boot.cfg
Attaching network interface lo0... done.

Press <Return> to stop auto-boot...
Loading /flash/p80a4154.img ... 8761414 to 25459172 (25459172)
Starting at 0x10000...

SMI ZOOMCF
Booting PMC280 Mezz HW please wait
. The BootCode address is 0x2b00100 3303
.
Mezz taking over console and modem......
Mezz CPU Booted successfully

Initializing backplane net with anchor at 0x4100... done.
Backplane anchor at 0x4100... ..
Mounting /flash: .done.

Ethernet Routing Switch 8600  System Software Release 4.1.5.4
Copyright (c) 1996-2007 Nortel, Inc.

CPU5 [10/26/99 11:26:25] SW INFO System boot
CPU5 [10/26/99 11:26:25] SW INFO ERS System Software Release 4.1.5.4
CPU5 [10/26/99 11:26:26] SW INFO CPU card entering warm-standby mode...
CPU5 [10/26/99 11:26:27] SW INFO Loading configuration from /flash/config.cfg

CPU5 [10/26/99 11:26:27] SW INFO PCMCIA card detected in Stand-by CPU "ERS-8610"
slot 5, Chassis S/N SSPND*****

**************************************************
* Copyright (c) 2007 Nortel, Inc.                *
* All Rights Reserved                            *
* Ethernet Routing Switch 8010                   *
* Software Release 4.1.5.4                       *
**************************************************

Login:

You should now be able to log in with the default RWA username of “rwa” and the default password of “rwa”.

If you wish to reset the configuration… you only need to delete the config.cfg file from the flash and reset the switch.

You should NOT delete the boot.cfg file unless you have a copy of the software on the PCMCIA card and know how to start the software using the boot command from monitor mode.

I believe the same monitor command is available for the Ethernet Routing Switch 1600 Series.

Cheers!

Factory Reset Nortel Ethernet Switch https://blog.michaelfmcnamara.com/2007/11/factory-reset-nortel-ethernet-switch/ Sun, 25 Nov 2007 15:00:00 +0000

There can be times when you need to factory reset a switch. This process can be accomplished through the CLI, but if you’ve lost the switch password you’ll need to follow a special process. This process should work for any of the Ethernet Switches (450, 460, 470) and the Ethernet Routing Switches 2500 Series, 4500 Series, 5500 (5510, 5520, 5530) Series. There is a different process to recover lost passwords on the Ethernet Routing Switch 1600 and 8600. Please note that by factory resetting the switch you will lose all configuration settings. It will be as if it just arrived from the “factory”.

Follow these steps:

  1. Connect to the console port of the switch (9600,8,N,1)
  2. Reboot the switch.
  3. When the first line of the diagnostics tests is displayed, press CTRL-C. The system then displays a menu.
  4. Select option “i” to factory default the switch.
  5. Select option “a” to run the agent code.

Upon boot up, the switch will be in a factory default configuration.

Cheers!
