Michael McNamara
https://blog.michaelfmcnamara.com
technology, networking, virtualization and IP telephony
Sat, 30 Oct 2021 18:13:33 +0000

It’s the networks fault #7
https://blog.michaelfmcnamara.com/2012/11/its-the-networks-fault-7/
Wed, 21 Nov 2012 04:13:20 +0000

Have you noticed that the web site is faster? No, it’s not magic; I’ll tell you all about it in another post next week.

Articles

  • United Boeing 787 Dreamliner: Butt-In-Seat Economy Plus Review – Stephen Foskett provides a detailed hands-on report from his recent travels in one of United Airlines’ newest airplanes as he traveled from San Francisco, CA to Houston, TX.
  • Impressions of Windows 8 – Bob Plankers gives his impressions of Windows 8. Personally I haven’t really looked at it beyond reading a few reviews here and there. I might jump on the ChromeOS bandwagon before I try Windows 8.
  • Security Policies – Logging (SRX Traffic Logs) – Stefan Herbst details how to configure logging on the Juniper SRX appliances. The logging itself seems very powerful, but I have a question: where can I see a log entry if my Ethernet port went down? The logging has an immense amount of detail for all the different services and subsystems, but it seems to come up short (or I haven’t figured out how to configure it yet) on how to just get the basics such as OSPF down, Ethernet down, tunnel down, Ethernet up, tunnel up, OSPF up, etc. without turning on debug and being overwhelmed with data.
  • Bandwidth requirements for long distance vMotion – Duncan Epping tries to answer Kurt Bales’ question around vMotion bandwidth requirements. I personally didn’t realize there was a bandwidth requirement, but I did know that there was an RTT requirement of 5ms or less between the ESX hosts.
  • Robert Half International Salary Guides – Robert Half has a number of salary guides available that are very accurate for those of us in the continental United States and Canada.

Software Releases

Avaya Ethernet Routing Switch 5000 Software Release v6.2.5

Avaya has released software v6.2.5 for the Ethernet Routing Switch 5000 Series.

Here’s the list of fixes in this release:

  • In an IST setup where a 5xxx stack of two units is connected to a 5xxx standalone, whenever the non-base unit is powered off or rebooted the base unit’s IST ports go down along with the peer ports, resulting in the IST going down (wi00927807)
  • With DHCP snooping enabled, the TFTP transfer to the iMAC client is truncated (wi00952434)
  • EDM users were able to disable/enable ports on devices that were not assigned to users (wi01035327)
  • EDM was not properly showing port description for copper ports 91-96 on ERS5698 (wi01035332)
  • An EDM Topology Error message was generated when accessing the topology tab (wi00958431)
  • In a 2-unit stack the SLT did not behave as expected after powering on the BU of either stack in the IST (wi00975074)
  • 5xxx software exception with task tDCHP and DCHP relay related (wi00978796)
  • A data access exception “Task Name tOspfTxHel” was resolved in this release (wi00975340)
  • Missing egress OSPF hello packets at times caused OSPF adjacency to drop (wi00955758)
  • In a 2-unit stack IST configuration, when the BU was rebooted there were intermittent ping loss (wi00984502)
  • In an SMLT cluster made up of 2-unit stacks, inconsistent behavior was observed when a unit in one of the stacks failed (wi01002374)
  • Ping or Telnet to any DNS hostname could cause instability in management VLAN requiring a reboot of the stack (wi00933202)
  • “no qos dos” command was not available from Interface Configuration mode (wi00981561)
  • EAPOL authentication issue when Radius Queue is Full (wi01014155)
  • Stale EAP entries after the EAP clients have been disconnected (wi01014163)
  • 6.2.4 code release was generating incorrect IPv4 ICMP redirect (wi00996235)
  • NMAP scanning tool blocked new telnet session to the switch requiring a reboot to recover (wi00958131)
  • An intermittent MAC Learning Issue was addressed in this release (wi00984022)
  • Wake-on-LAN (WOL) did not work for NEAP clients (wi01034823)
  • 5600s Intermittently locks and stops forwarding traffic requiring a reboot to recover (wi00980701)
  • Read only user profiles were able to successfully edit port state & VLAN parameters using built in EDM (wi00989751)
  • Fix a silent reset that was reproduced with heavy ARP traffic and the ARP cache getting cleared every 4 minutes (wi00993098)
  • Addressed a console lockup issue that was reproduced under heavy ARP traffic and as the ARP cache was being cleared every 4 minutes (wi00994932)
  • Intermittent bcmTx task Lock up when switch stops forwarding traffic (wi00980701)

You can find all the details in the release notes on the Avaya website.

Avaya Ethernet Routing Switch 4000 Software Release v5.6.2

Avaya has released software v5.6.2 for the Ethernet Routing Switch 4000 Series.

Here’s the list of fixes:

  • wi01026335 100FX SFP, Display: The Avaya 100FX SFP (AA1419074-E6) is now correctly displayed as a supported SFP in variations of the switch which can support slow speed SFPs.
  • wi01054301 802.1X, RADIUS Health Check: The RADIUS health check password is now correctly encrypted with the server key when sending a reachability packet to the RADIUS server.
  • wi01047335 802.1X, Clear MAC Address: When issuing the clear mac-address-table address <x> command against an EAP/NEAP MAC address it is now correctly removed from the Layer2 MAC Address table.
  • wi01049393 802.1X, RADIUS Reachability, ASCII Config: RADIUS Reachability username is now correctly output when generating an ASCII configuration file.
  • wi01046960 802.1X, RADIUS Reachability, IPv6, Log Messages: Log messages related to RADIUS Server reachability are now correctly displayed when RADIUS servers are configured for IPv6.
  • wi01032441, wi01032439 802.1X, RADIUS VLANs (RAV), DHCP Requests, Wrong VLAN: When the switch boots, DHCP traffic is now correctly blocked until EAP/NEAP authentication starts. Previously DHCP requests would be forwarded by the switch before EAP authentication, which could result in the end device obtaining an IP address in the wrong VLAN if RADIUS Assigned VLANs (RAVs) are used.
  • wi01055405 Diags, New Agent Software: The diagnostics software has been updated to correctly recognise 5.7.0 and later agent code releases.
  • wi01053526 Diags, PoE+, 4850GTS, Shared Ports: A diagnostics internal loopback error which occurred when some devices were connected to the shared ports (47 or 48) on the 4850GTS or 4850GTS-PWR+ has now been addressed.
  • wi01055434 Diags, PoE+, Warm Boot: The diagnostics now correctly keeps PoE+ disabled during a warm boot process until control is passed to the agent software.
  • wi01034775 EDM, ECMP: The Maximum Path value in the ECMP configuration tab for EDM can now be changed from the default value of 1 and successfully applied to the switch.
  • wi01029886 EDM, Help File, ASCII Config: EDM Help file path is now correctly output when generating an ASCII configuration file.
  • wi01042035 EDM, Password Display: EDM now correctly shows console/web/telnet passwords when operating as a single unit or a stack.
  • wi01042931 EDM, PoE Port status: EDM now correctly displays PoE status when requesting output for a large number of PoE ports, rather than displaying “Request timed out” error.
  • wi01006349 EDM, Username, Software Exception: An issue which existed when a username longer than 2 characters was entered into EDM has now been addressed. The switch will no longer produce a software exception.
  • wi01034869 ERS 4500, PoE, Power failover: ERS 4500-PWR models (4526T-PWR, 4550T-PWR, 4524GT-PWR, 4526GTX-PWR, 4548GT-PWR) with Hardware revision 12 or later will now correctly maintain PoE when switching to redundant power when the PoE firmware 4500_PoE_400b15.img is loaded on the units. Note: this firmware should not be loaded on to ERS 4500-PWR+, ERS 4800-PWR+ or ERS 4500-PWR with Hardware revision lower than HW revision 12.
  • wi01042478 ERS 4500, Shared Ports, Duplex Settings: User configured duplex settings are now correctly retained for the shared ports on ERS 4500 Gigabit models.
  • wi01043265 ERS 4800, Port Mirroring: Traffic is now correctly not mirrored on the switch when Port Mirroring Allow Traffic is disabled.
  • wi01010344, wi01006771 Memory Leak, IPFix: A memory leak which could cause a switch to reset after 22 to 28 days when IPFix is enabled has been rectified. The switch will no longer reset with a task exception after this period of time when IPFix is enabled.
  • wi01039472 QoS: The “show qos agent” output has been enhanced to provide information on the queue-set and buffer usage.
  • wi01034053 SNMP Trap, IP Source Guard: SNMP Traps for IP Source Guard for the last unit in a stack are now correctly enabled by default.
  • wi01042163 Static MAC Address, MLT: The switch will now correctly produce an error message if you try to enable an MLT which has a port with static MAC addresses configured.
  • wi01028451, wi01049826 VLACP not working with Ethertype 8102: Interoperability issues with VLACP using Ethertype 8102 (default Ethertype for SLPP-guard) have now been addressed.

You can find all the details in the release notes on the Avaya website.

Avaya Ethernet Routing Switch 4850GTS-PWR+

I’m currently doing an in-depth evaluation of the ERS 4850GTS-PWR+ for my organization as we prepare to expand one of our facilities to meet the growing needs of the surrounding community. The ERS 4850GTS-PWR+ provides 48 10/100/1000 802.3at PoE+ & 2 SFP ports plus 2 SFP+ ports & HiStack ports. You can order the switch with a 300W or 1000W power supply depending on your needs. The switch chassis will accept a redundant 300W or 1000W hot swappable power supply.

I was provided 2 evaluation units (ERS 4826GTS-PWR+) by our (value added) reseller. Interestingly enough I had some issues running software release 5.6.0 when I would reboot (soft) the stack of 2 switches. In the majority of cases the stack would not recover after the reboot until I power cycled (cold) both switches. That issue appears to have been resolved in the 5.6.1 software, as I have yet to observe that problem since I upgraded. I’m testing the switch with a number of desktops, laptops, IP phones, wireless access points, etc. I have yet to find an 802.3at device that I can use to test with in the office, although I’m hoping that Motorola has some 802.3at access points that I can test.

The ERS 4800 has the ASICs that can support Avaya’s VENA architecture, whereas the ERS 5500 and 5600s won’t be able to support VENA.

Cheers!

Ethernet Routing Switch 5000 Software Release v6.2.4
https://blog.michaelfmcnamara.com/2012/01/ethernet-routing-switch-5000-software-release-v6-2-4/
Mon, 02 Jan 2012 20:21:05 +0000

Avaya has released software 6.2.4 for the Ethernet Routing Switch 5500/5600 series switches.

There are a number of significant bug fixes included in this release, please refer to the release notes for all the details.

If you have the opportunity to test 6.2.4 and would like to share your findings please make a post on the discussion forums.

Cheers!

Ethernet Routing Switch MAC Address Security
https://blog.michaelfmcnamara.com/2011/11/ethernet-routing-switch-mac-address-security/
Fri, 18 Nov 2011 22:42:17 +0000

In this day and age network security is becoming more and more of an issue for organizations large and small. There are dozens of Network Access Control (NAC) solutions from a number of high-profile vendors. Unfortunately they can be very costly and painful to deploy. I often get asked about MAC address security and the role it can play in helping to secure a network.

MAC Address Security

There’s definitely a role for MAC address security in both large and small networks. It’s certainly not foolproof in today’s world, but it’s definitely better than nothing. I would say that smaller networks can probably benefit more from MAC address security; it’s a relatively simple and cost-effective (free) way to secure your network if you only have a few switches and only a few hundred devices. If you have a few hundred switches or a few thousand devices then MAC address security is still useful, but not to the same degree. Why the difference between large and small networks? The solution doesn’t scale very well. Here’s one large caveat: the MAC Address Security Table can hold up to 448 MAC addresses. As the number of switches increases the management burden increases significantly. In a small network with only a few switches you can easily update the MAC security address table manually and provide a locked-down environment. In larger networks the limitation of the table size will only allow you to utilize an auto-learned MAC address per port configuration. This is still useful to larger organizations that wish to only allow 1 or 2 MAC addresses per switch port (no hubs on this network please). So MAC address filtering in combination with BPDU filtering can really help to provide some control over that edge switch port.

I personally use MAC security to restrict the number of devices that get connected to a single switch port. We also use MAC security at our smaller branch offices to tightly control what devices get connected to the network. Unfortunately, since the ‘MAC Address Security Table’ can only hold 448 MAC addresses, it’s really not big enough for even a mid-sized organization. If you’re looking to provide some port level security I would suggest you look at 802.1x authentication using RADIUS to authenticate the MAC addresses.

You can use MAC address security lists to create a list of authorized MAC addresses that are allowed to connect to any port associated with that list. This is very helpful if a user moves his/her device between ports the device will still be authorized since the MAC address is not tied to a physical port but rather a list which is then associated with a set of ports.

When a MAC address violation is detected you have a few options for how to respond. You can partition (isolate) the port where the MAC address violation was detected; this will essentially isolate all devices on the port. You can have the switch filter the destination MAC address (DA) of the offending device. Or you can just alarm via an SNMP trap and the system log and let an engineer or administrator determine what action to take.

Example: you have an IP phone with an empty PC port on the back. If someone plugs something into the PC port you don’t want to allow that device on the network. If you have the switch configured to partition the port, the switch will cut off both the offending device and the IP phone. If you have the switch configured just to filter the DA, then only communications to the offending device will be impeded.

How to set up a MAC security list?

In this example I’ll set up a MAC security list, adding a single MAC address and associating the list with three different ports. This will allow the MAC address to connect to any of the three ports. I’ll also set up the switch so that it will partition (isolate) any port where a violation is recorded.

5520-48T-PWR(config)# mac-security enable
5520-48T-PWR(config)# mac-security security-list 1 add 1
5520-48T-PWR(config)# mac-security security-list 1 add 2
5520-48T-PWR(config)# mac-security security-list 1 add 3
5520-48T-PWR(config)# mac-security mac-address-table address 00-25-84-EB-47-5A security-list 1

If you want the switch to actually do something other than just alarm, you should enable intrusion-detect. I set the timer to 2 minutes (120 seconds).

5520-48T-PWR(config)#mac-security intrusion-detect enable
5520-48T-PWR(config)# mac-security intrusion-timer 120

If you don’t want to partition the port but instead just want to filter the offending MAC address just enable filtering.

5520-48T-PWR(config)#mac-security filtering enable

And finally you need to enable MAC security on the specific ports.

5520-48T-PWR(config)#inter fastEthernet 1-3
5520-48T-PWR(config-if)#mac-security enable
5520-48T-PWR(config-if)#exit
5520-48T-PWR#show mac-security config
MAC Address Security: Enabled
MAC Address Security SNMP-Locked: Disabled
Partition Port on Intrusion Detected: Disabled
DA Filtering on Intrusion Detected: Enabled
MAC Auto-Learning Age-Time:  60 minutes
MAC Auto-Learning Sticky Mode: Disabled
Current Learning Mode: Disabled
Learn by Ports: NONE

I connected an unauthorized device to port 3 and we can see from the logs that the switch is reporting an intrusion.

I    00:00:50:21       50       Link Up Trap for Port: 3
I    00:00:48:19       47       Trap:  s5EtrNewSbsMacAccessViolation
I    00:00:48:19       46       Link Down Trap for Port: 3
I    00:00:48:19       45       Bay Secure intruder MAC 00-24-7f-99-84-70 port 3

How to remove a MAC address or MAC security list?

5520-48T-PWR(config)#show mac-security mac-address-table
Number of addresses: 3

Unit Port Allowed MAC Address   Type
---- ---- ------------------- ---------

Security List Allowed MAC Address   Type
------------- ------------------- ---------
1             00-1E-CA-F3-1D-B4   Static
1             00-24-7F-99-84-70   Static
1             00-25-84-EB-47-5A   Static

Let’s remove these MAC addresses from the MAC address table.

5520-48T-PWR(config)#no mac-security mac-address-table address 00-1E-CA-F3-1D-B4
5520-48T-PWR(config)#show mac-security mac-address-table
Number of addresses: 2

Unit Port Allowed MAC Address   Type
---- ---- ------------------- ---------

Security List Allowed MAC Address   Type
------------- ------------------- ---------
1             00-24-7F-99-84-70   Static
1             00-25-84-EB-47-5A   Static

Let’s remove the entire MAC security list.

5520-48T-PWR(config)#no mac-security security-list 1

How to enable automatic learning?

You can also have the switch auto-learn the MAC addresses, either temporarily (leave auto-learning enabled) or permanently (disable auto-learning after you have all the MAC addresses in the table). Here are some commands to enable continual MAC address learning and restrict the number of MAC addresses to 2.

5520-48T-PWR(config)#interface fa 3
5520-48T-PWR(config-if)#mac-security auto-learning port 3 max-addrs 2
5520-48T-PWR(config-if)#mac-security auto-learning port 3 enable
5520-48T-PWR(config-if)#exit
5520-48T-PWR(config)#show mac-security port 3
Port  Trunk  Security  Auto-Learning  MAC Number Security Locked-out
----  -----  --------  -------------  ---------- -------------------
   3         Enabled      Enabled         2       Disabled
5520-48T-PWR(config)#show mac-security mac-address-table
Number of addresses: 2

Unit Port Allowed MAC Address   Type
---- ---- ------------------- ---------
0    3    00-1E-0B-79-D5-BC   Automatic
0    3    00-1E-CA-F3-1D-B4   Automatic

Security List Allowed MAC Address   Type
------------- ------------------- ---------
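To tie the pieces above together (the armed response from “show mac-security config”, the allow-list from “show mac-security mac-address-table”, and the “Bay Secure intruder” log lines), here is an added Python example that is not from the original post and not Avaya code. It parses copies of those three outputs offline and, for each intrusion event, reports whether the intruder MAC is completely unknown or is an authorised device that has simply been plugged into a port its list or port entry does not cover, along with which response (partition, DA filter, or alarm only) the switch is armed to take. The sample outputs are constructed to mirror the shapes shown above (the second intruder MAC is deliberately one that is already allowed on another port); the function and field names are my own.

```python
"""Offline triage of ERS MAC security output (added example, not Avaya code).

Joins 'show mac-security config' (armed response), 'show mac-security
mac-address-table' (the allow-list) and 'Bay Secure intruder' log lines.
Function and field names are the author's own."""
import re
from dataclasses import dataclass

MAC = r"([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})"
PORT_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+" + MAC + r"\s+(\w+)\s*$")  # Unit Port MAC Type
LIST_ROW = re.compile(r"^\s*(\d+)\s+" + MAC + r"\s+(\w+)\s*$")          # List MAC Type
INTRUDER = re.compile(r"Bay Secure intruder MAC\s+" + MAC + r"\s+port\s+(\d+)")


@dataclass(frozen=True)
class Allowed:
    mac: str    # normalised to XX-XX-XX-XX-XX-XX
    scope: str  # "port" = Unit/Port table, "list" = Security List table
    key: str    # "unit/port" for port scope, the list number for list scope
    kind: str   # Static or Automatic


def norm(mac: str) -> str:
    return mac.upper().replace(":", "-")


def parse_config(text: str) -> str:
    """Return the armed response: 'partition', 'filter' or 'alarm-only'."""
    flags = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            flags[key.strip()] = value.strip()
    if flags.get("Partition Port on Intrusion Detected") == "Enabled":
        return "partition"
    if flags.get("DA Filtering on Intrusion Detected") == "Enabled":
        return "filter"
    return "alarm-only"


def parse_table(text: str) -> list:
    """Parse both sections of 'show mac-security mac-address-table'."""
    entries, section = [], None
    for line in text.splitlines():
        if line.startswith("Unit Port"):
            section = "port"
        elif line.startswith("Security List"):
            section = "list"
        elif section == "port" and (m := PORT_ROW.match(line)):
            entries.append(Allowed(norm(m[3]), "port", f"{m[1]}/{m[2]}", m[4]))
        elif section == "list" and (m := LIST_ROW.match(line)):
            entries.append(Allowed(norm(m[2]), "list", m[1], m[3]))
    return entries


def parse_log(text: str) -> list:
    """Return (mac, port) for every 'Bay Secure intruder' line, in log order."""
    return [(norm(m[1]), int(m[2])) for m in INTRUDER.finditer(text)]


def triage(log: str, table: str, config: str) -> list:
    """One record per intrusion: is the MAC unknown, or authorised somewhere else?"""
    allowed = parse_table(table)
    response = parse_config(config)
    records = []
    for mac, port in parse_log(log):
        hits = [a for a in allowed if a.mac == mac]
        if hits:
            verdict = "authorised elsewhere: " + ", ".join(f"{a.scope} {a.key}" for a in hits)
        else:
            verdict = "unknown device"
        records.append({"mac": mac, "port": port, "verdict": verdict, "response": response})
    return records


# Constructed samples shaped like the post's output; the second intruder MAC is
# deliberately one that is already allowed on a different port.
SAMPLE_CONFIG = """\
MAC Address Security: Enabled
Partition Port on Intrusion Detected: Disabled
DA Filtering on Intrusion Detected: Enabled
"""
SAMPLE_TABLE = """\
Number of addresses: 3
Unit Port Allowed MAC Address   Type
---- ---- ------------------- ---------
0    5    00-1E-0B-79-D5-BC   Automatic
Security List Allowed MAC Address   Type
------------- ------------------- ---------
1             00-1E-CA-F3-1D-B4   Static
1             00-25-84-EB-47-5A   Static
"""
SAMPLE_LOG = """\
I    00:00:48:19       47       Trap:  s5EtrNewSbsMacAccessViolation
I    00:00:48:19       46       Link Down Trap for Port: 3
I    00:00:48:19       45       Bay Secure intruder MAC 00-24-7f-99-84-70 port 3
I    00:00:40:02       40       Bay Secure intruder MAC 00-1e-0b-79-d5-bc port 3
"""

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG, SAMPLE_TABLE, SAMPLE_CONFIG):
        print(f"port {rec['port']}: {rec['mac']} -> {rec['verdict']} "
              f"(armed response: {rec['response']})")
```

Run it as-is to see the two sample verdicts, or paste in real captures from the switch. The table parser keys on the “Unit Port” and “Security List” header rows exactly as they appear above, so if a later software release changes those headers the two regexes are the only thing that needs adjusting. The “authorised elsewhere” verdict is the case worth a second look before partitioning anything: it usually means a known device was moved to a port that is not in its security list, which is a configuration gap rather than an intruder.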

Cheers!

References:

http://support.avaya.com/css/P8/documents/100123951
http://support.avaya.com/css/P8/documents/100122355
http://support.avaya.com/css/P8/documents/100095744

Ethernet Routing Switch 5000 Software Release v6.1.7
https://blog.michaelfmcnamara.com/2011/10/ethernet-routing-switch-5000-software-release-v6-1-7/
Tue, 11 Oct 2011 22:00:48 +0000

Avaya has released software 6.1.7 for the Ethernet Routing Switch 5500/5600 series switches.

As you may recall there were some serious issues with 6.1.6 software (still surprised the software wasn’t pulled by Avaya) which now appear to have been resolved in wi00879571. Thanks to @svl0r for bringing this fix to our attention.

The following issues have been resolved with this software release:

  • The switch did not learn MAC addresses of the format xx:59:xx:xx:xx:xx (wi00870509).
  • It was not possible to give the switch an IP address with a last octet of “0” (wi00872987).
  • Stack instability resulting from an upgrade to 6.1.6 (from 5.0.8) through 6.0.0.004 with VLACP enabled is now resolved (wi00879571).
  • Switch stuck in a reboot loop due to the CLI Password Telnet Radius setting in the configuration file (wi00873593).
  • 5600 v6.1.2 ports became unresponsive; the ports in this situation would not transmit data and the “dropped on no resources” counter kept incrementing (wi00854625).
  • HCInMulticastPkt counter was incorrect (wi00858797).
  • Stack failure with SW Exception: Task tVLACP, Type Data Access, PC 0x00e1f1cc, SP 0x0744bdc0 is resolved in this release (wi00904011).
  • When autosave was disabled, non-base units did not properly save the configuration under certain conditions (wi00898364).
  • Stack failure logging Software Exception Task Name “tMCMgr” has been addressed (wi00895189).

As always please consult the release notes for all the details.

Cheers!

Avaya Ethernet Routing Switches and non-ADAC VLANs
https://blog.michaelfmcnamara.com/2011/09/avaya-ethernet-routing-switches-and-non-adac-vlans/
Thu, 22 Sep 2011 04:19:31 +0000

I recently stumbled across this little tidbit and thought I would share it with everyone here.

Up until recently, if you wanted to change the default VLAN (the data VLAN for the IP phones) on a port that had ADAC enabled you had to first disable ADAC, change the VLAN assignment of the port and then re-enable ADAC. This was problematic for two major reasons: 1) disabling ADAC would remove the port from the voice VLAN and would interrupt the connectivity to the IP phone, causing an outage; 2) if your network administrator forgot to disable ADAC before making the VLAN change, the switch would eventually restore the port to its originally configured VLAN (usually on reboot of the switch), which would ultimately leave the end device in the wrong VLAN and unable to communicate.

I blogged about the problem back in 2008 here and here, and there were many of you that found out the hard way that neither Java Device Manager nor the CLI would warn you before making any VLAN changes on a port which had ADAC enabled. It’s now 2011 and while I definitely have more grey hair (I guess I should be happy I still have hair) it seems that Avaya has finally gotten around to resolving this issue. It seems Avaya also took the opportunity to kill two birds with one stone with the ability to now define multiple uplinks/downlinks in ADAC. In the past you could only define a single uplink, which would be problematic if you intended to use the switch as a distribution switch to feed other switches downstream. There was no way to provision the voice VLAN on the downlinks because ADAC would remove any manually added ports from the voice VLAN.

The Autodetection and Autoconfiguration (ADAC) enhancements provide increased flexibility in deployments that use ADAC as follows:

  • expanded support for up to 8 ADAC uplinks and 8 call-server links – individual ports or any combination of MLT, DMLT or LAG – per switch or stack
  • the ability to change the non-ADAC VLANs on a port without disabling ADAC

Here’s what the ADAC settings look like within Enterprise Device Manager.

Ethernet Routing Switch 4500 – ADAC via EDM

Here are the platforms that support the new feature and the minimum software releases you need to be at.

I must admit upfront that I have not yet tested this new feature, although both changes highlighted above are very welcome to me as a user. I can’t tell you how many issues we had with network administrators or engineers forgetting to check the status of ADAC and having all sorts of issues after a reboot (or more often an extended power failure, which led to a… yes, reboot).

Has anyone else had the opportunity to test this out?

Cheers!

Ethernet Routing Switch 5000 Software Release v6.2.3
https://blog.michaelfmcnamara.com/2011/08/ethernet-routing-switch-5000-software-release-v6-2-3/
Tue, 23 Aug 2011 17:37:11 +0000

Avaya has released software 6.2.3 for the Ethernet Routing Switch 5500/5600 series switches.

Here are some of the highlights from skimming the release notes:

  • SLPP Guard
    The Switch Clustering implementations on the VSP9000, ERS8800/8600, and ERS5000 provide a Simple Loop Prevention Protocol (SLPP) packet, which operates to help prevent loops from occurring when Switch Clustering is used.
    Simple Loop Prevention Protocol (SLPP) Guard can be used to provide additional loop protection to protect wiring closets from incorrect or faulty connections. When SLPP Guard is enabled, this loop prevention mechanism extends into and across multiple wiring closets. If an edge switch configured for SLPP Guard receives an SLPP packet on a port, the feature can immediately disable the port administratively, and generate appropriate log messages and SNMP traps.

The following issues were resolved in this release:

  • Stack upgrade failure from 6.1.4.011s to 6.2.1.003s with a large config file (wi00882592)
  • Loss of IST VLAN on three unit stack after a base unit failure (wi00885609)
  • Some links get disabled after upgrade from 5.1.x to 6.x (wi00731564)
  • IST Peers FDB table were out of sync (wi00892974)
  • “show spanning-tree rstp port role” command displayed ‘Oper Status’ incorrectly as “disabled” after reboot (wi00899325)
  • After upgrading from 5.1.4 to 6.2.1 EDM routing/IGMP/SNOOPING table expanded indefinitely causing high CPU utilization (wi00886347)
  • Using show running-configuration with 744 VLANs configured, spiked the CPU utilization to 100% for about 12-15 minutes (wi00907462)

Cheers!

PIM-SM on Avaya Ethernet Routing Switch 5000
https://blog.michaelfmcnamara.com/2011/06/pim-sm-on-avaya-ethernet-routing-switch-5000/
Fri, 24 Jun 2011 10:00:45 +0000

There was yet another question recently on the discussion forums (I almost never have to search too hard for ideas to write about) concerning how to configure PIM-SM on the Avaya Ethernet Routing Switch 5000 series. While I’ve written in the past about DVMRP and PIM-SM on the Ethernet Routing Switch 8600, I’ve never written about running PIM-SM on any of the stackable Ethernet Routing Switches (the 4500 or 5000 series). It honestly took me longer to figure out how to configure VLC (with all the changes it’s gone through) than it took me to configure the Ethernet Routing Switch 5520 or set up the two Windows XP clients. I downloaded VLC v1.1.10 and configured one Windows XP desktop (192.168.200.10) to act as the streaming multicast server, while the other Windows XP laptop (192.168.100.10) would act as the multicast receiver. I used a multicast address of 239.255.1.1 for this test and made sure to set the TTL for the UDP stream to greater than 1.

While running through the initial configuration I realized that you must have an Advanced License to enable PIM-SM on the Ethernet Routing Switch 5000 series. Since I don’t have any “spare” Advanced Licenses I downloaded the evaluation license from Avaya’s support website and loaded it on my test switch.

Here’s the configuration I used for the Ethernet Routing Switch 5520:

interface vlan 100
ip address 192.168.100.1 255.255.255.0 2
ip pim enable
interface vlan 200
ip address 192.168.200.1 255.255.255.0 3
ip pim enable
exit
ip pim enable
ip pim static-rp
ip pim static-rp 239.255.1.1/32 192.168.200.1

With PIM-SM configured I set up VLC on the Windows XP desktop (192.168.200.10) to multicast the video stream to 239.255.1.1. I then set up the Windows XP laptop (192.168.100.10) to receive the multicast stream on udp://239.255.1.1:1234. It took me a few minutes to work through some of the new menus in VLC but I eventually got it working.

I was able to confirm everything was working properly with the “show ip pim mroute” command.

5520-48T-PWR(config)#show ip pim
PIM Admin Status:  Enabled
PIM Oper Status:  Enabled
PIM Boot Strap Period:  60
PIM C-RP-Adv Message Send Interval:  60
PIM Discard Data Timeout:  60
PIM Join Prune Interval:  60
PIM Register Suppression Timer:  60
PIM Uni Route Change Timeout:  5
PIM Mode:  Sparse
PIM Static-RP:  Enabled
Forward Cache Timeout:  210

5520-48T-PWR(config)#show ip pim static-rp
Group Address   Group Mask      RP Address      Status
--------------- --------------- --------------- -------
239.255.1.1     255.255.255.255 192.168.200.1   Valid

5520-48T-PWR(config)#show ip pim mroute
 Src: 0.0.0.0       Grp: 239.255.1.1  RP: 192.168.200.1 Upstream: NULL
 Flags: WC RP
 Incoming  Port: Vlan200-null,
 Outgoing Ports: Vlan100-21
 Joined   Ports:
 Pruned   Ports:
 Leaf     Ports: Vlan100-21
 Asserted Ports:
 Prune Pending Ports:
 Assert Winner Ifs:
 Assert Loser Ifs:
TIMERS:
  Entry   JP   RS  Assert
    178    0    0       0
 VLAN-Id:   100   200
  Join-P:     0     0
  Assert:     0     0
  Src: 192.168.200.10  Grp: 239.255.1.1  RP: 192.168.200.1 Upstream: NULL
 Flags: SPT CACHE SG
 Incoming  Port: Vlan200-31,
 Outgoing Ports: Vlan100-21
 Joined   Ports:
 Pruned   Ports:
 Leaf     Ports: Vlan100-21
 Asserted Ports:
 Prune Pending Ports:
 Assert Winner Ifs:
 Assert Loser Ifs:
TIMERS:
  Entry   JP   RS  Assert
    179    0    0       0
 VLAN-Id:   100   200
  Join-P:     0     0
  Assert:     0     0

Total Num of Entries Displayed 2
Flags Legend:
        SPT = Shortest path tree
        WC = (*,Grp) entry
        RP = Rendezvous Point tree
        CACHE = Kernel Cache
        ASSERTED = Asserted
        SG = (Src,Grp) entry
        FWD_TO_RP = Forwarding to RP
        FWD_TO_DR = Forwarding to DR
        SG_NODATA = SG Due to Join
        IPMC_ERR = IPMC Add Failed
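As an added example (not part of the original post and not Avaya code), the following Python script parses a copy of the “show ip pim mroute” output above into (*,G) and (S,G) entries and then checks the conditions that the output above reflects when the stream is working: a (*,G) entry for the group (WC flag), an (S,G) entry from the expected source on the shortest-path tree (SPT flag), a real incoming VLAN/port on that (S,G) entry rather than a “-null” one, and at least one outgoing port. The sample text is a trimmed copy of the output shown above; the function names and the exact health-check rules are my own assumptions about what “working” looks like.

```python
"""Parse 'show ip pim mroute' from an ERS 5000 and sanity-check one stream.
Added example, not from the post and not Avaya code; the health-check rules
and names are the author's own."""
import re
from dataclasses import dataclass, field

HEAD = re.compile(r"Src:\s*(\S+)\s+Grp:\s*(\S+)\s+RP:\s*(\S+)\s+Upstream:\s*(\S+)")
FLAGS = re.compile(r"^\s*Flags:\s*(.*)$")
INCOMING = re.compile(r"^\s*Incoming\s+Port:\s*(.*)$")
OUTGOING = re.compile(r"^\s*Outgoing\s+Ports:\s*(.*)$")
TIMER_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")  # Entry JP RS Assert


@dataclass
class MrouteEntry:
    src: str                 # "0.0.0.0" on a (*,G) entry
    grp: str
    rp: str
    upstream: str
    flags: set = field(default_factory=set)
    incoming: str = ""       # e.g. "Vlan200-31"; a "-null" suffix means no port
    outgoing: list = field(default_factory=list)
    entry_timer: int = -1    # seconds left on the entry timer

    @property
    def is_star_g(self) -> bool:
        return "WC" in self.flags or self.src == "0.0.0.0"


def parse_mroute(text: str) -> list:
    """One MrouteEntry per 'Src: ... Grp: ...' header; other lines fill it in."""
    entries = []
    for line in text.splitlines():
        if m := HEAD.search(line):
            entries.append(MrouteEntry(m[1], m[2], m[3], m[4]))
        elif not entries:
            continue  # preamble before the first entry
        elif m := FLAGS.match(line):
            entries[-1].flags = set(m[1].split())
        elif m := INCOMING.match(line):
            entries[-1].incoming = m[1].strip().rstrip(",")
        elif m := OUTGOING.match(line):
            entries[-1].outgoing = [p for p in re.split(r"[,\s]+", m[1]) if p]
        elif m := TIMER_ROW.match(line):
            entries[-1].entry_timer = int(m[1])
    return entries


def check_stream(entries: list, group: str, source: str) -> list:
    """Return the problems found; an empty list means the stream looks healthy."""
    problems = []
    if not any(e.grp == group and e.is_star_g for e in entries):
        problems.append(f"no (*,{group}) entry: no receiver has joined through the RP")
    sg = [e for e in entries if e.grp == group and e.src == source]
    if not sg:
        problems.append(f"no ({source},{group}) entry: no traffic seen from the source")
        return problems
    e = sg[0]
    if "SPT" not in e.flags:
        problems.append("(S,G) entry is not on the shortest-path tree")
    if not e.incoming or e.incoming.endswith("-null"):
        problems.append("(S,G) entry has no incoming port: source traffic is not arriving")
    if not e.outgoing:
        problems.append("(S,G) entry has no outgoing ports: no receivers are being fed")
    return problems


# Copy of the mroute output shown in the post, trimmed to the lines parsed here.
SAMPLE_MROUTE = """\
 Src: 0.0.0.0       Grp: 239.255.1.1  RP: 192.168.200.1 Upstream: NULL
 Flags: WC RP
 Incoming  Port: Vlan200-null,
 Outgoing Ports: Vlan100-21
 Leaf     Ports: Vlan100-21
TIMERS:
  Entry   JP   RS  Assert
    178    0    0       0
 VLAN-Id:   100   200
  Join-P:     0     0
  Src: 192.168.200.10  Grp: 239.255.1.1  RP: 192.168.200.1 Upstream: NULL
 Flags: SPT CACHE SG
 Incoming  Port: Vlan200-31,
 Outgoing Ports: Vlan100-21
 Leaf     Ports: Vlan100-21
TIMERS:
  Entry   JP   RS  Assert
    179    0    0       0
Total Num of Entries Displayed 2
"""

if __name__ == "__main__":
    parsed = parse_mroute(SAMPLE_MROUTE)
    for e in parsed:
        kind = "(*,G)" if e.is_star_g else "(S,G)"
        print(f"{kind} {e.src} -> {e.grp} in={e.incoming} out={e.outgoing}")
    print("problems:", check_stream(parsed, "239.255.1.1", "192.168.200.10") or "none")
```

The first entry’s “Vlan200-null” incoming port is expected: the (*,G) entry is rooted at the static RP (192.168.200.1 is the switch’s own VLAN 200 address), so it has no physical upstream port, and the checker only treats a “-null” incoming port as a problem on the (S,G) entry, where it would mean the source’s packets are not reaching the switch.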

Cheers!

Ethernet Routing Switch 5000 Software Release v6.2.2
https://blog.michaelfmcnamara.com/2011/06/ethernet-routing-switch-5000-software-release-v6-2-2/
Thu, 23 Jun 2011 11:00:41 +0000

Avaya has released software 6.2.2 for the Ethernet Routing Switch 5500/5600 series switches.

Here are some of the highlights from skimming the release notes:

  • VLACP Unidirectional Fault Detection with support for the DOWN and HOLD subtypes (previously implemented in the 6.1.6 software stream)
  • additional 802.1AB (LLDP) TLVs for Avaya IP phones

The following issues were resolved in this release:

  • Inconsistency between CLI MAC_Security Addr & MAC_Addr_Table (wi00895275)
  • MAC-security MAC-Address table would not clear when disabling a port or turning off MAC-Security (wi00895279)
  • After Upgrading from 6.1.1 to 6.2.1, QoS configurations were lost (wi00838747)
  • IST stack Ping recovery takes up to 2 minutes when moving PC (wi00822726)
  • Unicast acknowledge (option 85) changed to multicast acknowledge by DHCP-relay agent (wi00835596)
  • Autonegotiation could not be disabled (wi00824799)
  • EAPOL table entries showed MACs that were aged out (wi00831481)
  • In a stack configuration and after adding ports (from a newly added switch) to an existing VLAN, the stack became unstable (wi00731609)
  • SMLT/FDB tables were not completely synchronized when one of the IST peers was reset (wi00774925)
  • SLPP packets were sent with priority 0 (wi00555285)
  • Not able to set PID of Vlan protocol_userdef to 24577 to 24585 (wi00848161). This fix allows the creation of protocol VLANs using decOtherEther2 protocol PIDs or of using the PIDs for decOtherEther2 protocol VLANs, but not both. The protocol PIDs are 24576 to 24578, 24581 to 24585, 32824.
  • Incorrect ghost SMLT was created when IST/SMLT stats were displayed (wi00601469)
  • After upgrading from 5.0.5 to 6.2.0, ARPs were not properly generated (wi00851317) This issue was a byproduct of the use of IPFIX on a single port. A fix was implemented for the 5600 HW but, due to HW differences, cannot be implemented for the 5500, a workaround is to use more than one port when using IPFIX. The issue only appeared for the port using IPFIX.
  • IGMP static member (mrouter port) not forwarding multicast after port down/up (wi00895225)
  • Switch does not learn MAC of format xx:59:xx:xx:xx:xx (wi00870510)
  • Units reset when PIM is enabled (wi00848276)
  • Cannot give an IP address to the switch with the last octet as “0” (wi00872983)
  • IST peer 5632 HD encountered memory leak one hour after upgrade to 6.2.1 (wi00859217)
  • QoS BPDU Blocker settings were not saved on unit 2 after it was rebooted (wi00872260)
  • 5600 ports become unresponsive under certain conditions with no packets transmitted out with “drop on no resources” counter incrementing (wi00854625)

I’m curious to see what performance gains we can expect to see from Enterprise Device Manager (EDM) from this software release. I had heard that they were re-writing it and some of that was supposed to be in software release 5.5 for the Ethernet Routing Switch 4500 series, perhaps some of those changes made it into this software release for the Ethernet Routing Switch 5000 series.

Cheers!

Avaya’s MultiLink Trunk and Spanning Tree Protocol https://blog.michaelfmcnamara.com/2011/06/avayas-multilink-trunk-and-spanning-tree-protocol/ https://blog.michaelfmcnamara.com/2011/06/avayas-multilink-trunk-and-spanning-tree-protocol/#comments Tue, 21 Jun 2011 21:02:14 +0000 http://blog.michaelfmcnamara.com/?p=2158 There was a question recently on the discussion forums regarding the ability to run Spanning Tree Protocol (STP/RSTP/MSTP) over a MultiLink Trunk (MLT). You can most certainly run STP/RSTP/MSTP over a MLT interface. You can NOT run STP/RSTP/MSTP over a SMLT interface.

I thought I would run through a few quick commands to demonstrate how to enable Spanning Tree over an MLT interface. In the spirit of making things interesting I’ll utilize Multiple Spanning Tree Protocol (MSTP) rather than the default legacy Spanning Tree Protocol (STP) or the optional Rapid Spanning Tree Protocol (RSTP). I won’t try to explain Spanning Tree as there are plenty of resources available on the Internet.

For this example I have an Avaya Ethernet Routing Switch 5520 and an Avaya Ethernet Switch 460 (formerly Nortel BayStack 460). I’ll set up 2 MLT links between the two switches utilizing 4 ports in total. I’ll utilize VLANs 1, 100, 200 and Multiple Spanning Tree Instances (MSTI) 1 and 2 with CIST 0.

Ethernet Routing Switch 5520

By default only legacy STP is enabled so we need to enable MSTP and reload the switch;

config t
spanning-tree mode mst
copy config nvram
boot -y

Once the switch has restarted we can continue the configuration. Let’s make all 4 ports 802.1q tagged ports;

config t
vlan ports 11,12,17,18 tagging tagAll

Now we’ll create the MultiLink Trunk interfaces and add the port members. You might notice in the commands below the command “mlt # bpdu all-ports”. By default Avaya/Nortel switches only send BPDU frames on a single port in an MLT. This is the opposite of the behavior of Cisco and other network manufacturers, so as a best practice I enable this option. If we were connecting Avaya switches and didn’t enable this feature we would need to ensure that the lowest-numbered ifIndex on one switch connected to the lowest-numbered ifIndex on the other switch, because Nortel/Avaya switches only send BPDU frames on the lowest ifIndex port in an MLT. For example, if we had ports 3 and 7 on switch A and ports 10 and 14 on switch B, we would need to connect 3(A) to 10(B) and 7(A) to 14(B) to ensure that the BPDU frames would be exchanged on matching ports between the switches.

mlt 1 name "Primary Group"
mlt 1 member 11,12
mlt 1 learning enable
mlt 1 bpdu all-ports
mlt 1 enable
mlt 2 name "Secondary Group"
mlt 2 member 17,18
mlt 2 learning enable
mlt 2 bpdu all-ports
mlt 2 enable

Now we’ll create the MSTI instances 1,2 along with VLANS 100,200 respectively;

spanning-tree mstp msti 1
spanning-tree mstp msti 1 enable
spanning-tree mstp msti 2
spanning-tree mstp msti 2 enable
spanning-tree mstp region region-name acme region-version 1
spanning-tree mstp priority 8000 (this is 32768 in decimal)
spanning-tree mstp msti 1 priority 8000 (this is 32768 in decimal)
spanning-tree mstp msti 2 priority 8000 (this is 32768 in decimal)
vlan create 100 type port msti 1
vlan create 200 type port msti 2
vlan members add 100 11,12
vlan members add 200 17,18

As a best practice we’ll enable edge-port (FastStart) and BPDU filtering on the remaining ports;

inter fa 1-10,13-16,19-48
spanning-tree mstp edge-port true
spanning-tree bpdu-filtering enable

Ethernet Switch 460

By default only legacy STP is enabled so we need to enable MSTP and reload the switch;

config t
spanning-tree op-mode mstp
copy config nvram
boot -y

Once the switch has restarted we can continue the configuration. Let’s make all 4 ports 802.1q tagged ports;

config t
vlan ports 11,12,17,18 tagging tagAll

Now we’ll create the MultiLink Trunk interfaces and add the port members. Just as we did with the ERS 5520 we’ll enable “mlt # bpdu all-ports”.

mlt 1 name "Primary Trunk Group"
mlt 1 member 11,12
mlt 1 learning enable
mlt 1 bpdu all-ports
mlt 1 enable
mlt 2 name "Secondary Trunk Group"
mlt 2 member 17,18
mlt 2 learning enable
mlt 2 bpdu all-ports
mlt 2 enable

Now we’ll create the MSTI instances 1,2 along with VLANS 100,200 respectively;

spanning-tree mstp msti 1
spanning-tree mstp msti 1 enable
spanning-tree mstp msti 2
spanning-tree mstp msti 2 enable
spanning-tree mstp region region-name acme region-version 1
spanning-tree mstp priority f000 (this is 61440 in decimal)
spanning-tree mstp msti 1 priority f000 (this is 61440 in decimal)
spanning-tree mstp msti 2 priority f000 (this is 61440 in decimal)
vlan create 100 type port msti 1
vlan create 200 type port msti 2
vlan members add 100 11,12
vlan members add 200 17,18

As a best practice we’ll enable edge-port (FastStart) and BPDU filtering on the remaining ports;

inter fa 1-10,13-16,19-24
spanning-tree mstp edge-port true
spanning-tree bpdu-filtering enable

Results

Let’s have a look at some of the show commands to see how things are running;

5520-48T-PWR#show autotopology nmm-table
LSlot                                                                     RSlot
LPort IP Addr          Seg ID  MAC Addr     Chassis Type     BT LS   CS   RPort
----- --------------- -------- ------------ ---------------- -- --- ----  -----
0/ 0 192.168.1.24    0x000000 001F0ACEBC01 5520-48T-PWR     12 Yes HTBT    NA
1/11 192.168.1.23    0x00010b 000FCDF59601 460-24T-PWR      12 Yes HTBT   1/11
1/12 192.168.1.23    0x00010c 000FCDF59601 460-24T-PWR      12 Yes HTBT   1/12

460-24T-PWR#show autotopology nmm-table
LSlot                                                                     RSlot
LPort IP Addr          Seg ID  MAC Addr     Chassis Type     BT LS   CS   RPort
----- --------------- -------- ------------ ---------------- -- --- ----  -----
0/ 0 192.168.1.23    0x000000 000FCDF59601 460-24T-PWR      12 Yes HTBT    NA
1/11 192.168.1.24    0x00010b 001F0ACEBC01 5520-48T-PWR     12 Yes HTBT   1/11
1/12 192.168.1.24    0x00010c 001F0ACEBC01 5520-48T-PWR     12 Yes HTBT   1/12

We can see that the SONMP table is exchanging packets across MLT 1 (11,12). That would lead me to guess that ports 17,18 are in discarding (blocking) mode. Let’s see if that’s the case;

5520-48T-PWR#show spanning-tree mstp port role 11,12,17,18
Port     Role       State     STP Status  Oper Status
----  ----------  ----------  ----------  -----------
11    Designated  Forwarding  Enabled     Enabled
12    Designated  Forwarding  Enabled     Enabled
17    Designated  Forwarding  Enabled     Enabled
18    Designated  Forwarding  Enabled     Enabled

460-24T-PWR#show spanning-tree mstp port role 11,12,17,18
Port     Role       State     STP Status  Oper Status
----  ----------  ----------  ----------  -----------
11    Root        Forwarding  Enabled     Enabled
12    Root        Forwarding  Enabled     Enabled
17    Alternate   Discarding  Enabled     Enabled
18    Alternate   Discarding  Enabled     Enabled

From the output above we can determine that the Ethernet Routing Switch 5520 is the root bridge and that MLT 2 (17,18) is an alternate path that’s currently discarding traffic on the Ethernet Switch 460. Let’s confirm which switch is the root bridge;

5520-48T-PWR#show spanning-tree mstp status
Bridge Address:          00:1F:0A:CE:BC:00
Cist Root:               80:00:00:1F:0A:CE:BC:00
Cist Regional Root:      80:00:00:1F:0A:CE:BC:00
Cist Root Port:          0
Cist Root Cost:          0
Cist Regional Root Cost: 0
Cist Max Age:            20 seconds
Cist Forward Delay:      15 seconds

460-24T-PWR#show spanning-tree mstp status
Bridge Address:          00:0F:CD:F5:96:00
Cist Root:               80:00:00:1F:0A:CE:BC:00
Cist Regional Root:      80:00:00:1F:0A:CE:BC:00
Cist Root Port:          MLT 1
Cist Root Cost:          0
Cist Regional Root Cost: 100000
Cist Max Age:            20 seconds
Cist Forward Delay:      15 seconds

The root bridge is definitely the ERS 5520 as it should be since we set the bridge priority in our configuration above.
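As an added example (not part of the original post), the bridge-ID comparison behind that election, using the two bridge addresses and the 8000/f000 priorities from the configuration above; the 16-bit priority plus 48-bit MAC layout is the standard 802.1Q bridge identifier that the “Cist Root:” line prints.

```python
"""Root-bridge election for the MSTP lab above (added example, not Avaya code).

The bridge ID is the 16-bit priority followed by the 48-bit bridge MAC, which
is exactly what "Cist Root: 80:00:00:1F:0A:CE:BC:00" shows. Priorities and
MACs below are the ones from the post's configuration and show output.
"""


def bridge_id(priority: int, mac: str) -> int:
    """Build the 64-bit bridge identifier from a priority and a MAC string.

    Only the top four bits of the priority are settable in RSTP/MSTP, so the
    value must be a multiple of 0x1000; the ERS CLI takes it as a hex word
    such as 8000 (32768) or f000 (61440).
    """
    if not 0 <= priority <= 0xFFFF or priority % 0x1000:
        raise ValueError(f"priority {priority:#06x} is not a multiple of 0x1000")
    mac_int = int(mac.replace(":", "").replace("-", ""), 16)
    if mac_int >> 48:
        raise ValueError(f"{mac!r} is not a 48-bit MAC address")
    return (priority << 48) | mac_int


def format_bridge_id(bid: int) -> str:
    """Render a bridge ID the way "show spanning-tree mstp status" prints it."""
    return ":".join(f"{(bid >> shift) & 0xFF:02X}" for shift in range(56, -1, -8))


def parse_bridge_id(text: str) -> int:
    """Inverse of format_bridge_id, for values copied out of show output."""
    return int(text.replace(":", ""), 16)


def elect_root(bridges: dict) -> str:
    """Return the label of the bridge with the numerically lowest bridge ID.

    `bridges` maps a label to (priority, mac). A lower priority always wins;
    only on equal priority does the lower MAC decide, which is why the
    priority has to be set explicitly when the intended root does not happen
    to own the lowest MAC.
    """
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


# Values from the post's configuration and show output.
LAB = {
    "ERS 5520": (0x8000, "00:1F:0A:CE:BC:00"),
    "ES 460": (0xF000, "00:0F:CD:F5:96:00"),
}

if __name__ == "__main__":
    for name, (prio, mac) in LAB.items():
        bid = format_bridge_id(bridge_id(prio, mac))
        print(f"{name:9s} priority {prio:#06x} ({prio:5d}) bridge ID {bid}")
    print("root with the configured priorities:", elect_root(LAB))
    # With both switches left at the default 8000 the ES 460 would win on MAC alone.
    defaults = {name: (0x8000, mac) for name, (_, mac) in LAB.items()}
    print("root if both were left at the default 8000:", elect_root(defaults))
```

Note that the ES 460’s MAC is numerically lower than the ERS 5520’s, so without the f000 priority the 460 would have become root.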

Hopefully you’ll agree that was pretty easy. You could of course set path costs/priorities so that you administratively choose, per MST instance, which path is designated and which is alternate. In a future post I will demonstrate how you can connect a Cisco Catalyst 3750-E to an Avaya switch while supporting MSTP.

Cheers!
References;

Avaya Ethernet Routing Switch RSTP/MSTP Technical Configuration Guide

Ethernet Routing Switch 5000 Software Release v6.1.6 – WARNING https://blog.michaelfmcnamara.com/2011/05/ethernet-routing-switch-5000-software-release-v6-1-6-warning/ https://blog.michaelfmcnamara.com/2011/05/ethernet-routing-switch-5000-software-release-v6-1-6-warning/#comments Wed, 04 May 2011 02:00:06 +0000 http://blog.michaelfmcnamara.com/?p=2104 776833_57033628In March 2011 Avaya released v6.1.6 software for the Ethernet Routing Switch 5000 series. Since that release there have been a number of posts on the discussion forums and one thread in particular where a number of members have discovered a particularly nasty bug in the 6.1.6 software release.

In summary, the switch will continually reboot with a data exception error after the upgrade to 6.1.6 if it was originally configured while running 4.x or 5.x software. You can recover from the problem by performing a factory reset of the switch and re-configuring it from factory defaults. If you have the ASCII backup I believe you can upload that configuration after factory resetting the switch, as opposed to manually re-keying the entire configuration by hand.

If your switch was originally configured running 6.x software then you apparently won’t have any issue upgrading to 6.1.6 software.

I’m not sure how this missed the QA folks… but I’m sure it’s probably hitting the fan right now back at Avaya.

Thanks to telecom116 for bringing the original issue to our attention.

Cheers!

Ethernet Routing Switch 5000 Software Release v6.1.6 https://blog.michaelfmcnamara.com/2011/03/ethernet-routing-switch-5000-software-release-v6-1-6/ https://blog.michaelfmcnamara.com/2011/03/ethernet-routing-switch-5000-software-release-v6-1-6/#comments Sat, 19 Mar 2011 16:00:51 +0000 http://blog.michaelfmcnamara.com/?p=2036 Avaya has released software 6.1.6 for the Ethernet Routing Switch 5500/5600 series switches.

The following issues have been resolved with this software release;

  • The dhcp-relay agent changed the MAC destination address of acknowledgments from a unicast address to a multicast address (wi00835598).
  • After a reboot, some client ports with active connections would autonegotiate to a lower speed (10/100) than expected (1000). This issue affected some Intel 82556 and Broadcom NICs (wi00555121).

I’ve personally seen issue wi00555121 above while working with a large HP MAS (Medical Archive Solution) implementation. I also believe that someone (either on this blog or in the discussion forums) also brought up issue wi00835598.

The new feature includes VLACP enhancements with support for DOWN and HOLD subtypes, which were introduced in 5.1.4.0 software for the Ethernet Routing Switch 8600. The goal of the new VLACP subtypes is to provide a means to allow the core ample time to get up to speed before the edge starts forwarding traffic. I’ve personally seen many an occasion where one Ethernet Routing Switch 8600 in a cluster goes down with minimal packet loss but upon recovery there is all sorts of packet loss and network interruption. This new feature is designed to mitigate that problem by allowing the link to come up and VLACP to come active while holding the actual network traffic back until the core is ready to start bridging/routing packets.

VLACP Enhancements – support for DOWN and HOLD subtypes

The VLACP implementation prior to this release did not detect a unidirectional communication outage. A VLACP partner will now send VLACP PDUs with the subtype DOWN (value of 2) when no PDUs are received from its link partner. These PDUs indicate the remote VLACP partner is down and the link partner should logically bring down its port. Shortly after reboot, a VLACP partner will send PDUs with the subtype HOLD (value of 3) to its link partner. In this case, receiving a PDU with subtype HOLD indicates the VLACP partner should logically bring down its port for a VLACP hold time. When receiving VLACP PDUs with HOLD or DOWN subtypes, the VLACP partner will respond with normal PDUs (LACP subtype). The interval between PDUs is configurable by the user. The VLACP support for HOLD subtype is disabled by default, it will be enabled only when a positive value for VLACP HOLD Time is configured. VLACP is an Avaya proprietary protocol and hence this enhancement will not work when connecting to devices from other vendors.

You’ll recall from the Ethernet Routing Switch 8600 5.1.4.0 release notes that Avaya introduced a new VLACP subtype on the core side;

VLACP HOLD Enhancement

During SMLT node failure scenarios, traffic loss may be observed in certain scaled SMLT configurations with hundreds of SLTs, hundreds of ports and tens of VLANs. The root cause for the traffic loss was that the ERS8600 ports would come up prematurely at the physical layer causing the remote end to start sending traffic toward the ERS8600 that just came up. On the ERS8600 that just rebooted, the communication between the line cards and the CP may take several seconds in such scaled configurations. This resulted in black-holing the traffic arriving on such ports which were physically up but all operational configuration was not yet performed on those ports by the CP. The VLACP SUBTYPE HOLD feature introduces a new VLACP PDU with a new subtype HOLD to help reduce traffic loss in such scenarios.
The goal of this new implementation is to “hold down” all VLACP enabled links for a specific period of time after a reboot. This prevents remote VLACP enabled devices that understand the new VLACP HOLD PDU from sending data to the ERS8600. This will ensure that all VLACP enabled ports on the ERS8600 have had sufficient time to come up with all operational configuration and are ready to receive and forward the ingress traffic.
ERS8600 switches with 5.1.4.0 release are capable of both sending and receiving VLACP HOLD PDUs. Future code revisions of the Baystack switch family will support receipt and processing of VLACP HOLD PDUs, but will not generate them. Please refer to the applicable product release notes for information regarding product specific software levels required for support of this VLACP enhancement. VLACP is an Avaya proprietary protocol and hence this enhancement is not applicable when connecting to switches from other vendors.
By default, the VLACP HOLD feature will be disabled. The feature is enabled by configuring a positive value for VLACP HOLD Time. The VLACP Hold Time value configured should be selected based on the specific recovery implementation requirements, size and recovery characteristics for your network implementation.
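Added example (Python, not Avaya’s code) modelling the DOWN and HOLD behaviour described in the ERS 5000 notes above and in the ERS 8600 HOLD section just quoted: it runs a core reboot against an edge that honours HOLD, the same reboot against a legacy edge, and a one-way link failure. The subtype values 2 and 3 come from the notes; the normal-PDU subtype value (1), the timeout rule and every timer value are assumptions of this model.

```python
"""Step-by-step simulation of VLACP DOWN and HOLD (added example, not Avaya code).

Assumptions of the model: the ordinary PDU carries subtype 1, a partner that
hears nothing for `timeout` seconds declares its peer down, and a HOLD starts a
hold timer only when the receiver itself has a positive hold time configured.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SUBTYPE_LACP = 1   # assumed value for the ordinary VLACP PDU
SUBTYPE_DOWN = 2   # release notes: sent when no PDUs are received from the link partner
SUBTYPE_HOLD = 3   # release notes: sent shortly after reboot when a hold time is configured


@dataclass
class VlacpPort:
    name: str
    timeout: float            # seconds without any PDU before the peer is declared down
    hold_time: float = 0.0    # seconds to hold the port down on HOLD; 0 = feature disabled
    sends_hold: bool = False  # ERS 8600 generates HOLD after reboot; BayStack-class only honours it
    booted_at: float = 0.0
    last_rx: Optional[float] = None
    hold_until: float = 0.0
    peer_down: bool = False

    def logically_up(self, now: float) -> bool:
        """Forward only once a PDU was heard, the peer is not down and no hold is pending."""
        return self.last_rx is not None and not self.peer_down and now >= self.hold_until

    def pdu_to_send(self, now: float) -> int:
        """Pick the subtype this partner transmits at time `now`."""
        if self.sends_hold and self.hold_time > 0 and now - self.booted_at < self.hold_time:
            return SUBTYPE_HOLD                    # just rebooted: ask the peer to hold the link
        if self.last_rx is not None and now - self.last_rx > self.timeout:
            self.peer_down = True                  # nothing heard from the peer: declare it down
            return SUBTYPE_DOWN
        return SUBTYPE_LACP                        # HOLD and DOWN are answered with normal PDUs

    def receive(self, subtype: int, now: float) -> None:
        """Apply a received PDU to this port's state."""
        self.last_rx = now
        if subtype == SUBTYPE_DOWN:
            self.peer_down = True                  # our transmit direction is broken: go down
            return
        self.peer_down = False
        if subtype == SUBTYPE_HOLD and self.hold_time > 0 and now >= self.hold_until:
            # The first HOLD of a reboot starts the hold timer. A legacy partner with
            # hold_time 0 ignores the subtype and brings the port up straight away.
            self.hold_until = now + self.hold_time


def simulate(core: VlacpPort, edge: VlacpPort, steps: int, interval: float = 1.0,
             edge_to_core_ok=lambda now: True) -> List[Tuple[float, int, int, bool]]:
    """Exchange one PDU per direction every `interval` seconds.

    Returns (time, core_subtype, edge_subtype, edge_logically_up) per step;
    `edge_to_core_ok(now)` lets a scenario break only the edge->core direction.
    """
    timeline = []
    for step in range(1, steps + 1):
        now = step * interval
        core_pdu, edge_pdu = core.pdu_to_send(now), edge.pdu_to_send(now)
        edge.receive(core_pdu, now)                # core -> edge direction always works
        if edge_to_core_ok(now):
            core.receive(edge_pdu, now)            # edge -> core direction may be broken
        timeline.append((now, core_pdu, edge_pdu, edge.logically_up(now)))
    return timeline


def reboot_scenario(edge_hold_time: float = 5.0):
    """Core reboots at t=0 with a 5 s hold time; the edge honours HOLD only when
    it has a positive hold time of its own (0 models a pre-6.1.6 edge)."""
    core = VlacpPort("core", timeout=3, hold_time=5, sends_hold=True)
    edge = VlacpPort("edge", timeout=3, hold_time=edge_hold_time)
    return simulate(core, edge, steps=8)


def unidirectional_scenario():
    """Plain VLACP on both ends; the edge->core direction fails from t=4 on."""
    core = VlacpPort("core", timeout=3)
    edge = VlacpPort("edge", timeout=3)
    return simulate(core, edge, steps=8, edge_to_core_ok=lambda now: now < 4)


if __name__ == "__main__":
    names = {SUBTYPE_LACP: "LACP", SUBTYPE_DOWN: "DOWN", SUBTYPE_HOLD: "HOLD"}
    for label, run in (("core reboot, edge honours HOLD", reboot_scenario()),
                       ("core reboot, legacy edge", reboot_scenario(edge_hold_time=0)),
                       ("unidirectional failure", unidirectional_scenario())):
        print(label)
        for now, c, e, up in run:
            print(f"  t={now:2.0f}s core->{names[c]} edge->{names[e]} edge {'up' if up else 'DOWN'}")
```

The legacy-edge run is the black-holing case the 8600 notes describe: the edge forwards from the first PDU while the core is still programming its ports.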

You can find the release notes here. (I’m going to try linking to Avaya’s support website instead of hosting the files myself).

Cheers!

Ethernet Routing Switch 5000 Software Release v6.1.5 https://blog.michaelfmcnamara.com/2010/11/ethernet-routing-switch-5000-software-release-v6-1-5/ https://blog.michaelfmcnamara.com/2010/11/ethernet-routing-switch-5000-software-release-v6-1-5/#comments Tue, 30 Nov 2010 16:00:31 +0000 http://blog.michaelfmcnamara.com/?p=1734 Avaya has released software 6.1.5 for the Ethernet Routing Switch 5500/5600 series switches.

The following issues have been resolved;

  • The new unit config control feature (NUQC) did not work properly, for instance, when a third unit was added to the stack, it was not correctly configured (wi00554951).
  • A SW exception in the SNMP task that caused a base unit reset is now addressed (wi00554965).
  • An EAP enabled port with User based Policy configured timed out when a PC client went to sleep mode (wi00554946).
  • With LACP configured, sometimes the standby links were not properly recognized (wi00600984).
  • Sometimes POE powered IP phones would get the wrong VLAN ID after a stack reset (wi00686407).
  • A security vulnerability to DoS attack has now been fixed (wi00496350).
  • A memory leak that caused stack instability is resolved (wi00555049).
  • The LACP link was not properly removed from the aggregation during a unidirectional link failure (wi00488102).
  • A static route that went inactive, did not recover until a unit reset (wi00692259).
  • A log message was not generated when SLPP disabled a port (wi00554966).
  • The DHCP snooping entries were not properly removed with IP source guard configured (wi00554988).
  • The OutDiscards were wrongly counted as filtered packets (wi00692574).
  • Sometimes the GBIC info was not displayed on remote units if the GBIC was removed (wi00555110).
  • With EAP enabled ports at default values, the authentication failed on the first attempt (wi00691680).
  • The RIP updates with the destination address of 255.255.255.255 were not recognized (wi00703945).
  • Certain laptops did not work properly with DHCP snooping enabled (wi00733255).
  • Some VRRP Configurations were lost when a non-base unit was powered off and then the base unit was powered off/on (wi00731771).
  • The static ARP entries were removed after clearing ARPs or a power loss (wi00733359).
  • When a SFP was connected to a non-base unit and then removed, it would still show up at its original location (wi00827484).
  • The switch became unresponsive when displaying PIM configuration in “show running-config” (wi00555038).
  • A problem with updating the remote GBIC info caused a SW exception, this issue is now resolved (wi00824536).
  • Sometimes rebooting the non-base unit caused a broadcast storm on remaining DMLT links (wi00496279).
  • The Dynamic ARP inspection/DHCP snooping blocked certain clients during PXE boot (wi00692082).
  • The Switch becomes unresponsive when displaying PIM configuration (wi00555038).

As always I strongly suggest you review the release notes if you are interested in deploying 6.1.5 to your production network.

Cheers!

Ethernet Routing Switch 5000 Software Release v6.2.0 https://blog.michaelfmcnamara.com/2010/07/ethernet-routing-switch-5000-software-release-v6-2-0/ https://blog.michaelfmcnamara.com/2010/07/ethernet-routing-switch-5000-software-release-v6-2-0/#comments Tue, 20 Jul 2010 22:00:06 +0000 http://blog.michaelfmcnamara.com/?p=1493 Avaya has released software 6.2.0 for the Ethernet Routing Switch 5500/5600 series switches. In order to upgrade to 6.2 software the switch will already need to be running 6.x software along with firmware (diagnostic software) 6.0.0.6. Switches that are running older software will need to first be upgraded to 6.0 and then to 6.2 software.

Please review the release notes for all the details.

Here are some of the new features;

  • Enterprise Device Manager
  • 802.1AB (LLDP) MED Network Policy
  • 802.1X authentication and Wake on LAN
  • 802.1X or Non-EAP and Guest VLAN on same port
  • 802.1X or Non-EAP Last Assigned RADIUS VLAN
  • 802.1X or Non-EAP with Fail Open VLAN
  • 802.1X or Non-EAP with VLAN name
  • Autodetection and Autoconfiguration (ADAC) Uplink Enhancements
  • Automatic QoS 802
  • Automatic QoS and ADAC Interoperability
  • Cisco CLI commands
  • Content-based forward to next hop (formerly source address-based route selection)
  • DHCP enhancements
  • DHCP option 82 support
  • Dual Syslog Server support
  • EAP/NEAP separation
  • Energy Saver
  • Enhanced QoS engine
  • Filter Limiting
  • Full IGMPv3
  • IPv4 Tunneling for IPv6
  • IPv6 Automatic Address Assignment
  • IPv6 Routing DHCP Relay
  • IPv6 Static Routing
  • MAC Security enhancement
  • Multicast group scaling
  • Multiple Hosts with Multiple VLANs for EAP-enabled Ports
  • PIM-SM support
  • Port Mirroring – Bi-directional monitor port
  • QoS DSCP mutation
  • QoS Egress Queue Shaping
  • QoS Lossless Buffering Mode for Data Center Applications
  • Route scaling
  • Running configuration NNCLI display command enhancements
  • Secure Shell File Transfer Protocol (SFTP over SSH)
  • SFP support
  • Split Multi-link Trunk (SMLT) consistency with the Ethernet Routing Switch 8600
  • Split Multi-link Trunk (SMLT) over Link Aggregation Control Protocol (LACP)
  • Trace command
  • Unicast storm control
  • VLAN Scaling

Here are some of the issues that have been resolved in this release;

  • Q01219391 MAC Address table does not age out all MAC sources learned after the aging time has expired.
  • Q01470123 Passive static device behind a phone displayed as unknown after switch reboot.
  • Q01470123-01 Passive static device behind a phone displayed as unknown after switch reboot.
  • Q01728560 ADAC port configuration types not defined in manual.
  • Q01775378 Error message when disabling spanning tree learning.
  • Q01859874 Typed commands should not be sent remotely when log level is serious or critical.
  • Q01860782 A message is needed to confirm the successful upload of an ASCII configuration to USB with the PUSH button.
  • Q01862906 The Time Domain Reflectometer in the JDM displays an incorrect message for the Pin Short cable error.
  • Q01863512 MAC security Lifetime setting cannot be modified from the JDM.
  • Q01865091 MAC authorized clients are not reauthorized after a former base unit reenters the stack.
  • Q01895467 Some LLDP commands fail when configuring a device with an ASCII configuration file.
  • Q01895723 Metric for external routes jumps to 127174722 when a dummy vlink is created and deleted.
  • Q01906362 An NEAP client can change ports without a link down or age out timer event.
  • Q01909890 QoS-IGMP problems with known and unknown multicast options on 56xx ports.
  • Q01901336 Multicast traffic not forwarded through non-local static routes.
  • Q01923408-02 Management VLAN IP address should always be used in relation to RADIUS.
  • Q01927698 PIM interfaces become disabled on a device.
  • Q01938607 Incorrect error message displayed during software download from an unreachable server.
  • Q01942783 Restoring a device with an ASCII configuration file fails when Layer 3 settings are present.
  • Q01943527 Inconsistency between IPv4 and IPv6 in binary configuration file.
  • Q01945909 Some ARP, OSPF, or VRRP packets are unexpectedly mirrored when using XrxYtx mirroring mode and the monitored port is in the Management VLAN or in SMLT VLANs.
  • Q01946214 MAC addresses are lost when a base unit fails.
  • Q01946284 LLDP-Med does not work in certain circumstances
  • Q01947050 ADAC system message logged after a stack is reset.
  • Q01948343 On a pure 56xx stack, port mirroring mode XrxYtx multiplies unicast traffic on port Y in certain scenarios.
  • Q01950071 VLACP enabling does not work in some circumstances.
  • Q01950147 The EAP-TLS or PEAP-MsChapV2 clients could be unexpectedly transitioned to the EAP Held state on a multihost enabled port.
  • Q01950311 Voice traffic is blocked on a non-base unit when ARP inspection is enabled on a VoIP VLAN.
  • Q01951600 Error performing MIB walk on 5632.
  • Q01954041 LLDP Med-Network-Policies Voice Tagging command issue.
  • Q01955272 PIM OIF may not get installed on IR.
  • Q01956922 Continuous IPv6 ping out stops working after 2147 ICMPv6 messages.
  • Q01978465 Telnet session hangs on ERS 5510-48T during an ASCII configuration download.
  • Q02005019 ACG will fail when ports are added to VLANs if an STG was created, VLANs were added, the STG enabled and then ports added to VLANs (configuration control flexible and 1 port in 2 different VLANs).
  • Q02020938 After booting to default settings the syslog will display the message ASCII failed at line 1. This can be ignored. This only happens after a boot to default settings and not during a normal operation or reset of the switch. This does not affect subsequent ASCII downloads. The successful application of configurations can be confirmed using the show logging command. The bogus message will be the first in chronological order.

I would highly recommend you review the release notes for all the details. There are a lot of known issues that should be thoroughly reviewed before you made any decisions about upgrading.

There was one section that caught my eye on page 11 of the release notes;

Currently when ADAC is operational, a user can not change the non-ADAC VLANs on the port (without disabling ADAC, changing the VLAN and then re-enabling ADAC), which leads to usability issues that limit the deployment of ADAC.

The ADAC enhancements provide the ability to change the non-ADAC VLANs on a port irrespective of the ADAC status of the port. Any such changes in the underlying port VLAN assignment are saved as normal to NVRAM and ASCIII configurations.

I posted about this issue with ADAC way back in August of 2008. This one issue has been a real bear and the only real issue we’ve experienced with our ADAC deployments. While it might be the only issue, it can create some enormous problems if the engineers are following the procedure to disable ADAC, make the VLAN change and then enable ADAC again. I’ll be very interested to see if this problem is finally resolved.

I spent a few minutes playing with Enterprise Device Manager but I think this change will drive more folks to the CLI interface, where Avaya/Nortel has a lot of work to do. I’m also excited to see that Avaya/Nortel is finally bringing together their Automatic QoS and ADAC features; I’m curious to see what changes they’ve made and how I might be able to tweak my switch configurations to better automate the deployment of IP telephony.

Cheers!

Traffic Filters and ACLs for the Ethernet Routing Switch 5000 https://blog.michaelfmcnamara.com/2010/07/traffic-filters-and-acls-for-the-ethernet-routing-switch-5000/ https://blog.michaelfmcnamara.com/2010/07/traffic-filters-and-acls-for-the-ethernet-routing-switch-5000/#comments Tue, 20 Jul 2010 00:00:51 +0000 http://blog.michaelfmcnamara.com/?p=1483 1105094_15304690There have been a few recent comments on the blog and a few questions on the discussion forum around how ACLs (traffic filters) work on the Ethernet Routing Switch 5520. I thought I would take a few minutes to dive into the subject and perhaps either answer some of those questions or foster some additional discussion. Let me get right to the most popular question.

Is the Ethernet Routing Switch 5510/5520/5530 capable of performing basic IP filtering? Yes.

Prior to software release 5.0 you had to do all filtering in QoS policies. It seems a lot of confusion comes from the fact that, in order to perform IP filtering similar to an ACL in a Cisco router, you had to create a QoS policy. With the release of 5.0 software you can now create fairly straightforward ACLs. You can only do this from the CLI or web interface; there’s no support for ACLs in Java Device Manager.

Let me walk you through a simple example.

I started with an ERS-5520-PWR, factory reset the switch, and gave it a management IP address of 192.168.1.50 (VLAN 1);

5520-48T-PWR(config)#ip address switch 192.168.1.50
5520-48T-PWR(config)#ip default-gateway 192.168.1.1
5520-48T-PWR(config)#ip address netmask 255.255.255.0

I created VLAN 100 and moved ports 13-48 to VLAN 100 making sure to set the PVID;

5520-48T-PWR(config)#vlan members remove 1 13-48
5520-48T-PWR(config)#vlan create 100 type port
5520-48T-PWR(config)#vlan members add 100 13-48
5520-48T-PWR(config)#vlan ports 13-48 pvid 100

I enabled IP routing on the switch (remember out of the box it’s just a Layer 2 switch);

5520-48T-PWR(config)#ip routing

I enabled IP routing for VLAN 1 and then gave VLAN 100 an IP address/interface;

5520-48T-PWR(config)#interface vlan 1
5520-48T-PWR(config-if)#ip routing
5520-48T-PWR(config-if)#exit

5520-48T-PWR(config)#interface vlan 100
5520-48T-PWR(config-if)#ip address 192.168.100.1 255.255.255.0 2
5520-48T-PWR(config-if)#ip routing
5520-48T-PWR(config-if)#exit

Let’s just make sure that everything looks right before we get to the real meat of this post;

5520-48T-PWR#show vlan ip
==============================================================================
Vid  ifIndex Address         Mask            MacAddress        Offset Routing
==============================================================================
Primary Interfaces
------------------------------------------------------------------------------
1    10001   192.168.1.50    255.255.255.0   00:1F:0A:CE:XX:40 1      Enabled
100  10100   192.168.100.1   255.255.255.0   00:1F:0A:CE:XX:41 2      Enabled
------------------------------------------------------------------------------
% Total of Primary Interfaces: 2

The two IP interfaces are configured properly and have routing enabled. Let’s make sure that the routing table is correct;

5520-48T-PWR#show ip route
===============================================================================
                                        Ip Route
===============================================================================
DST             MASK            NEXT            COST    VLAN PORT PROT TYPE PRF
-------------------------------------------------------------------------------
0.0.0.0         0.0.0.0         192.168.1.1     10       1    1     S  IB     5
192.168.1.0     255.255.255.0   192.168.1.50    1        1    ----  C  DB     0
192.168.100.0   255.255.255.0   192.168.100.1   1        100  ----  C  DB     0
Total Routes: 3
-------------------------------------------------------------------------------
TYPE Legend:
I=Indirect Route, D=Direct Route, A=Alternative Route, B=Best Route, E=Ecmp Route, U=Unresolved Route, N=Not in HW

Here’s where the real work starts. I created an ACL named “testacl” and then assigned it to port 23.

5520-48T-PWR(config)#qos ip-acl name testacl src-ip 192.168.100.0/24 protocol 6 dst-port-min 80 dst-port-max 80
5520-48T-PWR(config)#qos ip-acl name testacl drop-action enable
5520-48T-PWR(config)#qos acl-assign port 23 acl-type ip name testacl

In the statements above I created an ACL that will allow traffic sourced from 192.168.100.0/24 to a destination TCP port of 80 to pass unrestricted while blocking (dropping) all other traffic. I’ve assigned that ACL to port 23 where I have a test PC connected to the switch.

Let’s just pretend that you forgot to allow DNS (UDP/53) queries in your IP filter, so we’ll back out the ACL and recreate it.

First we need to determine the ACL number that was assigned to our ACL called “testacl”. We can do that by issuing the following command;

5520-48T-PWR#show qos acl
Id    Name                         State    ACL Type  Unit/Port Storage Type
_____ ____________________________ ________ ________ _________ ____________
1     testacl                      Enabled  IP   1/23      NonVol

We also need to know how many rules are in the IP ACL that’s being referenced above. We can do that with the following command;

5520-48T-PWR#show qos ip-acl

Id: 1
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: 192.168.100.0/24
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: TCP
Destination L4 Port Min: 80
Destination L4 Port Max: 80
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 2
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: Ignore
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: Yes
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Now we can remove the ACL from port 23 and then delete it from the switch;

5520-48T-PWR(config)#no qos acl-assign 1
5520-48T-PWR(config)#no qos ip-acl 2
5520-48T-PWR(config)#no qos ip-acl 1

Now we’ll rebuild the ACL allowing DNS queries to the broadband router;

5520-48T-PWR(config)#qos ip-acl name testacl src-ip 192.168.100.0/24 protocol 6 dst-port-min 80 dst-port-max 80
5520-48T-PWR(config)#qos ip-acl name testacl src-ip 192.168.100.0/24 dst-ip 192.168.1.1/32 protocol 17 dst-port-min 53 dst-port-max 53
5520-48T-PWR(config)#qos ip-acl name testacl drop-action enable
5520-48T-PWR(config)#qos acl-assign port 23 acl-type ip name testacl

Now that we have our filter let’s see what it looks like (I’m not a fan of this output format);

5520-48T-PWR#show qos ip-acl

Id: 1
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: 192.168.100.0/24
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: TCP
Destination L4 Port Min: 80
Destination L4 Port Max: 80
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 2
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: 192.168.1.1/32
Source Addr/Mask: 192.168.100.0/24
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: UDP
Destination L4 Port Min: 53
Destination L4 Port Max: 53
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 3
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: Ignore
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: Yes
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

That’s a basic ACL filter using Layer 3 parameters. There is a Technical Configuration Guide available from Nortel/Avaya that provides additional examples and covers Filtering and QoS configuration of the Ethernet Routing Switch 5500 series switches. The guide is a little dated but still a very useful resource in my opinion.
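
To make the ordering of the ACL entries concrete, here is an added example (my own code, not Avaya’s and not part of the original post) that parses the “Id: / Name: / …” entry format printed by `show qos ip-acl` and evaluates a few constructed flows against the parsed entries. It assumes the entries are checked in Id order with the first match deciding the action, which is how the output above behaves: the allow entries come first and the entry created by `drop-action enable` is the catch-all at the end. The sample output is trimmed to the fields the parser reads, and the test PC address 192.168.100.10 and the destination addresses are made up. Running the DNS flow against the entries with Id 2 removed reproduces the “forgot DNS” situation from the first version of the ACL.

```python
"""Parse the ERS 5500 'show qos ip-acl' entry format and evaluate flows against it
(added example; assumes first-match-wins in Id order, as the page's output suggests)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the rebuilt "testacl" from the page, trimmed to the fields this
# parser reads. Fields the switch prints as "Ignore" are left out, because a missing
# field is treated as "Ignore" below; any extra "Key: Value" line is skipped.
SHOW_QOS_IP_ACL = """\
Id: 1
Name: testacl
Source Addr/Mask: 192.168.100.0/24
IPv4 Protocol / IPv6 Next Header: TCP
Destination L4 Port Min: 80
Destination L4 Port Max: 80
Action Drop: No

Id: 2
Name: testacl
Destination Addr/Mask: 192.168.1.1/32
Source Addr/Mask: 192.168.100.0/24
IPv4 Protocol / IPv6 Next Header: UDP
Destination L4 Port Min: 53
Destination L4 Port Max: 53
Action Drop: No

Id: 3
Name: testacl
Action Drop: Yes
"""

PROTO_NUMBERS = {"TCP": 6, "UDP": 17}


@dataclass
class AclEntry:
    acl_id: int
    name: str
    src: Optional[ipaddress.IPv4Network]  # None means the field was "Ignore"
    dst: Optional[ipaddress.IPv4Network]
    proto: Optional[int]                  # IP protocol number, None means any
    dport_min: Optional[int]
    dport_max: Optional[int]
    drop: bool

    def matches(self, src_ip: str, dst_ip: str, proto: int, dport: int) -> bool:
        # Every non-wildcard field has to match for the entry to apply.
        if self.src is not None and ipaddress.ip_address(src_ip) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(dst_ip) not in self.dst:
            return False
        if self.proto is not None and proto != self.proto:
            return False
        if self.dport_min is not None:
            hi = self.dport_max if self.dport_max is not None else self.dport_min
            if not self.dport_min <= dport <= hi:
                return False
        return True


def _field(fields: Dict[str, str], key: str, conv):
    """conv(value) for a printed field, or None when it is absent or 'Ignore'."""
    value = fields.get(key, "Ignore")
    return None if value == "Ignore" else conv(value)


def parse_show_qos_ip_acl(text: str) -> List[AclEntry]:
    """Entries are blank-line separated; each line inside them is 'Key: Value'."""
    entries = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            fields[key.strip()] = value.strip()
        entries.append(AclEntry(
            acl_id=int(fields["Id"]),
            name=fields["Name"],
            src=_field(fields, "Source Addr/Mask", ipaddress.ip_network),
            dst=_field(fields, "Destination Addr/Mask", ipaddress.ip_network),
            proto=_field(fields, "IPv4 Protocol / IPv6 Next Header", PROTO_NUMBERS.get),
            dport_min=_field(fields, "Destination L4 Port Min", int),
            dport_max=_field(fields, "Destination L4 Port Max", int),
            drop=fields.get("Action Drop") == "Yes",
        ))
    return sorted(entries, key=lambda e: e.acl_id)


def evaluate(entries: List[AclEntry], src_ip: str, dst_ip: str,
             proto: int, dport: int) -> Tuple[str, Optional[int]]:
    """First matching entry decides; 'no-match' can only happen without the
    catch-all drop entry that 'drop-action enable' appends."""
    for entry in entries:
        if entry.matches(src_ip, dst_ip, proto, dport):
            return ("drop" if entry.drop else "permit", entry.acl_id)
    return ("no-match", None)


ENTRIES = parse_show_qos_ip_acl(SHOW_QOS_IP_ACL)
# The first version of testacl had no DNS entry, i.e. entries 1 and 3 only.
ORIGINAL_ENTRIES = [e for e in ENTRIES if e.acl_id != 2]
```

Calling `evaluate(ORIGINAL_ENTRIES, "192.168.100.10", "192.168.1.1", 17, 53)` returns a drop on entry 3, while the same call against `ENTRIES` returns a permit on entry 2. It also makes the remaining gaps visible: DNS to any resolver other than 192.168.1.1, HTTPS (TCP/443) and traffic from a source outside 192.168.100.0/24 all fall through to the catch-all drop, which is exactly what you want to confirm before putting a filter like this on a production port.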

Cheers!

Reference;
2008_04_01_Filters_and_QOS_Configurati0on_for_Ethernet_Routing_Switch_5500_TCG_NN48500559.pdf
Avaya Technical Configuration Guide for IPFIX
https://blog.michaelfmcnamara.com/2010/06/avaya-technical-configuration-guide-for-ipfix/
Wed, 23 Jun 2010 02:00:53 +0000

Avaya has released an updated technical configuration guide detailing how to configure IPFIX on the Ethernet Routing Switch 4500, 5000, 8300 and 8600. The document goes into detail documenting how to configure the different switch models. It also covers Avaya’s IP Flow Manager (IPFM) in significant detail.

I’m curious if anyone out there is using Avaya’s IP Flow Manager and has any thoughts and/or comments to share.

I remember a few folks either here or on the forums commenting that they were using nTop to collect the IPFIX flow information. Anyone have any thoughts about nTop/nProbe?

Cheers!

Image Credit to Network World