Michael McNamara

technology, networking, virtualization and IP telephony

How to restrict SNMP community strings on the ERS8600

by

Here’s a guest post (re-post from discussion forums) from Forrequi detailing the steps he took to setup an SNMP community string that could be used by a third party to poll the temperature readings of the Nortel Ethernet Routing Switch 8600.

Today I’ve a little challenge on my network: configure a permission to a specific IP for read the temperature of two ERS8600. This specific host don’t become part of my management network, so I can’t use the same snmp read community. I don’t like to free everything on the core to be read, so I start to liberate only the specific OID (temperature of chassis) on my two ERS8600, and only for the specific IP of the host, with a new read community.

After some study on Nortel documentation (2008_04_04_SNMP_on_ERS_8600_TCG_NN48500564.pdf) I present us my little todo for everone that needs some similar, because this document is not the mos objective guide of the world. My steps:

Step1: Create a MIB view, called “only_temp”, restricted for the temperature OID:

config snmp-v3 mib-view create only_temp 1.3.6.1.4.1.2272.1.100.1.2.0 type include

View the changes:

config snmp-v3 mib-view info

Step2: Create a access group called “group_temp”, with snmpv1 and v2c, no authentication, reading the “only_temp” mib-view:

config snmp-v3 group-access create group_temp "" snmpv1 noAuthNoPriv
config snmp-v3 group-access create group_temp "" snmpv2c noAuthNoPriv
config snmp-v3 group-access view group_temp "" snmpv1 noAuthNoPriv read only_temp write only_temp
config snmp-v3 group-access view group_temp "" snmpv2c noAuthNoPriv read only_temp write only_temp

View the changes:

config snmp-v3 group-access info

Step3: Create the user “user_temp” inside the group:

config snmp-v3 group-member create user_temp snmpv1 group_temp
config snmp-v3 group-member create user_temp snmpv2c group_temp

View the changes:

config snmp-v3 group-member info

Step4: Create a new community “ers8600”, index “third” (the first and second already exist, adapt for you scenario), for the user “user_temp”

config snmp-v3 community create third ers8600 user_temp

View the changes:

config snmp-v3 community info

Step5: Create a new access-policy (policy 6 in my case) for the specific IP 10.10.10.1 (where the temperature has been monitored):

config sys access-policy policy 6 create
config sys access-policy policy 6 name policy6
config sys access-policy policy 6 accesslevel ro
config sys access-policy policy 6 network 10.10.10.1/255.255.255.255
config sys access-policy policy 6 snmp-group-add group_temp snmpv1
config sys access-policy policy 6 snmp-group-add group_temp snmpv2c
config sys access-policy policy 6 service telnet disable
config sys access-policy policy 6 service ssh disable
config sys access-policy policy 6 service tftp disable
config sys access-policy policy 6 service ftp disable
config sys access-policy policy 6 service snmpv3 enable

I hope this can help someone. Bye!

I think this was a great post and appreciate Forrequi sharing this with everyone!

Cheers!

Changing SNMP Community Strings

by

In this day and age it’s not a very good idea to leave the default SNMP community strings configured in any network electronics. The general default configuration uses public for read-only and private for read-write, these defaults apply to  the Nortel Ethernet Switch and the Nortel Ethernet Routing Switch.

You can certainly do this from Nortel’s Java Device Manager, however, you need to be careful that you don’t saw off the branch you’re standing on when you change the SNMP community string. It’s best to configure the SNMP community strings from the CLI interface to avoid any potential issues.

Here are the CLI commands to configure the SNMP community strings on the ERS 8600 and 1600 switch. In the example below we’ll set the read-only string to open and the read-write string to lock.

ERS-8610:5# config snmp-v3 community commname first new-commname open
ERS-8610:5# config snmp-v3 community commname second new-commname lock

Here are the CLI commands to configure the SNMP community strings on the ERS 4500, ERS 5500 and ES460/470 switches. In the example below we’ll set the read-only string to open and the read-write string to lock.

5520-48T-PWR (config)# snmp-server community open ro
5520-48T-PWR (config)# snmp-server community lock rw

Cheers!

Nortel ERS 8600 Software 5.1, 5.1.1 Pulled

by

In a move that I support Nortel has pulled 5.1 and 5.1.1 software for the Nortel Ethernet Routing Switch 8600 from their support website. The purpose behind removing the older software releases is to help remove the confusion surrounding which software folks should be upgrading to. I’m personally running 5.1.1 on two ERS8606 switches which have been running for almost 60 days now and I haven’t seen any issues or problems.

You can find the bulletin here.

Cheers!

Nortel ERS 8600 Software 5.1.1.1 Available

by

Nortel has released software 5.1.1.1 for the Ethernet Routing Switch 8600. Here some highlights from the release notes;

  • Previously certain IST message handling could be delayed by other system functions, thereby potentially causing IST instability (up/down/up). As well, system instability associated with SMLT (IST Peers) in association with high CPU utilization and potentially SLPP operations have both now been resolved. For those who disabled SLPP on their systems/network, SLPP can now be re-enabled with the 5.1.1.1 release. (Q02055292-02/Q02053200/Q02055101/Q02066500)
  • Static routes usage in a VRF configured system for non-default VRFs (non-VRF 0 usage) will no longer cause a spike in CPU utilization. Now even after reboot all the static routes will remain active and CPU utilization will remain normal. This situation was introduced in 5.1.1.0 code, so only applies to that specific release. (Q02060978-03)
  • Previously unicast traffic could be flooded with the VLAN when some SMLT/RSMLT associated link failed; this is now resolved. (Q02037171)

There were two additional items of interest in the release notes that were included under the “Important Notes” section. The first reference the configuration of the system-monitor flag, it should be set in the enabled position and can only be set via SNMP by Nortel’s Java Device Manager (JDM) or by sending the proper SNMP command. The second item referenced a possible crash of the SNMP task within the 8600 software if the retry value for SNMP trap hosts was set greater than 0. I would suggest everyone reference the release notes for additinoal information on both of those items.

You can find the complete release notes here.

Cheers!

LACP Configuration Examples (Part 2)

by

[ad name=”ad-articlebodysq”]In part 1 of this post I provided a pretty simple example of an LACP LAG between two Nortel switches. In this post I’ll provide another example with a small twist thrown in; we’ll terminate the LAG on two ERS 8600 switches using Nortel’s proprietary SMLT (Split MultiLink Trunking) technology. In this example I’ll substitute the Nortel Ethernet Switch 470 for a Ethernet Routing Switch 5520. You’ll notice that the LACP configurations (commands) are identical between the 470 and 5520 switches.

Example 2 – Ethernet Routing Switch 8600 to Ethernet Switch 5520 using LACP trunk with SMLT

As I said before a picture is worth a thousand words and can be very helpful in designing any network topology.

lacp-example2

As with the previous example we’ll start with the Ethernet Routing Switch 8600s and then progress to the Ethernet Routing Switch 5520s. In this example we’ll need to configure two ERS 8600 switches, I’ll assume that you already have an IST (InnerSwitch Trunk) built and running properly.

Let’s start by configuring a MLT group the same way we did so in the previous example. The ERS8600-A switch first;

ERS8600-A
config mlt 15 create
config mlt 15 name "SMLT_LACP"
config mlt 15 lacp key 15
config mlt 15 lacp enable

Now the ERS8600-B switch;

ERS8600-B
config mlt 15 create
config mlt 15 name "SMLT_LACP"
config mlt 15 lacp key 15
config mlt 15 lacp enable

In this example I’ve chosen to connect the uplinks to port 2/17 on each switch. I’ve chosen to use the same ports on both switches only to make the configuration easier to understand for myself. I would use whatever ports I wanted on either switch so long as they are all running at the same speed. In this case the ports are both 10/100Mbps ports and will auto-negotiate to 100Mbps with the MDI-X feature of the ERS 5520 switch.

I’ll enable tagging (802.1q) just like I did in my previous example and I’ll remove VLAN 1 and add VLAN 99. Outside of this example you would just add whatever VLANs you’ll be extended to the edge switch.

ERS8600-A
config ethernet 2/17 perform-tagging enable
config vlan 1 ports remove 2/17
config vlan 99 ports add 2/17

Now the ERS8600-B switch;

ERS8600-B
config ethernet 2/17 perform-tagging enable
config vlan 1 ports remove 2/17
config vlan 99 ports add 2/17

Next we’ll enable LACP on the specific ports and group them using the same admin key;

ERS8600-A
config ethernet 2/17 lacp key 15
config ethernet 2/17 lacp aggregation true
config ethernet 2/17 lacp timeout short
config ethernet 2/17 lacp enable

Now the ERS8600-B switch;

ERS8600-B
config ethernet 2/17 lacp key 15
config ethernet 2/17 lacp aggregation true
config ethernet 2/17 lacp timeout short
config ethernet 2/17 lacp enable

Now because we’re going to be running in an SMLT configuration we need to make a few global changes. We need to enable LACP globally, but we also need to make sure that both switches use the same LACP identifier when communicating with the edge switch. This is necessary so the edge switch won’t know that it’s actually connected to two different switches upstream. If the LACP identifiers didn’t match between the two ERS8600 switches the edge switch would become confused.

ERS8600-A
config lacp smlt-sys-id 00:01:81:28:84:00
config lacp enable

Now the ERS8600-B switch;

ERS8600-B
config lacp smlt-sys-id 00:01:81:28:84:00
config lacp enable

We need to configure the MLT to operate in an SMLT configuration. We also need to make sure that any VLANs we are extending to the edge switch are also bridged across the IST between the two ERS 8600 switches. In this example I’m extending VLAN 99 so I need to add VLAN 99 to the IST which happens to be MLT 1.

ERS8600-A
config mlt 15 smlt create smlt-id 15
config vlan 99 add-mlt 1

Now the ERS8600-B switch;

ERS8600-B
config mlt 15 smlt create smlt-id 15
config vlan 99 add-mlt 1

That’s all the commands required for the two ERS8600 switches.

With that said there are some best practices that should be applied to all downlinks when utilizing SMLT.

While I left this out of the previous example these settings are applicable to both examples.

Let’s make sure that we enable CP-LIMIT which will shutdown the port if the switch receives too many broadcast or multicast frames per second. While some users don’t like this feature it’s better to cut off an offending closet than loose an entire network due to a loop or misconfigured switch. A word of warning here! You do not want CP-LIMIT enabled on any ports used in your IST, you also don’t want it enabled on the uplinks of any ERS8600 switches that reside at the edge as they might cut themselves off from the network. Instead enable it in the core on the downlinks to the edge switches and closet switches.

ERS8600-A
config ethernet 2/17 cp-limit enable multicast-limit 2500 broadcast-limit 2500

Now the ERS8600-B switch;

ERS8600-B
config ethernet 2/17 cp-limit enable multicast-limit 2500 broadcast-limit 2500

Another feature that helps protect the network is SLPP (Simple Loop Protection Protocol). In my opinion this feature is a must for any serious network. I can’t tell you how many times this feature has saved the networks I manage today. This feature will detect a misconfigured MLT/LACP at the edge switch and shutdown one of the downlink ports to preventing a loop. With SLPP you need to pay attention to the threshold setting. You want different thresholds between the two ERS8600 switches so that only one uplink gets shutdown.

ERS8600-A
config slpp add 99
config slpp operation enable
config ethernet 2/17 slpp packet-rx-threshold 50
config ethernet 2/17 slpp packet-rx enable

Now the ERS8600-B switch with a threshold of 5;

ERS8600-B
config slpp add 99
config slpp operation enable
config ethernet 2/17 slpp packet-rx-threshold 5
config ethernet 2/17 slpp packet-rx enable

That’s it for the two ERS8600 switches.

I’m literally going to cut and past the configuration of the ERS5520 from the previous example as it should be identical.

vlan ports 33,34 tagging tagAll

Let’s add VLAN 99 to the ports, I’ve already created the VLAN ahead of time.

vlan members add 99 33,34

Now we just need to configure the LACP parameters for each port and then enable LACP.

interface fastEthernet 33-34
lacp key 13
lacp mode active
lacp timeout-time short
lacp aggregation enable
exit

Hopefully that’s been helpful!

Cheers!

Recent Posts

Categories

SUBSCRIBE BY EMAIL