Michael McNamara

If you've ever tried to connect to the web interface of a Nortel Ethernet Switch 460/470 or Ethernet Routing Switch 5510/5520/5530 you might have found that you need to provide a username.

In software release v3.7.x for the Nortel Ethernet Switch 460/470 you'll also find that you now need to provide a username when you telnet into the switch (in previous releases you were only prompted for a password, now you are prompted for a username and password).

Interestingly enough you cannot change the default usernames (at least I don't believe you can).

For the above mentioned switches there are only two levels of access, read-write and read-only.

The default username for the read-write user level is RW.
The default username for the read-only user level is RO.

Updated 1/16/08: I should have included the default passwords for those two accounts.
The default password for the read-write user level is "secure".
The default password for the read-only user level is "user".

Cheers!

Here's a question that I've been asked over and over again.

How can I upgrade the software of a Nortel ERS 8600 Switch?

It's actually very easy and only takes a few minutes (along with a reboot). If you have dual CPUs (8690SF, 8691SF, 8692SF) your going to need to upgrade both CPUs. If your running in a HA (High Availability) configuration you probably shouldn't be reading this. I'll assume that anyone with dual CPUs is running them in a standby configuration. I generally like to upgrade the standby CPU first and then upgrade the primary CPU, the switch will fail over to the standby CPU once the primary CPU starts to reboot.

You'll need a TFTP server to host the software files. I generally use the TFTP server that comes with Linux (CentOS), however, you can use TFTPD32 by Philippe Jounin on Windows XP/2003. Just drop the TFTPD32 files in the same directory with the Nortel ERS 8600 software release and run the executable.

For this example let's assume that the primary (active) CPU is in slot 5 and the standby CPU is in slot 6. Once you have the TFTP server setup we can telnet into the switch. If you don't have telnet enabled in the boot.cfg file you'll need to console up to the switch. You may also need to clean up the /flash/ filesystem depending on which switch fabric you have installed in the chassis. I believe the 8692SF comes with 64Mb of flash memory and a 64Mb PCMCIA card.

Trying 10.1.1.10...
Connected to 10.1.1.10 (10.1.1.10).
Escape character is '^]'.

**************************************************
* Copyright (c) 2007 Nortel, Inc. *
* All Rights Reserved *
* Ethernet Routing Switch 8010 *
* Software Release 4.1.5.4 *
**************************************************

Login: rwa
Password: ***

ERS-8610:5#

If your not sure which files you need you should consult the Nortel documentation. You will definitely need the boot (p80b4154.img) and agent (p80a5145.img) files at a minimum. I have daughter processors (SuperMezz cards) in my 8692SFs so I also need that software (p80m4154.img). I also have R cards in my chassis so I need the image for those (p80j4154.dld). I don't have any ATM cards so I don't have that software included below. The TFTP server I'm using has the IP address of 10.101.20.1.

Copy software to primary CPU

ERS-8610:5# copy 10.101.20.1:p80a4154.img /flash/p80a4154.img
ERS-8610:5# copy 10.101.20.1:p80b4154.img /flash/p80b4154.img
ERS-8610:5# copy 10.101.20.1:p80c4154.img /flash/p80c4154.img
ERS-8610:5# copy 10.101.20.1:p80c4154.aes /flash/p80c4154.aes
ERS-8610:5# copy 10.101.20.1:p80j4154.dld /flash/p80j4154.dld
ERS-8610:5# copy 10.101.20.1:p80m4154.img /flash/p80m4154.img

We make the configuration changes to the boot.cfg file;

ERS-8610:5# config bootconfig choice primary image-file "/flash/p80a4154.img"
ERS-8610:5# config bootconfig choice secondary image-file "/flash/p80a4150.img"
ERS-8610:5# save config
Save config to file /flash/config.cfg successful.
Save to standby file /flash/config.cfg successful.
ERS-8610:5# save bootconfig
Save bootconfig to file /flash/boot.cfg successful.
Save to standby file /flash/boot.cfg successful.

Copy software to standby CPU and upgrade

With the software now on the primary CPU in the /flash directory we can transfer the software to the standby CPU and upgrade that component. We'll telnet from the primary CPU to the standby CPU so we can issue our commands. Alternately we could also console up to the standby CPU.

ERS-8610:5# peer telnet
Trying 127.0.0.6 ...
Connected to 127.0.0.6
Escape character is '^]'
**************************************************
* Copyright (c) 2007 Nortel, Inc. *
* All Rights Reserved *
* Ethernet Routing Switch 8010 *
* Software Release 4.1.5.4 * **************************************************
Login: rwa
Password: ***
@ERS-8610:6#

Now that we're connected to the standby CPU let's copy the files from the primary CPU. It's important to note tftpd must be enabled on the primary CPU in the boot.cfg file; "flags tftpd true".

@ERS-8610:6# copy 127.0.0.5:p80a4154.img /flash/p80a4154.img
@ERS-8610:6# copy 127.0.0.5:p80b4154.img /flash/p80b4154.img
@ERS-8610:6# copy 127.0.0.5:p80c4154.img /flash/p80c4154.img
@ERS-8610:6# copy 127.0.0.5:p80c4154.aes /flash/p80c4154.aes
@ERS-8610:6# copy 127.0.0.5:p80j4154.dld /flash/p80j4154.dld
@ERS-8610:6# copy 127.0.0.5:p80m4154.img /flash/p80m4154.img

Now that we have the files let's perform the actual upgrade and reset the CPU.

@ERS-8610:6# boot /flash/p80b4154.img
Are you sure you want to re-boot the switch (y/n) ? y
@ERS-8610:6#

You should wait until the standby CPU upgraded the boot code and then loads the new agent code before doing anything with the primary CPU. It's also a great idea to confirm that the standby is up and operational before you do anything with the primary CPU.

Now all you need to-do is upgrade the primary CPU

ERS-8610:5# boot /flash/p80b4154.img
Are you sure you want to re-boot the switch (y/n) ? y
ERS-8610:5#

The switch will boot the boot image and upgrade the boot PROM afterwhich it will reboot again and load the new agent code we specified in the boot.cfg file. If you have a standby CPU the standby CPU will become the active CPU. If you don't have a standby CPU in the switch you'll just need to wait for the switch to come back online. This should only able about 3 minutes.

Cheers!

I've received a few inquires about how to reset the password and configuration on a Nortel Ethernet Routing Switch 8600. In a previous article I showed everyone how to reset the configuration (and password) of a Nortel Ethernet Switch (including the ERS 5500 series) but not a Nortel Ethernet Routing Switch.

As with the previous procedure you'll need access to the console port on the switch. Specifically you'll need to cable up (9600,8,N,1) to the CPU (8690SF, 8691SF, 8692SF) you wish to reset.

If you've lost the password... cold boot the chassis while connected to the console port. When the switch starts to boot you should see something similar to the following (depending on the version of software installed);

Copyright (c) 2007 Nortel, Inc.
CPU Slot 5: PPC 745 Map B
Version: 4.1.5.4
Creation Time: Dec 17 2007, 15:31:21
Hardware Time: DEC 26 2007, 16:19:24 UTC
Memory Size: 0x10000000
Start Type: cold
SMI ZOOMCF
can't open "/pcmcia/pcmboot.cfg" 0x380003
S_dosFsLib_FILE_NOT_FOUND
/flash/ - Volume is OK
Change volume Id from 0x0 to 0x1a5

Loaded boot configuration from file /flash/boot.cfg
Attaching network interface lo0... done.

Press to stop auto-boot...
1

You'll need to interrupt the boot process by hitting the "Return" key . You should be greeted with a monitor prompt;

monitor#

From here you'll be able to issue a command to clear the passwords stored in NV RAM;

monitor# reset-passwd
monitor#

Now just go ahead and reset the CPU and you should be able to login with the default username (rwa) and password (rwa).

monitor# reset

CPU Slot 5: PPC 745 Map B
Version: 4.1.5.4
Creation Time: Dec 17 2007, 15:31:21
Hardware Time: DEC 26 2007, 16:25:09 UTC
Memory Size: 0x10000000
Start Type: cold
SMI ZOOMCF
can't open "/pcmcia/pcmboot.cfg" 0x380003
S_dosFsLib_FILE_NOT_FOUND
/flash/ - Volume is OK
Change volume Id from 0x0 to 0x1a5

Loaded boot configuration from file /flash/boot.cfg
Attaching network interface lo0... done.

Press to stop auto-boot...
Loading /flash/p80a4154.img ... 8761414 to 25459172 (25459172)
Starting at 0x10000...

SMI ZOOMCF
Booting PMC280 Mezz HW please wait
. The BootCode address is 0x2b00100 3303
.
Mezz taking over console and modem......
Mezz CPU Booted successfully


Initializing backplane net with anchor at 0x4100... done.
Backplane anchor at 0x4100... ..
Mounting /flash: .done.


Ethernet Routing Switch 8600 System Software Release 4.1.5.4
Copyright (c) 1996-2007 Nortel, Inc.

CPU5 [10/26/99 11:26:25] SW INFO System boot
CPU5 [10/26/99 11:26:25] SW INFO ERS System Software Release 4.1.5.4
CPU5 [10/26/99 11:26:26] SW INFO CPU card entering warm-standby mode...
CPU5 [10/26/99 11:26:27] SW INFO Loading configuration from /flash/config.cfg

CPU5 [10/26/99 11:26:27] SW INFO PCMCIA card detected in Stand-by CPU "ERS-8610"
slot 5, Chassis S/N SSPND*****

**************************************************
* Copyright (c) 2007 Nortel, Inc. *
* All Rights Reserved *
* Ethernet Routing Switch 8010 *
* Software Release 4.1.5.4 *
**************************************************

Login:

You should now be able to login with the default RWA username of "rwa" and the default password for "rwa".

If you wish to reset the configuration... you only need to delete the config.cfg file from the flash and reset the switch.

You should NOT delete the boot.cfg file unless you have a copy of the software on the PCMCIA card and know how to start the software using the boot command from monitor mode.

I believe the same monitor command is available for the Ethernet Routing Switch 1600 Series.

Cheers!

While writing the previous article I recalled all the problems I had trying to decode the Motorola (formerly Symbol) WISP, WISPe, CAPWAP protcool used between the Wireless LAN Switch and their Access Ports.

As of WireShark version 0.99.7 there is decode support for the Lightweight Access Point Protocol (LWAPP) protocol used by Airspace (Cisco) and a few other wireless vendors.

The legacy Motorola Wireless LAN WS5000, WS5100 switches (version 1.x and 2.x) utilize the WIreless Switch Protocol (WISP) while the Motorola Wireless LAN WS5100, RFS7000 (version 3.x and 1.x respectively) utilize the WIreless Switch Protocol Enhanced (WISPe). The WISPe protocol from Motorola very closely mimics the Control and Provisioning of Wireless Access Points (CAPWAP) that is currently being developed by the IETF.

Now that I've got that history lesson out of the way. Have you every needed to decode the protocol running between the Wireless Switch and the Access Ports?

As you know by now I have a large number of Motorola Wireless LAN switches and Access Ports deployed throughout my organization. Unfortunatley the latest version of WireShark does not support the decoding of WISP, WISPe, or CAPWAP.

Thankfully Ethereal v0.10.14 has decoders for the WISP and CAPWAP protocols. I will say this warning though. I have downloaded multiple copies of Ethereal v0.10.14 and some seem to support WISP and CAPWAP while others don't appear to support it. If I find a link for a working version I'll update this article.

Here's an example of the WISP protocol between a Motorola Wireless LAN Switch (WS5000 v2.x) and an Access Port 300 (AP300). (click on the image to enlarge it)

In the above trace you can see that the AP300 has just been reset and is in the process of booting. It starts by issuing EAPOL and LLDP packets before sending it's first WISP "Hello". You can see that the WS5000 responds to the "Hello" with a "Parent" command after which the Ap300 starts to download its runtime software with the "LoadMe" command.

Here's an example of the CAPWAP protocol between a Motorola Wireless LAN Switch (WS5100 v3.x) and an Access Port 300 (AP300). (click on the image to enlarge it)

Note: this trace was not performed at the port level so we don't see the EAPOL or LLDP traffic. We can see the AP300 making "Discovery", "Join" and "Cfg" requests of the WS5100 switch.

Cheers!

UPDATE: March 29, 2008

Here's a link for Ethereal v0.10.14 that I believe should decode both WISP and CAPWAP;

ftp://192.104.254.176//files/wisp-ethereal-setup-0.10.14.exe

The folks behind WireShark have released version 0.99.7 for Windows. WireShark (formerly Ethereal) is the de facto standard network protocol analyzer today. I personally use WireShark and WildPacket's OmniPeek depending on the situation or scenario.

Why the excitement behind the new release?

Well for those of us that have tried in vein for many years to decode the UNISTIM protocol the latest release of WireShark promises to deliver us from our purgatory. The complete release notes can be found here. I'll include just the pertinent part here;

New Protocol Support

ANSI TCAP, application/xcap-error (MIME type), CFM, DPNSS, EtherCAT, ETSI e2/e4, H.282, H.460, H.501, IEEE 802.1ad and 802.1ah, IMF (RFC 2822), RSL, SABP, T.125, TNEF, TPNCP, UNISTIM, Wake on LAN, WiMAX ASN Control Plane, X.224,

You can find a entry for UNISTIM on WireShark's Wiki here along with an entry on Wikipedia here.

In summary UNIStim is Nortel's proprietary VoIP signaling protocol between their Internet Telephones (i2002,i2004,i2007,1120e,1140e,1150e) and the Nortel Call Server (PBX) switch. The Internet Telephones and Call Server still utilize the Real-time Transport Protocol (RTP) for the actual voice path between two Internet phones or from a Voice Gateway Media Card (VGMC) to an Internet phone.

Let me provide an example of the new decode; (click on the image to see it blown up)

This trace was taken by mirroring the port connecting to an i2004 Internet Telephone. In the trace you will see that the top frames are a RTP stream between the i2004 (10.101.245.132) and a VGMC (10.117.240.43). The frame I've highlighted shows the Signaling Server (10.101.240.20) sending a UNIStim signal to the i2004 to close the audio channel. You can see that in the next packet the far end (10.117.240.43) has already closed the TCP socket generating an ICMP unreachable message back to the i2004 phone.

Many thanks to Gerald Combs and all the contributors over at WireShark!

Cheers!

When I last spoke about my home desktop computer I mentioned that I was waiting for the release of the new Logitech G15 keyboard. I'm happy to report that the new G15 has been released and I'm happily typing this article on it right now.

I found a wealth of plug-ins for the built-in LCD display and I've found some very interesting uses for the macro keys. Overall I'm very happy with the new Logitech G15 keyboard. It complements the new Logitech G5 mouse I've had on my desktop for the past six months. The version of the G5 I have includes two thumb buttons on the mouse, great for those of us that game.

I had the opportunity to upgrade my headset a few weeks ago. I had been using the Plantronics GameCom 1 3.5mm headset with the on-board audio from my Nforce4 Ultra motherboard. Unfortunately the cable got wrapped around my three year olds foot just before she ran out of the room. All the kings horses and all the kings men weren't going to put it back together so I decided to order the Plantronics GameComPro 1 USB headset.

The Plantronics GameCom 3.5mm headset is definitely hands down the best value and product in the price range ($19.99). I've used this headset for about two years now (replacing them as they get broken) and it's very comfortable. I use this headset in conjunction with the on-board audio from my Nforce4 Ultra motherboard. It works very well and provides good sound both as an output and input (microphone). Just remember that you'll need either a dedicated sound card or on-board audio built into your motherboard. I know the audiophiles would argue that the on-board audio isn't anywhere near the quality of a dedicated sound card but for those of us that just need basic audio, this should work fine.

The Plantronics GameComPro1 USB headset is also a very nice product. It is a USB solution that houses it's own DSP (essentially it's own soundcard). It has the same basic design as the GameCom headset above and I would rate it in line with the sound from my on-board audio. Unfortunately the DSP doesn't have a Mixer so you might have issues trying to use a USB headset with FRAPS to record voice/sounds with various applications/games. For those that don't have either a sound card or on-board audio from their motherboard this is a great option.

Cheers!

The Nortel Ethernet Routing Switch 8600 by default has six user accounts each with different levels of access. The "super-user" account is the rwa account and has access to the entire switch.

Default User ID: rwa
Default Password: rwa

Default User ID: rw
Default Password: rw

Default User ID: l3
Default Password: l3

Default User ID: l2
Default Password: l2

Default User ID: l1
Default Password: l1

Default User ID: ro
Default Password: ro

With the release of Nortel's Application Switch Blade for the ERS 8600 there are actually six additional access levels. If you the network administrator of an ERS 8600 is probably best to reset the passwords and/or disable the various access-levels that you are not using. You can accomplish this with the following commands. To change the passwords use the following commands;

ERS-8600:5# config cli password rwa rwa
ERS-8600:5# config cli password rw rw
ERS-8600:5# config cli password l3 l3
ERS-8600:5# config cli password l2 l2
ERS-8600:5# config cli password l1 l1
ERS-8600:5# config cli password ro ro

In software release v4.x and higher the passwords will automatically be synced across both CPUs if there is more than one in the switch. In previous releases you would need to issue the commands above on both CPUs.

You can also disable the different access-levels with the following commands;

ERS-8600:5# config cli password access-level rw disable
ERS-8600:5# config cli password access-level l3 disable
ERS-8600:5# config cli password access-level l2 disable
ERS-8600:5# config cli password access-level l1 disable
ERS-8600:5# config cli password access-level l4admin disable
ERS-8600:5# config cli password access-level slbadmin disable
ERS-8600:5# config cli password access-level oper disable
ERS-8600:5# config cli password access-level l4oper disable
ERS-8600:5# config cli password access-level slboper disable
ERS-8600:5# config cli password access-level ssladmin disable

And don't forget to save your configuration and boot configuration with the following commands;

ERS-8600:5# save config
ERS-8600:5# save bootconfig

You should always change the default passwords in order to secure the network.

Cheers!

The Nortel Ethernet Routing Switch 8600 supports utilizing the standby CPU to capture (PCAP) both ingress and egress (E-modules only) packets on selected I/O ports. The switch must have a standby CPU in order to perform PCAP.

You can configure IP/MAC filters to be applied to the PCAP engine but for this article I'll just show you how to perform the basic packet capture and how to retrieve the data so it can be analyzed with either Wireshark or OmniPeek. I currently use both applications for their different strengths and weaknesses.

First we'll configure the basic PCAP engine settings which should be fairly straight forward. The buffer-size is measured in megabytes so we'll be specifying 10MBs. The fragment-size is specified in bytes and in this example we want to capture the entire frame.

ERS-8600:5# config diag pcap buffer-wrap false
ERS-8600:5# config diag pcap buffer-size 10
ERS-8600:5# config diag pcap fragment-size 1522

Now we need to enable PCAP on the specific switch ports we're interested in capturing. We also want to specify the mode as both (both = ingress and egress packets | rx = ingress packets | tx = egress packets).

ERS-8600:5# config ethernet 2/1 pcap enable mode both

Now we're ready to start the capture.

ERS-8600:5# config diag pcap enable true

Now see if we're actually capturing any packets with the following command;

ERS-8600:5# show diag pcap stats
Stat Information for PCAP
=========================
Packet Capacity Count : 340909
Number of packets received in PCAP engine : 10
Number of packets accumulated in PCAP engine : 10
Number of packets dropped in PCAP engine by filters : 0
Number of packets dropped in Hardware : 0

Now stop the packet capture and retrieve it from the switch;

ERS-8606:5# config diag pcap enable false

Now you just need to copy the contents of the PCAP engine to the PCMCIA card;

ERS-8606:5# copy PCAP00 /pcmcia/capture.cap

You can now remove the PCMCIA card from the CPU and load it into your laptop or better yet you can just FTP the file from the PCMCIA card by making an FTP connection to the switch (you'll need to have FTP enabled in the boot.cfg file).

When your ready to capture again don't forget to resetting the PCAP engine with the following commands;

ERS-8606:5# config diag pcap enable false
ERS-8606:5# config diag pcap reset-stat

If something happens to the PCAP engine (which occasionally happens to me) you can usually resolve the problem by resetting the standby CPU. You can access the stanby CPU from the console port by telneting into it from the primary CPU. You can use the peer telnet command;

8606:5# peer telnet
Trying 127.0.0.6 ...
Connected to 127.0.0.6
*********************************************
* Copyright (c) 2003 Nortel Networks, Inc. *
* All Rights Reserved *
* ERS 8006 *
* Software Release 4.1.1.0 *
*********************************************
Login: rwa
Password: ***
@8606:6#

Note: You might notice that the primary CPU (slot 5 in the chassis) has the internal IP address of 127.0.0.5 while the standby CPU (slot 6 in the chassis) has the internal IP address of 127.0.0.6.

I don't believe you can perform PCAP with the new R modules although I could be wrong.

Cheers!

The Nortel Ethernet Routing Switch 8600 supports port mirroring feature to analyze traffic ingressing/egressing a specific switch port. The ERS 8600 also supports remote port mirroring by moving mirrored traffic across a switch network to a remote switch port.

This allows you to deploy a centralized network analyzer or probe to capture packets for the entire Local Area Network (LAN). This is accomplished by encapsulating the mirrored packets in a remote mirroring encapsulation wrapper. The encapsulation frame is bridged through the network by a seperate port-based VLAN to the remote mirroring termination port.

The following example is taken from the Nortel document "Using Diagnostic Tools".
We'll mirror port 1/15 on S1 to port 1/15 on S3 using the remote mirroring feature of the ERS 8600 Switch. As I mentioned above the packets to be mirrored will be encapsulated and put onto a specific port-based VLAN to be bridged across the network. In the following example we'll create VLAN 99 for this purpose.

Configure S3:

ERS-8610:5# config vlan 99 create byport 1
ERS-8610:5# config vlan 99 ports add 1/15, 2/8
ERS-8610:5# config ethernet 1/15 remote-mirroring create
ERS-8610:5# config ethernet 1/15 remote-mirroring add-vlan-id 99
ERS-8610:5# config ethernet 1/15 remote-mirroring mode termination
ERS-8610:5# config ethernet 1/15 remote-mirroring enable true

We'll need to determine the MAC address of the switch port that will be connecting to the network analyzer (sniffer). We'll need this information in order to configure the originating switch properly.

ERS-8610:5# config ethernet 1/15 remote-mirroring info port 1/15
Enable = TRUE
Mode = termination
srcmac = 00:e0:7b:82:9c:0e
dstmac = 00:e0:7b:82:9d:9c
ether-type = 0x8103
vlan-id-list =10

We'll need to record the "dstmac" MAC address above as we'll need it when configuring the origin switch.

Configure S1:

ERS-8610:5# config vlan 99 create byport 1
ERS-8610:5# config vlan 99 ports add 1/1
ERS-8610:5# config diag mirror-by-port 1 create in-port 1/15 out-port 1/1 mode both enable true remote-mirror-vlan-id 99
ERS-8610:5# config ethernet 1/1 remote-mirroring create
ERS-8610:5# config ethernet 1/1 remote-mirroring dstmac 00:e0:7b:82:9d:9c
ERS-8610:5# config ethernet 1/1 remote-mirroring enable true

Configure S2:

ERS-8610:5# config vlan 99 create byport 1
ERS-8610:5# config vlan 99 ports add 1/1,2/8

I've actually used this feature to mirror traffic from the ELAN interface on a Nortel Succession 1000M (Option 81C) from a closet ERS 8600 to a core ERS 8600 where I had a network analyzer setup to perform network traces.

I was and still am impressed with the feature.

Cheers!

When troubleshooting switches connected using MultiLink Trunks (MLT), Distributed MultiLink Trunks (DMLT) and Split MultiLink Trunks (SMLT) it can be difficult to determine which path a specific set of IP packets are taking between two switches.

The Nortel Ethernet Routing Switch 8600 has a feature called ping snoop that can be used to determine the specific path that specific IP traffic takes over an MLT, DMLT or SMLT path. Ping snoop works by enabling a filter that copies the ICMP messages to the CPU. The CPU then monitors the ICMP stream and outputs messages on the console indicating what ports are being traversed by the IP traffic.

There are different commands depending on the type of IO modules that are involved.

With non-R modules;

config diag ping-snoop create src-ip 30.30.30.0/24 dst-ip 30.30.30.0/24
config diag ping-snoop add-ports 1/47,2/1
config diag ping-snoop enable true
config log screen on

With R modules;

config filter acl 4096 port add 1/2
config filter acl 4096 enable
config filter acl 4096 ace 1 create name echo_reply
config filter acl 4096 ace 1 ip src-ip eq 10.119.255.20/32
config filter acl 4096 ace 1 ip dst-ip eq 10.101.241.25/32
config filter acl 4096 ace 1 protocol icmp-msg-type eq echoreply
config filter acl 4096 ace 1 enable
config filter acl 4096 ace 2 create name echo_request
config filter acl 4096 ace 2 ip src-ip eq 10.101.241.25/32
config filter acl 4096 ace 2 ip dst-ip eq 10.119.255.20/32
config filter acl 4096 ace 2 protocol icmp-msg-type eq echo-request
config filter acl 4096 ace 2 enable
config log screen on

In the above examples you need to substitute the appropriate IP addresses and switch ports.

I've used the ping snoop feature on numerous occasions to isolate the specific uplink that a TCP/UDP conversation was utilizing when traversing two switches that have multiple uplinks between each other [configured as MLT/DMLT/SMLT uplink].

Here's a sample output from a Nortel ERS 8600 v4.1.1 switch;

sw-ccr-8600:5# CPP Task=tMainTask CPU5 [12/11/07 07:36:25] CPU INFO ICMP Reply received on port 8/14 with Src=10.124.240.32 Dst=10.124.240.20
sw-ccr-8600:5# CPP Task=tMainTask CPU5 [12/11/07 07:36:26] CPU INFO ICMP Reply received on port 8/14 with Src=10.124.240.32 Dst=10.124.240.20
sw-ccr-8600:5# CPP Task=tMainTask CPU5 [12/11/07 07:36:27] CPU INFO ICMP Reply received on port 8/14 with Src=10.124.240.32 Dst=10.124.240.20
sw-ccr-8600:5# CPP Task=tMainTask CPU5 [12/11/07 07:36:28] CPU INFO ICMP Reply received on port 8/14 with Src=10.124.240.32 Dst=10.124.240.20

I might be wrong about this but I believe the ping snoop feature only works on ingress packets (packets that are ingressing into the IO module/port you have configured for ping snoop).

Cheers!

There are only a few phone types defined within the Succession Call Server for all Internet telephones.

The vast majority of Internet telephones are defined as either "i2002" or "i2004". The 1150e is a special phone designed for Call Centers and is defined as an IPACD The Wireless LAN phones (2210/2211/2212) should be defined as "i2004". Here's a list of phones and how their associated TN should be defined;

Internet Telephone	TN Type
i2001	i2001
i2002	i2002
i2004	i2004
i2007	i2004
1110e	i2001
1120e	i2002
1140e	i2004
1150e	IPACD
2210	i2004
2211	i2004
2212	i2004

It took me quite a few minutes to figure out how to define the 1150e the first time we purchased one a few months ago.

Cheers!

Virtual Link Aggregation Control Protocol (VLACP) is extension of the Link Aggregation Control Protocol (LACP) developed by Nortel to detect end-to-end failure over an Ethernet network. We've been deploying VLACP within our network for the past year with great success. We were eager to deploy VLACP because the Nortel Ethernet Switch 470 Gigabit Ethernet fiber ports (GBIC) did not support autonegotiation and are required to be hard set to 1000/Full Duplex when connecting to a Nortel Ethernet Routing Switch 8600. Without autonegotiation there is no mechanism to provide link failure notification (RFI, FEFI) on the specific interface. The problem can arise if you have a GBIC malfunction or a single fiber strand breaks leaving one side of the link up and the other side down. VLACP mitigates this problem by providing a mechanism to detect the path failure and can be applied to provide end-to-end failure notification over a telco carrier network.

Here's what Nortel has to stay in their document, "Link Aggregation Control Protocol (LACP) 802.3ad and VLACP Technical Configuration Guide" dated August 2007;

Virtual LACP (VLACP) is an extension to LACP, used to detect end-to-end failure. VLACP takes the point-to-point hello mechanism of LACP and uses it to periodically send hello packets to ensure end-to-end reachability and provide failure detection (across any L2 domain). When Hello packets are not received, VLACP transitions to a failure state and the port will be brought down. The benefit of this over LACP is that VLACP timers can be reduced to 400 milliseconds between
a pair of ERS8600 switches. This will allow for approximately one second failure detection and switchover. Note that the lowest VLACP timer on an ES460/470 is 500ms. VLACP can also be used with Nortel’s proprietary aggregation mechanism (MLT) to complement its capabilities and provide quick failure detection. VLACP is recommended for all SMLT access links when the links are configured as MLT to ensure both end devices are able to communicate. By using VLACP over Single-Port SMLT, enhanced failure detection is extended beyond the limits of the number of SMLT or LACP instances that can be created on the ERS8600. VLACP can also be used as a loop prevention mechanism in SMLT configurations and should be used when setting up the IST. It also protects against CPU failures by causing traffic to be switched or rerouted to the SMLT peer in the case the CPU fails or gets hung up. Please refer to the Technical Configuration Guide for Switch Clustering using Split-Multilink Trunking (SMLT) with ERS8600 for more details.

NOTE: In regards to the ERS8600, although either the CLI or JDM interface allows you to configure the short timers to less than 400ms, Nortel does not support this configuration unless the ERS8600 is equipped with the SuperMezz daughter module for the 8692SF. The SuperMezz allow for very quick sub 100ms failure detection.

Although functions such as Remote fault indication (RFI) or Far-end fault indication (FEFI) can be used to indicate link failure, there are some limitations with these mechanisms. The first limitation is that with either of these mechanisms, they terminate at the next Ethernet hop. Hence, failures cannot be detected on an end-to-end basis over multiple hops such as LAN Extension services. The second limitation is both of these mechanisms required Auto-Negotiation to be enabled on the Ethernet interface. Hence, if an Ethernet interface does not support Auto-Negotiation; neither of these mechanisms can be used. The third limitation is if an Ethernet interface should fail and still provide a transmit signal, RFI nor FEFI will be able to detect a failure. Hence, the far-end interface will still think the link up and continue to transmit traffic. VLACP will only work for port-to-port applications when there is a guarantee for a logical port-port match. It will not work in a port-to-multi-port scenario where there is no guarantee for a pointpoint match.

NOTE: Please note that VLACP does not perform link aggregation. Is it simply used to detect end-to-end link failures and can be enabled over single links or even MLT trunks. VLACP does not require LACP to be enabled; LACP and VLACP are independent features.

NOTE: When configuring VLACP, both ends of the link must be configured with the same EtherType, Multicast MAC address, and same timers. By default, the VLACP parameters across all ES and ERS switches are the same with the exception of the FastPeriodicTimer which is set to 200ms on the ERS8600 and 500ms on all other switches. When connecting, for example, an ERS8600 to and ERS5500, the recommendation is to use 500ms FastPeriodicTimers with ShortTimeout in order to achieve fast failover. Also, when using the ES460/470 in the 3.6.x software release, the VLACP EtherType must be configured with a different value on each MLT link. The EtherType must match the EtherType value at the far end of the MLT link.

NOTE: If VLACP is used with LACP, there is no difference in how VLACP and LACP bring down a port if no LACP or VLACP PDUs are received. VLACP will declare the VLACP status as down and will report the event in the log file whereas LACP will not synchronize, not activate Collecting and Distributing on this port, and not report a message in the log file. The end result is the same where the port will block traffic; the physical layer for this port will remain up. Although you can enable VLACP with LACP, there is no practical reason why you would do so.

There was an interim solution before VLACP developed by Nortel called Single Fiber Fault Detection (SFFD) specifically designed to allow remote fault detection on Gigabit Ethernet fiber ports that did not support autonegotiation. Unfortunately we had some issues with SFFD and never really deployed the feature beyond our testlab environment.

Ethernet Routing Switch 5510
Here's how you would configure VLACP on the MLT uplinks to an ERS 8600 Switch. You'll need to connect to the 5510 switch and enter the "Command Line Interface" if you have the menu up.

5510> enable
5510# configure terminal
5510(config)# interface fastEthernet 47,48
5510(config-if)# vlacp port 47,48 timeout short
5510(config-if)# vlacp port 47,48 enable
5510(config-if)# exit
5510(config)# vlacp enable
5510(config)# exit

Ethernet Routing Switch 8600
Here's how you would configure VLACP on the MLT uplinks to the ERS 5510 Switch above.

ERS-8610:6# config ethernet 1/1, 2/1 vlacp enable
ERS-8610:6# config ethernet 1/1, 2/1 vlacp timeout short
ERS-8610:6# config ethernet 1/1, 2/1 vlacp fast-periodic-time 500
ERS-8610:6# config vlacp enable

In this example we're using ports 1/1 and 2/1 as the uplinks to ports 47 and 48 on the ERS 5510 respectively. The VLACP short timeout timers on the ERS 8600 default to 200ms so we need to configure them to match the minimum possible with the ERS 5500 series switches of 500ms.

If the interface appears to be bouncing you should definitely check the timers.

Cheers!

If you loose the administrator password for the Motorola Wireless LAN Switch (WS5000, WS5100) you can factory default the configuration and administrator password with the following procedure.

You'll need to console up to the physical switch with a null serial cable. I believe the majority of Motorola (Symbol) equipment defaults to 19200-8-N-1. You need to login to the console as the username "restore" with the password of "restoreDefaultPassword". Here's an example;

WS5100 login: cli

User Access Verification

Username: restore
Password: restoreDefaultPasword

WARNING: This will wipe out the configuration (except license key) and
user data under "flash:/" and reboot the device
Do you want to continue? (y/n): y

After the switch reboots you'll need to use the default administrator username and password to log into the switch. They are username "admin" and password "Symbol". I've seen some cases where the password was "symbol", the difference being the case of the first letter.

Cheers!

With release v4.1 software of the Ethernet Routing Switch 8600 Nortel introduced a new mechanism to protect against Layer 2 network loops. The following excerpt is taken from the Nortel document "Converged Campus Technical Solution Guide", authored July 2007 by Dan DeBacker.

Simple Loop Prevention Protocol (SLPP) provides active protection against Layer 2 network loops on a per-VLAN basis. SLPP uses a lightweight hello packet mechanism to detect network loops. SLPP packets are sent using Layer 2 multicast and a switch will only look at its own SLPP packets or at its peer SLPP packets. It will ignore SLPP packets from other parts of the network. Sending hello packets on a per VLAN basis allows SLPP to detect VLAN based network loops for un-tagged as well as tagged IEEE 802.1Q VLAN link configurations. Once a loop is detected, the port is shutdown. The SLPP functionality is configured using the following criteria:

• SLPP TX Process – the network administrator decides on which VLANs a switch should send SLPP hello packets. The packets are then replicated out all ports which are members of the SLPP-enabled VLAN. It is recommended to enable SLPP on all VLANs.
• SLPP RX Process – the network administrator decides on which ports the switch should act when receiving an SLPP packet that is sent by the same switch or by its SMLT peer. You should enable this process only on Access SMLT/SLT ports and never on IST ports or Core SMLT/SLT ports in the case of a square/full mesh core design.
• SLPP Action – the action operationally disables the ports receiving the SLPP packet. The administrator can also tune the network failure behavior by choosing how many SLPP packets need to be received before a switch starts taking an action. These values need to be staggered to avoid edge switch isolation – see the recommendations at the end of this section.

Loops can be introduced into the network in many ways. One way is through the loss of an MLT configuration caused by user error or malfunctioning equipment. This scenario may not always introduce a broadcast storm, but because all MAC addresses are learned through the looping ports, does significantly impact Layer 2 MAC learning. Spanning Tree would not in all cases be able to detect such a configuration issue, whereas SLPP reacts and disables the malfunctioning links, limiting network impact to a minimum. The desire is to prevent a loop from causing network problems while also attempting to not totally isolate the edge where the loop was detected. Total edge closet isolation is the last resort in order to protect the rest of the network from the loop. With this in mind, the concept of an SLPP Primary switch and SLPP Secondary switch has been adopted. These are strictly design terms and are not configuration parameters. The Rx thresholds are staggered between the primary and secondary switch, therefore the primary switch will disable an uplink immediately upon a loop occurring. If this resolves the loop issue, the edge closet still has connectivity back through the SLPP secondary switch. If the loop is not resolved, the SLPP secondary switch will disable the uplink and isolate the closet to protect the rest of the network from the loop.

I've deployed SLPP at one site with with a two tier network design utilizing SMLT with an IST core. It's very important to remember that SLPP operates per VLAN id so you need to take that into consideration. You also don't want to overload your switch fabric (CPU) by enabling SLPP on every VLAN, especially if you have a large number of VLANs.

Here's an example of how to deploy SLPP between two core ERS 8600s (switch cluster).

ERS 8600 Core Switch A

ERS-8610:5# config slpp add 200
ERS-8610:5# config slpp operation enable
ERS-8610:5# config ethernet 1/1-1/8 slpp packet-rx enable
ERS-8610:5# config ethernet 1/1-1/8 slpp packet-rx-threshold 5

ERS 8600 Core Switch B

ERS-8610:5# config slpp add 200
ERS-8610:5# config slpp operation enable
ERS-8610:5# config ethernet 1/1-1/8 slpp packet-rx enable
ERS-8610:5# config ethernet 1/1-1/8 slpp packet-rx-threshold 50

This will cause both core ERS 8600 switches to transmit SLPP PDUs on VLAN 200. They will watch for those PDUs to return on port 1/1-1/8. It's important in the example above to point out the different thresholds. You don't want both core ERS 8600 switches cutting off both uplinks to the edge closets. Hence the core A switch will admin-down any port where it receives 5 of it's own SLPP PDU packets. The core B switch will admin-down any port where it recieves 50 of it's down SLPP PDU packets. This configuration will generally disable one of the uplinks from the switch cluster (removing the loop) but won't leave the edge switch disconnected from both core ERS 8600 switches.

Cheers!

I know what a pain it can be to sometimes locate vendor specific SNMP MIBS. In the past I've sometimes spent hours scouring the net and vendor sites looking for the MIBS.

I've decided to post some of the vendor specific SNMP MIBS that I work with on my homepage. You should be able to link straight to my homepage with this URL;

http://mysite.verizon.net/michaelfmcnamara/netmgmt.htm#mibs

You should be able to find SNMP MIBS for the following devices;

Nortel Ethernet Routing Switch 8600 (v4.1.4)
Nortel Ethernet Routing Switch 5500 Series (v5.1)
Motorola WS5100 Wireless LAN Switch (v3.0.3)
Motorola RFS7000 Wireless LAN Switch (v1.x)
APC UPS Management Cards (v387)

As time and disk space allow I will add additional vendor MIBS and additional devices.

Update 12/01/07

Polycom VXS8000 Video Conferencing System
Blue Coat ProxySG Appliance
Blue Coat ProxyAV Appliance

Update 12/07/07

Nortel Application Switch (v23.2.3.1)

Update 12/26/07

Nortel Ethernet Switch 460/470 (v3.7)
Nortel Ethernet Routing Switch 1600 (v2.1.4)
Nortel Succession Call Server (v4.5)

Update 12/29/2007

Motorola WS5000/WS5100 Wireless LAN Switch (v2.1.3)


Cheers!

There have been a few folks asking me if I know what the following log entry is on their Nortel Ethernet Routing Switch 5500 Series, "NVR Audit data initialized - incorrect magic number: 0xffffffff".

I believe this is documented from Nortel as a bug in their latest software. The switch is throwing an error because the audit data (a new feature in the v5.x software line) is not present in the configuration or NVRAM the first time the switch boots after an upgrade to v5.x. This error could also occur if you've just factory reset your switch to the default configuration. I believe the error can be safely ignored as I've seen it on all 42 of my 5500 series switches.

I do remember seeing something about this error documented from Nortel, unfortunately I can't seem to find that reference now.

ERS-5520#show logging
Type Time Idx Src Message
---- ----------------------- ---- --- -------
S 00:00:00:00 1 NVR SNTP: Could not sync to NTP servers.
S 2007-04-05 17:18:08 GMT 2 NVR SNTP: Could not sync to NTP servers.
S 2007-04-05 17:22:07 GMT 3 NVR Audit data initialized - incorrect magic number: 0xffffffff
I 2007-04-19 01:21:03 GMT 4 Web server starts service on port 80.
I 2007-04-19 01:21:19 GMT 5 IGMP: Unknown Multicast Filter disabled
I 2007-04-19 01:21:19 GMT 6 PoE Port Detection Status: Port 1 Status: Delivering Power
I 2007-04-19 01:21:22 GMT 7 PoE Port Detection Status: Port 35 Status: Delivering Power
I 2007-04-19 01:21:49 GMT 8 Port 0/47 reenabled by VLACP
I 2007-04-19 01:21:49 GMT 9 Port 0/48 reenabled by VLACP
I 2007-04-19 01:23:05 GMT 10 SNTP: First synchronization successful.
I 2007-04-19 01:23:18 GMT 11 Warm Start Trap
I 2007-04-19 01:23:19 GMT 12 Link Up Trap Port: 1
I 2007-04-19 01:23:20 GMT 13 Trap: pethPsePortOnOffNotification
I 2007-04-19 01:23:20 GMT 14 Trap: bsAdacPortConfigNotification for Port: 47, Config: Applied

Cheers!

There can be times when you need to factory reset a switch. This process can be accomplished through the CLI but if you've lost the switch password you'll need to follow a special process. This process should work for any of the Ethernet Switches (450, 460, 470) and the Ethernet Routing Switches 2500 Series, 4500 Series, 5500 (5510, 5520, 5530) Series. There is a different process to recover lost passwords on the Ethernet Routing Switch 1600 and 8600.

Follow these steps:

1. Connect to the console port of the switch (9600,8,N,1)
   
2. Reboot the switch.
3. When the first line of the diagnostics tests is displayed, press CTRL-C. The system then displays a menu.
4. Select option "i" to factory default the switch.
5. Select option "a" to run the agent code.

Upon boot up, the switch will be in a factory default configuration.

Cheers!

The release of v3.x software for the Motorola WS5100 and v1.x software for the Motorola RFS7000 finally supports the deployment of Layer 3 Access Ports (APs that could be deployed across a Layer 3 network as opposed to those that can only be deployed across a Layer 2 network).

The latest release of firmware for the AP300 will first attempt to locate a wireless switch for adoption via a Layer 2 broadcast request. If it's unable to locate a wireless switch it will make a DHCP request for an IP address. If the DHCP response does not include option 189 (string) it will make a DNS request to try and locate the wireless switch.

There are two ways the Access Port can locate the Wireless LAN Switch (WS5100/RFS7000) in Layer 3 mode;

• DHCP Option
  
• DNS Query
  

You can use DHCP and configure option 189 (string) with the IP address of the Motorola Wireless LAN Switch. You should note that you may need to enclose the string in quotation marks depending on your DHCP server software.

You can also create a DNS alias which the AP can use to locate the switch through a DNS query. The default DNS anme requested by an AP300 is "Symbol-CAPWAP-Address".

You might also notice that the AP300 will also support LLDP (802.1ab) if your Ethernet switch supports it.

Cheers!

If for whatever reason you've lost the Web UI or "admin" password your only recourse is to factory default the wireless switch.

To access the switch using a password recovery username and password:
1. Connect a terminal (or PC running terminal emulation software) to the serial port on the front of the switch. The switch login screen displays. Use the following CLI command for normal login process:

WS5100
login: cli

2. Enter a password recovery username of "restore" and password recovery password of "restoreDefaultPassword".

User Access Verification
Username: restore
Password: restoreDefaultPasword
WARNING: This will wipe out the configuration (except license key) and user data under "flash:/" and reboot the device
Do you want to continue? (y/n):y

3. Press Y to delete the current configuration and reset with factory defaults.

Once the switch has complete it's reboot you should be able to login with the default userID or "admin" and the default password of "symbol". If you had previously backed up the configuration of the switch you could restore your old configuration.

Nortel has just recently released v5.1 software for their Ethernet Routing Switch (ERS) 5500 Series.

There are some enhancements that affect how ADAC/LLDP function on the ERS 5520 switch. From the release notes;

IEEE 802.1ab and ADAC linkage
Nortel introduced the 802.1ab and Auto Detection Auto Configuration(ADAC) features to Release 5.0 to address converged applications. In Release 5.1, the functionality of 802.1ab and ADAC is combined: ADAC uses 802.1ab/LLDP as the detection mechanism to determine the identity of the attached device (that is, a Nortel IP phone that supports 802.1ab Media Endpoint Devices type, length, and value descriptions [MED TLV]). The Auto Configuration functionality of ADAC applies the configuration to the port.
Configurable using NNCLI, ACG, and Device Manager.

It looks like it will no longer be necessary to maintain the list of MAC prefixes for all Nortel Internet Telephones. If you recall from some of my previous posts I needed to manually update the list of MAC prefixes used by my ERS 5520 switches in order to get many of my i2002/i2004 Internet Telephones to be detected properly. The default list of MAC prefixes usually didn't cover all the i2002/i2004/i2007/1140e Internet Telephones I had installed throughout my organization. In previous articles we enabled ADAC like so;

5520-48T-PWR (config)# adac voice-vlan 50
5520-48T-PWR (config)# adac op-mode tagged-frames
5520-48T-PWR (config)# adac uplink-port 48
5520-48T-PWR (config)# adac mac-range-table low-end 00:18:b0:00:00:00 high-end 00:18:b0:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:16:ca:00:00:00 high-end 00:16:ca:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:17:65:00:00:00 high-end 00:17:65:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:0a:e4:75:00:00 high-end 00:0a:e4:75:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:14:c2:00:00:00 high-end 00:14:c2:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:19:69:00:00:00 high-end 00:19:69:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:19:e1:00:00:00 high-end 00:19:e1:ff:ff:ff
5520-48T-PWR (config)# adac enable

I haven't actually tested this myself yet but supposedly if LLDP detects an Internet Telephone it will pass that information to ADAC without the need of evaluating the device's MAC address.

The 5.1 release also now supports the 1000Base-BX SFP;

BX SFP support
Many customers have high density gigabit requirements, but lack the fiber density to deploy. BX SFPs helps alleviate this issue by allowing a single strand of fiber to facilitate communication.
Nortel introduces support for 1000BaseBX10 module with release 5.1. The modules are single fiber, bidirectional SFP transceivers. Two types of modules are available:
• 1310nm (BX10-U) transceiver
• 1490nm (BX10-D) transceiver
The 1000BaseBX10-D device is always connected to a 1000BaseBX10-U device with a single strand of standard single-mode fiber. The operating transmission range is up to 10 km. The fiber uses a GBIC LC connector on each end.
If the 1000BaseBX10-U is not connected to the 1000BaseBX10-D device, the signals are not received properly and the Link LED does not illuminate. You can configure BX SFP Support through the NNCLI, ACG, or Device Manager.

The 1000BASE-BX bidirectional SFPs provide Gigabit Ethernet connectivity over a single fiber.

As shown in the figure, the transmit (Tx) and receive (Rx) paths share the same fiber by using two different wavelengths. One model transmits at 1310 nm and receives at 1490 nm, while the mating model transmits at 1490 nm and receives at 1310 nm. You can only connect a mating pair.

You can use 1000BASE-BX SFPs to double the number of your fiber links. For example, if you have 20 installed fiber pairs with 20 conventional ports connected, you can use 1000BASE-BX SFPs to expand to 40 ports, using the same fiber.

The long wavelength optical transceivers used in these models provide variable distance ranges using single mode fiber optic cabling.

Cheers!

A few years ago I had a request to design a public WiFi hotspot portal for the patients and visitors within our five major facilities. I did a fair amount of research and found a number of interesting commercial and open-source solutions. Unfortunately none of them really filled our requirements or caught my fancy. So I embarked on building/coding our own solution using a wide array of open-source software that was already available. Since I was most familiar with Perl at the time I chose to code the solution using Perl and Javascript (browser side) using Linux as the operating system of choice.

I needed to provide a public WiFi hotspot across our existing corporate wireless infrastructure at our five major sites. It obviously needed to be secure from our internal network, it needed to be 100% automated (there were no resources available to support this offering) and it needed to work (there's a surprise requirement). We also needed to keep internal (corporate) laptops and wireless devices from connecting to the unencrypted network and circumventing current Internet access policies.

Because of security concerns I decided to only allow HTTP (TCP 80) and HTTPS (TCP 443) traffic from the public wireless network. I also tabled any ideas of content/URL filtering from the original design. Instead we would reliable on Blue Coat ProxySG/ProxyAV appliances and Websense to perform content filtering and AV scanning of the traffic in a later upgrade.

How did we do it?
We carved out an ESSID ("public") from our Motorola Wireless LAN infrastructure at each facility. We setup the wireless network without any encryption or security so as to minimize any end-user difficulties in connecting to the wireless network. We took CentOS and built a WiFi portal server/gateway/firewall/router using an HP Proliant DL360. We essentially turned our Linux server into a cheap and very efficient firewall/gateway for the WiFi Hotspot. We connected one NIC of the Linux server to the wireless WLAN and the other to our internal network. This allowed use to use the Linux server to provide IP addresses to the wireless devices through DHCP. It also allowed use to have the Linux server provide DNS for name resolution. And most importantly it allowed use to use IPtables to provide firewalling between the wireless network and our internal network. This solution also allowed us to implement bandwidth shaping/throttling to prevent the public WiFi Hotspot wireless users from utilizing too much of our Internet link (DS-3 ~ 45Mbps).

Once a device associates with the wireless network the Linux portal server will issue the device a DHCP address from the 192.168.16.0/20 network. When the user opens their web browser they will be redirected to the Linux portal web server and the registration page as it appears below;

Once the user clicks on the "I AGREE" button the Linux server will kick off the "register.pl" script to check the IP/MAC address and decide if they should be granted access. If they are granted access they will be redirected to our Internet homepage after which they'll be free to surf to any URL. If the user is denied access they will be directed to an error page.

It is also possible that the user may attempt to register multiple times due to their web browser caching the portal page contents as the contents of a legitimate Internet website. Example: A user opens their web browser to www.cnn.com and is greeted with the portal page. User registers that is then re-directed to www.acme.org. The user then types www.cnn.com back into the browser address bar, but instead of getting the legit content for the CNN website the user is greeted again by the portal page. The user not knowing any better clicks the “I AGREE” button for the second time in as many minutes. Previously this problem would have gone on and on over and over, now the system will detect that the user is already registered and will through an error alerting the user to “refresh” their web browser. In order to refresh the browser the user should just type in the URL of the website they are attempting to visit and click “Go” (or hit “enter”). If they are greeted with the portal page they should click the “refresh” button from the browser button bar. That will instruct the web browser to ignore any cached content and attempt to retrieve all the data direct from the source website.

Every night at midnight the firewall rules will be reset to the defaults. Requiring any that wishes to access the WiFi Hotspot to agree to the AUP again. This is done to prevent folks from continually sitting/camping on the WiFi Hotspot.

Initially I thought we might be able to use a VPN or GRE tunnel to connect the five public WLANs to a single Linux server. Unfortunately I was a little ahead of the times and VPN/GRE tunnels were just starting to be supported in the various wireless switches (Motorola in this case). So I decided to take an easier approach and installed five HP Prolaint DL360 servers, one for each site.

I'm very happy to report that the solution works very well and virtually supports itself.

The only issue that we've seen is the need to continually update the blacklist file to keep corporate wireless devices from connecting to the public network. Thankfully I've written a small Bash Shell script to help with that process.

I hope to write a more detailed account of how to set this up on my website sometime in the future. If your interested in hearing more or have questions please drop me a line.

Cheers!

The purpose of this post is to outline how to upgrade a Symbol 5x00 Wireless LAN switch. In the example provided we will upgrade a switch running v1.4.3.0-R12 to v2.1.1. This upgrade is a major upgrade in that it literally replaces the core operating system with Linux. The upgrade is done in two steps. The first step you upgrade to v2.1 and in the second step you upgrade to v2.1.1.

You’ll be using the CLI interface to perform the upgrade; there will be no need for the web Java GUI until after the upgrade is complete.

[root@madmax ~]# telnet sw16r-wireless.tlh.acme.org
Trying 10.115.255.253...
Connected to sw16r-wireless.tlh.acme.org (10.115.255.253).
Escape character is '^]'.
user name: cli

When prompted for the “user name” use “cli". When prompted for the “userid” use the default of “admin” and "symbol" as the password.

Symbol Wireless Switch WS 5000 Series.
Please enter your username and password to access the Command Line Interface.

userid: admin
password: *********

Retrieving user and system information...

Setting user permissions flags..
Checking KDC access permissions...

Welcome...

Creating the Event list...
System information...

System Name : sw16r-wireless
Description : WS5000 Wireless Network
Switch Location : Data Center
Software Ver. : 1.4.3.0-012R
Licensed to : Symbol Technologies
Copyright : Copyright (c) 2000-2005. All rights reserved.
Serial Number : 00A0F865B362
Number of Licenses : 0
Max Access Ports : 30
Max Mobile Clients : 4096
Active Switch Policy : Wireless Switch Policy
Emergency Switch Policy : Not defined
Switch Uptime : 35d:23h:41m
# of Unassigned Access Ports : 0

sw16r-wireless>

It’s advised to start out by backing up the switch configuration and then uploading that configuration to the TFTP server on the network. You’ll first need to delete the existing configuration file. (If the switch is a standby switch there is no need to backup the configuration file).

sw16r-wireless> del sw16-wireless.cfg
Removing sw16-wireless.cfg.... done.

sw16r-wireless> save configuration sw16-wireless.cfg
Saving running configuration in: sw16-wireless.cfg

Saving wireless network management configuration...
Configuration saved successfully.

sw16r-wireless> copy sw16-wireless.cfg tftp://10.101.20.1/sw16-wireless-tlh.cfg

Copying 'sw16-wireless-tlh.cfg' from Switch to tftp://10.101.20.1...
File: sw16-wireless-tlh.cfg copied successfully to 10.101.20.1

Once you’ve backed up the switch configuration you need to make room for the new image. Delete all the files from the flash memory. You can use the “dir” command and “del” command.

sw16r-wireless> dir
Date & Time Bytes File Name

Mar 29 2005 15480 WS5000Defaults_v1.4.1.0-014R.cfg
Jan 24 10:46 19591051 WS5000_v1.4.3.0-012R.sys.img
Jan 24 10:48 16138 WS5K_v1.4.1.0-014R-Upg.cfg
Oct 3 2005 6517 cmd_template.sym
Oct 3 07:22 17345 sw16-wireless-tlh.cfg

sw16r-wireless> del WS5000Defaults_v1.4.1.0-014R.cfg

Removing WS5000Defaults_v1.4.1.0-014R.cfg.... done.

sw16r-wireless> del WS5000_v1.4.3.0-012R.sys.img
Removing WS5000_v1.4.3.0-012R.sys.img.... done.

sw16r-wireless> del WS5K_v1.4.1.0-014R-Upg.cfg
Removing WS5K_v1.4.1.0-014R-Upg.cfg.... done.

sw16r-wireless> del cmd_template.sym
Removing cmd_template.sym.... done.

sw16r-wireless> del sw16-wireless-tlh.cfg
Removing sw16-wireless-tlh.cfg.... done.

Now you can go ahead and download the new system image and accompanying files via FTP. I’ve already placed the system image on the FTP server. The following files will need to be downloaded from the FTP server (10.101.20.1); WS5000_v2.1.0.0-029R.sys.kdi, dominfo, PreUpgradeScript, WS5k_domfix.cfg. You can confirm that the file gets copied down by listing the directory contents using “dir”.

sw16r-wireless> copy ftp system -u mcnamm
Enter the file name to be copied from FTP server : PreUpgradeScript
IP address of the FTP server : 10.101.20.1
Enter the user password : **********

Copying 'PreUpgradeScript' from ftp://10.101.20.1 to Switch...
Data connection mode : BINARY (Connecting as 'mcnamm')

Status : Transfer completed successfully
19633 bytes received in 0.0098 seconds (2e+03 Kbytes/s)
/bin/dedos: line 69: syntax error near unexpected token `dir'
/bin/dedos: line 69: `dedos -R # recursive from dir'

sw16r-wireless> copy ftp system -u mcnamm
Enter the file name to be copied from FTP server : dominfo
IP address of the FTP server : 10.101.20.1
Enter the user password : **********

Copying 'dominfo' from ftp://10.101.20.1 to Switch...
Data connection mode : BINARY (Connecting as 'mcnamm')

Status : Transfer completed successfully
48346 bytes received in 0.015 seconds (3.2e+03 Kbytes/s)

sw16r-wireless> copy ftp system -u mcnamm
Enter the file name to be copied from FTP server : WS5k_domfix.cfg
IP address of the FTP server : 10.101.20.1
Enter the user password : **********

Copying 'WS5k_domfix.cfg' from ftp://10.101.20.1 to Switch...
Data connection mode : BINARY (Connecting as 'mcnamm')

Status : Transfer completed successfully
1410387 bytes received in 0.15 seconds (9.5e+03 Kbytes/s)
Verifying configuration file...
Valid configuration file. Completing verification.

sw16r-wireless> copy ftp system -u mcnamm
Enter the file name to be copied from FTP server : WS5000_v2.1.0.0-029R.sys.kdi
IP address of the FTP server : 10.101.20.1
Enter the user password : **********

Copying 'WS5000_v2.1.0.0-029R.sys.kdi' from ftp://10.101.20.1 to Switch...
Data connection mode : BINARY (Connecting as 'mcnamm')

Status : Transfer completed successfully
39661568 bytes received in 22 seconds (1.8e+03 Kbytes/s)

sw16r-wireless> dir
Date & Time Bytes File Name

Oct 3 07:28 19633 PreUpgradeScript
Oct 3 07:29 39661568 WS5000_v2.1.0.0-029R.sys.kdi
Oct 3 07:28 1410387 WS5k_domfix.cfg
Oct 3 07:28 48346 dominfo

sw16r-wireless>

The next step is to execute the PreUpgradeScript and check if there is adequate space for the upgrade. You’ll need to enter “service mode” to execute the following commands. You can enter “service mode” by entering the command “service”. The password may either be “password” or the switch admin password.

sw16r-wireless> service
Enter CLI Service Mode password: ********
Enabling CLI Service Mode commands...... done.

SM-sw16r-wireless> launch -c chmod +x /image/PreUpgradeScript

SM-sw16r-wireless> launch -c /image/PreUpgradeScript freemem
PreUpgradeScript : freemem - computing Free memory
DOM firmware upgrade will NOT be performed
Finding out the Free Space Needed ... !!
Total Free Space on the System: 148 (in MB)
OK. Required space to do the upgrade exists .. !!

If you receive the “OK” you can go ahead with the upgrade. It may be necessary (with Wireless LAN Switch 5000s) to run the “PreUpgradeScript freemem” prior to downloading the WS5000_v2.1.0.sys.kdi image. The 5000 switches only have 128Mb of flash space available.

SM-sw16r-wireless> launch -c /image/PreUpgradeScript upgrade
PreUpgradeScript : upgrade - upgrading the system
Deciding on DOM firmware upgrade, based on switch platform
This is a butterfly 1.4.x series switch
This is WS5100 switch, no need for firmware upgrade
Verifying checksum for : dominfo
Checksum verification for dominfo : passed
Showing details of DOM

Model Number______________________: Kouwell DOM
Serial Number_____________________: HyFlash 00004020
Controller Revision Number________: 14/05/02

Able to do Double Word Transfer___: No
Controller buffer size (bytes)____: 512
Transfer Speed____________________: > 10 Mbit/sec
Drive Type________________________: Removable
IORDY Supported___________________: No
Can IORDY be disabled by device___: No
LBA Mode supported________________: Yes
DMA Supported_____________________: No
Number of ECC bytes transferred___: 4
Number of sectors per interrupt___: 1

Number of Cylinders_______________: 980
Number of Heads___________________: 16
Number of Sectors per Track_______: 32

Enter the Image Name: WS5000_v2.1.0.0-029R.sys.kdi
Verifying Image Checksum
Image Checksum Verification Passed
Saving the Configuration before upgrading
Saving wireless network management configuration...
Configuration saved successfully.
Creating the configuration tar
tar: Removing leading / from absolute path names in the archive.
image/upgrade.cfg
Copying the image
Rebooting the system
Shutting down snmpd agent.....done.
Shutting down apache server...done.
Shutting down cell controller.......done.
Shutting down database main thread...done.
Rebooting the switch...
Connection closed by foreign host.

Now you’ll need to wait.; it should take between 5 and 10 minutes for the switch to upgrade and reboot. After the switch has rebooted you can re-establish your telnet session;

[root@linux ~]# telnet sw16r-wireless.tlh.acme.org
Trying 10.115.255.253...
Connected to sw16r-wireless.tlh.acme.org (10.115.255.253).
Escape character is '^]'.
=========== WS5000 Switch ===========

Copyright(c) Symbol Technologies, Inc. 2005.
All rights reserved.

user name: cli

Symbol Wireless Switch WS 5000 Series.
Please enter your username and password to access the Command Line Interface.

userid: admin
password: *********

Retrieving user and system information...

Setting user permissions flags..
Checking KDC access permissions...

Welcome...

Creating the Event list...
System information...

System Name : sw16r-wireless
Description : WS5000 Wireless Network
Switch Location : Data Center
Software Ver. : 2.1.0.0-029R
Licensed to : Symbol Technologies
Copyright : Copyright (c) 2000-2005. All rights reserved.
Serial Number : 00A0F865B362
Number of Licenses : 0
Max Access Ports : 30
Max Mobile Clients : 4096
MU Idle Timeout value : 1800 seconds
Active Switch Policy : Wireless Switch Policy
Emergency Switch Policy : Not defined
Switch Uptime : 00d:00h:03m
Global RF stats : Disabled
# of Unassigned Access Ports : 0
CLI AutoInstall Status : Enabled


sw16r-wireless> copy tftp system
Enter the file name to be copied from TFTP server : WS5000_v2.1.1.0-006R.sys.img
IP address of the TFTP server : 10.101.20.1

Copying 'WS5000_v2.1.1.0-006R.sys.img' from tftp://10.101.20.1 to Switch...
File: WS5000_v2.1.1.0-006R.sys.img copied successfully from 10.101.20.1
Verifying imagefile...
Valid imagefile. Completing verification.

sw16r-wireless> restore system WS5000_v2.1.1.0-006R.sys.img

This command will reset the system and boot up with the new restored image.
Do you want to continue (yes/no) : yes

Restoring system image and configuration from WS5000_v2.1.1.0-006R.sys.img
It might take a few minutes.......

Saving wireless network management configuration...
Configuration saved successfully.
Stopping Postgres database.. done
Creating Default Configuration file for 2.1.1.0-006R..

Rebooting the switch...

Shutting down dhcp daemon.. done
Shutting down apache server in the SSL mode...done.
Cell controller not running.
Shutting down Postgres....done.
Connection closed by foreign host.

You’re all done.

The only issue I’ve discovered is that you need to re-configure the SNMP community string and TIMEZONE on any upgraded switch.

Enjoy.