Monday, November 26, 2007
SNMP MIBS
I know what a pain it can sometimes be to locate vendor-specific SNMP MIBs. In the past I've spent hours scouring the net and vendor sites looking for them.
I've decided to post some of the vendor-specific SNMP MIBs that I work with on my homepage. You should be able to link straight to them with this URL:
http://mysite.verizon.net/michaelfmcnamara/netmgmt.htm#mibs
You should be able to find SNMP MIBs for the following devices:
Nortel Ethernet Routing Switch 8600 (v4.1.4)
Nortel Ethernet Routing Switch 5500 Series (v5.1)
Motorola WS5100 Wireless LAN Switch (v3.0.3)
Motorola RFS7000 Wireless LAN Switch (v1.x)
APC UPS Management Cards (v387)
As time and disk space allow I will add additional vendor MIBs and additional devices.
Update 12/01/07
Polycom VXS8000 Video Conferencing System
Blue Coat ProxySG Appliance
Blue Coat ProxyAV Appliance
Update 12/07/07
Nortel Application Switch (v23.2.3.1)
Update 12/26/07
Nortel Ethernet Switch 460/470 (v3.7)
Nortel Ethernet Routing Switch 1600 (v2.1.4)
Nortel Succession Call Server (v4.5)
Update 12/29/07
Motorola WS5000/WS5100 Wireless LAN Switch (v2.1.3)
Cheers!
NVR Audit data initialized
There have been a few folks asking me if I know what the following log entry means on their Nortel Ethernet Routing Switch 5500 Series: "NVR Audit data initialized - incorrect magic number: 0xffffffff".
I believe this is documented from Nortel as a bug in their latest software. The switch is throwing an error because the audit data (a new feature in the v5.x software line) is not present in the configuration or NVRAM the first time the switch boots after an upgrade to v5.x. This error could also occur if you've just factory reset your switch to the default configuration. I believe the error can be safely ignored as I've seen it on all 42 of my 5500 series switches.
I do remember seeing something about this error documented from Nortel, unfortunately I can't seem to find that reference now.
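A practical way to separate this message from log entries that do deserve attention is to parse the "show logging" output and apply the rule above mechanically. The following is an added example, not from the original post or from Nortel: it parses the two timestamp forms the switch uses (dd:hh:mm:ss uptime before SNTP has synced, an absolute GMT time afterwards), tolerates the optional Src column (assumed here to be the literal NVR, the only value that appears in the sample), flags every Serious/Critical entry, and treats the audit-init message as expected only when the magic number is 0xffffffff (erased NVRAM, the upgrade or factory-reset case). The sample lines are copied from the "show logging" output in this post.

```python
"""Parse Nortel ERS 'show logging' output and triage it.

Added example, not from the original post. Assumptions: the Type column is
C/S/I (Critical/Serious/Informational), the optional Src column is the
literal NVR, and an audit-init message whose magic number is 0xffffffff is
the erased-NVRAM case the post describes (first boot after a 5.x upgrade or
a factory reset); any other magic number is still flagged.
"""
import re
from datetime import datetime, timezone

LOG_RE = re.compile(
    r"^(?P<type>[CSI])\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}:\d{2}|\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} GMT)\s+"
    r"(?P<idx>\d+)\s+"
    r"(?:(?P<src>NVR)\s+)?"  # Src column is blank for volatile entries
    r"(?P<msg>\S.*?)\s*$"
)
AUDIT_RE = re.compile(r"Audit data initialized - incorrect magic number: 0x([0-9a-fA-F]+)")
ERASED_NVRAM = "ffffffff"

# Sample input: the show logging output from this post.
SAMPLE_LOG = """\
Type Time Idx Src Message
---- ----------------------- ---- --- -------
S 00:00:00:00 1 NVR SNTP: Could not sync to NTP servers.
S 2007-04-05 17:18:08 GMT 2 NVR SNTP: Could not sync to NTP servers.
S 2007-04-05 17:22:07 GMT 3 NVR Audit data initialized - incorrect magic number: 0xffffffff
I 2007-04-19 01:21:03 GMT 4 Web server starts service on port 80.
I 2007-04-19 01:21:19 GMT 5 IGMP: Unknown Multicast Filter disabled
I 2007-04-19 01:21:19 GMT 6 PoE Port Detection Status: Port 1 Status: Delivering Power
I 2007-04-19 01:21:22 GMT 7 PoE Port Detection Status: Port 35 Status: Delivering Power
I 2007-04-19 01:21:49 GMT 8 Port 0/47 reenabled by VLACP
I 2007-04-19 01:21:49 GMT 9 Port 0/48 reenabled by VLACP
I 2007-04-19 01:23:05 GMT 10 SNTP: First synchronization successful.
I 2007-04-19 01:23:18 GMT 11 Warm Start Trap
I 2007-04-19 01:23:19 GMT 12 Link Up Trap Port: 1
I 2007-04-19 01:23:20 GMT 13 Trap: pethPsePortOnOffNotification
I 2007-04-19 01:23:20 GMT 14 Trap: bsAdacPortConfigNotification for Port: 47, Config: Applied
"""


def parse_line(line):
    """One log line -> dict, or None for the header, the dashes and blanks."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["idx"] = int(rec["idx"])
    if rec["time"].endswith("GMT"):
        rec["when"] = datetime.strptime(
            rec["time"], "%Y-%m-%d %H:%M:%S GMT").replace(tzinfo=timezone.utc)
    else:
        rec["when"] = None  # dd:hh:mm:ss uptime: logged before the clock was set
    return rec


def parse_logging(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def triage(records):
    """Return the entries worth a look: every C/S entry except the expected
    erased-NVRAM audit message. Each returned record gains a 'reason'."""
    flagged = []
    for rec in records:
        if rec["type"] not in ("C", "S"):
            continue
        m = AUDIT_RE.search(rec["msg"])
        if m and m.group(1).lower() == ERASED_NVRAM:
            continue  # benign: first boot after upgrade or factory reset
        rec["reason"] = ("audit magic is not the erased-NVRAM pattern" if m
                         else "serious/critical entry")
        flagged.append(rec)
    return flagged


if __name__ == "__main__":
    for rec in triage(parse_logging(SAMPLE_LOG)):
        print(rec["type"], rec["idx"], rec["time"], rec["msg"], "->", rec["reason"])
```

Run against the sample, the two "Could not sync to NTP servers" entries are the only ones reported; the audit message drops out, but the same message with any other magic number would still be flagged, which is the distinction the post draws.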
ERS-5520#show logging
Type Time                    Idx Src Message
---- ----------------------- --- --- -------
S    00:00:00:00             1   NVR SNTP: Could not sync to NTP servers.
S    2007-04-05 17:18:08 GMT 2   NVR SNTP: Could not sync to NTP servers.
S    2007-04-05 17:22:07 GMT 3   NVR Audit data initialized - incorrect magic number: 0xffffffff
I    2007-04-19 01:21:03 GMT 4       Web server starts service on port 80.
I    2007-04-19 01:21:19 GMT 5       IGMP: Unknown Multicast Filter disabled
I    2007-04-19 01:21:19 GMT 6       PoE Port Detection Status: Port 1 Status: Delivering Power
I    2007-04-19 01:21:22 GMT 7       PoE Port Detection Status: Port 35 Status: Delivering Power
I    2007-04-19 01:21:49 GMT 8       Port 0/47 reenabled by VLACP
I    2007-04-19 01:21:49 GMT 9       Port 0/48 reenabled by VLACP
I    2007-04-19 01:23:05 GMT 10      SNTP: First synchronization successful.
I    2007-04-19 01:23:18 GMT 11      Warm Start Trap
I    2007-04-19 01:23:19 GMT 12      Link Up Trap Port: 1
I    2007-04-19 01:23:20 GMT 13      Trap: pethPsePortOnOffNotification
I    2007-04-19 01:23:20 GMT 14      Trap: bsAdacPortConfigNotification for Port: 47, Config: Applied
Cheers!
Sunday, November 25, 2007
Factory Reset Nortel Ethernet Switch
There can be times when you need to factory reset a switch. This can be done through the CLI, but if you've lost the switch password you'll need to follow a special process from the console. This process should work for any of the Ethernet Switches (450, 460, 470) and the Ethernet Routing Switches 2500 Series, 4500 Series and 5500 Series (5510, 5520, 5530). There is a different process to recover lost passwords on the Ethernet Routing Switch 1600 and 8600. Keep in mind that this is also all it takes for anyone with physical access to the console port to wipe the switch, so treat console access as equivalent to administrative access.
Follow these steps:
- Connect to the console port of the switch (9600,8,N,1)
- Reboot the switch.
- When the first line of the diagnostics tests is displayed, press CTRL-C. The system then displays a menu.
- Select option "i" to factory default the switch.
- Select option "a" to run the agent code.
Cheers!
Friday, November 23, 2007
Layer 3 Access Port Adoption
The release of v3.x software for the Motorola WS5100 and v1.x software for the Motorola RFS7000 finally supports the deployment of Layer 3 Access Ports (APs that can be deployed across a Layer 3 network, as opposed to those that can only be deployed across a Layer 2 network).
The latest release of firmware for the AP300 will first attempt to locate a wireless switch for adoption via a Layer 2 broadcast request. If it's unable to locate a wireless switch it will make a DHCP request for an IP address. If the DHCP response does not include option 189 (a string option) it will make a DNS request to try to locate the wireless switch.
So there are two ways the Access Port can locate the Wireless LAN Switch (WS5100/RFS7000) in Layer 3 mode:
- DHCP option 189
- DNS query
For the DNS method you create a DNS record (an alias is fine) which the AP resolves to find the switch. The default DNS name requested by an AP300 is "Symbol-CAPWAP-Address".
Neither lookup is authenticated: any DHCP server on the AP's subnet can hand out option 189, and whoever can answer the AP's DNS query for that name decides which switch it tries to adopt to. Protect the DHCP scope (DHCP snooping on the access switches) and that DNS record as carefully as the wireless switch itself.
You might also notice that the AP300 supports LLDP (802.1ab) if your Ethernet switch supports it.
Cheers!
Wednesday, November 21, 2007
Motorola Switch Password Recovery
If for whatever reason you've lost the Web UI or "admin" password your only recourse is to factory default the wireless switch. The built-in recovery login below wipes the configuration rather than revealing the password, but it does mean anyone with serial console access can reset the switch; secure the console port accordingly, and change the default "admin" password as soon as you log back in.
To access the switch using the password recovery username and password:
1. Connect a terminal (or PC running terminal emulation software) to the serial port on the front of the switch. At the login screen enter "cli" to start the normal login process.
2. Enter the password recovery username "restore" and the password recovery password "restoreDefaultPassword".
3. Press Y to delete the current configuration and reset to factory defaults.
The session looks like this:
WS5100
login: cli
User Access Verification
Username: restore
Password: restoreDefaultPassword
WARNING: This will wipe out the configuration (except license key) and user data under "flash:/" and reboot the device
Do you want to continue? (y/n):y
Once the switch has completed its reboot you should be able to log in with the default user ID of "admin" and the default password of "symbol". If you had previously backed up the configuration of the switch you can restore it now.
Tuesday, November 20, 2007
ERS 5520 Switch v5.1 Software
Nortel has just recently released v5.1 software for their Ethernet Routing Switch (ERS) 5500 Series.
There are some enhancements that affect how ADAC/LLDP function on the ERS 5520 switch. From the release notes:
IEEE 802.1ab and ADAC linkage
Nortel introduced the 802.1ab and Auto Detection Auto Configuration(ADAC) features to Release 5.0 to address converged applications. In Release 5.1, the functionality of 802.1ab and ADAC is combined: ADAC uses 802.1ab/LLDP as the detection mechanism to determine the identity of the attached device (that is, a Nortel IP phone that supports 802.1ab Media Endpoint Devices type, length, and value descriptions [MED TLV]). The Auto Configuration functionality of ADAC applies the configuration to the port.
Configurable using NNCLI, ACG, and Device Manager.
It looks like it will no longer be necessary to maintain the list of MAC prefixes for all Nortel Internet Telephones. If you recall from some of my previous posts, I needed to manually update the list of MAC prefixes used by my ERS 5520 switches in order to get many of my i2002/i2004 Internet Telephones detected properly. The default list of MAC prefixes usually didn't cover all the i2002/i2004/i2007/1140e Internet Telephones I had installed throughout my organization. In previous articles we enabled ADAC like so:
5520-48T-PWR (config)# adac voice-vlan 50
5520-48T-PWR (config)# adac op-mode tagged-frames
5520-48T-PWR (config)# adac uplink-port 48
5520-48T-PWR (config)# adac mac-range-table low-end 00:18:b0:00:00:00 high-end 00:18:b0:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:16:ca:00:00:00 high-end 00:16:ca:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:17:65:00:00:00 high-end 00:17:65:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:0a:e4:75:00:00 high-end 00:0a:e4:75:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:14:c2:00:00:00 high-end 00:14:c2:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:19:69:00:00:00 high-end 00:19:69:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:19:e1:00:00:00 high-end 00:19:e1:ff:ff:ff
5520-48T-PWR (config)# adac enable
I haven't actually tested this myself yet, but supposedly if LLDP detects an Internet Telephone it will pass that information to ADAC without the need to evaluate the device's MAC address.
Either way, detection is a convenience rather than an access control: a host that presents a MAC address inside one of those ranges, or that sends the LLDP-MED TLVs a phone would send, is placed on the voice VLAN just the same, so the voice VLAN still needs the same protection as any other user VLAN.
The 5.1 release also now supports the 1000Base-BX SFP. From the release notes:
BX SFP support
The 1000BASE-BX bidirectional SFPs provide Gigabit Ethernet connectivity over a single fiber.
Many customers have high density gigabit requirements, but lack the fiber density to deploy. BX SFPs helps alleviate this issue by allowing a single strand of fiber to facilitate communication.
Nortel introduces support for 1000BaseBX10 module with release 5.1. The modules are single fiber, bidirectional SFP transceivers. Two types of modules are available:
• 1310nm (BX10-U) transceiver
• 1490nm (BX10-D) transceiver
The 1000BaseBX10-D device is always connected to a 1000BaseBX10-U device with a single strand of standard single-mode fiber. The operating transmission range is up to 10 km. The fiber uses a GBIC LC connector on each end.
If the 1000BaseBX10-U is not connected to the 1000BaseBX10-D device, the signals are not received properly and the Link LED does not illuminate. You can configure BX SFP Support through the NNCLI, ACG, or Device Manager.
You can use 1000BASE-BX SFPs to double the number of your fiber links. For example, if you have 20 installed fiber pairs with 20 conventional ports connected, you can use 1000BASE-BX SFPs to expand to 40 ports, using the same fiber.
The long wavelength optical transceivers used in these models provide variable distance ranges using single mode fiber optic cabling.
Cheers!
Monday, November 19, 2007
WiFi Hotspot Portal
A few years ago I had a request to design a public WiFi hotspot portal for the patients and visitors within our five major facilities. I did a fair amount of research and found a number of interesting commercial and open-source solutions. Unfortunately none of them really filled our requirements or caught my fancy, so I embarked on building/coding our own solution using a wide array of open-source software that was already available. Since I was most familiar with Perl at the time I chose to code the solution using Perl and JavaScript (browser side), with Linux as the operating system of choice.
I needed to provide a public WiFi hotspot across our existing corporate wireless infrastructure at our five major sites. It obviously needed to be isolated from our internal network, it needed to be 100% automated (there were no resources available to support this offering) and it needed to work (there's a surprise requirement). We also needed to keep internal (corporate) laptops and wireless devices from connecting to the unencrypted network and circumventing current Internet access policies.
Because of security concerns I decided to only allow HTTP (TCP 80) and HTTPS (TCP 443) traffic from the public wireless network. I also tabled any ideas of content/URL filtering from the original design. Instead we would rely on Blue Coat ProxySG/ProxyAV appliances and Websense to perform content filtering and AV scanning of the traffic in a later upgrade.
How did we do it?
We carved out an ESSID ("public") from our Motorola Wireless LAN infrastructure at each facility. We set up the wireless network without any encryption or security so as to minimize any end-user difficulties in connecting to the wireless network. We took CentOS and built a WiFi portal server/gateway/firewall/router on an HP ProLiant DL360. We essentially turned our Linux server into a cheap and very efficient firewall/gateway for the WiFi Hotspot. We connected one NIC of the Linux server to the wireless WLAN and the other to our internal network. This allowed us to use the Linux server to provide IP addresses to the wireless devices through DHCP. It also allowed us to have the Linux server provide DNS for name resolution. And most importantly it allowed us to use iptables to provide firewalling between the wireless network and our internal network. This solution also allowed us to implement bandwidth shaping/throttling to prevent the public WiFi Hotspot users from utilizing too much of our Internet link (DS-3 ~ 45Mbps).
Once a device associates with the wireless network the Linux portal server will issue the device a DHCP address from the 192.168.16.0/20 network. When the user opens their web browser they will be redirected to the Linux portal web server and the registration page as it appears below:
Once the user clicks on the "I AGREE" button the Linux server will kick off the "register.pl" script to check the IP/MAC address and decide if they should be granted access. If they are granted access they will be redirected to our Internet homepage, after which they'll be free to surf to any URL. If the user is denied access they will be directed to an error page.
It is also possible that the user may attempt to register multiple times because their web browser cached the portal page as if it were the content of a legitimate Internet website. Example: A user opens their web browser to www.cnn.com and is greeted with the portal page. The user registers and is then redirected to www.acme.org. The user then types www.cnn.com back into the browser address bar, but instead of getting the legitimate content for the CNN website the user is greeted again by the portal page. The user, not knowing any better, clicks the "I AGREE" button for the second time in as many minutes. Previously this problem would have gone on and on; now the system will detect that the user is already registered and will throw an error alerting the user to "refresh" their web browser. In order to refresh the browser the user should just type in the URL of the website they are attempting to visit and click "Go" (or hit "Enter"). If they are greeted with the portal page they should click the "refresh" button on the browser button bar. That will instruct the web browser to ignore any cached content and retrieve all the data directly from the source website.
Every night at midnight the firewall rules are reset to the defaults, requiring anyone who wishes to access the WiFi Hotspot to agree to the AUP again. This is done to prevent folks from continually sitting/camping on the WiFi Hotspot.
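The admission logic described above (look up the client's MAC from its IP, refuse corporate devices on the blacklist mentioned later in the post, detect a repeat registration, open the firewall for that one client, and tear everything down at midnight) can be sketched in a few functions. This is an added example, not the author's register.pl or Bash script: the chain names HOTSPOT_NAT and HOTSPOT_FWD, the portal port 8080, the ARP snapshot and the blacklist contents are all hypothetical, and the iptables rules are returned as argv lists rather than executed so the decision logic can be exercised offline.

```python
"""Captive-portal admission check and iptables rule generation.

Added example, not the author's register.pl. Hypothetical assumptions: the
hotspot subnet is 192.168.16.0/20 as in the post; at boot the gateway created
HOTSPOT_NAT (nat table, PREROUTING jumps to it, last rule REDIRECTs TCP/80 to
the portal on 8080) and HOTSPOT_FWD (filter table, FORWARD jumps to it, last
rule DROPs); DHCP and DNS are served by the gateway itself (INPUT chain), so
they are outside these chains. Admitting a client inserts rules keyed on its
IP *and* MAC ahead of those catch-all rules.
"""
import ipaddress
import re

HOTSPOT_NET = ipaddress.ip_network("192.168.16.0/20")
PORTAL_PORT = "8080"
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample data: a /proc/net/arp snapshot from the WLAN interface
# and a blacklist file (OUI prefixes or full MACs, '#' starts a comment).
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.16.50    0x1         0x2         00:1a:2b:3c:4d:5e     *        eth1
192.168.16.51    0x1         0x2         00:16:CF:11:22:33     *        eth1
192.168.16.52    0x1         0x0         00:00:00:00:00:00     *        eth1
"""
SAMPLE_BLACKLIST = """\
# corporate laptop wireless cards (hypothetical OUI)
00:16:cf
# one specific handheld
00:aa:bb:cc:dd:ee
"""


def normalize_mac(mac):
    """Lower-case colon form so comparisons are exact; accepts 00-1A-.. and 001a.2b3c.4d5e."""
    m = mac.strip().lower().replace("-", ":").replace(".", "")
    if len(m) == 12:
        m = ":".join(m[i:i + 2] for i in range(0, 12, 2))
    if not MAC_RE.match(m):
        raise ValueError("bad MAC: %r" % mac)
    return m


def load_blacklist(text):
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().replace("-", ":")
        if line:
            entries.add(line)
    return entries


def is_blacklisted(mac, blacklist):
    mac = normalize_mac(mac)
    return mac in blacklist or mac[:8] in blacklist  # full MAC or OUI prefix


def mac_for_ip(arp_text, ip):
    """MAC the kernel holds for the client, or None when there is no complete
    neighbour entry (flags 0x2), i.e. the request did not arrive from the WLAN."""
    for line in arp_text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 4 and f[0] == ip and f[2] == "0x2":
            return normalize_mac(f[3])
    return None


def decide(ip, arp_text, blacklist, registered):
    """(verdict, detail): 'allow' or 'already' with the MAC (the latter means
    tell the user to refresh and add no second rule), or 'deny' with a reason."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "deny", "malformed address"
    if addr not in HOTSPOT_NET:
        return "deny", "address not in hotspot range"
    mac = mac_for_ip(arp_text, ip)
    if mac is None:
        return "deny", "no ARP entry for client"
    if is_blacklisted(mac, blacklist):
        return "deny", "corporate device"
    if (ip, mac) in registered:
        return "already", mac
    return "allow", mac


def admit_rules(ip, mac):
    """iptables argv lists to run (e.g. via subprocess) for an allowed client.
    Both rules match IP and MAC, so reusing a registered IP alone is not enough."""
    mac = normalize_mac(mac)
    return [
        ["iptables", "-t", "nat", "-I", "HOTSPOT_NAT", "1", "-s", ip,
         "-m", "mac", "--mac-source", mac, "-j", "RETURN"],
        ["iptables", "-I", "HOTSPOT_FWD", "1", "-s", ip,
         "-m", "mac", "--mac-source", mac, "-p", "tcp",
         "-m", "multiport", "--dports", "80,443", "-j", "ACCEPT"],
    ]


def nightly_reset_rules():
    """Midnight cron job: flush both chains and re-create the catch-alls so
    every client has to accept the AUP again."""
    return [
        ["iptables", "-t", "nat", "-F", "HOTSPOT_NAT"],
        ["iptables", "-t", "nat", "-A", "HOTSPOT_NAT", "-p", "tcp", "--dport", "80",
         "-j", "REDIRECT", "--to-ports", PORTAL_PORT],
        ["iptables", "-F", "HOTSPOT_FWD"],
        ["iptables", "-A", "HOTSPOT_FWD", "-j", "DROP"],
    ]
```

Keying both rules on IP and MAC means a client cannot inherit access just by taking over a registered address, but on an open network both can be cloned from the air, so a second station can still piggy-back on a registered one until the midnight reset; that time bound and the 80/443-only forwarding policy are what limit the exposure.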
Initially I thought we might be able to use a VPN or GRE tunnel to connect the five public WLANs to a single Linux server. Unfortunately I was a little ahead of the times and VPN/GRE tunnels were just starting to be supported in the various wireless switches (Motorola in this case). So I decided to take an easier approach and installed five HP ProLiant DL360 servers, one for each site.
I'm very happy to report that the solution works very well and virtually supports itself.
The only issue that we've seen is the need to continually update the blacklist file to keep corporate wireless devices from connecting to the public network. Thankfully I've written a small Bash Shell script to help with that process.
I hope to write a more detailed account of how to set this up on my website sometime in the future. If you're interested in hearing more or have questions please drop me a line.
Cheers!
Thursday, November 15, 2007
WS5100 v1.x to v2.1 Upgrade
The purpose of this post is to outline how to upgrade a Symbol WS5x00 Wireless LAN switch. In the example provided we will upgrade a switch running v1.4.3.0-R12 to v2.1.1. This is a major upgrade in that it literally replaces the core operating system with Linux. The upgrade is done in two steps: first you upgrade to v2.1.0, then you upgrade to v2.1.1.
You'll be using the CLI to perform the upgrade; there will be no need for the Java web GUI until after the upgrade is complete. Note that telnet, FTP and TFTP all carry the credentials and the images in the clear, so do this from a management segment you trust.
When prompted for the "user name" use "cli". When prompted for the "userid" use the default of "admin" and "symbol" as the password.
[root@madmax ~]# telnet sw16r-wireless.tlh.acme.org
Trying 10.115.255.253...
Connected to sw16r-wireless.tlh.acme.org (10.115.255.253).
Escape character is '^]'.
user name: cli
Symbol Wireless Switch WS 5000 Series.
Please enter your username and password to access the Command Line Interface.
userid: admin
password: *********
Retrieving user and system information...
Setting user permissions flags..
Checking KDC access permissions...
Welcome...
Creating the Event list...
System information...
System Name : sw16r-wireless
Description : WS5000 Wireless Network
Switch Location : Data Center
Software Ver. : 1.4.3.0-012R
Licensed to : Symbol Technologies
Copyright : Copyright (c) 2000-2005. All rights reserved.
Serial Number : 00A0F865B362
Number of Licenses : 0
Max Access Ports : 30
Max Mobile Clients : 4096
Active Switch Policy : Wireless Switch Policy
Emergency Switch Policy : Not defined
Switch Uptime : 35d:23h:41m
# of Unassigned Access Ports : 0
sw16r-wireless>
It's advised to start out by backing up the switch configuration and then uploading that configuration to the TFTP server on the network. You'll first need to delete the existing configuration file. (If the switch is a standby switch there is no need to back up the configuration file.)
sw16r-wireless> del sw16-wireless.cfg
Removing sw16-wireless.cfg.... done.
sw16r-wireless> save configuration sw16-wireless.cfg
Saving running configuration in: sw16-wireless.cfg
Saving wireless network management configuration...
Configuration saved successfully.
sw16r-wireless> copy sw16-wireless.cfg tftp://10.101.20.1/sw16-wireless-tlh.cfg
Copying 'sw16-wireless-tlh.cfg' from Switch to tftp://10.101.20.1...
File: sw16-wireless-tlh.cfg copied successfully to 10.101.20.1
Once you've backed up the switch configuration you need to make room for the new image. Delete all the files from the flash memory using the "dir" and "del" commands.
sw16r-wireless> dir
Date & Time Bytes File Name
Mar 29 2005 15480 WS5000Defaults_v1.4.1.0-014R.cfg
Jan 24 10:46 19591051 WS5000_v1.4.3.0-012R.sys.img
Jan 24 10:48 16138 WS5K_v1.4.1.0-014R-Upg.cfg
Oct 3 2005 6517 cmd_template.sym
Oct 3 07:22 17345 sw16-wireless-tlh.cfg
sw16r-wireless> del WS5000Defaults_v1.4.1.0-014R.cfg
Removing WS5000Defaults_v1.4.1.0-014R.cfg.... done.
sw16r-wireless> del WS5000_v1.4.3.0-012R.sys.img
Removing WS5000_v1.4.3.0-012R.sys.img.... done.
sw16r-wireless> del WS5K_v1.4.1.0-014R-Upg.cfg
Removing WS5K_v1.4.1.0-014R-Upg.cfg.... done.
sw16r-wireless> del cmd_template.sym
Removing cmd_template.sym.... done.
sw16r-wireless> del sw16-wireless-tlh.cfg
Removing sw16-wireless-tlh.cfg.... done.
Now you can go ahead and download the new system image and accompanying files via FTP. I've already placed the system image on the FTP server. The following files will need to be downloaded from the FTP server (10.101.20.1): WS5000_v2.1.0.0-029R.sys.kdi, dominfo, PreUpgradeScript and WS5k_domfix.cfg. You can confirm that each file was copied down by listing the directory contents with "dir".
sw16r-wireless> copy ftp system -u mcnamm
Enter the file name to be copied from FTP server : PreUpgradeScript
IP address of the FTP server : 10.101.20.1
Enter the user password : **********
Copying 'PreUpgradeScript' from ftp://10.101.20.1 to Switch...
Data connection mode : BINARY (Connecting as 'mcnamm')
Status : Transfer completed successfully
19633 bytes received in 0.0098 seconds (2e+03 Kbytes/s)
/bin/dedos: line 69: syntax error near unexpected token `dir'
/bin/dedos: line 69: `dedos -R# recursive from dir'
sw16r-wireless> copy ftp system -u mcnamm
Enter the file name to be copied from FTP server : dominfo
IP address of the FTP server : 10.101.20.1
Enter the user password : **********
Copying 'dominfo' from ftp://10.101.20.1 to Switch...
Data connection mode : BINARY (Connecting as 'mcnamm')
Status : Transfer completed successfully
48346 bytes received in 0.015 seconds (3.2e+03 Kbytes/s)
sw16r-wireless> copy ftp system -u mcnamm
Enter the file name to be copied from FTP server : WS5k_domfix.cfg
IP address of the FTP server : 10.101.20.1
Enter the user password : **********
Copying 'WS5k_domfix.cfg' from ftp://10.101.20.1 to Switch...
Data connection mode : BINARY (Connecting as 'mcnamm')
Status : Transfer completed successfully
1410387 bytes received in 0.15 seconds (9.5e+03 Kbytes/s)
Verifying configuration file...
Valid configuration file. Completing verification.
sw16r-wireless> copy ftp system -u mcnamm
Enter the file name to be copied from FTP server : WS5000_v2.1.0.0-029R.sys.kdi
IP address of the FTP server : 10.101.20.1
Enter the user password : **********
Copying 'WS5000_v2.1.0.0-029R.sys.kdi' from ftp://10.101.20.1 to Switch...
Data connection mode : BINARY (Connecting as 'mcnamm')
Status : Transfer completed successfully
39661568 bytes received in 22 seconds (1.8e+03 Kbytes/s)
sw16r-wireless> dir
Date & Time Bytes File Name
Oct 3 07:28 19633 PreUpgradeScript
Oct 3 07:29 39661568 WS5000_v2.1.0.0-029R.sys.kdi
Oct 3 07:28 1410387 WS5k_domfix.cfg
Oct 3 07:28 48346 dominfo
sw16r-wireless>
The next step is to execute the PreUpgradeScript and check that there is adequate space for the upgrade. You'll need to enter "service mode" to execute the following commands; you do that with the command "service". The password may be either "password" or the switch admin password. It may be necessary (with the Wireless LAN Switch 5000) to run "PreUpgradeScript freemem" prior to downloading the WS5000_v2.1.0.0-029R.sys.kdi image, since the 5000 switches only have 128MB of flash space available.
sw16r-wireless> service
Enter CLI Service Mode password: ********
Enabling CLI Service Mode commands...... done.
SM-sw16r-wireless> launch -c chmod +x /image/PreUpgradeScript
SM-sw16r-wireless> launch -c /image/PreUpgradeScript freemem
PreUpgradeScript : freemem - computing Free memory
DOM firmware upgrade will NOT be performed
Finding out the Free Space Needed ... !!
Total Free Space on the System: 148 (in MB)
OK. Required space to do the upgrade exists .. !!
If you receive the "OK" you can go ahead with the upgrade.
SM-sw16r-wireless> launch -c /image/PreUpgradeScript upgrade
PreUpgradeScript : upgrade - upgrading the system
Deciding on DOM firmware upgrade, based on switch platform
This is a butterfly 1.4.x series switch
This is WS5100 switch, no need for firmware upgrade
Verifying checksum for : dominfo
Checksum verification for dominfo : passed
Showing details of DOM
Model Number______________________: Kouwell DOM
Serial Number_____________________: HyFlash 00004020
Controller Revision Number________: 14/05/02
Able to do Double Word Transfer___: No
Controller buffer size (bytes)____: 512
Transfer Speed____________________: > 10 Mbit/sec
Drive Type________________________: Removable
IORDY Supported___________________: No
Can IORDY be disabled by device___: No
LBA Mode supported________________: Yes
DMA Supported_____________________: No
Number of ECC bytes transferred___: 4
Number of sectors per interrupt___: 1
Number of Cylinders_______________: 980
Number of Heads___________________: 16
Number of Sectors per Track_______: 32
Enter the Image Name: WS5000_v2.1.0.0-029R.sys.kdi
Verifying Image Checksum
Image Checksum Verification Passed
Saving the Configuration before upgrading
Saving wireless network management configuration...
Configuration saved successfully.
Creating the configuration tar
tar: Removing leading / from absolute path names in the archive.
image/upgrade.cfg
Copying the image
Rebooting the system
Shutting down snmpd agent.....done.
Shutting down apache server...done.
Shutting down cell controller.......done.
Shutting down database main thread...done.
Rebooting the switch...
Connection closed by foreign host.
Now you'll need to wait; it should take between 5 and 10 minutes for the switch to upgrade and reboot. After the switch has rebooted you can re-establish your telnet session and perform the second step, copying the v2.1.1 image over by TFTP and restoring the system from it:
[root@linux ~]# telnet sw16r-wireless.tlh.acme.org
Trying 10.115.255.253...
Connected to sw16r-wireless.tlh.acme.org (10.115.255.253).
Escape character is '^]'.
=========== WS5000 Switch ===========
Copyright(c) Symbol Technologies, Inc. 2005.
All rights reserved.
user name: cli
Symbol Wireless Switch WS 5000 Series.
Please enter your username and password to access the Command Line Interface.
userid: admin
password: *********
Retrieving user and system information...
Setting user permissions flags..
Checking KDC access permissions...
Welcome...
Creating the Event list...
System information...
System Name : sw16r-wireless
Description : WS5000 Wireless Network
Switch Location : Data Center
Software Ver. : 2.1.0.0-029R
Licensed to : Symbol Technologies
Copyright : Copyright (c) 2000-2005. All rights reserved.
Serial Number : 00A0F865B362
Number of Licenses : 0
Max Access Ports : 30
Max Mobile Clients : 4096
MU Idle Timeout value : 1800 seconds
Active Switch Policy : Wireless Switch Policy
Emergency Switch Policy : Not defined
Switch Uptime : 00d:00h:03m
Global RF stats : Disabled
# of Unassigned Access Ports : 0
CLI AutoInstall Status : Enabled
sw16r-wireless> copy tftp system
Enter the file name to be copied from TFTP server : WS5000_v2.1.1.0-006R.sys.img
IP address of the TFTP server : 10.101.20.1
Copying 'WS5000_v2.1.1.0-006R.sys.img' from tftp://10.101.20.1 to Switch...
File: WS5000_v2.1.1.0-006R.sys.img copied successfully from 10.101.20.1
Verifying imagefile...
Valid imagefile. Completing verification.
sw16r-wireless> restore system WS5000_v2.1.1.0-006R.sys.img
This command will reset the system and boot up with the new restored image.
Do you want to continue (yes/no) : yes
Restoring system image and configuration from WS5000_v2.1.1.0-006R.sys.img
It might take a few minutes.......
Saving wireless network management configuration...
Configuration saved successfully.
Stopping Postgres database.. done
Creating Default Configuration file for 2.1.1.0-006R..
Rebooting the switch...
Shutting down dhcp daemon.. done
Shutting down apache server in the SSL mode...done.
Cell controller not running.
Shutting down Postgres....done.
Connection closed by foreign host.
You're all done.
The only issue I’ve discovered is that you need to re-configure the SNMP community string and TIMEZONE on any upgraded switch.
Enjoy.
Wednesday, November 14, 2007
WS5100 v1.x,v2.x Standby Switch
Motorola's WS5000/WS5100 Wireless LAN Switches (v1.x/2.x software) allow you to provision a standby backup switch that takes over for the primary if some problem affects the primary Wireless LAN switch. This is an active/passive solution: the primary is active while the standby listens for heartbeats from the primary. If the standby stops receiving the heartbeats from the primary switch it will switch to active mode, adopt the Access Ports and start providing service to the mobile units.
First we’ll telnet into the primary switch (sw16-wireless.reh.acme.org) and backup its configuration copying it up to the TFTP server. Second we’ll telnet into the standby switch (sw16r-wireless.reh.acme.org) and then download the primary switch configuration via TFTP and then restore the configuration into the system.
Let’s start with the primary switch;
[root@linux root]# telnet sw16-wireless.reh.acme.orgWhen prompted for the “user name” use “cli".
Trying 10.115.255.12...
Connected to sw16-wireless.reh.acme.org (10.115.255.12).
Escape character is '^]'.
user name:cliWhen prompted for the “userid” use defaults of “admin” and "symbol" for the password.
Symbol Wireless Switch WS 5000 Series.
Please enter your username and password to access the Command Line Interface.
userid: adminLet’s start out by backing up the switch configuration;
password: *********
Retrieving user and system information...
Setting user permissions flags..
Checking KDC access permissions...
Welcome...
Creating the Event list...
System information...
System Name : sw16-wireless.reh.acme.org
Description : WS5000 Wireless Network
Switch Location : Data Center
Software Ver. : 1.4.0.0-026R
Licensed to : Symbol Technologies
Copyright : Copyright (c) 2000-2005. All rights reserved.
Serial Number : 00A0F8658FC0
Number of Licenses : 30
Max Access Ports : 30
Max Mobile Clients : 4096
Active Switch Policy : Wireless Switch Policy
Emergency Switch Policy : Not defined
Switch Uptime : 00d:01h:01m
# of Unassigned Access Ports : 0
sw16-wireless.reh.acme.org>
sw16-wireless.reh.acme.org> save configuration sw16-wireless-reh.cfgLet’s make sure the configuration file can be found on the file system;
Saving running configuration in: sw16-wireless-reh.cfg
Saving wireless network management configuration ...
sw16-wireless.reh.acme.org> dirLet’s upload that configuration to the TFTP server (10.101.20.1) on the network;
Date & Time Bytes File Name
Jan 25 18:11 15155 WS5000Defaults_v1.4.0.0-026R.cfg
Jan 25 18:35 18819400 WS5000_v1.4.0.0-026R.sys.img
Jan 25 17:05 6517 cmd_template.sym
Mar 28 12:24 16878 sw16-wireless-reh.cfg
sw16-wireless-reh.acme.org> copy sw16-wireless-reh.cfg tftp://10.101.20.1/sw16-wireless-reh.cfg
Copying 'sw16-wireless-reh.cfg' from Switch to tftp://10.101.20.1...
File: sw16-wireless-reh.cfg copied successfully to 10.101.20.1
sw16-wireless.reh.acme.org>The configuration file is now successfully on the TFTP server. We can now turn our attention to the standby switch. Let’s start by telneting into that switch (sw16r-wireless.reh.acme.org);
[root@linux root]# telnet sw16r-wireless.reh.acme.orgAfter we’re logged into the standby switch lets copy the primary switch configuration by TFTP;
Trying 10.115.255.13...
Connected to sw16r-wireless.reh.acme.org (10.115.255.13).
Escape character is '^]'.
user name:cli
Symbol Wireless Switch WS 5000 Series.
Please enter your username and password to access the Command Line Interface.
userid: admin
password: *********
Retrieving user and system information...
Setting user permissions flags..
Checking KDC access permissions...
Welcome...
Creating the Event list...
System information...
System Name : sw16r-wireless
Description : WS5000 Wireless Network
Switch Location : Data Center
Software Ver. : 1.4.0.0-026R
Licensed to : Symbol Technologies
Copyright : Copyright (c) 2000-2005. All rights reserved.
Serial Number : 00A0F8658FC8
Number of Licenses : 0
Max Access Ports : 0
Max Mobile Clients : 4096
Active Switch Policy : Wireless Switch Policy
Emergency Switch Policy : Not defined
Switch Uptime : 00d:00h:11m
# of Unassigned Access Ports : 0
sw16r-wireless>
sw16r-wireless.reh.acme.org> copy tftp systemLet’s just confirm that the configuration file appears on the file system;
Enter the file name to be copied from TFTP server : sw16-wireless-reh.cfg
Copying 'sw16-wireless-reh.cfg' from tftp://10.101.20.1 to Switch...
File: sw16-wireless-reh.cfg copied successfully from 10.101.20.1
Verifying configuration file...
Valid configuration. Completing verification.
sw16r-wireless.reh.acme.org> dirLet’s go ahead and restore the standby switch configuration from the primary switch configuration file;
Date & Time Bytes File Name
Jan 25 15:11 15155 WS5000Defaults_v1.4.0.0-026R.cfg
Jan 25 15:35 18819400 WS5000_v1.4.0.0-026R.sys.img
Jan 25 14:05 6517 cmd_template.sym
Mar 28 01:35 16878 sw16-wireless-reh.cfg
sw15r-wireless.reh.acme.org> restore standby sw15-wireless-reh.cfg
This command will reset the system and boot up with the new configuration.
Do you want to continue (yes/no) : yes
Restoring Stand By configuration from sw15-wireless-reh.cfg
Do you want to change Interface 1 static IP address(10.115.254.11)?
Creating the Event list...
Enter (yes/no) : no
INFO: Static IP address not changed.
Do you want to change Interface 2 static IP address(10.115.255.11)?
Creating the Event list...
Enter (yes/no) : no
INFO: Static IP address not changed.
Shutting down database main thread...done.
Rebooting the switch...
Connection closed by foreign host.
The standby switch should reboot at this point and should retain its original IP addressing. There is one last step required to make the standby switch a “hot” standby. The standby feature must be configured and enabled on both the primary and standby switches. The order in which you enable the standby feature is critical, so start on the standby switch by issuing the following commands;
sw16r-wireless.reh.acme.org> configure
sw16r-wireless.reh.acme.org.(Cfg)> standby
sw16r-wireless.(Cfg).StandBy> set autorevert enable
Configuring Standby....
Status : Success.
Standby Management:
StandBy mode : Standby
Standby Status : Disable
State : Startup
Failover Reason :
Standby Connectivity status : Not Connected
Standby AutoRevert Mode : Enable
Standby AutoRevert Delay : 15 Minutes
Interface (Ethernet) 1
----------------------
StandBy Heart-Beat MAC : Auto Discovery Enabled
Heart-Beat status : Enable
Received Heart-Beat : No
Interface (Ethernet) 2
----------------------
StandBy Heart-Beat MAC : Auto Discovery Enabled
Heart-Beat status : Disable
Received Heart-Beat : No
sw16r-wireless.(Cfg).StandBy> enable
Enabling...
Status : Success.
Standby Management:
StandBy mode : Standby
Standby Status : Enable
State : Startup
Failover Reason :
Standby Connectivity status : Not Connected
Standby AutoRevert Mode : Enable
Standby AutoRevert Delay : 15 Minutes
Interface (Ethernet) 1
----------------------
StandBy Heart-Beat MAC : Auto Discovery Enabled
Heart-Beat status : Enable
Received Heart-Beat : No
Interface (Ethernet) 2
----------------------
StandBy Heart-Beat MAC : Auto Discovery Enabled
Heart-Beat status : Disable
Received Heart-Beat : No
With the standby configured properly go ahead and issue the following commands on the primary;
sw16-wireless.reh.acme.org> configure
sw16-wireless.reh.acme.org.(Cfg)> standby
sw16-wireless.reh.acme.org.(Cfg).StandBy> set autorevert enable
Configuring Standby....
Status : Success.
Standby Management:
StandBy mode : Primary
Standby Status : Disable
State : Startup
Failover Reason :
Standby Connectivity status : Not Connected
Standby AutoRevert Mode : Enable
Standby AutoRevert Delay : 15 Minutes
Interface (Ethernet) 1
----------------------
StandBy Heart-Beat MAC : Auto Discovery Enabled
Heart-Beat status : Enable
Received Heart-Beat : No
Interface (Ethernet) 2
----------------------
StandBy Heart-Beat MAC : Auto Discovery Enabled
Heart-Beat status : Disable
Received Heart-Beat : No
sw16-wireless.reh.acme.org.(Cfg).StandBy> enable
Enabling...
Status : Success.
Standby Management:
StandBy mode : Primary
Standby Status : Enable
State : Find standby
Failover Reason :
Standby Connectivity status : Not Connected
Standby AutoRevert Mode : Enable
Standby AutoRevert Delay : 15 Minutes
Interface (Ethernet) 1
----------------------
StandBy Heart-Beat MAC : Auto Discovery Enabled
Heart-Beat status : Enable
Received Heart-Beat : No
Interface (Ethernet) 2
----------------------
StandBy Heart-Beat MAC : Auto Discovery Enabled
Heart-Beat status : Disable
Received Heart-Beat : No
Then confirm that the primary has connected with the standby switch by issuing the following command and confirm that the “Standby Status” is “Enable” and that the “State” is “Connected”;
sw16-wireless.reh.acme.org.(Cfg).StandBy> show
Standby Management:
StandBy mode : Primary
Standby Status : Enable
State : Connected
Failover Reason :
Standby Connectivity status : Connected
Standby AutoRevert Mode : Enable
Standby AutoRevert Delay : 15 Minutes
Interface (Ethernet) 1
----------------------
StandBy Heart-Beat MAC : Auto Discovery Enabled
Heart-Beat status : Enable
Received Heart-Beat : Yes
Interface (Ethernet) 2
----------------------
StandBy Heart-Beat MAC : Auto Discovery Enabled
Heart-Beat status : Disable
Received Heart-Beat : No
sw16-wireless.reh.acme.org.(Cfg).StandBy>
That’s all folks.
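The final confirmation step, done programmatically, as an added example that is not part of the original post: it parses the `show` output from the StandBy context and lists every field that differs from a connected hot-standby pair, so the check can be scripted across many switch pairs. The sample output is the primary's final `show` from the transcript above.

```python
import re

# "show" output in the StandBy context, copied from the final transcript above
# (primary switch after the standby has connected).
SHOW_OUTPUT = """\
Standby Management:
StandBy mode : Primary
Standby Status : Enable
State : Connected
Failover Reason :
Standby Connectivity status : Connected
Standby AutoRevert Mode : Enable
Standby AutoRevert Delay : 15 Minutes
Interface (Ethernet) 1
----------------------
StandBy Heart-Beat MAC : Auto Discovery Enabled
Heart-Beat status : Enable
Received Heart-Beat : Yes
Interface (Ethernet) 2
----------------------
StandBy Heart-Beat MAC : Auto Discovery Enabled
Heart-Beat status : Disable
Received Heart-Beat : No
"""
FIELD = re.compile(r"^(.+?)\s+:\s*(.*)$")        # "Key : Value", value may be empty
IFACE = re.compile(r"^Interface \(Ethernet\) (\d+)$")

def parse_standby(text):
    """Return the global fields plus one dict per Ethernet interface."""
    parsed = {"interfaces": {}}
    section = parsed                              # where the next fields land
    for line in text.splitlines():
        line = line.strip()
        if m := IFACE.match(line):
            section = parsed["interfaces"].setdefault(int(m.group(1)), {})
        elif m := FIELD.match(line):
            section[m.group(1)] = m.group(2).strip()
    return parsed

def standby_problems(parsed, expect_mode):
    """List the checks a hot standby pair fails; empty means the pair is good."""
    wanted = {"StandBy mode": expect_mode, "Standby Status": "Enable",
              "State": "Connected", "Standby Connectivity status": "Connected"}
    problems = [f"{k}: expected {v!r}, got {parsed.get(k)!r}"
                for k, v in wanted.items() if parsed.get(k) != v]
    # An interface that sends heart-beats must also be hearing the peer's.
    for num, iface in sorted(parsed["interfaces"].items()):
        if iface.get("Heart-Beat status") == "Enable" and iface.get("Received Heart-Beat") != "Yes":
            problems.append(f"Interface {num}: heart-beat enabled but none received")
    return problems
```

Run it against the standby switch with `expect_mode="Standby"`; the earlier `Find standby` / `Not Connected` outputs in the transcript would each come back with problems listed.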
Saturday, November 10, 2007
Time Domain Reflectometer (TDR)
We have quite a few Nortel Ethernet Routing Switch 5500s deployed throughout our organization. There's a great new benefit in using the new hardware to help us test the cable plant remotely.
Here’s the text from the Nortel manual;
Testing cables with the Time Domain Reflectometer
With Release 5.0 software, the Nortel Ethernet Routing Switch 5500 Series is equipped with a Time Domain Reflectometer (TDR). The TDR provides a diagnostic capability to test connected cables for defects (such as short pin and pin open). You can obtain TDR test results from the CLI or the JDM. The cable diagnostic tests only apply to Ethernet copper ports; fiber ports cannot be tested. You can initiate a test on multiple ports at the same time. When you test a cable with the TDR, if the cable has a 10/100 MB/s link, the link is broken during the test and restored only when the test is complete. Use of the TDR does not affect 1 GB/s links.
Note: The accuracy margin of cable length diagnosis is between three to five meters. Nortel suggests the shortest cable for length information be five meters long.
Unfortunately this feature is ONLY available on the 5510, 5520 and 5530 switches.
Using Device Manager you’ll find the option on the port settings (a tab to the right labeled “TDR”). You can also use the following CLI commands;
tdr test <portlist>
show tdr <portlist>
Wednesday, November 7, 2007
WS5100 v3.x Getting Started
The following document is provided as a basic guide on how to configure the Motorola WS5100 Wireless LAN Switch with release 3.x software. You should use the initial username of “cli” at the login prompt. At the username/password prompts you should use “admin” and “superuser” respectively.
You should connect to the console port with a null-modem serial cable at 19200,8,N,1.
The example below will configure Ethernet 2 as a trunk port with the management interface in VLAN 200 (10.107.255.199/24) and the default gateway as 10.107.255.1. The order of the commands is very important when you start to trunk the interface.
Please press Enter to activate this console.
WS5100 release 3.0.3.0-003R
Login as 'cli' to access CLI.
WS5100 login: cli
User Access Verification
Username: admin
Password: *********
Welcome to CLI
WS5100>
WS5100> enable
WS5100# configure terminal
WS5100(config)# interface eth2
WS5100(config-if)# switchport mode trunk
WS5100(config-if)# switchport trunk native vlan 200
WS5100(config-if)# switchport trunk native tagged
WS5100(config-if)# switchport trunk allowed vlan none
WS5100(config-if)# switchport trunk allowed vlan add 200
WS5100(config-if)# exit
WS5100(config)# interface vlan 200
WS5100(config-if)# ip address 10.107.255.199/24
WS5100(config-if)# management
WS5100(config-if)# exit
WS5100(config)# interface vlan 1
WS5100(config-if)# no ip address
WS5100(config-if)# shutdown
WS5100(config-if)# exit
WS5100(config)# ip default-gateway 10.107.255.1
WS5100(config)# end
WS5100# write memory
Once you've completed those steps you should be able to ping the device. At that point you can connect to the web based console to complete the configuration.
https://10.107.255.199
You should of course substitute the IP addresses above with your own addresses.
Cheers!
802.11 Disassociation Codes
These codes can be extremely useful in troubleshooting wireless issues.
| Value | 802.11 or Symbol/WPA Reason Code | Description |
|---|---|---|
| 0 | REASON_CODE_80211_SUCCESS | Reserved internally to indicate success |
| 1 | REASON_CODE_80211_UNSPECIFIED_ERROR | Unspecified Reason |
| 3 | DISASSOCIATION_REASON_CODE_STATION_LEAVING_ESS | Deauthenticated because sending station has left or is leaving IBSS or ESS |
| 4 | DISASSOCIATION_REASON_CODE_INACTIVITY | Disassociated due to inactivity |
| 5 | DISASSOCIATION_REASON_CODE_STATION_LIMIT_EXCEEDED | Disassociated because AP is unable to handle all currently associated stations |
| 6 | DISASSOCIATION_REASON_CODE_CLASS_2_PKT_FROM_NON_AUTH | Class 2 frame received from non-authenticated station |
| 7 | DISASSOCIATION_REASON_CODE_CLASS_3_PKT_FROM_NON_ASSOC | Class 3 frame received from non-associated station |
| 8 | DISASSOCIATION_REASON_CODE_STATION_LEAVING_BSS | Disassociated because sending station has left or is leaving BSS |
| 9 | DISASSOCIATION_REASON_CODE_STATION_NOT_AUTHENTICATED | Station requesting re-association is not authenticated with responding station |
| 13 | DISASSOCIATION_REASON_CODE_INVALID_INFORMATION_ELEMENT | Invalid Information Element |
| 14 | DISASSOCIATION_REASON_CODE_MIC_FAILURE | Michael MIC failure |
| 15 | DISASSOCIATION_REASON_CODE_4WAY_HANDSHAKE_TIMEOUT | 4-Way Handshake timeout |
| 16 | DISASSOCIATION_REASON_CODE_GROUP_KEY_UPDATE_TIMEOUT | Group key update timeout |
| 17 | DISASSOCIATION_REASON_CODE_4WAY_IE_DIFFERENCE | Information element in 4-Way Handshake different from Re-association request/Probe response/Beacon |
| 18 | DISASSOCIATION_REASON_CODE_MULTICAST_CIPHER_INVALID | Multicast Cipher is not valid |
| 19 | DISASSOCIATION_REASON_CODE_UNICAST_CIPHER_INVALID | Unicast Cipher is not valid |
| 20 | DISASSOCIATION_REASON_CODE_AKMP_NOT_VALID | AKMP is not valid |
| 21 | DISASSOCIATION_REASON_CODE_UNSUPPORTED_RSNE_VERSION | Unsupported RSN IE version |
| 22 | DISASSOCIATION_REASON_CODE_INVALID_RSNE_CAPABILITIES | Invalid RSN IE Capabilities |
| 23 | DISASSOCIATION_REASON_CODE_8021X_AUTHENTICATION_FAILED | IEEE 802.1X Authentication failed |
| 44 | DISASSOCIATION_REASON_CODE_PSP_TX_PKT_BUFFER_EXCEEDED | Symbol defined (non 802.11 standard) code. The Wireless Switch has exceeded its time limit in attempting to deliver buffered PSP frames to the Mobile Unit without receiving a single 802.11 PS Poll or NULL data frame. The Wireless Switch begins the timer when it sets the Mobile Unit’s bit in the TIM section of the 802.11 beacon frame for the BSS. The time limit is at least 15 seconds. The Mobile Unit is probably gone (or may be faulty). |
| 77 | DISASSOCIATION_REASON_CODE_TRANSMIT_RETRIES_EXCEEDED | Symbol defined (non 802.11 standard) code. The Wireless Switch has exceeded its retry limit in attempting to deliver an 802.1x EAP message to the Mobile Unit without receiving a single 802.11 ACK. The retry limit varies according to traffic type but is at least 64 times. The Mobile Unit is either gone or has incorrect 802.1x EAP authentication settings. |
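As an added example that is not part of the original post, a small Python triage of disassociation events grouped by the codes in the table: 14 to 23 are the RSN/802.1X security failures (MIC failure, handshake timeouts, cipher or AKMP mismatch, EAP failure), 44 and 77 are the Symbol-specific delivery timeouts, and 3 and 8 are the client leaving. The event list, the MAC addresses and the tuple form are constructed for the example; they are not the switch's log format.

```python
from collections import Counter, defaultdict

# Reason codes from the table above; 44 and 77 are Symbol-defined, not 802.11.
STANDARD_CODES = {1, 3, 4, 5, 6, 7, 8, 9, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23}
# 14-23: the client reached the AP but the RSN/802.1X security exchange failed
# (MIC failure, 4-way handshake timeout, cipher/AKMP mismatch, EAP failure).
SECURITY_CODES = set(range(14, 24))
# 44 and 77: the Wireless Switch gave up delivering frames to a silent client.
DELIVERY_CODES = {44, 77}
CLIENT_LEFT_CODES = {3, 8}

def classify(code):
    """Map a reason code to a troubleshooting category."""
    if code in SECURITY_CODES:
        return "security"
    if code in DELIVERY_CODES:
        return "delivery"
    if code in CLIENT_LEFT_CODES:
        return "client-left"
    if code in STANDARD_CODES:
        return "other-standard"
    return "unknown"

# Constructed sample events (client MAC, reason code); the MACs are made up and
# the tuple form is this example's own, not the switch's log format.
EVENTS = [
    ("00:a0:f8:11:22:33", 8), ("00:a0:f8:11:22:33", 8),
    ("00:a0:f8:44:55:66", 15), ("00:a0:f8:44:55:66", 15),
    ("00:a0:f8:44:55:66", 23),
    ("00:a0:f8:77:88:99", 44),
    ("00:a0:f8:aa:bb:cc", 99),
]

def triage(events, security_threshold=3):
    """Count categories per client and flag repeat security failures.

    A client that keeps failing the handshake or 802.1X is either misconfigured
    (wrong PSK or EAP credentials) or worth cross-checking against RADIUS logs;
    a client-left or delivery code is a normal roam or a device that went away.
    """
    per_client = defaultdict(Counter)
    for mac, code in events:
        per_client[mac][classify(code)] += 1
    flagged = sorted(mac for mac, counts in per_client.items()
                     if counts["security"] >= security_threshold)
    return dict(per_client), flagged
```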
Tuesday, November 6, 2007
Motorola Wireless LAN
I've worked primarily with Motorola (formerly Symbol) since the early 802.11b FHSS (Frequency Hopping Spread Spectrum) days. When 802.11b DSSS (Direct Sequence Spread Spectrum) came to the forefront I worked with the Symbol 4121/4131 Access Points (some of which were OEM'd for Nortel Networks at the time). The Access Points were very versatile and had a very extensive SNMP mib. I was able to write several Perl scripts to help manage the large number of Access Points that we had deployed at numerous locations and facilities.
Symbol was the industry's first company to design a switched-wireless networking architecture, pioneering the thin or lightweight Access Points (or Access Ports as they would come to be known as). The Symbol WS5000 Wireless LAN Switch was driven by the LynuxWorks operating system. Later software releases of the WS5000 and later the WS5100 would use an internally developed version of Linux (I know they're using Linux, I'm just not 100% sure who's developing it for them). The primary wireless design constraint with the Motorola WS5100 is the maximum 48 port Access Port adoption limit. The hardware can only support 48 simultaneous Access Ports in a single switch. At one hospital we have over 200 Access Ports and over 18 WS5100s deployed, 9 primary WS5100s and 9 standby WS5100s.
Motorola has just recently released the RFS7000 Wireless LAN Switch that promises to support up to 256 Access Ports. I won't go into all the features; I'll let you find that out from Motorola's web site. Motorola's recent Wi-NG software release (v3.x) also offers clustering options allowing around 2,500 Access Ports within a single cluster. In previous releases you needed to have a primary and standby WS5100 for every switch; with clustering you can now have N+1 redundancy within the cluster. The new software also sports a very Cisco like command line interface which is a great step up from the previous CLI interface in their v2.x software release. Network administrators will also be happy to know that the same version of software will now run on all "Motorola Wireless LAN Infrastructure", including the WS2000, WS5100, RFS7000 and AP5131. I've worked with all three types of thin Access Ports currently available from Motorola; the AP100 (802.11b), the AP200 (802.11a/b), and the latest AP300 (802.11a/b/g). We've deployed these Access Ports using Nortel ES460 and ERS5520 switches providing Power over Ethernet (PoE).
The web based console on the early (v2.x software) releases was a Java based application that was horrible to work with from a configuration and troubleshooting perspective. It was slow and would continually crash and lock up. In order to alleviate this problem I wrote a web based application so our network engineers and help desk could monitor the wireless network without having to launch the Java application. I wrote the application in Perl at the time because that was the language I was most familiar and comfortable with. The application uses SNMP to query the wireless LAN switch and then outputs the data to the user.
You can find the source code along with some additional details on my website under the Perl section. The application will only work against v2.x software releases. Motorola completely re-designed their software in their v3.x software release along with the associated SNMP mibs.
I just recently started looking at Meru Networks as an alternative solution to Motorola.
