
Showing posts with label 8600. Show all posts

Saturday, January 12, 2008

ERS 8600 Access Policy

Protecting your network switches from unauthorized access should be high on everyone's list these days. It's clear that an insecure switch is a liability in any network topology. In the vast majority of cases this means at least changing the default username and passwords along with the SNMP community strings. In environments where you need additional access security you can use the Ethernet Routing Switch 8600 Access Policy to restrict administrative access to the switch. This allows you to easily define which networks should have access and which services they should have access to.

In the example below I'm allowing access from the network 10.1.1.0/24 for FTP, HTTP, SNMP(v3), SSH, TELNET and TFTP.

ERS-8610:5# config sys access-policy policy 10 create
ERS-8610:5# config sys access-policy policy 10 network 10.1.1.0/24
ERS-8610:5# config sys access-policy policy 10 service ftp enable
ERS-8610:5# config sys access-policy policy 10 service http enable
ERS-8610:5# config sys access-policy policy 10 service snmpv3 enable
ERS-8610:5# config sys access-policy policy 10 service ssh enable
ERS-8610:5# config sys access-policy policy 10 service telnet enable
ERS-8610:5# config sys access-policy policy 10 service tftp enable
ERS-8610:5# config sys access-policy policy 10 snmp-group-add admin snmpv1
ERS-8610:5# config sys access-policy policy 10 snmp-group-add admin snmpv2c
ERS-8610:5# config sys access-policy policy 10 snmp-group-add v1v2grp snmpv1
ERS-8610:5# config sys access-policy policy 10 snmp-group-add v1v2grp snmpv2c
ERS-8610:5# config sys access-policy policy 10 snmp-group-add readgrp snmpv1
ERS-8610:5# config sys access-policy policy 10 snmp-group-add readgrp snmpv2c
ERS-8610:5# config sys access-policy policy 10 enable
Just don't forget to enable the access policy;
ERS-8610:5# config sys access-policy enable true
You could also use host masks as opposed to network masks if you wish to allow only specific management stations access to the switch.
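The decision the access policy makes can be modelled to check a policy set before you turn it on, which is where people usually lock themselves out. The block below is an added example and not the switch's own code; it models the behaviour described above (once access-policy is globally enabled, a management connection is accepted only if some enabled policy lists both the source network and the requested service) and includes a constructed host-mask policy (policy 20, 192.0.2.7/32) next to policy 10 from the post. The policy numbers, the 192.0.2.7 station and the `lockout_check` helper are assumptions for illustration.

```python
"""Model of the ERS 8600 access-policy decision (added example, not the switch's code)."""
import ipaddress

# The six services the post enables on policy 10
SERVICES = {"ftp", "http", "snmpv3", "ssh", "telnet", "tftp"}


class AccessPolicy:
    """One 'config sys access-policy policy <id>' entry: a network plus enabled services."""

    def __init__(self, policy_id, network, services, enabled=True):
        self.policy_id = policy_id
        # A /32 here is the "host mask" case: a single management station
        self.network = ipaddress.ip_network(network, strict=False)
        self.services = set(services)
        self.enabled = enabled            # 'policy <id> enable'

    def permits(self, src_ip, service):
        return (self.enabled
                and ipaddress.ip_address(src_ip) in self.network
                and service in self.services)


def is_allowed(policies, global_enable, src_ip, service):
    """True if a management connection from src_ip for `service` would be accepted."""
    if service not in SERVICES:
        raise ValueError(f"unknown service {service!r}")
    if not global_enable:                 # 'access-policy enable false': nothing is filtered
        return True
    # With the global switch on, anything not matched by an enabled policy is refused
    return any(p.permits(src_ip, service) for p in policies)


def build_example_policies():
    # Policy 10 as configured in the post: 10.1.1.0/24, all six services
    p10 = AccessPolicy(10, "10.1.1.0/24", SERVICES)
    # Constructed host-mask policy: one management station, SSH only
    p20 = AccessPolicy(20, "192.0.2.7/32", {"ssh"})
    return [p10, p20]


def lockout_check(policies, admin_ip, service="ssh"):
    """Run before 'access-policy enable true': will the station you are on keep access?"""
    return is_allowed(policies, True, admin_ip, service)


if __name__ == "__main__":
    pols = build_example_policies()
    for ip, svc in [("10.1.1.25", "telnet"), ("10.1.2.25", "telnet"),
                    ("192.0.2.7", "ssh"), ("192.0.2.7", "http")]:
        print(f"{ip:12} {svc:7} -> {'allow' if is_allowed(pols, True, ip, svc) else 'deny'}")
    print("admin station keeps SSH:", lockout_check(pols, "10.1.1.25"))
```

The useful habit is the `lockout_check` call: evaluate the policy set against the address you are managing the switch from (and the address of your monitoring system for SNMP) before issuing `access-policy enable true`.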

Cheers!

Wednesday, January 9, 2008

ERS 8600 (ipNetToMediaIfIndex)

There was a recent comment about a Usenet posting I made back in 2002 in comp.protocols.snmp.

In the post I was responding to someone looking for information on how to decode the value returned from the ipNetToMediaIfIndex when querying an ERS 8600 switch. Thankfully Shane (Nortel) was able to help me come up with the formula.

card = ( $value AND 62914560 ) / 4194304
port = (( $value AND 4128768) / 65536 ) + 1
With that formula you can now walk the ipNetToMediaTable and retrieve the entire ARP table, giving you the card and port number, MAC address, and IP address for each entry in the table.

The next issue was how to deal with MultiLink Trunk interfaces. In this case (and with my current software code) I build a table of all the MLT interfaces prior to polling the ipNetToMediaTable. I still use Perl but it shouldn't be very hard to convert to PHP.
use SNMP;   # net-snmp Perl bindings (assumed); $sess is an SNMP::Session opened earlier

# rcMltNumMlts - number of MLTs configured on the switch
$nummlts = $sess->get("rcMltNumMlts.0");

for ($i = 1; $i <= $nummlts; $i++) {
    # rcMltName - the administrative name given to the MLT
    $mltname[$i] = $sess->get("rcMltName.$i");
    # rcMltId
    $mltindex[$i] = $sess->get("rcMltId.$i");
    # rcMltIfIndex
    $mltifindex[$i] = $sess->get("rcMltIfIndex.$i");
    print "DEBUG: MltId = $i and MltName = $mltname[$i] and MltIndex = $mltindex[$i] and MltIfIndex = $mltifindex[$i]\n" if ($DEBUG);
}
Now that we have the rcMltTable in an array we can walk the ipNetToMediaTable and match up any entries. Here's the code I use (again it's Perl but you should be able to convert to PHP);
# Evaluate with bitwise operations ($vals[0] is ipNetToMediaIfIndex, $vals[1] the IP address of the row)
$card = (($vals[0] & 62914560) / 4194304);
$port = (($vals[0] & 4128768) / 65536) + 1;

# Evaluate to determine if the port is an MLT (card 0 means the port field holds the MLT id)
if ($card != 0) {
    $intf = (((64 * $card) + $port) - 1);
    print "DEBUG: $vals[1] address found on card $card port $port\n";
} else {
    $mlt = 1;
    print "DEBUG: $vals[1] address found on MLT $mltname[$port]\n";
} # end else
Hopefully that doesn't look too complicated. The important piece here is that you need to merge the rcMltTable with the ipNetToMediaTable to get your results. If you name the MLT with something meaningful you can then return that string to the application that is making the query.
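The same decoding and the rcMltTable merge, written out as an added Python example (not the Perl application described in the post). It applies the card/port formula given above, treats card 0 as an MLT whose id is in the port field, and resolves the MLT id to its name. The ARP rows and the MLT table are constructed sample data, not output from a switch; `encode_ifindex` is an assumed inverse of the formula, used only to build those rows.

```python
"""Decode ERS 8600 ipNetToMediaIfIndex values and merge with the MLT table (added example)."""

CARD_MASK = 62914560   # 0x03C00000: bits 22..25 carry the card (slot) number
CARD_SHIFT = 22        # 4194304 == 2**22, the divisor in the post's formula
PORT_MASK = 4128768    # 0x003F0000: bits 16..21 carry the port number minus one
PORT_SHIFT = 16        # 65536 == 2**16


def decode_ifindex(value):
    """Return ('port', card, port) for a physical port, or ('mlt', mlt_id) when card == 0."""
    card = (value & CARD_MASK) >> CARD_SHIFT
    port = ((value & PORT_MASK) >> PORT_SHIFT) + 1
    if card != 0:
        return ("port", card, port)
    # Card 0 means a MultiLink Trunk; the port field then carries the MLT id
    return ("mlt", port)


def encode_ifindex(card, port):
    """Inverse of decode_ifindex for physical ports (assumed; used to build sample rows)."""
    return (card << CARD_SHIFT) | ((port - 1) << PORT_SHIFT)


def port_to_intf(card, port):
    """Interface number as computed in the Perl above: 64 ports per card, zero-based."""
    return 64 * card + port - 1


def describe(value, mlt_names):
    """Human-readable location of an ARP entry, using rcMltName for MLTs."""
    kind, *rest = decode_ifindex(value)
    if kind == "port":
        card, port = rest
        return f"card {card} port {port}"
    (mlt_id,) = rest
    return f"MLT {mlt_names.get(mlt_id, mlt_id)}"


def search_arp(arp_rows, mlt_names, ip):
    """arp_rows: iterable of (ipNetToMediaIfIndex, ip, mac). Returns a result line or None."""
    for ifindex, row_ip, mac in arp_rows:
        if row_ip == ip:
            return f"{row_ip} ({mac}) address found on {describe(ifindex, mlt_names)}"
    return None


# Constructed rcMltTable: rcMltId -> rcMltName
MLT_NAMES = {1: "IST", 5: "SMLT-5500"}

# Constructed ipNetToMediaTable rows: (ifIndex, IP address, MAC address)
ARP_ROWS = [
    (encode_ifindex(2, 1), "10.1.1.10", "000AE4753FC9"),
    (encode_ifindex(8, 14), "10.1.1.11", "000AE4753FCA"),
    ((5 - 1) << PORT_SHIFT, "1.1.1.10", "000AE4753FC9"),   # card field 0 -> MLT 5
]

if __name__ == "__main__":
    for ip in ("1.1.1.10", "10.1.1.11", "10.9.9.9"):
        print(search_arp(ARP_ROWS, MLT_NAMES, ip) or f"{ip} not found")
```

Naming your MLTs meaningfully (as the post recommends) is what makes the MLT branch of `describe` useful: the string returned to the caller is then the trunk name rather than a bare number.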

I wrote a Perl application that would search the ARP table of an Ethernet Routing Switch 8600 dynamically for a specific IP address entry. Here's an example of the output;
Nortel Passport 8600 Gigabit Switch IP ARP Table Search

Initializing query for sw-ccr-8600.datacenter.acme.org for IP address 1.1.1.10...

sysDescr = ERS-8610 (4.1.3.0)
sysObjectID = .1.3.6.1.4.1.2272.30
sysUpTime = 169 Days 6 Hours 43 mins 11 secs
sysContact = Acme Network Infrastructure Team
sysName = sw-ccr-8600.datacenter.acme.org
sysLocation = USA

Please be patient it may take a while to complete the search...

DEVICE FOUND

1.1.1.10 (000AE4753FC9) address found on MLT SMLT-5500

We searched through 1183 forwarding records...

That's all folks!
I will look to publish the complete code on my website sometime in the near future.

Cheers!

Friday, December 28, 2007

Upgrade Software Nortel ERS 8600

Here's a question that I've been asked over and over again.

How can I upgrade the software of a Nortel ERS 8600 Switch?

It's actually very easy and only takes a few minutes (along with a reboot). If you have dual CPUs (8690SF, 8691SF, 8692SF) you're going to need to upgrade both CPUs. If you're running in a HA (High Availability) configuration you probably shouldn't be reading this. I'll assume that anyone with dual CPUs is running them in a standby configuration. I generally like to upgrade the standby CPU first and then upgrade the primary CPU; the switch will fail over to the standby CPU once the primary CPU starts to reboot.

You'll need a TFTP server to host the software files. I generally use the TFTP server that comes with Linux (CentOS), however, you can use TFTPD32 by Philippe Jounin on Windows XP/2003. Just drop the TFTPD32 files in the same directory with the Nortel ERS 8600 software release and run the executable.

For this example let's assume that the primary (active) CPU is in slot 5 and the standby CPU is in slot 6. Once you have the TFTP server set up we can telnet into the switch. If you don't have telnet enabled in the boot.cfg file you'll need to console up to the switch. You may also need to clean up the /flash/ filesystem depending on which switch fabric you have installed in the chassis. I believe the 8692SF comes with 64Mb of flash memory and a 64Mb PCMCIA card.

Trying 10.1.1.10...
Connected to 10.1.1.10 (10.1.1.10).
Escape character is '^]'.

**************************************************
* Copyright (c) 2007 Nortel, Inc. *
* All Rights Reserved *
* Ethernet Routing Switch 8010 *
* Software Release 4.1.5.4 *
**************************************************

Login: rwa
Password: ***

ERS-8610:5#
If you're not sure which files you need you should consult the Nortel documentation. You will definitely need the boot (p80b4154.img) and agent (p80a4154.img) files at a minimum. I have daughter processors (SuperMezz cards) in my 8692SFs so I also need that software (p80m4154.img). I also have R cards in my chassis so I need the image for those (p80j4154.dld). I don't have any ATM cards so I don't have that software included below. The TFTP server I'm using has the IP address of 10.101.20.1.

Copy software to primary CPU
ERS-8610:5# copy 10.101.20.1:p80a4154.img /flash/p80a4154.img
ERS-8610:5# copy 10.101.20.1:p80b4154.img /flash/p80b4154.img
ERS-8610:5# copy 10.101.20.1:p80c4154.img /flash/p80c4154.img
ERS-8610:5# copy 10.101.20.1:p80c4154.aes /flash/p80c4154.aes
ERS-8610:5# copy 10.101.20.1:p80j4154.dld /flash/p80j4154.dld
ERS-8610:5# copy 10.101.20.1:p80m4154.img /flash/p80m4154.img
We make the configuration changes to the boot.cfg file;
ERS-8610:5# config bootconfig choice primary image-file "/flash/p80a4154.img"
ERS-8610:5# config bootconfig choice secondary image-file "/flash/p80a4150.img"
ERS-8610:5# save config
Save config to file /flash/config.cfg successful.
Save to standby file /flash/config.cfg successful.
ERS-8610:5# save bootconfig
Save bootconfig to file /flash/boot.cfg successful.
Save to standby file /flash/boot.cfg successful.
Copy software to standby CPU and upgrade

With the software now on the primary CPU in the /flash directory we can transfer the software to the standby CPU and upgrade that component. We'll telnet from the primary CPU to the standby CPU so we can issue our commands. Alternately we could also console up to the standby CPU.
ERS-8610:5# peer telnet
Trying 127.0.0.6 ...
Connected to 127.0.0.6
Escape character is '^]'
**************************************************
* Copyright (c) 2007 Nortel, Inc. *
* All Rights Reserved *
* Ethernet Routing Switch 8010 *
* Software Release 4.1.5.4 *
**************************************************
Login: rwa
Password: ***
@ERS-8610:6#
Now that we're connected to the standby CPU let's copy the files from the primary CPU. It's important to note tftpd must be enabled on the primary CPU in the boot.cfg file; "flags tftpd true".
@ERS-8610:6# copy 127.0.0.5:p80a4154.img /flash/p80a4154.img
@ERS-8610:6# copy 127.0.0.5:p80b4154.img /flash/p80b4154.img
@ERS-8610:6# copy 127.0.0.5:p80c4154.img /flash/p80c4154.img
@ERS-8610:6# copy 127.0.0.5:p80c4154.aes /flash/p80c4154.aes
@ERS-8610:6# copy 127.0.0.5:p80j4154.dld /flash/p80j4154.dld
@ERS-8610:6# copy 127.0.0.5:p80m4154.img /flash/p80m4154.img
Now that we have the files let's perform the actual upgrade and reset the CPU.
@ERS-8610:6# boot /flash/p80b4154.img
Are you sure you want to re-boot the switch (y/n) ? y
@ERS-8610:6#
You should wait until the standby CPU has upgraded the boot code and loaded the new agent code before doing anything with the primary CPU. It's also a great idea to confirm that the standby is up and operational before you touch the primary CPU.

Now all you need to do is upgrade the primary CPU;
ERS-8610:5# boot /flash/p80b4154.img
Are you sure you want to re-boot the switch (y/n) ? y
ERS-8610:5#
The switch will boot the boot image and upgrade the boot PROM, after which it will reboot again and load the new agent code we specified in the boot.cfg file. If you have a standby CPU the standby CPU will become the active CPU. If you don't have a standby CPU in the switch you'll just need to wait for the switch to come back online. This should only take about 3 minutes.

Cheers!

Wednesday, December 26, 2007

Factory Reset Nortel Ethernet Routing Switch

I've received a few inquiries about how to reset the password and configuration on a Nortel Ethernet Routing Switch 8600. In a previous article I showed everyone how to reset the configuration (and password) of a Nortel Ethernet Switch (including the ERS 5500 series) but not a Nortel Ethernet Routing Switch.

As with the previous procedure you'll need access to the console port on the switch. Specifically you'll need to cable up (9600,8,N,1) to the CPU (8690SF, 8691SF, 8692SF) you wish to reset.

If you've lost the password... cold boot the chassis while connected to the console port. When the switch starts to boot you should see something similar to the following (depending on the version of software installed);

Copyright (c) 2007 Nortel, Inc.
CPU Slot 5: PPC 745 Map B
Version: 4.1.5.4
Creation Time: Dec 17 2007, 15:31:21
Hardware Time: DEC 26 2007, 16:19:24 UTC
Memory Size: 0x10000000
Start Type: cold
SMI ZOOMCF
can't open "/pcmcia/pcmboot.cfg" 0x380003
S_dosFsLib_FILE_NOT_FOUND
/flash/ - Volume is OK
Change volume Id from 0x0 to 0x1a5

Loaded boot configuration from file /flash/boot.cfg
Attaching network interface lo0... done.

Press to stop auto-boot...
1
You'll need to interrupt the boot process by hitting the "Return" key. You should be greeted with a monitor prompt;
monitor#
From here you'll be able to issue a command to clear the passwords stored in NV RAM;
monitor# reset-passwd
monitor#
Now just go ahead and reset the CPU and you should be able to login with the default username (rwa) and password (rwa).
monitor# reset

CPU Slot 5: PPC 745 Map B
Version: 4.1.5.4
Creation Time: Dec 17 2007, 15:31:21
Hardware Time: DEC 26 2007, 16:25:09 UTC
Memory Size: 0x10000000
Start Type: cold
SMI ZOOMCF
can't open "/pcmcia/pcmboot.cfg" 0x380003
S_dosFsLib_FILE_NOT_FOUND
/flash/ - Volume is OK
Change volume Id from 0x0 to 0x1a5

Loaded boot configuration from file /flash/boot.cfg
Attaching network interface lo0... done.

Press to stop auto-boot...
Loading /flash/p80a4154.img ... 8761414 to 25459172 (25459172)
Starting at 0x10000...

SMI ZOOMCF
Booting PMC280 Mezz HW please wait
. The BootCode address is 0x2b00100 3303
.
Mezz taking over console and modem......
Mezz CPU Booted successfully


Initializing backplane net with anchor at 0x4100... done.
Backplane anchor at 0x4100... ..
Mounting /flash: .done.


Ethernet Routing Switch 8600 System Software Release 4.1.5.4
Copyright (c) 1996-2007 Nortel, Inc.

CPU5 [10/26/99 11:26:25] SW INFO System boot
CPU5 [10/26/99 11:26:25] SW INFO ERS System Software Release 4.1.5.4
CPU5 [10/26/99 11:26:26] SW INFO CPU card entering warm-standby mode...
CPU5 [10/26/99 11:26:27] SW INFO Loading configuration from /flash/config.cfg

CPU5 [10/26/99 11:26:27] SW INFO PCMCIA card detected in Stand-by CPU "ERS-8610"
slot 5, Chassis S/N SSPND*****

**************************************************
* Copyright (c) 2007 Nortel, Inc. *
* All Rights Reserved *
* Ethernet Routing Switch 8010 *
* Software Release 4.1.5.4 *
**************************************************

Login:
You should now be able to login with the default RWA username of "rwa" and the default password of "rwa".

If you wish to reset the configuration... you only need to delete the config.cfg file from the flash and reset the switch.

You should NOT delete the boot.cfg file unless you have a copy of the software on the PCMCIA card and know how to start the software using the boot command from monitor mode.

I believe the same monitor command is available for the Ethernet Routing Switch 1600 Series.

Cheers!

Sunday, December 16, 2007

ERS 8600 Users and Passwords

The Nortel Ethernet Routing Switch 8600 by default has six user accounts each with different levels of access. The "super-user" account is the rwa account and has access to the entire switch.

Default User ID: rwa
Default Password: rwa

Default User ID: rw
Default Password: rw

Default User ID: l3
Default Password: l3

Default User ID: l2
Default Password: l2

Default User ID: l1
Default Password: l1

Default User ID: ro
Default Password: ro

With the release of Nortel's Application Switch Blade for the ERS 8600 there are actually six additional access levels. If you are the network administrator of an ERS 8600 it is probably best to reset the passwords and/or disable the access levels that you are not using. To change the passwords use the following commands;

ERS-8600:5# config cli password rwa rwa
ERS-8600:5# config cli password rw rw
ERS-8600:5# config cli password l3 l3
ERS-8600:5# config cli password l2 l2
ERS-8600:5# config cli password l1 l1
ERS-8600:5# config cli password ro ro
In software release v4.x and higher the passwords will automatically be synced across both CPUs if there is more than one in the switch. In previous releases you would need to issue the commands above on both CPUs.

You can also disable the different access-levels with the following commands;
ERS-8600:5# config cli password access-level rw disable
ERS-8600:5# config cli password access-level l3 disable
ERS-8600:5# config cli password access-level l2 disable
ERS-8600:5# config cli password access-level l1 disable
ERS-8600:5# config cli password access-level l4admin disable
ERS-8600:5# config cli password access-level slbadmin disable
ERS-8600:5# config cli password access-level oper disable
ERS-8600:5# config cli password access-level l4oper disable
ERS-8600:5# config cli password access-level slboper disable
ERS-8600:5# config cli password access-level ssladmin disable
And don't forget to save your configuration and boot configuration with the following commands;
ERS-8600:5# save config
ERS-8600:5# save bootconfig
You should always change the default passwords in order to secure the network.

Cheers!

Friday, December 14, 2007

Packet Capture (PCAP)

The Nortel Ethernet Routing Switch 8600 supports utilizing the standby CPU to capture (PCAP) both ingress and egress (E-modules only) packets on selected I/O ports. The switch must have a standby CPU in order to perform PCAP.

You can configure IP/MAC filters to be applied to the PCAP engine but for this article I'll just show you how to perform the basic packet capture and how to retrieve the data so it can be analyzed with either Wireshark or OmniPeek. I currently use both applications for their different strengths and weaknesses.

First we'll configure the basic PCAP engine settings, which should be fairly straightforward. The buffer-size is measured in megabytes so we'll be specifying 10MBs. The fragment-size is specified in bytes and in this example we want to capture the entire frame.

ERS-8600:5# config diag pcap buffer-wrap false
ERS-8600:5# config diag pcap buffer-size 10
ERS-8600:5# config diag pcap fragment-size 1522
Now we need to enable PCAP on the specific switch ports we're interested in capturing. We also want to specify the mode as both (both = ingress and egress packets | rx = ingress packets | tx = egress packets).
ERS-8600:5# config ethernet 2/1 pcap enable mode both
Now we're ready to start the capture.
ERS-8600:5# config diag pcap enable true
Now let's see if we're actually capturing any packets with the following command;
ERS-8600:5# show diag pcap stats
Stat Information for PCAP
=========================
Packet Capacity Count : 340909
Number of packets received in PCAP engine : 10
Number of packets accumulated in PCAP engine : 10
Number of packets dropped in PCAP engine by filters : 0
Number of packets dropped in Hardware : 0
Now stop the packet capture and retrieve it from the switch;
ERS-8606:5# config diag pcap enable false
Now you just need to copy the contents of the PCAP engine to the PCMCIA card;
ERS-8606:5# copy PCAP00 /pcmcia/capture.cap
You can now remove the PCMCIA card from the CPU and load it into your laptop or better yet you can just FTP the file from the PCMCIA card by making an FTP connection to the switch (you'll need to have FTP enabled in the boot.cfg file).

When you're ready to capture again don't forget to reset the PCAP engine with the following commands;
ERS-8606:5# config diag pcap enable false
ERS-8606:5# config diag pcap reset-stat
If something happens to the PCAP engine (which occasionally happens to me) you can usually resolve the problem by resetting the standby CPU. You can access the standby CPU from the console port of the primary CPU by telnetting into it with the peer telnet command;
8606:5# peer telnet
Trying 127.0.0.6 ...
Connected to 127.0.0.6
*********************************************
* Copyright (c) 2003 Nortel Networks, Inc. *
* All Rights Reserved *
* ERS 8006 *
* Software Release 4.1.1.0 *
*********************************************
Login: rwa
Password: ***
@8606:6#
Note: You might notice that the primary CPU (slot 5 in the chassis) has the internal IP address of 127.0.0.5 while the standby CPU (slot 6 in the chassis) has the internal IP address of 127.0.0.6.

I don't believe you can perform PCAP with the new R modules although I could be wrong.

Cheers!

Tuesday, December 11, 2007

Remote Port Mirroring

The Nortel Ethernet Routing Switch 8600 supports a port mirroring feature to analyze traffic ingressing/egressing a specific switch port. The ERS 8600 also supports remote port mirroring by moving mirrored traffic across a switched network to a remote switch port.

This allows you to deploy a centralized network analyzer or probe to capture packets for the entire Local Area Network (LAN). This is accomplished by encapsulating the mirrored packets in a remote mirroring encapsulation wrapper. The encapsulation frame is bridged through the network by a separate port-based VLAN to the remote mirroring termination port.

The following example is taken from the Nortel document "Using Diagnostic Tools".
We'll mirror port 1/15 on S1 to port 1/15 on S3 using the remote mirroring feature of the ERS 8600 Switch. As I mentioned above the packets to be mirrored will be encapsulated and put onto a specific port-based VLAN to be bridged across the network. In the following example we'll create VLAN 99 for this purpose.

Configure S3:

ERS-8610:5# config vlan 99 create byport 1
ERS-8610:5# config vlan 99 ports add 1/15, 2/8
ERS-8610:5# config ethernet 1/15 remote-mirroring create
ERS-8610:5# config ethernet 1/15 remote-mirroring add-vlan-id 99
ERS-8610:5# config ethernet 1/15 remote-mirroring mode termination
ERS-8610:5# config ethernet 1/15 remote-mirroring enable true
We'll need to determine the MAC address of the switch port that will be connecting to the network analyzer (sniffer). We'll need this information in order to configure the originating switch properly.
ERS-8610:5# config ethernet 1/15 remote-mirroring info port 1/15
Enable = TRUE
Mode = termination
srcmac = 00:e0:7b:82:9c:0e
dstmac = 00:e0:7b:82:9d:9c
ether-type = 0x8103
vlan-id-list =10
We'll need to record the "dstmac" MAC address above as we'll need it when configuring the origin switch.

Configure S1:
ERS-8610:5# config vlan 99 create byport 1
ERS-8610:5# config vlan 99 ports add 1/1
ERS-8610:5# config diag mirror-by-port 1 create in-port 1/15 out-port 1/1 mode both enable true remote-mirror-vlan-id 99
ERS-8610:5# config ethernet 1/1 remote-mirroring create
ERS-8610:5# config ethernet 1/1 remote-mirroring dstmac 00:e0:7b:82:9d:9c
ERS-8610:5# config ethernet 1/1 remote-mirroring enable true
Configure S2:
ERS-8610:5# config vlan 99 create byport 1
ERS-8610:5# config vlan 99 ports add 1/1,2/8
I've actually used this feature to mirror traffic from the ELAN interface on a Nortel Succession 1000M (Option 81C) from a closet ERS 8600 to a core ERS 8600 where I had a network analyzer setup to perform network traces.

I was and still am impressed with the feature.

Cheers!

Monday, December 10, 2007

Ping Snoop

When troubleshooting switches connected using MultiLink Trunks (MLT), Distributed MultiLink Trunks (DMLT) and Split MultiLink Trunks (SMLT) it can be difficult to determine which path a specific set of IP packets are taking between two switches.

The Nortel Ethernet Routing Switch 8600 has a feature called ping snoop that can be used to determine the specific path that specific IP traffic takes over an MLT, DMLT or SMLT path. Ping snoop works by enabling a filter that copies the ICMP messages to the CPU. The CPU then monitors the ICMP stream and outputs messages on the console indicating what ports are being traversed by the IP traffic.

There are different commands depending on the type of IO modules that are involved.

With non-R modules;

config diag ping-snoop create src-ip 30.30.30.0/24 dst-ip 30.30.30.0/24
config diag ping-snoop add-ports 1/47,2/1
config diag ping-snoop enable true
config log screen on
With R modules;
config filter acl 4096 port add 1/2
config filter acl 4096 enable
config filter acl 4096 ace 1 create name echo_reply
config filter acl 4096 ace 1 ip src-ip eq 10.119.255.20/32
config filter acl 4096 ace 1 ip dst-ip eq 10.101.241.25/32
config filter acl 4096 ace 1 protocol icmp-msg-type eq echoreply
config filter acl 4096 ace 1 enable
config filter acl 4096 ace 2 create name echo_request
config filter acl 4096 ace 2 ip src-ip eq 10.101.241.25/32
config filter acl 4096 ace 2 ip dst-ip eq 10.119.255.20/32
config filter acl 4096 ace 2 protocol icmp-msg-type eq echo-request
config filter acl 4096 ace 2 enable
config log screen on
In the above examples you need to substitute the appropriate IP addresses and switch ports.

I've used the ping snoop feature on numerous occasions to isolate the specific uplink that a TCP/UDP conversation was utilizing when traversing two switches that have multiple uplinks between each other [configured as MLT/DMLT/SMLT uplink].

Here's a sample output from a Nortel ERS 8600 v4.1.1 switch;
sw-ccr-8600:5# CPP Task=tMainTask CPU5 [12/11/07 07:36:25] CPU INFO ICMP Reply received on port 8/14 with Src=10.124.240.32 Dst=10.124.240.20
sw-ccr-8600:5# CPP Task=tMainTask CPU5 [12/11/07 07:36:26] CPU INFO ICMP Reply received on port 8/14 with Src=10.124.240.32 Dst=10.124.240.20
sw-ccr-8600:5# CPP Task=tMainTask CPU5 [12/11/07 07:36:27] CPU INFO ICMP Reply received on port 8/14 with Src=10.124.240.32 Dst=10.124.240.20
sw-ccr-8600:5# CPP Task=tMainTask CPU5 [12/11/07 07:36:28] CPU INFO ICMP Reply received on port 8/14 with Src=10.124.240.32 Dst=10.124.240.20
I might be wrong about this but I believe the ping snoop feature only works on ingress packets (packets that are ingressing into the IO module/port you have configured for ping snoop).
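Ping snoop writes its results to the console as free-form log lines, so for anything beyond a handful of pings it helps to parse them and tally which port each flow was seen on. The block below is an added example, not code from the post: it parses lines in the format shown above, groups them per (source, destination, ICMP message kind) and flags flows that showed up on more than one port. The sample lines are constructed from the format shown, with one line altered to port 8/13 so the multiple-port case has something to find.

```python
"""Parse ERS 8600 ping-snoop console output and summarise the ports traversed (added example)."""
import re
from collections import defaultdict

# Constructed sample: format taken from the post, third line altered to port 8/13,
# plus one unrelated console line that the parser must ignore.
SAMPLE_LOG = """\
sw-ccr-8600:5# CPP Task=tMainTask CPU5 [12/11/07 07:36:25] CPU INFO ICMP Reply received on port 8/14 with Src=10.124.240.32 Dst=10.124.240.20
sw-ccr-8600:5# CPP Task=tMainTask CPU5 [12/11/07 07:36:26] CPU INFO ICMP Reply received on port 8/14 with Src=10.124.240.32 Dst=10.124.240.20
sw-ccr-8600:5# CPP Task=tMainTask CPU5 [12/11/07 07:36:27] CPU INFO ICMP Reply received on port 8/13 with Src=10.124.240.32 Dst=10.124.240.20
sw-ccr-8600:5# show diag pcap stats
"""

LINE_RE = re.compile(
    r"\[(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\] CPU INFO ICMP (?P<kind>\w+) "
    r"received on port (?P<port>\d+/\d+) with Src=(?P<src>[\d.]+) Dst=(?P<dst>[\d.]+)"
)


def parse_line(line):
    """Return a dict with ts/kind/port/src/dst for a ping-snoop line, else None."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def parse_log(text):
    """Parse every line of a console capture, dropping lines that are not ping-snoop output."""
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def path_summary(records):
    """Map (src, dst, kind) -> {port: count}, i.e. which uplink each flow used and how often."""
    summary = defaultdict(lambda: defaultdict(int))
    for r in records:
        summary[(r["src"], r["dst"], r["kind"])][r["port"]] += 1
    return {flow: dict(ports) for flow, ports in summary.items()}


def flows_on_multiple_ports(summary):
    """Flows whose packets were seen on more than one port (a path change during the test)."""
    return sorted(flow for flow, ports in summary.items() if len(ports) > 1)


if __name__ == "__main__":
    summary = path_summary(parse_log(SAMPLE_LOG))
    for (src, dst, kind), ports in summary.items():
        print(f"{kind} {src} -> {dst}: {ports}")
    print("flows seen on more than one port:", flows_on_multiple_ports(summary))
```

Because the post notes that ping snoop only reports ingress packets, each direction of a conversation has to be snooped on its own set of ports; the summary keyed by (src, dst, kind) keeps the two directions apart for that reason.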

Cheers!

Monday, December 3, 2007

Simple Loop Prevention Protocol (SLPP)

With release v4.1 software of the Ethernet Routing Switch 8600 Nortel introduced a new mechanism to protect against Layer 2 network loops. The following excerpt is taken from the Nortel document "Converged Campus Technical Solution Guide", authored July 2007 by Dan DeBacker.

Simple Loop Prevention Protocol (SLPP) provides active protection against Layer 2 network loops on a per-VLAN basis. SLPP uses a lightweight hello packet mechanism to detect network loops. SLPP packets are sent using Layer 2 multicast and a switch will only look at its own SLPP packets or at its peer SLPP packets. It will ignore SLPP packets from other parts of the network. Sending hello packets on a per VLAN basis allows SLPP to detect VLAN based network loops for un-tagged as well as tagged IEEE 802.1Q VLAN link configurations. Once a loop is detected, the port is shut down. The SLPP functionality is configured using the following criteria:

  • SLPP TX Process – the network administrator decides on which VLANs a switch should send SLPP hello packets. The packets are then replicated out all ports which are members of the SLPP-enabled VLAN. It is recommended to enable SLPP on all VLANs.
  • SLPP RX Process – the network administrator decides on which ports the switch should act when receiving an SLPP packet that is sent by the same switch or by its SMLT peer. You should enable this process only on Access SMLT/SLT ports and never on IST ports or Core SMLT/SLT ports in the case of a square/full mesh core design.
  • SLPP Action – the action operationally disables the ports receiving the SLPP packet. The administrator can also tune the network failure behavior by choosing how many SLPP packets need to be received before a switch starts taking an action. These values need to be staggered to avoid edge switch isolation – see the recommendations at the end of this section.
Loops can be introduced into the network in many ways. One way is through the loss of an MLT configuration caused by user error or malfunctioning equipment. This scenario may not always introduce a broadcast storm, but because all MAC addresses are learned through the looping ports, does significantly impact Layer 2 MAC learning. Spanning Tree would not in all cases be able to detect such a configuration issue, whereas SLPP reacts and disables the malfunctioning links, limiting network impact to a minimum. The desire is to prevent a loop from causing network problems while also attempting to not totally isolate the edge where the loop was detected. Total edge closet isolation is the last resort in order to protect the rest of the network from the loop. With this in mind, the concept of an SLPP Primary switch and SLPP Secondary switch has been adopted. These are strictly design terms and are not configuration parameters. The Rx thresholds are staggered between the primary and secondary switch, therefore the primary switch will disable an uplink immediately upon a loop occurring. If this resolves the loop issue, the edge closet still has connectivity back through the SLPP secondary switch. If the loop is not resolved, the SLPP secondary switch will disable the uplink and isolate the closet to protect the rest of the network from the loop.

I've deployed SLPP at one site with a two tier network design utilizing SMLT with an IST core. It's very important to remember that SLPP operates per VLAN id so you need to take that into consideration. You also don't want to overload your switch fabric (CPU) by enabling SLPP on every VLAN, especially if you have a large number of VLANs.

Here's an example of how to deploy SLPP between two core ERS 8600s (switch cluster).

ERS 8600 Core Switch A
ERS-8610:5# config slpp add 200
ERS-8610:5# config slpp operation enable
ERS-8610:5# config ethernet 1/1-1/8 slpp packet-rx enable
ERS-8610:5# config ethernet 1/1-1/8 slpp packet-rx-threshold 5
ERS 8600 Core Switch B
ERS-8610:5# config slpp add 200
ERS-8610:5# config slpp operation enable
ERS-8610:5# config ethernet 1/1-1/8 slpp packet-rx enable
ERS-8610:5# config ethernet 1/1-1/8 slpp packet-rx-threshold 50
This will cause both core ERS 8600 switches to transmit SLPP PDUs on VLAN 200. They will watch for those PDUs to return on ports 1/1-1/8. It's important in the example above to point out the different thresholds. You don't want both core ERS 8600 switches cutting off both uplinks to the edge closets. Hence the core A switch will admin-down any port where it receives 5 of its own SLPP PDU packets. The core B switch will admin-down any port where it receives 50 of its own SLPP PDU packets. This configuration will generally disable one of the uplinks from the switch cluster (removing the loop) but won't leave the edge switch disconnected from both core ERS 8600 switches.
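The staggered thresholds are easier to reason about with a small model. The block below is an added example, not Nortel's SLPP implementation: it models each core switch counting its own returned SLPP PDUs per rx port and operationally disabling the port at its packet-rx-threshold, then runs the two-core scenario above (A at 5, B at 50) both when disabling one uplink clears the loop and when it does not. The per-round "one hello per core" timing, the port 1/3 edge uplink and the assumption that a loop stops returning PDUs once either core's uplink is down are simplifications made for the example.

```python
"""Model of staggered SLPP packet-rx thresholds on an SMLT core pair (added example)."""

RX_PORTS = [f"1/{n}" for n in range(1, 9)]   # the 1/1-1/8 access SMLT ports from the config


class SlppSwitch:
    """One core switch: counts its own returned SLPP PDUs per port, disables at threshold."""

    def __init__(self, name, rx_ports, threshold):
        self.name = name
        self.threshold = threshold                     # 'slpp packet-rx-threshold'
        self.rx_count = {p: 0 for p in rx_ports}       # ports with 'slpp packet-rx enable'
        self.disabled = set()

    def receive_own_pdu(self, port):
        """An SLPP PDU sent by this switch (or its SMLT peer) came back on `port`.
        Returns True if this packet pushed the port over the threshold."""
        if port not in self.rx_count or port in self.disabled:
            return False                               # not an rx port, or already down
        self.rx_count[port] += 1
        if self.rx_count[port] >= self.threshold:
            self.disabled.add(port)                    # SLPP Action: operationally disable
            return True
        return False


def simulate_loop(core_a, core_b, port, rounds, loop_clears_when_one_uplink_down=True):
    """Each round both cores send a hello on the SLPP VLAN; while the edge loop exists the
    hello returns on `port` of both cores. Simplification: if the flag is set, taking down
    either core's uplink removes the loop and no further PDUs return."""
    for _ in range(rounds):
        one_uplink_down = port in core_a.disabled or port in core_b.disabled
        if loop_clears_when_one_uplink_down and one_uplink_down:
            break
        core_a.receive_own_pdu(port)
        core_b.receive_own_pdu(port)


def run_example(loop_clears_when_one_uplink_down=True, rounds=100):
    """Core A (primary, threshold 5) and Core B (secondary, threshold 50) as configured above."""
    core_a = SlppSwitch("Core A", RX_PORTS, threshold=5)
    core_b = SlppSwitch("Core B", RX_PORTS, threshold=50)
    simulate_loop(core_a, core_b, "1/3", rounds, loop_clears_when_one_uplink_down)
    return {
        "A_disabled": sorted(core_a.disabled),
        "B_disabled": sorted(core_b.disabled),
        "B_rx": core_b.rx_count["1/3"],
    }


if __name__ == "__main__":
    print("loop resolved by A's action :", run_example(True))
    print("loop persists, B also acts  :", run_example(False))
```

With equal thresholds on both cores the same model disables port 1/3 on A and B in the same round, which is the edge isolation the staggering is meant to avoid; with the staggered values the edge keeps its uplink to B unless the loop survives A's action.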

Cheers!

Sunday, October 21, 2007

Voice Over IP with Nortel

I'd like to take some time to discuss Voice over IP and share some of my real world experiences with the technology. I should note to everyone that my experiences with VoIP are strictly limited to Nortel equipment. While I'm somewhat knowledgeable about Cisco Callmanager (mostly thanks to my cousin who maintains the Call Center for a large automotive manufacturer) my personal experiences are limited to Nortel.

We've been using VoIP for almost the past 6 years with very good success. Our first foray into VoIP was using Nortel's IP Line ITG (Internet Telephony Gateway) with a Nortel Meridian 1 Option 61C switch. We had Nortel's first generation i2004 phones (the purple "barney" phones as we fondly referred to them). A few hardware and software upgrades later that same system is now known as Nortel's Succession 4.5 1000M Call Server. We've been running IP Trunks (H.323) between 5 different Succession 4.5 1000M Call Servers for well over 4 years now with great success. We've only just in the past year started really rolling out VoIP to the desktop where it makes sense (example; new construction).

What do you need to run VoIP with Nortel?

These days you can run VoIP on all sorts of different platforms from small office (BCM 50) to very large multi-site enterprises (CS 2100). I'll describe the equipment that I'm currently using;

  • Nortel Succession 4.5 Call Server 1000M
  • Nortel Succession 4.5 Signaling Server (two for high availability)
  • Nortel Succession Voice Gateway Media Cards (five for high availability and capacity)
  • Nortel Succession Internet License (Incremental Software Management - ISM)
You'll need a phone of course;
You'll also need some back-end network electronics/switches;
And to make life easy you'll also need a DHCP server which you can configure with custom vendor DHCP options.

If you're a data person you're most likely going to need some help from either a voice/telecom person or voice reseller. Likewise if you're a voice/telecom person you're going to need some help from either a data person or a data reseller. I happen to be a data person that has learned the voice/telecom side of things from my years of exposure and from the failure of several voice resellers; nothing like picking up the books and learning something new.

Since I'm a data person I'm going to focus on the actual network electronics and the phone configuration. In the past year I've deployed more than 250 IP phones at more than 5 locations. That number doesn't include the 100 or so Nortel 2211 Wireless Internet Telephones which we'll discuss at some later date.

I currently have a Nortel 1140E (pictured right) on my desk at work along with a Nortel i2007 on my desk at home (Nortel 1150 VPN Router with Branch Office Tunnel - BOT) and an i2050 software IP phone on my laptop with a USB headset adapter that really makes the phone work.

We recently built a health center with 140+ IP phones which are all connecting to a hospital that is more than 17 miles away. We built a 10GB Wide Area Network over dark fiber utilizing Nortel Ethernet Routing Switch 8600s with 8683XLR cards and 10GBase-ER/EW XFP GBICs. We also installed and provisioned a Nortel 1000B Branch Office at the health center to provide a failover solution should the IP phones get disconnected from the Main Office Call Server. This site has been live for the past 5 months now and I'm very satisfied with the result of our work and efforts. The solution is very reliable and thanks to the design of the data network we've yet to experience an unscheduled outage.

Stay tuned for more...