Showing posts with label ERS.

Tuesday, January 15, 2008

Nortel Ethernet Switch "Agent Not Found"

This post applies to the following models:

  • Nortel Business Policy Switch 2000
  • Nortel Ethernet Switch 300 Series
  • Nortel Ethernet Switch 460
  • Nortel Ethernet Switch 470
  • Nortel Ethernet Switch 2500 Series
  • Nortel Ethernet Switch 4500 Series
  • Nortel Ethernet Route Switch 5500 Series
The switch agent image, which is stored in NVRAM on the switch, can become corrupt for one reason or another. When that happens the diagnostic code refuses to start the agent ("Agent code verification fails!" in the output below), the switch will not boot up properly, and it needs some manual intervention from the console.
Diagnostic Version X.X.X.X
Press Control-C to Enter Diag

Test ROM Config - PASSED
Test FANs - PASSED
Test Internal Loopback - PASSED
Test ASIC1 Registers - PASSED
Test ASIC2 Registers - PASSED
Test PHY Registers - PASSED
Test USB Registers - PASSED
Agent code verification fails!

>> Break Recognized - Wait...
Press 'a' to run Agent code
Press 'd' to download Agent code
Press 'e' to display errors
Press 'c' to clear log message
Press 'i' to initialize config flash
Press 'p' to run POST tests...
You can use the boot diagnostic code to download a fresh agent image to the switch using the "d" option. While the switch is booting, press Ctrl-C to break into the diagnostic menu and select "d".

WARNING: the TFTP server needs to be on a segment directly connected to the switch port you specify. The downloader asks only for a port, a speed, a local address, a server address and a subnet mask (there is no gateway prompt), so the server cannot be reached through a router. Note also what this menu hands to anyone holding a console cable: "d" will program whatever agent image a TFTP server offers, and "i" wipes the configuration flash, so treat physical access to the console port as administrative access to the switch.
Download Agent Code

Enter Port Number [ ]:
Enter Speed: 10, 100, 1000 [ ]:
Enter Local IP Address [ 0.0.0.0 ]: 10.10.10.15 (IP given to Switch)
Enter Server IP Address [ 0.0.0.0 ]: 10.10.10.1 (IP of local TFTP server)
Enter Subnet Mask [ 255.255.255.0 ]:
Enter Filename: boss_1234.img
Wait..
TFTP: Sending Open: .aaaaa.a
TFTP: Open
...............................................................
.............................................................
Len= 0x20795E= 2128222. (@1200000)
Agent Version= 5.0.0.0 ModelMask= 0x1C
Program y/N [ N ]: y (Press y)
Erasing - Wait 56 sec..
Programming - Wait 96 sec..
Once the download is complete you'll need to start the new agent code by selecting "a".
Starting Agent Code..

Decompressing the image ...
Target Name: vxTarget
User: target
Attaching network interface idtip0... done.
Attaching network interface lo0... done.

Completing initialization...
At this point the switch should be booting normally, although it may take around 2 minutes for it to fully initialize the software and load the configuration.

Cheers!

Saturday, January 12, 2008

ERS 8600 Access Policy

Protecting your network switches from unauthorized access should be high on everyone's list these days. It's clear that an insecure switch is a liability in any network topology. In the vast majority of cases this means at least changing the default usernames and passwords along with the SNMP community strings. In environments where you need additional access security you can use the Ethernet Routing Switch 8600 Access Policy to restrict administrative access to the switch. This lets you define which networks should have access and which services they may use.

In the example below I'm allowing access from the network 10.1.1.0/24 for FTP, HTTP, SNMP (v3, plus the v1/v2c community groups admin, v1v2grp and readgrp), SSH, TELNET and TFTP.

ERS-8610:5# config sys access-policy policy 10 create
ERS-8610:5# config sys access-policy policy 10 network 10.1.1.0/24
ERS-8610:5# config sys access-policy policy 10 service ftp enable
ERS-8610:5# config sys access-policy policy 10 service http enable
ERS-8610:5# config sys access-policy policy 10 service snmpv3 enable
ERS-8610:5# config sys access-policy policy 10 service ssh enable
ERS-8610:5# config sys access-policy policy 10 service telnet enable
ERS-8610:5# config sys access-policy policy 10 service tftp enable
ERS-8610:5# config sys access-policy policy 10 snmp-group-add admin snmpv1
ERS-8610:5# config sys access-policy policy 10 snmp-group-add admin snmpv2c
ERS-8610:5# config sys access-policy policy 10 snmp-group-add v1v2grp snmpv1
ERS-8610:5# config sys access-policy policy 10 snmp-group-add v1v2grp snmpv2c
ERS-8610:5# config sys access-policy policy 10 snmp-group-add readgrp snmpv1
ERS-8610:5# config sys access-policy policy 10 snmp-group-add readgrp snmpv2c
ERS-8610:5# config sys access-policy policy 10 enable
Just don't forget to enable the access policy feature globally:
ERS-8610:5# config sys access-policy enable true
You could also use host masks (a /32) instead of network masks if you wish to allow only specific management stations to reach the switch. Two cautions: do this from the console, or from a station inside a network you are permitting, because once the feature is enabled management sessions from addresses that match no enabled policy are refused; and remember that FTP, HTTP, TELNET, TFTP and SNMPv1/v2c still cross the wire in cleartext, so a policy limits who can reach those services but does not protect the credentials they carry. Enable only the services you actually use.
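As an added example (my own code, not part of the original post and not Nortel's), the checker below parses the access-policy commands above, answers "may this station use this service?" for a given source address, and lists the cleartext services an enabled policy still admits. It assumes that, once "access-policy enable true" is set, a request matching no enabled policy is denied, that the "network" argument is an ordinary CIDR prefix (a /32 being the host-mask case), and that the snmp-group-add entries gate SNMPv1/v2c by community group name. Policy 20 in the embedded configuration is a constructed host-mask example, not from the post.

```python
# Added example, not from the post: offline evaluator for ERS 8600 access-policy lines.
import ipaddress
import re

PROMPT = re.compile(r"^\S+#\s*")
RULE = re.compile(
    r"config sys access-policy policy (?P<id>\d+) "
    r"(?P<verb>create|enable|network|service|snmp-group-add)"
    r"(?: (?P<a>\S+))?(?: (?P<b>\S+))?"
)
# Services whose credentials and payload cross the wire unencrypted.
CLEARTEXT = {"telnet", "ftp", "tftp", "http", "snmpv1", "snmpv2c"}


def parse_policies(cli_text):
    """Return {policy_id: {"network", "services", "snmp", "enabled"}} from CLI lines."""
    policies = {}
    for raw in cli_text.splitlines():
        line = PROMPT.sub("", raw.strip())   # drop the "ERS-8610:5# " prompt
        m = RULE.match(line)
        if not m:
            continue
        pol = policies.setdefault(int(m["id"]), {"network": None, "services": set(),
                                                 "snmp": set(), "enabled": False})
        verb, a, b = m["verb"], m["a"], m["b"]
        if verb == "network":
            pol["network"] = ipaddress.ip_network(a, strict=False)
        elif verb == "service" and b == "enable":
            pol["services"].add(a)
        elif verb == "snmp-group-add":
            pol["snmp"].add((a, b))           # (community group, snmpv1 | snmpv2c)
        elif verb == "enable":
            pol["enabled"] = True
    return policies


def allowed(policies, src_ip, service, snmp_group=None):
    """Id of the enabled policy permitting (src_ip, service), or None (assumed default deny)."""
    ip = ipaddress.ip_address(src_ip)
    for pid, pol in sorted(policies.items()):
        if not pol["enabled"] or pol["network"] is None or ip not in pol["network"]:
            continue
        if service in ("snmpv1", "snmpv2c"):
            if (snmp_group, service) in pol["snmp"]:
                return pid
        elif service in pol["services"]:
            return pid
    return None


def cleartext_exposure(policies):
    """(policy_id, service) pairs where an enabled policy still admits a cleartext service."""
    findings = set()
    for pid, pol in policies.items():
        if not pol["enabled"]:
            continue
        findings.update((pid, svc) for svc in pol["services"] & CLEARTEXT)
        findings.update((pid, ver) for _group, ver in pol["snmp"])
    return sorted(findings)


# Constructed copy of the post's policy 10, plus a host-mask policy 20 for illustration.
POST_CONFIG = """
ERS-8610:5# config sys access-policy policy 10 create
ERS-8610:5# config sys access-policy policy 10 network 10.1.1.0/24
ERS-8610:5# config sys access-policy policy 10 service ftp enable
ERS-8610:5# config sys access-policy policy 10 service http enable
ERS-8610:5# config sys access-policy policy 10 service snmpv3 enable
ERS-8610:5# config sys access-policy policy 10 service ssh enable
ERS-8610:5# config sys access-policy policy 10 service telnet enable
ERS-8610:5# config sys access-policy policy 10 service tftp enable
ERS-8610:5# config sys access-policy policy 10 snmp-group-add admin snmpv1
ERS-8610:5# config sys access-policy policy 10 snmp-group-add admin snmpv2c
ERS-8610:5# config sys access-policy policy 10 snmp-group-add readgrp snmpv2c
ERS-8610:5# config sys access-policy policy 10 enable
ERS-8610:5# config sys access-policy policy 20 create
ERS-8610:5# config sys access-policy policy 20 network 10.1.5.7/32
ERS-8610:5# config sys access-policy policy 20 service ssh enable
ERS-8610:5# config sys access-policy policy 20 enable
"""

if __name__ == "__main__":
    pols = parse_policies(POST_CONFIG)
    print("ssh from 10.1.1.25  ->", allowed(pols, "10.1.1.25", "ssh"))
    print("telnet from 10.1.5.7 ->", allowed(pols, "10.1.5.7", "telnet"))
    print("cleartext exposure   ->", cleartext_exposure(pols))
```

Paste your own "show" output or saved config into POST_CONFIG; the exposure list is the thing to review before you enable the feature, since each entry is a cleartext service you have just declared reachable.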

Cheers!

Wednesday, January 9, 2008

ERS 8600 (ipNetToMediaIfIndex)

There was a recent comment about a Usenet posting I made back in 2002 in comp.protocols.snmp.

In the post I was responding to someone looking for information on how to decode the value returned from ipNetToMediaIfIndex when querying an ERS 8600 switch. Thankfully Shane (Nortel) was able to help me come up with the formula.

card = ( $value AND 62914560 ) / 4194304
port = (( $value AND 4128768) / 65536 ) + 1
In other words the switch packs the slot and port into one 32-bit integer: 62914560 is 0x3C00000 (bits 22 to 25 hold the card number) and 4128768 is 0x3F0000 (bits 16 to 21 hold the port number minus one); dividing by 4194304 (2^22) and 65536 (2^16) just shifts those fields down. With that formula you can walk the ipNetToMediaTable and retrieve the entire ARP table, giving you the card and port number, MAC address and IP address for each entry.

The next issue was how to deal with MultiLink Trunk interfaces. In this case (and with my current software code) I build a table of all the MLT interfaces prior to polling the ipNetToMediaTable. I still use Perl but it shouldn't be very hard to convert to PHP.
# $sess is an already-opened SNMP::Session (net-snmp's SNMP.pm) to the ERS 8600
# rcMltNumMlts
$nummlts = $sess->get("rcMltNumMlts.0");

for ($i = 1; $i <= $nummlts; $i++) {
    # rcMltName
    $mltname[$i] = $sess->get("rcMltName.$i");
    # rcMltId
    $mltindex[$i] = $sess->get("rcMltId.$i");
    # rcMltIfIndex
    $mltifindex[$i] = $sess->get("rcMltIfIndex.$i");
    print "DEBUG: MltId = $i and MltName = $mltname[$i] and MltIndex = $mltindex[$i] and MltIfIndex = $mltifindex[$i]\n" if ($DEBUG);
};
Now that we have the rcMltTable in an array we can walk the ipNetToMediaTable and match up any entries. Here's the code I use (again it's Perl but you should be able to convert to PHP);
# @vals holds one ipNetToMediaTable row: $vals[0] = ipNetToMediaIfIndex, $vals[1] = ipNetToMediaNetAddress
# Evaluate with bitwise operation
$card = (($vals[0] & 62914560) / 4194304);
$port = (($vals[0] & 4128768) / 65536) + 1;

# Evaluate to determine if port is a MLT (card 0 means the index refers to an MLT id, not a physical port)
if ($card != 0) {
    $intf = (((64 * $card) + $port) - 1);
    print "DEBUG: $vals[1] address found on card $card port $port\n";
} else {
    $mlt = 1;
    print "DEBUG: $vals[1] address found on MLT $mltname[$port]\n";
} # end else
Hopefully that doesn't look too complicated. The important piece here is that you need to merge the rcMltTable with the ipNetToMediaTable to get your results. If you name the MLT with something meaningful you can then return that string to the application that is making the query.

I wrote a Perl application that would search the ARP table of an Ethernet Routing Switch 8600 dynamically for a specific IP address entry. Here's an example of the output;
Nortel Passport 8600 Gigabit Switch IP ARP Table Search

Initializing query for sw-ccr-8600.datacenter.acme.org for IP address 1.1.1.10...

sysDescr = ERS-8610 (4.1.3.0)
sysObjectID = .1.3.6.1.4.1.2272.30
sysUpTime = 169 Days 6 Hours 43 mins 11 secs
sysContact = Acme Network Infrastructure Team
sysName = sw-ccr-8600.datacenter.acme.org
sysLocation = USA

Please be patient it may take a while to complete the search...

DEVICE FOUND

1.1.1.10 (000AE4753FC9) address found on MLT SMLT-5500

We searched through 1183 forwarding records...

That's all folks!
I will look to publish the complete code on my website sometime in the near future.
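Since the complete application was not published on this page, here is an added example of my own (not the author's Perl tool) that carries the same idea through in Python: decode ipNetToMediaIfIndex with the masks above, merge the result with the rcMltTable so MLT entries get their names, and run the "search the ARP table for an IP" query the output above shows. The ARP rows and MLT names are constructed sample data, not real switch output; the actual SNMP walks of ipNetToMediaTable and rcMltTable are left to whatever SNMP library you use (the post's Perl does them with SNMP.pm), and their rows are fed into these functions.

```python
# Added example, not from the post: ipNetToMediaIfIndex decoding and rcMltTable merge in Python.
CARD_MASK = 0x3C00000  # 62914560 in the post: bits 22..25 hold the card (slot) number
PORT_MASK = 0x3F0000   # 4128768 in the post: bits 16..21 hold the port number minus one
CARD_SHIFT, PORT_SHIFT = 22, 16  # 4194304 == 1 << 22, 65536 == 1 << 16


def decode_if_index(value):
    """Return (card, port) for one ipNetToMediaIfIndex value.

    card == 0 means the entry was learned over a MultiLink Trunk and 'port'
    is the MLT id (the rcMltTable index), not a physical port.
    """
    if not 0 <= value < (1 << 32):
        raise ValueError("ipNetToMediaIfIndex is a 32-bit integer")
    card = (value & CARD_MASK) >> CARD_SHIFT
    port = ((value & PORT_MASK) >> PORT_SHIFT) + 1
    return card, port


def port_if_index(card, port):
    """The ifIndex arithmetic the Perl uses for a physical port: 64*card + port - 1."""
    return 64 * card + port - 1


def make_if_index(card, port):
    """Inverse of decode_if_index; used here only to build the sample table."""
    return (card << CARD_SHIFT) | ((port - 1) << PORT_SHIFT)


def format_mac(phys):
    """ipNetToMediaPhysAddress (6 raw bytes) as the post prints it: 12 upper-case hex digits."""
    return bytes(phys).hex().upper()


def resolve_arp_table(rows, mlt_names):
    """rows: (ipNetToMediaIfIndex, ipNetToMediaPhysAddress, ipNetToMediaNetAddress) tuples.

    mlt_names: {rcMltId: rcMltName}. Returns one dict per ARP entry with the
    location rendered the way the post's search tool prints it.
    """
    out = []
    for value, phys, ip in rows:
        card, port = decode_if_index(value)
        if card != 0:
            where, ifindex = f"card {card} port {port}", port_if_index(card, port)
        else:
            where, ifindex = f"MLT {mlt_names.get(port, f'<unnamed MLT {port}>')}", None
        out.append({"ip": ip, "mac": format_mac(phys), "card": card, "port": port,
                    "ifindex": ifindex, "where": where})
    return out


def find_ip(rows, mlt_names, target):
    """The post's search: (matching entry or None, number of records examined)."""
    examined = 0
    for entry in resolve_arp_table(rows, mlt_names):
        examined += 1
        if entry["ip"] == target:
            return entry, examined
    return None, examined


# Constructed sample data (not real switch output): three MLTs and four ARP rows.
SAMPLE_MLTS = {1: "MLT-CORE", 5: "SMLT-5500", 6: "SMLT-5520"}
SAMPLE_ARP = [
    (make_if_index(0, 5), bytes.fromhex("000AE4753FC9"), "1.1.1.10"),   # learned over SMLT-5500
    (make_if_index(1, 3), bytes.fromhex("0017D1573000"), "1.1.1.20"),   # card 1 port 3
    (make_if_index(4, 48), bytes.fromhex("0018B0CCF010"), "1.1.1.30"),  # card 4 port 48
    (make_if_index(0, 2), bytes.fromhex("001B254C7400"), "1.1.1.40"),   # MLT 2, no name in table
]

if __name__ == "__main__":
    hit, n = find_ip(SAMPLE_ARP, SAMPLE_MLTS, "1.1.1.10")
    print(f"{hit['ip']} ({hit['mac']}) address found on {hit['where']}")
    print(f"We searched through {n} forwarding records...")
```

The guard in decode_if_index matters in practice: a buggy walk that hands you a counter or a string instead of the ifIndex integer should fail loudly rather than report a plausible-looking card and port.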

Cheers!

Monday, January 7, 2008

Nortel Ethernet Switch Features

This is a great document that outlines the Nortel Ethernet Switch product line and highlights the major feature sets.

Ethernet Switching Feature Matrix July 2007 Public Version.pdf

This is public information so hopefully I won't be getting any nasty email messages from anyone.

Cheers!

UPDATE: April 3, 2008

Here's a new version of the Ethernet Switching Feature Matrix dated November 2007.


Sunday, December 30, 2007

Default Nortel Ethernet Switch Usernames

If you've ever tried to connect to the web interface of a Nortel Ethernet Switch 460/470 or Ethernet Routing Switch 5510/5520/5530 you might have found that you need to provide a username.

In software release v3.7.x for the Nortel Ethernet Switch 460/470 you'll also find that you now need to provide a username when you telnet into the switch (in previous releases you were only prompted for a password, now you are prompted for a username and password).

Interestingly enough you cannot change the default usernames (at least I don't believe you can).

For the above mentioned switches there are only two levels of access, read-write and read-only.

The default username for the read-write user level is RW.
The default username for the read-only user level is RO.

Updated 1/16/08: I should have included the default passwords for those two accounts.
The default password for the read-write user level is "secure".
The default password for the read-only user level is "user".
Since both defaults are widely published, change the two passwords before the switch goes into service.

Cheers!

Friday, December 28, 2007

Upgrade Software Nortel ERS 8600

Here's a question that I've been asked over and over again.

How can I upgrade the software of a Nortel ERS 8600 Switch?

It's actually very easy and only takes a few minutes (along with a reboot). If you have dual CPUs (8690SF, 8691SF, 8692SF) you're going to need to upgrade both CPUs. If you're running in an HA (High Availability) configuration you probably shouldn't be reading this. I'll assume that anyone with dual CPUs is running them in a standby configuration. I generally like to upgrade the standby CPU first and then upgrade the primary CPU; the switch will fail over to the standby CPU once the primary CPU starts to reboot.

You'll need a TFTP server to host the software files. I generally use the TFTP server that comes with Linux (CentOS), however, you can use TFTPD32 by Philippe Jounin on Windows XP/2003. Just drop the TFTPD32 files in the same directory with the Nortel ERS 8600 software release and run the executable.

For this example let's assume that the primary (active) CPU is in slot 5 and the standby CPU is in slot 6. Once you have the TFTP server set up we can telnet into the switch. If you don't have telnet enabled in the boot.cfg file you'll need to console up to the switch. You may also need to clean up the /flash/ filesystem depending on which switch fabric you have installed in the chassis. I believe the 8692SF comes with 64 MB of flash memory and a 64 MB PCMCIA card.
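Both this upgrade (the "copy <server>:<file> /flash/<file>" step below) and the boot-diagnostic "d" download in the "Agent Not Found" post above are TFTP read requests issued by the switch, so the server you run on your laptop is the thing that decides which file ends up in the switch. As an added example (my own code, not from the post and not TFTPD32 or the Linux tftp server mentioned above), here is a minimal read-only TFTP server in plain Python, RFC 1350 octet mode only, that serves exactly one directory and refuses writes, other modes, dot-files and any path that escapes that directory. It assumes you bind it to the address of the interface cabled to the switch (10.10.10.1 in the first post's example; anything else is an assumption) so it never listens on a production network, and that the directory holds only the images you intend to push. The self-test pushes a constructed 1280-byte "image" through the transfer loop to an in-process client.

```python
# Added example, not from the post: read-only TFTP server, RFC 1350 octet mode only.
import os
import socket
import struct
import tempfile
import threading

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512


def parse_request(pkt):
    """Parse an RRQ/WRQ packet into (opcode, filename, mode)."""
    if len(pkt) < 4:
        raise ValueError("short packet")
    opcode = struct.unpack("!H", pkt[:2])[0]
    if opcode not in (RRQ, WRQ):
        raise ValueError("not a TFTP request")
    fields = pkt[2:].split(b"\x00")
    if len(fields) < 3:  # filename, mode, then the empty field after the final NUL
        raise ValueError("malformed request")
    return opcode, fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()


def resolve(root, name):
    """Confine a requested name to root: no separators, no dot-files, no traversal."""
    if not name or "/" in name or "\\" in name or name.startswith("."):
        raise PermissionError(name)
    path = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(path) != os.path.realpath(root) or not os.path.isfile(path):
        raise PermissionError(name)
    return path


def data_packet(block, chunk):
    return struct.pack("!HH", DATA, block & 0xFFFF) + chunk


def error_packet(code, msg):
    return struct.pack("!HH", ERROR, code) + msg.encode("ascii") + b"\x00"


def send_file(sock, peer, path, timeout=3.0, retries=5):
    """Stream path to peer in 512-byte blocks, resending each until its ACK arrives."""
    sock.settimeout(timeout)
    block = 1
    with open(path, "rb") as f:
        while True:
            chunk = f.read(BLOCK)
            pkt = data_packet(block, chunk)
            for _ in range(retries):
                sock.sendto(pkt, peer)
                try:
                    resp, src = sock.recvfrom(4 + BLOCK)
                except socket.timeout:
                    continue
                if src == peer and struct.unpack("!HH", resp[:4]) == (ACK, block & 0xFFFF):
                    break
            else:
                return False  # peer stopped answering
            if len(chunk) < BLOCK:  # a short (or empty) block ends the transfer
                return True
            block += 1


def serve(root, bind_addr, port=69):
    """Answer read requests for files in root; each transfer gets its own socket (TID)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind((bind_addr, port))
    while True:
        pkt, peer = listener.recvfrom(4 + BLOCK)
        try:
            opcode, name, mode = parse_request(pkt)
            if opcode != RRQ or mode != "octet":
                raise PermissionError("read-only, octet mode only")
            path = resolve(root, name)
        except (ValueError, PermissionError) as exc:
            listener.sendto(error_packet(2, f"refused: {exc}"), peer)
            continue
        xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        xfer.bind((bind_addr, 0))
        threading.Thread(target=send_file, args=(xfer, peer, path), daemon=True).start()


def loopback_selftest(size=1280):
    """Push a constructed image through send_file to an in-process client; (intact?, bytes)."""
    root = tempfile.mkdtemp()
    payload = bytes(range(256)) * (size // 256)
    with open(os.path.join(root, "p80a4154.img"), "wb") as f:
        f.write(payload)
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.bind(("127.0.0.1", 0))
    cli.settimeout(5)
    t = threading.Thread(target=send_file, args=(srv, cli.getsockname(), resolve(root, "p80a4154.img")))
    t.start()
    got = b""
    while True:
        pkt, src = cli.recvfrom(4 + BLOCK)
        op, blk = struct.unpack("!HH", pkt[:4])
        got += pkt[4:]
        cli.sendto(struct.pack("!HH", ACK, blk), src)  # acknowledge every block
        if op != DATA or len(pkt) - 4 < BLOCK:
            break
    t.join()
    return got == payload, len(got)


if __name__ == "__main__":
    print("loopback self-test:", loopback_selftest())  # then: serve("/srv/tftp", "10.10.10.1")
```

Run it as root (port 69) from the directory holding only the release files, and stop it when the copies are done; TFTP has no authentication and no integrity check, so after each "copy" compare the file size on the switch with the one on the server before you point boot.cfg at the new image.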

Trying 10.1.1.10...
Connected to 10.1.1.10 (10.1.1.10).
Escape character is '^]'.

**************************************************
* Copyright (c) 2007 Nortel, Inc. *
* All Rights Reserved *
* Ethernet Routing Switch 8010 *
* Software Release 4.1.5.4 *
**************************************************

Login: rwa
Password: ***

ERS-8610:5#
If you're not sure which files you need you should consult the Nortel documentation. You will definitely need the boot (p80b4154.img) and agent (p80a4154.img) files at a minimum. I have daughter processors (SuperMezz cards) in my 8692SFs so I also need that software (p80m4154.img). I also have R cards in my chassis so I need the image for those (p80j4154.dld). I don't have any ATM cards so I don't have that software included below. The TFTP server I'm using has the IP address of 10.101.20.1.

Copy software to primary CPU
ERS-8610:5# copy 10.101.20.1:p80a4154.img /flash/p80a4154.img
ERS-8610:5# copy 10.101.20.1:p80b4154.img /flash/p80b4154.img
ERS-8610:5# copy 10.101.20.1:p80c4154.img /flash/p80c4154.img
ERS-8610:5# copy 10.101.20.1:p80c4154.aes /flash/p80c4154.aes
ERS-8610:5# copy 10.101.20.1:p80j4154.dld /flash/p80j4154.dld
ERS-8610:5# copy 10.101.20.1:p80m4154.img /flash/p80m4154.img
We make the configuration changes to the boot.cfg file;
ERS-8610:5# config bootconfig choice primary image-file "/flash/p80a4154.img"
ERS-8610:5# config bootconfig choice secondary image-file "/flash/p80a4150.img"
ERS-8610:5# save config
Save config to file /flash/config.cfg successful.
Save to standby file /flash/config.cfg successful.
ERS-8610:5# save bootconfig
Save bootconfig to file /flash/boot.cfg successful.
Save to standby file /flash/boot.cfg successful.
Copy software to standby CPU and upgrade

With the software now on the primary CPU in the /flash directory we can transfer the software to the standby CPU and upgrade that component. We'll telnet from the primary CPU to the standby CPU so we can issue our commands. Alternately we could also console up to the standby CPU.
ERS-8610:5# peer telnet
Trying 127.0.0.6 ...

Connected to 127.0.0.6
Escape character is '^]'
**************************************************
* Copyright (c) 2007 Nortel, Inc. *
* All Rights Reserved *
* Ethernet Routing Switch 8010 *

* Software Release 4.1.5.4 *
**************************************************
Login: rwa
Password: ***
@ERS-8610:6#
Now that we're connected to the standby CPU let's copy the files from the primary CPU. It's important to note that tftpd must be enabled on the primary CPU in the boot.cfg file ("flags tftpd true"). That flag enables an unauthenticated TFTP server on the CPU, so turn it back off once the upgrade is done unless you have another reason to leave it on.
@ERS-8610:6# copy 127.0.0.5:p80a4154.img /flash/p80a4154.img
@ERS-8610:6# copy 127.0.0.5:p80b4154.img /flash/p80b4154.img
@ERS-8610:6# copy 127.0.0.5:p80c4154.img /flash/p80c4154.img
@ERS-8610:6# copy 127.0.0.5:p80c4154.aes /flash/p80c4154.aes
@ERS-8610:6# copy 127.0.0.5:p80j4154.dld /flash/p80j4154.dld
@ERS-8610:6# copy 127.0.0.5:p80m4154.img /flash/p80m4154.img
Now that we have the files let's perform the actual upgrade and reset the CPU.
@ERS-8610:6# boot /flash/p80b4154.img
Are you sure you want to re-boot the switch (y/n) ? y
@ERS-8610:6#
You should wait until the standby CPU has upgraded its boot code and loaded the new agent code before doing anything with the primary CPU. It's also a good idea to confirm that the standby is up and operational before you touch the primary CPU.

Now all you need to do is upgrade the primary CPU:
ERS-8610:5# boot /flash/p80b4154.img
Are you sure you want to re-boot the switch (y/n) ? y
ERS-8610:5#
The switch will boot the boot image and upgrade the boot PROM, after which it will reboot again and load the new agent code we specified in the boot.cfg file. If you have a standby CPU, the standby CPU will become the active CPU. If you don't have a standby CPU in the switch you'll just need to wait for the switch to come back online. This should only take about 3 minutes.

Cheers!

Wednesday, December 26, 2007

Factory Reset Nortel Ethernet Routing Switch

I've received a few inquiries about how to reset the password and configuration on a Nortel Ethernet Routing Switch 8600. In a previous article I showed everyone how to reset the configuration (and password) of a Nortel Ethernet Switch (including the ERS 5500 series) but not a Nortel Ethernet Routing Switch.

As with the previous procedure you'll need access to the console port on the switch. Specifically you'll need to cable up (9600,8,N,1) to the CPU (8690SF, 8691SF, 8692SF) you wish to reset.

If you've lost the password... cold boot the chassis while connected to the console port. When the switch starts to boot you should see something similar to the following (depending on the version of software installed);

Copyright (c) 2007 Nortel, Inc.
CPU Slot 5: PPC 745 Map B
Version: 4.1.5.4
Creation Time: Dec 17 2007, 15:31:21
Hardware Time: DEC 26 2007, 16:19:24 UTC
Memory Size: 0x10000000
Start Type: cold
SMI ZOOMCF
can't open "/pcmcia/pcmboot.cfg" 0x380003
S_dosFsLib_FILE_NOT_FOUND
/flash/ - Volume is OK
Change volume Id from 0x0 to 0x1a5

Loaded boot configuration from file /flash/boot.cfg
Attaching network interface lo0... done.

Press <Return> to stop auto-boot...
1
You'll need to interrupt the boot process by hitting the Return key before the countdown expires. You should be greeted with a monitor prompt;
monitor#
From here you'll be able to issue a command to clear the passwords stored in NV RAM;
monitor# reset-passwd
monitor#
Now just go ahead and reset the CPU and you should be able to login with the default username (rwa) and password (rwa).
monitor# reset

CPU Slot 5: PPC 745 Map B
Version: 4.1.5.4
Creation Time: Dec 17 2007, 15:31:21
Hardware Time: DEC 26 2007, 16:25:09 UTC
Memory Size: 0x10000000
Start Type: cold
SMI ZOOMCF
can't open "/pcmcia/pcmboot.cfg" 0x380003
S_dosFsLib_FILE_NOT_FOUND
/flash/ - Volume is OK
Change volume Id from 0x0 to 0x1a5

Loaded boot configuration from file /flash/boot.cfg
Attaching network interface lo0... done.

Press <Return> to stop auto-boot...
Loading /flash/p80a4154.img ... 8761414 to 25459172 (25459172)
Starting at 0x10000...

SMI ZOOMCF
Booting PMC280 Mezz HW please wait
. The BootCode address is 0x2b00100 3303
.
Mezz taking over console and modem......
Mezz CPU Booted successfully


Initializing backplane net with anchor at 0x4100... done.
Backplane anchor at 0x4100... ..
Mounting /flash: .done.


Ethernet Routing Switch 8600 System Software Release 4.1.5.4
Copyright (c) 1996-2007 Nortel, Inc.

CPU5 [10/26/99 11:26:25] SW INFO System boot
CPU5 [10/26/99 11:26:25] SW INFO ERS System Software Release 4.1.5.4
CPU5 [10/26/99 11:26:26] SW INFO CPU card entering warm-standby mode...
CPU5 [10/26/99 11:26:27] SW INFO Loading configuration from /flash/config.cfg

CPU5 [10/26/99 11:26:27] SW INFO PCMCIA card detected in Stand-by CPU "ERS-8610"
slot 5, Chassis S/N SSPND*****

**************************************************
* Copyright (c) 2007 Nortel, Inc. *
* All Rights Reserved *
* Ethernet Routing Switch 8010 *
* Software Release 4.1.5.4 *
**************************************************

Login:
You should now be able to login with the default RWA username of "rwa" and the default password of "rwa". Change it straight away. The procedure above also shows why the console port matters: anyone with a console cable and the ability to power-cycle the chassis can clear the passwords the same way, so physical access to the CPU's console port deserves the same protection as the rwa password itself.

If you wish to reset the configuration... you only need to delete the config.cfg file from the flash and reset the switch.

You should NOT delete the boot.cfg file unless you have a copy of the software on the PCMCIA card and know how to start the software using the boot command from monitor mode.

I believe the same monitor command is available for the Ethernet Routing Switch 1600 Series.

Cheers!

Sunday, December 16, 2007

ERS 8600 Users and Passwords

The Nortel Ethernet Routing Switch 8600 by default has six user accounts each with different levels of access. The "super-user" account is the rwa account and has access to the entire switch.

Default User ID: rwa
Default Password: rwa

Default User ID: rw
Default Password: rw

Default User ID: l3
Default Password: l3

Default User ID: l2
Default Password: l2

Default User ID: l1
Default Password: l1

Default User ID: ro
Default Password: ro

With the release of Nortel's Application Switch Blade for the ERS 8600 there are actually six additional access levels. If you are the network administrator of an ERS 8600 it's probably best to reset the passwords and/or disable the access levels that you are not using. You can accomplish this with the following commands. To change the passwords use the following (the two arguments are the access level and the username; the switch then prompts for the old and new password):

ERS-8600:5# config cli password rwa rwa
ERS-8600:5# config cli password rw rw
ERS-8600:5# config cli password l3 l3
ERS-8600:5# config cli password l2 l2
ERS-8600:5# config cli password l1 l1
ERS-8600:5# config cli password ro ro
In software release v4.x and higher the passwords will automatically be synced across both CPUs if there is more than one in the switch. In previous releases you would need to issue the commands above on both CPUs.

You can also disable the different access-levels with the following commands;
ERS-8600:5# config cli password access-level rw disable
ERS-8600:5# config cli password access-level l3 disable
ERS-8600:5# config cli password access-level l2 disable
ERS-8600:5# config cli password access-level l1 disable
ERS-8600:5# config cli password access-level l4admin disable
ERS-8600:5# config cli password access-level slbadmin disable
ERS-8600:5# config cli password access-level oper disable
ERS-8600:5# config cli password access-level l4oper disable
ERS-8600:5# config cli password access-level slboper disable
ERS-8600:5# config cli password access-level ssladmin disable
And don't forget to save your configuration and boot configuration with the following commands;
ERS-8600:5# save config
ERS-8600:5# save bootconfig
You should always change the default passwords in order to secure the network.

Cheers!

Tuesday, October 23, 2007

Nortel ERS 5520 PwR Switch (Part 2)

In my previous post I outlined all the commands that you would need to configure a Nortel Ethernet Routing Switch 5520 to support deploying Nortel's i2002/i2004 Internet Telephones using LLDP-MED in conjunction with ADAC (Automatic Detection and Automatic Configuration). If you followed the steps you're probably well on your way to getting things working. Unfortunately things can sometimes go wrong even with the best documentation and understanding of the product.

In this post I'm going to outline some of the basic commands you can use to troubleshoot any issues you might have between the ERS5520 and the i2002/i2004 phones.

Q. How can I check the log file?
A. show logging

ERS-5520#show logging
Type Time Idx Src Message
---- ----------------------- ---- --- -------
S 00:00:00:00 1 NVR SNTP: Could not sync to NTP servers.
S 2007-04-05 17:18:08 GMT 2 NVR SNTP: Could not sync to NTP servers.
S 2007-04-05 17:22:07 GMT 3 NVR Audit data initialized - incorrect magic number: 0xffffffff
I 2007-04-19 01:21:03 GMT 4 Web server starts service on port 80.
I 2007-04-19 01:21:19 GMT 5 IGMP: Unknown Multicast Filter disabled
I 2007-04-19 01:21:19 GMT 6 PoE Port Detection Status: Port 1 Status: Delivering Power
I 2007-04-19 01:21:22 GMT 7 PoE Port Detection Status: Port 35 Status: Delivering Power
I 2007-04-19 01:21:49 GMT 8 Port 0/47 reenabled by VLACP
I 2007-04-19 01:21:49 GMT 9 Port 0/48 reenabled by VLACP
I 2007-04-19 01:23:05 GMT 10 SNTP: First synchronization successful.
I 2007-04-19 01:23:18 GMT 11 Warm Start Trap
I 2007-04-19 01:23:19 GMT 12 Link Up Trap Port: 1
I 2007-04-19 01:23:20 GMT 13 Trap: pethPsePortOnOffNotification
I 2007-04-19 01:23:20 GMT 14 Trap: bsAdacPortConfigNotification for Port: 47, Config: Applied
Q. How can I check the state of a port?
A. show interfaces
ERS-5520#show interfaces 47,48
                 Status                Auto                       Flow
Port Trunk Admin   Oper Link LinkTrap Negotiation Speed    Duplex Control
---- ----- ------- ---- ---- -------- ----------- -------- ------ -------
47   1     Enable  Up   Up   Enabled  Enabled     1000Mbps Full   Asymm
48   1     Enable  Up   Up   Enabled  Enabled     1000Mbps Full   Asymm
Q. How can I check the VLACP state of a port?
A. show vlacp interface
ERS-5520#show vlacp interface 47,48
===============================================================================
                               VLACP Information
===============================================================================
PORT  ADMIN    OPER     HAVE     FAST  SLOW   TIMEOUT  TIMEOUT  ETH   MAC
      ENABLED  ENABLED  PARTNER  TIME  TIME   TYPE     SCALE    TYPE  ADDRESS
-------------------------------------------------------------------------------
0/47  true     true     yes      500   30000  short    3        8103  01:80:c2:00:11:00
0/48  true     true     yes      500   30000  short    3        8103  01:80:c2:00:11:00
Q. How can I check what FDB entries have been learned on a specific port?
A. show mac-address-table port
ERS-5520#show mac-address-table port 47
Mac Address Table Aging Time: 300
Number of addresses: 9

MAC Address Source MAC Address Source
----------------- -------- ----------------- --------
00-00-5E-00-01-01 Trunk: 1 00-15-40-45-68-00 Trunk: 1
00-17-D1-57-30-00 Trunk: 1 00-17-D1-57-30-10 Trunk: 1
00-17-D1-57-32-03 Trunk: 1 00-18-B0-CC-F0-00 Trunk: 1
00-18-B0-CC-F0-10 Trunk: 1 00-18-B0-CC-F2-01 Trunk: 1
00-1B-25-4C-74-00 Trunk: 1
Q. How can I check the FDB table for a specific MAC address?
A. show mac-address-table address
ERS-5520#show mac-address-table address 00:18:b0:cc:f0:10
Mac Address Table Aging Time: 300
Number of addresses: 1

MAC Address Source MAC Address Source
----------------- -------- ----------------- --------
00-18-B0-CC-F0-10 Trunk: 1
Q. How can I check to see if ADAC has been configured/enabled?
A. show adac
ERS-5520#show adac
ADAC Global Configuration
---------------------------------------
ADAC: Enabled
Operating Mode: Tagged Frames
Traps Control Status: Enabled
Voice-VLAN ID: 12
Call Server Port: None
Uplink Port: 48
Q. How can I check to see if ADAC has been applied to a specific port?
A. show adac interface

ERS-5520#show adac interface 20
Port Auto-Detection Auto-Configuration
---- -------------- ------------------
20 Enabled Applied
Q. How can I check to see the LLDP information with a specific port?
A. show lldp port neighbor detail

ERS-5520#show lldp port 20 neighbor detail
-------------------------------------------------------------------------------
lldp neighbor
-------------------------------------------------------------------------------
Port: 20 Index: 5 Time: 8 days, 13:47:49
ChassisId: Network address ipV4 192.168.100.101
PortId: MAC address 00:17:65:ff:e0:fc
SysCap: TB / TB (Supported/Enabled)
PortDesc: Nortel IP Phone
SysDescr: Nortel IP Telephone 2002, Firmware:0604DAS


PVID: 0 PPVID Supported: not supported(0)
VLAN Name List: none PPVID Enabled: none

Dot3-MAC/PHY Auto-neg: supported/enabled OperMAUtype: 100BaseTXFD
PSE MDI power: not supported/disabled Port class: PD
PSE power pair: signal/not controllable Power class: 2
LinkAggr: not aggregatable/not aggregated AggrPortID: 0
MaxFrameSize: 1522
PMD auto-neg: 10Base(T, TFD), 100Base(TX, TXFD)

MED-Capabilities: CNLDI / CNDI (Supported/Current)
MED-Device type: Endpoint Class 3
MED-Application Type: Voice VLAN ID: 12
L2 Priority: 6 DSCP Value: 46 Tagged Vlan, Policy defined
Med-Power Type: PD Device Power Source: Unknown
Power Priority: High Power Value: 5.4 Watt
HWRev: FWRev: 0604DAS
SWRev: SerialNumber:
ManufName: Nortel-01 ModelName: IP Phone 2002
AssetID:
-------------------------------------------------------------------------------
Port: 20 Index: 6 Time: 8 days, 13:48:20
ChassisId: Network address ipV4 10.119.241.50
PortId: MAC address 00:17:65:ff:e0:fc
SysCap: TB / TB (Supported/Enabled)
PortDesc: Nortel IP Phone
SysDescr: Nortel IP Telephone 2002, Firmware:0604DAS


PVID: 0 PPVID Supported: not supported(0)
VLAN Name List: 12 PPVID Enabled: none

Dot3-MAC/PHY Auto-neg: supported/enabled OperMAUtype: 100BaseTXFD
PSE MDI power: not supported/disabled Port class: PD
PSE power pair: signal/not controllable Power class: 2
LinkAggr: not aggregatable/not aggregated AggrPortID: 0
MaxFrameSize: 1522
PMD auto-neg: 10Base(T, TFD), 100Base(TX, TXFD)

MED-Capabilities: CNLDI / CNDI (Supported/Current)
MED-Device type: Endpoint Class 3
MED-Application Type: Voice VLAN ID: 12
L2 Priority: 6 DSCP Value: 46 Tagged Vlan, Policy defined
Med-Power Type: PD Device Power Source: Unknown
Power Priority: High Power Value: 5.4 Watt
HWRev: FWRev: 0604DAS
SWRev: SerialNumber:
ManufName: Nortel-01 ModelName: IP Phone 2002
AssetID:
-------------------------------------------------------------------------------
Sys capability: O-Other; R-Repeater; B-Bridge; W-WLAN accesspoint; r-Router;
T-Telephone; D-DOCSIS cable device; S-Station only.
Med Capabilities-C: N-Network Policy; L-Location Identification; I-Inventory;
S-Extended Power via MDI - PSE; D-Extended Power via MDI - PD.
Those are some of the commands that you might have to execute if you needed to perform troubleshooting between an ERS5520 and a i2002/i2004 phone.

Your DHCP server logs will be your friend during troubleshooting. If you don't see the phone making a DHCP request (or you see a request in the wrong VLAN) then check that ADAC was applied to the switch port. ADAC is the component that automatically adds the switch port the phone is connected to into the Voice VLAN. If ADAC is not applied (or not enabled) on the port you'll see that the port is only a member of the Data VLAN. Remember that ADAC detects phones by MAC address range, so check that the MAC address of your phone falls within one of the ranges in the ADAC MAC address table. The flip side of that design is worth keeping in mind: any device presenting a MAC address inside one of those ranges is treated as a phone and gets its port placed in the Voice VLAN, so keep the ranges as narrow as your phone population allows and don't treat the voice VLAN as more trustworthy than the data VLAN on that account.
5520-48T-PWR#show adac mac-range-table
Lowest MAC Address Highest MAC Address
------------------------ -------------------------
00-0A-E4-01-10-20 00-0A-E4-01-23-A7
00-0A-E4-01-70-EC 00-0A-E4-01-84-73
00-0A-E4-01-A1-C8 00-0A-E4-01-AD-7F
00-0A-E4-01-DA-4E 00-0A-E4-01-ED-D5
00-0A-E4-02-1E-D4 00-0A-E4-02-32-5B
00-0A-E4-02-5D-22 00-0A-E4-02-70-A9
00-0A-E4-02-D8-AE 00-0A-E4-02-FF-BD
00-0A-E4-03-87-E4 00-0A-E4-03-89-0F
00-0A-E4-03-90-E0 00-0A-E4-03-B7-EF
00-0A-E4-04-1A-56 00-0A-E4-04-41-65
00-0A-E4-04-80-E8 00-0A-E4-04-A7-F7
00-0A-E4-04-D2-FC 00-0A-E4-05-48-2B
00-0A-E4-05-B7-DF 00-0A-E4-06-05-FE
00-0A-E4-06-55-EC 00-0A-E4-07-19-3B
00-0A-E4-08-0A-02 00-0A-E4-08-7F-31
00-0A-E4-08-B2-89 00-0A-E4-09-75-D8
00-0A-E4-09-BB-9D 00-0A-E4-09-CF-24
00-0A-E4-09-FC-2B 00-0A-E4-0A-71-5A
00-0A-E4-0A-9D-DA 00-0A-E4-0B-61-29
00-0A-E4-0B-BB-FC 00-0A-E4-0B-BC-0F
00-0A-E4-0B-D9-BE 00-0A-E4-0C-9D-0D

Total Ranges: 21
If the MAC address of your i2002/i2004 phone does not match any of the MAC address ranges in the switch you'll need to add a range to include those MAC addresses. If the MAC address of your i2002 phone was 00:18:b0:11:22:33 you could use the following commands;
5520-48T-PWR> enable
5520-48T-PWR# config terminal
5520-48T-PWR (config)# adac mac-range-table low-end 00:18:b0:00:00:00 high-end 00:18:b0:ff:ff:ff
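As an added example (my own code, not the author's or Nortel's), the check below does the range comparison above offline: it parses "show adac mac-range-table" output, tells you whether a phone's MAC falls inside any range, and, when it doesn't, produces the OUI-wide "adac mac-range-table low-end ... high-end ..." command, the same form used in the companion configuration post on this page. The embedded table is a constructed three-line subset of the output shown above, not the full listing, and the 00:18:b0 phone MAC is the one from the text.

```python
# Added example, not from the post: ADAC MAC-range membership check and range generator.
import re

HEX2 = r"([0-9A-Fa-f]{2})"
MAC_RE = re.compile("[:-]".join([HEX2] * 6))
CMD_RE = re.compile(r"adac mac-range-table low-end (\S+) high-end (\S+)")


def mac_to_int(mac):
    """'00:18:b0:11:22:33' or '00-18-B0-11-22-33' -> 48-bit integer."""
    m = MAC_RE.fullmatch(mac.strip())
    if not m:
        raise ValueError(f"bad MAC: {mac!r}")
    return int("".join(m.groups()), 16)


def int_to_mac(n, sep=":"):
    return sep.join(f"{(n >> s) & 0xFF:02x}" for s in range(40, -1, -8))


def parse_show_output(text):
    """Ranges from 'show adac mac-range-table': one (low, high) per line holding two MACs."""
    ranges = []
    for line in text.splitlines():
        macs = MAC_RE.findall(line)          # list of 6-tuples of hex pairs
        if len(macs) == 2:
            lo, hi = (int("".join(groups), 16) for groups in macs)
            ranges.append((lo, hi))
    return ranges


def parse_config_commands(text):
    """Ranges from 'adac mac-range-table low-end X high-end Y' lines in a config."""
    return [(mac_to_int(lo), mac_to_int(hi)) for lo, hi in CMD_RE.findall(text)]


def covering_range(ranges, mac):
    """The (low, high) range containing mac, or None."""
    n = mac_to_int(mac)
    for lo, hi in ranges:
        if lo <= n <= hi:
            return lo, hi
    return None


def oui_range_command(mac):
    """Command admitting the whole OUI of mac, as the post does for 00:18:b0."""
    base = mac_to_int(mac) & 0xFFFFFF000000
    return f"adac mac-range-table low-end {int_to_mac(base)} high-end {int_to_mac(base | 0xFFFFFF)}"


def check_phone(ranges, mac):
    """(detected_by_adac, human-readable explanation) for one phone MAC."""
    hit = covering_range(ranges, mac)
    if hit:
        return True, f"{mac} is inside {int_to_mac(hit[0], '-')} .. {int_to_mac(hit[1], '-')}"
    return False, f"{mac} matches no ADAC range; add: {oui_range_command(mac)}"


# Constructed subset of the post's 'show adac mac-range-table' output (three of the 21 ranges).
SAMPLE_SHOW = """\
5520-48T-PWR#show adac mac-range-table
Lowest MAC Address       Highest MAC Address
------------------------ -------------------------
00-0A-E4-01-10-20        00-0A-E4-01-23-A7
00-0A-E4-01-70-EC        00-0A-E4-01-84-73
00-0A-E4-0B-D9-BE        00-0A-E4-0C-9D-0D

Total Ranges: 3
"""

if __name__ == "__main__":
    table = parse_show_output(SAMPLE_SHOW)
    for phone in ("00:0a:e4:01:20:00", "00:18:b0:11:22:33"):
        print(check_phone(table, phone)[1])
```

An OUI-wide range is the convenient fix, but it is also the widest net: whatever the switch sees with that OUI will be auto-configured as a phone, so prefer the narrower ranges when you know your phones' actual address blocks.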
You might think you could configure a port mirror and run a quick packet capture to understand what's going on... unfortunately you cannot configure any port with port mirroring that has ADAC enabled.

That's all for now.

The last step is the DHCP server so stay tuned.

Nortel ERS 5520 PwR Switch


In this post I'll try to outline how you can configure the Nortel Ethernet Routing Switch 5520 in a VoIP environment using Nortel i2002/i2004 Internet Telephones (this procedure will also work the same with the i2007/1120E/1140E phones).

You'll obviously need an ERS 5520 switch running SW 5.0.6.22 or later and FW 5.0.0.3 or later (there are known issues with earlier software versions that produce inconsistent results using LLDP with the i2002/i2004 phones). I would strongly advise that you start with a default configuration. From the CLI issue the following commands to reset the switch to factory defaults;

5520-48T-PWR> enable
5520-48T-PWR# boot default
The switch should reboot with a default configuration. Let's proceed with the configuration;
5520-48T-PWR> enable
5520-48T-PWR# configure terminal
Enable AUTOPVID;
5520-48T-PWR (config)# vlan configcontrol autopvid
We'll be uplinking this switch using a MultiLink trunk on ports 47 and 48 so we'll enable tagging on the fiber uplinks;
5520-48T-PWR (config)# vlan ports 47,48 tagging enable
Let's create the data VLAN (VID 100) and management VLAN (VID 200) on the switch;
5520-48T-PWR (config)# vlan members remove 1 ALL
5520-48T-PWR (config)# vlan create 200 name "10-1-200-0/24" type port
5520-48T-PWR (config)# vlan members add 200 47,48
5520-48T-PWR (config)# vlan create 100 name "10-1-100-0/24" type port
5520-48T-PWR (config)# vlan members add 100 1-48
5520-48T-PWR (config)# vlan port 1-46 pvid 100
5520-48T-PWR (config)# vlan port 47,48 pvid 200
Let’s make VLAN 200 the management VLAN and assign the IP address;
5520-48T-PWR (config)# vlan mgmt 200
5520-48T-PWR (config)# ip address switch 10.1.200.10 netmask 255.255.255.0 default-gateway 10.1.200.1

Let's set up Simple Network Management Protocol (SNMP). The community strings and trap host are not shown here; they are SNMPv1/v2c communities, which travel in cleartext, so choose values other than the defaults and treat them as passwords;
5520-48T-PWR (config)# snmp-server authentication-trap disable
5520-48T-PWR (config)# snmp-server community ro
5520-48T-PWR (config)# snmp-server community rw
5520-48T-PWR (config)# snmp-server host
Let’s configure the logging so it will overwrite the oldest events;
5520-48T-PWR (config)#logging volatile overwrite
5520-48T-PWR (config)#logging enable
Let’s setup Simple Network Time Protocol (SNTP);
5520-48T-PWR (config)# sntp server primary address
5520-48T-PWR (config)# sntp server secondary address
5520-48T-PWR (config)# sntp enable
Let’s setup the MultiLink trunk that will connect the switch back to the backbone;
5520-48T-PWR (config)# mlt 1 disable
5520-48T-PWR (config)# mlt 1 name "MLT-8600"
5520-48T-PWR (config)# mlt 1 learning disable
5520-48T-PWR (config)# mlt 1 member 47,48
5520-48T-PWR (config)# mlt 1 enable

Let’s setup ADAC (Automatic Detection and Automatic Configuration) for our i2002/i2004 phones. We’ll be using VLAN 50 as our voice VLAN and we’ll use port 48 as our uplink (the switch will add 47 automatically because of the MLT configuration).
5520-48T-PWR (config)# adac voice-vlan 50
5520-48T-PWR (config)# adac op-mode tagged-frames
5520-48T-PWR (config)# adac uplink-port 48
5520-48T-PWR (config)# adac mac-range-table low-end 00:18:b0:00:00:00 high-end 00:18:b0:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:16:ca:00:00:00 high-end 00:16:ca:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:17:65:00:00:00 high-end 00:17:65:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:0a:e4:75:00:00 high-end 00:0a:e4:75:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:14:c2:00:00:00 high-end 00:14:c2:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:19:69:00:00:00 high-end 00:19:69:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:19:e1:00:00:00 high-end 00:19:e1:ff:ff:ff
5520-48T-PWR (config)# adac enable
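ADAC only treats a device as an IP phone if its MAC address falls inside one of the mac-range-table entries above, so a phone from an OUI that is not in the table will simply land in the data VLAN. The following script is an added example (not from the original post or from Nortel) that parses the table as configured above and reports which entry, if any, covers a given phone MAC; the sample MACs at the bottom are constructed.

```python
import re

# The low-end/high-end pairs from the "adac mac-range-table" commands above.
ADAC_MAC_RANGES = [
    ("00:18:b0:00:00:00", "00:18:b0:ff:ff:ff"),
    ("00:16:ca:00:00:00", "00:16:ca:ff:ff:ff"),
    ("00:17:65:00:00:00", "00:17:65:ff:ff:ff"),
    ("00:0a:e4:75:00:00", "00:0a:e4:75:ff:ff"),
    ("00:14:c2:00:00:00", "00:14:c2:ff:ff:ff"),
    ("00:19:69:00:00:00", "00:19:69:ff:ff:ff"),
    ("00:19:e1:00:00:00", "00:19:e1:ff:ff:ff"),
]

_MAC_RE = re.compile(r"^[0-9a-f]{2}([:-][0-9a-f]{2}){5}$")


def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff (or aa-bb-cc-dd-ee-ff, any case) into a 48-bit int."""
    mac = mac.strip().lower()
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(mac.replace(":", "").replace("-", ""), 16)


def parse_ranges(ranges):
    """Convert the textual table into (low, high) integer pairs, rejecting inverted entries."""
    parsed = []
    for low, high in ranges:
        lo, hi = mac_to_int(low), mac_to_int(high)
        if lo > hi:
            raise ValueError(f"inverted range {low} - {high}")
        parsed.append((lo, hi))
    return parsed


def matching_range(mac: str, ranges=ADAC_MAC_RANGES):
    """Return the table entry that covers `mac`, or None if ADAC would not detect it."""
    value = mac_to_int(mac)
    for entry, (lo, hi) in zip(ranges, parse_ranges(ranges)):
        if lo <= value <= hi:
            return entry
    return None


def adac_detects(mac: str, ranges=ADAC_MAC_RANGES) -> bool:
    """True when the MAC falls inside a configured range (a detection heuristic, not authentication)."""
    return matching_range(mac, ranges) is not None


if __name__ == "__main__":
    # Constructed sample MACs: two inside the table, one just past the /32 entry, one unknown OUI.
    for sample in ("00:18:b0:12:34:56", "00:0a:e4:75:00:01", "00:0a:e4:76:00:01", "00:1b:ba:00:00:01"):
        print(sample, "->", matching_range(sample))
```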
We need to strip the 802.1Q tag from packets in the PVID VLAN before they are sent to the phone. In this design we’re expecting to connect IP phones to ports 1 – 46.
5520-48T-PWR (config)# vlan port 1-46 tagging untagpvidOnly
Let’s configure LLDP for the ports we expect to connect IP phones (1 – 46);
5520-48T-PWR (config)# interface fastEthernet 1-46
5520-48T-PWR (config-if)# vlan ports 1-46 filter-unregistered-frames disable
5520-48T-PWR (config-if)# lldp tx-tlv port-desc sys-cap sys-desc sys-name
5520-48T-PWR (config-if)# lldp status txAndRx config-notification
5520-48T-PWR (config-if)# lldp tx-tlv med extendedPSE med-capabilities network-policy
5520-48T-PWR (config-if)# poe poe-priority high
5520-48T-PWR (config-if)# spanning-tree learning fast
5520-48T-PWR (config-if)# adac enable
5520-48T-PWR (config-if)# exit
The filter-unregistered-frames option above (highlighted in red in the original post) was added after an issue was discovered when trying to upgrade the firmware on the IP phones. This option is enabled by default and should be disabled to avoid any issues with upgrading the firmware on the IP phones. We are attempting to investigate further with Nortel and our voice vendor Shared Technologies.

Let’s disable the two remaining ports that share the GBIC interfaces in case we need those in the future;
5520-48T-PWR (config)# interface fastEthernet 45-46
5520-48T-PWR (config-if)# shutdown
5520-48T-PWR (config-if)# exit
Let’s setup a QoS interface group to trust all traffic that will ingress on the fiber uplinks. By default the ERS 5520 switch will strip all QoS tags on all ports. Thankfully ADAC will take care of the QoS settings for all VoIP traffic.
5520-48T-PWR (config)# qos if-group name allUpLinks class trusted
5520-48T-PWR (config)# interface fastEthernet 47,48
5520-48T-PWR (config)# qos if-assign port 47,48 name allUpLinks
5520-48T-PWR (config)# exit
Let’s set the SNMP information;
5520-48T-PWR (config)# snmp-server name "sw-icr1-1east.sub.domain.org"
5520-48T-PWR (config)# snmp-server location "Acme Internet Phone Company (ICR1)"
5520-48T-PWR (config)# snmp-server contact "Network Infrastructure Team"
Let’s enable rate limiting for all broadcast and multicast traffic to 10% of the link;
5520-48T-PWR (config)# interface fastEthernet ALL
5520-48T-PWR (config-if)# rate-limit both 10
5520-48T-PWR (config-if)# exit
Let’s setup VLACP (Virtual Link Aggregation Protocol) on the uplinks to the core;
5520-48T-PWR (config)# interface fastEthernet 47,48
5520-48T-PWR (config-if)# vlacp port 47,48 timeout short
5520-48T-PWR (config-if)# vlacp port 47,48 enable
5520-48T-PWR (config-if)# exit
5520-48T-PWR (config)# vlacp enable
That's it, you're done! Well, hopefully you're done.

In my next post I'll tell you what DHCP options you'll need to configure on your DHCP server in order for the phones to boot properly and connect to the Nortel Call Server.


Sunday, October 21, 2007

Voice Over IP with Nortel

I'd like to take some time to discuss Voice over IP and share some of my real world experiences with the technology. I should note to everyone that my experiences with VoIP are strictly limited to Nortel equipment. While I'm somewhat knowledgeable about Cisco CallManager (mostly thanks to my cousin who maintains the Call Center for a large automotive manufacturer) my personal experiences are limited to Nortel.

We've been using VoIP for almost the past 6 years with very good success. Our first foray into VoIP was using Nortel's IP Line ITG (Internet Telephony Gateway) with a Nortel Meridian 1 Option 61C switch. We had Nortel's first generation i2004 phones (the purple "barney" phones as we fondly referred to them). A few hardware and software upgrades later that same system is now known as Nortel's Succession 4.5 1000M Call Server. We've been running IP Trunks (H.323) between 5 different Succession 4.5 1000M Call Servers for well over 4 years now with great success. We've only just in the past year started really rolling out VoIP to the desktop where it makes sense (example; new construction).

What do you need to run VoIP with Nortel?

These days you can run VoIP on all sorts of different platforms from small office (BCM 50) to very large multi-site enterprises (CS 2100). I'll describe the equipment that I'm currently using;

  • Nortel Succession 4.5 Call Server 1000M
  • Nortel Succession 4.5 Signaling Server (two for high availability)
  • Nortel Succession Voice Gateway Media Cards (five for high availability and capacity)
  • Nortel Succession Internet License (Incremental Software Management - ISM)
You'll need a phone of course;
You'll also need some back-end network electronics/switches;
And to make life easy you'll also need a DHCP server which you can configure with custom vendor DHCP options.

If you're a data person you're most likely going to need some help from either a voice/telecom person or voice reseller. Likewise if you're a voice/telecom person you're going to need some help from either a data person or a data reseller. I happen to be a data person that has learned the voice/telecom side of things from my years of exposure and from the failure of several voice resellers; nothing like picking up the books and learning something new.

Since I'm a data person I'm going to focus on the actual network electronics and the phone configuration. In the past year I've deployed more than 250 IP phones at more than 5 locations. That number doesn't include the 100 or so Nortel 2211 Wireless Internet Telephones which we'll discuss at some later date.

I currently have a Nortel 1140E (pictured right) on my desk at work along with a Nortel i2007 on my desk at home (Nortel 1150 VPN Router with Branch Office Tunnel - BOT) and an i2050 software IP phone on my laptop with a USB headset adapter that really makes the phone work.

We recently built a health center with 140+ IP phones which are all connecting to a hospital that is more than 17 miles away. We built a 10GB Wide Area Network over dark fiber utilizing Nortel Ethernet Routing Switch 8600s with 8683XLR cards and 10GBase-ER/EW XFP GBICs. We also installed and provisioned a Nortel 1000B Branch Office at the health center to provide a failover solution should the IP phones get disconnected from the Main Office Call Server. This site has been live for the past 5 months now and I'm very satisfied with the result of our work and efforts. The solution is very reliable and thanks to the design of the data network we've yet to experience an unscheduled outage.

Stay tuned for more...