
Wednesday, January 23, 2008

ERS 5500 Advanced Routing License

The Nortel ERS 5500 Series switches support Layer 3 switching (routing), but only with static routes. The Advanced Routing License is required to provide the following features:

  • OSPF (Open Shortest Path First) Routing
  • VRRP (Virtual Routing Redundancy Protocol)
  • ECMP (Equal Cost Multi-Path)
  • SMLT (Split Multilink Trunking)
  • IPFIX (IP Flow Information Export)
The license is per switch or stack: a single license is required for a standalone switch or for a stack of up to eight units. A single license enables all of the features described above.

I believe Nortel is selling the licenses in counts of 1, 10, 50 or 100. The licenses will be tied to the MAC address of the switch with some amount of flexibility should a switch fail or need to be replaced.

Did you know that there is a 30 day demo license available?

As of software release v5.1 there is a 30 day demo license available which you can load on the switch to evaluate the different features. I'm currently running two ERS 5500 series switches with the 30 day demo license testing the OSPF functionality.

The 30-day demo license can be found on the Nortel website just below the v5.1 software release. Once you've retrieved the demo license (filename: 30daydemo.lic) you'll need to place it on a TFTP server (or you could try a USB flash drive if you're working with an ERS 5530 switch).
ERS5530> enable
ERS5530# copy tftp license 10.101.20.1 30daydemo.lic
You would of course need to substitute your own TFTP server IP address for 10.101.20.1 above. Once you've downloaded the license you'll need to restart the switch to activate it. After the switch has restarted you can use the following command to check the license:
ERS5530# show license all
Number of licenses: 1
---------------------------------------------------------
License 1
---------------------------------------------------------
version: 0
md5_key: 9f8d802b 1459576e 7d0b8951 af8e1751
md5_file: 8375fe89 ea7eb5e2 fa155e7a 181410c8
time_base: 2007/06/22 08:19:01
time_modify: 2007/06/22 08:19:01
time_expiration: 28 days, 05:05:00
num_unique_ids: 1
flags: 0x0000000d SINGLE EXPIRE EMERGENCY
memo:

*** This is a temporary license valid for 30 days. A valid license is ***
*** required for uninterrupted operation of the switch. There may be ***
*** service impact if this temporary license is not removed in 30 days. ***

You can also delete the existing software licenses with the following command:
ERS5530# clear license all
Cheers!

Saturday, January 19, 2008

Nortel VPN Router (Default Password)

The Nortel VPN (formerly Contivity) Routers are among some of the best in the industry. The majority of the product line came to Nortel (formerly Bay Networks) from the acquisition of New Oak back in 1999.

Since that time Nortel has added a few lower end SOHO solutions, Nortel VPN Router 200 series, to the product line which I believe are OEM'd from ZyXEL. I'm not very fond of the 200 series and I would NOT recommend them to anyone. I am, however, very fond of the 1100 series as it runs the same software that the larger models run.

Thankfully they all share the same default username and password. Unfortunately they don't all share the same software or configuration interface.

The default username is "admin".
The default password is "setup".

With the traditional Nortel (Contivity Switch) VPN routers there are two internal IP addresses assigned to the one physical internal interface. One IP address is for management and the other for routing traffic. The default management IP address for these models (Nortel VPN Router 1000 Series, 2000 Series, 4000 Series, 5000 Series) is:

http://192.168.1.2

The actual traffic interface is 192.168.1.1 and the default DHCP address range should be between 192.168.1.3 - 192.168.1.254.

Cheers!

Tuesday, January 15, 2008

Nortel Ethernet Switch "Agent Not Found"

This post applies to the following models:

  • Nortel Business Policy Switch 2000
  • Nortel Ethernet Switch 300 Series
  • Nortel Ethernet Switch 460
  • Nortel Ethernet Switch 470
  • Nortel Ethernet Switch 2500 Series
  • Nortel Ethernet Switch 4500 Series
  • Nortel Ethernet Route Switch 5500 Series
It is possible that the switch agent image, that is stored in NVRAM on the switch, can become corrupt for some reason or another. In this case the switch will not boot up properly and will require some special intervention.
Diagnostic Version X.X.X.X
Press Control-C to Enter Diag

Test ROM Config - PASSED
Test FANs - PASSED
Test Internal Loopback - PASSED
Test ASIC1 Registers - PASSED
Test ASIC2 Registers - PASSED
Test PHY Registers - PASSED
Test USB Registers - PASSED
Agent code verification fails!

>> Break Recognized - Wait...
Press 'a' to run Agent code
Press 'd' to download Agent code
Press 'e' to display errors
Press 'c' to clear log message
Press 'i' to initialize config flash
Press 'p' to run POST tests...
You can use the boot diagnostic code to download the agent code to the switch using the "d" option. While the switch is booting, press Ctrl-C to break the boot sequence and then select "d" from the menu.

WARNING: the TFTP server needs to be physically connected to the switch in question
Download Agent Code

Enter Port Number [ ]:
Enter Speed: 10, 100, 1000 [ ]:
Enter Local IP Address [ 0.0.0.0 ]: 10.10.10.15 (IP given to Switch)
Enter Server IP Address [ 0.0.0.0 ]: 10.10.10.1 (IP of local TFTP server)
Enter Subnet Mask [ 255.255.255.0 ]:
Enter Filename: boss_1234.img
Wait..
TFTP: Sending Open: .aaaaa.a
TFTP: Open
...............................................................
.............................................................
Len= 0x20795E= 2128222. (@1200000)
Agent Version= 5.0.0.0 ModelMask= 0x1C
Program y/N [ N ]: y (Press y)
Erasing - Wait 56 sec..
Programming - Wait 96 sec..
Once the download is complete you'll need to run the agent code by selecting "a".
Starting Agent Code..

Decompressing the image ...
Target Name: vxTarget
User: target
Attaching network interface idtip0... done.
Attaching network interface lo0... done.

Completing initialization...
At this point the switch should be booting up although it may take ~ 2 minutes for the switch to fully initialize the software and configuration.

Cheers!

Saturday, January 12, 2008

ERS 8600 Access Policy

Protecting your network switches from unauthorized access should be high on everyone's list these days. It's clear that an insecure switch is a liability in any network topology. In the vast majority of cases this means at least changing the default usernames and passwords along with the SNMP community strings. In environments where you need additional access security you can use the Ethernet Routing Switch 8600 Access Policy to restrict administrative access to the switch. This allows you to easily define which networks should have access and which services they should have access to.

In the example below I'm allowing access from the network 10.1.1.0/24 for FTP, HTTP, SNMP(v3), SSH, TELNET and TFTP.

ERS-8610:5# config sys access-policy policy 10 create
ERS-8610:5# config sys access-policy policy 10 network 10.1.1.0/24
ERS-8610:5# config sys access-policy policy 10 service ftp enable
ERS-8610:5# config sys access-policy policy 10 service http enable
ERS-8610:5# config sys access-policy policy 10 service snmpv3 enable
ERS-8610:5# config sys access-policy policy 10 service ssh enable
ERS-8610:5# config sys access-policy policy 10 service telnet enable
ERS-8610:5# config sys access-policy policy 10 service tftp enable
ERS-8610:5# config sys access-policy policy 10 snmp-group-add admin snmpv1
ERS-8610:5# config sys access-policy policy 10 snmp-group-add admin snmpv2c
ERS-8610:5# config sys access-policy policy 10 snmp-group-add v1v2grp snmpv1
ERS-8610:5# config sys access-policy policy 10 snmp-group-add v1v2grp snmpv2c

ERS-8610:5# config sys access-policy policy 10 snmp-group-add readgrp snmpv1
ERS-8610:5# config sys access-policy policy 10 snmp-group-add readgrp snmpv2c
ERS-8610:5# config sys access-policy policy 10 enable
Just don't forget to enable the access policy feature globally:
ERS-8610:5# config sys access-policy enable true
You could also use host masks as opposed to network masks if you wish to allow only specific management stations access to the switch.

Cheers!

Wednesday, January 9, 2008

ERS 8600 (ipNetToMediaIfIndex)

There was a recent comment about a Usenet posting I made back in 2002 in comp.protocols.snmp.

In the post I was responding to someone looking for information on how to decode the value returned from ipNetToMediaIfIndex when querying an ERS 8600 switch. Thankfully Shane (Nortel) was able to help me come up with the formula.

card = ( $value AND 62914560 ) / 4194304
port = (( $value AND 4128768) / 65536 ) + 1
With that formula you can now walk the ipNetToMediaTable and retrieve the entire ARP table, giving you the card and port number, MAC address, and IP address for each entry in the table.

The next issue was how to deal with MultiLink Trunk interfaces. In this case (and with my current software code) I build a table of all the MLT interfaces prior to polling the ipNetToMediaTable. I still use Perl but it shouldn't be very hard to convert to PHP.
# rcMltNumMlts - how many MLTs are defined on the switch
$nummlts = $sess->get("rcMltNumMlts.0");

for ($i = 1; $i <= $nummlts; $i++) {
    # rcMltName
    $mltname[$i] = $sess->get("rcMltName.$i");
    # rcMltId
    $mltindex[$i] = $sess->get("rcMltId.$i");
    # rcMltIfIndex
    $mltifindex[$i] = $sess->get("rcMltIfIndex.$i");
    print "DEBUG: MltId = $i and MltName = $mltname[$i] and MltIndex = $mltindex[$i] and MltIfIndex = $mltifindex[$i]\n" if ($DEBUG);
}
Now that we have the rcMltTable in an array we can walk the ipNetToMediaTable and match up any entries. Here's the code I use (again it's Perl, but you should be able to convert it to PHP):
# Evaluate with bitwise operations: card is in bits 22-25, port in bits 16-21
$card = (($vals[0] & 62914560) / 4194304);
$port = (($vals[0] & 4128768) / 65536) + 1;

# Evaluate to determine if the port is an MLT (card 0 means the entry is an MLT)
if ($card != 0) {
    # combine card and port into a single interface index
    $intf = (((64 * $card) + $port) - 1);
    print "DEBUG: $vals[1] address found on card $card port $port\n";
} else {
    $mlt = 1;
    print "DEBUG: $vals[1] address found on MLT $mltname[$port]\n";
} # end else
Hopefully that doesn't look too complicated. The important piece here is that you need to merge the rcMltTable with the ipNetToMediaTable to get your results. If you name the MLT with something meaningful you can then return that string to the application that is making the query.

I wrote a Perl application that searches the ARP table of an Ethernet Routing Switch 8600 dynamically for a specific IP address entry. Here's an example of the output:
Nortel Passport 8600 Gigabit Switch IP ARP Table Search

Initializing query for sw-ccr-8600.datacenter.acme.org for IP address 1.1.1.10...

sysDescr = ERS-8610 (4.1.3.0)
sysObjectID = .1.3.6.1.4.1.2272.30
sysUpTime = 169 Days 6 Hours 43 mins 11 secs
sysContact = Acme Network Infrastructure Team
sysName = sw-ccr-8600.datacenter.acme.org
sysLocation = USA

Please be patient it may take a while to complete the search...

DEVICE FOUND

1.1.1.10 (000AE4753FC9) address found on MLT SMLT-5500

We searched through 1183 forwarding records...

That's all folks!
I will look to publish the complete code on my website sometime in the near future.
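As an added example (not the author's Perl, which is not published here), the same ifIndex decode and rcMltTable merge in Python, run over a constructed ARP walk; the MLT names, ifIndex values and MAC addresses are all made up, and mapping card 0's port field straight to the MLT index follows the post's own $mltname[$port] lookup. It also renders the raw 6-byte ipNetToMediaPhysAddress the way the post's output prints it.

```python
"""Decode ERS 8600 ipNetToMediaIfIndex values into card/port or an MLT name."""

# Masks from the post: card lives in bits 22-25, port in bits 16-21.
CARD_MASK, CARD_SHIFT = 62914560, 22   # 62914560 == 0x03C00000, 4194304 == 2**22
PORT_MASK, PORT_SHIFT = 4128768, 16    # 4128768  == 0x003F0000, 65536   == 2**16


def decode_if_index(value):
    """card = (value AND 62914560) / 4194304; port = ((value AND 4128768) / 65536) + 1."""
    card = (value & CARD_MASK) >> CARD_SHIFT
    port = ((value & PORT_MASK) >> PORT_SHIFT) + 1
    return card, port


def port_if_index(card, port):
    """The post's $intf value for a physical port: 64 * card + port - 1."""
    return 64 * card + port - 1


def mac_to_string(raw):
    """Render a 6-byte ipNetToMediaPhysAddress as the post prints it (000AE4753FC9)."""
    return "".join("%02X" % b for b in raw)


def resolve_arp_entry(if_index, mlt_names):
    """Mirror the post's branch: card 0 means the port field indexes the MLT table."""
    card, port = decode_if_index(if_index)
    if card != 0:
        return "card %d port %d" % (card, port)
    # Assumption carried over from the post: with card == 0 the port field is
    # the index into the rcMltTable built before the ipNetToMediaTable walk.
    return "MLT %s" % mlt_names.get(port, "unknown-%d" % port)


def search_arp_table(target_ip, arp_rows, mlt_names):
    """Walk ipNetToMediaTable rows and report where target_ip was learned."""
    for if_index, raw_mac, ip in arp_rows:
        if ip == target_ip:
            return "%s (%s) address found on %s" % (
                ip, mac_to_string(raw_mac), resolve_arp_entry(if_index, mlt_names))
    return None


# Constructed sample data, not taken from any real switch.
SAMPLE_MLT_NAMES = {1: "SMLT-5500", 2: "MLT-CORE"}      # rcMltName keyed by MLT index
SAMPLE_ARP_ROWS = [
    # (ipNetToMediaIfIndex, ipNetToMediaPhysAddress, ipNetToMediaNetAddress)
    (4456448, bytes.fromhex("00112233aabb"), "10.1.1.20"),   # card 1, port 5
    (14090240, bytes.fromhex("0011223344cc"), "10.1.1.21"),  # card 3, port 24
    (0, bytes.fromhex("000ae4753fc9"), "1.1.1.10"),          # card 0 -> MLT 1
    (65536, bytes.fromhex("000ae4753fdd"), "1.1.1.11"),      # card 0 -> MLT 2
]

if __name__ == "__main__":
    for ip in ("10.1.1.20", "1.1.1.10", "9.9.9.9"):
        print(search_arp_table(ip, SAMPLE_ARP_ROWS, SAMPLE_MLT_NAMES))
```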

Cheers!

Monday, January 7, 2008

Nortel Ethernet Switch Features

This is a great document that outlines the Nortel Ethernet Switch product line and highlights the major feature sets.

Ethernet Switching Feature Matrix July 2007 Public Version.pdf

This is public information so hopefully I won't be getting any nasty email messages from anyone.

Cheers!

UPDATE: April 3, 2008

Here's a new version of the Ethernet Switching Feature Matrix dated November 2007.


Friday, January 4, 2008

HP GbE2 Switch Blade

As with many data centers we've been deploying a large number of blade servers and switches. We're primarily an HP shop from a server, desktop and laptop perspective and we've been working with the HP BladeSystem for the past two years.

HP actually OEMs two different GbE2 switches for their blade enclosures. One is based on a Nortel (Alteon) solution and the other is based on a Cisco solution. We're using the Nortel version and we'll be focusing on that hardware in this post. If you're unfamiliar with the Alteon CLI you're going to need a few minutes to catch on. It's pretty simple but very different from either the Nortel CLI or the Cisco CLI. Another important point is that the enclosure can actually accommodate two HP GbE2 switches. There's an "A" side and a "B" side. You only need an "A" side switch to provide connectivity for the servers that will be housed in the enclosure, but for high-availability solutions you'll definitely need two switches installed in the enclosure.

In the following post I'll outline how to configure an HP GbE2 Switch Blade, trunking both uplink ports into a MultiLink trunk. We'll only be using one HP GbE2 switch for this example and ignore the "B" switch. You should console up to the HP GbE2 using a serial cable (straight-through cable, 9600, 8, N, 1). The default password is "admin".

[Main Menu]
Jul 19 8:07:04 NOTICE mgmt: admin login from host 10.101.20.1
info - Information Menu
stats - Statistics Menu
cfg - Configuration Menu
oper - Operations Command Menu
boot - Boot Options Menu
maint - Maintenance Menu
diff - Show pending config changes [global command]
apply - Apply pending config changes [global command]
save - Save updated config to FLASH [global command]
revert - Revert pending or applied changes [global command]
exit - Exit [global command, always available]

>> Main#
Set Admin password
We'll start out by setting the administrator password on the switch.
>> Main# /cfg/sys/access/user/admpw 
Changing ADMINISTRATOR password; validation required:

Enter current admin password:

Enter new administrator password:

Re-enter new administrator password:

New administrator password accepted.
Set IP Address
Next we'll setup an IP address on one of the interfaces.
>> Main# cfg/l3/if 1

[IP Interface 1 Menu]
addr - Set IP address
mask - Set subnet mask
vlan - Set VLAN number
relay - Enable/disable BOOTP relay
ena - Enable IP interface
dis - Disable IP interface
del - Delete IP interface
cur - Display current interface configuration

>> IP Interface 1# addr 10.101.255.118
Current IP address: 0.0.0.0
New pending IP address: 10.101.255.118
Pending new subnet mask: 255.0.0.0

>> IP Interface 1# mask 255.255.255.0
Current subnet mask: 0.0.0.0
New pending subnet mask: 255.255.255.0

>> IP Interface 1# vlan 200
Current VLAN: 1
New pending VLAN: 200

>> IP Interface 1# ena
Current status: disabled
New status: enabled
Set IP Default Gateway
Next we'll setup a default gateway for the switch.
>> Main# cfg/l3/gw 1
[Default gateway 1 Menu]
addr - Set IP address
intr - Set interval between ping attempts
retry - Set number of failed attempts to declare gateway DOWN
arp - Enable/disable ARP only health checks
ena - Enable default gateway
dis - Disable default gateway
del - Delete default gateway
cur - Display current default gateway configuration

>> Default gateway 1# addr 10.101.255.1
Current IP address: 0.0.0.0
New pending IP address: 10.101.255.1

>> Default gateway 1# ena
Current status: disabled
New status: enabled
Create Trunk Interface
We'll create a Multilink trunk interface (Etherchannel) utilizing ports 19 and 20. Switch ports 19-22 are GBIC interfaces which are populated by 1000BaseSX SFPs.
>> Main# /cfg/l2/trunk 1
[Trunk group 2 Menu]
add - Add port to trunk group
rem - Remove port from trunk group
ena - Enable trunk group
dis - Disable trunk group
del - Delete trunk group
cur - Display current Trunk Group configuration

>> Trunk group 2# add 19
Port 19 added.
>> Trunk group 2# add 20
Port 20 added.
>> Trunk group 2# ena
Current status: disabled
New status: enabled
Enable 802.1q (tagging) on fiber uplinks
The external uplinks are ports 19 and 20. The internal crossconnect links between the two HP GbE2 switches are on ports 17 and 18. We need to enable 802.1q VLAN tagging on the uplink ports so we can bridge multiple VLANs across the uplinks.
>> Main# /cfg/port 17
------------------------------------------------------------
[Port 19 Menu]
gig - Gig Phy Menu
aclqos - Acl/Qos Configuration Menu
8021ppri - Set default 802.1p priority
pvid - Set default port VLAN id
name - Set port name
rmon - Enable/Disable RMON for port
tag - Enable/disable VLAN tagging for port
tagpvid - Enable/disable tagging on pvid
brate - Set BroadCast Threshold
mrate - Set MultiCast Threshold
drate - Set Dest. Lookup Fail Threshold
ena - Enable port
dis - Disable port
cur - Display current port configuration
>> Port 17# tag e
Current VLAN tag support: disabled
New VLAN tag support: enabled
Port 17 changed to tagged.
I'm going to just provide the commands for the remaining ports and skip showing the entire text of the menu to help save on the length of this document.
>> Port 17# /cfg/port 18/tag e
Current VLAN tag support: disabled
New VLAN tag support: enabled
Port 18 changed to tagged.
>> Port 19# /cfg/port 19/tag e
Current VLAN tag support: disabled
New VLAN tag support: enabled
Port 19 changed to tagged.
>> Port 19# /cfg/port 20/tag e
Current VLAN tag support: disabled
New VLAN tag support: enabled
Port 20 changed to tagged.
Create VLAN 200 for management of the switch itself.
>> Main# /cfg/l2/vlan 200
VLAN number 200 with name "VLAN 200" created.
------------------------------------------------------------
[VLAN 200 Menu]
name - Set VLAN name
stg - Assign VLAN to a Spanning Tree Group
add - Add port to VLAN
rem - Remove port from VLAN
def - Define VLAN as list of ports
ena - Enable VLAN
dis - Disable VLAN
del - Delete VLAN
cur - Display current VLAN configuration

>> VLAN 200# name "10-101-255-0/24"
Current VLAN name:
New VLAN name: 10-101-255-0/24
>> VLAN 200# add 17
Current ports for VLAN 200: empty
Pending new ports for VLAN 200: 17
>> VLAN 200# add 18
Current ports for VLAN 200: empty
Pending new ports for VLAN 200: 17-18
>> VLAN 200# add 19
Current ports for VLAN 200: empty
Pending new ports for VLAN 200: 17-19
>> VLAN 200# add 20
Current ports for VLAN 200: empty
Pending new ports for VLAN 200: 17-20
Spanning Tree Protocol (Disable STP on trunk uplinks)
>> Main# /cfg/l2/stp 1
------------------------------------------------------------
[Spanning Tree Group 1 Menu]
brg - Bridge parameter menu
port - Port parameter menu
add - Add VLAN(s) to Spanning Tree Group
remove - Remove VLAN(s) from Spanning Tree Group
clear - Remove all VLANs from Spanning Tree Group
on - Globally turn Spanning Tree ON
off - Globally turn Spanning Tree OFF
default - Default Spanning Tree and Member parameters
cur - Display current bridge parameters

>> Spanning Tree Group 1# port 19
------------------------------------------------------------
[Spanning Tree Port 19 Menu]
prior - Set port Priority (0-255)
cost - Set port Path Cost (1-65535 (802.1d) / 1-200000000 (MSTP/RSTP) / 0 for auto)
link - Set port link type (auto, p2p, or shared; default: auto)
edge - Enable/disable edge port
fastfwd - Enable/disable Port Fast Forwarding mode
on - Turn port's Spanning Tree ON
off - Turn port's Spanning Tree OFF
cur - Display current port Spanning Tree parameters
>> Spanning Tree Port 19# off
Current Port 19 Spanning Tree setting: ON
New Port 19 Spanning Tree setting: OFF
>> Main# /cfg/l2/stp 1/port 20/off
Current Port 20 Spanning Tree setting: ON
New Port 20 Spanning Tree setting: OFF
Network Time Protocol
>> Main# /cfg/sys/ntp
----------------------------------------------------------
[NTP Server Menu]
prisrv - Set primary NTP server address
secsrv - Set secondary NTP server address
intrval - Set NTP server resync interval
tzone - Set NTP timezone offset from GMT
dlight - Enable/Disable daylight savings time
on - Turn NTP service ON
off - Turn NTP service OFF
cur - Display current NTP configuration
>> NTP Server# prisrv 10.101.20.1
Current NTP server address: 0.0.0.0
Enter new NTP server address: 10.101.20.1
>> NTP Server# secsrv 10.111.20.1
Current NTP server address: 0.0.0.0
Enter new NTP server address: 10.111.20.1
>> NTP Server# tzone -5:00
Current GMT timezone offset: -8:00
Enter new GMT timezone offset in hours [-12:00, +12:00]: -5:00
>> NTP Server# on
Current status: OFF
New status: ON
>> NTP Server# dlight e
Current status: disabled
New status: enable
Set PVID on Uplink Ports
>> Main# /cfg/port 17/pvid 200
>> Main# /cfg/port 18/pvid 200
>> Main# /cfg/port 19/pvid 200
>> Main# /cfg/port 20/pvid 200
Remove VLAN 1 from Uplink Ports
>> Layer 2# vlan 1
------------------------------------------------------------
[VLAN 1 Menu]
name - Set VLAN name
stg - Assign VLAN to a Spanning Tree Group
add - Add port to VLAN
rem - Remove port from VLAN
def - Define VLAN as list of ports
ena - Enable VLAN
dis - Disable VLAN
del - Delete VLAN
cur - Display current VLAN configuration
>> VLAN 1# rem 17
Current ports for VLAN 1: 1-18 21-24
Pending new ports for VLAN 1: 1-16 18 21-24
>> VLAN 1# rem 18
Current ports for VLAN 1: 1-18 21-24
Pending new ports for VLAN 1: 1-16 21-24
>> VLAN 1# rem 19
Current ports for VLAN 1: 1-18 21-24
Pending new ports for VLAN 1: 1-16 21-24
>> VLAN 1# rem 20
Current ports for VLAN 1: 1-18 21-24
Pending new ports for VLAN 1: 1-16 21-24

Simple Network Management Protocol (SNMP)


>> Main# /cfg/sys/ssnmp/name swA-hpenc06-rack44.acme.org
Current SNMP "sysName": ""
Pending new "sysName": "swA-hpenc06-rack44.mdc.mlhs.org"

>> Main# /cfg/sys/ssnmp/rcomm readonly
Current SNMP read community string: "public"
Pending new read community string: "readonly"

>> Main# /cfg/sys/ssnmp/wcomm readwrite
Current SNMP write community string: "private"
Pending new write community string: "readwrite"

>> Main# /cfg/sys/ssnmp/auth dis
Current SNMP "sysAuthenTrap" setting: disabled
New SNMP "sysAuthenTrap" setting: disabled

Disable BOOTP

>> Main# /cfg/sys/bootp d
Warning: Enabling bootp will overwrite IP interface 1 and
IP gateway 1's configurations.

Current BOOTP: enabled
New BOOTP: disabled

Save Configuration & Apply Configuration
The most important part of this exercise is applying the changes we've made and saving the configuration. Unlike Cisco or even Nortel switches, the changes we've made above don't take effect until they are applied to the switch with the "apply" command.

>> System# apply
------------------------------------------------------------------
Apply complete; don't forget to "save" updated configuration.

Jul 19 13:26:12 INFO mgmt: new configuration applied
>> System# save
Request will first copy the FLASH "active" config to "backup",
then overlay FLASH "active" with new config.
Confirm saving to FLASH [y/n]: y
New config successfully saved to FLASH.

Jul 19 13:26:19 INFO mgmt: new configuration saved
>> System#
Hopefully that will give you a good idea of how to configure an HP GbE2 switch in a basic configuration.

Cheers!