I know what a pain it can be to sometimes locate vendor specific SNMP MIBS. In the past I've sometimes spent hours scouring the net and vendor sites looking for the MIBS.
I've decided to post some of the vendor specific SNMP MIBS that I work with on my homepage. You should be able to link straight to my homepage with this URL;
http://mysite.verizon.net/michaelfmcnamara/netmgmt.htm#mibs
You should be able to find SNMP MIBS for the following devices;
Nortel Ethernet Routing Switch 8600 (v4.1.4)
Nortel Ethernet Routing Switch 5500 Series (v5.1)
Motorola WS5100 Wireless LAN Switch (v3.0.3)
Motorola RFS7000 Wireless LAN Switch (v1.x)
APC UPS Management Cards (v387)
As time and disk space allow I will add additional vendor MIBS and additional devices.
Update 12/01/07
Polycom VXS8000 Video Conferencing System
Blue Coat ProxySG Appliance
Blue Coat ProxyAV Appliance
Update 12/07/07
Nortel Application Switch (v23.2.3.1)
Update 12/26/07
Nortel Ethernet Switch 460/470 (v3.7)
Nortel Ethernet Routing Switch 1600 (v2.1.4)
Nortel Succession Call Server (v4.5)
Update 12/29/2007
Motorola WS5000/WS5100 Wireless LAN Switch (v2.1.3)
Cheers!
Monday, November 26, 2007
SNMP MIBS
NVR Audit data initialized
There have been a few folks asking me if I know what the following log entry is on their Nortel Ethernet Routing Switch 5500 Series, "NVR Audit data initialized - incorrect magic number: 0xffffffff".
I believe Nortel documents this as a bug in their latest software. The switch is throwing an error because the audit data (a new feature in the v5.x software line) is not present in the configuration or NVRAM the first time the switch boots after an upgrade to v5.x. This error could also occur if you've just factory reset your switch to the default configuration. I believe the error can be safely ignored as I've seen it on all 42 of my 5500 series switches.
I do remember seeing something about this error documented from Nortel, unfortunately I can't seem to find that reference now.
ERS-5520#show logging
Type Time Idx Src Message
---- ----------------------- ---- --- -------
S 00:00:00:00 1 NVR SNTP: Could not sync to NTP servers.
S 2007-04-05 17:18:08 GMT 2 NVR SNTP: Could not sync to NTP servers.
S 2007-04-05 17:22:07 GMT 3 NVR Audit data initialized - incorrect magic number: 0xffffffff
I 2007-04-19 01:21:03 GMT 4 Web server starts service on port 80.
I 2007-04-19 01:21:19 GMT 5 IGMP: Unknown Multicast Filter disabled
I 2007-04-19 01:21:19 GMT 6 PoE Port Detection Status: Port 1 Status: Delivering Power
I 2007-04-19 01:21:22 GMT 7 PoE Port Detection Status: Port 35 Status: Delivering Power
I 2007-04-19 01:21:49 GMT 8 Port 0/47 reenabled by VLACP
I 2007-04-19 01:21:49 GMT 9 Port 0/48 reenabled by VLACP
I 2007-04-19 01:23:05 GMT 10 SNTP: First synchronization successful.
I 2007-04-19 01:23:18 GMT 11 Warm Start Trap
I 2007-04-19 01:23:19 GMT 12 Link Up Trap Port: 1
I 2007-04-19 01:23:20 GMT 13 Trap: pethPsePortOnOffNotification
I 2007-04-19 01:23:20 GMT 14 Trap: bsAdacPortConfigNotification for Port: 47, Config: Applied
Cheers!
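If you collect "show logging" output from a fleet of these switches, it helps to parse it rather than eyeball it. The following is an added example (my own code, not anything shipped by Nortel) that parses the log format above, tallies entries by type and picks out the audit-data message. The sample log is constructed to match the format quoted in the post. One assumption is made in the classifier and is marked in the code: a magic number of 0xffffffff is what an erased NVRAM region reads back as, so that value corresponds to the benign first-boot case described above, while any other value would mean the audit area was written and later damaged.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the ERS 5500 "show logging" format quoted
# in the post; it is not a capture from a real switch.
SAMPLE_LOG = """\
Type Time Idx Src Message
---- ----------------------- ---- --- -------
S 00:00:00:00 1 NVR SNTP: Could not sync to NTP servers.
S 2007-04-05 17:22:07 GMT 3 NVR Audit data initialized - incorrect magic number: 0xffffffff
I 2007-04-19 01:21:03 GMT 4 Web server starts service on port 80.
I 2007-04-19 01:23:18 GMT 11 Warm Start Trap
I 2007-04-19 01:23:19 GMT 12 Link Up Trap Port: 1
"""

# One record: type letter, a time that is either an uptime counter
# (dd:hh:mm:ss, logged before the clock was set) or a wall-clock stamp,
# an index, an optional "NVR" source flag (entry replayed from
# non-volatile storage) and the free-text message.
LINE_RE = re.compile(
    r"^(?P<type>[A-Z])\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}:\d{2}|\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} GMT)\s+"
    r"(?P<idx>\d+)\s+"
    r"(?:(?P<src>NVR)\s+)?"
    r"(?P<msg>.+)$"
)
AUDIT_RE = re.compile(
    r"Audit data initialized - incorrect magic number: (?P<magic>0x[0-9a-fA-F]+)"
)


@dataclass
class LogEntry:
    type: str
    time: str
    idx: int
    src: Optional[str]
    msg: str


def parse_log(text: str) -> List[LogEntry]:
    """Parse 'show logging' output; the header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(LogEntry(m["type"], m["time"], int(m["idx"]), m["src"], m["msg"]))
    return entries


def classify_audit_entries(entries: List[LogEntry]) -> List[Tuple[int, int, str]]:
    """Return (idx, magic, verdict) for every audit-data entry.

    Assumption (mine, not stated in the post): 0xffffffff is what an erased
    NVRAM region reads back as, so that magic is the benign case the post
    describes (first boot after a v5.x upgrade or a factory default).  Any
    other value means the audit area was written and later damaged."""
    results = []
    for e in entries:
        m = AUDIT_RE.search(e.msg)
        if not m:
            continue
        magic = int(m["magic"], 16)
        if magic == 0xFFFFFFFF:
            verdict = "benign: audit area never initialized (first boot after upgrade or factory default)"
        else:
            verdict = "investigate: audit area present but magic number corrupt"
        results.append((e.idx, magic, verdict))
    return results


def count_by_type(entries: List[LogEntry]) -> Dict[str, int]:
    """Quick tally by type letter (S = serious, I = informational on this platform)."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.type] = counts.get(e.type, 0) + 1
    return counts


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(count_by_type(entries))
    for idx, magic, verdict in classify_audit_entries(entries):
        print(f"entry {idx}: magic {magic:#010x} -> {verdict}")
```

Feed it the output of "show logging" saved from each switch after an upgrade; an audit entry with any magic other than 0xffffffff, or one that keeps reappearing on later boots, is the case worth opening a ticket on.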
Sunday, November 25, 2007
Factory Reset Nortel Ethernet Switch
There can be times when you need to factory reset a switch. This process can be accomplished through the CLI but if you've lost the switch password you'll need to follow a special process. This process should work for any of the Ethernet Switches (450, 460, 470) and the Ethernet Routing Switches 2500 Series, 4500 Series, 5500 (5510, 5520, 5530) Series. There is a different process to recover lost passwords on the Ethernet Routing Switch 1600 and 8600.
Follow these steps:
- Connect to the console port of the switch (9600,8,N,1)
- Reboot the switch.
- When the first line of the diagnostics tests is displayed, press CTRL-C. The system then displays a menu.
- Select option "i" to factory default the switch.
- Select option "a" to run the agent code.
Cheers!
Friday, November 23, 2007
Layer 3 Access Port Adoption
The release of v3.x software for the Motorola WS5100 and v1.x software for the Motorola RFS7000 finally supports the deployment of Layer 3 Access Ports (APs that could be deployed across a Layer 3 network as opposed to those that can only be deployed across a Layer 2 network).
The latest release of firmware for the AP300 will first attempt to locate a wireless switch for adoption via a Layer 2 broadcast request. If it's unable to locate a wireless switch it will make a DHCP request for an IP address. If the DHCP response does not include option 189 (string) it will make a DNS request to try and locate the wireless switch.
There are two ways the Access Port can locate the Wireless LAN Switch (WS5100/RFS7000) in Layer 3 mode;
- DHCP Option
- DNS Query
You can also create a DNS alias which the AP can use to locate the switch through a DNS query. The default DNS name requested by an AP300 is "Symbol-CAPWAP-Address".
You might also notice that the AP300 will also support LLDP (802.1ab) if your Ethernet switch supports it.
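To make the discovery order concrete, here is an added example (my own code, not Motorola's firmware) that encodes and decodes DHCP options as type-length-value records, extracts the switch address from option 189 and walks the three-step order described above: Layer 2 broadcast, then DHCP option 189, then a DNS query for "Symbol-CAPWAP-Address". The lease bytes are constructed. It assumes the option 189 string holds one or more dotted-quad IPv4 addresses separated by commas or spaces; anything that is not a valid address is ignored rather than handed to the AP as a switch to adopt to.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

OPTION_PAD, OPTION_END = 0, 255
OPTION_WLAN_SWITCH = 189                      # option number named in the post; value is a string
DEFAULT_DNS_NAME = "Symbol-CAPWAP-Address"    # default name the post says the AP300 queries


def encode_options(opts: Dict[int, bytes]) -> bytes:
    """Serialize options as DHCP type-length-value records and terminate with END."""
    out = bytearray()
    for code, value in opts.items():
        if not 0 < code < 255:
            raise ValueError("option code must be between 1 and 254")
        if len(value) > 255:
            raise ValueError("option value longer than one TLV can carry")
        out += bytes([code, len(value)]) + value
    out.append(OPTION_END)
    return bytes(out)


def decode_options(blob: bytes) -> Dict[int, bytes]:
    """Walk the TLV stream, honouring PAD/END and refusing truncated records
    (a malformed lease must not be turned into a bogus switch address)."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPTION_PAD:
            i += 1
            continue
        if code == OPTION_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated value for option {code}")
        opts[code] = value
        i += 2 + length
    return opts


def switch_addresses(opts: Dict[int, bytes]) -> List[str]:
    """Extract switch IPv4 addresses from option 189.  Assumption: the string
    holds dotted-quad addresses separated by commas or spaces; tokens that are
    not valid IPv4 addresses are dropped."""
    raw = opts.get(OPTION_WLAN_SWITCH)
    if raw is None:
        return []
    addrs = []
    for token in raw.decode("ascii", "replace").replace(",", " ").split():
        try:
            addrs.append(str(ipaddress.IPv4Address(token)))
        except ipaddress.AddressValueError:
            continue
    return addrs


def locate_switch(l2_reply: Optional[str], opts: Dict[int, bytes],
                  dns_lookup: Callable[[str], Optional[str]]) -> Tuple[str, Optional[str]]:
    """Adoption order from the post: Layer 2 broadcast reply first, then DHCP
    option 189, then a DNS query for the default name."""
    if l2_reply:
        return ("layer2", l2_reply)
    addrs = switch_addresses(opts)
    if addrs:
        return ("dhcp-option-189", addrs[0])
    answer = dns_lookup(DEFAULT_DNS_NAME)
    if answer:
        return ("dns", answer)
    return ("none", None)


if __name__ == "__main__":
    # Constructed lease carrying a subnet mask (option 1) and option 189.
    lease = encode_options({1: bytes([255, 255, 255, 0]),
                            OPTION_WLAN_SWITCH: b"10.1.1.5,10.1.1.6"})
    print(locate_switch(None, decode_options(lease), lambda name: None))
```

The point of the strict decoder is that whoever controls DHCP or DNS on the AP's VLAN controls which switch adopts the AP; validating the option content is the cheap part, and keeping the AP VLAN's DHCP and DNS under your own control is the part that matters.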
Cheers!
Wednesday, November 21, 2007
Motorola Switch Password Recovery
If for whatever reason you've lost the Web UI or "admin" password your only recourse is to factory default the wireless switch.
To access the switch using a password recovery username and password:
1. Connect a terminal (or PC running terminal emulation software) to the serial port on the front of the switch. The switch login screen displays. Use the following CLI command for the normal login process:
2. Enter a password recovery username of "restore" and password recovery password of "restoreDefaultPassword".
3. Press Y to delete the current configuration and reset with factory defaults.
WS5100
login: cli
User Access Verification
Username: restore
Password: restoreDefaultPasword
WARNING: This will wipe out the configuration (except license key) and user data under "flash:/" and reboot the device
Do you want to continue? (y/n):y
Once the switch has completed its reboot you should be able to log in with the default user ID of "admin" and the default password of "symbol". If you had previously backed up the configuration of the switch you can restore your old configuration.
Tuesday, November 20, 2007
ERS 5520 Switch v5.1 Software
Nortel has just recently released v5.1 software for their Ethernet Routing Switch (ERS) 5500 Series.
There are some enhancements that affect how ADAC/LLDP function on the ERS 5520 switch. From the release notes;
IEEE 802.1ab and ADAC linkage
Nortel introduced the 802.1ab and Auto Detection Auto Configuration(ADAC) features to Release 5.0 to address converged applications. In Release 5.1, the functionality of 802.1ab and ADAC is combined: ADAC uses 802.1ab/LLDP as the detection mechanism to determine the identity of the attached device (that is, a Nortel IP phone that supports 802.1ab Media Endpoint Devices type, length, and value descriptions [MED TLV]). The Auto Configuration functionality of ADAC applies the configuration to the port.
Configurable using NNCLI, ACG, and Device Manager.
It looks like it will no longer be necessary to maintain the list of MAC prefixes for all Nortel Internet Telephones. I haven't actually tested this myself yet but supposedly if LLDP detects an Internet Telephone it will pass that information to ADAC without needing to evaluate the device's MAC address. If you recall from some of my previous posts I needed to manually update the list of MAC prefixes used by my ERS 5520 switches in order to get many of my i2002/i2004 Internet Telephones to be detected properly. The default list of MAC prefixes usually didn't cover all the i2002/i2004/i2007/1140e Internet Telephones I had installed throughout my organization. In previous articles we enabled ADAC like so;
5520-48T-PWR (config)# adac voice-vlan 50
5520-48T-PWR (config)# adac op-mode tagged-frames
5520-48T-PWR (config)# adac uplink-port 48
5520-48T-PWR (config)# adac mac-range-table low-end 00:18:b0:00:00:00 high-end 00:18:b0:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:16:ca:00:00:00 high-end 00:16:ca:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:17:65:00:00:00 high-end 00:17:65:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:0a:e4:75:00:00 high-end 00:0a:e4:75:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:14:c2:00:00:00 high-end 00:14:c2:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:19:69:00:00:00 high-end 00:19:69:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:19:e1:00:00:00 high-end 00:19:e1:ff:ff:ff
5520-48T-PWR (config)# adac enable
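The maintenance problem with the MAC-range approach is easy to show in code. The following is an added example (mine, not Nortel's) that parses "adac mac-range-table" lines like the ones above into numeric ranges, checks whether a given phone MAC falls inside any of them, and contrasts the 5.0 behaviour (MAC table only) with the 5.1 behaviour the release notes describe (an 802.1ab MED TLV identifying an IP phone is sufficient). The config text is a constructed subset of the configuration shown in the post, the phone MACs are made up, and one assumption is marked in the code: that 5.1 still consults the MAC table when a device sends no LLDP-MED information.

```python
import re
from typing import Iterable, List, Tuple

# Constructed subset of the ADAC configuration shown in the post.
ADAC_CONFIG = """\
adac voice-vlan 50
adac mac-range-table low-end 00:18:b0:00:00:00 high-end 00:18:b0:ff:ff:ff
adac mac-range-table low-end 00:16:ca:00:00:00 high-end 00:16:ca:ff:ff:ff
adac mac-range-table low-end 00:0a:e4:75:00:00 high-end 00:0a:e4:75:ff:ff
adac enable
"""
RANGE_RE = re.compile(r"^\s*adac mac-range-table low-end (\S+) high-end (\S+)\s*$", re.M)
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def mac_to_int(mac: str) -> int:
    """Accept only the colon-separated form the switch CLI uses."""
    mac = mac.strip().lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a colon-separated MAC address: {mac!r}")
    return int(mac.replace(":", ""), 16)


def parse_mac_ranges(config: str) -> List[Tuple[int, int]]:
    """Turn every mac-range-table line into an inclusive (low, high) pair."""
    ranges = []
    for low, high in RANGE_RE.findall(config):
        lo, hi = mac_to_int(low), mac_to_int(high)
        if lo > hi:
            raise ValueError(f"range {low}-{high} has low-end above high-end")
        ranges.append((lo, hi))
    return ranges


def in_mac_table(mac: str, ranges: List[Tuple[int, int]]) -> bool:
    v = mac_to_int(mac)
    return any(lo <= v <= hi for lo, hi in ranges)


def detect_phone(mac: str, ranges: List[Tuple[int, int]],
                 lldp_med_phone: bool, release: Tuple[int, int]) -> str:
    """Release 5.0: MAC range table only.  Release 5.1 (per the release notes):
    an 802.1ab MED TLV identifying an IP phone is enough.  Assumption (mine):
    5.1 still falls back to the MAC table when no LLDP-MED information arrives."""
    if release >= (5, 1) and lldp_med_phone:
        return "detected-by-lldp-med"
    if in_mac_table(mac, ranges):
        return "detected-by-mac-range"
    return "not-detected"


def uncovered_phones(phone_macs: Iterable[str], ranges: List[Tuple[int, int]]) -> List[str]:
    """The pre-5.1 chore: phones whose OUI is missing from the table."""
    return [m for m in phone_macs if not in_mac_table(m, ranges)]


if __name__ == "__main__":
    ranges = parse_mac_ranges(ADAC_CONFIG)
    # Made-up phone MACs: one inside a configured range, one outside.
    for mac in ("00:18:b0:12:34:56", "00:11:22:33:44:55"):
        print(mac, detect_phone(mac, ranges, False, (5, 0)), detect_phone(mac, ranges, True, (5, 1)))
```

Note the narrower 00:0a:e4:75 range: a phone at 00:0a:e4:76:xx:xx is not covered even though the OUI matches, which is exactly the kind of gap that only showed up when a new batch of handsets arrived.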
The 5.1 release also now supports the 1000Base-BX SFP;
BX SFP support
The 1000BASE-BX bidirectional SFPs provide Gigabit Ethernet connectivity over a single fiber.
Many customers have high density gigabit requirements, but lack the fiber density to deploy. BX SFPs helps alleviate this issue by allowing a single strand of fiber to facilitate communication.
Nortel introduces support for 1000BaseBX10 module with release 5.1. The modules are single fiber, bidirectional SFP transceivers. Two types of modules are available:
• 1310nm (BX10-U) transceiver
• 1490nm (BX10-D) transceiver
The 1000BaseBX10-D device is always connected to a 1000BaseBX10-U device with a single strand of standard single-mode fiber. The operating transmission range is up to 10 km. The fiber uses a GBIC LC connector on each end.
If the 1000BaseBX10-U is not connected to the 1000BaseBX10-D device, the signals are not received properly and the Link LED does not illuminate. You can configure BX SFP Support through the NNCLI, ACG, or Device Manager.
You can use 1000BASE-BX SFPs to double the number of your fiber links. For example, if you have 20 installed fiber pairs with 20 conventional ports connected, you can use 1000BASE-BX SFPs to expand to 40 ports, using the same fiber.
The long wavelength optical transceivers used in these models provide variable distance ranges using single mode fiber optic cabling.
Cheers!
Monday, November 19, 2007
WiFi Hotspot Portal
A few years ago I had a request to design a public WiFi hotspot portal for the patients and visitors within our five major facilities. I did a fair amount of research and found a number of interesting commercial and open-source solutions. Unfortunately none of them really filled our requirements or caught my fancy. So I embarked on building/coding our own solution using a wide array of open-source software that was already available. Since I was most familiar with Perl at the time I chose to code the solution using Perl and Javascript (browser side) using Linux as the operating system of choice.
I needed to provide a public WiFi hotspot across our existing corporate wireless infrastructure at our five major sites. It obviously needed to be secure from our internal network, it needed to be 100% automated (there were no resources available to support this offering) and it needed to work (there's a surprise requirement). We also needed to keep internal (corporate) laptops and wireless devices from connecting to the unencrypted network and circumventing current Internet access policies.
Because of security concerns I decided to only allow HTTP (TCP 80) and HTTPS (TCP 443) traffic from the public wireless network. I also tabled any ideas of content/URL filtering from the original design. Instead we would rely on Blue Coat ProxySG/ProxyAV appliances and Websense to perform content filtering and AV scanning of the traffic in a later upgrade.
How did we do it?
We carved out an ESSID ("public") from our Motorola Wireless LAN infrastructure at each facility. We set up the wireless network without any encryption or security so as to minimize any end-user difficulties in connecting to the wireless network. We took CentOS and built a WiFi portal server/gateway/firewall/router using an HP ProLiant DL360. We essentially turned our Linux server into a cheap and very efficient firewall/gateway for the WiFi Hotspot. We connected one NIC of the Linux server to the wireless WLAN and the other to our internal network. This allowed us to use the Linux server to provide IP addresses to the wireless devices through DHCP. It also allowed us to have the Linux server provide DNS for name resolution. And most importantly it allowed us to use iptables to provide firewalling between the wireless network and our internal network. This solution also allowed us to implement bandwidth shaping/throttling to prevent the public WiFi Hotspot wireless users from utilizing too much of our Internet link (DS-3 ~ 45Mbps).
Once a device associates with the wireless network the Linux portal server will issue the device a DHCP address from the 192.168.16.0/20 network. When the user opens their web browser they will be redirected to the Linux portal web server and the registration page as it appears below;
Once the user clicks on the "I AGREE" button the Linux server will kick off the "register.pl" script to check the IP/MAC address and decide if they should be granted access. If they are granted access they will be redirected to our Internet homepage after which they'll be free to surf to any URL. If the user is denied access they will be directed to an error page.
It is also possible that the user may attempt to register multiple times because their web browser has cached the portal page contents as the contents of a legitimate Internet website. Example: A user opens their web browser to www.cnn.com and is greeted with the portal page. The user registers and is then redirected to www.acme.org. The user then types www.cnn.com back into the browser address bar, but instead of getting the legitimate content for the CNN website the user is greeted again by the portal page. The user, not knowing any better, clicks the "I AGREE" button for the second time in as many minutes. Previously this problem would have gone on and on; now the system will detect that the user is already registered and will throw an error alerting the user to "refresh" their web browser. In order to refresh the browser the user should just type in the URL of the website they are attempting to visit and click "Go" (or hit "enter"). If they are greeted with the portal page they should click the "refresh" button from the browser button bar. That will instruct the web browser to ignore any cached content and attempt to retrieve all the data direct from the source website.
Every night at midnight the firewall rules are reset to the defaults, requiring anyone who wishes to access the WiFi Hotspot to agree to the AUP again. This is done to prevent folks from continually sitting/camping on the WiFi Hotspot.
Initially I thought we might be able to use a VPN or GRE tunnel to connect the five public WLANs to a single Linux server. Unfortunately I was a little ahead of the times and VPN/GRE tunnels were just starting to be supported in the various wireless switches (Motorola in this case). So I decided to take an easier approach and installed five HP ProLiant DL360 servers, one for each site.
I'm very happy to report that the solution works very well and virtually supports itself.
The only issue that we've seen is the need to continually update the blacklist file to keep corporate wireless devices from connecting to the public network. Thankfully I've written a small Bash Shell script to help with that process.
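To show how the pieces above fit together (the iptables gateway, the "register.pl" decision, the already-registered check, the midnight reset and the corporate-device blacklist), here is an added example. It is my own code, not the Perl/Bash scripts the post describes, and it returns iptables command strings rather than executing them so the logic can be exercised without root. The interface names, portal address and internal ranges are hypothetical placeholders; the guest range and the 80/443-only policy come from the post; the blacklist file format (one MAC per line, "#" comments) is a constructed assumption.

```python
from typing import Dict, List, Set, Tuple

# Hypothetical values, not taken from the post's deployment: interface names,
# the portal's own address and the internal ranges guests must never reach.
WIFI_IF, INSIDE_IF = "eth1", "eth0"
PORTAL_IP = "192.168.16.1"             # gateway inside the post's 192.168.16.0/20 guest range
INTERNAL_NETS = ["10.0.0.0/8", "172.16.0.0/12"]
GUEST_PORTS = "80,443"                 # the post permits only HTTP and HTTPS outbound


def load_blacklist(text: str) -> Set[str]:
    """Parse the corporate-device blacklist (constructed format: one MAC per
    line, '#' starts a comment).  MACs are lower-cased so a differently-cased
    entry cannot slip past the check."""
    macs: Set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            macs.add(line)
    return macs


def base_rules() -> List[str]:
    """Midnight defaults: FORWARD closed by policy, return traffic allowed,
    guest-to-internal dropped before any per-client ACCEPT can match, and
    unregistered web traffic DNATed to the portal's registration page."""
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -F FORWARD",
        "iptables -t nat -F PREROUTING",
        f"iptables -A FORWARD -i {INSIDE_IF} -o {WIFI_IF} "
        "-m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    rules += [f"iptables -A FORWARD -i {WIFI_IF} -d {net} -j DROP" for net in INTERNAL_NETS]
    rules.append(
        f"iptables -t nat -A PREROUTING -i {WIFI_IF} -p tcp --dport 80 "
        f"-j DNAT --to-destination {PORTAL_IP}:80"
    )
    return rules


def client_rules(ip: str, mac: str, action: str = "add") -> List[str]:
    """Per-client rules after "I AGREE".  The IP is pinned to the MAC so a
    guest cannot inherit another client's registration by taking its address.
    The nat ACCEPT is inserted ahead of the DNAT; the FORWARD ACCEPT is
    appended so the internal-network DROPs in base_rules() match first."""
    nat_op, fwd_op = ("-I", "-A") if action == "add" else ("-D", "-D")
    match = f"-i {WIFI_IF} -s {ip} -m mac --mac-source {mac}"
    return [
        f"iptables -t nat {nat_op} PREROUTING {match} -j ACCEPT",
        f"iptables {fwd_op} FORWARD {match} -o {INSIDE_IF} -p tcp "
        f"-m multiport --dports {GUEST_PORTS} -j ACCEPT",
    ]


class Portal:
    """State behind a register.pl-style decision; rules are returned, not run."""

    def __init__(self, blacklist: Set[str]):
        self.blacklist = blacklist
        self.registered: Dict[str, str] = {}   # mac -> ip currently authorised
        self.reset_day: str = ""

    def register(self, ip: str, mac: str) -> Tuple[str, List[str]]:
        mac = mac.lower()
        if mac in self.blacklist:
            return "denied-corporate-device", []
        old_ip = self.registered.get(mac)
        if old_ip == ip:
            # Browser replayed the cached portal page: tell the user to refresh.
            return "already-registered-refresh-browser", []
        rules: List[str] = []
        if old_ip is not None:
            rules += client_rules(old_ip, mac, "delete")   # new lease: retire the old rules
        rules += client_rules(ip, mac)
        self.registered[mac] = ip
        return "granted", rules

    def nightly_reset(self, day: str) -> List[str]:
        """Cron at midnight passes the date (e.g. from `date +%F`); rules are
        reloaded once per day and every guest must accept the AUP again."""
        if day == self.reset_day:
            return []
        self.reset_day = day
        self.registered.clear()
        return base_rules()
```

The ordering inside base_rules() is the part to get right: the DROP rules for the internal ranges are appended before any client ACCEPT, so a registered guest is still cut off from the corporate side even on ports 80 and 443, and the midnight flush removes every per-client rule in one go.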
I hope to write a more detailed account of how to set this up on my website sometime in the future. If you're interested in hearing more or have questions please drop me a line.
Cheers!
