Meet Avaya ERS 4000

Hello! About a year ago, when I first encountered hardware from the former Nortel, now Avaya, I discovered that there was no sensible information online about setting up and troubleshooting this equipment. There is only the official documentation, from which it is not always possible to extract the information you need.

So today, as an introduction to the vendor and its CLI syntax, I present a walkthrough of the configuration of an Avaya 4850GTS-PWR+ access-layer switch, set up to provide network access to ordinary residential apartments.

At first glance the Avaya syntax is very similar to Cisco's, but the approach to implementing certain features is very different. So, let's unpack the switch, plug it in and connect the console cable.

A first piece of advice right away: pay attention to the power cord connector. On some models it comes with a small cutout. If that is your case, guard the cord like the apple of your eye, so that you do not later have to wonder how you managed to lose it while carving the same cutout into a standard power cable with a knife.

During the first boot you will be prompted to start autoconfiguration. I recommend skipping this step, especially when you need to configure more than one or two switches. It is much easier to load the configuration from a template, which ultimately boils down to ctrl-C ctrl-V.

After boot completes, we see the vendor banner and a prompt to press ctrl + Y to continue, which we do.

4850GTS-PWR+> 


Enter privileged mode with the enable command and go straight into configuration mode with configure terminal. At this point the "déjà vu" that many will have felt is practically over.

 4850GTS-PWR+>enable
 4850GTS-PWR+#configure terminal
 Enter configuration commands, one per line. End with CNTL/Z.
 4850GTS-PWR+(config)#


The first thing to do is to disable the "useful" autosave function, which periodically saves the configuration even if that configuration has made the switch unreachable from outside. I think the danger is clear, so we simply turn it off.

 4850GTS-PWR+(config)#no autosave enable 


Then immediately do two things that take effect only after a reboot, so that they do not distract us later during configuration.
First, select the Spanning Tree mode. In my case, this is RSTP:

 4850GTS-PWR+(config)#spanning-tree mode rstp
 New operational mode RSTP will take effect upon reset
 4850GTS-PWR+(config)#


Secondly, the QoS mode of operation. QoS on Avaya is a topic for a separate, rather big article, but for now I can only say that by scientific trial and error, it was found that the optimal solution for an access level switch is:

 4850GTS-PWR+(config)#qos agent aq-mode mixed
 4850GTS-PWR+(config)#qos agent buffer maximum
 QoS buffer setting isn't effective until after reset.
 4850GTS-PWR+(config)#


You can, of course, tune the queues by hand, but again there is no point in doing so at the access layer (unless, of course, every port has hardcore users pulling terabytes of torrents around the clock).

A word about the second command. Avaya recommends the maximum buffer if services such as streaming video are provided on your network (ordinary IPTV falls under this too). If the buffer is set, for example, to regular, television will work only as long as it is delivered on a port separate from network access. If, for example, there is a small but very proud D-Link at the far end with both a home computer and a TV plugged into it, the picture on the TV is likely to "crumble".

Create groups and assign interfaces to use QoS:

 4850GTS-PWR+(config)#qos if-group name UPLINK class trusted
 4850GTS-PWR+(config)#qos if-group name USER class untrusted
 4850GTS-PWR+(config)#qos if-assign port 1-48 name USER
 4850GTS-PWR+(config)#qos if-assign port 49-50 name UPLINK
 4850GTS-PWR+(config)#


After the above, we save the configuration with the painfully familiar write memory (by the way, copy running-config startup-config does not work here; that command can copy the configuration only to USB, FTP, etc.)
and reboot with the boot command.

 4850GTS-PWR+(config)#write memory
 4850GTS-PWR+(config)#boot
 Reboot the unit(s) (y/n) ? y


While our switch is testing its memory and fans, I'll mention that the boot command can also be used to reset to factory settings. In that case it looks like boot default. Be careful with this command. If additional licenses are installed on the switch, they will be lost on reset, so if you do not have the license file for this switch, it is better not to use it.

So. Our switch has booted, continue.

Now let's deal with security and set passwords. Avaya's password complexity requirements are almost identical to those of, for example, a Windows domain. If that conflicts with your sense of beauty, you can disable them with the command:

 4850GTS-PWR+(config)#no password security 


Create a user:

 4850GTS-PWR+(config)#username avaya avaya1 rw 


where avaya is the name, avaya1 is the password and rw is the access level. You can specify ro instead, in which case the user will see nothing beyond the port status and the current configuration.

Set the authentication mode on the device:

 4850GTS-PWR+(config)#cli password serial local
 4850GTS-PWR+(config)#cli password telnet local


Here too, I think almost everything is clear. Local means that credentials are checked against the local user database.
Since only one read-only user and one full-access user can be created locally, which is not enough for me personally, we will reconfigure authentication to use a RADIUS server.

 4850GTS-PWR+(config)#username admin admin1 rw
 4850GTS-PWR+(config)#username user user1 ro
 4850GTS-PWR+(config)#radius-server password fallback
 4850GTS-PWR+(config)#radius-server host 192.168.1.2
 4850GTS-PWR+(config)#radius-server key avaya


The username entries must be set up anyway; they are used if the RADIUS server is unavailable.

Switch authentication over to RADIUS:

 4850GTS-PWR+(config)#cli password serial radius
 4850GTS-PWR+(config)#cli password telnet radius


By the way, on the subject of configuring RADIUS: before making any changes to the RADIUS connection settings, you need to switch authentication back to local, otherwise you will see nothing but an error in the console output.

Next, set the name of the switch:

 4850GTS-PWR+(config)#snmp-server name Avaya_4850_test
 Avaya_4850_test(config)#


And at the same time, we will enable snmp-server for further monitoring:

 Avaya_4850_test(config)#snmp-server community Public rw
 Avaya_4850_test(config)#snmp-server host 192.168.1.2 v2c Public
 Avaya_4850_test(config)#snmp-server enable


snmp-server host here takes the address of the remote server that will do the monitoring, the SNMP version and the community.
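
The management-plane settings entered up to this point (password policy, local users, RADIUS key, SNMP community) can be checked mechanically before the template is pasted onto more switches. The Python linter below is an added example, not part of the original article; the rule names and the 16-character threshold (taken from the RFC 2865 preference for shared secrets) are choices made for this example, and the input is a constructed copy of the commands above.

```python
import re

# Constructed input: management-plane lines copied from the walkthrough above.
TEMPLATE = """\
no password security
username admin admin1 rw
username user user1 ro
radius-server host 192.168.1.2
radius-server key avaya
snmp-server community Public rw
snmp-server host 192.168.1.2 v2c Public
"""

MIN_SECRET = 16  # RFC 2865 prefers a shared secret of at least 16 octets

def audit(config):
    """Return (rule_id, line) pairs for weak management-plane settings."""
    findings = []
    for raw in config.splitlines():
        # Strip a pasted prompt such as 'Avaya_4850_test(config)#'.
        line = re.sub(r"^\S*[#>]\s*", "", raw.strip())
        if line.lower() == "no password security":
            findings.append(("password-policy-off", line))
        m = re.match(r"username (\S+) (\S+) (rw|ro)$", line, re.I)
        if m and m.group(1).lower() in m.group(2).lower():
            findings.append(("password-contains-username", line))
        m = re.match(r"radius-server key (\S+)$", line, re.I)
        if m and len(m.group(1)) < MIN_SECRET:
            findings.append(("short-radius-secret", line))
        m = re.match(r"snmp-server community (\S+) (rw|ro)$", line, re.I)
        if m and m.group(2).lower() == "rw":
            findings.append(("snmp-rw-community", line))
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(("snmp-default-community", line))
        # SNMP v1 and v2c carry the community string unencrypted.
        if re.match(r"snmp-server host \S+ (v1|v2c)\b", line, re.I):
            findings.append(("snmp-cleartext-version", line))
    return findings

if __name__ == "__main__":
    for rule, line in audit(TEMPLATE):
        print(f"{rule:28} {line}")
```

Every finding also points at a secret stored in plain text in the template itself, so the template file deserves the same handling as the credentials it contains.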

Now for the VLANs themselves. We have quite a few VLANs on the network, so I'll just show the principle of setting them up on the device.
To begin, enable automatic assignment of the PVID on interfaces (again, if this does not contradict your sense of beauty).

 Avaya_4850_test(config)#vlan configcontrol automatic 


Now create the necessary VLANs:

 Avaya_4850_test(config)#Vlan create 3 name Data type port
 Avaya_4850_test(config)#vlan create 4 name TV type port
 Avaya_4850_test(config)#Vlan create 5 name Management type port


Decide which ports are trunks:

 Avaya_4850_test(config)#vlan ports 1-48 tagging unTagAll
 Avaya_4850_test(config)#vlan ports 49-50 tagging tagAll


And distribute the VLANs across the ports, first removing all ports from VLAN 1:

 Avaya_4850_test(config)#vlan members remove 1 ALL
 Avaya_4850_test(config)#vlan members add 3 1-20,49-50
 Avaya_4850_test(config)#vlan members add 4 20-40,49-50
 Avaya_4850_test(config)#vlan members add 5 49-50
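
When a template like this is reused across many switches, it is worth checking the port lists before pasting. The Python script below is an added example, not part of the original article: it expands the port ranges from the commands above (constructed input) and reports untagged ports that are listed under more than one VLAN or under none. Which VLAN an overlapping port finally joins depends on the configcontrol mode, so the script only reports the overlap.

```python
import re

# Constructed input: the VLAN lines from the walkthrough above.
CONFIG = """\
vlan ports 1-48 tagging unTagAll
vlan ports 49-50 tagging tagAll
vlan members remove 1 ALL
vlan members add 3 1-20,49-50
vlan members add 4 20-40,49-50
vlan members add 5 49-50
"""

def ports(spec):
    """Expand a port list such as '1-20,49-50' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def review_vlans(config):
    """Return (overlaps, unassigned) for ports configured as unTagAll."""
    untagged, members = set(), {}
    for line in config.splitlines():
        m = re.match(r"vlan ports (\S+) tagging (\S+)", line, re.I)
        if m and m.group(2).lower() == "untagall":
            untagged |= ports(m.group(1))
        m = re.match(r"vlan members add (\d+) (\S+)", line, re.I)
        if m:
            members.setdefault(int(m.group(1)), set()).update(ports(m.group(2)))
    seen = {}  # untagged port -> VLAN IDs whose member list names it
    for vid, plist in sorted(members.items()):
        for p in plist & untagged:
            seen.setdefault(p, []).append(vid)
    overlaps = {p: v for p, v in seen.items() if len(v) > 1}
    unassigned = sorted(untagged - set(seen))
    return overlaps, unassigned

if __name__ == "__main__":
    print(review_vlans(CONFIG))
```

For the listing above it reports port 20 under both VLAN 3 and VLAN 4, and ports 41-48 under no VLAN.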


Define the VLAN used to manage the switch and restrict access to it, for example to the office network 192.168.2.0/24:

 Avaya_4850_test(config)#vlan mgmt 5
 Avaya_4850_test(config)#ipmgr source-ip 1 192.168.2.0 mask 255.255.255.0


Turn on multicast tracking (IGMP snooping) in all VLANs and finally assign an IP address to the switch:

 Avaya_4850_test(config)#interface vlan 3
 Avaya_4850_test(config-if)#ip igmp snooping
 Avaya_4850_test(config-if)#exit
 Avaya_4850_test(config)#interface vlan 4
 Avaya_4850_test(config-if)#ip igmp snooping
 Avaya_4850_test(config-if)#exit
 Avaya_4850_test(config)#interface vlan 5
 Avaya_4850_test(config-if)#ip address 192.168.5.4 255.255.255.0
 Avaya_4850_test(config-if)#ip default-gateway 192.168.5.1
 Avaya_4850_test(config-if)#ip igmp snooping
 Avaya_4850_test(config-if)#exit


Since I have an Avaya VSP 7024XLS at the other end, we will bundle the trunks into an MLT (essentially Cisco's EtherChannel by another name).

 Avaya_4850_test(config)#mlt 1 name UPLINK member 49-50 learning disable
 Avaya_4850_test(config)#mlt 1 enable


And finally, let's set up a couple more useful features.
Allow DHCP-OFFER to be received only from the trunk side:

 Avaya_4850_test(config)#ip dhcp-snooping enable
 Avaya_4850_test(config)#ip dhcp-snooping vlan 3
 Avaya_4850_test(config)#ip dhcp-snooping vlan 4
 Avaya_4850_test(config)#interface FastEthernet ALL
 Avaya_4850_test(config-if)#ip dhcp-snooping port 49-50 trusted
 Avaya_4850_test(config-if)#ip dhcp-snooping port 1-48 untrusted
 Avaya_4850_test(config-if)#exit


And protect against loops:

 Avaya_4850_test(config)#interface FastEthernet all
 Avaya_4850_test(config-if)#slpp-guard port 1-48 enable
 Avaya_4850_test(config-if)#exit


Turn on SSH and save our configuration:

 Avaya_4850_test(config)#ssh
 Avaya_4850_test(config)#write memory


That gives us an example of a working configuration for Avaya switches. It can be used as-is for the entire ERS 4000 line and is partially valid for both the 5000 and 7000.
As a postscript, a couple of common problems and ways to eliminate them:

1) IP addresses take a long time to arrive via DHCP and/or the TV stream takes a long time to come up.

At this point we remember that Spanning Tree exists, clutch our heads and quickly fix everything by defining the edge ports:

 Avaya_4850_test#conf t
 Avaya_4850_test(config)#Inter fa all
 Avaya_4850_test(config-if)#spanning-tree rstp port 1-40 learning enable
 Avaya_4850_test(config-if)#spanning-tree rstp port 1-40 edge-port true


Do not forget to protect yourself from assorted clever users and their hardware. Enable BPDU packet filtering (incompatible with some Linksys home router models):

 Avaya_4850_test(config)#spanning-tree bpdu-filtering port 1-48 enable timeout 300 


2) The TV stream works intermittently (true for any broadcast stream).

Take a look at the excellent rate-limit option. If there is a broadcast stream on the network, turn rate-limit off on the trunks, otherwise part of the stream will be constantly cut off, especially under high load.

That's probably all. I will be glad to answer any questions and comments.

Source: https://habr.com/ru/post/229755/