Tag Archives: alcatel-lucent

Changing DHCP server config on AOS 7

This posting is ~3 years years old. You should keep this in mind. IT is a short living business. This information might be outdated.

The embedded DHCP server on AOS 7 and AOS 8 is a less known feature. But it’s pretty handy in some cases, e.g. if you have no servers on premises, or you don’t want that a a non redundant firewall or router acts as DHCP server. Because you can run two or more switches as a virtual chassis, you can easily make the DHCP server role highly available.

Configuring the DHCP server

The configuration is pretty easy.

Edit the dhcpd.conf as necessary. Then start the DHCP server.

The “enable” enables the DHCP server, but it’s not started. “restart” is used to start or restart the DHCP server.

Change the dhcpd.conf

But how do you change the dhcpd.conf? Sure, simply use VI and edit it. Not quite… After starting the DHCP server, the owner of the dhcpd.conf changes from “admin” to “root”. So with your normal “admin” user, you don’t have the permission to write the file.

In order to change the dhcpd.conf, we need an account with more privileges. In this case, the maintenance shell can help.

Maintenance Shell commands should only be used by Alcatel-Lucent Enterprise personnel or under the direction of Alcatel-Lucent Enterprise.

With higher privileges it’s no problem to edit the dhcpd.conf. Make sure to leave the maintenance shell after the change, and don’t forget to restart the DHCP server.

I assume that this behaviour is caused by a bug. I don’t know, if AOS 8 shows the same behaviour. I will update this blog post with further information, as soon as I get them.

Dynamic VLAN assignment with AOS 6

This posting is ~3 years years old. You should keep this in mind. IT is a short living business. This information might be outdated.

Manually assigning ports to VLANs can be a time consuming and error prone process. Depending on the size of the network, there is a point where it doesn’t make sense to do this manually. Especially in SMB networks, VLANs are assigned manually, because the effort of automating the VLAN assignment exceeds the effort for manually assigning VLANs. Those environments are often very static. I know many SMB networks where VLAN have not been addressed for a long time. With declining costs for Layer 3 switches, the separation of workloads in VLANs for SMB customers became affordable. Server virtualization was another mainspring for VLANs and inter-VLAN routing. To be honest: I’m talking about SMB customers, not enterprise customers or enterprise-grade SMB customers (latter is my special term for SMB customers with enormous IT budgets…). But the main driver for VLANs was Voice over IP (VoIP). With the increasing proliferation of VoIP, even the smallest SMB customer were forced to use VLANs. But this led to situations, where customers had to change the switch config every time a new client or IP phone was added to the network. Common workarounds:

  • pre-configuring switches, eg. port 1 to 12 for clients and 13 to 24 for IP phones
  • connecting clients behind IP phones and pre-configuring all switch ports (untagged client and tagged VoIP VLAN)

Suitable for small environments, but difficult to handle if environments grow over time. And I’m not a friend of connecting clients behind IP phones… Enterprise, or enterprise-grade SMB customers tend to implement 802.1x to manage access to their network. With 802.1x it’s possible to assign ports to VLANs depending on the user identity. But 802.1x is complex. If you have the the knowhow, the time and the budget, please do 802.1x! But you should take the complexity into account. Today I want to show options, offisde of 802.1x, to dynamically assign ports to VLANs with Alcatel-Lucent Enterprise OmniSwitches.

First of all: We have to differ between AOS 6, AOS 7 and AOS 8. Alcatel-Lucent Enterprise (ALE) currently uses three different software releases, depending on the switch platform.

Switch modelAOS release
OmniSwitch 6250AOS 6
OmniSwitch 6350AOS 6
OmniSwitch 6450AOS 6
OmniSwitch 6850EAOS 6
OmniSwitch 6855AOS 6
OmniSwitch 6860(E)AOS 8
OmniSwitch 6900AOS 7
OmniSwitch 9000(E)AOS 6
OmniSwitch 9900AOS 6
OmniSwitch 10KAOS 7

Depending on the specific AOS release, there are various ways to enable dynamic VLAN assignment. The main reason for the different AOS releases is, that ALE shifts its networking core platform from Windriver VxWorks (AOS 6) to Linux (AOS 7 and AOS 8) (source #1, source #2).

This blog post will focus on

  • OmniSwitch 6250/ 6350/ 6450 running AOS 6.7.1

I plan to publish similar blog posts for

  • OmniSwitch 6900/ 10k running AOS 7.3.4
  • OmniSwitch 6860/ 6860E running AOS 8.2.1

Dynamic VLAN assignment with AOS 6

In general, there are three different ways to dynamically assign ports to VLANs with AOS 6:

  • VLAN mobility
  • User Network Profiles (UNP)
  • LLDP Media Endpoint Detection (LLDP-MED)

Let’s take a look at VLAN mobility. VLAN mobility is used to dynamically assign one or more VLANs to a port, based on traffic characteristics that were received on that port. The following information can be used to classify traffic:

  • 802.1Q VLAN ID tag
  • DHCP MAC address
  • DHCP MAC range
  • DHCP port
  • DHCP generic
  • MAC address
  • MAC address range
  • Network address
  • Protocol
  • Port

You can’t use VLAN mobility on ports that

  • is an 802.1Q tagged port
  • belongs to a Link Aggregation Group (LAG)
  • has Spanning Tree enabled and the BPDU ignore status is disabled
  • is used to mirror traffic

To allow the switch to dynamically assign ports to VLANs, VLAN mobility has to be enabled. By default, all ports are non-mobile ports. A non-mobile port is statically assigned to a specific VLAN.

To enable VLAN mobility for a port:

You can also use a port range.

To disable VLAN mobility use the “no” form of the command.

If a device sends ethernet frames with a 802.1Q VLAN ID tag, you can use the VLAN ID tag to dynamically assign a port to a VLAN. With VLAN mobility enabled, you only have to enable the “mobile-tag” option for the desired VLAN.

As soon as the switch receives a frame with a 802.1Q VLAN ID tag for VLAN 199, the port that received this frame is dynamically assigned to VLAN 199. That’s VLAN mobility based on 802.1Q VLAN ID tags. But you can also use VLAN rules. VLAN rules are created per VLAN. You can have one or more rules per VLAN. You can use the

  • Source MAC address
  • Source MAC address ranges
  • Switch ports, or
  • the DHCP request itself

to dynamically assign a port to a VLAN. This rule matches to DHCP requests from a single MAC address.

If a DHCP request with the specified MAC address is received, the port is dynamically assigned to VLAN 199. Because managing MAC addresses is not very handy, you can use MAC address ranges:

To use all DHCP requests on a specific port, use the DHCP port rule:

To use all received DHCP requests, use the DHCP generic rule:

To remove a rule, use the “no” form of the command.

Once the device has received an IP address from the DHCP server, the VLAN port assignment is dropped! Because of this, you can combine DHCP and network address rules. A network address rule dynamically assigns the VLAN depending on the IP subnet.

This rule assigns VLAN 199 to a port, that receives traffic from a client in the subnet 192.168.20.0/24. If the DHCP server in VLAN 199 assigns IP addresses from this subnet, you can easily combine the DHCP and network address rule.

A MAC address rule assigns the VLAN depending on a single MAC address

 or on a range of MAC addresses.

Less frequently used are port and protocol rules. A port rule doesn’t require incoming traffic to trigger dynamic VLAN assignment. The specified mobile port is immediately assigned to the specified VLAN. Port rules only apply to outgoing broadcast traffic. You still need rules for the incoming traffic. To create a VLAN port rule:

A protocol rule uses the protocol type in an ethernet frame to assign VLANs to ports. Valid values for the port type are:

  • IP Ethernet-II
  • IP SNAP
  • Ethernet II
  • DECNet
  • AppleTalk
  • Ethertype
  • DSAP/SSAP
  • SNAP

A protocol rule is created by issuing

As always, the “no” form of the command removes the rule.

or

User Network Profiles (UNP) is a feature of Access Guardian. Access Guardian refers to security functions, like

  • Authentication and Classification
  • Host Integrity Check (HIC)
  • User Network Profiles (UNP), and
  • Virtual Network Profile (VPN)

UNP are available in AOS 6, AOS 7 and AOS 8. In AOS 6 we need a

  • policy condition
  • policy action
  • policy rule, and a
  • policy list

These four characteristics belong to the QoS feature of AOS. But a UNP needs a policy list, more specific the policy rules that are part of the policy list, to classify traffic and devices. The policy condition is necessary to identifiy a devices on which this policy should match.

Beside the MAC address, you can use source and destionation IP addresses, switch ports, source and destination TCP/ UDP ports, VLANs and many more. To use one or more IP addresses, simple use a network group.

The group “sales” consists of two subnets. To remove a subnet, use the “no” form of the command.

The policy action is used to determine, what should happen with the traffic. In this case: Priorize the traffic.

The rule binds condition and action.

A policy list is used to group one or more policy rules.

A UNP binds a name, a VLAN and a policy list together.

A third way to dynamically assign ports to VLANs is LLDP Media Endpoint Detection (LLDP-MED). LLDP Media Endpoint Detection was developed to increase the interoperability of VoIP devices with other devices on the network (eg. PC, switches etc). AOS uses LLDP-MED network policies to advertise information to devices. A network policy contains information about VLAN ID and L2/ L3 priorities. First, we have to enable network policy support, either for a port or for the chassis.

To enable network policies for the chassis use the keyword “chassis” instead of a port.

To create a network policy enter:

The created policy (ID 1) will advertise the VLAN 100, L2 priority 5 and DSCP 46 to voice devices. The next step is to bind the policy to a port or the chassis.

Or for a specific port.

Furthermore, you need to enable VLAN mobility on the ports. If the IP phones sends tagged VLAN frames, you also have to enable the “mobile tag” feature for the VLAN.

The IP phone receives the configuration information over of the network policy. VLAN mobility and “mobile tag” will make sure, that the VoIP phone is pushed to the correct VLAN.

Summary

Manually assigning VLANs can be a time consuming and error prone process. AOS 6 offers

  • VLAN mobility
  • User Network Profiles, and
  • LLDP-MED

to dynamically assign ports to VLANs. Each of the options has its pros and cons. Especially the combination of VLAN mobility and LLDP-MED is really easy to implement. I will publish more blog posts about the same topic, but with AOS 7 and AOS 8.

ALE OmniSwitch stack does not form due to incompatible licenses

This posting is ~3 years years old. You should keep this in mind. IT is a short living business. This information might be outdated.

Today I saw an interesting behaviour of two Alcatel-Lucent Enterprise OmniSwitch 6450. Both switches has been configured as a stack, but one of the switches showed a flashing ID after the startup, and the stack was not formed. While I checked the logs and the status of the stack, I noticed that the slot number was incorrect. Furthermore the status showed “INC-LIC”.

According to the stack status and the switch logs, there seems to be a problem with the licenses. So I checked the installed licenses on both switches. On switch showed Metro license:

The other switch not:

Don’t be confused because of the slot numbering. I pulled the stacking cable.

The solution was easy: I removed the metro license and after a reboot of the switch, from which I removed the license, the stack formed properly.