Tag Archives: omniswitch

Changing DHCP server config on AOS 7

This posting is ~3 years old. You should keep this in mind. IT is a short-lived business. This information might be outdated.

The embedded DHCP server on AOS 7 and AOS 8 is a less known feature. But it’s pretty handy in some cases, e.g. if you have no servers on premises, or you don’t want a non-redundant firewall or router to act as DHCP server. Because you can run two or more switches as a virtual chassis, you can easily make the DHCP server role highly available.

Configuring the DHCP server

The configuration is pretty easy.

Edit the dhcpd.conf as necessary. Then start the DHCP server.

“enable” enables the DHCP server, but does not start it. “restart” is used to start or restart the DHCP server.

Change the dhcpd.conf

But how do you change the dhcpd.conf? Sure, simply use VI and edit it. Not quite… After starting the DHCP server, the owner of the dhcpd.conf changes from “admin” to “root”. So with your normal “admin” user, you don’t have the permission to write the file.

In order to change the dhcpd.conf, we need an account with more privileges. In this case, the maintenance shell can help.

Maintenance Shell commands should only be used by Alcatel-Lucent Enterprise personnel or under the direction of Alcatel-Lucent Enterprise.

With higher privileges it’s no problem to edit the dhcpd.conf. Make sure to leave the maintenance shell after the change, and don’t forget to restart the DHCP server.

I assume that this behaviour is caused by a bug. I don’t know if AOS 8 shows the same behaviour. I will update this blog post with further information as soon as I have it.

Dynamic VLAN assignment with AOS 6

This posting is ~3 years old. You should keep this in mind. IT is a short-lived business. This information might be outdated.

Manually assigning ports to VLANs can be a time consuming and error prone process. Depending on the size of the network, there is a point where it doesn’t make sense to do this manually. Especially in SMB networks, VLANs are assigned manually, because the effort of automating the VLAN assignment exceeds the effort of assigning VLANs by hand. Those environments are often very static. I know many SMB networks where VLANs have not been touched for a long time. With declining costs for Layer 3 switches, the separation of workloads into VLANs became affordable for SMB customers. Server virtualization was another driver for VLANs and inter-VLAN routing. To be honest: I’m talking about SMB customers, not enterprise customers or enterprise-grade SMB customers (the latter is my term for SMB customers with enormous IT budgets…). But the main driver for VLANs was Voice over IP (VoIP). With the increasing proliferation of VoIP, even the smallest SMB customers were forced to use VLANs. But this led to situations where customers had to change the switch config every time a new client or IP phone was added to the network. Common workarounds:

  • pre-configuring switches, e.g. port 1 to 12 for clients and 13 to 24 for IP phones
  • connecting clients behind IP phones and pre-configuring all switch ports (untagged client and tagged VoIP VLAN)

Suitable for small environments, but difficult to handle if environments grow over time. And I’m not a friend of connecting clients behind IP phones… Enterprise, or enterprise-grade SMB customers tend to implement 802.1x to manage access to their network. With 802.1x it’s possible to assign ports to VLANs depending on the user identity. But 802.1x is complex. If you have the know-how, the time and the budget, please do 802.1x! But you should take the complexity into account. Today I want to show options, outside of 802.1x, to dynamically assign ports to VLANs with Alcatel-Lucent Enterprise OmniSwitches.

First of all: we have to distinguish between AOS 6, AOS 7 and AOS 8. Alcatel-Lucent Enterprise (ALE) currently uses three different software releases, depending on the switch platform.

Switch model          AOS release
OmniSwitch 6250       AOS 6
OmniSwitch 6350       AOS 6
OmniSwitch 6450       AOS 6
OmniSwitch 6850E      AOS 6
OmniSwitch 6855       AOS 6
OmniSwitch 6860(E)    AOS 8
OmniSwitch 6900       AOS 7
OmniSwitch 9000(E)    AOS 6
OmniSwitch 9900       AOS 6
OmniSwitch 10K        AOS 7

Depending on the specific AOS release, there are various ways to enable dynamic VLAN assignment. The main reason for the different AOS releases is that ALE is shifting its networking core platform from Wind River VxWorks (AOS 6) to Linux (AOS 7 and AOS 8) (source #1, source #2).

This blog post will focus on

  • OmniSwitch 6250/ 6350/ 6450 running AOS 6.7.1

I plan to publish similar blog posts for

  • OmniSwitch 6900/ 10k running AOS 7.3.4
  • OmniSwitch 6860/ 6860E running AOS 8.2.1

Dynamic VLAN assignment with AOS 6

In general, there are three different ways to dynamically assign ports to VLANs with AOS 6:

  • VLAN mobility
  • User Network Profiles (UNP)
  • LLDP Media Endpoint Detection (LLDP-MED)

Let’s take a look at VLAN mobility. VLAN mobility is used to dynamically assign one or more VLANs to a port, based on traffic characteristics that were received on that port. The following information can be used to classify traffic:

  • 802.1Q VLAN ID tag
  • DHCP MAC address
  • DHCP MAC range
  • DHCP port
  • DHCP generic
  • MAC address
  • MAC address range
  • Network address
  • Protocol
  • Port

You can’t use VLAN mobility on a port that

  • is an 802.1Q tagged port
  • belongs to a Link Aggregation Group (LAG)
  • has Spanning Tree enabled and the BPDU ignore status is disabled
  • is used to mirror traffic

To allow the switch to dynamically assign ports to VLANs, VLAN mobility has to be enabled. By default, all ports are non-mobile ports. A non-mobile port is statically assigned to a specific VLAN.

To enable VLAN mobility for a port:

You can also use a port range.

To disable VLAN mobility use the “no” form of the command.

If a device sends ethernet frames with an 802.1Q VLAN ID tag, you can use the VLAN ID tag to dynamically assign a port to a VLAN. With VLAN mobility enabled, you only have to enable the “mobile-tag” option for the desired VLAN.

As soon as the switch receives a frame with an 802.1Q VLAN ID tag for VLAN 199, the port that received this frame is dynamically assigned to VLAN 199. That’s VLAN mobility based on 802.1Q VLAN ID tags. But you can also use VLAN rules. VLAN rules are created per VLAN. You can have one or more rules per VLAN. You can use the

  • Source MAC address
  • Source MAC address ranges
  • Switch ports, or
  • the DHCP request itself

to dynamically assign a port to a VLAN. This rule matches DHCP requests from a single MAC address.

If a DHCP request with the specified MAC address is received, the port is dynamically assigned to VLAN 199. Because managing MAC addresses is not very handy, you can use MAC address ranges:

To use all DHCP requests on a specific port, use the DHCP port rule:

To use all received DHCP requests, use the DHCP generic rule:

To remove a rule, use the “no” form of the command.

Once the device has received an IP address from the DHCP server, the VLAN port assignment is dropped! Because of this, you can combine DHCP and network address rules. A network address rule dynamically assigns the VLAN depending on the IP subnet.

This rule assigns VLAN 199 to a port that receives traffic from a client in the subnet 192.168.20.0/24. If the DHCP server in VLAN 199 assigns IP addresses from this subnet, you can easily combine the DHCP and network address rule.

A MAC address rule assigns the VLAN depending on a single MAC address

 or on a range of MAC addresses.

Less frequently used are port and protocol rules. A port rule doesn’t require incoming traffic to trigger dynamic VLAN assignment. The specified mobile port is immediately assigned to the specified VLAN. Port rules only apply to outgoing broadcast traffic. You still need rules for the incoming traffic. To create a VLAN port rule:

A protocol rule uses the protocol type in an ethernet frame to assign VLANs to ports. Valid values for the protocol type are:

  • IP Ethernet-II
  • IP SNAP
  • Ethernet II
  • DECNet
  • AppleTalk
  • Ethertype
  • DSAP/SSAP
  • SNAP

A protocol rule is created by issuing

As always, the “no” form of the command removes the rule.

or

User Network Profiles (UNP) are a feature of Access Guardian. Access Guardian refers to security functions like

  • Authentication and Classification
  • Host Integrity Check (HIC)
  • User Network Profiles (UNP), and
  • Virtual Network Profile (VNP)

UNP are available in AOS 6, AOS 7 and AOS 8. In AOS 6 we need a

  • policy condition
  • policy action
  • policy rule, and a
  • policy list

These four objects belong to the QoS feature of AOS. But a UNP needs a policy list, more specifically the policy rules that are part of the policy list, to classify traffic and devices. The policy condition is necessary to identify the devices on which this policy should match.

Besides the MAC address, you can use source and destination IP addresses, switch ports, source and destination TCP/ UDP ports, VLANs and many more. To use one or more IP addresses, simply use a network group.

The group “sales” consists of two subnets. To remove a subnet, use the “no” form of the command.

The policy action is used to determine what should happen with the traffic. In this case: prioritize the traffic.

The rule binds condition and action.

A policy list is used to group one or more policy rules.

A UNP binds a name, a VLAN and a policy list together.

A third way to dynamically assign ports to VLANs is LLDP Media Endpoint Detection (LLDP-MED). LLDP Media Endpoint Detection was developed to increase the interoperability of VoIP devices with other devices on the network (e.g. PCs, switches etc.). AOS uses LLDP-MED network policies to advertise information to devices. A network policy contains information about VLAN ID and L2/ L3 priorities. First, we have to enable network policy support, either for a port or for the chassis.

To enable network policies for the chassis use the keyword “chassis” instead of a port.

To create a network policy enter:

The created policy (ID 1) will advertise the VLAN 100, L2 priority 5 and DSCP 46 to voice devices. The next step is to bind the policy to a port or the chassis.

Or for a specific port.

Furthermore, you need to enable VLAN mobility on the ports. If the IP phone sends tagged VLAN frames, you also have to enable the “mobile tag” feature for the VLAN.

The IP phone receives the configuration information via the network policy. VLAN mobility and “mobile tag” make sure that the VoIP phone is pushed to the correct VLAN.
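What the network policy above actually puts on the wire is a TIA-1057 (LLDP-MED) Network Policy TLV carrying the VLAN ID, the L2 priority and the DSCP value. As an added example, not code from the post or from ALE, here is a Python encoder and decoder for that TLV, using the TIA OUI 00-12-BB and the field layout from the TIA-1057 specification. It is handy for checking, from a packet capture of a switch port, that the advertised values (VLAN 100, L2 priority 5, DSCP 46 in the post’s policy) are really what the phones receive; the parser refuses anything that is not a well-formed Network Policy TLV.

```python
import struct

TLV_TYPE_ORG_SPECIFIC = 127        # IEEE 802.1AB organizationally specific TLV
TIA_OUI = b"\x00\x12\xbb"          # TIA OUI used by all LLDP-MED TLVs
SUBTYPE_NETWORK_POLICY = 2         # LLDP-MED subtype for Network Policy
APPLICATION_TYPES = {
    1: "voice", 2: "voice-signaling", 3: "guest-voice",
    4: "guest-voice-signaling", 5: "softphone-voice",
    6: "video-conferencing", 7: "streaming-video", 8: "video-signaling",
}


def encode_network_policy(app_type: int, vlan_id: int, l2_priority: int,
                          dscp: int, tagged: bool = True,
                          unknown: bool = False) -> bytes:
    """Build a Network Policy TLV.
    After the 2-byte TLV header (7-bit type, 9-bit length) the value is:
    OUI(3) subtype(1) application type(1) and then 24 bits laid out as
    U(1) T(1) X(1, reserved) VLAN ID(12) L2 priority(3) DSCP(6)."""
    if not (0 <= vlan_id < 4096 and 0 <= l2_priority < 8 and 0 <= dscp < 64):
        raise ValueError("field out of range")
    if app_type not in APPLICATION_TYPES:
        raise ValueError("unknown application type")
    policy = ((int(unknown) << 23) | (int(tagged) << 22)
              | (vlan_id << 9) | (l2_priority << 6) | dscp)
    value = TIA_OUI + bytes([SUBTYPE_NETWORK_POLICY, app_type]) + policy.to_bytes(3, "big")
    header = struct.pack("!H", (TLV_TYPE_ORG_SPECIFIC << 9) | len(value))
    return header + value


def decode_network_policy(tlv: bytes) -> dict:
    """Parse one Network Policy TLV back into its fields; raises on anything else."""
    if len(tlv) < 2:
        raise ValueError("truncated TLV header")
    (header,) = struct.unpack("!H", tlv[:2])
    tlv_type, length = header >> 9, header & 0x1FF
    value = tlv[2:2 + length]
    if tlv_type != TLV_TYPE_ORG_SPECIFIC or len(value) != length:
        raise ValueError("not a complete organizationally specific TLV")
    if length != 8 or value[:3] != TIA_OUI or value[3] != SUBTYPE_NETWORK_POLICY:
        raise ValueError("not an LLDP-MED Network Policy TLV")
    policy = int.from_bytes(value[5:8], "big")
    return {
        "application": APPLICATION_TYPES.get(value[4], f"reserved({value[4]})"),
        "unknown_policy": bool((policy >> 23) & 1),
        "tagged": bool((policy >> 22) & 1),
        "vlan_id": (policy >> 9) & 0xFFF,
        "l2_priority": (policy >> 6) & 0x7,
        "dscp": policy & 0x3F,
    }


# The post's policy: voice application, VLAN 100, L2 priority 5, DSCP 46, tagged.
VOICE_POLICY_TLV = encode_network_policy(1, 100, 5, 46)

if __name__ == "__main__":
    print(VOICE_POLICY_TLV.hex())
    print(decode_network_policy(VOICE_POLICY_TLV))
```

Because the 12-bit VLAN field sits between the flag bits and the priority bits, off-by-one shifts are the classic bug in hand-written LLDP-MED parsers; round-tripping the encoder through the decoder, as the module does for the post’s voice policy, is the quickest way to catch that.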

Summary

Manually assigning VLANs can be a time consuming and error prone process. AOS 6 offers

  • VLAN mobility
  • User Network Profiles, and
  • LLDP-MED

to dynamically assign ports to VLANs. Each of the options has its pros and cons. Especially the combination of VLAN mobility and LLDP-MED is really easy to implement. I will publish more blog posts about the same topic, but with AOS 7 and AOS 8.

ALE OmniSwitch stack does not form due to incompatible licenses

This posting is ~4 years old. You should keep this in mind. IT is a short-lived business. This information might be outdated.

Today I saw an interesting behaviour of two Alcatel-Lucent Enterprise OmniSwitch 6450. Both switches had been configured as a stack, but one of the switches showed a flashing ID after the startup, and the stack was not formed. While I checked the logs and the status of the stack, I noticed that the slot number was incorrect. Furthermore, the status showed “INC-LIC”.

According to the stack status and the switch logs, there seemed to be a problem with the licenses. So I checked the installed licenses on both switches. One switch showed a Metro license:

The other switch did not:

Don’t be confused because of the slot numbering. I pulled the stacking cable.

The solution was easy: I removed the metro license and after a reboot of the switch, from which I removed the license, the stack formed properly.

First hands-on experience with Alcatel-Lucent OmniSwitches

This posting is ~4 years old. You should keep this in mind. IT is a short-lived business. This information might be outdated.
Disclaimer: Thanks to ALE Deutschland GmbH, the German subsidiary of Alcatel-Lucent Enterprise, for loaning me two OmniSwitch 6450 switches.

Who’s Alcatel-Lucent Enterprise?

I’m quite sure that you know Alcatel-Lucent, a leading vendor for telecommunication and networking equipment. But do you know Alcatel-Lucent Enterprise (ALE)? In April 2015, Nokia placed an offer to buy Alcatel-Lucent for ~ 15 billion euro. Six months before, in October 2014, Alcatel-Lucent sold its enterprise business to China Huaxin. Since October 2014, ALE offers communication, cloud and networking solutions for businesses of all sizes. More than 2700 employees in 100 countries and 2900 partners deliver solutions to more than 830000 customers worldwide. ALE offers solutions for unified communications and collaboration, which benefit from intelligent and converged networks. Solutions that scale from the local office to the cloud. Unified communication and collaboration solutions include business telephony solutions (e.g. voice, video and conferencing across the enterprise), mobility solutions (e.g. wired and wireless voice and unified communications across the enterprise and across devices) and collaboration solutions (e.g. cloud or on-premises web conferencing).

I will focus on the OmniSwitch campus access switches in this blog post.

A simple comparison

ALE has sent me two OmniSwitch 6450 (OS6450) to play with. The OS6450 is a stackable gigabit and fast ethernet switch for the network and metro access. Depending on the model, the OS6450 has 24 or 48 RJ-45 ports and two SFP+ transceiver slots for 1 GigE or 10 GigE uplinks. There is also a model with 22 SFP slots, as well as models with PoE+ and without PoE. Up to 8 switches can be added to a single stack. The HW for the fast ethernet switches is gigabit ethernet capable, so a simple software license can upgrade a fast ethernet to a gigabit ethernet switch. You can also upgrade a 1 GbE uplink to a 10 GbE uplink by adding a license key. Optional metro ethernet features (e.g. IEEE 802.1ad Provider Bridge, IEEE 802.1ag Ethernet OAM or ITU-T G.8032 Ethernet Ring Protection) can easily be added with a software license. The OS6450 can do basic L3 routing (static and RIP) and it supports IPv4, IPv6 and OpenFlow. A complete overview of the ALE campus and data center switch products can be found in this product brochure.

With which devices can the OS6450 be compared? I have chosen two switches from competitors and set them into comparison with an OS6450: the HP 2920-48G-POE+ and a Cisco Catalyst 2960X-48LPD-L. All switches have 48 gigabit ethernet ports and PoE+ support. Please note that this is only a comparison based on specs, just to get a feeling for the range.

Columns, in order: OS6450-P48 | HP 2920-48G-POE+ | Cisco Catalyst 2960X-48LPD-L

Ports: 48x RJ-45 10/100/1000 ports, 2x SFP+ transceiver slots (10 Gigabit capable with additional software license), 2x expansion slots for stacking, SFP(+) or RJ-45 uplinks | 44x RJ-45 10/100/1000 ports + 4x SFP+/ RJ-45 dual personality, 2x expansion slots with 2 ports for stacking, SFP(+) or RJ-45 uplinks | 48x RJ-45 10/100/1000 ports, 2x SFP+ transceiver slots, one expansion slot for FlexStack module
Power supplies: Internal power supply, internal RPS possible | Internal power supply, external RPS possible | Internal power supply, external RPS possible
Switching throughput: 131.0 Mpps | 131.0 Mpps | 131.0 Mpps
Switching capacity: 176 Gbps | 176 Gbps | 216 Gbps
Stacking capacity: 40 Gb/s | 80 Gb/s | 80 Gb/s
Switching latency: < 4 µs | < 4 µs | < 4 µs
MAC table size: 16000 entries | 16000 entries | 16000 entries
Max. VLANs: 4000 | 256 | 1023 (active)
Routing protocols: Static routing and RIP, IPv4 and IPv6 | Static routing and RIP, IPv4 and IPv6 | Static routing, IPv4 and IPv6
Routing table (unicast, direct routes): 256 entries for IPv4 and 128 entries for IPv6 | 2048 entries for IPv4 and 256 entries for IPv6 | 2000 entries (IPv4) and 2000 entries (IPv6)
Protocols and features: Nearly no difference. All switches support a common set of features and protocols.
Datasheet: Link to ALE | Link to HP | Link to Cisco

As you can see: not many differences. And that proves once again: switches are commodities. And because of this, it’s not a question of hardware, it’s about the ecosystem around it, OPEX and your connection to your favorite VAR.

If it is not the hardware, why should I draw ALE into consideration? ALE offers the vision of the Application Fluent Network…

The Application Fluent Network

To support the requirements in the best possible way, ALE has developed the vision and the products for the Application Fluent Network. The Application Fluent Network is based upon three components:

  • a resilient architecture,
  • streamlined operations, and
  • automatic control

A resilient architecture is often a simplified, lean architecture. In the context of networking, a simplified and lean architecture is often based upon two tiers (core and access layer), and not three (core, distribution, access). Streamlined operations mean automatic provisioning of switches and endpoints, such as WiFi access points, converged management for data and voice, centralized troubleshooting and a common OS for all switches. Automatic control describes how the requirements of users and applications, like VLAN, ACL or QoS settings, are automatically applied by profiles, policies and auto-sensing of users and endpoints.

(Figure: the Application Fluent Network. Source: Alcatel-Lucent Enterprise/ al-enterprise.com)

Needless to say that software defined networking (SDN) is an important part of the Application Fluent Network. Most switch models offer a RESTful API, Python, OpenFlow and OpenStack integration. If you are interested in seeing how ALE OmniSwitches can be integrated with VMware NSX, check this whitepaper: VMware NSX and OmniSwitch 6900 interoperability setup. You can’t manage what you don’t know. To address this, ALE developed the OmniSwitch 6860. At first glance a classic high-density gigabit ethernet switch. But under the hood, ALE added a hardware-based application recognition engine. This engine allows the switch to detect the traffic of more than 2000 applications in real time. This capability can be used to apply policies to business-critical applications like Citrix XenApp/ XenDesktop (ICA protocols) or communications applications using Session Initiation Protocol (SIP). If you want to read more about this, check out this whitepaper: Delivering application analytics for an Application Fluent Network.

Lab setup

The two OS6450 are stacked, so the two physical switches form a virtual chassis/ logical switch. My lab equipment is connected to both switches, e.g. each ESXi host has two 1 GbE links to each OS6450. My Synology DS414slim is connected with a LACP LAG, spanning both switches. The OS6450 is configured with multiple VLANs and it does L3 routing between the VLANs and to my lab firewall.

The setup was really easy. With the correct slot number assignment, the stack is formed automatically. Both switches had a stacking module, so all I had to do was plug in the stacking cable and turn on the switches.

The switches are running AOS 6.6.5 R02. The current release is 6.7.1 R01. Unfortunately there is no public download available. You need access to the business partner portal. Contact your VAR so he can assist you.

I’m a CLI guy. For the configuration, I’ve used the CLI. The CLI is nothing special. The command set differs from Cisco or HP, but the same applies to Juniper Junos or Arista EOS. If you have understood the technology, then the rest is syntax. Get the CLI guide and everything will be fine. Let’s go through the configuration of my stack.

There is no configuration mode. Each command you enter is immediately effective. AOS knows two different operation modes:

  • working, and
  • certified

In working mode you can modify the configuration, but not in certified mode. During the boot process, the working and certified configs are compared, and if they differ, the switch will use the certified config. If you have changed the switch config and messed it up… just reboot the switch. Just a few lines to get a brief overview of the CLI and configuration steps.

First, the switch needs a name, a system contact, date/ time etc.

To add an NTP server, just enter:

To create a VLAN with the ID 2 and the name “Management” enter:

To assign a specific VLAN to a port, use this command:

With this command, the port 13 on the first and second chassis is assigned to VLAN 2. This is similar to an access port (Cisco IOS or HP Comware). If you need 802.1Q VLAN tags, use

to configure a port for the VLANs 2 to 6, 100 and 200. For inter-VLAN routing you need to add IP interfaces to the VLANs. With

you create an interface with the IPv4 address 192.168.200.62 in VLAN 2. If you need an IPv6 address, you need two steps. First, you have to create an IPv6 interface. During this step, an IPv6 link-local address is assigned. In a second step, an IPv6 address is assigned (in this case a unique local address).

To configure Spanning Tree and set the bridge priority to 0, enter:

Bridge mode flat implies a single spanning tree instance, whereas mode 1×1 is similar to Cisco’s PVST. With

you can enable PVST+ interoperability mode. IP helper addresses are also something really fundamental. It’s no problem to configure multiple addresses.

The first command enables per-vlan IP helper addresses. The next commands configure 192.168.200.65 as helper address for VLAN 3 and 4. To save the configuration use

and

The first command saves the running configuration to the working configuration. The next command saves the working configuration to the certified configuration and synchronizes the configuration between the stack members. Sometimes you need to take a look into the logs. With

you get a listing of all alarm messages. But you can also use one of the other log levels:

AOS also has a web interface, called Web View. I haven’t played much with it. It’s not a beauty, but it’s fast and suitable for all non-networking nerds.

(Screenshot: AOS Web View. Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0)

What is coming?

This is only a first look. I really like the OmniSwitches, and I like the approach to score with added value, and not with “feature fucking”. The next step is to get OmniVista 2500 Network Management System up and running in my lab. I will certainly write about it. Stay tuned for more ALE OmniSwitch content on vcloudnine.de.