Release Notes: Version F.05.22 Operating System for the HP ProCurve Series 2300 and 2500 Switches

These release notes include information on the following:
■ Downloading switch software and documentation from the Web (page 1)
■ Enhancements in Release F.05.xx (page 7)
■ Enhancements in Release F.04.08 (page 63)
■ Enhancements in Release F.02.11 (page 139)
■ Enhancements in Release F.02.
© Copyright 2001, 2004 Hewlett-Packard Company, LP. The information contained herein is subject to change without notice. Publication Number 5990-3102 March 2004 Edition 3 Applicable Products Disclaimer The information contained in this document is subject to change without notice. HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Software Management
Downloading Switch Documentation and Software (page 1)
Downloading Software to the Switch (page 2)
TFTP Download from a Server (page 2)
Xmodem Download From a PC or Unix Workstation
Do These Steps Before You Configure 802.1x Operation (page 26)
Overview: Configuring 802.1x Authentication on the Switch (page 27)
Configuring Switch Ports as 802.1x Authenticators (page 28)
1. Enable 802.1x Authentication on Selected Ports (page 29)
3. Configure the 802.1x Authentication Method
General Operating Rules and Notes (page 74)
Configuring the Switch for SSH Operation (page 75)
Further Information on SSH Client Public-Key Authentication (page 86)
Messages Related to SSH Operation
Time Protocol Changes (page 156)
Change in Command Line (CLI) Operation (page 156)
Restoring the Factory-Default Configuration, Including Usernames and Passwords (page 157)
Incomplete IP Multicast (IGMP) Filtering Data (page 157)
GVRP Does Not Require a Common VLAN
CDP (page 185)
Introduction (page 185)
CDP Terminology (page 186)
General CDP Operation
SNTP Messages in the Event Log (page 219)
Operation and Enhancements for Multimedia Traffic Control (IGMP) (page 220)
How Data-Driven IGMP Operates (page 220)
IGMP Operates With or Without IP Addressing (page 221)
Fast-Leave IGMP
Release F.04.01 (Beta Release Only) (page 239)
Release F.04.02 (Beta Release Only) (page 240)
Release F.04.03 (Beta Release Only) (page 240)
Release F.04.04 (Beta Release Only)
Software Management

Caution: Archive Pre-F.05.17 Configuration Files

A configuration file saved while using release F.05.17 or later software is not backward-compatible with earlier software versions. For this reason, HP recommends that you archive the most recent configuration on switches using software releases earlier than F.05.17 before you update any switches to software release F.05.17 or later.
Downloading Software to the Switch

HP periodically provides switch operating system (OS) updates through the HP ProCurve web site (http://www.hp.com/go/hpprocurve). After you acquire the new OS file, you can use one of the following methods for downloading the operating system (OS) code to the switch:
■ For a TFTP transfer from a server, do either of the following:
  • Click on Download OS in the Main Menu of the switch's menu interface and use the (default) TFTP option.
2. When the switch finishes downloading the OS file from the server, it displays this progress message:
Validating and Writing System Software to FLASH . . .
3. After the switch reboots, it displays the CLI or Main Menu, depending on the Logon Default setting last configured in the menu's Switch Setup screen.

Xmodem Download From a PC or Unix Workstation

This procedure assumes that:
■ The switch is connected via the Console RS-232 port to a PC operating as a terminal.
5. If you increased the baud rate on the switch (step 1), use the same command to return it to its previous setting. (HP recommends a baud rate of 9600 bits per second for most applications.) (Remember to return your terminal emulator to the same baud rate as the switch.)

Saving Configurations While Using the CLI

The switch operates with two configuration files:
■ Running-Config File: Exists in volatile memory and controls switch operation.
HP ProCurve Switch Software Key

Software Letter | HP ProCurve Switch
C   | 1600M, 2400M, 2424M, 4000M, and 8000M
E   | Switch 5300xl Series (5304xl, 5308xl, 5348xl, and 5372xl)
F   | Switch 2500 Series (2512 and 2524), Switch 2312, and Switch 2324
G   | Switch 4100GL Series (4104GL, 4108GL, and 4148GL)
H   | Switch 2600 Series (2626, 2650, 2626-PWR, and 2650-PWR) and Switch 6108
I   | Switch 2800 Series (2824 and 2848)
N/A | Switch 9300 Series (9304M, 9308M, and 9315M), Switch 6208M-SX and Switch 63
Enhancements in Release F.05.xx

Enhancement | Summary | Page
Syslog (Syslogd) capability | Adds the ability to direct Event Log messaging to an external file as an aid in debugging network-level problems. Complies with RFC 3164. | 7
Isolated Port Groups | Originally added in release F.04.08 to provide an alternative to VLANs, this feature now offers two new isolation groups: group1 and group2.
Syslog Overview

You can configure the switch to send Event Log messages to up to six Syslog servers. Messages are sent to the User log facility (default) on the configured server(s) or to another log facility that you specify.

Figure 1. Two switches sending Event Log messages to the same facility on a single Syslog server.
Syntax: [no] logging facility < facility-name >
The logging facility specifies the destination subsystem the Syslog server(s) must use. (All Syslog servers configured on the switch must use the same subsystem.) HP recommends the default (user) subsystem unless your application specifically requires another subsystem.
Viewing the Syslog Configuration

Syntax: show debug
This command displays the currently configured Syslog logging destination(s) and logging facility. For examples of show debug output, refer to figure 2 on page 10.

Configuring Syslog Logging
1. If you want to use a Syslog server for recording Event Log messages:
a.
See figure 3 below for an example of adding an additional Syslog server. Continuing the example begun in figure 2, this command adds a second Syslog server.

Figure 3. Adding a second Syslog server (callouts: lists the IP addresses of the Syslog servers configured on the switch; messages must be sent to the same facility on each Syslog server).
Isolated Port Groups (Enhanced)

The Isolated Port Groups feature originally included in release F.04.08 has been enhanced in release F.05.xx with the inclusion of two new port isolation groups (group1 and group2). Isolated port groups provide an alternative to VLANs for isolating end nodes on your network, while simplifying network administration.
Table 1. Communication Allowed Between Port-Isolation Types within a Switch

Columns: Group2 Ports | Local Ports | Public Ports
Yes Yes No No Yes No
Typical switch ports: For intra-switch operation, allows communication among end nodes on public and local ports, and between end nodes on public ports and the uplink port(s).
Uplink Ports: Yes Yes Yes Yes No Yes. Allows communication between uplink ports and end nodes on public and private ports.
■ Multiple VLANs are not allowed on the switch. If multiple VLANs exist on the switch, delete them and return the ports to the original default configuration as untagged members of VLAN 1. (VLAN configuration changes are not supported if port-isolation is running on the switch.)
■ Trunking is supported only on Uplink ports between switches. Remove any other port trunking from the switch.
■ LACP is allowed only on the Uplink ports.
5. Remove port trunks you have configured from ports that you plan to configure in public, local, private, group1, or group2 mode.
6. Disable LACP on all ports that you plan to configure in public, local, private, group1, or group2 mode. To do so, use this command: no interface e < port-list > lacp.
7. Enable port isolation on the switch.
8. Configure the non-default port-isolation mode for each port that you do not want to operate in the Uplink mode.
9.
For example, suppose that the switch is in its default configuration (no multiple VLANs; GVRP disabled; all ports untagged members of the default VLAN, VID = 1) with two optional gigabit transceivers installed, and you wanted to use the switch ports as shown in table 2, "Port Isolation Plan":

Table 2. Port Isolation Plan
Port | Use | Allowed Traffic | Blocked
1-3 | Local ports only for isolated workgroup access.
Port | Mode | Internal Traffic Destinations Allowed by Port Isolation Mode
1-3 | Local | Each other and ports 10-12
4-8 | Group1 | Each other and ports 13 and 14 (uplinks)
9 | Private | Gigabit trunk (ports 13 & 14)
10-12 | Public | Each other, ports 1-3, and the uplink ports.
Remember to disable LACP on ports that will be configured for Public, Group1, Group2, Private, or Local mode. (Refer to "Operating Rules for Port Isolation" on page 13.) When you enter the command to enable port isolation, the switch displays a caution and prompts you to indicate how to proceed. Type [Y] to continue with enabling port isolation; [N] to leave port isolation disabled. See the Caution on page 12.
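The plan in table 2, carried through as one CLI sequence in the order the operating rules require (VLANs and LACP cleaned up before port isolation is enabled, modes assigned only after it is). This is an added example written by the editor, not a figure from the release notes. It assumes a 2512 with gigabit transceivers in ports 13 and 14 and uses trk1 as the trunk name; the per-port form port-isolation [e] < port-list > mode < ... > is the syntax this editor expects for step 8 (confirm it with the CLI's help on your switch; the notes themselves show only port-isolation and no port-isolation). Lines beginning with ";" are annotations in the style of saved ProCurve configuration files, not commands to type.

```text
; Added example: port-isolation plan from table 2 (ports 13-14 = uplink trunk).
configure
; 1. Start from a single-VLAN switch. Any extra VLAN must be deleted so that
;    every port is an untagged member of VLAN 1, and GVRP must be off:
;    VLAN changes are not supported once port isolation is running.
show vlan
no gvrp
; 2. Only the uplink trunk may carry trunking or LACP. Strip LACP from every
;    port that will be Local, Group1, Private or Public before enabling
;    isolation, otherwise the mode commands are refused.
no interface e 1-12 lacp
; 3. Build the gigabit uplink trunk (static trunk, assumed name trk1).
trunk 13-14 trk1 trunk
; 4. Enable port isolation; answer Y at the caution prompt. Every port is now
;    in Uplink mode until told otherwise.
port-isolation
; 5. Assign the non-default modes from table 2. Ports 13-14 stay Uplink.
port-isolation e 1-3 mode local
port-isolation e 4-8 mode group1
port-isolation e 9 mode private
port-isolation e 10-12 mode public
; 6. Save, then read the saved configuration back to confirm each mode.
write memory
show config
```

Note what this buys and what it does not: port 9 (private) can reach only the trunk, so a host there cannot see the workgroup on 1-3 or the public ports, but everything on the trunk side is still one broadcast domain. Isolation is a per-switch, layer-2 control; it does not replace filtering on the device at the other end of trk1.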
Messages Related to Port-Isolation Operation

Message | Meaning
Port Isolation is disabled. It must be enabled first. | In the switch's factory-default state or after you execute no port-isolation, you must enable port isolation (by executing port-isolation alone) before entering commands for changing the mode on one or more ports.

Troubleshooting Port-Isolation Operation

Symptom | Possible Cause
Connectivity problems.
Configuring Port-Based Access Control (802.1x)

Overview

Feature | Default | Menu | CLI | Web
Configuring Switch Ports as 802.1x Authenticators | Disabled | n/a | page 28 | n/a
Configuring 802.1x Open VLAN Mode | Disabled | n/a | page 34 | n/a
Configuring Switch Ports to Operate as 802.1x Supplicants | Disabled | n/a | page 47 | n/a
Displaying 802.1x Configuration, Statistics, and Counters | n/a | n/a | page 51 | n/a
How 802.
■ Temporary on-demand change of a port's VLAN membership status to support a current client's session. (This does not include ports that are members of a trunk.)
■ Session accounting with a RADIUS server, including the accounting update interval.
■ Use of Show commands to display session counters.
■ With port-security enabled for port-access control, limit a port to one 802.1x client session at a given time.
How 802.1x Operates

Authenticator Operation

This operation provides security on a direct, point-to-point link between a single client and the switch, where both devices are 802.1x-aware. (If you expect desirable clients that do not have the necessary 802.1x supplicant software, you can provide a path for downloading such software by using the 802.1x Open VLAN mode; refer to "802.1x Open VLAN Mode" on page 34.
Figure 8. Example of Supplicant Operation (port 1 on switch "A", configured as an 802.1x supplicant, connects to port 5 on switch "B"; switch "B" connects to the LAN core and the RADIUS server).

1. When port 1 on switch "A" is first connected to a port on switch "B", or if the ports are already connected and either switch reboots, port 1 begins sending start packets to port 5 on switch "B".
Terminology

802.1x-Aware: Refers to a device that is running either 802.1x authenticator software or 802.1x client software and is capable of interacting with other devices on the basis of the IEEE 802.1x standard.

Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static VLAN previously configured on the switch by the System Administrator.
Tagged VLAN Membership: This type of VLAN membership allows a port to be a member of multiple VLANs simultaneously. If a client connected to the port has an operating system that supports 802.1Q VLAN tagging, then the client can access VLANs for which the port is a tagged member. If the client does not support VLAN tagging, then it can access only a VLAN for which the port is an untagged member.
■ If a port on switch "A" is configured as both an 802.1x authenticator and supplicant and is connected to a port on another switch, "B", that is not 802.1x-aware, access to switch "B" will occur without 802.1x security protection, but switch "B" will not be allowed access to switch "A". This means that traffic on this link between the two switches will flow from "A" to "B", but not the reverse.
3. Determine whether to use the optional 802.1x Open VLAN mode for clients that are not 802.1x-aware; that is, for clients that are not running 802.1x supplicant software. (This will require you to provide downloadable software that the client can use to enable an authentication session.) For more on this topic, refer to "802.1x Open VLAN Mode" on page 34.
4.
6. Test both the authorized and unauthorized access to your system to ensure that the 802.1x authentication works properly on the ports you have configured for port-access.

Note: If you want to implement the optional port security feature (step 7) on the switch, you should first ensure that the ports you have configured as 802.1x authenticators operate as expected.

7.
1. Enable 802.1x Authentication on Selected Ports

This task configures the individual ports you want to operate as 802.1x authenticators for point-to-point links to 802.1x-aware clients or switches. (Actual 802.1x operation does not commence until you perform step 5 on page 27 to activate 802.1x authentication on the switch.)

Note: When you enable 802.
Syntax: aaa port-access authenticator < port-list > (Syntax Continued)
[quiet-period < 0 - 65535 >] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails (next page). (Default: 60 seconds)
[tx-period < 0 - 65535 >] Sets the period the port waits to retransmit the next EAPOL PDU during an authentication session.
Syntax: aaa port-access authenticator < port-list > (Syntax Continued)
[reauth-period < 0 - 9999999 >] Sets the period of time after which connected clients must be re-authenticated. When the period is set to 0, reauthentication is disabled. (Default: 0 seconds, that is, no periodic reauthentication; a client that authenticated once stays authorized until it logs off or the link drops.)
[unauth-vid < vlan-id >] Configures an existing static VLAN to be the Unauthorized-Client VLAN.
3. Configure the 802.1x Authentication Method

This task specifies how the switch will authenticate the credentials provided by a supplicant connected to a switch port configured as an 802.1x authenticator.

Syntax: aaa authentication port-access < local | eap-radius | chap-radius >
Determines how the switch authenticates supplicants: against its own local password, or through one of two RADIUS methods.
local Use the switch's local username and password for supplicant authentication.
4. Enter the RADIUS Host IP Address(es)

If you selected either eap-radius or chap-radius for the authentication method, configure the switch to use 1 to 3 RADIUS servers for authentication. The following syntax shows the basic commands. For coverage of all commands related to RADIUS server configuration, refer to "Configuring RADIUS Authentication and Accounting" on page 97.
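Steps 1 through 5 as one CLI sequence: ports 1-8 become authenticators, credentials go to RADIUS over EAP, and authenticator operation is then activated switch-wide. This is an added example written by the editor, not a figure from the release notes. The port range, the RADIUS addresses 10.28.227.10 and 10.28.227.11, the shared secret and the timer values are placeholders chosen for the example. Lines beginning with ";" are annotations in the style of saved ProCurve configuration files, not commands to type.

```text
; Added example: 802.1x authenticators on ports 1-8 with EAP-RADIUS.
configure
; 1. Enable authenticator operation on the access ports. Control mode "auto"
;    (the default) blocks a client until it authenticates; never leave an
;    access port on "authorized", which admits the first MAC seen.
aaa port-access authenticator 1-8
aaa port-access authenticator 1-8 control auto
; 2. Re-authenticate every hour (the default of 0 never re-checks a client)
;    and give up on a silent supplicant after 3 EAP requests.
aaa port-access authenticator 1-8 reauth-period 3600
aaa port-access authenticator 1-8 max-requests 3
; 3. Authenticate through RADIUS, so each client has its own credentials.
;    "local" would make every client share the switch password.
aaa authentication port-access eap-radius
; 4. Up to three RADIUS servers; each key must match the secret the server
;    holds for this switch's address. Placeholder values.
radius host 10.28.227.10 key r3placeTh1sS3cret
radius host 10.28.227.11 key r3placeTh1sS3cret
; 5. Nothing above takes effect until authenticator operation is activated.
aaa port-access authenticator active
write memory
; Verify: each port should be listed as an authenticator, unauthorized until
; a client has completed an EAP exchange with the RADIUS server.
show port-access authenticator config 1-8
show port-access authenticator 1-8
```

Test with one known-good and one bad credential before enabling further ports: a port that passes traffic with a bad credential usually means the switch never reached RADIUS (wrong key, or an address the switch cannot route to), not that authentication succeeded.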
802.1x Open VLAN Mode

802.1x Authentication Commands | page 28
802.1x Supplicant Commands | page 48
802.1x Open VLAN Mode Commands: [no] aaa port-access authenticator [e] < port-list > [auth-vid < vlan-id >] [unauth-vid < vlan-id >] | page 43
802.1x-Related Show Commands | page 51
RADIUS server configuration | page 33

This section describes how to use the 802.
■ 3rd Priority: If the port does not have an Authorized-Client VLAN configured, but does have a static, untagged VLAN membership in its configuration, then the switch assigns the port to this VLAN.

If the port is not configured for any of the above, then it must be a tagged member of at least one VLAN. In this case, if the client is capable of operating in a tagged VLAN, then it can access that VLAN.
Table 3. 802.1x Open VLAN Mode Options

802.1x Per-Port Configuration | Port Response
No Open VLAN mode: | The port automatically blocks a client that cannot initiate an authentication session.
Open VLAN mode with both of the following configured: Unauthorized-Client VLAN | • When the port detects a client, it automatically becomes an untagged member of this VLAN.
802.1x Per-Port Configuration | Port Response
Open VLAN Mode with Only an Unauthorized-Client VLAN Configured: | • When the port detects a client, it automatically becomes an untagged member of this VLAN. To limit security risks, the network services and access available on this VLAN should include only what a client needs to enable an authentication session.
Operating Rules for Authorized-Client and Unauthorized-Client VLANs

Condition | Rule
Static VLANs used as Authorized-Client or Unauthorized-Client VLANs | These must be configured on the switch before you configure an 802.1x authenticator port to use them. (Use the vlan < vlan-id > command or the VLAN Menu screen in the Menu interface.
Condition | Rule
Multiple Authenticator Ports Using the Same Unauthorized-Client and Authorized-Client VLANs | You can use the same static VLAN as the Unauthorized-Client VLAN for all 802.1x authenticator ports configured on the switch. Similarly, you can use the same static VLAN as the Authorized-Client VLAN for all 802.1x authenticator ports configured on the switch.
Setting Up and Configuring 802.1x Open VLAN Mode

Preparation. This section assumes use of both the Unauthorized-Client and Authorized-Client VLANs. Refer to Table 3 on page 36 for other options. Before you configure the 802.1x Open VLAN mode on a port:
■ Statically configure an "Unauthorized-Client VLAN" in the switch.
Note that as an alternative, you can configure the switch to use local password authentication instead of RADIUS authentication. However, this is less desirable because it means that all clients use the same password and have the same access privileges. Also, you must use 802.1x supplicant software that supports the use of local switch passwords.
3. If you selected either eap-radius or chap-radius for step 2, use the radius host command to configure up to three RADIUS server IP address(es) on the switch.

Syntax: radius host < ip-address >
Adds a server to the RADIUS configuration.
[key < server-specific key-string >] Optional. Specifies the shared secret (key) used with the specified server. This key must match the key configured for this switch on the RADIUS server.
Configuring 802.1x Open VLAN Mode. Use these commands to actually configure Open VLAN mode. For a listing of the steps needed to prepare the switch for using Open VLAN mode, refer to "Preparation" on page 40.

Syntax: aaa port-access authenticator [e] < port-list >
[auth-vid < vlan-id >] Configures an existing, static VLAN to be the Authorized-Client VLAN.
Inspecting 802.1x Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, refer to "Viewing 802.1x Open VLAN Mode Status" on page 53.

802.1x Open VLAN Operating Notes
■ Although you can configure Open VLAN mode with the same VLAN for both the Unauthorized-Client VLAN and the Authorized-Client VLAN, this is not recommended: an unauthenticated client would then land in the same broadcast domain as authenticated ones.
Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1x Devices

If you are using port-security on authenticator ports, you can configure it to learn only the MAC address of the first 802.1x-aware device detected on the port. Then, only traffic from this specific device is allowed on the port. When this device logs off, another 802.1x-aware device can be authenticated on the port.
Note on Blocking a Non-802.1x Device

If the port's 802.1x authenticator control mode is configured to authorized (as shown below, instead of auto), then the first source MAC address from any device, whether 802.1x-aware or not, becomes the only authorized device on the port.

aaa port-access authenticator < port-list > control authorized

With 802.
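Open VLAN mode with both VLANs, followed by the port-security option from the two preceding passages, as one CLI sequence on authenticator ports that were set up as in "Configuring Switch Ports as 802.1x Authenticators". This is an added example written by the editor, not a figure from the release notes. VLAN IDs 22 and 33 and their names are placeholders; the port-security learn-mode port-access form is the command this editor expects for the "learn only the first 802.1x-aware device" option described above (confirm it with the CLI's help on your switch). Lines beginning with ";" are annotations in the style of saved ProCurve configuration files, not commands to type.

```text
; Added example: Open VLAN mode plus port-security on authenticator ports 1-8.
configure
; 1. Both VLANs must exist as static VLANs before a port can reference them.
;    VLAN 22 = Unauthorized-Client VLAN. Put only what a client needs to start
;    an authentication session here (address assignment, the supplicant
;    software download server); no route to production networks.
vlan 22 name Unauth-Clients
; VLAN 33 = Authorized-Client VLAN, the production VLAN for these users.
vlan 33 name Authorized-Users
; 2. Leave ports 1-8 as untagged members of VLAN 1 only. The switch moves a
;    port into 22 or 33 as a temporary untagged member per client session,
;    and that assignment replaces the port's static untagged membership.
; 3. Attach the two VLANs to the authenticator ports.
aaa port-access authenticator 1-8 unauth-vid 22
aaa port-access authenticator 1-8 auth-vid 33
; 4. Accept only the MAC of the first 802.1x-aware device on each port; a
;    second device plugged into the same port (hub, rogue bridge) is dropped
;    until the authenticated one logs off.
port-security 1-8 learn-mode port-access
write memory
; Verify. A port with a client that has not authenticated should appear as
; a (temporary) untagged member of VLAN 22 and not of VLAN 33; after a
; successful login the reverse.
show port-access authenticator 1-8
show vlan 22
show vlan 33
```

Do not reuse one VLAN for both roles, and do not place any server that an unauthenticated client does not need in VLAN 22: while a client sits in the Unauthorized-Client VLAN it has ordinary layer-2 access to everything else in that VLAN, without having proved anything.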
Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches

802.1x Authentication Commands | page 28
802.1x Supplicant Commands: [no] aaa port-access supplicant [ethernet] < port-list > [auth-timeout | held-period | start-period | max-start | initialize | identity | secret | clear-statistics] | pages 48, 49
802.
• If, after the supplicant port sends the configured number of start request packets, it does not receive a response, it assumes that switch "B" is not 802.1x-aware, and transitions to the authenticated state. If switch "B" is operating properly and is not 802.1x-aware, then the link should begin functioning normally, but without 802.1x security.
Configuring a Supplicant Switch Port. Note that you must enable supplicant operation on a port before you can change the supplicant configuration. This means you must execute the supplicant command once without any other parameters, then execute it again with a supplicant parameter you want to configure.
Syntax: aaa port-access supplicant [ethernet] < port-list > (Syntax Continued)
[auth-timeout < 1 - 300 >] Sets the period of time the port waits to receive a challenge from the authenticator. If the request times out, the port sends another authentication request, up to the number of attempts specified by the max-start parameter. (Default: 30 seconds).
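Port 1 on switch "A" from figure 8 configured as a supplicant, in the order the notes require (enable first, then parameters). This is an added example written by the editor, not a figure from the release notes. The identity switchA-p1 and the timer values are placeholders; the secret is entered at a prompt rather than on the command line, which is how this editor expects the secret keyword to behave (check it on your switch). Lines beginning with ";" are annotations in the style of saved ProCurve configuration files, not commands to type.

```text
; Added example: switch "A" port 1 as an 802.1x supplicant toward switch "B".
configure
; 1. Enable supplicant operation first; any parameter on the same port is
;    rejected until this has been done once.
aaa port-access supplicant 1
; 2. The identity and secret this port presents to the authenticator on
;    switch "B" (and through it to the RADIUS server). Create a matching
;    RADIUS user for the switch; do not reuse a human's account.
aaa port-access supplicant 1 identity switchA-p1
aaa port-access supplicant 1 secret
; 3. Timing. If "B" never answers max-start start packets, port 1 moves to
;    the authenticated state and carries traffic WITHOUT 802.1x protection
;    (see the operating note above), so size max-start * start-period to
;    outlast a rebooting peer rather than to the minimum.
aaa port-access supplicant 1 max-start 5
aaa port-access supplicant 1 start-period 30
; Back-off after a failed attempt, and how long to wait for each challenge.
aaa port-access supplicant 1 held-period 60
aaa port-access supplicant 1 auth-timeout 30
write memory
; Verify; the secret is never displayed.
show port-access supplicant 1
show port-access supplicant 1 statistics
; After changing credentials on either side, restart the exchange.
aaa port-access supplicant 1 initialize
```

Pair this with an authenticator on switch "B" port 5 (previous section); a supplicant facing a non-802.1x port is exactly the one-way unprotected case the operating rules describe, so check the Supplicant State after every link change, not only at setup.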
Displaying 802.1x Configuration, Statistics, and Counters

802.1x Authentication Commands | page 28
802.1x Supplicant Commands | page 47
802.1x Open VLAN Mode Commands | page 34
802.1x-Related Show Commands: show port-access authenticator | below
show port-access supplicant | page 56

Details of 802.
Syntax: show port-access authenticator (Syntax Continued)
config [[e] < port-list >] Shows:
• Whether port-access authenticator is active
• The 802.1x configuration of the ports configured as 802.1x authenticators
If you do not specify < port-list >, the command lists all ports configured as 802.1x port-access authenticators. Does not display data for a specified port that is not enabled as an authenticator.
Viewing 802.1x Open VLAN Mode Status

You can examine the switch's current VLAN status by using the show port-access authenticator and show vlan < vlan-id > commands as illustrated in this section. Figure 11 shows an example of show port-access authenticator output, and table 3 describes the data that this command displays.
Note that because a temporary Open VLAN port assignment to either an authorized or unauthorized VLAN is an untagged VLAN membership, these assignments temporarily replace any other untagged VLAN membership that is statically configured on the port.
Status Indicator | Meaning
Current VLAN ID | < vlan-id >: Lists the VID of the static, untagged VLAN to which the port currently belongs. No PVID: The port is not an untagged member of any VLAN.

Syntax: show vlan < vlan-id >
Displays the port status for the selected VLAN, including an indication of which port memberships have been temporarily overridden by Open VLAN mode.
Show Commands for Port-Access Supplicant

Syntax: show port-access supplicant [[e] < port-list >] [statistics]
show port-access supplicant [[e] < port-list >] Shows the port-access supplicant configuration (excluding the secret parameter) for all ports or < port-list > ports configured on the switch as supplicants. The Supplicant State can include the following:
Connecting - Starting authentication.
How RADIUS/802.1x Authentication Affects VLAN Operation

Static VLAN Requirement. RADIUS authentication for an 802.1x client on a given port can include a (static) VLAN requirement. (Refer to the documentation provided with your RADIUS application.) The static VLAN to which a RADIUS server assigns a client must already exist on the switch. If it does not exist or is a dynamic VLAN (created by GVRP), authentication fails.
■ VLAN 33 becomes unavailable to port 2 for the duration of the session (because there can be only one untagged VLAN on any port).
■ You can see the temporary VLAN assignment by using the show vlan < vlan-id > command with the < vlan-id > of the static VLAN that the authenticated client is using, as shown below:
Even though port 2 is configured as Untagged on (static) VLAN 33 (see figure 13), it does not appear in the VLAN 33 listing while the 802.1x session is using VLAN 22 in the Untagged status. However, after the 802.1x session with VLAN 22 ends, the active configuration returns port 2 to VLAN 33.

Figure 15. The Active Configuration for VLAN 33 Temporarily Drops Port 2 for the 802.1x Session

When the 802.
Notes

Any port VLAN-ID changes you make on 802.1x-aware ports during an 802.1x-authenticated session do not take effect until the session ends.

With GVRP enabled, a temporary, untagged static VLAN assignment created on a port by 802.1x authentication is advertised as an existing VLAN.
Message | Meaning
LACP has been disabled on 802.1x port(s). | To maintain security, LACP is not allowed on ports configured for 802.1x authenticator operation. If you configure port security on a port on which LACP (active or passive) is configured, the switch removes the LACP configuration, displays a notice that LACP is disabled on the port(s), and enables 802.1x on that port.
Error configuring port < port-number >: LACP and 802.
Enhancements in Release F.04.08

Enhancement | Summary | Page
Friendly Port Names | Enables you to assign optional, meaningful names to physical ports on the switch. | 64
SSH Security | Provides remote access to management functions on the switches via encrypted paths between the switch and management station clients capable of SSHv1 operation.
Using Friendly (Optional) Port Names

Feature | Default | Menu | CLI | Web
Configure Friendly Port Names | Standard Port Numbering | n/a | page 65 | n/a
Display Friendly Port Names | n/a | n/a | page 66 | n/a

This feature enables you to assign alphanumeric port names of your choosing to augment automatically assigned numeric port names.
Configuring Friendly Port Names
Syntax: interface [e] < port-list > name < port-name > Assigns a port name to the ports in port-list.
no interface [e] < port-list > name Deletes the port name from the ports in port-list.
Configuring a Single Port Name. Suppose that you have connected port 3 on the switch to Bill Smith's workstation, and want to assign Bill's name and workstation IP address (10.25.101.73) as a port name for port 3: Figure 17.
Displaying Friendly Port Names with Other Port Data You can display friendly port name data in the following combinations: ■ show name: Displays a listing of port numbers with their corresponding friendly port names and also quickly shows you which ports do not have friendly name assignments. (show name data comes from the running-config file.
Figure 20. Example of Friendly Port Name Data for Specific Ports on the Switch (callouts: a port without a "friendly" name; friendly port names assigned in previous examples) Including Friendly Port Names in Per-Port Statistics Listings. A friendly port name configured to a port is automatically included when you display the port's statistics output.
For a given port, if a friendly port name does not exist in the running-config file, the Name line in the above command output appears as: Name : not assigned To Search the Configuration for Ports with Friendly Port Names. This option tells you which friendly port names have been saved to the startup-config file. (The show config command does not include ports that have only default settings in the startup-config file.
Enhancements in Release F.04.08 Configuring Secure Shell (SSH) Note: SSH in the HP ProCurve Series 2500 switches is based on the OpenSSH software toolkit. For more information on OpenSSH, visit http://www.openssh.com. Switch SSH and User Password Authentication. This option is a subset of the client public-key authentication shown in figure 23. It occurs if the switch has SSH enabled but does not have login access (login rsa) configured to authenticate the client's key.
Terminology ■ SSH Server: An HP Series 2500 switch with SSH enabled. ■ Key Pair: A pair of keys generated by the switch or an SSH client application. Each pair includes a public key (that can be read by anyone) and a private key that is held internally in the switch or by a client. ■ PEM (Privacy Enhanced Mail): Refers to an ASCII-formatted (base64-encoded) client public key. The encoding only makes the key safe to handle as plain text; it does not encrypt the key or add any security, and a public key needs none.
keys by default, check the application software for a key conversion utility or use a third-party key conversion utility. Figure 25. Example of Public Key in PEM-Encoded ASCII Format Common for SSHv2 Clients (callouts: beginning of the actual SSHv2 public key in PEM-encoded ASCII format; comment describing the public key identity) Figure 26. (callouts: key size; modulus)
Enhancements in Release F.04.08 Configuring Secure Shell (SSH) The general steps for configuring SSH include: A. Client Preparation 1. Install an SSH client application on a management station you want to use for access to the switch. (Refer to the documentation provided with your SSH client application.) 2. Optional—If you want the switch to authenticate a client public-key on the client: a.
6. Use your SSH client to access the switch using the switch's IP address or DNS name (if allowed by your SSH client application). Refer to the documentation provided with the client application. General Operating Rules and Notes ■ Any SSH client application you use must offer backwards-compatibility to SSHv1 keys and operation. Be aware that SSH protocol version 1 has known cryptographic weaknesses and that current OpenSSH releases no longer support it at all, so a current client may refuse to connect to this switch. Where this software cannot be upgraded, restrict SSH access to the switch to a trusted management network and to a client that still supports protocol 1.
Configuring the Switch for SSH Operation
SSH-Related Commands in This Section
show ip ssh (page 82)
show ip client-public-key [< babble | fingerprint >] (page 89)
show ip host-public-key [< babble | fingerprint >] (page 79)
show authentication (page 85)
crypto key < generate | zeroize > [rsa] (page 77)
ip ssh (page 81)
key-size < 512 | 768 | 1024 > (page 81)
port < 1 - 65535 > (page 81)
timeout < 5 ..
1. Assigning a Local Login (Operator) and Enable (Manager) Password At a minimum, HP recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch's configuration. To Configure Local Passwords. You can configure both the Operator and Manager password with one command.
To Generate or Erase the Switch's Public/Private RSA Host Key Pair. Because the host key pair is stored in flash instead of the running-config file, it is not necessary to use write memory to save the key pair. Erasing the key pair automatically disables SSH. Note also that generating a new key pair changes the switch's host key fingerprint: every client that stored the old key in its "known host" file will warn of a changed key on its next connection, so redistribute the new fingerprint to administrators over a trusted channel (for example, read it from the serial console) before they accept the new key. Syntax: crypto key generate [rsa] Generates a public/private key pair for the switch. If a switch key pair already exists, replaces it with a new key pair. (See the Note, above.
3. Providing the Switch's Public Key to Clients When an SSH client contacts the switch for the first time, the client will challenge the connection unless you have already copied the key into the client's "known host" file. Copying the switch's key in this way reduces the chance that an unauthorized device can pose as the switch to learn your access passwords.
3. Ensure that there are no line breaks in the text string. (A public key must be an unbroken ASCII string. Line breaks are not allowed.) For example, if you are using Windows® Notepad, ensure that Word Wrap (in the Edit menu) is disabled, and that the key text appears on a single line. Figure 30. Example of a Correctly Formatted Public Key (Unbroken ASCII String) 4. Add any data required by your SSH client application.
Figure 32. Examples of Visual Phonetic and Hexadecimal Conversions of the Switch's Public Key (callouts: phonetic "hash" of the switch's public key; hexadecimal "hash" of the same switch public key) Note The two commands shown in figure 32 convert the displayed format of the switch's (host) public key for easier visual comparison of the switch's public key to a copy of the key in a client's "known host" file. For the comparison to mean anything, read the switch's fingerprint over a channel you already trust, such as the serial console, rather than over the same network connection whose authenticity you are trying to establish.
SSH Client Contact Behavior. At the first contact between the switch and an SSH client, if you have not copied the switch's public key into the client's "known host" file, your client's first connection to the switch will question the connection and, for security reasons, give you the option of accepting or refusing.
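The comparison the two notes above describe, as an added worked example (this is illustrative code, not HP's or OpenSSH's): it builds a constructed ssh-rsa public key, derives the hexadecimal and "bubble babble" (phonetic) fingerprints that you would compare with the switch's show ip host-public-key output, and checks whether a client's "known host" file already holds the same key. Two assumptions that the page does not state: the hexadecimal fingerprint is the MD5 digest of the raw key blob written as colon-separated bytes (the classic OpenSSH form), and the phonetic form is the Bubble Babble encoding of that same digest. The key, host name and known_hosts text are constructed; the modulus is a toy value, not a real key.

```python
"""Added example: SSH host-key fingerprints and known_hosts comparison."""
import base64
import hashlib
import struct

VOWELS = "aeiouy"
CONSONANTS = "bcdfghklmnprstvzx"


def bubblebabble(data: bytes) -> str:
    """Bubble Babble encoding (Antti Huima's draft) of an arbitrary byte string."""
    seed = 1
    rounds = len(data) // 2 + 1
    out = ["x"]
    for i in range(rounds):
        if i + 1 < rounds or len(data) % 2 != 0:
            b1 = data[2 * i]
            out.append(VOWELS[(((b1 >> 6) & 3) + seed) % 6])
            out.append(CONSONANTS[(b1 >> 2) & 15])
            out.append(VOWELS[((b1 & 3) + (seed // 6)) % 6])
            if i + 1 < rounds:
                b2 = data[2 * i + 1]
                out.append(CONSONANTS[(b2 >> 4) & 15])
                out.append("-")
                out.append(CONSONANTS[b2 & 15])
                seed = (seed * 5 + b1 * 7 + b2) % 36
        else:  # final partial round: encode only the running seed
            out.append(VOWELS[seed % 6])
            out.append(CONSONANTS[16])
            out.append(VOWELS[seed // 6])
    out.append("x")
    return "".join(out)


def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint' for a positive integer (a leading 0x00 keeps the sign bit clear)."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_rsa_blob(e: int, n: int) -> bytes:
    """Wire-format ssh-rsa public key: string "ssh-rsa", mpint e, mpint n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def parse_key_line(line: str) -> bytes:
    """'ssh-rsa AAAA... comment' -> raw blob; rejects a blob whose type field disagrees."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("key line needs at least a type and a base64 blob")
    blob = base64.b64decode(fields[1], validate=True)
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != fields[0].encode("ascii"):
        raise ValueError("key type prefix does not match the encoded blob")
    return blob


def fingerprints(key_line: str) -> tuple:
    """(hex fingerprint, bubble-babble fingerprint) of the MD5 digest of the key blob."""
    digest = hashlib.md5(parse_key_line(key_line)).digest()
    return ":".join("%02x" % b for b in digest), bubblebabble(digest)


def matches_known_host(known_hosts: str, host: str, key_line: str) -> bool:
    """True if known_hosts has an entry for host whose key blob equals key_line's blob."""
    wanted = parse_key_line(key_line)
    for entry in known_hosts.splitlines():
        fields = entry.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        if host in fields[0].split(","):
            try:
                if parse_key_line(" ".join(fields[1:])) == wanted:
                    return True
            except ValueError:
                continue  # malformed entry for this host; keep looking
    return False


# Constructed sample data (toy moduli, NOT real keys; host address is made up).
SWITCH_KEY = "ssh-rsa " + base64.b64encode(
    make_rsa_blob(65537, (0xC0FFEE0DDBA11 << 800) | 1)).decode("ascii") + " switch-2524"
OTHER_KEY = "ssh-rsa " + base64.b64encode(
    make_rsa_blob(65537, (0xDEADBEEF << 800) | 3)).decode("ascii") + " some-other-box"
KNOWN_HOSTS = "10.31.22.101 " + SWITCH_KEY + "\n"

if __name__ == "__main__":
    hexfp, babble = fingerprints(SWITCH_KEY)
    print("hex   :", hexfp)
    print("babble:", babble)
    print("known :", matches_known_host(KNOWN_HOSTS, "10.31.22.101", SWITCH_KEY))
```

Run it once with the fingerprint the switch prints on the console in hand: if the hex or babble string it prints for the key in your known_hosts differs from the console value, the client is trusting the wrong key.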
Note on Key Size The ip ssh key-size command affects only a per-session, internal server key the switch creates, uses, and discards. This key is not accessible from the user interface. The switch's public (host) key is a separate, accessible key that is always 896 bits. Note on Port Number HP recommends using the default IP port number (22). However, you can use ip ssh port to specify any TCP port for SSH connections except those reserved for other purposes. Moving SSH to another port is not a security control in itself; a port scan will still find the service, so rely on passwords, client public keys, and network access restrictions rather than on the port number.
5. Configuring the Switch for SSH Authentication Note that all methods in this section result in authentication of the switch's public key by an SSH client. However, only Option B, below, results in the switch also authenticating the client's public key. Also, for a more detailed discussion of the topics in this section, refer to "Further Information on SSH Client Public-Key Authentication" on page 86.
Enhancements in Release F.04.08 Configuring Secure Shell (SSH) (For more on these topics, refer to “Further Information on SSH Client Public-Key Authentication” on page 86.) With steps 1 - 3, above, completed and SSH properly configured on the switch, if an SSH client contacts the switch, login authentication automatically occurs first, using the switch and client public-keys.
Figure 34. (callouts: configures the Manager username and password; copies a public key file named "Client-Keys.pub" into the switch; configures the switch to allow SSH access only to a client whose public key matches one of the keys in the public key file downloaded to the switch; configures the primary and secondary password methods for Manager (enable) access, which become available after SSH access is granted to a client.)
Enhancements in Release F.04.08 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication The section titled “5. Configuring the Switch for SSH Authentication” on page 83 lists the steps for configuring SSH authentication on the switch. However, if you are new to SSH or need more details on client public-key authentication, this section may be helpful.
b. Uses MD5 to create a hash version of this information. c. Returns the hash version to the switch. 7. The switch computes its own hash version of the data in step 6 and compares it to the client's hash version. If they match, then the client is authenticated. Otherwise, the client is denied access. Using client public-key authentication requires these steps: 1.
1. Use your SSH client application to create a public/private key pair. Refer to the documentation provided with your SSH client application for details. The Series 2500 switches support the following client-public-key properties:
Property / Supported Value / Comments
Key Format / ASCII / See figure 30 on page 79. The key must be one unbroken, non-encoded ASCII string.
Note on Public Keys The actual content of a public key entry in a public key file is determined by the SSH client application generating the key. (Although you can manually add or edit any comments the client application adds to the end of the key, such as the smith@fellow at the end of the key in figure 36, above.) The file on the TFTP server must contain non-encoded ASCII text of each public key you want copied.
Replacing or Clearing the Public Key File. The client public-key file remains in the switch's flash memory even if you erase the startup-config file, reset the switch, or reboot the switch. ■ You can replace the existing client public-key file by copying a new client public-key file into the switch. ■ You can remove the existing client public-key file by executing the clear public-key command.
Messages Related to SSH Operation
Message: 00000K Peer unreachable.
Meaning: Indicates an error in communicating with the tftp server or not finding the file to download. Causes include such factors as: • Incorrect IP configuration on the switch • Incorrect IP address in the command • Case (upper/lower) error in the filename used in the command • Incorrect configuration on the TFTP server • The file is not in the expected location.
Message: Generating new RSA host key. If the cache is depleted, this could take up to two minutes.
Meaning: After you execute the crypto key generate [rsa] command, the switch displays this message while it is generating the key.
Message: Host RSA key file corrupt or not found. Use 'crypto key generate rsa' to create new host key.
Meaning: The switch's key is missing or corrupt. Use the crypto key generate [rsa] command to generate a new key for the switch.
Symptom: An attempt to copy a client public-key file into the switch has failed and the switch lists one of the following messages:
Possible Cause: The public key file you are trying to download has one of the following problems: • A key in the file is too long. The maximum key length is 1024 characters, including spaces. This could also mean that two or more keys are merged together instead of being separated by a .
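A pre-flight check for the client public-key file, as an added example that is not part of the original release notes: it applies the rules stated in step 3 (no line breaks inside a key), in the key-properties table (one unbroken, non-encoded ASCII string per key), in the Note on Public Keys, and in the troubleshooting table above (no key longer than 1024 characters including spaces; keys not run together) before the file is put on the TFTP server. The accepted key type names, the sample keys (toy moduli) and the damaged variants of the file are assumptions constructed for the example.

```python
"""Added example: validate a client public-key file before copying it to the switch."""
import base64
import struct

MAX_KEY_CHARS = 1024                      # limit stated in the troubleshooting table
KEY_TYPES = ("ssh-rsa", "ssh-dss")        # assumption: key types a client of this era emits
EXPECTED_STRINGS = {"ssh-rsa": 3, "ssh-dss": 5}   # wire strings in one blob: type, e, n / type, p, q, g, y


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _toy_blob(ktype: str, *ints) -> bytes:
    """Build a wire-format key blob from small integers (for constructed samples only)."""
    body = b"".join(_ssh_string(i.to_bytes((i.bit_length() + 8) // 8, "big")) for i in ints)
    return _ssh_string(ktype.encode("ascii")) + body


def _count_strings(blob: bytes):
    """Number of length-prefixed strings in blob, or None if the lengths do not add up."""
    pos, count = 0, 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            return None
        (ln,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4 + ln
        if pos > len(blob):
            return None
        count += 1
    return count


def check_key_file(text: str) -> list:
    """Return (line number, problem) tuples; an empty list means the file looks acceptable."""
    problems = []
    try:
        text.encode("ascii")
    except UnicodeEncodeError:
        return [(0, "file contains non-ASCII bytes; it was encoded or saved by a word processor")]
    if "\r" in text:
        problems.append((0, "file uses CR line endings; save as plain text with LF line endings"))
    for num, line in enumerate(text.replace("\r", "").split("\n"), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        if len(line) > MAX_KEY_CHARS:
            problems.append((num, "key longer than %d characters; line may hold two merged keys" % MAX_KEY_CHARS))
            continue
        fields = line.split()
        if len(fields) < 2:
            problems.append((num, "line is not '<type> <base64> [comment]'; a wrapped key?"))
            continue
        if any(kt in f for f in fields[2:] for kt in KEY_TYPES):
            problems.append((num, "a second key starts on the same line; separate keys with a newline"))
            continue
        ktype, blob64 = fields[0], fields[1]
        if ktype not in KEY_TYPES:
            problems.append((num, "unknown key type %r (continuation of a wrapped key?)" % ktype))
            continue
        try:
            blob = base64.b64decode(blob64, validate=True)
        except ValueError:
            problems.append((num, "key data is not valid base64; key is truncated or wrapped"))
            continue
        if blob[4:4 + len(ktype)] != ktype.encode("ascii") or _count_strings(blob) != EXPECTED_STRINGS[ktype]:
            problems.append((num, "blob is not a single well-formed %s key" % ktype))
    return problems


# Constructed samples: one good key with a comment, then three ways the file goes wrong.
GOOD_KEY = "ssh-rsa " + base64.b64encode(
    _toy_blob("ssh-rsa", 65537, (0xABCDEF << 512) | 1)).decode("ascii") + " smith@fellow"
GOOD_FILE = GOOD_KEY + "\n"
_half = len(GOOD_KEY) // 2
WRAPPED_FILE = GOOD_KEY[:_half] + "\n" + GOOD_KEY[_half:] + "\n"   # Notepad word-wrap damage
MERGED_FILE = GOOD_KEY + GOOD_KEY + "\n"                          # two keys with no newline between
LONG_FILE = "ssh-rsa " + "A" * 1100 + "\n"                          # exceeds the 1024-character limit

if __name__ == "__main__":
    for name, data in (("good", GOOD_FILE), ("wrapped", WRAPPED_FILE),
                       ("merged", MERGED_FILE), ("long", LONG_FILE)):
        print(name, check_key_file(data) or "OK")
```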
Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Note The Series 2500 switches do not support RADIUS security for SNMP (network management) access or web browser interface access. For steps to block unauthorized access through the web browser interface, see “Controlling Web Browser Interface Access When Using RADIUS Authentication” on page 105. Accounting. RADIUS accounting on the Series 2500 switches collects resource consumption data and forwards it to the RADIUS server.
Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Switch Operating Rules for RADIUS ■ You must have at least one RADIUS server accessible to the switch. ■ The switch supports authentication and accounting using up to three RADIUS servers. The switch accesses the servers in the order in which they are listed by the show radius command ( page 112). If the first server does not respond, the switch tries the next one, and so-on.
• If you need to replace the default UDP destination port (1812) the switch uses for authentication requests to a specific RADIUS server, select it before beginning the configuration process. • If you need to replace the default UDP destination port (1813) the switch uses for accounting requests to a specific RADIUS server, select it before beginning the configuration process.
Outline of the Steps for Configuring RADIUS Authentication There are three main steps to configuring RADIUS authentication: 1. Configure RADIUS authentication for controlling access through one or more of the following: • Serial port • Telnet • SSH • Port-Access (802.
zero and then trying to log on again. As an alternative, you can reboot the switch, (thus resetting the dead-time counter to assume the server is available) and then try to log on again. • Number of Login Attempts: This is actually an aaa authentication command. It controls how many times in one session a RADIUS client (as well as clients using other forms of access) can try to enter the correct username and password before the session is terminated.
Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting For example, suppose you have already configured local passwords on the switch, but want to use RADIUS to protect primary Telnet and SSH access without allowing a secondary Telnet or SSH access option (which would be the switch’s local passwords): The switch now allows Telnet and SSH authentication only through RADIUS. Figure 39.
Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting 2. Configure the Switch To Access a RADIUS Server This section describes how to configure the switch to interact with a RADIUS server for both authentication and accounting services. (If you want to configure RADIUS accounting on the switch, go to “Configuring RADIUS Accounting” on page 105 instead of continuing here.
For example, suppose you have configured the switch as shown in figure 40 and you now need to make the following changes: 1. Change the encryption key (the RADIUS shared secret) for the server at 10.33.18.127 to "source0127". 2. Add a RADIUS server with an IP address of 10.33.18.119 and a server-specific encryption key of "source0119". Figure 40.
Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting 3. Configure the Switch’s Global RADIUS Parameters You can configure the switch for the following global RADIUS parameters: ■ Number of login attempts: In a given session, specifies how many tries at entering the correct username and password pair are allowed before access is denied and the session terminated. (This is a general aaa authentication parameter and is not specific to RADIUS.
Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting radius-server retransmit < 1 .. 5 > If a RADIUS server fails to respond to an authentication request, specifies how many retries to attempt before closing the session. (Default: 3; Range: 1 - 5) Note Where the switch has multiple RADIUS servers configured to support authentication requests, if the first server fails to respond, then the switch tries the next server in the list, and so-on.
After two attempts failing due to username or password entry errors, the switch will terminate the session. Figure 43. (callouts: global RADIUS parameters from figure 42; server-specific encryption key for the RADIUS server that will not use the global encryption key; these two servers will use the global encryption key.)
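What the "encryption key" (global or server-specific) actually does on the wire, as an added example that is not HP's code: it is the RADIUS shared secret of RFC 2865. In an Access-Request it hides the User-Password attribute by XOR with an MD5-derived keystream, and on the reply it lets the client verify the Response Authenticator, which is the only thing that proves the Access-Accept came from a server holding the same secret. Nothing else in the packet is encrypted, which is why the secret must be per-server where servers differ (figure 43) and why RADIUS traffic belongs on a management network. The secret, user name, password, NAS address and packet identifier below are constructed.

```python
"""Added example: RADIUS Access-Request password hiding and Response Authenticator check (RFC 2865)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
AUTH_PORT, ACCT_PORT = 1812, 1813          # defaults the switch uses (auth-port / acct-port)


def new_authenticator() -> bytes:
    """Request Authenticator: 16 unpredictable bytes, fresh for every request."""
    return os.urandom(16)


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple; block i is XORed with MD5(secret + previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Server side: reverse the chain (trailing NUL padding is stripped)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; length counts the two header bytes."""
    return struct.pack("BB", attr_type, 2 + len(value)) + value


def build_access_request(secret: bytes, ident: int, authenticator: bytes,
                         username: bytes, password: bytes, nas_ip: str) -> bytes:
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, hide_password(secret, authenticator, password))
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(secret: bytes, code: int, request: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """Client side: accept a reply only if its authenticator matches our request under our secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def packet_length(packet: bytes) -> int:
    return struct.unpack("!H", packet[2:4])[0]


if __name__ == "__main__":
    # Constructed values: secret from the figure-40 example, made-up user and NAS address.
    secret, ra = b"source0127", new_authenticator()
    req = build_access_request(secret, 7, ra, b"admin", b"Manager!pw", "10.33.18.1")
    print("request bytes:", len(req), "declared length:", packet_length(req))
    resp = build_response(secret, ACCESS_ACCEPT, req)
    print("accept verifies with right secret:", verify_response(secret, req, resp))
    print("accept verifies with wrong secret:", verify_response(b"source0119", req, resp))
```

A reply that fails verify_response must be dropped, not treated as a reject: an attacker on the path can forge an Access-Accept only if the secret is weak enough to guess offline from a captured request and reply, which is the practical reason to use long, server-specific secrets.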
Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting For local authentication, the switch uses the Operator-level and Manager-level username/password set(s) previously configured locally on the switch. (These are the usernames and passwords you can configure using the CLI password command, the web browser interface, or the menu interface— which enables only local password configuration).
Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting RADIUS Accounting Commands [no] aaa accounting update periodic < 1 ..
Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting ■ System accounting: Provides records containing the information listed below when system events occur on the switch, including system reset, system boot, and enabling or disabling of system accounting.
Outline of the Steps for Configuring RADIUS Accounting 1. Configure the switch for accessing a RADIUS server. You can configure a list of up to three RADIUS servers (one primary, two backup). The switch operates on the assumption that a server can operate in both accounting and authentication mode. (Refer to the documentation for your RADIUS server application.)
Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting 1. Configure the Switch To Access a RADIUS Server Before you configure the actual accounting parameters, you should first configure the switch to use a RADIUS server. This is the same as the process described on page 100.
Because the radius-server command includes an acct-port element with a non-default value of 1750, the switch uses this value as the UDP port for accounting requests to that server. Because auth-port was not included in the command, the authentication UDP port is set to the default 1812. Figure 44.
Determine how you want the switch to send accounting data to a RADIUS server:
■ Start-Stop: • Send a start record accounting notice at the beginning of the accounting session and a stop record notice at the end of the session. Both notices include the latest data the switch has collected for the requested accounting type (Network, Exec, or System). • Do not wait for an acknowledgement.
■ Updates: In addition to using a Start-Stop or Stop-Only trigger, you can optionally configure the switch to send periodic accounting record updates to a RADIUS server. ■ Suppress: The switch can suppress accounting for an unknown user having no username. Syntax: [no] aaa accounting update periodic < 1 .. 525600 > Sets the accounting update period for all accounting sessions on the switch.
Figure 47. Example of General RADIUS Information from Show Radius Command Figure 48.
Term / Definition
Round Trip Time: The time interval between the most recent Accounting-Response and the Accounting-Request that matched it from this RADIUS accounting server.
PendingRequests: The number of RADIUS Accounting-Request packets sent to this server that have not yet timed out or received a response.
RADIUS Authentication Syntax:
show authentication Displays the primary and secondary authentication methods configured for the Console, Telnet, Port-Access (802.1x), and SSH methods of accessing the switch. Also displays the number of access attempts currently allowed in a session.
show radius authentication Displays NAS identifier and data on the configured RADIUS server and the switch's interactions with this server.
RADIUS Accounting Syntax:
show accounting Lists configured accounting interval, "Empty User" suppression status, accounting types, methods, and modes.
show radius accounting Lists accounting statistics for the RADIUS server(s) configured in the switch (using the radius-server host command).
show accounting sessions Lists the accounting sessions currently active on the switch. Figure 51.
Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Changing RADIUS-Server Access Order The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command. Also, when you add a new server IP address, it is placed in the highest empty position in the list. Adding or deleting a RADIUS server IP address leaves an empty position, but does not change the position of any other server addresses in the list.
Figure 55. Example of New RADIUS Server Search Order (callouts: removes the "003" and "001" addresses from the RADIUS server list; inserts the "003" address in the first position in the RADIUS server list, and inserts the "001" address in the last position in the list; shows the new order in which the switch searches for a RADIUS server.) Messages Related to RADIUS Operation
Message: Can't reach RADIUS server < x.x.x.x >.
Troubleshooting RADIUS Operation
Symptom: The switch does not receive a response to RADIUS authentication requests. In this case, the switch will attempt to
Possible Cause: There can be several reasons for not receiving a response to an authentication request.
Enhancements in Release F.04.08 IP Preserve: Retaining VLAN-1 IP Addressing Across Configuration File Downloads IP Preserve enables you to copy a configuration file to multiple Series 2500 switches while retaining the individual IP address and subnet mask on VLAN 1 in each switch, and the Gateway IP address assigned to the switch.
For example, consider Figure 57 (a DHCP server, a TFTP server holding config.txt, and a management station; switches 1 through 3 have VLAN 1 addresses 10.31.22.101, 10.31.22.102 and 10.31.22.103, all manually configured, while switch 4 obtains its VLAN 1 address from DHCP): Switches 1 through 3 copy and implement the config.
If you apply this configuration file to figure 57, switches 1 - 3 will still retain their manually assigned IP addressing. However, switch 4 will be configured with the IP addressing included in the file. Because switch 4 (figure 57) received its most recent IP addressing from a DHCP/Bootp server, the switch ignores the ip preserve command and implements the IP addressing included in this file.
Enhancements in Release F.04.08 Configuring Port-Based Priority for Incoming Packets
Feature: Assigning a priority level to traffic on the basis of incoming port / Default: Disabled / Menu: n/a / CLI: page 125 / Web: n/a
When network congestion occurs, it is important to move traffic on the basis of relative importance.
Enhancements in Release F.04.08 Configuring Port-Based Priority for Incoming Packets Outbound Port Queues and Packet Priority Settings Series 2500 switch ports use two outbound port queues, Normal and High. As described below, these two queues map to the eight priority settings specified in the 802.1p standard. Table 8. Mapping Priority Settings to Device Queues 802.
Enhancements in Release F.04.08 Configuring Port-Based Priority for Incoming Packets Operating Rules for Port-Based Priority on Series 2500 Switches ■ In the switch’s default configuration, port-based priority is configured as "0" (zero) for inbound traffic on all ports. ■ On a given port, when port-based priority is configured as "0" (zero) or 1 - 7, an inbound, untagged packet adopts the specified priority and is sent to the corresponding outbound queue on the outbound port.
For example, suppose you wanted to configure ports 9 - 12 on the switch to prioritize all untagged, inbound VLAN traffic as "Low" (priority level = 1; refer to table 8 on page 124). (Figure callouts: configures port-based priority on ports 9 - 12 to "1" (Low) and saves the configuration changes to the startup-config file; ports 9 - 12 are now configured to assign a priority level of "1" (Low) to untagged, incoming traffic.)
Enhancements in Release F.04.08 Using the "Kill" Command To Terminate Remote Sessions Using the kill command, you can terminate remote management sessions. (Kill does not terminate a Console session on the serial port, either through a direct connection or via a modem.
Enhancements in Release F.04.08 Configuring Rapid Reconfiguration Spanning Tree (RSTP) This section is related to the information on "Spanning Tree Protocol" in your Series 2500 Switches Management and Configuration Guide (5969-2354), but it primarily describes the new information associated with the new Spanning Tree standard, IEEE 802.1w (RSTP), which is supported by the F.04.08 release of your switch software.
Enhancements in Release F.04.08 Configuring Rapid Reconfiguration Spanning Tree (RSTP) The IEEE 802.1d version of Spanning Tree (STP) can take a fairly long time to resolve all the possible paths and to select the most efficient path through the network. The IEEE 802.1w Rapid Reconfiguration Spanning Tree (RSTP) significantly reduces the amount of time it takes to establish the network path. The result is reduced network downtime and improved network robustness.
Enhancements in Release F.04.08 Configuring Rapid Reconfiguration Spanning Tree (RSTP) Configuring RSTP The default switch configuration has Spanning Tree disabled with RSTP as the selected protocol. That is, when Spanning Tree is enabled, RSTP is the version of Spanning Tree that is enabled, by default.
Enhancements in Release F.04.08 Configuring Rapid Reconfiguration Spanning Tree (RSTP) Figure 62. Example of the Spanning Tree Configuration Display Enabling or Disabling RSTP. Issuing the command to enable Spanning Tree on the switch implements, by default, the RSTP version of Spanning Tree for all physical ports on the switch. Disabling Spanning Tree removes protection against redundant network paths.
Reconfiguring Whole-Switch Spanning Tree Values. You can configure one or more of the following parameters, which affect the Spanning Tree operation of the whole switch:
Table 9. Whole-Switch RSTP Parameters
Parameter / Default / Description
protocol-version / RSTP / Identifies which of the Spanning Tree protocols will be used when Spanning Tree is enabled on the switch.
Enhancements in Release F.04.08 Configuring Rapid Reconfiguration Spanning Tree (RSTP) Note Executing the spanning-tree command alone enables Spanning Tree. Executing the command with one or more of the whole-switch RSTP parameters shown in the table on the previous page, or with any of the per-port RSTP parameters shown in the table on page 135, does not enable Spanning Tree. It only configures the Spanning Tree parameters, regardless of whether Spanning Tree is actually running (enabled) on the switch.
Reconfiguring Per-Port Spanning Tree Values. You can configure one or more of the following parameters, which affect the Spanning Tree operation of the specified ports only:
Table 10. Per-Port RSTP Parameters
Parameter / Default / Description
edge-port / Yes / Identifies ports that are connected to end nodes. During Spanning Tree establishment, these ports transition immediately to the Forwarding state. Because an edge port forwards before the topology is resolved, set edge-port to No on any port that connects to another switch.
Syntax (with abbreviations):
spanning-tree [ethernet] < port-list > path-cost < 1 - 200000000 > (span path < 1 - 200000000 >)
spanning-tree [ethernet] < port-list > point-to-point-mac (forc)
spanning-tree [ethernet] < port-list > priority < 0 - 15 > (pri < 0 - 15 >)
[no] spanning-tree [ethernet] < port-list > edge-port ([no] span edge)
[no] spanning-tree [ethernet] < port-list > mcheck ([no] span mch)
Defaults: see the table on the previous page.
Enhancements in Release F.04.08 Configuring Rapid Reconfiguration Spanning Tree (RSTP) Menu: Configuring RSTP 1. From the console CLI prompt, enter the menu command. HP ProCurve Switch # menu 2. From the switch console Main Menu, select 2. Switch Configuration ... 4. Spanning Tree Operation 3. Press [E] (for Edit) to highlight the Protocol Version parameter field. 4. Press the Space bar to select the version of Spanning Tree you wish to run: RSTP or STP.
Enhancements in Release F.04.08 Configuring Rapid Reconfiguration Spanning Tree (RSTP) 7. Press the [Tab] key or use the arrow keys to go to the next parameter you want to change, then type in the new value or press the Space bar to select a value. (To get help on this screen, press [Enter] to select the Actions –> line, then press [H], for Help, to display the online help.) 8. Repeat step 6 for each additional parameter you want to change.
Enhancements in Release F.02.11
Enhancement / Summary / Page
Fast-Uplink Spanning Tree Protocol (STP): Adds the fast-uplink spanning tree (STP) mode to spanning-tree operation. In an 802.1D STP environment with redundant links, an active link failure typically results in a convergence time of 30 seconds for a backup link to become the active, forwarding link. Fast-uplink STP reduces this time to approximately ten seconds. (page: below)
To use fast-uplink STP on a Series 2500 switch, configure fast-uplink (Mode = Uplink) only on the switch's upstream ports; (that is, two or more ports forming a group of redundant links in the direction of the STP root switch). If the active link in this group goes down, fast-uplink STP selects a different upstream port as the root port and resumes moving traffic in as little as ten seconds.
Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) When single-instance spanning tree (STP) is running in a network and a forwarding port goes down, a blocked port typically requires a period of (2 x (forward delay) + link down detection) to transition to forwarding. In a normal spanning tree environment, this transition is usually 30 seconds (with the Forward Delay parameter set to its default of 15 seconds).
Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) Operating Rules for Fast Uplink ■ A switch with ports configured for fast uplink must be an edge switch and not either an interior switch or the STP root switch. Configure fast-uplink on only the edge switch ports used for providing redundant STP uplink connections in a network. (Configuring Fast-Uplink STP on ports in interior switches can create network performance problems.
Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) Menu: Viewing and Configuring Fast-Uplink STP You can use the menu to quickly display the entire STP configuration and to make any STP configuration changes. To View and/or Configure Fast-Uplink STP. This procedure uses the Spanning Tree Operation screen to enable STP and to set the Mode for fast-uplink STP operation. 1. From the Main Menu select: 2. Switch Configuration . . . 4. Spanning Tree Operation 2.
Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) 3. If the Protocol Version is set to RSTP (as shown in figure 67), do the following: a. Press [E] (Edit) to move the cursor to the Protocol Version field. b. Press the Space bar once to change the Protocol Version field to STP. c. Press [Enter] to return to the command line. d. Press [S] (for Save) to save the change and exit from the Spanning Tree Operation screen.
Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) In this example, ports 2 and 3 have already been configured as a port trunk (Trk1), which appears at the end of the port listing. All ports (and the trunk) are in their default STP configuration. Note: Ports 10-14 do not appear in this simulation. In the actual menu screen, you must scroll the cursor down the port list to view the trunk configuration. Figure 69. The Spanning Tree Operation Screen 4.
Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) STP is enabled. Port 1 and Trk1 are now configured for fast-uplink STP. Figure 70. Example of STP Enabled with Two Redundant Links Configured for Fast-Uplink STP 5. 146 Press [S] (for Save) to save the configuration changes to flash (non-volatile) memory.
Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) To View Fast-Uplink STP Status. Continuing from figures 69 and 70 in the preceding procedure, this task uses the same screen that you would use to view STP status for other operating modes. 1. From the Main Menu, select: 1. Status and Counters . . . 7. Spanning Tree Information Indicates which uplink is the active path to the STP root device. Note: A switch using fast-uplink STP must never be the STP root device. Figure 71.
Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) In figure 72: • Port 1 and Trk1 (trunk 1; formed from ports 2 and 3) are redundant fast-uplink STP links, with trunk 1 forwarding (the active link) and port 1 blocking (the backup link). (To view the configuration for port 1 and Trk1, see figure 70 on page 146.) • If the link provided by trunk 1 fails (on both ports), then port 1 begins forwarding in fastuplink STP mode.
Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) Indicates that Trk1 (Trunk 1) provides the currently active path to the STP root device. Redundant STP link in the Blocking state. Links to PC or Workstation End Nodes Redundant STP link in the Forwarding state. (See the "Root Port field, above. This is the currently active path to the STP root device.) Figure 74.
Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) STP Enabled on the Switch Fast-Uplink STP Configured on Port 1 and Trunk 1 (Trk1) Figure 75. Example of a Configuration Supporting the STP Topology Shown in Figure 73 Using the CLI To Configure Fast-Uplink STP. This example uses the CLI to configure the switch for the fast-uplink operation shown in figures 73, 74, and 75.
Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) Syntax: spanning-tree e mode uplink Enables STP on the switch and configures fast-uplink STP on the designated interfaces (port or trunk). HP2512(config)# spanning-tree e 1,trk1 mode uplink Operating Notes Effect of Reboots on Fast-Uplink STP Operation. When configured, fast-uplink STP operates on the designated ports in a running Series 2500 switch.
Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) Fast-Uplink Troubleshooting Some of the problems that can result from incorrect useage of Fast-Uplink STP include temporary loops and generation of duplicate packets. Problem sources can include: ■ Fast-Uplink is configured on a switch that is the STP root device. ■ Either the Hello Time or the Max Age setting (or both) is too long on one or more switches.
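The operating rules and the problem sources listed above can be checked before a change is pushed to the switches. The following Python is an added example, not code from the release notes or from HP: it models the rules as the notes state them (uplink mode only on edge-switch upstream groups of two or more ports, never on the STP root or an interior switch, and Hello Time or Max Age too long as a problem source) together with the 2 x forward delay + link-down detection estimate from the overview. The switch descriptions are constructed, and the "too long" threshold (anything above the 802.1D defaults of 2 s Hello Time and 20 s Max Age) and the 802.1D timer-relationship check are assumptions of the example, not figures the notes give.

```python
"""Fast-uplink STP placement checks and the 802.1D reconvergence estimate.

Added example (not from the HP release notes). Switch descriptions are
constructed sample data; the Hello Time / Max Age "too long" threshold and the
802.1D timer relationship are assumptions of this example.
"""
from dataclasses import dataclass, field

DEFAULT_FORWARD_DELAY = 15   # seconds, 802.1D default cited in the notes
DEFAULT_HELLO_TIME = 2       # seconds, 802.1D default (assumed threshold)
DEFAULT_MAX_AGE = 20         # seconds, 802.1D default (assumed threshold)


@dataclass
class StpSwitch:
    name: str
    role: str                                          # "edge", "interior" or "root"
    uplink_ports: list = field(default_factory=list)   # ports/trunks with Mode = Uplink
    hello_time: int = DEFAULT_HELLO_TIME
    max_age: int = DEFAULT_MAX_AGE
    forward_delay: int = DEFAULT_FORWARD_DELAY


def stp_reconvergence_seconds(forward_delay=DEFAULT_FORWARD_DELAY, link_down_detection=0):
    """Standard STP: a blocked port needs 2 x forward delay (+ link-down detection)
    to reach forwarding; 30 s with the default forward delay of 15 s."""
    return 2 * forward_delay + link_down_detection


def check_fast_uplink(sw):
    """Return the list of fast-uplink problems for one switch (empty means clean)."""
    problems = []
    if not sw.uplink_ports:
        return problems                                  # feature not in use on this switch
    if sw.role == "root":
        problems.append(f"{sw.name}: fast-uplink configured on the STP root device")
    elif sw.role == "interior":
        problems.append(f"{sw.name}: fast-uplink configured on an interior switch")
    if len(sw.uplink_ports) < 2:
        problems.append(f"{sw.name}: uplink group needs two or more redundant ports")
    if sw.hello_time > DEFAULT_HELLO_TIME:
        problems.append(f"{sw.name}: Hello Time {sw.hello_time}s is above the 802.1D default")
    if sw.max_age > DEFAULT_MAX_AGE:
        problems.append(f"{sw.name}: Max Age {sw.max_age}s is above the 802.1D default")
    # 802.1D timer relationship: 2*(forward_delay-1) >= max_age >= 2*(hello_time+1)
    if not (2 * (sw.forward_delay - 1) >= sw.max_age >= 2 * (sw.hello_time + 1)):
        problems.append(f"{sw.name}: STP timers violate the 802.1D relationship")
    return problems


def audit_topology(switches):
    """Run the checks over every switch and return all findings."""
    findings = []
    for sw in switches:
        findings.extend(check_fast_uplink(sw))
    return findings


if __name__ == "__main__":
    # Constructed topology: one clean edge switch, one root switch misconfigured with uplink mode
    edge = StpSwitch("edge-2512", "edge", uplink_ports=["1", "trk1"])
    core = StpSwitch("core-4000M", "root", uplink_ports=["A1", "A2"])
    print("standard STP reconvergence:", stp_reconvergence_seconds(), "s")
    for finding in audit_topology([edge, core]):
        print("PROBLEM:", finding)
```

Run it against an inventory of your switches before enabling uplink mode; a non-empty list from audit_topology() is the set of conditions the troubleshooting section ties to loops and duplicate packets.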
The Show Tech Command for Listing Switch Configuration and Operating Details

The show tech command provides a tool for gathering information to help with troubleshooting.

1. In Hyperterminal, click on Transfer | Capture Text...

Figure 77. The Capture Text Window of the Hyperterminal Application Used with Microsoft Windows Software

2. In the File field, enter the path and file name under which you want to store the show tech output.

Figure 78. Example of a Path and Filename for Creating a Text File from show tech Output

3.
Updates and Corrections for the Management and Configuration Guide

This section lists updates to the Management and Configuration Guide (p/n 5969-2354; August 2000).

Changes in Commands for Viewing the Current Configuration Files . . . page 155
Change in CLI Command for Listing Intrusion Alerts . . . page 156
Changes for Listing Port and Trunk Group Statistics . . .

• Running configuration has been changed and needs to be saved. This message indicates that the two configurations are different.

Change in CLI Command for Listing Intrusion Alerts

With port security configured, the switch formerly used show interfaces to display a port status listing that includes intrusion alerts (as described on page 7-28 in the manual).

This change affects the following commands:

Interface Commands: broadcast-limit, disable, enable, flow-control, lacp, monitor, speed-duplex, unknown-vlans
VLAN Commands: forbid, tagged, untagged

Restoring the Factory-Default Configuration, Including Usernames and Passwords

Page 11-20 in the Management and Configuration guide incorrectly implies that the erase startup-config command clears passwords.

GVRP Does Not Require a Common VLAN

Delete the note at the top of page 9-78 in the Management and Configuration Guide. GVRP does not require a common VLAN (VID) connecting all of the GVRP-aware devices in the network to carry GVRP packets.

Note: Duplicate MAC addresses are likely to occur in VLAN environments where XNS and DECnet are used. For this reason, using VLANs in XNS and DECnet environments is not currently supported.

On page 11-10 of the Management and Configuration Guide, under "Duplicate MAC Addresses Across VLANs", the text suggests that duplicate MAC addresses on separate VLANs can cause VLAN operating problems.

Also on page 9-54, add the following item to the bulleted list:
■ When TimeP is enabled and configured for DHCP operation, the switch learns of TimeP servers from DHCP and Bootp packets received on the primary VLAN.

Misleading Statement About VLANs

On page 9-56 in the Management and Configuration Guide, the last sentence in item 1 implies that by default the switch is configured for eight VLANs.
Enhancements in Release F.02.02

Documentation for Enhancements in Release F.02.02

Software release F.02.02 contains these enhancements:

Enhancement | Summary | Page
TACACS+ | TACACS+ authentication enables you to use a central server to allow or deny access to Series 2500 switches (and other TACACS-aware devices) in your network. |
TACACS+ Authentication for Centralized Control of Switch Access Security

With authentication configured on the switch and TACACS+ configured and operating on a server in your network, an attempt to log on through Telnet or the switch's serial port will be passed to the TACACS+ server for verification before permission is granted.

Terminology Used in TACACS Applications:
■ NAS (Network Access Server): This is an industry term for a TACACS-aware device that communicates with a TACACS server for authentication services. Some other terms you may see in literature describing TACACS operation are communication server, remote access server, or terminal server.

General System Requirements

To use TACACS+ authentication, you need the following:
■ Release F.02.02 or later software running on your Series 2500 switch. Ensure that software release F.02.02 or later is running on your switch. Use any of the following methods to view the current software version:
  CLI: HP2512> show version
  Menu Interface: From the Main Menu, click on 1. Status and Counters . . . 1.

TACACS+ Operation

TACACS+ in Series 2500 switches manages authentication of logon attempts through either the Console port or Telnet. For both Console and Telnet you can configure a login (read-only) and an enable (read/write) privilege level access.

2. Ensure that the switch is configured to operate on your network and can communicate with your first-choice TACACS+ server. (At a minimum, this requires IP addressing and a successful ping test from the switch to the server.)
3. Determine the following:
   ■ The IP address(es) of the TACACS+ server(s) you want the switch to use for authentication.
4.

Caution: You should ensure that the switch has a local Manager password. Otherwise, if authentication through a TACACS+ server fails for any reason, then unauthorized access will be available through the console port or Telnet.

6. Using a terminal device connected to the switch's console port, configure the switch for TACACS+ authentication only for telnet login access and telnet enable access.

Configuring TACACS+ on the Switch

The switch offers three command areas for TACACS+ operation:
■ show authentication and show tacacs: Displays the switch's TACACS+ configuration and status.

Viewing the Switch's Current Authentication Configuration

This command lists the number of login attempts the switch allows in a single login session, and the primary/secondary access methods configured for each type of access.

Syntax: show authentication

This example shows the default authentication configuration.

Configuring the Switch's Authentication Methods

The aaa authentication command configures the access control for console port and Telnet access to the switch.

Table 13. Primary/Secondary Authentication Table

Access Method and Privilege Level | Primary | Secondary | Effect on Access Attempts
Console — Login; Console — Enable; Telnet — Login; Telnet — Enable | local | none* | Local username/password access only.
(same access methods) | tacacs | local | If TACACS+ server unavailable, uses local username/password access.

For example, here is a set of access options and the corresponding commands to configure them:

Console Login (Operator, or Read-Only) Access: Primary using TACACS+ server. Secondary using Local.
HP2512(config)# aaa authentication console login tacacs local
(Figure callouts: Console Login (Operator, or Read-Only Access); Primary; Secondary)

Console Enable (Manager, or Read/Write) Access: Primary using TACACS+ server.
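The primary/secondary rule in Table 13 and the caution about a missing local Manager password are easy to misread, so here is a model of the decision as an added example (Python, not the switch's own logic). It follows the table as stated: a server that answers with a denial is final, and only an unreachable server triggers the secondary method. Two points are assumptions of the example rather than statements from the notes: a secondary of none is treated as deny when the server is unreachable, and the server records and credentials are constructed sample data.

```python
"""Primary/secondary authentication fallback as described in Table 13.

Added example, not the switch's implementation. Constructed servers and
credentials. Assumption: a secondary method of "none" denies access when the
primary TACACS+ server is unreachable.
"""
from enum import Enum


class ServerResult(Enum):
    ACCEPT = "accept"
    REJECT = "reject"            # server answered and denied: final, no fallback
    UNAVAILABLE = "unavailable"  # no configured server answered: use the secondary method


def tacacs_authenticate(servers, username, password):
    """Ask the servers in first-choice order; the first one that answers decides."""
    for srv in servers:                      # list is in priority order
        if not srv["reachable"]:
            continue
        if srv["users"].get(username) == password:
            return ServerResult.ACCEPT
        return ServerResult.REJECT           # unknown user or wrong password
    return ServerResult.UNAVAILABLE


def local_authenticate(local_password, password):
    """Local method: with no local Manager password set there is nothing to check,
    which is the exposure the caution in the notes warns about."""
    if local_password is None:
        return True
    return password == local_password


def authenticate(config, servers, username, password):
    """config keys: primary ("tacacs"|"local"), secondary ("local"|"none"), local_password (str|None)."""
    if config["primary"] == "local":
        return local_authenticate(config["local_password"], password)
    result = tacacs_authenticate(servers, username, password)
    if result is ServerResult.ACCEPT:
        return True
    if result is ServerResult.REJECT:
        return False
    if config["secondary"] == "local":       # server unavailable: fall back, per Table 13
        return local_authenticate(config["local_password"], password)
    return False                             # secondary "none": assumed to deny


def audit_config(config):
    """Flag the setup the caution warns about: TACACS+ with local fallback and no local password."""
    warnings = []
    if config["primary"] == "tacacs" and config["secondary"] == "local" and config["local_password"] is None:
        warnings.append("a TACACS+ outage would grant access without any password: set a local Manager password")
    if config["primary"] == "local" and config["local_password"] is None:
        warnings.append("local authentication with no local password grants access to anyone")
    return warnings


if __name__ == "__main__":
    # Constructed data: two servers in first-choice order, the first one down
    servers = [{"reachable": False, "users": {}},
               {"reachable": True, "users": {"manager": "constructed-pw"}}]
    cfg = {"primary": "tacacs", "secondary": "local", "local_password": None}
    print("warnings:", audit_config(cfg))
    print("manager/constructed-pw:", authenticate(cfg, servers, "manager", "constructed-pw"))
    print("manager/wrong (server reject is final):", authenticate(cfg, servers, "manager", "wrong"))
```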
Configuring the Switch's TACACS+ Server Access

The tacacs-server command configures these parameters:
■ The host IP address(es) for up to three TACACS+ servers; one first-choice and up to two backups. Designating backup servers provides for a continuation of authentication services in case the switch is unable to contact the first-choice server.
■ An optional encryption key.

Name | Default | Range
host < ip-addr > [key < key-string >] | none | n/a
Specifies the IP address of a device running a TACACS+ server application. Optionally, can also specify the unique, per-server encryption key to use when each assigned server has its own, unique key.

Adding, Removing, or Changing the Priority of a TACACS+ Server. Suppose that the switch was already configured to use TACACS+ servers at 10.28.227.10 and 10.28.227.15. In this case, 10.28.227.15 was entered first, and so is listed as the first-choice server:

(Figure callout: First-Choice TACACS+ Server)

Figure 82.

To configure westside as a global encryption key:
HP2512(config)# tacacs-server key westside

To configure westside as a per-server encryption key:
HP2512(config)# tacacs-server host 10.28.227.63 key westside

An encryption key can contain up to 100 characters, without spaces, and is likely to be case-sensitive in most TACACS+ server applications.

How Authentication Operates

General Authentication Process Using a TACACS+ Server

Authentication through a TACACS+ server operates generally as described below. For specific operating details, refer to the documentation you received with your TACACS+ server application.

• If the username/password pair received from the requesting terminal matches a username/password pair previously stored in the server, then the server passes access permission through the switch to the terminal.
• If the username/password pair entered at the requesting terminal does not match a username/password pair previously stored in the server, access is denied.

Using the Encryption Key

General Operation

When used, the encryption key (sometimes termed "key", "secret key", or "secret") helps to prevent unauthorized intruders on the network from reading username and password information in TACACS+ packets moving between the switch and a TACACS+ server.

For example, you would use the next command to configure a global encryption key in the switch to match a key entered as north40campus in two target TACACS+ servers. (That is, both servers use the same key for your switch.
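What the key does on the wire is worth seeing, because the default of no key leaves the username and password readable in transit. The following is an added example, not the switch's code: it implements the packet-body obfuscation defined in RFC 8907 section 4.5, where the body is XORed with an MD5 pseudo-pad derived from the session id, the shared key, the protocol version and the sequence number. The session id, key and the authentication START body are constructed sample values. With no key the body passes through unchanged (the protocol's unencrypted flag), and a key that differs between switch and server turns the body into noise, which is one way every user ends up locked out as described later under Troubleshooting TACACS+ Operation.

```python
"""TACACS+ packet-body obfuscation with the shared key (RFC 8907, section 4.5).

Added example, not the switch's implementation; session id, key and body
contents are constructed sample values.
"""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
VERSION = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT   # 0xC0
TAC_PLUS_UNENCRYPTED_FLAG = 0x01                                    # header flag set when no key is used


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(same fields, MD5_n-1).
    The pad is the concatenation, truncated to the body length."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version=VERSION, seq_no=1):
    """XOR the body with the pseudo-pad. With an empty key the body is sent as-is.
    XOR is its own inverse, so the same call recovers the body on the other side."""
    if not key:
        return body
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def header_flags(key):
    """The sender announces an unobfuscated body in the header flags."""
    return 0 if key else TAC_PLUS_UNENCRYPTED_FLAG


def build_authen_start(user, port, rem_addr, action=1, priv_lvl=1, authen_type=1, service=1):
    """Authentication START body for an ASCII login: eight fixed bytes, then user, port, rem_addr, data."""
    user_b, port_b, rem_b, data_b = user.encode(), port.encode(), rem_addr.encode(), b""
    return (bytes([action, priv_lvl, authen_type, service,
                   len(user_b), len(port_b), len(rem_b), len(data_b)])
            + user_b + port_b + rem_b + data_b)


if __name__ == "__main__":
    # Constructed values: session id and key as they would be shared by switch and server
    session_id, key = 0x1A2B3C4D, b"westside"
    body = build_authen_start("manager", "console", "10.28.227.63")
    wire = obfuscate(body, session_id, key)
    print("username visible with no key:", b"manager" in obfuscate(body, session_id, b""))
    print("username visible with key:   ", b"manager" in wire)
    print("server with matching key recovers body:", obfuscate(wire, session_id, key) == body)
    print("server with other key recovers body:   ", obfuscate(wire, session_id, b"north40campus") == body)
```

Because the construction is keyed only by the shared secret and per-packet fields, it is obfuscation rather than authenticated encryption; the operational lesson from the notes stands: always configure a key, and configure the same key on every server the switch is pointed at.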
Messages

The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application. For information on such messages, refer to the documentation you received with the application.

Table 14.

Troubleshooting TACACS+ Operation

All Users Are Locked Out of Access to the Switch. If the switch is functioning properly, but no username/password pairs result in console or Telnet access to the switch, the problem may be due to how the TACACS+ server and/or the switch are configured.

■ The time quota for the account has been exhausted.
■ The time credit for the account has expired.
■ The access attempt is outside of the timeframe allowed for the account.
■ The allowed number of concurrent logins for the account has been exceeded.

For more help, refer to the documentation provided with your TACACS+ server application.

Unknown Users Allowed to Login to the Switch.
CDP

This section describes CDP operation in the Series 2500 switches. For information on how to use an SNMP utility to retrieve the CDP information from the switch's CDP Neighbors table (in the switch's MIB), refer to the documentation provided with the particular SNMP utility. For information on the object identifiers in the CDP MIB, see "CDP Neighbor Data and MIB Objects" on page 196.

Outgoing Packets

A Series 2500 switch running CDP periodically transmits a one-hop CDP packet out each of its ports. This packet contains data describing the switch and, if the one-hop destination is another device running CDP, the receiving device stores the sending device's data in a CDP Neighbors table. The receiving device also transmits a similar one-hop CDP packet out each of its ports to make itself known to other CDP devices to which it is connected.

have expired. (The hold time for any data entry in the switch's CDP Neighbors table is configured in the device transmitting the CDP packet, and cannot be controlled in the switch receiving the packet.) The Series 2500 switches purge expired CDP neighbor entries every three seconds. Non-CDP devices such as some hubs and other devices that do not have CDP capability are transparent to CDP operation.

Using the example in figure 87: The CDP Neighbor table for switches "A" and "B" would appear similar to these:

Switch A:
Switch B:

(Note that no CDP devices appear on port 5, which is connected to a device on which CDP is present, but disabled.)

Figure 88.

Figure 87 (page 188) illustrates how multiple CDP neighbors can appear on a single port. In this case, switch "A" has three CDP neighbors on port 1 because the intervening devices are not CDP-capable and simply forward CDP neighbors data out all ports (except the port on which the data was received).

(Figure callouts: CDP Enable/Disable on the Switch; Packet Hold Time in CDP Neighbor Table; Interval for Transmitting Outbound CDP Packets on All Ports; Per-Port CDP Enable/Disable)

Figure 89. Example of a CDP Configuration Listing

Viewing the Current Contents of the Switch's CDP Neighbors Table

This command lists the neighboring CDP devices the switch has detected. Devices are listed by the port on which they were detected.

Figure 91 illustrates a topology of CDP-enabled devices for the CDP Neighbors table listing in figure 90.

(Figure 91 labels, in extracted order: HP Switch 2512; HP Switch 2512 (0030c1-7fcc40); HP Switch 4000M; Non-CDP-Capable Hub; HP Switch 4000M (0060b0-889e43); (0060b0-761a45); Management Workstation; Management Workstation; 099a05-09df9b; 099a05-09df11; HP Switch 2524 (0030c5-38dc59))

Figure 91.

Configuring CDP Operation

Enabling or Disabling CDP Operation on the Switch.

Enabling or Disabling CDP Operation on Individual Ports. In the factory-default configuration, the switch has all ports enabled and transmitting CDP packets. Disabling CDP on a port prevents that port from sending outbound CDP packets and causes it to drop inbound CDP packets without recording their data in the CDP Neighbors table.

Changing the Hold Time (CDP Packet Time-To-Live) for a Switch's CDP Packet Information. The default hold time for the switch's CDP packet information in the CDP Neighbors table of another CDP device is 180 seconds (range: 5 - 254). This parameter is controlled in the transmitting switch, and applies to all outbound CDP packets the switch transmits.

Syntax: cdp holdtime < 5 . .

3. If 1 and 2 do not apply, then the switch determines which VLANs on the neighbor's port have IP addresses and uses the IP address of the VLAN with the lowest VID (VLAN Identification number) in this group.
4. If a CDP switch does not detect an IP address on the connecting port of a CDP neighbor, then the loopback IP address is used (127.0.0.1).

Table 16. CDP Neighbors Data

CDP Neighbor Data | Displayed in Neighbors Table | In MIB | Notes
Address Type | No | Yes | Always "1" (IP address only).
CDP Cache Address | No | Yes | IP address of source device.
Software Version | Yes | Yes | ASCII string.
Device Name (ASCII string) | Yes | Yes | In HP ProCurve switches, this is the value configured for the System Name parameter.
Device MAC Address | Yes | Yes | Included in the Device Name entry.
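To make the neighbor-table behaviour described above concrete (hold time set by the sender, expired entries purged every three seconds, several neighbors on one port behind a non-CDP device, and the data items in Table 16), here is an added example in Python, not HP's firmware: a parser for the public CDP frame layout (version, TTL, checksum, then type/length/value entries) feeding a table keyed by port and device name. The packets are constructed; the checksum is the plain Internet ones'-complement checksum, and the rule that new neighbors are ignored once the table holds 60 entries is an assumption of the example (the notes give only the limit).

```python
"""CDP packet parser and a neighbor table with hold-time expiry.

Added example, not HP's implementation. Packets built by build_cdp() are
constructed sample data; the full-table behaviour is an assumption.
"""
import struct

TLV_DEVICE_ID, TLV_ADDRESSES, TLV_PORT_ID = 0x0001, 0x0002, 0x0003
TLV_CAPABILITIES, TLV_SOFTWARE_VERSION, TLV_PLATFORM = 0x0004, 0x0005, 0x0006
PURGE_INTERVAL = 3      # seconds between purges of expired entries, from the notes
MAX_NEIGHBORS = 60      # neighbor-table capacity, from the notes


def internet_checksum(data):
    """16-bit ones'-complement sum; odd-length data is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tlv(kind, value):
    """TLV header: type (2 bytes), length including the 4-byte header (2 bytes)."""
    return struct.pack("!HH", kind, 4 + len(value)) + value


def build_cdp(device_id, port_id, ipv4_addrs, hold_time=180, version=1, software="F.02.02"):
    """Construct a CDP payload: version, TTL (hold time), checksum, TLVs."""
    addr_blob = struct.pack("!I", len(ipv4_addrs))
    for a in ipv4_addrs:
        # protocol type 1 (NLPID), protocol length 1, protocol 0xCC (IP), address length 4, address
        addr_blob += bytes([1, 1, 0xCC]) + struct.pack("!H", 4) + bytes(int(o) for o in a.split("."))
    body = (tlv(TLV_DEVICE_ID, device_id.encode()) + tlv(TLV_ADDRESSES, addr_blob)
            + tlv(TLV_PORT_ID, port_id.encode()) + tlv(TLV_SOFTWARE_VERSION, software.encode()))
    csum = internet_checksum(bytes([version, hold_time]) + b"\x00\x00" + body)
    return bytes([version, hold_time]) + struct.pack("!H", csum) + body


def parse_cdp(payload):
    """Return the fields Table 16 lists; raise ValueError on a malformed packet."""
    if len(payload) < 4:
        raise ValueError("short CDP packet")
    if internet_checksum(payload) != 0:
        raise ValueError("bad CDP checksum")
    info = {"version": payload[0], "hold_time": payload[1], "addresses": []}
    pos = 4
    while pos + 4 <= len(payload):
        kind, length = struct.unpack("!HH", payload[pos:pos + 4])
        if length < 4 or pos + length > len(payload):
            raise ValueError("bad TLV length")
        value = payload[pos + 4:pos + length]
        if kind == TLV_DEVICE_ID:
            info["device_id"] = value.decode()
        elif kind == TLV_PORT_ID:
            info["port_id"] = value.decode()
        elif kind == TLV_SOFTWARE_VERSION:
            info["software"] = value.decode()
        elif kind == TLV_ADDRESSES:
            count, p = struct.unpack("!I", value[:4])[0], 4
            for _ in range(count):
                ptype, plen = value[p], value[p + 1]
                proto = value[p + 2:p + 2 + plen]
                alen = struct.unpack("!H", value[p + 2 + plen:p + 4 + plen])[0]
                addr = value[p + 4 + plen:p + 4 + plen + alen]
                if ptype == 1 and proto == b"\xcc" and alen == 4:   # Address Type "1": IP only
                    info["addresses"].append(".".join(str(b) for b in addr))
                p += 4 + plen + alen
        pos += length
    return info


def cdp_is_valid(payload):
    try:
        parse_cdp(payload)
        return True
    except ValueError:
        return False


class CdpNeighborTable:
    """Neighbors keyed by (port, device_id); the sender's hold time sets the expiry."""

    def __init__(self):
        self.entries = {}

    def learn(self, port, payload, now):
        info = parse_cdp(payload)
        key = (port, info["device_id"])
        if key not in self.entries and len(self.entries) >= MAX_NEIGHBORS:
            return None                          # assumed: table full, new neighbor not recorded
        info["expires_at"] = now + info["hold_time"]
        self.entries[key] = info
        return info

    def purge(self, now):
        """Called every PURGE_INTERVAL seconds; returns the number of entries dropped."""
        expired = [k for k, e in self.entries.items() if e["expires_at"] <= now]
        for k in expired:
            del self.entries[k]
        return len(expired)

    def neighbors_on(self, port):
        return [e["device_id"] for (p, _), e in self.entries.items() if p == port]
```

Two neighbors learned on the same port is the figure 87 case: a non-CDP hub in between forwards both devices' packets to the switch, and each keeps its own entry until its own hold time runs out.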
CDP Operating Notes

Neighbor Maximum. The Series 2500 switches support up to 60 neighbors in the CDP Neighbors table. Even though the switches offer only 12 or 24 ports, multiple CDP devices can be neighbors on the same port if they are connected to the switch through a non-CDP device.

CDP Version Data. The Series 2500 switches use CDP-V1, but do not include IP prefix information, which is a router function, not a switch application.

Port Trunking with CDP.

The Same CDP Switch or Router Appears on More Than One Port in the CDP Neighbors Table. Where CDP is running, a switch or router that is the STP root transmits outbound CDP packets over all links, including redundant links that STP may be blocking in non-root devices. In this case, the non-root device shows an entry in its CDP Neighbors table for every port on which it receives a CDP packet from the root device.
New Time Synchronization Protocol Options

Using time synchronization ensures a uniform time among interoperating devices. This helps you to manage and troubleshoot switch operation by attaching meaningful time data to event and error messages. Formerly, TimeP was the only time protocol available for time synchronization in Series 2500 switches. Beginning with software release F.02.

SNTP Time Synchronization

SNTP provides two operating modes:
■ Broadcast Mode: The switch acquires time updates by accepting the time value from the first SNTP time broadcast detected. (In this case, the SNTP server must be configured to broadcast time updates to the network broadcast address. Refer to the documentation provided with your SNTP server application.

The switch retains the parameter settings for both time protocols even if you change from one protocol to the other. Thus, if you select a time protocol the switch uses the parameters you last configured for the selected protocol. Note that simply selecting a time synchronization protocol does not enable that protocol on the switch unless you also enable the protocol itself (step 2, above).

Table 17. SNTP Parameters

SNTP Parameter | Operation
Time Sync Method | Used to select either SNTP, TIMEP, or None as the time synchronization method.
SNTP Mode: Disabled | The Default. SNTP does not operate, even if specified by the Menu interface Time Sync Method parameter or the CLI timesync command.
SNTP Mode: Unicast | Directs the switch to poll a specific server for SNTP time synchronization. Requires at least one server address.

(Figure callout: Time Protocol Selection Parameter: TIMEP, SNTP, or None)

Figure 96. The System Information Screen (Default Values)

2. Press [E] (for Edit). The cursor moves to the System Name field.
3. Use [v] to move the cursor to the Time Sync Method field.
4. Use the Space bar to select SNTP, then press [v] once to display and move to the SNTP Mode field.
5.

Note: This step replaces any previously configured server IP address. If you will be using backup SNTP servers (requires use of the CLI), then see "SNTP Unicast Time Polling with Multiple SNTP Servers" on page 217.

iii. Press [v] to move the cursor to the Server Version field. Enter the value that matches the SNTP server version running on the device you specified in the preceding step (step ii).

Viewing the Current SNTP Configuration

This command lists both the time synchronization method (TimeP, SNTP, or None) and the SNTP configuration, even if SNTP is not the selected time protocol.

Syntax: show sntp

For example, if you configured the switch with SNTP as the time synchronization method, then enabled SNTP in broadcast mode with the default poll interval, show sntp lists the following:

Figure 97.

Enabling SNTP in Broadcast Mode. Because the switch provides an SNTP polling interval (default: 720 seconds), you need only these two commands for minimal SNTP broadcast configuration:

Syntax:
timesync sntp: Selects SNTP as the time synchronization method.
sntp broadcast: Configures Broadcast as the SNTP mode.

Syntax:
timesync sntp: Selects SNTP as the time synchronization method.
sntp unicast: Configures the SNTP mode for Unicast operation.
sntp server < ip-addr > [version]: Specifies the SNTP server. The default server version is 3.
no sntp server < ip-addr >: Deletes the specified SNTP server.

Note: Deleting an SNTP server when only one is configured disables SNTP unicast operation.
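The unicast and broadcast modes above differ in how the reply arrives and in the mode value the packet carries, so the client side is worth seeing once. The following is an added example, not the switch's code: it builds the 48-byte SNTP request (RFC 4330 layout) with the configured server version (default 3, as in the syntax above), parses a reply, and applies the checks a client should make before accepting a time update: the mode must be server (4) for a unicast reply or broadcast (5) in broadcast mode, stratum 0 means the server is refusing or not synchronised, a leap indicator of 3 is an alarm state, and a zero transmit timestamp is unusable. The reply bytes are constructed by make_reply(); the poll-interval bounds (30 to 720 seconds) are the ones the notes state.

```python
"""SNTP client request/reply handling (RFC 4330 packet layout).

Added example, not the switch's code. Reply packets are constructed with
make_reply(); version 3 is the default the release notes give for sntp server.
"""
import struct

NTP_UNIX_OFFSET = 2208988800                    # seconds from 1900-01-01 to 1970-01-01
MODE_CLIENT, MODE_SERVER, MODE_BROADCAST = 3, 4, 5
POLL_MIN, POLL_MAX, POLL_DEFAULT = 30, 720, 720  # seconds, as stated in the notes


def build_request(version=3):
    """48-byte client request: LI=0, VN=version, mode=client, everything else zero."""
    if version not in (1, 2, 3, 4):
        raise ValueError("SNTP version must be 1-4")
    return bytes([(version << 3) | MODE_CLIENT]) + b"\x00" * 47


def ntp_to_unix(ts64):
    """64-bit NTP timestamp (32-bit seconds since 1900, 32-bit fraction) to Unix seconds."""
    seconds, fraction = ts64 >> 32, ts64 & 0xFFFFFFFF
    return seconds - NTP_UNIX_OFFSET + fraction / 2 ** 32


def parse_reply(data, expect_mode=MODE_SERVER):
    """Validate a reply before trusting it: unicast replies carry mode 4, broadcasts mode 5;
    stratum 0 means the server is refusing or unsynchronised; LI=3 is an alarm state."""
    if len(data) < 48:
        raise ValueError("short SNTP packet")
    li, vn, mode = data[0] >> 6, (data[0] >> 3) & 7, data[0] & 7
    stratum = data[1]
    if mode != expect_mode:
        raise ValueError(f"unexpected mode {mode}, wanted {expect_mode}")
    if stratum == 0:
        raise ValueError("stratum 0: kiss-o'-death or unsynchronised server")
    if li == 3:
        raise ValueError("leap indicator 3: server clock not synchronised")
    transmit = struct.unpack("!Q", data[40:48])[0]
    if transmit == 0:
        raise ValueError("zero transmit timestamp")
    return {"version": vn, "stratum": stratum, "unix_time": ntp_to_unix(transmit)}


def reply_is_usable(data, expect_mode=MODE_SERVER):
    try:
        parse_reply(data, expect_mode)
        return True
    except ValueError:
        return False


def validate_poll_interval(seconds):
    """The switch accepts 30 to 720 seconds; anything else is rejected."""
    if not POLL_MIN <= seconds <= POLL_MAX:
        raise ValueError(f"poll interval must be {POLL_MIN}-{POLL_MAX} s")
    return seconds


def make_reply(unix_time, version=3, stratum=2, mode=MODE_SERVER, li=0):
    """Constructed server reply for testing: header byte, stratum, poll, precision, then
    36 bytes of root/reference/originate/receive fields left zero, then the transmit timestamp."""
    first = (li << 6) | (version << 3) | mode
    transmit = (int(unix_time) + NTP_UNIX_OFFSET) << 32
    return bytes([first, stratum, 6, 0xEC]) + b"\x00" * 36 + struct.pack("!Q", transmit)


if __name__ == "__main__":
    # Constructed exchange: the request the switch would send, and a reply from a stratum-2 server
    print("request:", build_request(3).hex())
    reply = make_reply(1079000000)                  # constructed timestamp, March 2004
    print("parsed:", parse_reply(reply))
    print("stratum-0 reply usable:", reply_is_usable(make_reply(1079000000, stratum=0)))
```

In unicast mode the switch sends build_request() to the configured server and checks the answer with expect_mode=MODE_SERVER; in broadcast mode it sends nothing and accepts the first packet that passes the checks with expect_mode=MODE_BROADCAST, which is why the notes warn that broadcast mode depends on the server being configured to send to the network broadcast address.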
Deletes unicast SNTP server entry. Re-enters the unicast server with a nondefault protocol version. show sntp displays the result.

Figure 101. Example of Specifying the SNTP Protocol Version Number

Changing the SNTP Poll Interval. This command lets you specify how long the switch waits between time polling intervals. The default is 720 seconds and the range is 30 to 720 seconds.

Disabling the SNTP Mode. If you want to prevent SNTP from being used even if selected by timesync (or the Menu interface's Time Sync Method parameter), configure the SNTP mode as disabled.

Syntax: no sntp
Disables SNTP by changing the SNTP mode configuration to Disabled.

For example, if the switch is running SNTP in Unicast mode with an SNTP server at 10.28.227.

Table 18. TimeP Parameters

TimeP Parameter | Operation
Time Sync Method | Used to select either TIMEP (the default), SNTP, or None as the time synchronization method.
TimeP Mode: Disabled | The Default. TimeP does not operate, even if specified by the Menu interface Time Sync Method parameter or the CLI timesync command.

(Figure callout: Time Protocol Selection Parameter: TIMEP (the default), SNTP, or None)

Figure 104. The System Information Screen (Default Values)

2. Press [E] (for Edit). The cursor moves to the System Name field.
3. Use [v] to move the cursor to the Time Sync Method field.
4. If TIMEP is not already selected, use the Space bar to select TIMEP, then press [v] once to display and move to the TimeP Mode field.
5.

iii. Press [>] to move the cursor to the Poll Interval field, then go to step 6.
6. In the Poll Interval field, enter the time in minutes that you want for a TimeP Poll Interval. Press [Enter] to return to the Actions line, then [S] (for Save) to enter the new time protocol configuration in both the startup-config and running-config files.

If SNTP is the selected time synchronization method, show timep still lists the TimeP configuration even though it is not currently in use:

(Figure callout: Even though, in this example, SNTP is the current time synchronization method, the switch maintains the TimeP configuration.)

Figure 106.

For example, suppose:
■ Time synchronization is configured for SNTP.
■ You want to:
  1. View the current time synchronization.
  2. Select TimeP as the time synchronization mode.
  3. Enable TimeP for DHCP mode.
  4. View the TimeP configuration.

The commands and output would appear as follows:

(Callout 1: show timep displays the TimeP configuration and also shows that SNTP is the currently active time synchronization mode.)

HP2512(config)# timesync timep                      Selects TimeP.
HP2512(config)# ip timep manual 10.28.227.141       Activates TimeP in Manual mode.

Figure 108. Example of Configuring TimeP for Manual Operation

Changing the TimeP Poll Interval. This command lets you specify how long the switch waits between time polling intervals. The default is 720 minutes and the range is 1 to 9999 minutes.

Disabling the TimeP Mode. Disabling the TimeP mode means to configure it as disabled. (Disabling TimeP prevents the switch from using it as the time synchronization protocol, even if it is the selected Time Sync Method option.)

Syntax: no ip timep
Disables TimeP by changing the TimeP mode configuration to Disabled.

Adding and Deleting SNTP Server Addresses

Adding Addresses. As mentioned earlier, you can configure one SNTP server address using either the Menu interface or the CLI. To configure a second and third address, you must use the CLI. For example, suppose you have already configured the primary address in the above table (10.28.227.141).

Menu Interface Operation with Multiple SNTP Server Addresses Configured

When you use the Menu interface to configure an SNTP server IP address, the new address writes over the current primary address, if one is configured. If there are multiple addresses configured, the switch re-orders the addresses according to the criteria described under "Address Prioritization" on page 217.
Enhancements in Release F.02.02 Operation and Enhancements for Multimedia Traffic Control (IGMP) Operation and Enhancements for Multimedia Traffic Control (IGMP) How Data-Driven IGMP Operates The information in this section supplements the information provided under "Multimedia Traffic Control with IP Multicast (IGMP)" beginning on page 9-91 in the Management and Configuration Guide included with your Series 2500 switch and also available at http://www.hp.com/go/hpprocurve.
multicast packets to ports from which a join request for that group has not been received. (If the switch or router has not received any join requests for a given multicast group, it drops the traffic it receives for that group.
IGMP Function                                    Available With    Available Without   Operating Differences Without an IP
                                                 IP Addressing     IP Addressing?      Address Configured on the VLAN
Drop multicast group traffic for which there                       Yes                 None
have been no join requests from IGMP clients
connected to ports on the VLAN.
Forward multicast group traffic to any port on
the VLAN that has received a join request for
that multicast group.
unnecessary multicast traffic from that group to the former IGMP client. This improves performance by reducing the amount of multicast traffic going through the port to the IGMP client after the client leaves a multicast group. IGMP in the Series 2500 switches automatically uses this Fast-Leave feature.

Automatic Fast-Leave Operation. If a Series 2500 switch port is:
a. Connected to only one end node
b.
For example:

Figure 114. Listing the Forced Fast-Leave State for Ports in an HP2512 Switch

In this example, the 2 at the end of each port listing shows that Forced Fast-Leave is disabled on all ports in the switch.

To list the Forced Fast-Leave state for a single port.
Syntax: getmib hpSwitchIgmpPortForcedLeaveState.1.<port-number>
or
getmib 1.3.6.1.4.1.11.2.14.11.5.1.7.1.15.3.1.5.1.<port-number>
CLI: Configuring Per-Port Forced Fast-Leave IGMP

In the factory-default configuration, Forced Fast-Leave is disabled for all ports on the switch. To enable (or disable) this feature on individual ports, use the switch's MIB commands, as shown below. A value of 1 enables Forced Fast-Leave on the port and a value of 2 disables it.

Syntax: setmib hpSwitchIgmpPortForcedLeaveState.1.<port-number> -i < 1 | 2 >
or
setmib 1.3.6.1.4.1.11.2.14.11.5.1.7.1.15.3.1.5.1.<port-number> -i < 1 | 2 >
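An added Python helper, not part of these release notes or of the switch software, that turns the output of the getmib command above into a per-port table and emits only the setmib commands needed to reach a desired per-port policy. The sample output is constructed here, and its line layout (name.1.<port> = value) is an assumption based on the description of Figure 114; the OID, the ".1" index before the port number and the 1/2 values are exactly those given above.

```python
import re

# OID of hpSwitchIgmpPortForcedLeaveState as given in the release notes; the
# final index is the port number.
FORCED_LEAVE_OID = "1.3.6.1.4.1.11.2.14.11.5.1.7.1.15.3.1.5.1"
FORCED_LEAVE_NAME = "hpSwitchIgmpPortForcedLeaveState.1"
STATE_NAMES = {1: "enabled", 2: "disabled"}

# Constructed sample of getmib output (not captured from a switch); the
# "name.1.<port> = <value>" layout is assumed from the Figure 114 description.
SAMPLE_GETMIB_OUTPUT = """\
hpSwitchIgmpPortForcedLeaveState.1.1 = 2
hpSwitchIgmpPortForcedLeaveState.1.2 = 1
hpSwitchIgmpPortForcedLeaveState.1.3 = 2
1.3.6.1.4.1.11.2.14.11.5.1.7.1.15.3.1.5.1.4 = 2
"""

# Accept either the symbolic name or the numeric OID, followed by .<port> = <value>.
_LINE = re.compile(
    r"^(?:" + re.escape(FORCED_LEAVE_NAME) + r"|" + re.escape(FORCED_LEAVE_OID) + r")"
    r"\.(\d+)\s*=\s*(\d+)\s*$"
)


def parse_forced_leave(output):
    """Map port number -> 'enabled' / 'disabled'. Lines that are not Forced
    Fast-Leave entries are ignored; values other than 1 or 2 are rejected
    rather than silently treated as disabled."""
    states = {}
    for line in output.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        port, value = int(m.group(1)), int(m.group(2))
        if value not in STATE_NAMES:
            raise ValueError(f"port {port}: unexpected value {value}")
        states[port] = STATE_NAMES[value]
    return states


def setmib_command(port, enable):
    """The CLI command from the release notes for one port (1 = enable, 2 = disable)."""
    return f"setmib {FORCED_LEAVE_OID}.{port} -i {1 if enable else 2}"


def reconcile(current, ports_enabled):
    """Commands that move the switch from `current` (parse_forced_leave output)
    to a policy where exactly the ports in `ports_enabled` have Forced
    Fast-Leave on. Ports already in the wanted state get no command, so the
    result can be re-applied safely."""
    commands = []
    for port in sorted(current):
        wanted = port in ports_enabled
        if (current[port] == "enabled") != wanted:
            commands.append(setmib_command(port, wanted))
    return commands


if __name__ == "__main__":
    state = parse_forced_leave(SAMPLE_GETMIB_OUTPUT)
    for cmd in reconcile(state, ports_enabled={1, 2}):
        print(cmd)
```

Keep the policy set small and explicit: Forced Fast-Leave is appropriate only on ports that face a single end node, and the page's own factory default of "disabled everywhere" is the safe starting point.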
Enhancements in Release F.02.02 The Switch Excludes Well-Known or Reserved Multicast Addresses from IP Multicast Filtering

If the switch becomes the Querier for a particular VLAN (for example, the DEFAULT_VLAN) and subsequently detects queries transmitted from another device on the same VLAN, the switch ceases to operate as the Querier for that VLAN. Note that this handover is not authenticated: the switch gives up the Querier role to whatever device transmits queries on the VLAN.
Switch Memory Operation

Groups of Consecutive Addresses in the Range of    Groups of Consecutive Addresses in the Range of
224.0.0.X to 239.0.0.X*                            224.128.0.X to 239.128.0.X*
231.0.0.x                                          231.128.0.x
239.0.0.x                                          239.128.0.x

* X is any value from 0 to 255.
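Why those address blocks are excluded, as an added Python example that is not part of these release notes or of the switch software: IPv4 multicast groups are mapped to Ethernet MACs by copying only the low 23 bits of the group address behind 01:00:5e (RFC 1112), so 32 groups share each MAC. Every group in 224.0.0.X to 239.0.0.X and 224.128.0.X to 239.128.0.X lands on the MAC of the reserved link-local group 224.0.0.X, and a layer-2 filter cannot separate that traffic from the reserved group's traffic. The code computes the mapping, enumerates the aliases, flags collisions with the reserved block, and includes the multicast-range validity check that the F.05.15 fixes describe as being applied before any IGMP action. All input addresses below are chosen here as examples.

```python
import ipaddress

MCAST_MAC_PREFIX = 0x01005E000000  # 01:00:5e:00:00:00, the Ethernet block for IPv4 multicast
LOW23 = 0x7FFFFF                    # only these bits of the group address survive in the MAC
MCAST_BASE = 0xE0000000             # 224.0.0.0


def is_ipv4_multicast(addr):
    """True for 224.0.0.0/4. Check this before acting on an IGMP group address or
    an IP destination, as the F.05.15 IGMP fix describes."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 4 and ip.is_multicast


def _low23(addr):
    if not is_ipv4_multicast(addr):
        raise ValueError(f"{addr} is not an IPv4 multicast address")
    return int(ipaddress.ip_address(addr)) & LOW23


def multicast_mac(addr):
    """Ethernet MAC for an IPv4 multicast group (RFC 1112 section 6.4)."""
    mac = MCAST_MAC_PREFIX | _low23(addr)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def mac_aliases(addr):
    """The 32 groups that share one MAC with `addr`. The five bits the mapping
    drops are the low four bits of the first octet (224..239) and the high bit
    of the second octet (0 or 128)."""
    low = _low23(addr)
    return [str(ipaddress.ip_address(MCAST_BASE | (hi << 23) | low)) for hi in range(32)]


def collides_with_reserved(addr):
    """True when the group maps to the MAC of a reserved 224.0.0.X group, i.e. it
    lies in 224-239.0.0.X or 224-239.128.0.X. These are the blocks the table
    above lists: filtering them at layer 2 would also block the reserved
    group's traffic, so the switch leaves them out of IP multicast filtering."""
    return _low23(addr) < 256


def excluded_blocks():
    """The two columns of the table above, generated from the mapping rule."""
    return ([f"{a}.0.0.X" for a in range(224, 240)],
            [f"{a}.128.0.X" for a in range(224, 240)])


if __name__ == "__main__":
    for group in ("224.0.0.1", "231.0.0.1", "239.128.0.1", "239.255.255.250"):
        print(f"{group:16} -> {multicast_mac(group)}  reserved-collision={collides_with_reserved(group)}")
```

The practical consequence for address planning: pick application groups outside the X.0.0.X and X.128.0.X blocks, or the switch will flood them to every port on the VLAN regardless of IGMP state.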
Enhancements in Release F.02.02 Port Security: Changes to Retaining Learned Static Addresses Across a Reboot

■ After you configure the authorized MAC addresses you want on a port, execute the write memory command to make these addresses permanent in the switch's configuration. (See the "Assigned/Authorized Address" bullet under "Retention of Static Addresses" in the next subsection.)

Retention of Static Addresses

Beginning with release F.02.
Enhancements in Release F.02.02 Username Assignment and Prompt

Prior to release F.02.02, assigning a manager or operator username to the switch required you to use the web browser interface. Also, only the web browser interface required you to enter a username at logon if one was configured for the privilege level you were accessing. Beginning with release F.02.
Software Fixes

Release F.01.07 was the first software release for the HP ProCurve Series 2500 switches.

Release F.01.08 . . . . . . . . . . . . . . . . . . . . . . . . . . . page 232
Release F.01.09 (Beta Release Only) . . . . . . . . . . . . . . . page 232
Release F.01.10 . . . . . . . . . . . . . . . . . . . . . . . . . . .
Release F.01.08
Fixed in release F.01.08:
■ 100/1000-T transceiver — When using this 100/1000-T transceiver and negotiating to 100 Mbps, the port may report that it is operating at 100 full duplex when it is actually operating at 100 half duplex.
■ Web-Browser Interface — The product label in the web-browser display for the Switch 2512 is incorrectly displayed as Switch 2524.

Release F.01.09 (Beta Release Only)
Fixed in release F.01.
Note: The startup-config file saved under version F.02.02 is NOT backward-compatible with previous software versions. HP recommends that you save a copy of the pre-F.02.02 startup-config file BEFORE UPGRADING to F.02.02 or greater, in case there is ever a need to revert to pre-F.02.02 software.
■ LACP — Resolves several issues with LACP, including: conversation on a trunk may momentarily fail if a trunk member port goes down, difficulty accessing the MIB, configuration issues, port priority issues, problems with dynamic negotiation, and switch crashes with messages similar to:
-> Software Exception at woody_dev.c: 450 in AdMgrCtrl
-> ppmgr_setDefaultPriority: invalid port number
and
-> Software exception at woody_pktDriver.
Release F.02.04 (Beta Release Only)
The switch's CDP packets have been modified to better interoperate with older Cisco IOS versions. Certain legal CDP packets sent from the ProCurve switch could cause Cisco routers running older IOS versions to crash.
Note: The ProCurve switch's CDP packets are legal both before and after this modification.
Fixed in release F.02.04:
■ Buffer Leak — A message buffer leak occurs when the switch receives a TACACS+ 'DISC' character.
■ IGMP — If there are several IGMP groups in several VLANs and the switch is acting as Querier, the switch may stop sending IGMP Queries on some of its VLANs.
■ IGMP — All Querier intervals on the switch will be cut in half if IGMP, after already being enabled, is disabled and then re-enabled.
■ IGMP — The switch does not fully support 256 IGMP groups, as intended. For example, with 15 VLANs and 40 IGMP groups, the 40th group gets flooded.
■ Uplink
Note: Contact your local Customer Care Center before activating this feature to receive proper configuration instructions. Failure to configure this feature properly will result in unexpected connectivity problems.

Release F.02.06 (Beta Release Only)
Textual modifications made to the Isolated Port Groups feature.

Release F.02.
I 01/01/90 00:00:19 ports: port 13: Xcvr Hot-Swap detected. Need reboot.
■ XRMON — Various XRMON counters display incorrect values. Possible symptoms include network management applications reporting too high a network utilization (TopTools may report "crossed octets").

Release F.02.08 (Beta Release Only)
Fixed in F.02.08:
■ Crash — If a transceiver is repeatedly installed and removed, the switch may crash with a message similar to:
-> Software exception at woodyDma_recv.
■ Transceivers — Removing and re-inserting both transceivers simultaneously many times with network cables attached and without an intervening reboot may cause the switch to crash with a message similar to:
-> Software exception in ISR at buffers.c:1627

Release F.02.12
Fixed in release F.02.12:
■ Monitoring Port — When a config file containing a Monitoring Port configuration is loaded onto the switch via TFTP or XModem, the Monitoring Port feature does not work properly.

Release F.02.
■ IGMP — Interoperability issues with some Cisco devices cause IGMP groups to be aged out of the switch's IGMP tables prematurely.
■ Menu/Web-Browser Interface — Display of mirror port configuration is inconsistent between the menu and web interfaces.
■ Port Configuration — Changing a port setting from one Auto mode to another may not be reflected in Auto-negotiation's advertised capability without a switch reset or module hot-swap.
Release F.04.04 (Beta Release Only)
Fixed in release F.04.04:
Modification of Lab troubleshooting commands.

Release F.04.08
Fixed in release F.04.08:
Modification of Lab troubleshooting commands.

Release F.04.09 (Beta Release Only)
Fixed in release F.04.09:
■ Agent Hang — Agent processes (such as console, telnet, STP, ping, etc.) may stop functioning when the IGMP querier function is disabled and then re-enabled on a VLAN that does not have an IP address configured.
Software version F.05.xx updates this configuration method, but if you use the same values for indicating time zones as you did for previous HP ProCurve switches, the time will be set incorrectly on your HP ProCurve Switches 2512 and 2524. For example, for previous HP ProCurve switches, the US Pacific time zone was configured by entering +480. With software version F.05.xx, the US Pacific time zone must now be configured by entering -480.

Note: The startup-config file saved under version F.
■ CLI — The CLI command "show tech" causes an error message when the command is executed from within config mode.
■ CLI — The prompt for saving the config does not handle a DISC character appropriately.
■ CLI/Timezone — The switch time is wrong if the CLI is used to set the time zone, and the time zone may not operate properly after the switch is rebooted. West of GMT is now a negative offset and east of GMT is now a positive offset.
■ LACP/802.1x — 802.1x and LACP trunks can co-exist on the same port. (The fix makes the two mutually exclusive on a port.)
■ LACP — LACP maintains a dynamic trunk with only 1 port configured for the trunk group.
■ Link-up polling interval — A delay of up to 1.7 seconds between plugging in a cable (linkbeat established) and traffic being forwarded to and from that port may cause problems with some time-sensitive applications.
■ STP/Running-Config — STP path-cost is not written to the configuration when using the CLI.
■ STP/Startup-Config — When a startup-config file containing an 802.1d STP configuration that was saved from the switch is reloaded, an error similar to the following occurs:
Line: 13. Invalid input: stp802.1d Corrupted download file.
than 30 seconds after a physical topology change; iii. After a physical topology change, the spanning tree may take a long time to re-converge, and may never re-converge; iv. Possible flooding storms (which users may mistakenly report as broadcast storms).

Release F.05.12 (Beta Release Only)
Adds the following enhancement:
■ Changes to 802.
Release F.05.13 (Beta Release Only)
Adds the following enhancement:
■ Changes to Isolated Port Groups to add two new groups: group1 and group2.

Release F.05.15 (Beta Release Only)
Adds the following enhancements:
■ Increased IGMP V3 interoperability by allowing the switch to keep (and not prune) V3 groups. This lets the switch interoperate in an IGMP V3 environment without pruning off the V3 groups (due to the Data-Driven IGMP feature) or always flooding.
■ IGMP — Checks whether an IP DA and/or an IGMP Group Address is a valid IP multicast address before taking any IGMP action on it.
■ IGMP — Fixed Group-Specific Query (GSQ) timing in the Normal Leave case to be a minimum of 1 second (as the IGMP standard specifies and as the GSQs advertise). This applies when the Querier forces an interval between GSQs.
■ STP — Under some conditions, an 802.1w non-Root switch will have a zero Root Path Cost.
■ TACACS+ — The TACACS+ server IP address is shown on the 'splash screen'.
■ TELNET — TCP port 1506 is always open.
■ UI — In the absence of a time server, the switch may report that it is the year "26".
■ Web — The web browser port utilization pop-up does not display the bandwidth number. It shows x% of 0Mb instead of x% of 100Mb or x% of 1Gb.
■ Trunking — With ports 25 and 26 configured in a trunk group, the show trunk 25,26 command displays incorrect information for Trunk Group Name and Trunk Group Type. Example output:
Port  Name    Type    Group   Type
25    1000SX  Trk1    Trunk
26    1000SX  1000SX  1000SX
■ Web — Sun Java v1.3.x and v1.4.x interoperability issue resulting in high CPU utilization on the switch.
■ Crash/Bus Error (PR_92466) — Bus error related to 802.1X/unauthorized VLAN.
■ Agent Hang (PR_92802) — Agent 'hang' (ping and TELNET hang, but not the Console).

Release F.05.20 (Never Released)
Fixed in release F.05.20:
■ Crash/Bus Error (PR_98514) — HW Addr=0x00000000 IP=0x002a22d8 Task='tNetTask' Task ID=0xe2e740.
■ SSH (PR_96648) — Fix implemented for CERT Advisory CA-2003-24 (the OpenSSH buffer management vulnerability) and the associated vulnerability note "VU#333628" at http://www.cert.
■ Web (PR_81848) — The 'Clear changes' button does not work for the Default Gateway or VLAN selections.
■ Web (PR_82039) — If the user selects GVRP mode, selects a port, and then selects nothing as an option for the port mode, all ports below the selected port disappear. This does not affect the switch configuration.
■ Web (PR_82199) — VLAN port modification shows a misleading mode. In the Configuration - VLANs - Modify page, select a port, then set the "mode" modify pull-down menu to "tagged".
© Copyright 2001, 2004 Hewlett-Packard Company, LP. Reproduction, adaptation, or translation without prior written permission is prohibited except as allowed under the copyright laws. The information contained in this document is subject to change without notice.