Release Notes: Version F.05.70 Software for the ProCurve Series 2300 and 2500 Switches

These release notes include information on the following:
■ Downloading switch software and Documentation from the Web (Page 1)
■ Enhancements in Release F.05.xx (Page 6)
■ Enhancements in Release F.04.08 (Page 72)
■ Enhancements in Release F.02.11 (Page 148)
■ Enhancements in Release F.02.
© Copyright 2001-2009 Hewlett-Packard Development Company, LP. The information contained herein is subject to change without notice.
Publication Number 5990-3102
March, 2009
Applicable Products
ProCurve Switch 2512 (J4812A)
ProCurve Switch 2524 (J4813A)
ProCurve Switch 2312 (J4817A)
ProCurve Switch 2324 (J4818A)
Trademark Credits
Microsoft, Windows, Windows 95, and Microsoft Windows NT are registered trademarks of Microsoft Corporation.
Disclaimer The information contained in this document is subject to change without notice. HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
Contents
Software Management
Download Switch Documentation and Software from the Web ... 1
View or Download the Software Manual Set ... 1
Downloading Software to the Switch ... 1
TFTP Download from a Server ...
Configuring Port Isolation on the Switch ... 24
Steps for Configuring Port Isolation ... 24
Configuring and Viewing Port-Isolation ... 25
Messages Related to Port-Isolation Operation ...
Show Commands for Port-Access Supplicant ... 66
How RADIUS/802.1X Authentication Affects VLAN Operation ... 67
Messages Related to 802.1X Operation ... 70
IGMP Version 3 Support ...
Messages Related to Prioritization ... 135
Troubleshooting Prioritization ... 135
Using the "Kill" Command To Terminate Remote Sessions ... 136
Configuring Rapid Reconfiguration Spanning Tree (RSTP) ... 137
Overview ...
Operating Notes ... 185
Troubleshooting TACACS+ Operation ... 186
CDP (Updated by Software Version F.05.50) ... 188
New Time Synchronization Protocol Options ...
Port Security: Changes to Retaining Learned Static Addresses Across a Reboot ... 217
Recommended Port Security Procedures ... 217
Retention of Static Addresses ... 217
Username Assignment and Prompt ...
Release F.02.13 ... 236
Release F.04.01 (Beta Release Only) ... 236
Release F.04.02 (Beta Release Only) ... 237
Release F.04.03 (Beta Release Only) ...
Release F.05.37 (Not a General Release) ... 253
Release F.05.38 (Never Released) ... 253
Release F.05.39 (Never Released) ... 253
Release F.05.40 (Never Released) ...
Software Management
Caution: Archive Pre-F.05.17 Configuration Files
A configuration file saved while using release F.05.17 or later software is not backward-compatible with earlier software versions. For this reason, HP recommends that you archive the most recent configuration on switches using software releases earlier than F.05.17 before you update any switches to software release F.05.17 or later.
■ Use the download utility in ProCurve Manager Plus.
Note: Downloading new software does not change the current switch configuration. The switch configuration is contained in a separate file that can also be transferred, for example, for archive purposes or to be used in another switch of the same model.
TFTP Download from a Server
Syntax: copy tftp flash
For example, to download a software file named F_05_34.
Xmodem Download From a PC or Unix Workstation
This procedure assumes that:
■ The switch is connected via the Console RS-232 port on a PC operating as a terminal. (Refer to the Installation Guide you received with the switch for information on connecting a PC as a terminal and running the switch console interface.)
■ The switch software is stored on a disk drive in the PC.
■ The terminal emulator you are using includes the Xmodem binary transfer feature.
Saving Configurations While Using the CLI
The switch operates with two configuration files:
■ Running-Config File: Exists in volatile memory and controls switch operation. Rebooting the switch erases the current running-config file and replaces it with an exact copy of the current startup-config file. To save a configuration change, you must save the running configuration to the startup-config file.
ProCurve Switch, Routing Switch, and Router Software Keys
Software Letter: Switch
C: 1600M, 2400M, 2424M, 4000M, and 8000M
CY: Switch 8100fl Series (8108fl and 8116fl)
E: Switch 5300xl Series (5304xl, 5308xl, 5348xl, and 5372xl)
F: Switch 2500 Series (2512 and 2524), Switch 2312, and Switch 2324
G: Switch 4100gl Series (4104gl, 4108gl, and 4148gl)
H: Switch 2600 Series, Switch 2600-PWR Series: H.07.81 and earlier, or H.08.55 and greater, Switch 2600-8-PWR requires H.08.80 or greater.
Enhancements in Release F.05.05 through F.05.70
Enhancements in Release F.05.61 through F.05.70
No new enhancements, software fixes only.
Enhancements in Release F.05.05 through F.05.60
Enhancement: Summary (Page)
LLDP: Implements the industry standard Link Layer Discovery Protocol (LLDP) on your switch, as an alternative to the Cisco Discovery Protocol (CDP).
Implementation of LLDP
For network device discovery solutions, software version F.05.50 implements a limited version of the industry standard Link Layer Discovery Protocol (LLDP) on your switch, as an alternative to the Cisco Discovery Protocol (CDP).
MIB (Management Information Base): An internal database the switch maintains for configuration and performance information.
Neighbor: See “LLDP Neighbor”.
Non-LLDP Device: A device that is not capable of LLDP operation.
Table 1. Viewable Data Available for LLDP Advertisements
Data Type: Description
Chassis ID: Uses base MAC address of the switch.
Port Id: Uses port number of the physical port.
System Description: Includes switch model name and running software version, and ROM version.
System Name: Uses the switch’s assigned name.
Remote Management Address Type: Shows the network address type.
LLDP Operating Rules
Port Trunking. LLDP manages trunked ports individually. That is, trunked ports are configured individually for LLDP operation, in the same manner as non-trunked ports. Also, LLDP sends separate advertisements on each port in a trunk, and not on a per-trunk basis.
IP Address Advertisements.
LLDP Operation and Commands
In the default configuration, LLDP is enabled to transmit on all active ports. The LLDP configuration includes global settings that apply to all active ports on the switch, and per-port settings that affect only the operation of the specified ports.
Viewing LLDP-detected Devices
Note: Selected LLDP information (such as system name, port description, port type, chassis type) received by a Series 2500 switch from a remote neighbor is not viewable. With version F.05.60, LLDP advertisements from remote neighbor devices can be received. Use the show lldp info remote-device command to display information received from LLDP remote devices.
Additional information from the remote device can be displayed by specifying the local port number in the command.
Configuring Per-Port LLDP Transmit/Receive
This command controls LLDP transmit/receive traffic on active ports.
Syntax: lldp admin-status < port-list > < enable | disable >
enable: With LLDP enabled on the switch in the default LLDP configuration, each port is configured to transmit/receive LLDP packets. This option lets you enable the specified port(s) to transmit/receive LLDP packets. (For versions F.05.
New Console Option
Starting with Release F.05.23, a new console option removes terminal escape sequences, which allows scripts to better interact with the Command Line Interface. The command console local-terminal none changes the current terminal session to "raw" mode. To return to the default VT-100 mode, use the command console local-terminal vt100.
Syslog Overview
The switch’s Event Log records switch-level progress, status, and warning messages. The System Logging (Syslog) feature provides a means for recording these messages on a remote server. The Syslog feature complies with RFC 3168. UNIX users know this capability as ’Syslogd’.
no logging < syslog-ip-address > removes only the specified Syslog logging destination from the switch.
Syntax: [no] logging facility < facility-name >
The logging facility specifies the destination subsystem the Syslog server(s) must use. (All Syslog servers configured on the switch must use the same subsystem.) HP recommends the default (user) subsystem unless your application specifically requires another subsystem.
Viewing the Syslog Configuration
Syntax: show debug
This command displays the currently configured Syslog logging destination(s) and logging facility. For examples of show debug output, refer to figure 5 on page 19.
Configuring Syslog Logging
1. If you want to use a Syslog server for recording Event Log messages: a.
See Figure 6 below for an example of adding an additional Syslog server.
[Figure 6 callouts: Continuing the example begun in figure 2, this command adds a second Syslog server. Lists the IP addresses of the Syslog servers configured on the switch. Messages must be sent to the same facility on each Syslog]
Figure 6.
The Isolated Port Groups feature originally included in release F.04.08 has been enhanced in release F.05.xx with the inclusion of two new port isolation groups (group1 and group2). Isolated port groups provide an alternative to VLANs for isolating end nodes on your network, while simplifying network administration.
Table 2.
Operating Rules for Port Isolation
■ Port Isolation is intended only for networks that do not use VLAN tagging. (The switch must be in the default VLAN configuration before you configure port-isolation.)
■ Multiple VLANs are not allowed on the switch. If multiple VLANs exist on the switch, delete them and return the ports to the original default configuration as untagged members of VLAN 1.
Configuring Port Isolation on the Switch
Steps for Configuring Port Isolation
1. Remove all non-default VLANs from the switch and ensure that all ports are untagged members of the default VLAN (VID = 1).
2. Identify the devices you will connect to the switch’s ports.
3.
Configuring and Viewing Port-Isolation
Syntax: [ no ] port-isolation
Without any port-list or mode parameters, enables port isolation on the switch and sets all ports to the Uplink mode. The no version disables port isolation and also causes all individual ports to be set to the (default) Uplink mode the next time you enable port isolation.
For example, suppose that the switch is in its default configuration (no multiple VLANs; GVRP disabled, all ports untagged members of the default VLAN—VID = 1) with two optional gigabit transceivers installed, and you wanted to use the switch ports as shown in table 3, “Port Isolation Plan”:
Table 3. Port Isolation Plan
[Figure: front-panel port layout, ports 1 - 14]
Ports: Mode: Internal Traffic Destinations Allowed by Port Isolation Mode
1 - 3: Local: Each Other and Ports 10 - 12
4 - 8: Group1: Each Other and Ports 13 and 14 (uplinks)
9: Private: Gigabit Trunk (ports 13 & 14)
10 - 12: Public: Each Other, Ports 1 - 3, and the Uplink Ports.
Remember to disable LACP on ports that will be configured for Public, Group1, Group2, Private, or Local mode. (Refer to “Operating Rules for Port Isolation” on page 23.) When you enter the command to enable port isolation, the switch displays a caution and prompts you to indicate how to proceed. Type [Y] to continue with enabling port isolation; [N] to leave port isolation disabled. See the Caution on page 21.
Troubleshooting Port-Isolation Operation
Symptom: Possible Cause
Connectivity problems: • A port may be configured as a tagged member of a VLAN, or multiple VLANs may be configured on the switch. Ensure that all ports are untagged members of VLAN 1 (the default VLAN) and that no other VLANs are configured on the switch. • Illegal port trunking.
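As an added example (not code from the HP release notes), the following Python model encodes the per-mode destination rules that Table 3 implies for the six port-isolation modes and checks a plan against the operating rules above (default VLAN only, no tagged ports, LACP off on non-Uplink ports). The Uplink and Group2 rules are assumptions consistent with Table 3, and the port plan is the constructed sample from that table.

```python
"""Port-isolation reachability model for the ProCurve 2500 isolation modes.

Added example, not HP code. The Local, Group1, Private and Public rules are
those shown in Table 3; the Uplink rule (reaches everything except Local) and
the Group2 rule (mirrors Group1 with its own group) are assumptions. The plan
below is the constructed sample from Table 3.
"""

# Destination modes each source mode may reach inside the switch.
ALLOWED = {
    "uplink":  {"uplink", "public", "group1", "group2", "private"},
    "public":  {"uplink", "public", "local"},
    "local":   {"public", "local"},          # Local ports never reach the uplinks
    "group1":  {"uplink", "group1"},
    "group2":  {"uplink", "group2"},
    "private": {"uplink"},                   # Private ports may only use the uplinks
}

# Constructed sample plan from Table 3 (ports 13 and 14 are the gigabit uplinks).
SAMPLE_PLAN = {"local": [(1, 3)], "group1": [(4, 8)], "private": [(9, 9)],
               "public": [(10, 12)], "uplink": [(13, 14)]}


def build_plan(mode_ranges):
    """Expand {mode: [(first, last), ...]} into a {port: mode} map."""
    plan = {}
    for mode, ranges in mode_ranges.items():
        if mode not in ALLOWED:
            raise ValueError(f"unknown isolation mode {mode!r}")
        for first, last in ranges:
            for port in range(first, last + 1):
                if port in plan:
                    raise ValueError(f"port {port} assigned twice")
                plan[port] = mode
    return plan


def is_allowed(plan, src, dst):
    """True if traffic entering on src may be forwarded out dst."""
    return src != dst and plan[dst] in ALLOWED[plan[src]]


def reachable_from(plan, src):
    """Sorted list of ports that src may reach through the switch."""
    return sorted(p for p in plan if is_allowed(plan, src, p))


def rules_symmetric():
    """The rule table must be symmetric: if A may reach B, B may reach A."""
    return all(a in ALLOWED[b] for a, dsts in ALLOWED.items() for b in dsts)


def plan_violations(plan, vlan_ids, tagged_ports, lacp_ports):
    """Check a plan against the operating rules above: only VLAN 1 may exist,
    no port may be a tagged VLAN member, and LACP must be disabled on every
    port that is not in Uplink mode."""
    problems = []
    if set(vlan_ids) != {1}:
        problems.append("switch must be in the default VLAN configuration (VID 1 only)")
    for port in sorted(tagged_ports):
        problems.append(f"port {port} is a tagged VLAN member")
    for port in sorted(lacp_ports):
        if plan.get(port) != "uplink":
            problems.append(f"port {port} ({plan.get(port)}) still has LACP enabled")
    return problems


if __name__ == "__main__":
    plan = build_plan(SAMPLE_PLAN)
    for src in (1, 4, 9, 10, 13):
        print(f"port {src:2d} ({plan[src]:7s}) -> {reachable_from(plan, src)}")
    print(plan_violations(plan, vlan_ids={1, 20}, tagged_ports={5}, lacp_ports={9, 13}))
```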
General Features
802.1X on the Series 2500 switches includes the following:
■ Switch operation as both an authenticator (for supplicants having a point-to-point connection to the switch) and as a supplicant for point-to-point connections to other 802.1X-aware switches.
• Authentication of 802.1X clients using a RADIUS server and either the EAP or CHAP protocol.
Authenticating One Switch to Another. 802.1X authentication also enables the switch to operate as a supplicant when connected to a port on another switch running 802.1X authentication.
[Figure 10. Example of an 802.1X Application. Elements shown: Switch Running 802.1X and Operating as an Authenticator; 802.1X-Aware Client (Supplicant); LAN Core; Switch Running 802.1X and Connected as a Supplicant; RADIUS Server]
Accounting.
iv. If the client is successfully authenticated and authorized to connect to the network, then the server notifies the switch to allow access to the client. Otherwise, access is denied and the port remains blocked.
• If 802.1X (port-access) on the switch is configured for local authentication, then: i.
2. The RADIUS server then responds with an MD5 access challenge that switch “B” forwards to port 1 on switch “A”.
3. Port 1 replies with an MD5 hash response based on its username and password or other unique credentials. Switch “B” forwards this response to the RADIUS server.
4. The RADIUS server then analyzes the response and sends either a “success” or “failure” packet back through switch “B” to port 1.
EAP (Extensible Authentication Protocol): EAP enables network access that supports multiple authentication methods.
EAPOL: Extensible Authentication Protocol Over LAN, as defined in the 802.1X standard.
Friendly Client: A client that does not pose a security risk if given access to the switch and your network.
MD5: An algorithm for calculating a unique digital signature over a stream of bytes.
General Operating Rules and Notes
■ When a port on the switch is configured as either an authenticator or supplicant and is connected to another device, rebooting the switch causes a re-authentication of the link.
■ When a port on the switch is configured as an authenticator, it will block access to a client that either does not provide the proper authentication credentials or is not 802.1X-aware.
General Setup Procedure for Port-Based Access Control (802.1X)
Do These Steps Before You Configure 802.1X Operation
1. Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this may or may not be required for your 802.
3. Configure the 802.1X authentication type. Options include:
• Local Operator username and password (the default). This option allows a client to use the switch’s local username and password as valid 802.1X credentials for network access.
• EAP RADIUS: This option requires your RADIUS server application to support EAP authentication for 802.1X.
Configuring Switch Ports as 802.1X Authenticators 802.
1. Enable 802.1X Authentication on Selected Ports
This task configures the individual ports you want to operate as 802.1X authenticators for point-to-point links to 802.1X-aware clients or switches. (Actual 802.1X operation does not commence until you perform step 5 on page 37 to activate 802.1X authentication on the switch.)
Note: When you enable 802.
Syntax: aaa port-access authenticator < port-list > (Syntax Continued)
[quiet-period < 0 - 65535 >] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails (next page).
Syntax: aaa port-access authenticator < port-list > (Syntax Continued)
[reauth-period < 1 - 9999999 >] Sets the period of time after which clients connected must be re-authenticated. When the timeout is set to 0 the reauthentication is disabled (Default: 0 second)
[unauth-vid < vlan-id >] Configures an existing static VLAN to be the Unauthorized-Client VLAN.
3. Configure the 802.1X Authentication Method
This task specifies how the switch will authenticate the credentials provided by a supplicant connected to a switch port configured as an 802.1X authenticator.
Syntax: aaa authentication port-access < local | eap-radius | chap-radius >
Determines the type of RADIUS authentication to use.
4. Enter the RADIUS Host IP Address(es)
If you selected either eap-radius or chap-radius for the authentication method, configure the switch to use 1 to 3 RADIUS servers for authentication. The following syntax shows the basic commands. For coverage of all commands related to RADIUS server configuration, refer to “Configuring RADIUS Authentication and Accounting” on page 102.
802.1X Open VLAN Mode
802.1X Authentication Commands: page 38
802.1X Supplicant Commands: page 58
802.1X Open VLAN Mode Commands: [no] aaa port-access authenticator [e] < port-list > [auth-vid < vlan-id >] [unauth-vid < vlan-id >]: page 53
802.1X-Related Show Commands: page 61
RADIUS server configuration: pages 43
This section describes how to use the 802.
■ 3rd Priority: If the port does not have an Authorized-Client VLAN configured, but does have a static, untagged VLAN membership in its configuration, then the switch assigns the port to this VLAN. If the port is not configured for any of the above, then it must be a tagged member of at least one VLAN. In this case, if the client is capable of operating in a tagged VLAN, then it can access that VLAN.
Table 4. 802.1X Open VLAN Mode Options
802.1X Per-Port Configuration: Port Response
No Open VLAN mode: The port automatically blocks a client that cannot initiate an authentication session.
Open VLAN mode with both of the following configured:
Unauthorized-Client VLAN • When the port detects a client, it automatically becomes an untagged member of this VLAN.
Open VLAN Mode with Only an Unauthorized-Client VLAN Configured: • When the port detects a client, it automatically becomes an untagged member of this VLAN. To limit security risks, the network services and access available on this VLAN should include only what a client needs to enable an authentication session.
Operating Rules for Authorized-Client and Unauthorized-Client VLANs
Condition: Rule
Static VLANs used as Authorized-Client or Unauthorized-Client VLANs: These must be configured on the switch before you configure an 802.1X authenticator port to use them. (Use the vlan < vlan-id > command or the VLAN Menu screen in the Menu interface.
Multiple Authenticator Ports Using the Same Unauthorized-Client and Authorized-Client VLANs: You can use the same static VLAN as the Unauthorized-Client VLAN for all 802.1X authenticator ports configured on the switch. Similarly, you can use the same static VLAN as the Authorized-Client VLAN for all 802.1X authenticator ports configured on the switch.
Setting Up and Configuring 802.1X Open VLAN Mode
Preparation. This section assumes use of both the Unauthorized-Client and Authorized-Client VLANs. Refer to Table 4 on page 46 for other options. Before you configure the 802.1X Open VLAN mode on a port:
■ Statically configure an “Unauthorized-Client VLAN” in the switch.
Note that as an alternative, you can configure the switch to use local password authentication instead of RADIUS authentication. However, this is less desirable because it means that all clients use the same passwords and have the same access privileges. Also, you must use 802.1X supplicant software that supports the use of local switch passwords.
3. If you selected either eap-radius or chap-radius for step 2, use the radius host command to configure up to three RADIUS server IP address(es) on the switch.
Syntax: radius host < ip-address >
Adds a server to the RADIUS configuration.
[key < server-specific key-string >] Optional. Specifies an encryption key for use with the specified server. This key must match the key used on the RADIUS server.
Configuring 802.1X Open VLAN Mode. Use these commands to actually configure Open VLAN mode. For a listing of the steps needed to prepare the switch for using Open VLAN mode, refer to “Preparation” on page 50.
Syntax: aaa port-access authenticator [e] < port-list > [auth-vid < vlan-id >]
Configures an existing, static VLAN to be the Authorized-Client VLAN.
Inspecting 802.1X Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, refer to “Viewing 802.1X Open VLAN Mode Status” on page 63.
802.1X Open VLAN Operating Notes
■ Although you can configure Open VLAN mode to use the same VLAN for both the Unauthorized-Client VLAN and the Authorized-Client VLAN, this is not recommended.
Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices
If you are using port-security on authenticator ports, you can configure it to learn only the MAC address of the first 802.1X-aware device detected on the port. Then, only traffic from this specific device is allowed on the port. When this device logs off, another 802.1X-aware device can be authenticated on the port.
Note on Blocking a Non-802.1X Device
If the port’s 802.1X authenticator control mode is configured to authorized (as shown below, instead of auto), then the first source MAC address from any device, whether 802.1X-aware or not, becomes the only authorized device on the port.
aaa port-access authenticator < port-list > control authorized
With 802.
Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches
802.1X Authentication Commands: page 38
802.1X Supplicant Commands: [no] aaa port-access < supplicant < [ethernet] < port-list > [auth-timeout | held-period | start-period | max-start | initialize | identity | secret | clear-statistics]: page 58
page 59 802.
• If, after the supplicant port sends the configured number of start request packets, it does not receive a response, it assumes that switch “B” is not 802.1X-aware, and transitions to the authenticated state. If switch “B” is operating properly and is not 802.1X-aware, then the link should begin functioning normally, but without 802.1X security.
Configuring a Supplicant Switch Port. Note that you must enable supplicant operation on a port before you can change the supplicant configuration. This means you must execute the supplicant command once without any other parameters, then execute it again with a supplicant parameter you want to configure.
Syntax: aaa port-access supplicant [ethernet] < port-list > (Syntax Continued)
[auth-timeout < 1 - 300 >] Sets the period of time the port waits to receive a challenge from the authenticator. If the request times out, the port sends another authentication request, up to the number of attempts specified by the max-start parameter. (Default: 30 seconds).
Displaying 802.1X Configuration, Statistics, and Counters
802.1X Authentication Commands: page 38
802.1X Supplicant Commands: page 57
802.1X Open VLAN Mode Commands: page 44
802.1X-Related Show Commands: show port-access authenticator (below); show port-access supplicant (page 66)
Details of 802.
Syntax: show port-access authenticator (Syntax Continued)
config [[e] < port-list >] Shows: • Whether port-access authenticator is active • The 802.1X configuration of the ports configured as 802.1X authenticators. If you do not specify < port-list >, the command lists all ports configured as 802.1X port-access authenticators. Does not display data for a specified port that is not enabled as an authenticator.
Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Viewing 802.1X Open VLAN Mode Status You can examine the switch’s current VLAN status by using the show port-access authenticator and show vlan < vlan-id > commands as illustrated in this section. Figure 14 shows an example of show port-access authenticator output, and table 4 describes the data that this command displays.
Note that because a temporary Open VLAN port assignment to either an authorized or unauthorized VLAN is an untagged VLAN membership, these assignments temporarily replace any other untagged VLAN membership that is statically configured on the port.
Status Indicator: Meaning
Current VLAN ID < vlan-id >: Lists the VID of the static, untagged VLAN to which the port currently belongs.
No PVID: The port is not an untagged member of any VLAN.

Syntax: show vlan < vlan-id >
Displays the port status for the selected VLAN, including an indication of which port memberships have been temporarily overridden by Open VLAN mode.
Show Commands for Port-Access Supplicant

Syntax: show port-access supplicant [[e] < port-list >] [statistics]

show port-access supplicant [[e] < port-list >]
Shows the port-access supplicant configuration (excluding the secret parameter) for all ports, or for the < port-list > ports, configured on the switch as supplicants. The Supplicant State can include the following:
Connecting - Starting authentication.
How RADIUS/802.1X Authentication Affects VLAN Operation

Static VLAN Requirement. RADIUS authentication for an 802.1X client on a given port can include a (static) VLAN requirement. (Refer to the documentation provided with your RADIUS application.) The static VLAN to which a RADIUS server assigns a client must already exist on the switch.
■ VLAN 33 becomes unavailable to port 2 for the duration of the session (because there can be only one untagged VLAN on any port).
Even though port 2 is configured as Untagged on (static) VLAN 33 (see figure 16), it does not appear in the VLAN 33 listing while the 802.1X session is using VLAN 22 in the Untagged status. However, after the 802.1X session with VLAN 22 ends, the active configuration returns port 2 to VLAN 33.

Figure 18. The Active Configuration for VLAN 33 Temporarily Drops Port 22 for the 802.1X Session

When the 802.
Notes

Any port VLAN-ID changes you make on 802.1X-aware ports during an 802.1X-authenticated session do not take effect until the session ends. With GVRP enabled, a temporary, untagged static VLAN assignment created on a port by 802.1X authentication is advertised as an existing VLAN.
Message: LACP has been disabled on 802.1X port(s).
Meaning: To maintain security, LACP is not allowed on ports configured for 802.1X authenticator operation. If you configure 802.1X authenticator operation on a port on which LACP (active or passive) is configured, the switch removes the LACP configuration, displays a notice that LACP is disabled on the port(s), and enables 802.1X on that port.
Enhancements in Release F.04.08

Enhancement Summary

Enhancement: Friendly Port Names
Summary: Enables you to assign optional, meaningful names to physical ports on the switch.
Page: 73

Enhancement: SSH Security
Summary: Provides remote access to management functions on the switches via encrypted paths between the switch and management station clients capable of SSHv1 operation.
Using Friendly (Optional) Port Names

Feature                       | Default                 | Menu | CLI     | Web
Configure Friendly Port Names | Standard Port Numbering | n/a  | page 74 | n/a
Display Friendly Port Names   | n/a                     | n/a  | page 75 | n/a

This feature enables you to assign alphanumeric port names of your choosing to augment automatically assigned numeric port names.
Configuring Friendly Port Names

Syntax: interface [e] < port-list > name < name-string >
Assigns a port name to port-list.

no interface [e] < port-list > name
Deletes the port name from port-list.

Configuring a Single Port Name. Suppose that you have connected port 3 on the switch to Bill Smith’s workstation, and want to assign Bill’s name and workstation IP address (10.25.101.73) as a port name for port 3:

Figure 20.
Displaying Friendly Port Names with Other Port Data

You can display friendly port name data in the following combinations:
■ show name: Displays a listing of port numbers with their corresponding friendly port names and also quickly shows you which ports do not have friendly name assignments. (show name data comes from the running-config file.
Figure 23. Example of Friendly Port Name Data for Specific Ports on the Switch (callouts: a port without a "friendly" name; friendly port names assigned in previous examples)

Including Friendly Port Names in Per-Port Statistics Listings. A friendly port name configured to a port is automatically included when you display the port’s statistics output.
For a given port, if a friendly port name does not exist in the running-config file, the Name line in the above command output appears as:

Name : not assigned

To Search the Configuration for Ports with Friendly Port Names. This option tells you which friendly port names have been saved to the startup-config file. (The show config command does not include ports that have only default settings in the startup-config file.
Configuring Secure Shell (SSH)

Note: SSH in the ProCurve Series 2500 switches is based on the OpenSSH software toolkit. For more information on OpenSSH, visit http://www.openssh.com.

Switch SSH and User Password Authentication. This option is a subset of the client public-key authentication shown in figure 26. It occurs if the switch has SSH enabled but does not have login access (login rsa) configured to authenticate the client’s key.
Terminology
■ SSH Server: An HP Series 2500 switch with SSH enabled.
■ Key Pair: A pair of keys generated by the switch or an SSH client application. Each pair includes a public key (that can be read by anyone) and a private key that is held internally in the switch or by a client.
■ PEM (Privacy Enhanced Mode): Refers to an ASCII-formatted client public-key that has been encoded for greater security.
keys by default, check the application software for a key conversion utility or use a third-party key conversion utility.

Figure 28. Example of Public Key in PEM-Encoded ASCII Format Common for SSHv2 Clients (callouts: beginning of actual SSHv2 public key in PEM-encoded ASCII format; comment describing public key identity)

Figure 29. (callouts: Key Size; Modulus)
The general steps for configuring SSH include:

A. Client Preparation
1. Install an SSH client application on a management station you want to use for access to the switch. (Refer to the documentation provided with your SSH client application.)
2. Optional: If you want the switch to authenticate a client public-key on the client:
   a.
6. Use your SSH client to access the switch using the switch’s IP address or DNS name (if allowed by your SSH client application). Refer to the documentation provided with the client application.

General Operating Rules and Notes
■ Any SSH client application you use must offer backwards-compatibility to SSHv1 keys and operation.
Configuring the Switch for SSH Operation

SSH-Related Commands in This Section
show ip ssh: page 91
show ip client-public-key [< babble | fingerprint >]: page 98
show ip host-public-key [< babble | fingerprint >]: page 88
show authentication: page 94
crypto key < generate | zeroize > [rsa]: page 86
ip ssh: page 90
  key-size < 512 | 768 | 1024 >: page 90
  port < 1 - 65535 >: page 90
  timeout < 5 ..
1. Assigning a Local Login (Operator) and Enable (Manager) Password

At a minimum, HP recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, Web, or serial port access could modify the switch’s configuration.

To Configure Local Passwords. You can configure both the Operator and Manager password with one command.
To Generate or Erase the Switch’s Public/Private RSA Host Key Pair. Because the host key pair is stored in flash instead of the running-config file, it is not necessary to use write memory to save the key pair. Erasing the key pair automatically disables SSH.

Syntax: crypto key generate [rsa]
Generates a public/private key pair for the switch. If a switch key pair already exists, replaces it with a new key pair. (See the Note, above.
3. Providing the Switch’s Public Key to Clients

When an SSH client contacts the switch for the first time, the client will challenge the connection unless you have already copied the key into the client’s "known host" file. Copying the switch’s key in this way reduces the chance that an unauthorized device can pose as the switch to learn your access passwords.
3. Ensure that there are no line breaks in the text string. (A public key must be an unbroken ASCII string. Line breaks are not allowed.) For example, if you are using Windows® Notepad, ensure that Word Wrap (in the Edit menu) is disabled, and that the key text appears on a single line.

Figure 33. Example of a Correctly Formatted Public Key (Unbroken ASCII String)

4. Add any data required by your SSH client application.
Figure 35. Examples of Visual Phonetic and Hexadecimal Conversions of the Switch’s Public Key (callouts: phonetic "hash" of the switch’s public key; hexadecimal "hash" of the same switch public key)

Note: The two commands shown in figure 35 convert the displayed format of the switch’s (host) public key for easier visual comparison of the switch’s public key to a copy of the key in a client’s "known host" file.
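As an added example (not from these release notes), the following Python reproduces the two views of a host key hash: the colon-separated hexadecimal MD5 fingerprint and the Bubble Babble phonetic form that OpenSSH's ssh-keygen -B prints, so that a value copied from the switch console can be checked against one computed from a known-hosts entry. It assumes the switch hashes the key the way OpenSSH does for SSHv1 RSA keys (modulus bytes followed by exponent bytes, MD5 for the hex form and SHA-1 for the babble form); the sample key values are constructed.

```python
import hashlib

# Bubble Babble alphabet (Antti Huima's encoding, the phonetic form printed by
# OpenSSH's ssh-keygen -B; assumed to be what 'show ip host-public-key babble' uses)
_VOWELS = "aeiouy"
_CONSONANTS = "bcdfghklmnprstvzx"


def bubble_babble(data: bytes) -> str:
    """Encode a byte string in Bubble Babble ("xexax" for empty input)."""
    out = ["x"]
    seed = 1
    n = len(data)
    for i in range(n // 2 + 1):
        last = i == n // 2
        if not last or n % 2 == 1:
            b1 = data[2 * i]
            a = (((b1 >> 6) & 3) + seed) % 6
            b = (b1 >> 2) & 15
            c = ((b1 & 3) + seed // 6) % 6
            out.append(_VOWELS[a] + _CONSONANTS[b] + _VOWELS[c])
            if not last:
                b2 = data[2 * i + 1]
                out.append(_CONSONANTS[(b2 >> 4) & 15] + "-" + _CONSONANTS[b2 & 15])
                seed = (seed * 5 + b1 * 7 + b2) % 36
        else:
            # even-length input: the final tuple carries only the running checksum
            out.append(_VOWELS[seed % 6] + _CONSONANTS[16] + _VOWELS[seed // 6])
    out.append("x")
    return "".join(out)


def rsa1_key_blob(modulus: int, exponent: int) -> bytes:
    """Bytes that OpenSSH hashes for an SSHv1 RSA public key: big-endian modulus
    followed by big-endian exponent (assumption: the switch does the same)."""
    n_len = (modulus.bit_length() + 7) // 8
    e_len = (exponent.bit_length() + 7) // 8
    return modulus.to_bytes(n_len, "big") + exponent.to_bytes(e_len, "big")


def hex_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 digest, the 'fingerprint' display form."""
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def babble_fingerprint(blob: bytes) -> str:
    """Bubble Babble of the SHA-1 digest, the 'babble' display form (ssh-keygen -B)."""
    return bubble_babble(hashlib.sha1(blob).digest())


def fingerprints_match(from_switch: str, computed: str) -> bool:
    """Compare the value copied from the switch console with the locally computed one;
    case and surrounding whitespace do not matter, everything else must agree exactly."""
    return from_switch.strip().lower() == computed.strip().lower()


if __name__ == "__main__":
    # Constructed sample key, far too small for real use (the switch's host key is 896 bits).
    blob = rsa1_key_blob(modulus=0xC0FFEE1234567890ABCDEF, exponent=35)
    print("hex   :", hex_fingerprint(blob))
    print("babble:", babble_fingerprint(blob))
```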
SSH Client Contact Behavior. At the first contact between the switch and an SSH client, if you have not copied the switch’s public key into the client’s "known host" file, your client’s first connection to the switch will question the connection and, for security reasons, give you the option of accepting or refusing.
Note: The ip ssh key-size command affects only a per-session, internal server key the switch creates, uses, and discards. This key is not accessible from the user interface. The switch’s public (host) key is a separate, accessible key that is always 896 bits.

Note on Port Number: HP recommends using the default IP port number (22). However, you can use ip ssh port to specify any TCP port for SSH connections except those reserved for other purposes.
5. Configuring the Switch for SSH Authentication

Note that all methods in this section result in authentication of the switch’s public key by an SSH client. However, only Option B, below, results in the switch also authenticating the client’s public key. Also, for a more detailed discussion of the topics in this section, refer to “Further Information on SSH Client Public-Key Authentication” on page 95.
(For more on these topics, refer to “Further Information on SSH Client Public-Key Authentication” on page 95.) With steps 1 - 3, above, completed and SSH properly configured on the switch, if an SSH client contacts the switch, login authentication automatically occurs first, using the switch and client public-keys.
Figure 37. (callouts: configures Manager username and password; copies a public key file named "Client-Keys.pub" into the switch; configures the switch to allow SSH access only to a client whose public key matches one of the keys in the public key file downloaded to the switch; configures the primary and secondary password methods for Manager (enable) access, which becomes available after SSH access is granted to a client)
Further Information on SSH Client Public-Key Authentication

The section titled “5. Configuring the Switch for SSH Authentication” on page 92 lists the steps for configuring SSH authentication on the switch. However, if you are new to SSH or need more details on client public-key authentication, this section may be helpful.
b. Uses MD5 to create a hash version of this information.
c. Returns the hash version to the switch.
7. The switch computes its own hash version of the data in step 6 and compares it to the client’s hash version. If they match, then the client is authenticated. Otherwise, the client is denied access.

Using client public-key authentication requires these steps:
1.
1. Use your SSH client application to create a public/private key pair. Refer to the documentation provided with your SSH client application for details. The Series 2500 switches support the following client-public-key properties:

Property: Key Format
Supported Value: ASCII
Comments: See figure 33 on page 88. The key must be one unbroken, non-encoded ASCII string.
Note on Public Keys: The actual content of a public key entry in a public key file is determined by the SSH client application generating the key. (You can, however, manually add or edit any comments the client application appends to the end of the key, such as the smith@fellow at the end of the key in figure 39, above.) The file on the TFTP server must contain non-encoded ASCII text of each public key you want copied.
Replacing or Clearing the Public Key File. The client public-key file remains in the switch’s flash memory even if you erase the startup-config file, reset the switch, or reboot the switch.
■ You can replace the existing client public-key file by copying a new client public-key file into the switch.
■ You can remove the existing client public-key file by executing the clear public-key command.
Messages Related to SSH Operation

Message: 00000K Peer unreachable.
Meaning: Indicates an error in communicating with the TFTP server or not finding the file to download. Causes include such factors as:
• Incorrect IP configuration on the switch
• Incorrect IP address in the command
• Case (upper/lower) error in the filename used in the command
• Incorrect configuration on the TFTP server
• The file is not in the expected location.
Message: Generating new RSA host key. If the cache is depleted, this could take up to two minutes.
Meaning: After you execute the crypto key generate [rsa] command, the switch displays this message while it is generating the key.

Message: Host RSA key file corrupt or not found. Use 'crypto key generate rsa' to create new host key.
Meaning: The switch’s key is missing or corrupt. Use the crypto key generate [rsa] command to generate a new key for the switch.
Symptom: An attempt to copy a client public-key file into the switch has failed and the switch lists one of the following messages:
Possible Cause: The public key file you are trying to download has one of the following problems:
• A key in the file is too long. The maximum key length is 1024 characters, including spaces. This could also mean that two or more keys are merged together instead of being separated by a .
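As an added example, not from the release notes: a Python checker that applies the key-file rules given in this section (one unbroken single-line ASCII key per line, at most 1024 characters including spaces, no merged keys, non-encoded rather than PEM/SSHv2 format) to a file before it is placed on the TFTP server. The SSHv1 "bits exponent modulus [comment]" layout is an assumption about what "non-encoded" means here, and the sample file is constructed with deliberately small keys.

```python
import re

MAX_KEY_CHARS = 1024  # limit stated by the switch's key-file error message

# Non-encoded SSHv1 public key: "<bits> <exponent> <modulus> [comment]" on one line
# (assumed layout of the ASCII key file the switch copies from the TFTP server)
_SSH1_LINE = re.compile(r"^(\d+) (\d+) (\d+)(?: (.*))?$")
# Prefixes of encoded SSHv2/PEM keys that need conversion before the switch can use them
_ENCODED_PREFIXES = ("ssh-rsa ", "ssh-dss ", "---- BEGIN", "-----BEGIN")


def check_key_line(line: str) -> list:
    """Return the problems found in one line of a client public-key file."""
    problems = []
    if len(line) > MAX_KEY_CHARS:
        problems.append("longer than %d characters; two keys may be merged" % MAX_KEY_CHARS)
    if not line.isascii():
        problems.append("contains non-ASCII characters")
    if line.startswith(_ENCODED_PREFIXES):
        problems.append("SSHv2/PEM-encoded key; convert it to non-encoded SSHv1 form")
        return problems
    m = _SSH1_LINE.match(line)
    if m is None:
        problems.append("not '<bits> <exponent> <modulus> [comment]'; "
                        "possibly a wrapped fragment of the previous key")
        return problems
    bits, modulus, comment = int(m.group(1)), int(m.group(3)), m.group(4) or ""
    if modulus.bit_length() != bits:
        # a key broken across lines shows up as a modulus far shorter than declared
        problems.append("modulus is %d bits but key declares %d" % (modulus.bit_length(), bits))
    if re.search(r"\b\d+ \d+ \d{8,}\b", comment):
        problems.append("a second key is merged onto the same line")
    return problems


def validate_key_file(text: str) -> dict:
    """Map 1-based line numbers to their problem lists; blank lines are skipped."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            problems = check_key_line(line)
            if problems:
                report[lineno] = problems
    return report


# Constructed sample file: one good key, then one line per failure mode.
SAMPLE_KEY_FILE = "\n".join([
    "64 35 18446744073709551557 smith@fellow",                       # acceptable
    "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA dummy@pc",                 # encoded SSHv2 key
    "64 35 18446744073709551557 64 35 18446744073709551557 merged@pair",
    "64 35 184467440737",                                            # key wrapped across
    "09551557 wrapped@host",                                         # two lines
    "64 35 " + "9" * 1100,                                           # over 1024 characters
])

if __name__ == "__main__":
    for lineno, problems in sorted(validate_key_file(SAMPLE_KEY_FILE).items()):
        print("line %d: %s" % (lineno, "; ".join(problems)))
```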
Configuring RADIUS Authentication and Accounting

Note: The Series 2500 switches do not support RADIUS security for SNMP (network management) access or Web browser interface access. For steps to block unauthorized access through the Web browser interface, see “Controlling Web Browser Interface Access When Using RADIUS Authentication” on page 114.

Accounting. RADIUS accounting on the Series 2500 switches collects resource consumption data and forwards it to the RADIUS server.
Switch Operating Rules for RADIUS
■ You must have at least one RADIUS server accessible to the switch.
■ The switch supports authentication and accounting using up to three RADIUS servers. The switch accesses the servers in the order in which they are listed by the show radius command (page 121). If the first server does not respond, the switch tries the next one, and so on.
• If you need to replace the default UDP destination port (1812) the switch uses for authentication requests to a specific RADIUS server, select it before beginning the configuration process.
• If you need to replace the default UDP destination port (1813) the switch uses for accounting requests to a specific RADIUS server, select it before beginning the configuration process.
Outline of the Steps for Configuring RADIUS Authentication

There are three main steps to configuring RADIUS authentication:
1.
2. Configure RADIUS authentication for controlling access through one or more of the following:
   • Serial port
   • Telnet
   • SSH
   • Port-Access (802.
zero and then trying to log on again. As an alternative, you can reboot the switch (thus resetting the dead-time counter to assume the server is available) and then try to log on again.
• Number of Login Attempts: This is actually an aaa authentication command. It controls how many times in one session a RADIUS client (as well as clients using other forms of access) can try to log in with the correct username and password.
For example, suppose you have already configured local passwords on the switch, but want to use RADIUS to protect primary Telnet and SSH access without allowing a secondary Telnet or SSH access option (which would be the switch’s local passwords). The switch now allows Telnet and SSH authentication only through RADIUS.

Figure 42.
2. Configure the Switch To Access a RADIUS Server

This section describes how to configure the switch to interact with a RADIUS server for both authentication and accounting services. (If you want to configure RADIUS accounting on the switch, go to “Configuring RADIUS Accounting” on page 114 instead of continuing here.
For example, suppose you have configured the switch as shown in figure 43 and you now need to make the following changes:
1. Change the encryption key for the server at 10.33.18.127 to "source0127".
2. Add a RADIUS server with an IP address of 10.33.18.119 and a server-specific encryption key of "source0119".

Figure 43.
3. Configure the Switch’s Global RADIUS Parameters

You can configure the switch for the following global RADIUS parameters:
■ Number of login attempts: In a given session, specifies how many tries at entering the correct username and password pair are allowed before access is denied and the session terminated. (This is a general aaa authentication parameter and is not specific to RADIUS.
radius-server retransmit < 1 .. 5 >
If a RADIUS server fails to respond to an authentication request, specifies how many retries to attempt before closing the session. (Default: 3; Range: 1 - 5)

Note: Where the switch has multiple RADIUS servers configured to support authentication requests, if the first server fails to respond, then the switch tries the next server in the list, and so on.
After two attempts failing due to username or password entry errors, the switch will terminate the session.

Figure 46. (callouts: global RADIUS parameters from figure 45; server-specific encryption key for the RADIUS server that will not use the global encryption key; these two servers will use the global encryption key)
For local authentication, the switch uses the Operator-level and Manager-level username/password set(s) previously configured locally on the switch. (These are the usernames and passwords you can configure using the CLI password command, the Web browser interface, or the menu interface, which enables only local password configuration.)
RADIUS Accounting Commands

[no] aaa accounting update periodic < 1 ..
■ System accounting: Provides records containing the information listed below when system events occur on the switch, including system reset, system boot, and enabling or disabling of system accounting.
Outline of the Steps for Configuring RADIUS Accounting
1. Configure the switch for accessing a RADIUS server. You can configure a list of up to three RADIUS servers (one primary, two backup). The switch operates on the assumption that a server can operate in both accounting and authentication mode. (Refer to the documentation for your RADIUS server application.)
2.
3.
1. Configure the Switch To Access a RADIUS Server

Before you configure the actual accounting parameters, you should first configure the switch to use a RADIUS server. This is the same as the process described on page 109.
Because the radius-server command includes an acct-port element with a non-default value of 1750, the switch assigns this value to the accounting UDP port number. Because auth-port was not included in the command, the authentication UDP port is set to the default, 1812.

Figure 47.
Determine how you want the switch to send accounting data to a RADIUS server:
■ Start-Stop:
  • Send a start record accounting notice at the beginning of the accounting session and a stop record notice at the end of the session. Both notices include the latest data the switch has collected for the requested accounting type (Network, Exec, or System).
  • Do not wait for an acknowledgement.
■ Updates: In addition to using a Start-Stop or Stop-Only trigger, you can optionally configure the switch to send periodic accounting record updates to a RADIUS server.
■ Suppress: The switch can suppress accounting for an unknown user having no username.

Syntax: [no] aaa accounting update periodic < 1 .. 525600 >
Sets the accounting update period for all accounting sessions on the switch.
Figure 50. Example of General RADIUS Information from Show Radius Command

Figure 51.
Term: Round Trip Time
Definition: The time interval between the most recent Accounting-Response and the Accounting-Request that matched it from this RADIUS accounting server.

Term: PendingRequests
Definition: The number of RADIUS Accounting-Request packets sent to this server that have not yet timed out or received a response.
RADIUS Authentication

Syntax: show authentication
Displays the primary and secondary authentication methods configured for the Console, Telnet, Port-Access (802.1X), and SSH methods of accessing the switch. Also displays the number of access attempts currently allowed in a session.

show radius authentication
Displays NAS identifier and data on the configured RADIUS server and the switch’s interactions with this server.
RADIUS Accounting

Syntax: show accounting
Lists configured accounting interval, "Empty User" suppression status, accounting types, methods, and modes.

show radius accounting
Lists accounting statistics for the RADIUS server(s) configured in the switch (using the radius-server host command).

show accounting sessions
Lists the accounting sessions currently active on the switch.

Figure 54.
Changing RADIUS-Server Access Order

The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command. Also, when you add a new server IP address, it is placed in the highest empty position in the list. Adding or deleting a RADIUS server IP address leaves an empty position, but does not change the position of any other server addresses in the list.
Figure 58. Example of New RADIUS Server Search Order (callouts: removes the "003" and "001" addresses from the RADIUS server list; inserts the "003" address in the first position in the RADIUS server list, and inserts the "001" address in the last position in the list; shows the new order in which the switch searches for a RADIUS server)

Messages Related to RADIUS Operation

Message: Can’t reach RADIUS server < x.x.x.x >.
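As an added example that is not part of these release notes, the following Python models the list behaviour described above (fixed positions, a new address taking the highest empty position, a deletion leaving a gap) and reproduces the figure 58 reordering. The addresses are constructed, the starting order 001, 002, 003 is an assumption, and so is the rejection of an address that is already configured; the general reorder() function goes beyond the figure by computing the minimal remove/add sequence for any wanted order.

```python
MAX_RADIUS_SERVERS = 3  # the switch supports up to three RADIUS servers


class RadiusServerList:
    """Model of the switch's RADIUS server list as shown by 'show radius':
    fixed positions, a new address goes into the highest empty position,
    and removing an address leaves its position empty."""

    def __init__(self):
        self._slots = [None] * MAX_RADIUS_SERVERS

    def add(self, address):
        """radius-server host <address>; returns the 1-based position filled."""
        if address in self._slots:
            raise ValueError("%s is already configured" % address)  # assumed behaviour
        for i, slot in enumerate(self._slots):
            if slot is None:
                self._slots[i] = address
                return i + 1
        raise ValueError("all %d server positions are in use" % MAX_RADIUS_SERVERS)

    def remove(self, address):
        """no radius-server host <address>; other addresses keep their positions."""
        self._slots[self._slots.index(address)] = None

    def positions(self):
        """Raw positions, None marking an empty one."""
        return list(self._slots)

    def order(self):
        """The order in which the switch tries the servers (empty positions skipped)."""
        return [s for s in self._slots if s is not None]


def reorder(servers, wanted):
    """Reach a wanted search order using only add and remove (there is no move command):
    keep the leading positions that already hold the right address, remove everything
    else, then re-add the rest in the wanted order so each lands in the next empty slot."""
    slots = servers.positions()
    keep = 0
    while keep < min(len(wanted), len(slots)) and slots[keep] == wanted[keep]:
        keep += 1
    for address in slots[keep:]:
        if address is not None:
            servers.remove(address)
    for address in wanted[keep:]:
        servers.add(address)
    return servers.order()


def figure_58_sequence():
    """The steps behind figure 58, with constructed addresses standing in for the
    '001', '002' and '003' servers, assumed to start in that order."""
    servers = RadiusServerList()
    for address in ("10.33.18.1", "10.33.18.2", "10.33.18.3"):
        servers.add(address)
    servers.remove("10.33.18.3")  # positions 1 and 3 become empty,
    servers.remove("10.33.18.1")  # .2 stays in position 2
    servers.add("10.33.18.3")     # takes position 1, the highest empty one
    servers.add("10.33.18.1")     # takes position 3, the only one left
    return servers.order()


if __name__ == "__main__":
    print("new search order:", figure_58_sequence())
```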
Troubleshooting RADIUS Operation

Symptom: The switch does not receive a response to RADIUS authentication requests. In this case, the switch will attempt to
Possible Cause: There can be several reasons for not receiving a response to an authentication request.
IP Preserve: Retaining VLAN-1 IP Addressing Across Configuration File Downloads

IP Preserve enables you to copy a configuration file to multiple Series 2500 switches while retaining the individual IP address and subnet mask on VLAN 1 in each switch, and the Gateway IP address assigned to the switch.
For example, consider Figure 60:

Figure 60. (diagram: a DHCP server, a TFTP server holding config.txt, and a management station; the DHCP server supplies an IP address to VLAN 1; Switch 1, VLAN 1: 10.31.22.101 (manually configured); Switch 2, VLAN 1: 10.31.22.102 (manually configured); Switch 3, VLAN 1: 10.31.22.103 (manually configured); Switch 4, VLAN 1: DHCP)

Switches 1 through 3 copy and implement the config.
If you apply this configuration file to figure 60, switches 1 - 3 will still retain their manually assigned IP addressing. However, switch 4 will be configured with the IP addressing included in the file. Because switch 4 (figure 60) received its most recent IP addressing from a DHCP/Bootp server, the switch ignores the ip preserve command and implements the IP addressing included in this file.
Configuring Port-Based Priority for Incoming Packets

Feature                                                             | Default  | Menu | CLI      | Web
Assigning a priority level to traffic on the basis of incoming port | Disabled | n/a  | page 134 | n/a

When network congestion occurs, it is important to move traffic on the basis of relative importance.
Outbound Port Queues and Packet Priority Settings

Series 2500 switch ports use two outbound port queues, Normal and High. As described below, these two queues map to the eight priority settings specified in the 802.1p standard.

Table 8. Mapping Priority Settings to Device Queues 802.
Operating Rules for Port-Based Priority on Series 2500 Switches
■ In the switch’s default configuration, port-based priority is configured as "0" (zero) for inbound traffic on all ports.
■ On a given port, when port-based priority is configured as "0" (zero) or 1 - 7, an inbound, untagged packet adopts the specified priority and is sent to the corresponding outbound queue on the outbound port.
For example, suppose you wanted to configure ports 10 - 12 on the switch to prioritize all untagged, inbound VLAN traffic as "Low" (priority level = 1; refer to table 8 on page 133).

(callouts: configures port-based priority on ports 9 - 12 to "1" (Low) and saves the configuration changes to the startup-config file; ports 9 - 12 are now configured to assign a priority level of "1" (Low) to untagged, incoming traffic)
Using the "Kill" Command To Terminate Remote Sessions

Using the kill command, you can terminate remote management sessions. (Kill does not terminate a Console session on the serial port, either through a direct connection or via a modem.
Configuring Rapid Reconfiguration Spanning Tree (RSTP)

This section is related to the information on “Spanning Tree Protocol” in your Series 2500 Switches Management and Configuration Guide (5969-2354), but it primarily describes the new information associated with the new Spanning Tree standard, IEEE 802.1w (RSTP), which is supported by the F.04.08 release of your switch software.
The IEEE 802.1D version of Spanning Tree (STP) can take a fairly long time to resolve all the possible paths and to select the most efficient path through the network. The IEEE 802.1w Rapid Reconfiguration Spanning Tree (RSTP) significantly reduces the amount of time it takes to establish the network path. The result is reduced network downtime and improved network robustness.
Configuring RSTP

The default switch configuration has Spanning Tree disabled with RSTP as the selected protocol. That is, when Spanning Tree is enabled, RSTP is the version of Spanning Tree that is enabled, by default.
Figure 65. Example of the Spanning Tree Configuration Display

Enabling or Disabling RSTP. Issuing the command to enable Spanning Tree on the switch implements, by default, the RSTP version of Spanning Tree for all physical ports on the switch. Disabling Spanning Tree removes protection against redundant network paths.
Enhancements in Release F.04.08 Configuring Rapid Reconfiguration Spanning Tree (RSTP) Reconfiguring Whole-Switch Spanning Tree Values. You can configure one or more of the following parameters, which affect the Spanning Tree operation of the whole switch: Table 9. Whole-Switch RSTP Parameters Parameter Default Description protocol-version RSTP Identifies which of the Spanning Tree protocols will be used when Spanning Tree is enabled on the switch.
Note: Executing the spanning-tree command alone enables Spanning Tree. Executing the command with one or more of the whole-switch RSTP parameters shown in the table on the previous page, or with any of the per-port RSTP parameters shown in the table on page 144, does not enable Spanning Tree. It only configures the Spanning Tree parameters, regardless of whether Spanning Tree is actually running (enabled) on the switch.
Reconfiguring Per-Port Spanning Tree Values. You can configure one or more of the following parameters, which affect the Spanning Tree operation of the specified ports only:

Table 10. Per-Port RSTP Parameters

Parameter   Default   Description
edge-port   Yes       Identifies ports that are connected to end nodes. During Spanning Tree establishment, these ports transition immediately to the Forwarding state.

Syntax:
   spanning-tree [ethernet] <port-list>
      path-cost <1 - 200000000>
      point-to-point-mac
      priority <0 - 15>
   [no] spanning-tree [ethernet] <port-list>
      edge-port
      mcheck

Abbreviations:
   span <port-list>
      path <1 - 200000000>
      forc
      pri <0 - 15>
   [no] span <port-list>
      edge
      mch

Defaults: see the table on the previous page.
Menu: Configuring RSTP

1. From the console CLI prompt, enter the menu command.

   ProCurve Switch # menu

2. From the switch console Main Menu, select:
   2. Switch Configuration ...
      4. Spanning Tree Operation
3. Press [E] (for Edit) to highlight the Protocol Version parameter field.
4. Press the Space bar to select the version of Spanning Tree you wish to run: RSTP or STP.

7. Press the [Tab] key or use the arrow keys to go to the next parameter you want to change, then type in the new value or press the Space bar to select a value. (To get help on this screen, press [Enter] to select the Actions -> line, then press [H], for Help, to display the online help.)
8. Repeat step 6 for each additional parameter you want to change.
Enhancements in Release F.02.11

Enhancement: Fast-Uplink Spanning Tree Protocol (STP)                                  Page: below
Summary: Adds the fast-uplink spanning tree (STP) mode to spanning-tree operation. In an 802.1D STP environment with redundant links, an active link failure typically results in a convergence time of 30 seconds for a backup link to become the active, forwarding link. Fast-uplink STP reduces this time to approximately ten seconds.

Fast-Uplink Spanning Tree Protocol (STP)
To use fast-uplink STP on a Series 2500 switch, configure fast-uplink (Mode = Uplink) only on the switch's upstream ports (that is, two or more ports forming a group of redundant links in the direction of the STP root switch). If the active link in this group goes down, fast-uplink STP selects a different upstream port as the root port and resumes moving traffic in as little as ten seconds.

When single-instance spanning tree (STP) is running in a network and a forwarding port goes down, a blocked port typically requires a period of (2 x (forward delay) + link down detection) to transition to forwarding. In a normal spanning tree environment, this transition is usually 30 seconds (with the Forward Delay parameter set to its default of 15 seconds).

Operating Rules for Fast Uplink

■ A switch with ports configured for fast uplink must be an edge switch and not either an interior switch or the STP root switch. Configure fast-uplink on only the edge switch ports used for providing redundant STP uplink connections in a network. (Configuring Fast-Uplink STP on ports in interior switches can create network performance problems.)
Menu: Viewing and Configuring Fast-Uplink STP

You can use the menu to quickly display the entire STP configuration and to make any STP configuration changes.

To View and/or Configure Fast-Uplink STP. This procedure uses the Spanning Tree Operation screen to enable STP and to set the Mode for fast-uplink STP operation.

1. From the Main Menu select:
   2. Switch Configuration . . .
      4. Spanning Tree Operation
3. If the Protocol Version is set to RSTP (as shown in figure 70), do the following:
   a. Press [E] (Edit) to move the cursor to the Protocol Version field.
   b. Press the Space bar once to change the Protocol Version field to STP.
   c. Press [Enter] to return to the command line.
   d. Press [S] (for Save) to save the change and exit from the Spanning Tree Operation screen.
In this example, ports 2 and 3 have already been configured as a port trunk (Trk1), which appears at the end of the port listing. All ports (and the trunk) are in their default STP configuration. Note: Ports 10-14 do not appear in this simulation. In the actual menu screen, you must scroll the cursor down the port list to view the trunk configuration.

Figure 72. The Spanning Tree Operation Screen

STP is enabled. Port 1 and Trk1 are now configured for fast-uplink STP.

Figure 73. Example of STP Enabled with Two Redundant Links Configured for Fast-Uplink STP

5. Press [S] (for Save) to save the configuration changes to flash (non-volatile) memory.

To View Fast-Uplink STP Status. Continuing from figures 72 and 73 in the preceding procedure, this task uses the same screen that you would use to view STP status for other operating modes.

1. From the Main Menu, select:
   1. Status and Counters . . .
      7. Spanning Tree Information

Figure 74. (callout: the Root Port field indicates which uplink is the active path to the STP root device.) Note: A switch using fast-uplink STP must never be the STP root device.

In figure 75:
• Port 1 and Trk1 (trunk 1; formed from ports 2 and 3) are redundant fast-uplink STP links, with trunk 1 forwarding (the active link) and port 1 blocking (the backup link). (To view the configuration for port 1 and Trk1, see figure 73 on page 155.)
• If the link provided by trunk 1 fails (on both ports), then port 1 begins forwarding in fast-uplink STP mode.

Figure 77. (callouts: Trk1 (Trunk 1) provides the currently active path to the STP root device; the redundant STP link in the Blocking state; links to PC or workstation end nodes; the redundant STP link in the Forwarding state, which the Root Port field shows as the currently active path to the STP root device.)

Figure 78. Example of a Configuration Supporting the STP Topology Shown in Figure 76 (callouts: STP Enabled on the Switch; Fast-Uplink STP Configured on Port 1 and Trunk 1 (Trk1).)

Using the CLI To Configure Fast-Uplink STP. This example uses the CLI to configure the switch for the fast-uplink operation shown in figures 76, 77, and 78.
Syntax: spanning-tree e <port-list> mode uplink
   Enables STP on the switch and configures fast-uplink STP on the designated interfaces (port or trunk).

   HP2512(config)# spanning-tree e 1,trk1 mode uplink

Operating Notes

Effect of Reboots on Fast-Uplink STP Operation. When configured, fast-uplink STP operates on the designated ports in a running Series 2500 switch.
Fast-Uplink Troubleshooting

Some of the problems that can result from incorrect usage of Fast-Uplink STP include temporary loops and generation of duplicate packets. Problem sources can include:
■ Fast-Uplink is configured on a switch that is the STP root device.
■ Either the Hello Time or the Max Age setting (or both) is too long on one or more switches.
The Show Tech Command for Listing Switch Configuration and Operating Details

The show tech command provides a tool for gathering information to help with troubleshooting.

1. In HyperTerminal, click on Transfer | Capture Text...

   Figure 80. The Capture Text Window of the HyperTerminal Application Used with Microsoft Windows Software

2. In the File field, enter the path and file name under which you want to store the show tech output.

   Figure 81. Example of a Path and Filename for Creating a Text File from show tech Output
Enhancements in Release F.02.02

Documentation for Enhancements in Release F.02.02

Software release F.02.02 contains these enhancements:

Enhancement: TACACS+
Summary: TACACS+ authentication enables you to use a central server to allow or deny access to Series 2500 switches (and other TACACS-aware devices) in your network.
TACACS+ Authentication for Centralized Control of Switch Access Security

With authentication configured on the switch and TACACS+ configured and operating on a server in your network, an attempt to log on through Telnet or the switch's serial port will be passed to the TACACS+ server for verification before permission is granted.

Terminology Used in TACACS Applications:
■ NAS (Network Access Server): This is an industry term for a TACACS-aware device that communicates with a TACACS server for authentication services. Some other terms you may see in literature describing TACACS operation are communication server, remote access server, or terminal server.

General System Requirements

To use TACACS+ authentication, you need the following:
■ Release F.02.02 or later software running on your Series 2500 switch. Ensure that software release F.02.02 or later is running on your switch. Use any of the following methods to view the current software version:
   CLI: HP2512> show version
   Menu Interface: From the Main Menu, click on 1. Status and Counters . . . 1.

TACACS+ Operation

TACACS+ in Series 2500 switches manages authentication of logon attempts through either the Console port or Telnet. For both Console and Telnet you can configure a login (read-only) and an enable (read/write) privilege level access.
2. Ensure that the switch is configured to operate on your network and can communicate with your first-choice TACACS+ server. (At a minimum, this requires IP addressing and a successful ping test from the switch to the server.)
3. Determine the following:
   ■ The IP address(es) of the TACACS+ server(s) you want the switch to use for authentication.

Caution: You should ensure that the switch has a local Manager password. Otherwise, if authentication through a TACACS+ server fails for any reason, then unauthorized access will be available through the console port or Telnet.

6. Using a terminal device connected to the switch's console port, configure the switch for TACACS+ authentication only for telnet login access and telnet enable access.
Configuring TACACS+ on the Switch

The switch offers three command areas for TACACS+ operation:
■ show authentication and show tacacs: Displays the switch's TACACS+ configuration and status.

Viewing the Switch's Current Authentication Configuration

This command lists the number of login attempts the switch allows in a single login session, and the primary/secondary access methods configured for each type of access.

Syntax: show authentication

This example shows the default authentication configuration.

Configuring the Switch's Authentication Methods

The aaa authentication command configures the access control for console port and Telnet access to the switch.
Table 13. Primary/Secondary Authentication Table

Access Method and Privilege Level: Console - Login, Console - Enable, Telnet - Login, Telnet - Enable (the same primary/secondary options apply to each)

Authentication Options        Effect on Access Attempts
Primary    Secondary
local      none*              Local username/password access only.
tacacs     local              If the TACACS+ server is unavailable, uses local username/password access.
For example, here is a set of access options and the corresponding commands to configure them:

Console Login (Operator, or Read-Only) Access: Primary using TACACS+ server. Secondary using Local.

   HP2512(config)# aaa authentication console login tacacs local

Console Enable (Manager, or Read/Write) Access: Primary using TACACS+ server.
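The Caution above and Table 13 describe a fail-open case: with a TACACS+ primary and a local secondary, an unreachable server drops the switch back to local passwords, and if no local Manager password exists nothing gates the session. The following is an added example (not code from the release notes) that parses aaa authentication lines in the command form shown above and reports, per access level, what decides a login with the server reachable and with it down; it assumes that levels not named in the configuration sit at the first row of Table 13 (local primary, no secondary) and that a secondary of none with an unreachable TACACS+ primary leaves no usable method.

```python
"""Audit the TACACS+ fail-open case: which check gates each access level when
the TACACS+ server is reachable and when it is not."""

from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

ACCESS_LEVELS = ("console login", "console enable", "telnet login", "telnet enable")


@dataclass(frozen=True)
class AuthMethods:
    primary: str    # "local" or "tacacs"
    secondary: str  # "local" or "none"


def parse_aaa_lines(lines: Iterable[str]) -> Dict[str, AuthMethods]:
    """Read 'aaa authentication <console|telnet> <login|enable> <primary> [<secondary>]'.
    Levels not mentioned keep the assumed default: local primary, no secondary."""
    cfg = {level: AuthMethods("local", "none") for level in ACCESS_LEVELS}
    for raw in lines:
        tok = raw.strip().split()
        if tok[:2] != ["aaa", "authentication"] or len(tok) < 5:
            continue  # not an authentication line, or incomplete: leave the default
        level = f"{tok[2]} {tok[3]}"
        if level in cfg:
            cfg[level] = AuthMethods(tok[4], tok[5] if len(tok) > 5 else "none")
    return cfg


def outcome(m: AuthMethods, tacacs_reachable: bool, local_password_set: bool) -> str:
    """Which check decides the session: 'tacacs', 'local', 'open' (no password
    asked at all) or 'denied' (no method left)."""
    if m.primary == "tacacs" and tacacs_reachable:
        return "tacacs"
    if m.primary == "local" or m.secondary == "local":
        # Falling back to local access only protects anything if a local password exists.
        return "local" if local_password_set else "open"
    return "denied"  # assumption: 'tacacs none' with the server down fails closed


def audit(cfg: Dict[str, AuthMethods], local_password_set: bool) -> Dict[str, Tuple[str, str]]:
    """Per access level: (outcome with server reachable, outcome with server down)."""
    return {level: (outcome(m, True, local_password_set), outcome(m, False, local_password_set))
            for level, m in cfg.items()}


def fail_open_levels(cfg: Dict[str, AuthMethods], local_password_set: bool) -> List[str]:
    """Access levels that need no password at all once the TACACS+ server is unreachable."""
    return sorted(level for level, (_, down) in audit(cfg, local_password_set).items()
                  if down == "open")


# Constructed running-config excerpt. The first three aaa lines match the CLI
# example above; 'tacacs none' on the fourth is an assumed fail-closed pairing.
SAMPLE_CONFIG = """\
hostname "HP2512"
aaa authentication console login tacacs local
aaa authentication console enable tacacs local
aaa authentication telnet login tacacs local
aaa authentication telnet enable tacacs none
tacacs-server host 10.28.227.15
""".splitlines()

if __name__ == "__main__":
    cfg = parse_aaa_lines(SAMPLE_CONFIG)
    for pw in (False, True):
        print(f"local Manager password set: {pw}")
        for level, (up, down) in audit(cfg, pw).items():
            print(f"  {level:15} server up: {up:7} server down: {down}")
        print("  fail-open levels:", fail_open_levels(cfg, pw))
```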
Configuring the Switch's TACACS+ Server Access

The tacacs-server command configures these parameters:
■ The host IP address(es) for up to three TACACS+ servers; one first-choice and up to two backups. Designating backup servers provides for a continuation of authentication services in case the switch is unable to contact the first-choice server.
■ An optional encryption key.

Name                                Default   Range
host <ip-addr> [key <key-string>]   none      n/a
   Specifies the IP address of a device running a TACACS+ server application. Optionally, can also specify the unique, per-server encryption key to use when each assigned server has its own, unique key.
Adding, Removing, or Changing the Priority of a TACACS+ Server. Suppose that the switch was already configured to use TACACS+ servers at 10.28.227.10 and 10.28.227.15. In this case, 10.28.227.15 was entered first, and so is listed as the first-choice server:

Figure 85. (callout: First-Choice TACACS+ Server)

To configure westside as a global encryption key:

   HP2512(config)# tacacs-server key westside

To configure westside as a per-server encryption key:

   HP2512(config)# tacacs-server host 10.28.227.63 key westside

An encryption key can contain up to 100 characters, without spaces, and is likely to be case-sensitive in most TACACS+ server applications.
How Authentication Operates

General Authentication Process Using a TACACS+ Server

Authentication through a TACACS+ server operates generally as described below. For specific operating details, refer to the documentation you received with your TACACS+ server application.

• If the username/password pair received from the requesting terminal matches a username/password pair previously stored in the server, then the server passes access permission through the switch to the terminal.
• If the username/password pair entered at the requesting terminal does not match a username/password pair previously stored in the server, access is denied.

Using the Encryption Key

General Operation

When used, the encryption key (sometimes termed "key", "secret key", or "secret") helps to prevent unauthorized intruders on the network from reading username and password information in TACACS+ packets moving between the switch and a TACACS+ server.

For example, you would use the next command to configure a global encryption key in the switch to match a key entered as north40campus in two target TACACS+ servers. (That is, both servers use the same key for your switch.)
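The text above says the key keeps usernames and passwords in TACACS+ packets from being read off the network; the following added example (not code from the release notes or the switch firmware) shows the mechanism behind that statement by implementing the body obfuscation defined in RFC 8907 section 4.5, an MD5-derived pseudo-pad keyed by the shared secret and XORed over the packet body. The key north40campus is the one from the text; the session id, username, port and address fields of the authentication START body are constructed sample values.

```python
"""TACACS+ body obfuscation (RFC 8907 section 4.5): what the shared key does
to the credentials on the wire, and why the switch and server must agree on it."""

import hashlib
import struct

TAC_PLUS_VERSION = 0xC0  # major version 0xC, minor 0, packed into one byte as RFC 8907 does


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate, truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad. XOR is its own inverse, so the same call
    with the same key, session id and sequence number de-obfuscates."""
    pad = pseudo_pad(session_id, key, TAC_PLUS_VERSION, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, data: bytes = b"") -> bytes:
    """Authentication START body (RFC 8907 section 5.1): action=LOGIN(1), priv_lvl=1,
    authen_type=ASCII(1), authen_service=LOGIN(1), four length bytes, then the fields."""
    return (bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data)])
            + user + port + rem_addr + data)


def credentials_readable(packet_body: bytes, username: bytes) -> bool:
    """True when the username can be read straight out of the body, which is the
    exposure the key exists to prevent."""
    return username in packet_body


SESSION_ID = 0x1A2B3C4D   # constructed
USERNAME = b"netadmin"    # constructed
KEY = b"north40campus"    # the key used in the text above
BODY = authen_start_body(USERNAME, b"console", b"10.28.227.63")  # constructed fields


def demo():
    """Returns (body with no key, body as sent with the key, what the server
    recovers with the right key, what a holder of a different key recovers)."""
    on_wire = obfuscate(BODY, SESSION_ID, KEY, seq_no=1)
    return (BODY, on_wire,
            obfuscate(on_wire, SESSION_ID, KEY, seq_no=1),
            obfuscate(on_wire, SESSION_ID, b"westside", seq_no=1))


if __name__ == "__main__":
    plain, wire, back, wrong = demo()
    print("no key configured, username readable:", credentials_readable(plain, USERNAME))
    print("key configured, username readable:   ", credentials_readable(wire, USERNAME))
    print("server with matching key recovers body:", back == plain)
    print("server with different key recovers body:", wrong == plain)
```

RFC 8907 itself calls this obfuscation rather than encryption and notes that it offers no integrity protection, so configuring the key is a minimum measure and management traffic still belongs on a protected network.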
Messages

The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application. For information on such messages, refer to the documentation you received with the application.

Table 14.

Troubleshooting TACACS+ Operation

All Users Are Locked Out of Access to the Switch. If the switch is functioning properly, but no username/password pairs result in console or Telnet access to the switch, the problem may be due to how the TACACS+ server and/or the switch are configured.

■ The time quota for the account has been exhausted.
■ The time credit for the account has expired.
■ The access attempt is outside of the timeframe allowed for the account.
■ The allowed number of concurrent logins for the account has been exceeded.
For more help, refer to the documentation provided with your TACACS+ server application.

Unknown Users Allowed to Login to the Switch.
CDP (Updated by Software Version F.05.50)

Software version F.02.02 for the Series 2500 switches implemented CDP-v1 (Cisco Discovery Protocol, version 1) to help discover devices in a network. Software version F.05.50 and beyond updates this network discovery method to the industry standard Link Layer Discovery Protocol (LLDP).
New Time Synchronization Protocol Options

TimeP Time Synchronization

You can either manually assign the switch to use a TimeP server or use DHCP to assign the TimeP server. In either case, the switch can get its time synchronization updates from only one, designated TimeP server. This option enhances security by specifying which time server to use.

   • TimeP: DHCP or Manual
3. Configure the remaining parameters for the time protocol you selected. The switch retains the parameter settings for both time protocols even if you change from one protocol to the other. Thus, if you select a time protocol, the switch uses the parameters you last configured for the selected protocol.
Table 15. SNTP Parameters

SNTP Parameter     Operation
Time Sync Method   Used to select either SNTP, TIMEP, or None as the time synchronization method.
SNTP Mode
   Disabled        The default. SNTP does not operate, even if specified by the Menu interface Time Sync Method parameter or the CLI timesync command.
   Unicast         Directs the switch to poll a specific server for SNTP time synchronization. Requires at least one server address.
Figure 88. The System Information Screen (Default Values) (callout: Time Protocol Selection Parameter: TIMEP, SNTP, or None)

2. Press [E] (for Edit). The cursor moves to the System Name field.
3. Use [v] to move the cursor to the Time Sync Method field.
4. Use the Space bar to select SNTP, then press [v] once to display and move to the SNTP Mode field.

   Note: This step replaces any previously configured server IP address. If you will be using backup SNTP servers (requires use of the CLI), then see "SNTP Unicast Time Polling with Multiple SNTP Servers" on page 205.
   iii. Press [v] to move the cursor to the Server Version field. Enter the value that matches the SNTP server version running on the device you specified in the preceding step (step ii).
Viewing the Current SNTP Configuration

This command lists both the time synchronization method (TimeP, SNTP, or None) and the SNTP configuration, even if SNTP is not the selected time protocol.

Syntax: show sntp

For example, if you configured the switch with SNTP as the time synchronization method, then enabled SNTP in broadcast mode with the default poll interval, show sntp lists the following:

Figure 89.

Enabling SNTP in Broadcast Mode. Because the switch provides an SNTP polling interval (default: 720 seconds), you need only these two commands for minimal SNTP broadcast configuration:

Syntax:
   timesync sntp       Selects SNTP as the time synchronization method.
   sntp broadcast      Configures Broadcast as the SNTP mode.

Syntax:
   timesync sntp                      Selects SNTP as the time synchronization method.
   sntp unicast                       Configures the SNTP mode for Unicast operation.
   sntp server <ip-addr> [version]    Specifies the SNTP server. The default server version is 3.
   no sntp server <ip-addr>           Deletes the specified SNTP server.

Note: Deleting an SNTP server when only one is configured disables SNTP unicast operation.
Figure 93. Example of Specifying the SNTP Protocol Version Number (callouts: deletes the unicast SNTP server entry; re-enters the unicast server with a non-default protocol version; show sntp displays the result)

Changing the SNTP Poll Interval. This command lets you specify how long the switch waits between time polling intervals. The default is 720 seconds and the range is 30 to 720 seconds.

Disabling the SNTP Mode. If you want to prevent SNTP from being used even if selected by timesync (or the Menu interface's Time Sync Method parameter), configure the SNTP mode as disabled.

Syntax: no sntp
   Disables SNTP by changing the SNTP mode configuration to Disabled.

For example, if the switch is running SNTP in Unicast mode with an SNTP server at 10.28.227.
Table 16. TimeP Parameters

TimeP Parameter    Operation
Time Sync Method   Used to select either TIMEP (the default), SNTP, or None as the time synchronization method.
TimeP Mode
   Disabled        The default. TimeP does not operate, even if specified by the Menu interface Time Sync Method parameter or the CLI timesync command.

Figure 96. The System Information Screen (Default Values) (callout: Time Protocol Selection Parameter: TIMEP (the default), SNTP, or None)

2. Press [E] (for Edit). The cursor moves to the System Name field.
3. Use [v] to move the cursor to the Time Sync Method field.
4. If TIMEP is not already selected, use the Space bar to select TIMEP, then press [v] once to display and move to the TimeP Mode field.

   iii. Press [>] to move the cursor to the Poll Interval field, then go to step 6.
6. In the Poll Interval field, enter the time in minutes that you want for a TimeP Poll Interval. Press [Enter] to return to the Actions line, then [S] (for Save) to enter the new time protocol configuration in both the startup-config and running-config files.
If SNTP is the selected time synchronization method, show timep still lists the TimeP configuration even though it is not currently in use:

Figure 98. (callout: even though, in this example, SNTP is the current time synchronization method, the switch maintains the TimeP configuration.)
For example, suppose:
■ Time synchronization is configured for SNTP.
■ You want to:
   1. View the current time synchronization.
   2. Select TimeP as the time synchronization mode.
   3. Enable TimeP for DHCP mode.
   4. View the TimeP configuration.

The commands and output would appear as follows:
1. show timep displays the TimeP configuration and also shows that SNTP is the currently active time synchronization mode.

   HP2512(config)# timesync timep                   Selects TimeP.
   HP2512(config)# ip timep manual 10.28.227.141    Activates TimeP in Manual mode.

Figure 100. Example of Configuring TimeP for Manual Operation

Changing the TimeP Poll Interval. This command lets you specify how long the switch waits between time polling intervals. The default is 720 minutes and the range is 1 to 9999 minutes.

Disabling the TimeP Mode. Disabling the TimeP mode means to configure it as disabled. (Disabling TimeP prevents the switch from using it as the time synchronization protocol, even if it is the selected Time Sync Method option.)

Syntax: no ip timep
   Disables TimeP by changing the TimeP mode configuration to Disabled.
Adding and Deleting SNTP Server Addresses

Adding Addresses. As mentioned earlier, you can configure one SNTP server address using either the Menu interface or the CLI. To configure a second and third address, you must use the CLI. For example, suppose you have already configured the primary address in the above table (10.28.227.141).

Menu Interface Operation with Multiple SNTP Server Addresses Configured

When you use the Menu interface to configure an SNTP server IP address, the new address writes over the current primary address, if one is configured. If there are multiple addresses configured, the switch re-orders the addresses according to the criteria described under "Address Prioritization" on page 205.
Operation and Enhancements for Multimedia Traffic Control (IGMP)

How Data-Driven IGMP Operates

The information in this section supplements the information provided under "Multimedia Traffic Control with IP Multicast (IGMP)" beginning on page 9-91 in the Management and Configuration Guide included with your Series 2500 switch and also available at http://www.procurve.com.

multicast packets to ports from which a join request for that group has not been received. (If the switch or router has not received any join requests for a given multicast group, it drops the traffic it receives for that group.)

IGMP Function Available With IP Addressing | Available Without IP Addressing? | Operating Differences Without an IP Address Configured on the VLAN
Drop multicast group traffic for which there have been no join requests from IGMP clients connected to ports on the VLAN. | Yes | None
Forward multicast group traffic to any port on the VLAN that has received a join request for that multicast group. | |

unnecessary multicast traffic from that group to the former IGMP client. This improves performance by reducing the amount of multicast traffic going through the port to the IGMP client after the client leaves a multicast group. IGMP in the Series 2500 switches automatically uses this Fast-Leave feature.

Automatic Fast-Leave Operation. If a Series 2500 switch port is:
   a. Connected to only one end node
For example:

Figure 106. Listing the Forced Fast-Leave State for Ports in an HP2512 Switch (callout: in this example, the 2 at the end of each port listing shows that Forced Fast-Leave is disabled on all ports in the switch)

To list the Forced Fast-Leave state for a single port.

Syntax: getmib hpSwitchIgmpPortForcedLeaveState.1.<port-number>
   or   getmib 1.3.6.1.4.1.11.2.14.11.5.1.7.1.15.3.1.5.1.<port-number>

CLI: Configuring Per-Port Forced Fast-Leave IGMP

In the factory-default configuration, Forced Fast-Leave is disabled for all ports on the switch. To enable (or disable) this feature on individual ports, use the switch's MIB commands, as shown below.

Syntax: setmib hpSwitchIgmpPortForcedLeaveState.1.<port-number> -i < 1 | 2 >
   or   setmib 1.3.6.1.4.1.11.2.14.11.5.1.7.1.15.3.1.5.1.<port-number> -i < 1 | 2 >
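Because Forced Fast-Leave is set and read through a raw MIB object rather than a configuration command, its state is easy to lose track of across a switch; the following added example (not code from the release notes) parses constructed getmib output for hpSwitchIgmpPortForcedLeaveState.1.<port> (also in the numeric form 1.3.6.1.4.1.11.2.14.11.5.1.7.1.15.3.1.5.1.<port> given above) and produces the setmib commands that move listed ports to a wanted state. The exact "object.index = value" layout of getmib output is an assumption; the value meanings follow the Figure 106 callout (2 = disabled) and the < 1 | 2 > range of setmib (so 1 = enabled).

```python
"""Audit and plan changes to the per-port Forced Fast-Leave IGMP state via the
hpSwitchIgmpPortForcedLeaveState MIB object."""

import re
from typing import Dict, List

FORCED_LEAVE_NAME = "hpSwitchIgmpPortForcedLeaveState.1"
FORCED_LEAVE_OID = "1.3.6.1.4.1.11.2.14.11.5.1.7.1.15.3.1.5.1"
ENABLED, DISABLED = 1, 2  # 2 = disabled per the Figure 106 callout; 1 is the other allowed value

# Assumed getmib line layout: "<object-name-or-oid>.<port> = <value>"
_LINE = re.compile(
    r"^\s*(?:" + re.escape(FORCED_LEAVE_NAME) + "|" + re.escape(FORCED_LEAVE_OID) + r")"
    r"\.(\d+)\s*=\s*(\d+)\s*$"
)


def parse_getmib(output: str) -> Dict[int, int]:
    """Map port number -> current Forced Fast-Leave state; lines for other
    objects, or in an unexpected layout, are ignored."""
    states: Dict[int, int] = {}
    for line in output.splitlines():
        m = _LINE.match(line)
        if m:
            states[int(m.group(1))] = int(m.group(2))
    return states


def ports_in_state(states: Dict[int, int], state: int) -> List[int]:
    """Ports currently reporting the given state, in ascending order."""
    return sorted(port for port, value in states.items() if value == state)


def setmib_commands(states: Dict[int, int], wanted: Dict[int, int]) -> List[str]:
    """One setmib per port whose known state differs from the wanted one; ports
    already in the wanted state produce no command, unknown ports always do."""
    cmds: List[str] = []
    for port in sorted(wanted):
        if wanted[port] not in (ENABLED, DISABLED):
            raise ValueError(f"port {port}: state must be 1 (enabled) or 2 (disabled)")
        if states.get(port) != wanted[port]:
            cmds.append(f"setmib {FORCED_LEAVE_NAME}.{port} -i {wanted[port]}")
    return cmds


# Constructed getmib output: port 3 already enabled, port 4 reported in numeric
# OID form, the remaining ports at the factory default (disabled).
SAMPLE_GETMIB = """\
hpSwitchIgmpPortForcedLeaveState.1.1 = 2
hpSwitchIgmpPortForcedLeaveState.1.2 = 2
hpSwitchIgmpPortForcedLeaveState.1.3 = 1
1.3.6.1.4.1.11.2.14.11.5.1.7.1.15.3.1.5.1.4 = 2
hpSwitchIgmpPortForcedLeaveState.1.5 = 2
"""

if __name__ == "__main__":
    current = parse_getmib(SAMPLE_GETMIB)
    print("Forced Fast-Leave disabled on ports:", ports_in_state(current, DISABLED))
    # Constructed intent: enable it on ports 1, 3 and 4 (port 3 needs no change).
    for cmd in setmib_commands(current, {1: ENABLED, 3: ENABLED, 4: ENABLED}):
        print(cmd)
```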
Querier Operation

The function of the IGMP Querier is to poll other IGMP-enabled devices in an IGMP-enabled VLAN to elicit group membership information. The switch performs this function if there is no other device in the VLAN, such as a multicast router, to act as Querier.

The Switch Excludes Well-Known or Reserved Multicast Addresses from IP Multicast Filtering

Each multicast host group is identified by a single IP address in the range of 224.0.0.0 through 239.255.255.255. Specific groups of consecutive addresses in this range are termed "well-known" addresses and are reserved for predefined host groups.
Enhancements in Release F.02.02 Port Security: Changes to Retaining Learned Static Addresses Across a Reboot Port Security: Changes to Retaining Learned Static Addresses Across a Reboot Recommended Port Security Procedures ■ Before configuring port security, use the switch’s TFTP features to save a copy of the configuration.
Enhancements in Release F.02.02 Port Security: Changes to Retaining Learned Static Addresses Across a Reboot To remove an address learned using either of the preceding methods, do one of the following: ■ • Delete the address by using the no port-security mac-address command. • Download a previously saved configuration file that does not include the unwanted MAC address assignment. • Reset the switch to its factory-default configuration.
Username Assignment and Prompt
Prior to release F.02.02, assigning a manager or operator username to the switch required you to use the Web browser interface. Also, only the Web browser interface required you to enter a username at logon if one was configured for the privilege level you were accessing. Beginning with release F.02.
Updates and Corrections for the Management and Configuration Guide
This section lists updates to the Management and Configuration Guide (p/n 5969-2354; August 2000).
Changes in Commands for Viewing the Current Configuration Files . . . page 220
Change in CLI Command for Listing Intrusion Alerts . . . page 221
Changes for Listing Port and Trunk Group Statistics . . .
• Running configuration has been changed and needs to be saved.
This message indicates that the two configurations are different.
Change in CLI Command for Listing Intrusion Alerts
With port security configured, the switch formerly used show interfaces to display a port status listing that includes intrusion alerts (as described on page 7-28 in the manual).
This change affects the following commands:
Interface Commands: broadcast-limit, disable, enable, flow-control, lacp, monitor, speed-duplex, unknown-vlans
VLAN Commands: forbid, tagged, untagged
Restoring the Factory-Default Configuration, Including Usernames and Passwords
Page 11-20 in the Management and Configuration Guide incorrectly implies that the erase startup-config command clears passwords.
GVRP Does Not Require a Common VLAN
Delete the note at the top of page 9-78 in the Management and Configuration Guide. GVRP does not require a common VLAN (VID) connecting all of the GVRP-aware devices in the network to carry GVRP packets.
Note
Duplicate MAC addresses are likely to occur in VLAN environments where XNS and DECnet are used. For this reason, using VLANs in XNS and DECnet environments is not currently supported.
On page 11-10 of the Management and Configuration Guide, under "Duplicate MAC Addresses Across VLANs", the text suggests that duplicate MAC addresses on separate VLANs can cause VLAN operating problems.
Also on page 9-54, add the following item to the bulleted list:
■ When TimeP is enabled and configured for DHCP operation, the switch learns of TimeP servers from DHCP and Bootp packets received on the primary VLAN.
Misleading Statement About VLANs
On page 9-56 in the Management and Configuration Guide, the last sentence in item 1 implies that by default the switch is configured for eight VLANs.
Software Fixes
Release F.01.07 was the first software release for the ProCurve Series 2500 switches.
Release F.01.08 . . . 233
Release F.01.09 (Beta Release Only) . . . 233
Release F.01.10 . . .
Release F.05.19 (Never Released) . . . 251
Release F.05.20 (Never Released) . . . 251
Release F.05.21 (Never Released) . . . 252
Release F.05.22 . . .
Release F.05.64 (Never Released) . . . 257
Release F.05.65 (Not a Public Release) . . . 257
Release F.05.66 (Never Released) . . . 257
Release F.05.67 (Not a Public Release) . . .
Release F.01.08
Fixed in release F.01.08:
■ 100/1000-T transceiver — When using this 100/1000-T transceiver and negotiating to 100 Mbps, the port may report that it is operating at 100 full duplex when it is actually operating at 100 half duplex.
■ Web-Browser Interface — The product label in the Web-browser display for the Switch 2512 is incorrectly displayed as Switch 2524.
Release F.01.09 (Beta Release Only)
Fixed in release F.01.
Note
The startup-config file saved under version F.02.02 is NOT backward-compatible with previous software versions. HP recommends that you save a copy of the pre-02.02 startup-config file BEFORE UPGRADING to F.02.02 or greater, in case there is ever a need to revert back to pre-02.02 software.
■ LACP — Resolves several issues with LACP, including: conversation on a trunk may momentarily fail if a trunk member port goes down, difficulty accessing the MIB, configuration issues, port priority issues, problems with dynamic negotiation, and switch crashes with messages similar to:
-> Software Exception at woody_dev.c: 450 in AdMgrCtrl
-> ppmgr_setDefaultPriority: invalid port number
and
-> Software exception at woody_pktDriver.
Release F.02.04 (Beta Release Only)
The switch's CDP packets have been modified to better interoperate with older Cisco IOS versions. Certain legal CDP packets sent from the ProCurve switch could cause Cisco routers running older IOS versions to crash.
Note
The ProCurve switch's CDP packets are legal both before and after this modification.
Fixed in release F.02.04:
■ Buffer Leak — A message buffer leak occurs when the switch receives a TACACS+ 'DISC' character.
■ IGMP — If there are several IGMP groups in several VLANs, and the switch is acting as Querier, the switch may stop sending IGMP Queries on some of its VLANs.
■ IGMP — All Querier intervals on the switch will be cut in half if IGMP, after already being enabled, is disabled and then re-enabled.
■ IGMP — The switch does not fully support 256 IGMP groups, as intended. For example, with 15 VLANs and 40 IGMP groups, the 40th group gets flooded.
Note
Contact your local Customer Care Center before activating this feature to receive proper configuration instructions. Failure to configure this feature properly will result in unexpected connectivity problems.
Release F.02.06 (Beta Release Only)
Textual modifications made to the Isolated Port Groups feature.
Release F.02.
■ XRMON — Various XRMON counters display incorrect values. Possible symptoms include network management applications reporting too high a network utilization (TopTools may report "crossed octets").
Release F.02.08 (Beta Release Only)
Fixed in F.02.08:
■ Crash — If a transceiver is repeatedly installed and removed, the switch may crash with a message similar to:
-> Software exception at woodyDma_recv.c:154 -- in 'eDrvPoll'
Release F.02.09
Fixed in F.02.
Release F.02.12
Fixed in release F.02.12:
■ Monitoring Port — When a config file containing a Monitoring Port configuration is loaded onto the switch via TFTP or XModem, the Monitoring Port feature does not work properly.
Release F.02.13
Fixed in release F.02.13:
■ Monitoring Port — Monitoring Port configuration changes made within a particular switch interface (e.g., the Web-browser interface) are not correctly displayed within the other switch interfaces (e.g., the CLI and Menu).
Release F.04.
■ Port Configuration — Changing a port setting from one Auto mode to another may not be reflected in Auto-negotiation's advertised capability without a switch reset or module hot-swap.
■ Port Monitoring — Port monitoring does not work correctly after a TFTP transfer of the configuration from the switch to the server and then back to the switch.
■ Stack Management — The Master switch was not properly making security checks when passing information along to a member switch.
Release F.04.08
Fixed in release F.04.08:
Modification of Lab troubleshooting commands.
Release F.04.09 (Beta Release Only)
Fixed in release F.04.09:
■ Agent Hang — Agent processes (such as console, telnet, STP, ping, etc.) may stop functioning when the IGMP querier function is disabled, and then re-enabled, on a VLAN that does not have an IP address configured.
■ Agent Hang — Agent processes (such as console, telnet, STP, ping, etc.) may stop functioning.
Note
The startup-config file saved under version F.05.05, or later, is NOT backward-compatible with previous software versions. The user is advised to save a copy of the pre-05.05 startup-config file BEFORE UPGRADING to F.05.05 or greater, in case there is ever a need to revert back to pre-05.05 software.
■ Crash — If dynamic trunks are configured and the switch is rebooted, the switch may crash with a message similar to:
-> Software exception at rstp_dyn_reconfit.c:243 in -- 'Lpmgr'
■ Crash — The "show config" CLI command may cause the switch to crash with a message similar to:
-> Software exception "xlate.c:1358 in 'mSess1'
■ Crash — When hot-swapping transceivers multiple times, the switch may crash with a message similar to:
-> Software exception at port_sm.
■ Link-up polling interval — A delay of up to 1.7 seconds between plugging in a cable (linkbeat established) and traffic being forwarded to and from that port may cause problems with some time-sensitive applications. For example, AppleTalk dynamic address negotiation can be affected, resulting in multiple devices using the same AppleTalk address.
■ Loop/VTP — The switch will incorrectly forward VTP packets from third-party devices if the packet is received on a blocked port.
■ STP/Startup-Config — When a startup-config file that was saved from the switch and contains an 802.1D STP configuration is reloaded, an error similar to the following occurs:
Line: 13. Invalid input: stp802.1d
Corrupted download file.
■ TACACS+ — When logging into the switch via TACACS+ encrypted authentication, the packet header has the 'encryption' field set to 'TAC_PLUS_CLEAR' when the body of the packet is actually encrypted.
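The TACACS+ item above describes a header flag that disagrees with the body it describes. The following Python script is an added illustration, not code from these release notes or from the ProCurve software: it implements the RFC 8907 body obfuscation (chained MD5 pseudo-pad) and a receiver-side check that does not trust the TAC_PLUS_UNENCRYPTED_FLAG bit (the 'TAC_PLUS_CLEAR' field named in the fix) on its own, but validates the body under both interpretations and reports a mis-flagged packet. The shared key, session id, user name and port are constructed sample values.

```python
"""TACACS+ header/body consistency check (added example, not ProCurve code)."""
import hashlib
import struct

TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # header flag bit; 'TAC_PLUS_CLEAR' in older tac_plus sources
TAC_PLUS_AUTHEN = 0x01              # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01        # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
VERSION_DEFAULT = 0xC0              # major version 0xC, minor version 0
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 pseudo-pad: MD5 chain over session_id, key, version, seq_no."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; the operation is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, data: bytes = b"") -> bytes:
    """Authentication START body (RFC 8907 section 5.1): 8 fixed bytes then variable fields."""
    fixed = bytes([TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII, 1,
                   len(user), len(port), len(rem_addr), len(data)])
    return fixed + user + port + rem_addr + data


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1,
                 flags: int = 0, version: int = VERSION_DEFAULT) -> bytes:
    """Build a packet as a correct client would: obfuscate unless the unencrypted flag is set."""
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body)) + body


def looks_like_authen_start(body: bytes) -> bool:
    """Structural sanity check: fixed fields in their defined ranges, length fields that add up."""
    if len(body) < 8:
        return False
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = body[:8]
    return (1 <= action <= 4 and priv_lvl <= 15 and 1 <= authen_type <= 6
            and service <= 9 and 8 + ul + pl + rl + dl == len(body))


def check_header_flag(packet: bytes, key: bytes) -> str:
    """Return 'consistent', 'flag-says-clear-but-body-obfuscated', or 'unparseable'."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if ptype != TAC_PLUS_AUTHEN or len(body) != length:
        return "unparseable"
    plain_ok = looks_like_authen_start(body)
    deobf_ok = looks_like_authen_start(obfuscate(body, session_id, key, version, seq_no))
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        if plain_ok:
            return "consistent"
        return "flag-says-clear-but-body-obfuscated" if deobf_ok else "unparseable"
    return "consistent" if deobf_ok else "unparseable"


# Constructed sample values (not from the release notes): key, session id, user, port, address.
SAMPLE_KEY = b"example-shared-secret"
SAMPLE_SESSION = 0x1234ABCD
SAMPLE_BODY = authen_start_body(b"alice", b"tty0", b"192.0.2.10")

# Correct client: flag clear, body obfuscated.
GOOD_PACKET = build_packet(SAMPLE_BODY, SAMPLE_SESSION, SAMPLE_KEY)
# Mis-flagged client, as in the defect above: body obfuscated but flag claims cleartext.
MISFLAGGED_PACKET = (HEADER.pack(VERSION_DEFAULT, TAC_PLUS_AUTHEN, 1, TAC_PLUS_UNENCRYPTED_FLAG,
                                 SAMPLE_SESSION, len(SAMPLE_BODY))
                     + obfuscate(SAMPLE_BODY, SAMPLE_SESSION, SAMPLE_KEY, VERSION_DEFAULT, 1))

if __name__ == "__main__":
    print(check_header_flag(GOOD_PACKET, SAMPLE_KEY))        # consistent
    print(check_header_flag(MISFLAGGED_PACKET, SAMPLE_KEY))  # flag-says-clear-but-body-obfuscated
```

The structural check is deliberately stricter than "the bytes decoded to something": because the obfuscation is a plain XOR, a wrong key or a wrong flag still yields a body of the right length, so the only evidence of a mismatch is that the fixed fields fall out of their defined ranges or the embedded length fields no longer sum to the body length.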
Release F.05.12 (Beta Release Only)
Adds the following enhancement:
■ Changes to 802.1X to support Open VLAN Mode
Release F.05.13 (Beta Release Only)
Adds the following enhancement:
■ Changes to Isolated Port Groups to add two new groups: group1 and group2.
Release F.05.14
This update is only for the ProCurve 2312, ProCurve 2324, and their associated transceiver modules.
Fixed in release F.05.
■ Performance/Crash (PR_4967) — Slow performance may occur when using 10/100 ports or the 100FX transceiver operating at half-duplex. This also may occur when using 100FX, Gigabit Stacking, Gigabit-SX, or Gigabit-LX transceivers operating at full-duplex. Note: The Gigabit transceivers can only operate in full-duplex mode. The Interpacket Gap (IPG) is too long for half-duplex and too short for full-duplex.
■ Crash — When setting the host name to a very long (~20 characters) string, the switch may crash with a bus error similar to:
-> Bus error: HW Addr=0x29283030 IP=0x002086ac Task='mSnmpCtrl' Task ID=0x165ae00.
■ Flow control — Users are allowed to configure flow control for half-duplex ports, even though the switch does not support flow control ("back pressure") for half-duplex links.
■ Flow control — Users are allowed to configure 802.3x flow control for half-duplex ports.
■ SNMP — The OID ifAlias is defaulted to "not assigned", causing Network Node Manager to log error messages. (The fix is to default ifAlias to a zero-length string, as stated in the MIB, or make each port have a unique value.)
■ SNMP — The switch does not support community names other than PUBLIC in traps.
■ RSTP/LACP — Turning LACP off, then back on, leaves LACP in Passive mode. This can
■ Trunking — With ports 25 and 26 configured in a trunk group, the show trunk 25,26 command displays incorrect information for Trunk Group Name and Trunk Group Type. Example output:
Port  Name  Type    Group   Type
25          1000SX  Trk1    Trunk
26          1000SX  1000SX  1000SX
■ Web — Sun java v1.3.x and v1.4.x interoperability issue: high CPU utilization.
■ Web — Sun java v1.3.x and v1.4.
Release F.05.19 (Never Released)
Fixed in release F.05.19:
■ Counters (PR_92221) — Counters for the J4834A 100/1000 xcvr do not clear.
■ Crash/Bus Error (PR_92466) — Bus error related to 802.1X/unauthorized VLAN.
■ Agent Hang (PR_92802) — Agent 'hang' (ping and TELNET hang, but not the Console).
Release F.05.20 (Never Released)
Fixed in release F.05.20:
■ Crash/Bus Error (PR_98514) — HW Addr=0x00000000 IP=0x002a22d8 Task='tNetTask' Task ID=0xe2e740.
■ Syslog (PR_1000003656) — The syslog capability was added in F.05.22.
■ Syslog (PR_1000004080) — A timep event log message on syslog is truncated.
■ Web (PR_81848) — The 'Clear changes' button does not work for the Default Gateway or VLAN selections.
■ Web (PR_82039) — If the user selects GVRP mode, selects a port, and then selects nothing as an option for the port mode, all ports below the selected port disappear. This does not affect the switch configuration.
Release F.05.24 (Not a General Release)
Fixed in release F.05.24:
■ Web (PR_1000007144) — When using the Web user interface, VLAN Configuration, Add/Remove VLANs, GVRP Mode, clicking on the help link gives the message, "The page you requested is no longer located here."
Release F.05.25 (Not a General Release)
Fixed in release F.05.25:
■ Web/IP Stack Management (PR_1000011548) — In the close-up view of a stack, incorrect pictures are presented for newer switch models.
Release F.05.
■ SNMP (PR_1000190654) — When the switch has its IP address configured on a VLAN other than the "default VLAN", Find/Fix/Inform (FFI) SNMP traps list a 0.0.0.0 IP address in the URL.
■ Web/Crash (PR_1000092011) — While using the Web user interface, the switch may crash with a "software exception" message similar to:
exception.
Release F.05.32 (Not a General Release)
Fixed in release F.05.32:
■ TFTP/Config (PR_1000215024) — After a new configuration is loaded from a TFTP server, the switch reboots so the new configuration will take effect. If that same configuration is loaded again from a TFTP server, the switch recognizes that the configuration is unchanged and does not reboot. Loading the same configuration repeatedly (without rebooting) causes a memory leak.
Release F.05.33
Fixed in release F.05.
Release F.05.37 (Not a General Release)
Fixed in release F.05.36:
■ CLI (PR_83354) — The command "show mac vlan" displays all MAC addresses known on the switch (from all VLANs) instead of just those in the specified VLAN.
Release F.05.38 (Never Released)
Fixed in release F.05.38:
■ TCP (PR_1000246186) — Switch is susceptible to VU#498440.
Release F.05.51 (Never Released)
Fixed in release F.05.51:
■ Crash (PR_1000297510) — When using the Web User Interface and the switch is set as commander for stacking, the switch may crash with a message similar to:
PPC Bus Error exception vector 0x300: Stack-frame=0x01731de8 HW Addr=0x02800007 IP=0x0022dc30 Task='tHttpd' Task ID=0x1731fb0 fp: 0x0167d180 sp:0x01731ea8 lr:0x
Release F.05.52
Fixed in release F.05.
Release F.05.55
Fixed in release F.05.55:
■ LLDP (PR_1000310666) — The command "show LLDP" does not display information learned from CDPv2 packets.
■ Menu (PR_1000318531) — When using the 'Menu' interface, the switch hostname may be displayed incorrectly.
■ RSTP (PR_99049) — The switch does not detect and block network topology loops on a single port. For example, the port connects to a hub that has a loop, or the port connects to an inactive node via IBM 'Type 1' cable.
Release F.05.
Release F.05.59
Fixed in release F.05.59:
■ Daylight savings (PR_1000364740) — Due to the passage of the Energy Policy Act of 2005, Pub. L. No. 109-58, 119 Stat. 594 (2005), starting in March 2007 daylight time in the United States will begin on the second Sunday in March and end on the first Sunday in November.
Release F.05.60
Fixed in release F.05.
■ Daylight Savings (PR_1000467724) — DST is outdated for the Western-European Time Zone. This change corrects the schedule for the Western Europe Time Zone: DST starts on the last Sunday in March and ends on the last Sunday in October.
Release F.05.64 (Never Released)
No issues fixed in release F.05.64.
Release F.05.65 (Not a Public Release)
Fixed in release F.05.65:
■ Security (PR_1000388616) — Possible cross-site scripting vulnerability in the Web Management Interface.
Release F.05.
Release F.05.69
Fixed in release F.05.69:
■ ProCurve Manager (PR_1000768253) — The ProCurve Manager 2.2 Auto Update 5 "test communication parameters" feature fails intermittently.
■ Stacking Transceivers (PR_1000784489) — Stacking-kit ports (J4116A) display an inaccurate duplex output.
■ TACACS+ (PR_0000003839) — The TACACS-server configuration parameter accepts an address from an invalid/reserved IP range: 0.0.0.1 to 0.255.255.255.
Release F.05.70
Fixed in release F.05.
© Copyright 2001-2009 Hewlett-Packard Company, LP. The information contained in this document is subject to change without notice.