Release Notes: Version M.10.72 Software for the HP ProCurve Series 3400cl Switches

"M" software versions are supported on these switches:

ProCurve Switch M.08.51 through M.08.99.x M.08.96, M.08.97, and newer M.08.95 M.10.01 and newer ProCurve Switch 3400cl-24G (J4905A) ProCurve Switch 3400cl-48G (J4906A) ✔ ✔ ProCurve Switch 6400cl-6XG 10-GbE CX4 (J8433A) ProCurve Switch 6410cl-6XG 10-GbE X2 (J8474A) ✔ ✔ ✔ ✔ ✔ ✔

Release M.10.41 supports the ProCurve Switch 3400cl-24G (J4905A), and 3400cl-48G (J4906A).
© Copyright 2004 - 2009 Hewlett-Packard Development Company, LP. The information contained herein is subject to change without notice.

Publication Number: 5991-4764, May, 2009

Applicable Product: ProCurve Switch 3400cl-24G (J4905A), ProCurve Switch 3400cl-48G (J4906A)

Trademark Credits: Microsoft®, Windows®, and Windows NT® are US registered trademarks of Microsoft Corporation. Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated. Java™ is a US trademark of Sun Microsystems, Inc.
Contents

Software Management
Software Updates
Download Switch Documentation and Software from the Web
View or Download the Software Manual Set

Connection-Rate Filtering Based On Virus-Throttling Technology
Identity-Driven Management (IDM)
Clarifications and Updates
Operating Notes for Jumbo Traffic-Handling

QoS Pass-Through Mode
Release M.08.94 Enhancements
DHCP Option 82: Using the Management VLAN IP Address for the Remote ID
UDP Broadcast Forwarding

Release M.10.26 Enhancements
Release M.10.27 Enhancements
Release M.10.28 Enhancements
Release M.10.29 Enhancements

Release M.10.65 Enhancements
MSTP VLAN Configuration Enhancement
Release M.10.66 Enhancements
Configure Logging via SNMP

Release M.08.76
Release M.08.77
Release M.08.78
Release M.08.79

Release M.10.10
Release M.10.11
Release M.10.12
Release M.10.13

Release M.10.42
Release M.10.43
Release M.10.44
Release M.10.45
Software Management

Software Updates

Check the ProCurve Networking Web site frequently for free software updates for the various ProCurve switches you may have in your network.

Download Switch Documentation and Software from the Web

You can download software updates and the corresponding product documentation from the ProCurve Networking Web site as described below.

View or Download the Software Manual Set

Go to: www.procurve.
Downloading Software to the Switch

Note: Downloading new software does not change the current switch configuration. The switch configuration is contained in a separate file that can also be transferred, for example, for archive purposes or to be used in another switch of the same model.

This section describes how to use the CLI to download software to the switch. You can also use the menu interface for software downloads.
TFTP Download from a Server

Syntax: copy tftp flash [ < primary | secondary > ]

Note that if you do not specify the flash destination, the TFTP download defaults to the primary flash.

For example, to download a software file named M_08_8x.swi from a TFTP server with the IP address of 10.28.227.103:

1. Execute the copy command as shown below:

    ProCurve switch # copy tftp flash 10.28.227.103 M_08_8x.
■ The terminal emulator you are using includes the Xmodem binary transfer feature. (For example, in the HyperTerminal application included with Windows NT, you would use the Send File option in the Transfer dropdown menu.)

Using Xmodem and a terminal emulator, you can download a switch software file to either primary or secondary flash using the CLI.

Syntax: copy xmodem flash [< primary | secondary >]

1.
Saving Configurations While Using the CLI

The switch operates with two configuration files:

■ Running-Config File: Exists in volatile memory and controls switch operation. Rebooting the switch erases the current running-config file and replaces it with an exact copy of the current startup-config file. To save a configuration change, you must save the running configuration to the startup-config file.
Install Recommendations for I.08.12 Boot ROM Update

When installing the M.10.17 software to load the I.08.12 ROM version, ProCurve recommends that you use the “fastboot” feature and the “reload” command after updating to M.10.17, as shown below.

    ProCurve3400cl# config
    ProCurve3400cl(config)# fastboot
    ProCurve3400cl(config)# copy tftp flash M_10_17.
ProCurve Switch, Routing Switch, and Router Software Keys

Software Letter   ProCurve Networking Products
C                 1600M, 2400M, 2424M, 4000M, and 8000M
CY                Switch 8100fl Series (8108fl and 8116fl)
E                 Switch 5300xl Series (5304xl, 5308xl, 5348xl, and 5372xl)
F                 Switch 2500 Series (2512 and 2524), Switch 2312, and Switch 2324
G                 Switch 4100gl Series (4104gl, 4108gl, and 4148gl)
H                 Switch 2600 Series, Switch 2600-PWR Series: H.07.
numeric           Switch 9408sl, Switch 9300 Series (9304M, 9308M, and 9315M), Switch 6208M-SX and Switch 6308M-SX (Uses software version number only; no alphabetic prefix. For example 07.6.04.
Minimum Software Versions for Series 3400cl Switch Features

For Software Features. To view a tabular listing of major switch software features and the minimum software version each feature requires:

1. Visit the ProCurve Networking Web site at www.procurve.com.
2. Click on Software updates.
3. Click on Minimum Software Version Required by Feature.

For Switch 3400cl Hardware Accessories.
Enforcing Switch Security

ProCurve switches are designed as “plug and play” devices, allowing quick and easy installation in your network. However, when preparing the switch for network operation, ProCurve strongly recommends that you enforce a security policy to help ensure that the ease in getting started is not used by unauthorized persons as an opportunity for access and possible malicious actions.
Switch Management Access Security

It is important to evaluate the level of management access vulnerability existing in your network and take steps to ensure that all reasonable security precautions are in place. This includes both configurable security options and physical access to the switch hardware.

Local Manager Password

In the default configuration, there is no password protection.
SNMP Access (Simple Network Management Protocol)

In the default configuration, the switch is open to access by management stations running SNMP management applications capable of viewing and changing the settings and status data in the switch’s MIB (Management Information Base). Thus, controlling SNMP access to the switch and preventing unauthorized SNMP access should be a key element of your network security strategy.
Caution: Downloading and booting from the M.08.89 or greater software version for the first time enables SNMP access to the authentication configuration MIB (the default action). If SNMPv3 and other security safeguards are not in place, the switch’s authentication configuration MIB is exposed to unprotected SNMP access and you should use the above command to disable this access.

2.
For the commands to implement the above actions, refer to “Front-Panel Security” in the chapter titled “Configuring Usernames and Passwords” in the Access Security Guide for your switch.

Other Provisions for Management Access Security

Authorized IP Managers.
Network Access Security

This section outlines provisions for protecting access through the switch to the network. For more detailed information on these features, refer to the indicated manuals.
Secure Shell (SSH)

SSH provides Telnet-like functions through encrypted, authenticated transactions of the following types:

■ client public-key authentication: uses one or more public keys (from clients) that must be stored on the switch. Only a client with a private key that matches a stored public key can gain access to the switch.
Switch Model     Source-Port Filters   Protocol Filters   Multicast Filters
Series 6400cl    X                     --                 --
Series 5400zl    X                     X                  X
Series 5300xl    X                     X                  X
Series 4200vl    X                     --                 --
Series 3500yl    X                     X                  X
Series 3400cl    X                     --                 --
Series 2800      X                     --                 --
Series 2600      X                     --                 --

■ source-port filters: Inbound traffic from a designated, physical source-port will be forwarded or dropped on a per-port (destination) basis.
Access Control Types: 6200yl 5400zl 3500yl 5300xl 3400cl 2800 4100gl 4200vl 6400cl 2600 2600-pwr

client-based access control (up to 32 authenticated clients per port): X X* -- -- --
port-based access control (one authenticated client opens the port): X X X X X
switch operation as a supplicant: X X X X X

* On the 5300xl switches, this feature is available with software release E.09.02 and greater.
keys.) KMS provides specific instances of routing protocols with one or more Send or Accept keys that must be active at the time of a request. Refer to the chapter titled “Key Management System” in the Access Security Guide for your switch model.
Clarifications and Updates

Operating Notes for Jumbo Traffic-Handling

In the Management and Configuration Guide (Oct., 2005 version), on page 14-33 (page 347 of the .pdf file), where it states:

    When a port is not a member of any jumbo-enabled VLAN, it drops all jumbo traffic. If the port is receiving “excessive” inbound jumbo traffic, the port generates an Event Log message to notify you of this condition.
IGMP Command Update

The following information updates and clarifies information in Chapter 4, “Multimedia Traffic Control with IP Multicast (IGMP)” in the Advanced Traffic Management Guide—part number 5990-6051, September 2004 edition. Please refer to this chapter for a detailed explanation of IGMP operation.

The 3400cl switches support the following standards and RFCs:

■ RFC2236 (IGMP V.2, with backwards support for IGMP V.
Setting Fast-Leave and Forced Fast-Leave from the CLI. In earlier switch models, including the 5300xl switches, fast-leave and forced fast-leave options for a port were configured with a lengthy setmib command. The following commands now allow a port to be configured for fast-leave or forced fast-leave operation with a conventional CLI command instead of the setmib command. Note that these commands must be executed in a VLAN context.
4. Port security
5. Authorized IP Managers
6. Application features at higher levels in the OSI model, such as SSH.

(The above list does not address the mutually exclusive relationship that exists among some security features.)

The Management VLAN IP Address

The optional Management VLAN, if used, must be configured with a manual IP address. It does not operate with DHCP/Bootp configured for the IP address.

Interoperating with 802.
Known Issues

Release M.10.17

The following is a known issue related to installation of Release M.10.17 software, which includes a required update to ROM version I.08.12.

When there is an active 10-GbE link in port 26 of the ProCurve 3400cl-24G switch, or port 50 of the ProCurve 3400cl-48G switch, there may be a problem with that link initializing following a software update into the required M.10.17 software version.
Enhancements

Enhancements are listed in chronological order, oldest to newest software release. To review the list of enhancements included since the last general release that was published, begin with “Release M.10.21 Enhancements” on page 95.

Release M.08.69 Enhancements

Release M.08.69 included the following enhancements:

■ Support for Web RADIUS authentication with CLI.
■ A new scripting mode.
■ Source Port Filter user interface, described in Chapter 9.
Release M.08.78 Enhancements

Using Fastboot To Reduce Boot Time

The fastboot command allows a boot sequence that skips the internal power-on self-tests, resulting in a faster boot time.

Syntax: [no] fastboot

Used in the global configuration mode to enable the fastboot option. The no version of the command disables fastboot operation.

Syntax: show fastboot

Shows the status of the fastboot feature, either enabled or disabled.
The following shows a sample output from this new command.

    ProCurve# show interface port-utilization

                      |              Rx
     Port  Mode       | KBits/s   Pkts/s   Util
     ----  -------    + -------   ------   -----
     1     100FDx     | 100000    525      12
     2     1000FDx    | 0         0        0
     3     100FDx     | 536       44       00.
     4     1000FDx    | 0         0
     5     1000FDx    | 0         0
     6     1000FDx    | 0         0
     7     1000FDx    | 0         5
     8     1000FDx    | 0         5
     9     100FDx     | 0         30
Release M.08.84 Enhancements

Release M.08.84 includes the following enhancement: Added the show tech transceivers command to allow removable transceiver serial numbers to be read without removal of the transceivers from the switch.

Release M.08.85 through M.08.88 Enhancements

Software fixes only; no new enhancements.

Release M.08.89 Enhancements

Release M.08.
IP address of 10.10.100.27 is assigned a host name of accounts015 and another IP address of 10.10.100.33 is assigned a host name of sales021, then the switch configured with the domain suffix evergreen.trees.
■ The host’s domain must be reachable from the switch. This requires that the DNS server for the switch must be able to communicate with the DNS server(s) in the path to the domain in which the target host operates.
■ The fully qualified domain name must be used, and the domain suffix must correspond to the domain in which the target host operates, regardless of the domain suffix configured in the switch.

Example.
Configuring a DNS Entry

The switch allows one DNS server entry, which includes the DNS server IP address and the chosen domain name suffix. Configuring the entry enables the use of ping and traceroute with a target’s host name instead of the target’s IP address.

Syntax: [no] ip dns server-address < ip-addr >

Configures the IP address of a DNS server accessible to the switch.
[Figure 5: network diagram. Labels: Switch “A” Configured with DNS Resolver (10.28.192.1); Router “B” (10.28.192.2, 10.28.229.1); Document Server docservr (10.28.229.219); DNS Server for pubs.outdoors.com (10.28.229.10). Domain: pubs.outdoors.com. Host Name for IP address 10.28.229.219 = “docservr”.]
    ProCurve# ping docservr
    10.28.229.219 is alive, time = 1 ms

    ProCurve# traceroute docservr
    traceroute to 10.28.229.219
       1 hop min, 30 hops max, 5 sec. timeout, 3 probes
     1 10.28.192.2      1 ms   0 ms   0 ms      <- First-Hop Router (“B”)
     2 10.28.229.219    0 ms   0 ms   0 ms      <- Traceroute Target

Figure 7.
    ProCurve# show ip

     Internet (IP) Service

      IP Routing : Disabled

      Default Gateway : 10.28.192.2
      Default TTL     : 64
      Arp Age         : 20
      Domain Suffix   : pubs.outdoors.com
      DNS server      : 10.28.229.10

      VLAN         | IP Config  IP Address      Subnet Mask
      ------------ + ---------- --------------- ---------------
      DEFAULT_VLAN | Manual     10.28.192.1     255.255.255.0

Callout (Domain Suffix and DNS server lines): DNS Resolver Configuration in the show ip command output

Figure 9.
Event Log Messages

Message                              Meaning
DNS server address not configured    The switch does not have an IP address configured for the DNS server.
DNS server not responding            The DNS server failed to respond or is unreachable. An incorrect server IP address can produce this result.
Unknown host < host-name >           The host name did not resolve to an IP address. Some reasons for this occurring include:
                                     • The host name was not found.
                                     • The named domain was not found.
Security Notes

Passwords and keys configured in the hpSwitchAuth MIB are not returned via SNMP, and the response to SNMP queries for such information is a null string. However, SNMP sets can be used to configure password and key MIB objects. To help prevent unauthorized access to the switch’s authentication MIB, ProCurve recommends enhancing security according to the guidelines under “Enforcing Switch Security” on page 10.
For example, to disable SNMP access to the switch’s authentication MIB and then display the result in the Excluded MIB field, you would execute the following two commands.

    ProCurve(config)# snmp-server mib hpswitchauthmib excluded
    ProCurve(config)# show snmp-server

The first command disables SNMP security MIB access.
    ProCurve(config)# show run

    Running configuration:

    ; J4905A Configuration Editor; Created on release #M.10.05

    hostname "ProCurve"
    snmp-server mib hpSwitchAuthMIB excluded
    ip default-gateway 10.10.24.55
    snmp-server community "public" Operator
    vlan 1
       name "DEFAULT_VLAN"
       untagged 1-26
       ip address 10.10.24.100 255.255.255.0
       exit
    password manager

Callout (snmp-server mib hpSwitchAuthMIB excluded line): Indicates that SNMP access to the authentication configuration MIB (hpSwitchAuth) is disabled.

Figure 11.
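The check below is an added example, not ProCurve tooling or code from these release notes. It audits saved "show run" listings for the condition described in the caution and Security Notes above: a release of M.08.89 or greater with no "snmp-server mib hpswitchauthmib excluded" line. It assumes the "Created on release" comment reflects the running software, treats "public" as the default community name, and does not model SNMPv3; the two variant listings are constructed from the Figure 11 listing.

```python
import re

# Page caution: first boot of M.08.89 or greater enables SNMP access to the
# authentication configuration MIB (hpSwitchAuth) unless it is excluded.
FIRST_EXPOSED_RELEASE = (8, 89)

RELEASE_RE = re.compile(r"Created on release #M\.(\d+)\.(\d+)", re.IGNORECASE)
EXCLUDED_RE = re.compile(
    r"^[ \t]*snmp-server[ \t]+mib[ \t]+hpswitchauthmib[ \t]+excluded[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)
COMMUNITY_RE = re.compile(
    r'^[ \t]*snmp-server[ \t]+community[ \t]+"([^"]+)"[ \t]*(.*)$',
    re.IGNORECASE | re.MULTILINE,
)

# Listing from Figure 11 of the release notes (exclusion already configured).
PAGE_CONFIG = """\
; J4905A Configuration Editor; Created on release #M.10.05
hostname "ProCurve"
snmp-server mib hpSwitchAuthMIB excluded
ip default-gateway 10.10.24.55
snmp-server community "public" Operator
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-26
   ip address 10.10.24.100 255.255.255.0
   exit
password manager
"""

# Constructed variants of the listing above, for illustration only.
UNPROTECTED_CONFIG = PAGE_CONFIG.replace(
    "snmp-server mib hpSwitchAuthMIB excluded\n", "")
OLD_RELEASE_CONFIG = (UNPROTECTED_CONFIG
                      .replace("#M.10.05", "#M.08.69")
                      .replace('"public"', '"netops-ro"'))


def release_of(config):
    """Return (major, minor) from the 'Created on release #M.xx.yy' comment."""
    m = RELEASE_RE.search(config)
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit(config):
    """Return a list of (code, detail) findings for one saved configuration."""
    findings = []
    release = release_of(config)
    if EXCLUDED_RE.search(config) is None:
        if release is None:
            findings.append(("RELEASE_UNKNOWN",
                             "no release comment; cannot tell whether the "
                             "authentication MIB is reachable via SNMP"))
        elif release >= FIRST_EXPOSED_RELEASE:
            findings.append(("AUTH_MIB_EXPOSED",
                             "release M.%02d.%02d without 'snmp-server mib "
                             "hpswitchauthmib excluded'" % release))
    for name, rest in COMMUNITY_RE.findall(config):
        if name.lower() == "public":
            findings.append(("DEFAULT_COMMUNITY",
                             'community "public" configured (%s)'
                             % (rest.strip() or "no access level shown")))
    return findings


def codes(config):
    """Finding codes only, in the order audit() reports them."""
    return [code for code, _ in audit(config)]


if __name__ == "__main__":
    for label, cfg in (("Figure 11 listing", PAGE_CONFIG),
                       ("constructed: exclusion removed", UNPROTECTED_CONFIG),
                       ("constructed: M.08.69, custom community",
                        OLD_RELEASE_CONFIG)):
        print(label)
        for code, detail in audit(cfg) or [("OK", "no findings")]:
            print("  %-18s %s" % (code, detail))
```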
Releases M.08.90 and M.08.91 Enhancements

The “legacy-path-cost” CLI command does not affect or replace functionality of the “spanning-tree force-version” command. The “spanning-tree force-version” command controls whether MSTP will send and process 802.1w RSTP, or 802.1D STP BPDUs. Regardless of what the “legacy-path-cost” parameter is set to, MSTP will interoperate with legacy STP bridges (send/receive Config and TCN BPDUs).
Note: Changing the QoS Pass-Through Mode can be done without rebooting the switch. However, the switch ports are toggled down and back up, allowing the QoS queues to be reconfigured. This may affect routing and spanning tree operation. ProCurve Networking recommends that QoS queues be reconfigured during periods of non-peak traffic.
QoS Pass-Through Mode SNMP MIB Object. A read-write MIB object, 1.3.6.1.4.1.11.2.14.11.5.1.7.1.24.1, has been added to the ProCurve switch MIB. The QoS Pass-Through Mode can be changed using either an SNMP network management application or the CLI setmib command.

Syntax: setMIB hpSwitchQosPassThroughModeConfig.0 -i [ 1 | 2 | 3 | 4 ]

Specifies the QoS queue mode to be used by the switch.
The current QoS Pass-Through Mode also is displayed in the show running-config command output.

Operating Notes

■ To use the same QoS queue structure used in pre-M.08.78 software, set the QoS Pass-Through Mode to balanced.
■ The optimized mode matches the QoS Pass-through mode on the ProCurve Series 2800 switches. This mode is used when the QoS Pass-Through Mode command is entered with no arguments, qos-passthrough-mode.

Release M.08.94 Enhancements

Release M.
Syntax: dhcp-relay option 82 < append | replace | drop > [ validate ] [ ip | mac | mgmt-vlan ]

[ ip | mac | mgmt-vlan ]: Specifies the remote ID suboption the routing switch will use in Option 82 fields added or appended to DHCP client packets. The choice depends on how you want to define DHCP policy areas in the client requests sent to the DHCP server. If a remote ID suboption is not configured, then the routing switch defaults to the mac option.
Table 3. DHCP Operation for the Topology in Figure 12

Client   Remote ID    giaddr*      DHCP Server   Notes
X        10.38.10.1   10.39.10.1   A only        If a DHCP client is in the Management VLAN, then its DHCP requests can go only to a DHCP server that is also in the Management VLAN. Routing to other VLANs is not allowed.
Y        10.38.10.1   10.29.10.1   B or C
Z        10.38.10.1   10.15.10.
Releases M.08.95 through M.10.01 Enhancements

Software fixes only; no new enhancements.

Release M.08.96 Enhancements

■ Enabled use of login "Message of the Day" (MOTD) banner. For details on using this feature, refer to “Custom Login Banners for the Console and Web Browser Interfaces” in Chapter 2 of the Management and Configuration Guide for 3400cl and 6400cl switches.

Releases M.08.97 through M.10.
■ An ACL must be configured on the RADIUS server (instead of the switch) by creating and assigning one or more Access Control Entries to the username/password pair or MAC address of the client for which you want ACL support.
■ Where 802.1X is used for client authentication, then either the client device must be running 802.1X supplicant software or the capability must exist for the client to download this software from the network through use of the 802.
Table 4. Contrasting Dynamic and Static ACLs

RADIUS-Based (Dynamic) ACLs                          Port-Based (Static) ACLs
Operates on the 3400cl switches.                     Operates on both the 3400cl and 6400cl switches.
Configured in client accounts on a RADIUS server.    Configured in the switch itself.
Terminology

ACE: See Access Control Entry, below.

Access Control Entry (ACE): An ACE is a policy consisting of a packet-handling action and criteria to define the packets on which to apply the action.
packet (from the authenticated client) that is not explicitly permitted or denied by other ACEs configured sequentially earlier in the ACL. Unless otherwise noted, “implicit deny IP any” refers to the “deny” action enforced by both standard and extended ACLs.

Inbound Traffic: For the purpose of defining where the switch applies ACLs to filter traffic, inbound traffic is any IP packet that enters the switch from a given client on a given port.
the client MAC address is the selection criteria, only the client having that MAC address can use the corresponding ACL. When a RADIUS server authenticates a client, it also assigns the ACL configured with that client’s credentials to the port. The ACL then filters the client’s inbound IP traffic and denies (drops) any such traffic from the client that is not explicitly permitted by the ACL.
Example. Suppose the ACL in Figure 3 is assigned to filter the traffic from an authenticated client on a given port in the switch:

For an inbound packet with a destination IP address of 18.28.156.3, the ACL:

    Permit in ip from any to 18.28.136.24
    Permit in ip from any to 18.28.156.7
1. Compares the packet to this ACE first.
    Deny in ip from any to 18.28.156.3
2.
1. If a match is not found with the first ACE in an ACL, the switch proceeds to the next ACE and so on.

[Flowchart: Test packet against criteria in first ACE. Is there a match? Yes: Perform action (permit or deny), End. No: Test the packet against criteria in second ACE. Is there a match? Yes: Perform action (permit or deny), End.]

2.
For example, suppose you want to configure a RADIUS-based ACL to invoke these policies in the 11.11.11.0 network:

1. Permit inbound client traffic with a DA of 11.11.11.42.
2. Permit inbound Telnet traffic for DA 11.11.11.101.
3. Deny inbound Telnet traffic for all other IP addresses in the 11.11.11.0 network.
4. Permit inbound HTTP traffic for any IP address in the 11.11.11.0 network.
5. Deny all other inbound traffic.
General Steps

These steps suggest a process for using ACLs to establish client access policies. The topics following this section provide details.

1. Determine the policies you want to enforce for client traffic inbound on the switch.
2.
■ Is it important to keep track of the number of matches for a particular client or ACE? If so, you can use the optional cnt (counter) feature in ACEs where you want to know this information. This is especially useful if you want to verify that the switch is denying unwanted client packets. (Note that configuring a high number of counters can exhaust the counter resources. Refer to Table 5 on page 57.
■ Explicitly Denying Any IP Traffic: Entering a deny in ip from any to any ACE in an ACL denies all IP traffic not previously permitted or denied by that ACL. Any ACEs listed after that point have no effect.
■ Implicitly Denying Any IP Traffic: For any packet being filtered by an ACL, there will always be a match. Included in every ACL is an implicit deny in ip from any to any.
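The sketch below is an added example, not code from HP or from these release notes. It models the first-match processing, the implicit deny, and the "ACEs after that point have no effect" rule described above, using the ACE text form from the page's examples. Assumptions: the mask is a prefix length or dotted mask, "tcp" and "udp" are accepted as protocol keywords alongside numeric values, TCP/UDP port qualifiers are not modelled, and the second ACL is constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_ACE_CHARS = 80                      # page: an ACE over 80 characters is a failure cause
PROTO_NUMBERS = {"tcp": 6, "udp": 17}   # assumed protocol keywords
IMPLICIT_DENY = "deny in ip from any to any (implicit)"

ACE_RE = re.compile(
    r"^(permit|deny)\s+in\s+(ip|tcp|udp|\d{1,3})\s+from\s+any\s+to\s+(\S+)(\s+cnt)?$",
    re.IGNORECASE,
)

# ACEs shown in the page's example for a packet destined to 18.28.156.3.
PAGE_EXAMPLE_ACL = [
    "Permit in ip from any to 18.28.136.24",
    "Permit in ip from any to 18.28.156.7",
    "Deny in ip from any to 18.28.156.3",
]
# Constructed ACL: the last ACE sits behind an explicit "deny ... any".
CONSTRUCTED_ACL = [
    "permit in tcp from any to 11.11.11.0/24 cnt",
    "deny in ip from any to any",
    "permit in ip from any to 11.11.11.42",
]


@dataclass
class Ace:
    text: str
    permit: bool
    proto: Optional[int]            # None means "ip": any IP protocol
    dest: ipaddress.IPv4Network
    counted: bool                   # True when the ACE carries "cnt"
    hits: int = 0


def parse_ace(text: str) -> Ace:
    """Parse one ACE string; reject oversize or unsupported entries."""
    text = " ".join(text.split())
    if len(text) > MAX_ACE_CHARS:
        raise ValueError("ACE exceeds %d characters" % MAX_ACE_CHARS)
    m = ACE_RE.match(text)
    if m is None:
        raise ValueError("unsupported or malformed ACE: %r" % text)
    action, proto, dest, cnt = m.groups()
    proto = proto.lower()
    if proto == "ip":
        number = None
    elif proto in PROTO_NUMBERS:
        number = PROTO_NUMBERS[proto]
    else:
        number = int(proto)
        if number > 255:
            raise ValueError("IP protocol value out of range: %d" % number)
    network = ipaddress.IPv4Network(
        "0.0.0.0/0" if dest.lower() == "any" else dest, strict=False)
    return Ace(text, action.lower() == "permit", number, network, cnt is not None)


def parse_acl(lines: List[str]) -> List[Ace]:
    return [parse_ace(line) for line in lines]


def evaluate(acl: List[Ace], dst_ip: str, proto: int) -> Tuple[str, str]:
    """Return (action, deciding ACE) for one inbound packet, first match wins."""
    addr = ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if ace.proto is not None and ace.proto != proto:
            continue
        if addr in ace.dest:
            if ace.counted:
                ace.hits += 1
            return ("permit" if ace.permit else "deny"), ace.text
    return "deny", IMPLICIT_DENY        # every ACL ends with the implicit deny


def shadowed_aces(acl: List[Ace]) -> List[str]:
    """ACEs that can never match because an earlier ACE covers them."""
    dead = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            covers_proto = earlier.proto is None or earlier.proto == later.proto
            if covers_proto and later.dest.subnet_of(earlier.dest):
                dead.append(later.text)
                break
    return dead


if __name__ == "__main__":
    acl = parse_acl(PAGE_EXAMPLE_ACL)
    for dst in ("18.28.156.3", "18.28.156.7", "10.1.1.1"):
        print(dst, "->", evaluate(acl, dst, 6))
    print("no effect:", shadowed_aces(parse_acl(CONSTRUCTED_ACL)))
```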
Limits for RADIUS-Based ACLs, Associated ACEs, and Counters

Table 5 describes limits the switch supports in ACLs applied by a RADIUS server. Exceeding a limit causes the related client authentication to fail.

Table 5.
Item / Limit / Notes

Per-Port Mask Usage: ACLs consume per-port (internal) mask resources rapidly and can be affected by IGMP usage on the same switch. For more on this topic, refer to the “ACL Resource Usage and Monitoring” and “Extended ACLs” subsections in the chapter titled “Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches” of the Advanced Traffic Management Guide for your 3400cl switch.
    VENDOR          HP    11
    BEGIN-VENDOR    HP
    ATTRIBUTE       HP-IP-FILTER-RAW    61    STRING
    END-VENDOR      HP

Callouts: 11 is the ProCurve (HP) Vendor-Specific ID; HP-IP-FILTER-RAW is the ProCurve (HP) Vendor-Specific Attribute for RADIUS-Based ACLs.

Figure 6. Example of Configuring the VSA for RADIUS-Based ACLs in a FreeRADIUS Server

2. Enter the switch IP address, NAS (Network Attached Server) type, and the key in the FreeRADIUS clients.conf file. For example, if the switch IP address is 10.10.10.
Callouts: mobile011 is the Client’s Username (802.1X or Web Authentication); run101112 is the Client’s Password (802.1X or Web Authentication).

    mobile011 Auth-Type:= Local, User-Password == run101112
        HP-IP-FILTER-RAW = “permit in tcp from any to 10.10.10.
The following syntax and operating information refers to ACLs configured in a RADIUS server.

ACE Syntax: < permit | deny > in < ip | ip-protocol-value > from any to < ip-addr > [/< mask > ] | any > [ tcp/udp-ports] [cnt ]

< permit | deny >: Specifies whether to forward or drop the identified IP traffic type from the authenticated client.

in: Required keyword specifying that the ACL applies only to the traffic inbound from the authenticated client.
[ cnt ]: Optional counter specifier for a RADIUS-based ACL. When used in an ACL, the counter increments each time there is a “match” with a permit or deny ACE. (Refer to the entry describing the maximum number of (optional) internal counters in the table on page 57.) Counter values appear in the RADIUS accounting log for the client if RADIUS networking accounting is configured on the switch.
3. Configure an authentication method. Options include 802.1X, Web authentication, and MAC authentication. (You can configure 802.1X and either Web or MAC authentication to operate simultaneously on the same ports.)

802.1X Option:

Syntax: aaa port-access authenticator < port-list >
        aaa authentication port-access chap-radius
        aaa port-access authenticator active

These commands configure 802.
Displaying the Current RADIUS-Based ACL Activity on the Switch

These commands output data indicating the current ACL activity imposed per-port by RADIUS server responses to client authentication.

Syntax: show access-list radius < port-list >

For the specified ports, this command lists the explicit ACEs, switch port, and client MAC address for the ACL dynamically assigned by a RADIUS server as a response to client authentication.
Syntax: show port-access authenticator < port-list >

For ports in < port-list > that are configured for authentication, this command indicates whether there are any RADIUS-assigned features active on the port(s). (Any ports in < port-list > that are not configured for authentication do not appear in this listing.)

Port: Port number of port configured for authentication.
ProCurve(config)# show port-access authenticator 10-11

 Port Access Authenticator Status

  Port-access authenticator activated [No] : No

                Current  Current      % Curr. Rate   RADIUS ACL
  Port  Status  VLAN ID  Port COS     Limit Inbound  Applied?
  ----  ------  -------  -----------  -------------  ----------
  10    Open    1        7            No-override    Yes
  11    Closed  1        No-override  No-override    No

RADIUS ACL Applied?: Indicates a RADIUS ACL is currently applied as part of an active session with an authenticated client.

Figure 10.
Message: ACE parsing error, destination IP, < ace-# > client < mac-address > port < port-# >.
Meaning: Notifies of a problem with the destination IP field in the indicated ACE of the access list for the indicated client on the indicated switch port.

Message: ACE parsing error, tcp/udp ports, < ace-# > client < mac-address > port < port-# >.
• An ACE in the ACL for a given authenticated client exceeds 80 characters.
• An ACL assigned to an authenticated client causes the number of optional counters needed on the ACL to exceed the per-ACL maximum (32).

SFlow Show Commands

In earlier software releases, the only method for checking whether sFlow is enabled on the switch was via an SNMP request. Beginning with software release M.10.
ProCurve# show sflow agent

 Version        1.3;HP;M.10.03
 Agent Address  10.0.10.228

Figure 13. Viewing sFlow Agent Information

The show sflow destination command includes information about the management-station’s destination address, receiver port, and owner.

ProCurve# show sflow destination

 sflow                     Enabled
 Datagrams Sent            221
 Destination Address       10.0.10.41
 Receiver Port             6343
 Owner                     admin
 Timeout (seconds)         333
 Max Datagram Size         1400
 Datagram Version Support  5

Figure 14.
Enhancements Release M.10.04 Enhancements

ProCurve# show sflow sampling-polling 1-5

 sflow destination Enabled

       | Sampling                   Dropped    | Polling
 Port  | Enabled  Rate     Header  Samples    | Enabled  Interval
 ----- + -------  -------  ------  ---------- + -------  --------
 1     | Yes      6500000  128     5671234    | Yes      60
 2     | No       50       128     0          | Yes      300
 3     | Yes      2000     100     24978      | No       30
 4     | Yes      200      100     4294967200 | Yes      40
 5     | Yes      20000    128     34         | Yes      500

Figure 15.
Parameter Name: ip-address-count
Description: The number of destination IP addresses learned in the IP forwarding table. Some attacks fill the IP forwarding table causing legitimate traffic to be dropped.

Parameter Name: system-resource-usage (Denial of Service logging)
Description: The percentage of system resources in use. Some Denial-of-Service (DoS) attacks will cause excessive system resource usage, resulting in insufficient resources for legitimate traffic.
■ Alerts are automatically rate limited to prevent filling the log file with redundant information.
Enhancements Release M.10.04 Enhancements Configuring Instrumentation Monitor The following commands and parameters are used to configure the operational thresholds that are monitored on the switch. By default, the instrumentation monitor is disabled. Syntax: [no] instrumentation monitor [parameterName|all] [] [log] : Enables/disables instrumentation monitoring log so that event log messages are generated every time there is an event which exceeds a configured threshold.
Enabling/Disabling TFTP

The TFTP server and client can be enabled and/or disabled independently.

Syntax: [no] tftp < client | server >

Enables or disables the TFTP client.
client: Enables or disables the TFTP client. (Default: disabled)
server: Enables or disables the TFTP server. (Default: disabled)

Note: Both the tftp command (with no arguments) and the tftp client command can be used to enable or disable the TFTP client.
Enhancements Release M.10.04 Enhancements Note The router rip command exists in previous software versions. In this implementation, however, RIP must be enabled in order to open the port on the switch. Enabling/Disabling Stacking To enable/disable stacking, use the following command. Syntax: [no] stack Enables stacking (SNMP) on the switch. (Default: disabled) Note The stack command exists in previous software versions.
Enhancements Release M.10.04 Enhancements The following shows RSTP sample output from the enhanced command.
Enhancements Release M.10.05 Enhancements

• TC Flag Received counter shows the number of TC notifications (RSTP or MSTP style BPDU with the TC flag set) received on the port.
• TC ACK Flag Transmitted is an 802.1D mode counter. It will only increment when the port is operating in 802.1D mode and an 802.1D style PDU is sent out of the port.
• TC ACK Flag Received is an 802.1D mode counter. It will only increment when the port is operating in 802.1D mode and an 802.
Release M.10.07 Enhancements

Release M.10.07 includes the following enhancement:

■ Added support for PIM Dense Mode. For details, refer to Chapter 5, “PIM-DM (Dense Mode) on the 5300xl Switches” in the Advanced Traffic Management Guide for the ProCurve Series 6400cl/5300xl/4200vl/3400cl Switches.

Release M.10.08 Enhancements

Software fixes only, no new enhancements.

Release M.10.09 Enhancements

Release M.10.
Scenario 1 (No UDLD): Without UDLD, the switch ports remain enabled despite the link failure. Traffic continues to be load-balanced to the ports connected to the failed link.

Scenario 2 (UDLD-enabled): When UDLD is enabled, the feature blocks the ports connected to the failed link.

[Figure 20. Diagram labels: Trunk; Third Party Switch; ProCurve Switch; ProCurve Switch; Link Failure]
Enhancements Release M.10.09 Enhancements Configuration Considerations ■ UDLD is configured on a per-port basis and must be enabled at both ends of the link. See the note below for a list of ProCurve switches that support UDLD. ■ To configure UDLD on a trunk group, you must configure the feature on each port of the group individually. Configuring UDLD on a trunk group’s primary port enables the feature on that port only. ■ Dynamic trunking is not supported.
Enabling UDLD. UDLD is enabled on a per-port basis. For example, to enable UDLD on port a1, enter:

ProCurve(config)#interface a1 link-keepalive

To enable the feature on a trunk group, enter the appropriate port range. For example:

ProCurve(config)#interface a1-a4 link-keepalive

Note: When at least one port is UDLD-enabled, the switch will forward UDLD packets that arrive on non-UDLD-configured ports out of all other non-UDLD-configured ports in the same VLAN.
Enhancements Release M.10.09 Enhancements Notes ■ You must configure the same VLANs that will be used for UDLD on all devices across the network; otherwise, the UDLD link cannot be maintained. ■ If a VLAN ID is not specified, then UDLD control packets are sent out of the port as untagged packets. ■ To re-assign a VLAN ID, re-enter the command with the new VLAN ID number. The new command will overwrite the previous command setting.
Enhancements Release M.10.09 Enhancements Displaying Summary UDLD Information. To display summary information on all UDLD-enabled ports, enter the show link-keepalive command. For example: ProCurve(config)# show link-keepalive Total link-keepalive enabled ports: 4 Keepalive Retries: 3 Keepalive Interval: 1 sec Port 1 is UDLD-enabled, and tagged for a specific VLAN.
Displaying Detailed UDLD Status Information. To display detailed UDLD information for specific ports, enter the show link-keepalive statistics command. For example:

Ports 1 and 2 are UDLD-enabled and show the number of health check packets sent and received on each port.
Configuration Warnings and Event Log Messages

Warning Messages. The following table shows the warning messages that may be issued and their possible causes when UDLD is configured for tagged ports.

Table 6. Warning Messages caused by configuring UDLD for Tagged Ports

CLI Command Example | Warning Message | Possible Problem
link-keepalive 6 | Possible configuration problem detected on port 6. UDLD VLAN configuration does not match the port's VLAN configuration.
Release M.10.10 Enhancements

Release M.10.10 includes the following enhancement:

Spanning Tree Per-Port BPDU Filtering

The STP BPDU filter feature allows control of spanning-tree participation on a per-port basis. It can be used to exclude specific ports from becoming part of spanning tree operations. A port with the BPDU filter enabled will ignore incoming BPDU packets and stay locked in the spanning-tree forwarding state.
Caution: Ports configured with the BPDU filter mode remain active (learning and forwarding frames); however, spanning-tree cannot receive or transmit BPDUs on the port. The port remains in a forwarding state, permitting all broadcast traffic. This can create a network storm if there are any loops (that is, trunks or redundant links) using these ports. If you suddenly have a high load, disconnect the link and remove ("no") the bpdu-filter.
The show spanning-tree command has also been extended to display BPDU filtered ports.

ProCurve# show spanning-tree

 Multiple Spanning Tree (MST) Information

  STP Enabled : Yes
  Force Version : MSTP-operation
  IST Mapped VLANs : 1-7
  ...
  Protected Ports :
  Filtered Ports : A6-A7
  ....

(Callout on the Filtered Ports row: Row showing ports with BPDU filters enabled)

Figure 24.
Releases M.10.11 through M.10.12 Enhancements

Software fixes only, no new enhancements.

Release M.10.13 Enhancements

Release M.10.13 includes the following enhancement:

■ Enhancement (PR_1000354065) - Added DHCP protection feature. No additional documentation is available at this time.

Releases M.10.14 through M.10.16 Enhancements

Software fixes only, no new enhancements.

Release M.10.17 Enhancements

Release M.10.
[Figure 27. Example of BPDU Protection Enabled at the Network Edge. Diagram labels: STP Domain; Management Station; SNMP Trap; Switch; Event Log: port X is disable by STP BPDU protection; Fake STP BPDU; End User]

Terminology

BPDU — Acronym for bridge protocol data unit. BPDUs are data messages that are exchanged between the switches within an extended LAN that use a spanning tree protocol topology.
STP — Spanning Tree Protocol, part of the original IEEE 802.1D specification. The 2004 edition completely deprecates STP. Both RSTP and MSTP have fallback modes to handle STP.

SNMP — Simple Network Management Protocol, used to remotely manage network devices.

Note: The switches covered in these Release Notes use the IEEE 802.1s Multiple Spanning Tree Protocol (MSTP) standard.
Enhancements Release M.10.17 Enhancements Viewing BPDU Protection Status The show spanning-tree command has additional information on BPDU protection as shown below. ProCurve# show spanning-tree 1-10 Multiple Spanning Tree (MST) Information STP Enabled : Yes Force Version : MSTP-operation IST Mapped VLANs : 1-7 Ports with BPDU protection enabled ...
Release M.10.21 Enhancements

Software fixes only, no new enhancements.

Release M.10.22 Enhancements

Release M.10.22 includes the following enhancement:

■ Enhancement (PR_1000376406) — Loop Protection feature additions, including packet authentication, loop detected trap, and receiver port configuration.
[trap ] Allows you to configure loop protection traps. The “loop-detected” trap indicates that a loop was detected on a port.

[disable-timer <0-604800>] How long (in seconds) a port is disabled when a loop has been detected. A value of zero disables the auto re-enable functionality. Default: Timer is disabled

[transmit-interval <1-10>] Allows you to configure the time in seconds between the transmission of loop protection packets.
Enhancements Release M.10.23 Enhancements Release M.10.23 Enhancements Release M.10.23 includes the following enhancement: ■ Enhancement (PR_1000379804) — Historical information about MAC addresses that have been moved has been added to the "show tech" command output. Release M.10.24 Enhancements Release M.10.24 includes the following enhancement: ■ Enhancement (PR_1000335860) — This enhancement provides a configuration option for the source IP address field of SNMP response and generated trap PDUs.
Enhancements Release M.10.27 Enhancements Release M.10.27 Enhancements Release M.10.27 includes the following enhancement: ■ Enhancement (PR_1000374085) — This enhancement expands the use of the Controlled Directions parameter to also support MAC/Web authentication.
Enhancements Release M.10.27 Enhancements Notes: ■ The aaa port-access controlled-direction in command allows Wake-on-LAN traffic to be transmitted on a MAC-authenticated outbound port that has not yet transitioned to the authenticated state; the controlled-direction both setting prevents transmission of outbound Wake-on-LAN traffic on a MAC-authenticated port until authentication occurs.
Enhancements Release M.10.28 Enhancements Release M.10.28 Enhancements Software fixes only, no new enhancements. Release M.10.29 Enhancements Release M.10.29 includes the following enhancement: ■ Enhancement (PR_1000376626) — Enhance CLI "qos dscp-map he" help and "show dscpmap" text to warn the user that inbound classification based on DSCP codepoints only occurs if "qos type-of-service diff-services" is also configured. Release M.10.30 Enhancements Software fixes only, no new enhancements. Release M.
Enhancements Release M.10.32 Enhancements ■ The parameter specifies the type of algorithm (if any) used to hash the password. Valid values are plaintext or sha-1. ■ The parameter is the clear ASCII text string or SHA-1 hash of the password. You can enter a manager, operator, or 802.1X port-access password in clear ASCII text or hashed format.
To schedule a reload in 3 hours:
ProCurve# reload after 03:00

To schedule a reload for the same time the following day:
ProCurve# reload after 01:00:00

To schedule a reload for the same day at 12:05:
ProCurve# reload at 12:05

To schedule a reload on some future date:
ProCurve# reload at 12:05 01/01/2007

Release M.10.33 Enhancements

Release M.10.33 includes the following enhancement:

■ Enhancement (PR_1000408960) — RADIUS-Assigned GVRP VLANs.
Enhancements Release M.10.33 Enhancements ■ The port is temporarily assigned as a member of an untagged (static or dynamic) VLAN for use during the client session according to the following order of options. a. The port joins the VLAN to which it has been assigned by a RADIUS server during client authentication. b. If RADIUS authentication does not include assigning the port to a VLAN, then the switch assigns the port to the authorized-client VLAN configured for the authentication method. c.
Enhancements Release M.10.33 Enhancements When the authentication session ends, the switch removes the temporary untagged VLAN assignment and re-activates the temporarily disabled, untagged VLAN assignment. ■ If GVRP is already enabled on the switch, the temporary untagged (static or dynamic) VLAN created on the port for the authentication session is advertised as an existing VLAN.
Figure 8. Example of an Active VLAN Configuration

In Figure 8, if RADIUS authorizes an 802.1X client on port A2 with the requirement that the client use VLAN 22, then:

■ VLAN 22 becomes available as Untagged on port A2 for the duration of the session.
■ VLAN 33 becomes unavailable to port A2 for the duration of the session (because there can be only one untagged VLAN on any port).
Enhancements Release M.10.33 Enhancements Figure 10. Active Configuration for VLAN 33 Temporarily Drops Port 22 for the 802.1X Session When the 802.1X client session on port A2 ends, the port removes the temporary untagged VLAN membership. The static VLAN (VLAN 33) that is “permanently” configured as untagged on the port becomes available again. Therefore, when the RADIUS-authenticated 802.
Enabling the Use of GVRP-Learned Dynamic VLANs in Authentication Sessions

Syntax: aaa port-access gvrp-vlans

Enables the use of dynamic VLANs (learned through GVRP) in the temporary untagged VLAN assigned by a RADIUS server on an authenticated port in an 802.1X, MAC, or Web authentication session. Enter the no form of this command to disable the use of GVRP-learned VLANs in an authentication session.
Enhancements Release M.10.34 Enhancements

3. If you disable the use of dynamic VLANs in an authentication session using the no aaa port-access gvrp-vlans command, client sessions that were authenticated with a dynamic VLAN continue and are not deauthenticated. (This behavior differs from how static VLAN assignment is handled in an authentication session. If you remove the configuration of the static VLAN used to create a temporary client session, the 802.
Enhancements Release M.10.35 Enhancements Release M.10.35 Enhancements Release M.10.35 includes the following enhancement: ■ Enhancement (PR_1000419928) — The Dynamic ARP Protection feature was added. Dynamic ARP Protection Introduction On the VLAN interfaces of a routing switch, dynamic ARP protection ensures that only valid ARP requests and responses are relayed or used to update the local ARP cache.
Enhancements Release M.10.35 Enhancements • If a binding is invalid, the switch drops the packet, preventing other network devices from receiving the invalid IP-to-MAC information. DHCP snooping intercepts and examines DHCP packets received on switch ports before forwarding the packets. DHCP packets are checked against a database of DHCP binding information. Each binding consists of a client MAC address, port number, VLAN identifier, leased IP address, and lease time.
Enhancements Release M.10.35 Enhancements Configuring Trusted Ports In a similar way to DHCP snooping, dynamic ARP protection allows you to configure VLAN interfaces in two categories: trusted and untrusted ports. ARP packets received on trusted ports are forwarded without validation. By default, all ports on a switch are untrusted. If a VLAN interface is untrusted: ■ The switch intercepts all ARP requests and responses on the port.
To configure one or more Ethernet interfaces that handle VLAN traffic as trusted ports, enter the arp protect trust command at the global configuration level. The switch does not check ARP requests and responses received on a trusted port.

Syntax: [no] arp protect trust < port-list >

port-list: Specifies a port number or a range of port numbers. Separate individual port numbers or ranges of port numbers with a comma; for example: c1-c3, c6.
An example of the ip source binding command is shown here:

ProCurve(config)# ip source binding 0030c1-7f49c0 interface vlan 100 10.10.20.1 interface A4

Note: The ip source binding command is the same command used by the Dynamic IP Lockdown feature to configure static bindings. The Dynamic ARP Protection and Dynamic IP Lockdown features share a common list of source IP-to-MAC bindings.
Verifying the Configuration of Dynamic ARP Protection

To display the current configuration of dynamic ARP protection, including the additional validation checks and the trusted ports that are configured, enter the show arp protect command:

ProCurve(config)# show arp protect

 ARP Protection Information

 Enabled Vlans : 1-4094
 Validate : dst-mac, src-mac

 Port  Trust
 ----- -----
 B1    Yes
 B2    Yes
 B3    No
 B4    No
 B5    No

Figure 13.
Enhancements Release M.10.36 Enhancements Monitoring Dynamic ARP Protection When dynamic ARP protection is enabled, you can monitor and troubleshoot the validation of ARP packets with the debug arp protect command. Use this command when you want to debug the following conditions: ■ The switch is dropping valid ARP packets that should be allowed. ■ The switch is allowing invalid ARP packets that should be dropped. ProCurve(config)# debug arp protect 1.
Enhancements Release M.10.37 Enhancements Configuring MSTP Port Connectivity Parameters With release K.12.04, all ports are configured as auto-edge-ports by default, and the spanning tree edge-port option has been removed. This section describes selected spanning-tree command parameters for enhanced operation. Basic port connectivity parameters affect spanning-tree links at the global level.
Enhancements Release M.10.37 Enhancements [root-guard] MSTP only. When a port is enabled as root-guard, it cannot be selected as the root port even if it receives superior STP BPDUs. The port is assigned an “alternate” port role and enters a blocking state if it receives superior STP BPDUs. The BPDUs received on a root-guard port are ignored. All other BPDUs are accepted and the external devices may belong to the spanning tree as long as they do not claim to be the Root device.
Enhancements Release M.10.38 Enhancements point-to-point-mac This parameter informs the switch of the type of device to which a specific port connects. True (default): Indicates a point-to-point link to a device such as a switch, bridge, or end-node. False: Indicates a connection to a hub (which is a shared LAN segment). Auto: Causes the switch to set False on the port if it is not running at full duplex. (Connections to hubs are half-duplex.) priority < 0..
Enhancements Release M.10.38 Enhancements Send SNMP v2c Informs Enabling and Configuring SNMP Informs You can use the snmp-server informs command (SNMPv2c and SNMPv3 versions) to send notifications when certain events occur. When an SNMP Manager receives an informs request, it can send an SNMP response back to the sending agent. This lets the agent know that the informs request reached its destination and that traps can be sent successfully to that destination.
Enhancements Release M.10.39 Enhancements Select whether SNMP traps or informs are sent to this management station. For more information on SNMP informs, see “Enabling and Configuring SNMP Informs” on page 119. [version <1 | 2c | 3>] Select the version of SNMP being used. Note: SNMP informs are supported on version 2c or 3 only. [] Options for sending switch Event Log messages to a trap receiver.
Enhancements Release M.10.39 Enhancements ■ Enhancement (PR_1000428213) — This software enhancement adds the ability to configure a secondary authentication method to be used when the RADIUS server is unavailable for the primary port-access method. RADIUS Server Unavailable Overview In certain situations, RADIUS servers can become isolated from the network. Users are not able to access the network resources configured with RADIUS access protection and are rejected.
Enhancements Release M.10.39 Enhancements You can configure local, chap-radius or eap-radius as the primary password authentication method for the port-access method. You also need to select none or authorized as a secondary, or backup, method. Syntax: aaa authentication port-access Configures local, chap-radius, or eap-radius as the primary password authentication method for port-access. The default primary authentication is local.
Enhancements Release M.10.
■ Enhancement (PR_1000415155) — The ARP age timer was enhanced from the previous limit of 240 minutes to allow for configuration of values up to 1440 minutes (24 hours) or "infinite" (99,999,999 seconds or 3.2 years).

ARP Age Timer Increase

The ARP age is the amount of time the switch keeps a MAC address learned through ARP in the ARP cache.
You can also view the value of the ARP age timer in the configuration file.

ProCurve(config)# show running-config

Running configuration:

; J9091A Configuration Editor; Created on release #K.12.XX

hostname "8200LP"
module 2 type J8702A
module 3 type J8702A
module 4 type J8702A
ip default-gateway 15.255.120.1
ip arp-age 1000
snmp-server community "public" Unrestricted
snmp-server host 16.180.1.
Enhancements Release M.10.40 Enhancements If the ARP cache should become full because entries are not cleared (due to increased timeout limits) you can use the clear arp command to remove all non-permanent entries in the ARP cache. To remove a specific entry in the ARP cache, enter this command: Syntax: [no] arp IP-ADDRESS Allows removal of any dynamic entry in the ARP cache. Release M.10.40 Enhancements Software fixes only, no new enhancements. Release M.10.
Enhancements Release M.10.43 Enhancements Protection Against IP Source Address Spoofing Many network attacks occur when an attacker injects packets with forged IP source addresses into the network. Also, some network services use the IP source address as a component in their authentication schemes. For example, the BSD “r” protocols (rlogin, rcp, rsh) rely on the IP source address for packet authentication. SNMPv1 and SNMPv2c also frequently use authorized IP address lists to limit management access.
Enhancements Release M.10.43 Enhancements Prerequisite: DHCP Snooping Dynamic IP lockdown requires that you enable DHCP snooping as a prerequisite for its operation on ports and VLAN traffic: ■ Dynamic IP lockdown only enables traffic for clients whose leased IP addresses are already stored in the lease database created by DHCP snooping or added through a static configuration of an IP-to-MAC binding.
In this example, the following DHCP leases have been learned by DHCP snooping on port 5. VLANs 2 and 5 are enabled for DHCP snooping.

IP Address  MAC Address    VLAN ID
10.0.8.5    001122-334455  2
10.0.8.7    001122-334477  2
10.0.10.3   001122-334433  5

Figure 17. Sample DHCP Snooping Entries

The following example shows an IP-to-MAC address and VLAN binding that have been statically configured in the lease database on port 5.

IP Address  MAC Address  VLAN ID
10.
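A small model of the binding list that dynamic ARP protection (described earlier in these notes) and dynamic IP lockdown share, loaded with the DHCP snooping sample entries above. This is an added example, not switch code; the class and function names are hypothetical, the static entry and the trusted and lockdown port sets are constructed, and matching on VLAN, port and MAC for lockdown is an assumption about how a binding is compared.

```python
from dataclasses import dataclass


def norm_mac(mac):
    """Reduce 001122-334455, 00:11:22:33:44:55 etc. to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str
    static: bool = False   # True for an entry added by static configuration


class BindingTable:
    """Model of the IP-to-MAC binding list shared by both features."""

    def __init__(self, trusted_ports=(), lockdown_ports=()):
        self.trusted = set(trusted_ports)      # ARP is not validated on these
        self.lockdown = set(lockdown_ports)    # dynamic IP lockdown enabled here
        self._entries = {}                     # (vlan, ip) -> Binding

    def add(self, ip, mac, vlan, port, static=False):
        self._entries[(vlan, ip)] = Binding(ip, norm_mac(mac), vlan, port, static)

    def check_arp(self, port, vlan, sender_ip, sender_mac):
        """Dynamic ARP protection: validate sender IP-to-MAC on untrusted ports."""
        if port in self.trusted:
            return True, "trusted port, forwarded without validation"
        entry = self._entries.get((vlan, sender_ip))
        if entry is None:
            return False, "no binding for sender IP"
        if entry.mac != norm_mac(sender_mac):
            return False, "sender MAC does not match binding"
        return True, "binding valid"

    def check_ip_source(self, port, vlan, src_ip, src_mac):
        """Dynamic IP lockdown: permit only traffic that matches a binding."""
        if port not in self.lockdown:
            return True, "lockdown not enabled on port"
        entry = self._entries.get((vlan, src_ip))
        if entry is None:
            return False, "no binding for source IP"
        if entry.port != port or entry.mac != norm_mac(src_mac):
            return False, "binding belongs to another port or MAC"
        return True, "binding valid"


def sample_table():
    # Port B1 as a trusted uplink and lockdown on ports 5 and 6 are constructed.
    table = BindingTable(trusted_ports={"B1"}, lockdown_ports={"5", "6"})
    # Leases from the DHCP snooping sample in these notes (learned on port 5).
    table.add("10.0.8.5", "001122-334455", 2, "5")
    table.add("10.0.8.7", "001122-334477", 2, "5")
    table.add("10.0.10.3", "001122-334433", 5, "5")
    # Constructed static entry (not from the page), as a static binding would add.
    table.add("10.0.10.50", "001122-334499", 5, "5", static=True)
    return table


if __name__ == "__main__":
    t = sample_table()
    print(t.check_arp("5", 2, "10.0.8.5", "00:11:22:33:44:66"))
    print(t.check_ip_source("6", 2, "10.0.8.5", "001122-334455"))
```

The model makes the dependency visible: a client whose lease is missing from the DHCP snooping database is dropped by both features until a lease is learned or a static binding is added.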
Enabling Dynamic IP Lockdown

To enable dynamic IP lockdown on all ports or specified ports, enter the ip source-lockdown command at the global configuration level. Use the no form of the command to disable dynamic IP lockdown.

Syntax: [no] ip source-lockdown [port-list]

Enables dynamic IP lockdown globally on all ports or on specified ports on the routing switch.
Enhancements Release M.10.43 Enhancements • Remove the trusted-port configuration. ■ You can configure dynamic IP lockdown only from the CLI; this feature cannot be configured from the Web management or menu interface. ■ If you enable dynamic IP lockdown on a port, you cannot add the port to a trunk. ■ Dynamic IP lockdown must be removed from a trunk before the trunk is removed.
Enhancements Release M.10.43 Enhancements Adding a Static Binding To add the static configuration of an IP-to-MAC binding for a port to the lease database, enter the ip source-binding command at the global configuration level. Use the no form of the command to remove the IP-to-MAC binding from the database.
Enhancements Release M.10.43 Enhancements An example of the show ip source-lockdown status command output is shown in Figure 20. Note that the operational status of all switch ports is displayed. This information indicates whether or not dynamic IP lockdown is supported on a port.
Enhancements Release M.10.43 Enhancements ProCurve(config)# show ip source-lockdown bindings Dynamic IP Lockdown (DIPLD) Bindings Mac Address ----------001122-334455 005544-332211 . . . . . . . . Figure 21. IP Address VLAN Port -----------------10.10.10.1 1111 X11 10.10.10.2 2222 Trk11 . . . . . . . . . . . . . . . . Not in HW --------YES . . .
Enhancements Release M.10.44 through M.10.64 Enhancements ProCurve(config)# debug dynamic-ip-lockdown DIPLD (PORT DIPLD (PORT DIPLD (PORT DIPLD (PORT DIPLD (PORT DIPLD (PORT DIPLD (PORT DIPLD (PORT DIPLD (PORT DIPLD (PORT DIPLD (PORT DIPLD (PORT DIPLD (PORT 01/01/90 00:01:25 4) -> 192.168.2.1 01/01/90 00:06:25 4) -> 192.168.2.1 01/01/90 00:11:25 4) -> 192.168.2.1 01/01/90 00:16:25 4) -> 192.168.2.1 01/01/90 00:21:25 4) -> 192.168.2.1 01/01/90 00:26:25 4) -> 192.168.2.1 01/01/90 00:31:25 4) -> 192.168.2.
Enhancements Release M.10.65 Enhancements Release M.10.65 Enhancements Release M.10.65 includes the following enhancement: ■ Enhancement (PR_0000001316) — The MSTP VLAN Assignment is enhanced. MSTP VLAN Configuration Enhancement Caution When this software version is installed, the prior VLAN ID-to-MSTI mappings do not change. However, this enhancement is not backward-compatible.
Enhancements Release M.10.65 Enhancements All switches in a region must be configured with the same VLAN ID-to-MSTI mappings and the same MSTP configuration identifiers (region name and revision number). ■ Flexibility: By preconfiguring identical VLAN ID-to-MSTI mappings on all switches in an MST region, you can combine switches that support different maximum numbers of VLANs.
Enhancements Release M.10.65 Enhancements Each MST instance supports a different set of VLANs. A VLAN that is mapped to an MST instance cannot be a member of another MST instance. The MSTP VLAN Configuration enhancement allows you to ensure that the same VLAN ID-to-MSTI assignments exist on each MSTP switch in a region. Before a static VLAN is configured or a dynamic VLAN is learned on the switch, you can use the spanning-tree instance vlan command to map VLANs to each MST instance in the region.
ProCurve(config)# show spanning-tree mst-config

 MST Configuration Identifier Information

  MST Configuration Name: MSTP1
  MST Configuration Revision: 1
  MST Configuration Digest: 0x51B7EBA6BEED8702D2BA4497D4367517

  IST Mapped VLANs :

  Instance ID  Mapped VLANs
  -----------  ------------
  1            1-10

Figure 23.
Enhancements Release M.10.66 Enhancements ■ If you enter the spanning-tree instance vlan command before a static or dynamic VLAN is configured on the switch to preconfigure VLAN ID-to-MSTI mappings, no error message is displayed. Later, each newly configured VLAN that has already been associated with an MSTI is automatically assigned to the MSTI.
Enhancements Release M.10.66 Enhancements Adding a Description for a Syslog Server You can associate a user-friendly description with each of the IP addresses (IPv4 only) configured for syslog using the CLI or SNMP. The CLI command is: Syntax: logging control-descr ] no logging [control-descr] An optional user-friendly description that can be associated with a server IP address. If no description is entered, this is blank.
Enhancements Release M.10.66 Enhancements ProCurve(config)# logging priority-descr severe-pri Figure 30. Example of the Logging Command with a Priority Description Note A notification is sent to the SNMP agent if there are any changes to the syslog parameters either through the CLI or with SNMP. Command Differences for the ProCurve Series 2600/2800/3400cl/6400cl Switches CLI Commands.
Release M.10.67 Enhancements

Software fixes only, no new enhancements.

Release M.10.68 Enhancements

Release M.10.68 includes the following enhancement:

■ Enhancement (PR_0000003127) — A Link Trap and LACP Global enable/disable feature has been added.

LACP and Link Traps Global Disable

Two SNMP commands are added to allow disabling of LACP and link traps on multiple ports at one time.
hpSwitchLinkUpDownTrapAllPortsStatus OBJECT-TYPE
    SYNTAX INTEGER {
        enable (1),
        disable (2)
    }
    ACCESS read-write
    STATUS current
    DESCRIPTION "Used to either enable/disable the Link Up/Link Down traps for all the ports."
    ::= { hpSwitchPortConfig 3 }

Release M.10.69 Enhancements

Release M.10.69 includes the following enhancement (Not a public release).
Software Fixes in Release M.08.51 - M.10.72

Software fixes are listed in chronological order, oldest to newest. To review the list of fixes included since the last general release that was published, go to “Release M.10.21” on page 165.

Unless otherwise noted, each new release includes the software fixes added in all previous releases.

Release M.08.51 was the first software release for the HP ProCurve 3400cl Series. Release M.08.
2. In show CDP the Yes is changed to Yes,(Receive Only).
■ CLI (PR_1000192677) — Show access-list ports does not list the all keyword. The command only shows [PORT-LIST] as input for the command.
■ Console/TELNET (PR_1000195647) — When a console or TELNET session hangs, issuing the 'kill' command also hangs.
■ Crash (PR_1000193582) — Software Exception when clicking on the Identity Tab of a Member Switch in the Web user interface.
■ Web UI (PR_1000177915) — Device View from the Web user interface is missing.
■ Web UI/Port Security (PR_1000195894) — The Web user interface does not allow the user to select multiple ports when configuring port-security.

Release M.08.62

Problems Resolved in Release M.08.62
■ Crash (PR_1000207542) — The switch may crash with a bus error or task hang.
Release M.08.64

Problems Resolved in Release M.08.64 (Not a general release)
■ IP Routing (PR_1000220668) — Fatal exception when routing with more than 8 trunks configured and IP routing enabled.

Release M.08.65

Problems Resolved in Release M.08.65 (Never released)
■ Crash (PR_1000194486) — The switch may crash with a message similar to:
    Software exception at bcm 1 CpuLearn.c:1308.
Release M.08.68

Problems Resolved in Release M.08.68 (Not a general release)
■ Switching (PR_1000232312) — In cases where traffic is being L2 switched or L3 routed from one port at Gigabit speeds to a group of ports (i.e. to a VLAN) where one of the outbound ports is running at a slower speed, traffic may have been dropped even to egress ports running at Gigabit speeds. This PR addresses the dropped packets for the Gig-to-Gig port traffic.
■ Port Security (PR_1000203984) — CLI port-security "mac-address" command will save address above the limit.
■ SNMP (PR_1000212170) — The Switch transmits Warm and Cold Start traps with an agent address of 0.0.0.0.
■ Spanning Tree (PR_1000214598) - The switch will not accept the spanning-tree 1 mode fast command within the CLI.
■ System Hang (PR_1000200341) - Added an exception handler to prevent a case where the system may hang.
■ LLDP (PR_1000241315) — CLI command "show LLDP" does not display information correctly.
■ Web Auth (PR_1000230444) — Using port-based web authentication on the Switch will cause some users to never receive the web authentication screen. This occurs if a client receives the same unauthenticated DHCP address that a previous authorized client has used.
■ 802.1s (PR_1000233920) — 802.1s (MSTP) blocks a port that is connected to an RSTP device.
Release M.08.75

Problems Resolved in Release M.08.75
■ LR optic (PR_1000282195) — After a switch reboot, certain 10GbE X2-SC LR Optic (J8437A) transceivers will lose their configuration. The administrator will be unable to turn off LACP, and CLI commands will not be displayed.
Release M.08.78

Problems Resolved in Release M.08.78 (Not a general release)
■ Enhancement (PR_1000291806) — Fast boot enhancement.
■ MSTP (PR_1000286883) — Slow MSTP fail-over and fall-back time.

Release M.08.79

Problems Resolved in Release M.08.79 (Not a general release)
■ Fault (PR_1000089786) — Chassis fault LED stops blinking after a new OS image was downloaded to the switch.
■ RSTP (PR_1000300623) — Under some circumstances, the switch may allow packets to loop for an extended period of time.

Release M.08.83

Problems Resolved in Release M.08.83 (Not a general release)
■ Crash (PR_1000297510) — When using the Web User Interface and the switch is set as commander for stacking, the switch may crash.
■ Event Log/ARP (PR_1000293466) — Generic Link Up message not showing up and unnecessary flushing of ARP cache.
■ SNMP (PR_1000295753) — Removing 'public' SNMP community generates an empty Event Log message.

Release M.08.87

Problems Resolved in Release M.08.87 (Not a general release)
■ Crash/STP (PR_1000307280) — Inconsistent or incorrect STP data may cause the switch to crash with a message similar to:
    Software exception at stp_mib.c:248 -- in 'mSnmpCtrl', task ID = 0x12d14b8\n-> ASSERT: failed.
• RADIUS Configuration via SNMP. For details refer to “Using SNMP To View and Configure Switch Authentication Features” on page 35.
■ Port Security (PR_1000304202) — The port-security MAC address learn mode does not function correctly between 'port-security' ports.
■ SNMP (PR_1000310841) — User can assign illegal values for CosDSCPPolicy through SNMP. All other user-interfaces for configuring QoS function correctly.

Release M.08.
Release M.08.93

Problems Resolved in Release M.08.93 (Not a general release)
■ Help (PR_1000317711) — In the VLAN menu Help text, the word 'default' is spelled incorrectly.
■ RSTP (PR_1000307278) — Replacing an 802.1D bridge device with an end node (non-STP device) on the same Switch port, can result in the RSTP Switch sending TCNs.
■ SNMP (PR_1000315054) — SNMP security violations appear in syslog after a valid SNMPv3 “get” operation.
Release M.08.97

Problems Resolved in Release M.08.97 (Never released)
■ OSPF (PR_1000319678) — Switch does not accept IP fragmented OSPF packets.

Release M.10.01

Note: The M.10.xx software releases run only on the ProCurve 3400cl series.

Problems Resolved in Release M.10.01 (Not a general release)
■ Boot ROM/X-Modem (PR_1000327175) - Boot ROM I.08.
■ sFlow (PR_1000321195) — A network management application may incorrectly report spikes in traffic when sFlow is first re-enabled.

Release M.10.04

Problems Resolved in Release M.10.04 (Never released)
■ Enhancement (PR_1000330743) — Denial of Service logging enhancement with implementation of Instrumentation Monitor. See “Instrumentation Monitor” on page 70 for details.
■ Enhancement (PR_1000331027) — TCP/UDP port closure feature added.
■ Stacking (PR_1000311510) — When stacking is enabled, a stack member cannot be ‘pinged’ using the stack number.
■ STP (PR_1000335141) — The output of the 'show span' CLI command displays a numeral in the 'Type' column, as opposed to terms such as "10/100T".
■ Enhancement (PR_1000309540) — Added support for the J8440B 10-GbE X2-CX4 Transceiver.
Release M.10.09

Problems Resolved in Release M.10.09
■ CLI (PR_1000317554) — The show version command does not display full minor version if it's three digits.
■ Counters (PR_1000327308) — 10gig port in xSTP blocking mode will increment RX drops on broadcast packets.
Release M.10.11

Problems Resolved in Release M.10.11
■ Crash (PR_1000336436) — A “get/put” operation on config file via SCP crashes the box with an error message similar to:
    Software exception at ssh_alarm.c:304 -- in 'mSshAlrm', task ID = 0x6132588 -> ASSERT: failed.
■ Transceiver (PR_1000349320) — CX4 ports lose configs; "show int config" shows an empty slot rather than CX4.

Release M.10.12

Problems Resolved in Release M.10.
Release M.10.14

Problems Resolved in Release M.10.14
■ CLI (PR_1000342461) — Command “show lldp info remote " reports incorrect information for remote management address.
■ LACP (PR_1000352012) — LACP state change does not properly reset 10Gig port. Communication through port fails until the port is toggled.
■ LLDP (PR_1000310666) — The 'show lldp' command does not display information learned from CDPv2 packets.
■ DHCP Protection (PR_1000360273) — DHCP Lease renewal packets received on an untrusted port are dropped.
■ DHCP Protection (PR_1000360254) — An entry with an expired lease is not removed from the binding table.
■ Link Failure (PR_1000361488) — The J8440B version 10-GbE X2-CX4 may not initialize correctly, causing link failure.
■ Enhancement (PR_1000358900) — A RADIUS accounting enhancement was made. More information about this enhancement will be made available in a future update.

Release M.10.21

Problems Resolved in Release M.10.21 (Not a general release)
■ Crash (PR_1000368540) — The switch may crash with a message similar to:
    Software exception at parser.c:8012 -- in 'mSess2', task ID = 0x90e10e0 -> ASSERT: failed.
Release M.10.23

Problems Resolved in Release M.10.23 (Never released)
■ Crash (PR_1000362248) — While attempting to configure "qos type-of-service diff-services" the switch may crash with a message similar to:
    Assertion failed: !VALUE_TOO_BIG_FOR_FIELD, file drvmem.c, line 184.
■ STP/RSTP/MSTP (PR_1000386113) — In some cases STP/RSTP/MSTP may allow a loop on 10-Gig ports, resulting in a broadcast storm.

Release M.10.26

Problems Resolved in Release M.10.26 (Not a general release)
■ Enhancement (PR_1000381681) — This enhancement added eavesdrop protection - the ability to filter unknown Destination IP Address (DA) traffic.
■ MSTP (PR_1000385573) — MSTP instability when root switch priority is changed.
Release M.10.28

Problems Resolved in Release M.10.28 (Not a general release)
■ CLI/LLDP (PR_1000377191) — Output from the CLI command, "show lldp info remote-device " shows a blank field for the chassis ID.
■ CLI (PR_1000390970) — The command "tftp-enable" is removed from the CLI since that functionality is served by "tftp server|client".
■ Transceiver hotswap (PR_1000390888) — Transceiver hotswap issues:
  • Simultaneous hotswap of transceivers on both dual-personality ports will only detect a single change.
  • After certain transceiver hotswaps, the in/out LED indicator will not match the current status of the transceiver.
  • Unsupported mini-GBICs hotswapped out of dual personality ports will leave the transceiver in an unknown state of partially inserted.
■ RIP (PR_1000393366) — The switch does not process RIP (v2) responses containing subnets with a classful subnet mask, when the receiving RIP switch has a connected VLSM network defined that would fall within that classful range.
■ Enhancement (PR_1000372989) — This enhancement enables the user to set the operator/manager username/password via SNMP.

Release M.10.32

Problems Resolved in Release M.10.
■ Crash (PR_1000407542) — Attempting to change the spanning-tree protocol version from STP to RSTP or MSTP may cause the switch to crash with a message similar to:
    PPC Bus Error exception vector 0x300: Stack-frame=0x063d5de0 HW Addr=0x4b5a697c IP=0x0064c648 Task='mSnmpCtrl'
■ QoS (PR_1000370895) — Once the maximum number of QoS resources is reached, it cannot be cleared without a reboot. The CLI warning message, “Unable to add this QoS rule.
■ BPDU Protection (PR_1000395569) — BPDU-protection fails after module hot-swap.
■ Enhancement (PR_1000419928) — The Dynamic ARP Protection feature was added.
■ IP Connectivity (PR_1000418378) — The switch incorrectly updates its ARP table when a client that is configured with a valid IP address for a valid VLAN, is connected to a port in another VLAN on the switch.
Release M.10.39

Problems Resolved in Release M.10.39
■ Enhancement (PR_1000428213) — This software enhancement adds the ability to configure a secondary authentication method to be used when the RADIUS server is unavailable for the primary port-access method.
■ SCP (PR_1000428142) — The switch does not exit a secure copy protocol (SCP) session properly.

Release M.10.42

No Problems Resolved in Release M.10.42 (Never Released)

Release M.10.43

Problems Resolved in Release M.10.43 (Never Released)
■ CLI (PR_1000413734) — MDI/MDIX information shows "N/A" in the CLI output of the command show int brief. It should show either MDI or MDIX.
Release M.10.45

Problems Resolved in Release M.10.45 (Not a Public Release)
■ Web-UI (PR_1000416955) — Inserting an LH GBIC into dual personality ports results in the LH ports not appearing in the device view.
■ Meshing (PR_1000453201) — Concurrent use of meshing and spanning tree may result in instability in spanning tree, with chronic root bridge transitions every 20 to 40 seconds.
  • The switch does not send an appropriate exit status message to the client. This corrects the symptom that occurs in some applications, which reports a message similar to:
      Fatal error: Server unexpectedly closed connection.
  • The SSH client application does not get a command prompt (or equivalent) back from the switch until the OS is verified and burned to flash.
Routed traffic is off by a factor of 1000
Switched traffic is not sampled at all
■ Security (PR_1000388616) — Possible cross-site scripting vulnerability in Web Management Interface.
■ Config (PR_1000763386) — An SNMPv3 user is not reflected in startup config as it should be. This is an additional fix for PR_1000750637.
■ Authentication (PR_1000454714) — Concurrent 802.1X and MAC Authentication does not give the 802.1X value precedence. This fix gives 802.1X VLAN assignment precedence over MAC Auth RADIUS VLAN assignment.
■ Web Management (PR_1000760153) — A Java error occurs when viewing "Stack Closeup" in the Web Management interface. Only a blank screen is displayed.
■ CLI (1000415243) — Output from the CLI command show name still lists 10-GbE transceiver names, even after the transceivers are removed and replaced with another type of transceiver.
■ CLI (PR_1000430534) — Output from the show port-access mac-based CLI command may omit connected clients.
■ Enhancement (0000000818) — Enhancement to allow syslog configuration via SNMP. For more information, see “Release M.10.66 Enhancements” on page 140.
■ Crash (PR_0000004023) — Repeated PCM configuration scans using SSH/SCP may cause the switch to crash with a message similar to the following.
    PPC Data Storage (Bus Error) exception vector 0x300: Stack Frame=0x07af44c0 HW Addr=0x6520463a IP=0x00965a88 Task='tSsh0' Task ID=0x7af4810

Release M.10.68

Problems Resolved in Release M.10.
■ PC Phone/Authentication (PR_0000007209) — When an IP phone is used in tandem with a PC connected to the phone, if the phone is moved to a tagged VLAN, some phone manufacturers send some traffic to the switch untagged. This may result in traffic disruption including the PC not being allowed to authenticate.
■ Dynamic ARP Protection (PR_0000009942) — When a switch using Dynamic ARP Protection is rebooted, it blocks all ARP traffic on untrusted ports, including traffic considered valid according to the binding database. On trusted ports, traffic flows normally. Workarounds: either disable / re-enable ARP protect, or configure ports to be trusted, and then untrusted again.
■ 802.1X Authentication (PR_0000011718) — When an 802.
Release M.10.71

Problems Resolved in Release M.10.71 (Not a Public Release)
■ 802.1X (PR_0000014842) — If an invalid number of characters are used at the CLI for the command aaa port-access supplicant secret, the CLI returns an error message that references the wrong port number for the supplicant being configured.
■ Config (PR_0000005002) — If a friendly port name uses the characters TRUNK=, then after a reload, all the trunking configuration will have been removed from the configuration.
■ GVRP (PR_0000012224) — Changing the GVRP unknown-vlan state from 'block' to 'learn' and vice versa stops all GVRP advertisements from that interface until the interface is disabled and then re-enabled.
Message 2 (when an unauth-vid config is attempted on a port with an existing 802.1X unauth-vid):
    Configuration change denied for port .Only Web or MACauthenticator can have unauthenticated VLAN enabled if 802.1X authenticator is enabled on the same port. Please remove the unauthenticated VLAN from 802.