Release Notes: Version Y.11.16 Software for the ProCurve 2510G-24 and 2510G-48 Switches

Releases Y.11.01 through Y.11.16 support these switches:

■ ProCurve Switch 2510G-24 (J9279A)
■ ProCurve Switch 2510G-48 (J9280A)

These release notes include information on the following:

■ Downloading Switch Documentation and Software from the Web
■ Enforcing Switch Security
■ Known Issues
■ Software enhancements available in releases Y.11.01 through Y.11.
© Copyright 2008-2010 Hewlett-Packard Development Company, LP. The information contained herein is subject to change without notice.

Publication Number
Part Number 5992-3098
February 2010

Applicable Product
ProCurve Switch 2510G-24 (J9279A)
ProCurve Switch 2510G-48 (J9280A)

Trademark Credits
Microsoft®, Windows®, and Windows NT® are US registered trademarks of Microsoft Corporation. Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated. Java™ is a US trademark of Sun Microsystems, Inc.
Contents

Software Management
    Software Updates
    Downloading Switch Documentation and Software from the Web
    Downloading Software to the Switch
        TFTP Download from a Server
        Xmodem Download From a PC or Unix Workstation

Enhancements
    Release Y.11.01 Enhancements
    Release Y.11.02 Enhancements
    Release Y.11.03 Enhancements
    Release Y.11.04 through Y.11.06 Enhancements

    Release Y.11.14
    Release Y.11.15
    Release Y.11.16
Software Management

Software Updates

Check the ProCurve Networking Web site frequently for software updates for the various ProCurve switches you may have in your network.

Downloading Switch Documentation and Software from the Web

You can download software updates and the corresponding product documentation from HP’s ProCurve web site as described below.

To Download a Software Version:

1. Go to the ProCurve Networking Web site at: http://www.procurve.com.
2.
Downloading Software to the Switch

Caution: The startup-config file generated by the latest software release may not be backward-compatible with the same file generated by earlier software releases.

HP periodically provides switch software updates through the ProCurve Networking Web site (http://www.procurve.com).
TFTP Download from a Server

Syntax: copy tftp flash < ip-address > < remote-os-file > [< primary | secondary >]

Note that if you do not specify the flash destination, the TFTP download defaults to the primary flash.

For example, to download a software file named Y_11_01.swi from a TFTP server with the IP address of 10.28.227.103:

1. Execute the copy command as shown below:

    ProCurve # copy tftp flash 10.28.227.103 Y_11_01.swi
    The primary OS image will be deleted.
Xmodem Download From a PC or Unix Workstation

This procedure assumes that:

■ The switch is connected via the Console RS-232 port to a PC operating as a terminal. (Refer to the Installation Guide you received with the switch for information on connecting a PC as a terminal and running the switch console interface.)
■ The switch software is stored on a disk drive in the PC.
■ The terminal emulator you are using includes the Xmodem binary transfer feature.
Saving Configurations While Using the CLI

The switch operates with two configuration files:

■ Running-Config File: Exists in volatile memory and controls switch operation. Rebooting the switch erases the current running-config file and replaces it with an exact copy of the current startup-config file. To save a configuration change, you must save the running configuration to the startup-config file.
ProCurve Switch, Routing Switch, and Router Software Keys

Software Letter   ProCurve Networking Products
C                 1600M, 2400M, 2424M, 4000M, and 8000M
CY                Switch 8100fl Series (8108fl and 8116fl)
E                 Switch 5300xl Series (5304xl, 5308xl, 5348xl, and 5372xl)
F                 Switch 2500 Series (2512 and 2524), Switch 2312, and Switch 2324
G                 Switch 4100gl Series (4104gl, 4108gl, and 4148gl)
H                 Switch 2600 Series, Switch 2600-PWR S
Software Letter   ProCurve Networking Products
WM                ProCurve Access Point 10ag
WS                ProCurve Wireless Edge Services xl Module and the ProCurve Redundant Wireless Services xl Module
WT                ProCurve Wireless Edge Services zl Module and the ProCurve Redundant Wireless Services zl Module
Y                 Switch 2510G Series (2510G-24 and 2510G-48)
Z                 ProCurve 6120G/XG and 6120XG Blade Switches
numeric           Switch 9408sl, Switch 9300 Series (9304M, 9308M, and 9315
Minimum Software Versions

For the ProCurve 2510G-24 and 2510G-48 Switches and Hardware Features

ProCurve Device                                   Minimum Supported Software Version
ProCurve 100-BX-D SFP-LC Transceiver (J9099B)     Y.11.03
ProCurve 100-BX-U SFP-LC Transceiver (J9100B)     Y.11.03
ProCurve 1000-BX-D SFP-LC Mini-GBIC (J9142B)      Y.11.03
ProCurve 1000-BX-U SFP-LC Mini-GBIC (J9143B)      Y.11.
Enforcing Switch Security

ProCurve switches are designed as “plug and play” devices, allowing quick and easy installation in your network. However, when preparing the switch for network operation, ProCurve strongly recommends that you enforce a security policy to help ensure that the ease in getting started is not used by unauthorized persons as an opportunity for access and possible malicious actions.
Switch Management Access Security

It is important to evaluate the level of management access vulnerability existing in your network and take steps to ensure that all reasonable security precautions are in place. This includes both configurable security options and physical access to the switch hardware.

Local Manager Password

In the default configuration, there is no password protection.
SNMP Access (Simple Network Management Protocol)

In the default configuration, the switch is open to access by management stations running SNMP management applications capable of viewing or changing usernames, passwords, configuration, and status data in the switch’s MIB (Management Information Base). Thus, controlling SNMP access to the switch and preventing unauthorized SNMP access should be a key element of your network security strategy.
Note on SNMP Access to Local Authentication MIB Objects

Downloading and booting U.11.04 or later software versions for the first time enables SNMP access to the switch’s local authentication configuration MIB objects (the default action). If SNMPv3 and other security safeguards are not in place, the local username and password MIB objects are exposed to unprotected SNMP access and you should use the preceding command to disable this access.

2.
Other Provisions for Management Access Security

Authorized IP Managers. This feature uses IP addresses and masks to determine whether to allow management access to the switch through the network, and covers access through the following:

■ Telnet and other terminal emulation applications
■ The switch’s Web browser interface
■ SNMP (with a correct community name)

Secure Management VLAN.
Network Security Features

■ switch SSH and user password authentication: this option is a subset of the client publickey authentication, and is used if the switch has SSH enabled without a login access configured to authenticate the client’s key. In this case, the switch authenticates itself to clients, and users on SSH clients then authenticate themselves to the switch by providing passwords stored on a RADIUS or TACACS+ server, or locally on the switch.
Known Issues

Release Y.11.01

The following problems are known issues in release Y.11.01.

■ RADIUS/Web Management (PR_1000811781) — When the user attempts RADIUS authentication to the Web Management Interface, the switch may crash with a message similar to the following.

    TLB Miss: Virtual Addr=0x0024c904 IP=0x0024c904 Task='tHttpd' Task ID=0x81e46eb0 fp:0x00000000 sp:0x81e46d70 ra:0x0024c904 sr:0x1000fc01

Release Y.11.03

The following problems are known issues in release Y.11.
Enhancements

Unless otherwise noted, each new release includes the features added in all previous releases. Enhancements are listed in chronological order, oldest to newest software release.

Release Y.11.01 Enhancements

No new enhancements. Initial Release.

Release Y.11.02 Enhancements

No new enhancements. Never Released.

Release Y.11.03 Enhancements

Release Y.11.
Release Y.11.10 Enhancements

No new enhancements. Not a public release.

Release Y.11.11 Enhancements

Release Y.11.11 includes the following enhancements. Not a public release.

■ Enhancement (PR_0000016739) — Banner Size Increase to 1280 characters.
Customized Banner without Password Configured. When a custom MOTD banner is configured and there is no password required, the custom MOTD banner displays followed by the “press any key to continue” prompt. When any key is pressed, the custom banner is cleared and the CLI prompt displays.

Customized Banner with Password Configuration.
Release Y.11.15 Enhancements

Release Y.11.15 includes the following enhancements. (Not a public release.)

■ Enhancement (PR_0000018479) — Longer usernames and passwords are now allowed, and some special characters may be used.

Username and Password Size Increase

For security reasons, it is desirable to allow the configuration of longer usernames and passwords than is currently allowed on the switch.
Additional Restrictions

Some authentication servers prevent the usage of special symbols such as the backslash (\) and quotes (“”). ProCurve allows the use of these symbols in configurable credentials, but using them may limit access for some users who may use different client software. Please refer to the vendor’s documentation for specific information about these restrictions.

■ Enhancement (PR_0000038122) — TELNET Negotiate About Window Size (NAWS) Initiation.
Release Y.11.16 Enhancements

Release Y.11.16 includes the following enhancement:

■ Enhancement (PR_0000041022) — Enhancement to AAA accounting.

Accounting Services

RADIUS accounting collects data about user activity and system events and sends it to a RADIUS server when specified events occur on the switch, such as a logoff or a reboot.
■ Commands accounting: Provides records containing information on CLI command execution during user sessions.
  • Acct-Session-Id
  • Acct-Status-Type
  • Service-Type
  • Acct-Authentic
  • User-Name
  • NAS-IP-Address
  • NAS-Identifier
  • NAS-Port-Type
  • Calling-Station-Id
  • HP-Command-String
  • Acct-Delay-Time

The switch forwards the accounting information it collects to the designated RADIUS server, where the information is formatted, stored, and managed by the server.
Note: In Unique Acct-Session-ID operation, the Command service type is a special case in which the Acct-Session-ID for each executed CLI command in the session is different from the IDs for other service types used in the session and also different for each CLI command executed during the session.
The figure below shows Unique mode accounting operation for a new session in which two commands are executed, and then the session is closed.

User “fred” starts Exec Accounting session “003300000008”.

User “fred” then executes show ip, which results in this accounting entry. Notice the session ID (003300000009) assigned to this accounting entry incrementally follows the preceding Acct-Session-Id.
Common Acct-Session-ID Operation. In this case, all service types running in a given management session operate as subprocesses of the same parent process, and the same Acct-Session-ID is used for accounting of all service types, including successive CLI commands.

User “fred” starts Exec Accounting session “00330000000B”.

User “fred” then executes show ip, which results in this command accounting entry.
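One way to use the two Acct-Session-ID modes described above when reviewing accounting data on the RADIUS server, as an added example that is not part of the HP release notes: it attributes each command record to the login session that issued it and reports commands with no matching login. The attribute names and the session IDs for “fred” follow the text above; the dict record layout, the addresses, the second command and the last record are constructed.

```python
# Added example, not code from the release notes. Attribute names come from
# the page; the record layout and all addresses are constructed.

def rec(sid, status, cmd=None, user="fred"):
    """Build one constructed accounting record as a server might store it."""
    r = {"Acct-Session-Id": sid, "Acct-Status-Type": status, "User-Name": user,
         "NAS-IP-Address": "192.0.2.10", "Calling-Station-Id": "192.0.2.50"}
    if cmd is not None:
        r["HP-Command-String"] = cmd
    return r

SAMPLE = [
    rec("003300000008", "Start"),                 # Unique mode: login
    rec("003300000009", "Stop", "show ip"),       # command gets the next ID
    rec("00330000000A", "Stop", "show version"),  # constructed second command
    rec("003300000008", "Stop"),                  # logout
    rec("00330000000B", "Start"),                 # Common mode: login
    rec("00330000000B", "Stop", "show ip"),       # command reuses the login ID
    rec("00330000000B", "Stop"),                  # logout
    rec("00330000000C", "Stop", "write mem", user="ops"),  # no login on record
]

def peer(r):
    """Fallback correlation key, needed because Unique mode changes the ID."""
    return (r.get("NAS-IP-Address"), r.get("User-Name"),
            r.get("Calling-Station-Id"))

def build_timelines(records):
    """Walk records in arrival order and return (timelines, orphans)."""
    open_by_id, open_by_peer = {}, {}
    timelines, orphans = [], []
    for r in records:
        sid, cmd = r["Acct-Session-Id"], r.get("HP-Command-String")
        if cmd is None:
            # No HP-Command-String: treat Start/Stop as the login boundary.
            if r.get("Acct-Status-Type") == "Start":
                tl = {"exec_id": sid, "user": r.get("User-Name"), "peer": peer(r),
                      "commands": [], "mode": None, "closed": False}
                timelines.append(tl)
                open_by_id[sid] = tl
                open_by_peer.setdefault(tl["peer"], []).append(tl)
            elif r.get("Acct-Status-Type") == "Stop" and sid in open_by_id:
                tl = open_by_id.pop(sid)
                tl["closed"] = True
                open_by_peer[tl["peer"]].remove(tl)
            continue
        # Command record: an exact ID match means Common mode.
        tl, mode = open_by_id.get(sid), "common"
        if tl is None:
            # Unique mode heuristic: newest open login for the same
            # NAS, user and calling station.
            stack = open_by_peer.get(peer(r)) or []
            tl, mode = (stack[-1] if stack else None), "unique"
        if tl is None:
            orphans.append(r)   # command with no login on record: review it
            continue
        tl["commands"].append((sid, cmd))
        tl["mode"] = mode
    return timelines, orphans
```

Orphaned command records usually mean a lost Start record or Exec accounting not being enabled on the switch, and either case leaves a gap in the audit trail.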
– Optional—if you are also configuring the switch for RADIUS authentication, and need a unique encryption key for use during authentication sessions with the RADIUS server you are designating, configure a server-specific key. This key overrides the global encryption key you can also configure on the switch, and must match the encryption key used on the specified RADIUS server.

2. (Optional) Reconfigure the desired Acct-Session-ID operation.
Syntax: [no] radius-server host < ip-address >

    Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration.

    [acct-port < port-number >]
        Optional. Changes the UDP destination port for accounting requests to the specified RADIUS server. If you do not use this option, the switch automatically assigns the default accounting port number. (Default: 1813)

    [key < key-string >]
        Optional.
    ProCurve(config)# radius-server host 10.33.18.151 acct-port 1750 key source0151
    ProCurve(config)# write mem
    ProCurve(config)# show radius

     Status and Counters - General RADIUS Information

      Deadtime(min) : 0
      Timeout(secs) : 5
      Retransmit Attempts : 3
      Global Encryption Key :

                      Auth
      Server IP Addr  Port
      --------------- ----
      10.33.18.
    ProCurve(config)# aaa accounting session-id common
    ProCurve(config)# show accounting

     Status and Counters - Accounting Information

      Interval(min) : 0
      Suppress Empty User : No
      Sessions Identification : Common        (Example of common Session ID Configuration)

      Type     | Method Mode
      -------- + ------ --------------
      Network  | None
      Exec     | None
      System   | None
      Commands | None

Figure 4. Accounting Configured for the Common Option

3.
■ Stop-Only: Applies to the network, exec, system, and command service types, as described below:
  • Send a stop record accounting notice at the end of the accounting session. The notice includes the latest data the switch has collected for the requested accounting type (network, exec, or system service types). For the commands service type, sends the “Stop” accounting notice after execution of each CLI command.
  • Do not wait for an acknowledgment.
Example. To configure RADIUS accounting on the switch with start-stop for Exec functions, stop-only for system functions, and interim-update for commands functions. This example continues from figure 4, where the session ID was configured as common.
Example. If the switch is configured with RADIUS accounting on the switch to use start-stop for Exec, System, and Command functions, as shown in figure 6, there will be an “Accounting-On” record when the switch boots up and an “Accounting-Off” record when the switch reboots or reloads. (Assume that Acct-Session-Id is configured for common.
Syntax: [no] aaa accounting update periodic < 1 - 525600 >

    Sets the accounting update period for all accounting sessions on the switch. (The no form disables the update function and resets the value to zero.) (Default: zero; disabled)

Syntax: [no] aaa accounting suppress null-username

    Disables accounting for unknown users having no username.
Viewing RADIUS Statistics

General RADIUS Statistics

Syntax: show radius [host < ip-addr >]

    Shows general RADIUS configuration, including the server IP addresses. Optional form shows data for a specific RADIUS host. To use show radius, the server’s IP address must be configured in the switch, which requires prior use of the radius-server host command. (See “Configuring RADIUS Accounting” on page 26.
Table 1. Values for Show Radius Host Output (Figure 9)

Term               Definition
Round Trip Time    The time interval between the most recent Accounting-Response and the Accounting-Request that matched it from this RADIUS accounting server.
Pending Requests   The number of RADIUS Accounting-Request packets sent to this server that have not yet timed out or received a response.
RADIUS Authentication Statistics

Syntax: show authentication

    Displays the primary and secondary authentication methods configured for the Console, Telnet, Port-Access (802.1X), and SSH methods of accessing the switch. Also displays the number of access attempts currently allowed in a session.

show radius authentication

    Displays NAS identifier and data on the configured RADIUS server and the switch’s interactions with this server.
RADIUS Accounting Statistics

Syntax: show accounting

    Lists configured accounting interval, “Empty User” suppression status, session ID, accounting types, methods, and modes.

show radius accounting

    Lists accounting statistics for the RADIUS server(s) configured in the switch (using the radius-server host command).

show accounting sessions

    Lists the accounting sessions currently active on the switch.
    ProCurve(config)# show accounting sessions
    Active Accounted actions on SWITCH, User (n/a) Priv (n/a),
    Acct-Session-Id 0x013E00000006, System Accounting record, 1:45:34 Elapsed
    system event 'Accounting On

Figure 14. Example Listing of Active RADIUS Accounting Sessions on the Switch

Changing RADIUS-Server Access Order

The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command.
Software Fixes in Releases Y.11.01 - Y.11.16

Software fixes are listed in chronological order, oldest to newest. Unless otherwise noted, each new release includes the software fixes added in all previous releases. Release Y.11.01 was the first software release for the ProCurve 2510G-24 and 2510G-48 switches.

Release Y.11.01

No Problems Resolved in Release Y.11.01. (Initial Release.)

Release Y.11.02

No Problems Resolved in Release Y.11.02.
Release Y.11.07

No Problems Resolved in Release Y.11.07. (Not a Production Build.)

Release Y.11.08

The following problems were resolved in build Y.11.08.

■ MAC Address (PR_0000009750) — If a client moves from one port or switch to another, the MAC address is not relearned on the new port until the MAC address timer expires on the original port.
■ 802.1X (PR_0000012568) — There is a problem with the switch login error message.
■ Management (PR_0000012818) — The switch management interface may become unresponsive as a result of packet buffer depletion.
■ Config (PR_0000007953) — The config line spanning-tree instance vlan is truncated in some cases, causing loss of configuration after reload of the config file.
■ Authentication (PR_0000013472) — Port-access authentication may not occur when there is a combination of tagged and untagged port membership in the same VLAN (as the auth-vid, unauth-vid, or a RADIUS-assigned VLAN). This fix prevents an untagged VLAN assignment from being applied to a port if that port is a tagged member of the same VLAN.

Best Practice Tip: Configure different VLANs for the auth-vid and unauth-vid roles.
access mac-based functions. Software versions that contain this fix will not allow this configuration conflict at the CLI. Existing configurations will be altered by this fix, and an error will be reported at the switch CLI and event log.

Best Practice Tip: 802.1X should not have an unauthenticated VLAN setting when it works concurrently with Web-based or MAC-based authentication if the unauth-period in 802.1X is zero (the default value).
Message 3:

    Configuration change denied for port . Only Web or MACauthenticator can have unauthenticated VLAN enabled if 802.1X authenticator is enabled on the same port. Please use unauthenticated VLAN for Web or MAC authentication instead.

Event log message when the configuration is changed:

    mgr: Disabled unauthenticated VLAN on port for the 802.1X. Unauthenticated VLAN cannot be simultaneously enabled on both 802.
■ Config (PR_0000039026) — The switch reloads into a configuration that is copied to the startup configuration, even if the downloaded config is identical to the one the switch has stored. This fix will remove the need to reload in that case, and return a message at the CLI:

    Downloaded file identical to current, no update performed.
    TLB Miss: Virtual Addr=0x00000000 IP=0x800ab0f8 Task='mSnmpCtrl' Task ID=0x85d26d00 fp:0x00000000 sp:0x85d26a60 ra:0x800aadc8 sr:0x1000fc01

■ Crash (PR_0000044286) — When the switch is configured as a stack member, it will reboot continuously when the following configuration options are applied.
Release Y.11.15

The following problems were resolved in build Y.11.15. (Not a public release.)

■ Enhancement (PR_0000018479) — Longer usernames and passwords are now allowed, and some special characters may be used. For more information, see “Username and Password Size Increase” on page 19.
■ Enhancement (PR_0000038122) — TELNET Negotiate About Window Size (NAWS) Initiation.