ProCurve Series 6400cl, 5300xl, 4200vl and 3400cl Switches
Advanced Traffic Management Guide
October 2006

Software releases: E.10.02 or greater (Series 5300xl), L.10.01 or greater (Series 4200vl), M.08.73 (Series 3400cl/6400cl)
www.procurve.com
© Copyright 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. All Rights Reserved. Disclaimer: This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard.
Contents (excerpt)

Product Documentation
  About Your Switch Manual Set  xxiii
  Feature Index  xxiv
1 Getting Started
  Contents  1-1
  Introduction
2 Static Virtual LANs (VLANs)
  Protocol-Based VLANs  2-5
  Designated VLANs  2-5
  Terminology  2-6
  Static VLAN Operation  2-7
  VLAN Environments
  Components of Voice VLAN Operation  2-52
  Voice VLAN QoS Prioritizing (Optional)  2-52
  Voice VLAN Access Security  2-53
  Effect of VLANs on Other Switch Features  2-53
  Spanning Tree Operation with VLANs  2-53
  IP Interfaces
4 (IGMP)
  IGMP General Operation and Features  4-3
  IGMP Terms  4-4
  IGMP Operating Features  4-5
  Basic Operation  4-5
  Enhancements
5 (PIM)
  Displaying PIM Status  5-27
  Operating Notes  5-34
  Troubleshooting  5-36
  Messages Related to PIM Operation  5-37
  Applicable RFCs
6 (Spanning Tree)
  802.1s Multiple Spanning Tree Protocol (MSTP)  6-45
  MSTP Structure  6-46
  How MSTP Operates  6-49
  MST Regions  6-49
  Regions, Legacy STP and RSTP Switches, and the Common Spanning Tree (CST)
7 (Switch Meshing)
  Preparation  7-11
  Menu: To Configure Switch Meshing  7-11
  CLI: To View and Configure Switch Meshing  7-13
  Viewing Switch Mesh Status  7-14
  CLI: Configuring Switch Meshing  7-17
  Operating Notes for Switch Meshing
8 (Quality of Service)
  Troubleshooting a Shortage of Per-Port Rule Resources on the 3400cl/6400cl Switches  8-19
  Examples of QoS Resource Usage on 3400cl/6400cl Switches  8-20
  Using QoS Classifiers To Configure Quality of Service for Outbound Traffic  8-23
  Viewing the QoS Configuration  8-23
  No Override
  IP Multicast (IGMP) Interaction with QoS  8-71
  QoS Messages in the CLI  8-72
  QoS Operating Notes and Restrictions  8-73
9 Access Control Lists (ACLs) for the Series 5300xl Switches
  Contents  9-1
  Introduction
  ACL Configuration Factors  9-29
  The Sequence of Entries in an ACL Is Significant  9-29
  In Any ACL, There Will Always Be a Match  9-31
  A Configured ACL Has No Effect Until You Apply It to an Interface
10 Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches
  Contents  10-1
  Introduction  10-4
  ACL Applications on Series 3400cl and 6400cl Switches  10-4
  General Application Options  10-4
  Terminology
  Rules for Defining a Match Between a Packet and an Access Control Entry (ACE)  10-33
  Configuring and Assigning an ACL  10-38
  Overview  10-38
  General Steps for Implementing ACLs  10-38
  Types of ACLs
  Working Offline To Create or Edit an ACL  10-72
  Creating an ACL Offline  10-72
  Enable ACL "Deny" Logging  10-75
  Requirements for Using ACL Logging  10-76
  ACL Logging Operation  10-76
  Enabling ACL Logging on the Switch
11 (IP Routing)
  Configuring Static IP Routes  11-20
  Static Route Types  11-20
  Static IP Route Parameters  11-21
  Static Route States Follow Port States  11-21
  Configuring a Static IP Route
  Configuration Rules  11-42
  OSPF Parameters  11-42
  Enabling OSPF  11-43
  Assigning OSPF Areas  11-43
  Assigning an Area Range (optional)  11-45
  Assigning VLANs to an Area
  Configuring IRDP  11-76
  Enabling IRDP Globally  11-77
  Enabling IRDP on an Individual VLAN Interface  11-77
  Displaying IRDP Information  11-78
  Configuring DHCP Relay  11-79
  Overview
  Configuring Static Network Address Translation (NAT) for Intranet Applications on the 5300xl Switches  11-103
  Static NAT Operating Rules  11-104
  Configuring Static NAT  11-104
  Displaying Static NAT Statistics and Configuration  11-106
  Static NAT Operating Notes
12 (XRRP)
  Configuration Examples  12-25
  Configuration for Figure 12-2 – Single VLAN Example  12-25
  Configuration for Figure 12-4 – Multiple VLANs  12-26
  Displaying XRRP Data  12-27
  Comparison Between XRRP and VRRP  12-31
  Messages Related to XRRP Operation
13 (Stacking)
  Adding to a Stack or Moving Switches Between Stacks  13-35
  Using the CLI To Remove a Member from a Stack  13-40
  Using the CLI To Access Member Switches for Configuration Changes and Traffic Monitoring  13-42
  SNMP Community Operation in a Stack  13-43
  Using the CLI To Disable or Re-Enable Stacking  13-44
  Transmission Interval
Product Documentation

About Your Switch Manual Set

Note: For the latest version of all ProCurve switch documentation, including Release Notes covering recently added features, please visit the ProCurve Networking Web site at www.procurve.com, click on Technical support, and then click on Product manuals (all).

Printed Publications
The two publications listed below are printed and shipped with your switch.
Feature Index

For the manual set supporting your switch model, the following feature index indicates which manual to consult for information on a given software feature and which switches support that feature. The printed index marks, for each feature, whether it is covered in the Management and Configuration Guide, the Advanced Traffic Management Guide, or the Access Security Guide; the support columns are as follows.

Feature                                        5300xl   4200vl     3400cl/6400cl
802.1Q VLAN Tagging
802.1X Port-Based Priority
Eavesdrop Protection (Access Security Guide)   yes      yes        no
Event Log                                      yes      yes        yes
Factory Default Settings                       yes      yes        yes
Flow Control (802.
Meshing                                        yes      no         yes
Monitoring and Analysis                        yes      yes        yes
Multicast Filtering                            yes      no         no
Multiple Configuration Files                   yes      yes        yes
Network Management Applications                yes      SNMP only  SNMP only
OpenView Device Management                     yes      yes        yes
OSPF                                           yes      no         yes
Passwords                                      yes      yes        yes
Password Clear Pro
RMON 1,2,3,9                                   yes      yes        yes
Routing                                        yes      yes        yes
Routing - IP Static                            yes      yes        yes
Secure Copy                                    yes      yes        yes
sFlow                                          yes      yes        yes
SFTP                                           yes      yes        yes
SNMPv3                                         yes      yes        yes
Software Downloads (SCP/SFTP, TFTP, Xmodem)    yes      yes        yes
Source-Port Filters                            yes      yes        yes
Spanning Tr
Voice VLAN (Access Security Guide)             yes      yes        yes
Web Authentication RADIUS Support              yes      yes        yes
Web-based Authentication                       yes      yes        yes
Web UI                                         yes      yes        yes
Xmodem                                         yes      yes        yes
XRRP                                           yes      no         yes
1 Getting Started

Contents
  Introduction  1-2
  Conventions  1-3
  Feature Descriptions by Model  1-3
  Command Syntax Statements  1-3
  Command Prompts
Introduction

This Advanced Traffic Management Guide is intended for use with the following switches:
■ ProCurve Switch 10G CX4 6400cl-6xg
■ ProCurve Switch 10G X2 6400cl-6xg
■ ProCurve Switch 5304xl
■ ProCurve Switch 5348xl
■ ProCurve Switch 5308xl
■ ProCurve Switch 5372xl
■ ProCurve Switch 4204vl
■ ProCurve Switch 4208vl
■ ProCurve Switch 4202vl-48G
■ ProCurve Switch 4202vl-72
■ ProCurve Switch 3400cl-24G
■ ProCurve Switch 3400cl-48G
This guide describe
Getting Started Conventions Conventions This guide uses the following conventions for command syntax and displayed information. Feature Descriptions by Model In cases where a software feature is not available in all of the switch models covered by this guide, the section heading specifically indicates which product or product series offer the feature. For example, (the switch is highlighted here in bold italics): “QoS Pass-Through Mode on the Series 5300xl and 4200vl Switches”.
Command Prompts

In the default configuration, your switch displays one of the following CLI prompts:
  ProCurve 6400cl#
  ProCurve 5304xl#
  ProCurve 5308xl#
  ProCurve 4204vl#
  ProCurve 4208vl#
  ProCurve 3400-24cl#
  ProCurve 3400-48cl#
To simplify recognition, this guide uses ProCurve to represent command prompts for all models. For example: ProCurve# (You can use the hostname command to change the text in the CLI prompt.)

Screen Simulations
Displayed Text.
Getting Started Sources for More Information However, unless otherwise noted, such examples apply equally to the stackable switches, which typically use only numbers, such as “1”, “3-5”, “15”, etc. for port identities. Keys Simulations of actual keys use a bold, sans-serif typeface with square brackets. For example, the Tab key appears as [Tab] and the “Y” key appears as [Y].
ROM shipped with the switch, and you can download a copy from the ProCurve Networking Web Site (see "Getting Documentation From the Web" on page 1-6).
■ Advanced Traffic Management Guide—Use the Advanced Traffic Management Guide for information on:
  • VLANs: Static port-based and protocol VLANs, and dynamic GVRP VLANs
  • Multicast traffic control (IGMP) and Protocol-Independent Multicast routing (PIM-DM)
  • Spanning-Tree: 802.1D (STP), 802.
Getting Started Sources for More Information Figure 1-2. Example of How To Locate Product Manuals on the ProCurve Networking Web Site Figure 1-3.
Getting Started Sources for More Information Online Help If you need information on specific parameters in the menu interface, refer to the online help provided in the interface. For example: Online Help for Menu If you need information on a specific command in the CLI, type the command name followed by “help”. For example: If you need information on specific features in the web browser interface use the online help available for the web browser interface.
Getting Started Need Only a Quick Start? Need Only a Quick Start? IP Addressing If you just want to give the switch an IP address so that it can communicate on your network, or if you are not using VLANs, HP recommends that you use the Switch Setup screen to quickly configure IP addressing. To do so, do one of the following: ■ Enter setup at the CLI Manager level prompt. Procurve# setup ■ In the Main Menu of the Menu interface, select 8.
To Set Up and Install the Switch in Your Network
2 Static Virtual LANs (VLANs)

Contents
  Overview  2-3
  Introduction  2-4
  General VLAN Operation  2-4
  Types of Static VLANs Available in the Switch  2-5
  Port-Based VLANs
  CLI: Configuring Port-Based and Protocol-Based VLAN Parameters  2-28
  Web: Viewing and Configuring VLAN Parameters  2-39
  802.1Q VLAN Tagging  2-40
  Special VLAN Types
Static Virtual LANs (VLANs) Overview Overview This chapter describes how to configure and use static, port-based and protocol-based VLANs on the switches covered by this manual.
Introduction

VLAN Features

Feature                    Default                     Menu                   CLI         Web
view existing VLANs        n/a                         page 2-23 thru 2-28    page 2-29   page 2-39
configuring static VLANs   default VLAN with VID = 1   page 2-23 thru 2-28    page 2-28   page 2-39

VLANs enable you to group users by logical function instead of physical location.
Types of Static VLANs Available in the Switch

Port-Based VLANs. This type of static VLAN creates a specific layer-2 broadcast domain comprised of member ports that bridge IPv4 traffic among themselves. Port-based VLAN traffic is routable on the switches covered by this guide.
Static Virtual LANs (VLANs) Terminology Note In a multiple-VLAN environment that includes some older switch models there may be problems related to the same MAC address appearing on different ports and VLANs on the same switch. In such cases the solution is to impose some cabling and VLAN restrictions. For more on this topic, refer to “Multiple VLAN Considerations” on page 2-18. Terminology Dynamic VLAN: An 802.
Static Virtual LANs (VLANs) Static VLAN Operation Static VLAN Operation A group of networked ports assigned to a VLAN form a broadcast domain that is separate from other VLANs that may be configured on the switch. On a given switch, packets are bridged between source and destination ports that belong to the same VLAN. Thus, all ports passing traffic for a particular subnet address should be configured to the same VLAN.
                         Port-Based VLANs                                       Protocol-Based VLANs
Tagged VLAN Membership   A port can be a tagged member of any port-based        A port can be a tagged member of any protocol-based
                         VLAN. See above.                                       VLAN. See above.
Routing                  The switch can internally route IP (IPv4) traffic between port-based VLANs and between port-based and IPv4 protocol-based VLANs if the switch configuration enables IP routing.
VLAN Operation

The Default VLAN. In figure 2-1, all ports belong to the default VLAN, and devices connected to these ports are in the same broadcast domain. Except for an IP address and subnet, no configuration steps are needed. (Figure 2-1 shows ports A1 through A8 all in VLAN 1.)

Figure 2-1. Example of a Switch in the Default VLAN Configuration

Multiple Port-Based VLANs. In figure 2-2, routing within the switch is disabled (the default).
Static Virtual LANs (VLANs) Static VLAN Operation Protocol VLAN Environment. Figure 2-2 can also be applied to a protocol VLAN environment. In this case, VLANs “W” and “X” represent routable protocol VLANs. VLANs “Y” and “Z” can be any protocol VLAN. As noted for the discussion of multiple port-based VLANs, VLAN 1 is not shown. Enabling internal (IP) routing on the switch allows IP traffic to move between VLANs on the switch. However, routable, non-IP traffic always requires an external router.
overlap in this way, VLAN "tags" are used in the individual packets to distinguish between traffic from different VLANs. A VLAN tag includes the particular VLAN I.D. (VID) of the VLAN on which the packet was generated. (Figure 2-3 shows a ProCurve switch connected to an 802.1Q-compliant server.)

Figure 2-3. Example of Overlapping VLANs Using the Same Server

Similarly, using 802.1Q-compliant switches, you can connect multiple VLANs through a single switch-to-switch link.
The legacy (non-802.1Q compliant) switch requires a separate link for each VLAN. (Figure 2-5 shows a Red Server and a Blue Server on the Red and Blue VLANs. VLAN tagging enables the link between the two ProCurve switches to carry Red VLAN and Blue VLAN traffic, while the non-802.1Q switch needs a separate link for each VLAN.)

Figure 2-5.
Static Virtual LANs (VLANs) Static VLAN Operation Example of Per-Port VLAN Configuration with GVRP Disabled (the default) Example of Per-Port VLAN Configuration with GVRP Enabled Enabling GVRP causes “No” to display as “Auto”. Figure 2-6. Comparing Per-Port VLAN Options With and Without GVRP Table 2-4. Per-Port VLAN Configuration Options Parameter Effect on Port Participation in Designated VLAN Tagged Allows the port to join multiple VLANs.
VLAN Operating Rules

■ DHCP/Bootp: If you are using DHCP/Bootp to acquire the switch's configuration, packet time-to-live, and TimeP information, you must designate the VLAN on which DHCP is configured for this purpose as the Primary VLAN. (In the factory-default configuration, the DEFAULT_VLAN is the Primary VLAN.)
■ Per-VLAN Features: IGMP and some other features operate on a "per VLAN" basis.
Static Virtual LANs (VLANs) VLAN Operating Rules ■ Adding or Deleting VLANs: Changing the number of VLANs supported on the switch requires a reboot. (From the CLI, you must perform a write memory command before rebooting.) Other VLAN configuration changes are dynamic. ■ Inbound Tagged Packets: If a tagged packet arrives on a port that is not a tagged member of the VLAN indicated by the packet’s VID, the switch drops the packet.
Figure 2-7 summarizes how the switch handles an untagged packet arriving on port "X":

1. Is the port an untagged member of any VLAN? If not, drop the packet.
2. If so, does the packet's protocol match the protocol of an untagged protocol-VLAN membership on the port? If so, forward the packet on that protocol VLAN.
3. Otherwise, is the port an untagged member of a port-based VLAN? If so, forward the packet on the port-based VLAN; if not, drop the packet.

Figure 2-7.

tagged member must have the same VID as that carried by the inbound, tagged packets generated on that VLAN.)

Figure 2-8 summarizes how the switch handles a tagged packet from VLAN "A" arriving on port "X":

1. Is port "X" a tagged member of VLAN "A"? If not, drop the packet.
2. If so, forward the packet to any port "Y" on VLAN "A" for outbound transmission. Note that the outbound port can be either a tagged or untagged member of the VLAN.

Because a tagged packet is accepted only on a port that is a tagged member of the VID it carries, a port should be made a tagged member of only the VLANs it needs; a tag injected on an untrusted access port for any other VLAN is simply dropped.

Figure 2-8.

General Steps for Using VLANs
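The two decision trees above, worked through in code. This is an added example and is not part of the ProCurve manual: the switch model, the VLANs (port-based 1 and 20, and an IPv4 protocol VLAN 30 carrying the ipv4 and arp options) and the ports A1-A8 are constructed for illustration. It shows a protocol VLAN winning over the port-based VLAN for a matching untagged frame, a non-matching frame falling through to the port-based VLAN, a port in no untagged VLAN dropping untagged frames, and the "inbound tagged packet" rule dropping tags for VLANs the port is not a tagged member of.

```python
"""Added example, not part of the ProCurve manual: the ingress decisions in
figures 2-7 and 2-8 (plus the "Inbound Tagged Packets" operating rule) as
code. The VLANs, ports and frames below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set, Tuple


@dataclass
class Vlan:
    vid: int
    name: str
    protocols: FrozenSet[str] = frozenset()     # empty => port-based VLAN
    tagged: Set[str] = field(default_factory=set)
    untagged: Set[str] = field(default_factory=set)

    def is_protocol_vlan(self) -> bool:
        return bool(self.protocols)


@dataclass
class Frame:
    in_port: str
    protocol: str               # protocol carried, e.g. "ipv4", "arp", "ipx"
    vid: Optional[int] = None   # None => untagged; otherwise the 802.1Q VID


class VlanSwitch:
    def __init__(self, vlans):
        self.vlans: Dict[int, Vlan] = {v.vid: v for v in vlans}

    def classify(self, frame: Frame) -> Tuple[Optional[int], str]:
        """Return (vid, reason); vid is None when the switch drops the frame."""
        port = frame.in_port
        if frame.vid is not None:
            # Figure 2-8: a tagged frame is accepted only if the ingress port is
            # a *tagged* member of the VLAN named by its VID.  A tag injected on
            # an access port for a VLAN it is not tagged in is therefore dropped.
            vlan = self.vlans.get(frame.vid)
            if vlan is None or port not in vlan.tagged:
                return None, f"drop: {port} is not a tagged member of VID {frame.vid}"
            return vlan.vid, f"forward on VLAN {vlan.vid} (tagged)"
        # Figure 2-7: untagged frame.
        untagged_in = [v for v in self.vlans.values() if port in v.untagged]
        if not untagged_in:
            return None, f"drop: {port} is not an untagged member of any VLAN"
        # A protocol VLAN whose protocol list matches wins over the port-based VLAN.
        for v in untagged_in:
            if v.is_protocol_vlan() and frame.protocol in v.protocols:
                return v.vid, f"forward on protocol VLAN {v.vid} ({frame.protocol})"
        for v in untagged_in:
            if not v.is_protocol_vlan():
                return v.vid, f"forward on port-based VLAN {v.vid}"
        return None, f"drop: no untagged VLAN on {port} accepts {frame.protocol}"

    def egress(self, vid: int, in_port: str) -> Dict[str, str]:
        """Ports the frame is sent to, and whether it leaves tagged or untagged."""
        vlan = self.vlans[vid]
        out = {p: "tagged" for p in vlan.tagged if p != in_port}
        out.update({p: "untagged" for p in vlan.untagged if p != in_port})
        return out

    def forward(self, frame: Frame) -> Dict[str, str]:
        vid, _ = self.classify(frame)
        return {} if vid is None else self.egress(vid, frame.in_port)


def demo_switch() -> VlanSwitch:
    """Constructed configuration:
    VLAN 1  port-based, untagged on A1-A4, A6, A7 (A8 deliberately in no untagged VLAN)
    VLAN 20 port-based, tagged on A1 and A8, untagged on A5
    VLAN 30 IPv4 protocol VLAN (ipv4 + arp), untagged on A6"""
    return VlanSwitch([
        Vlan(1, "DEFAULT_VLAN", untagged={"A1", "A2", "A3", "A4", "A6", "A7"}),
        Vlan(20, "VLAN-20", tagged={"A1", "A8"}, untagged={"A5"}),
        Vlan(30, "IPv4-PVLAN", protocols=frozenset({"ipv4", "arp"}), untagged={"A6"}),
    ])


if __name__ == "__main__":
    sw = demo_switch()
    for f in (Frame("A1", "ipv4"), Frame("A6", "ipv4"), Frame("A6", "ipx"),
              Frame("A1", "ipv4", vid=20), Frame("A2", "ipv4", vid=20),
              Frame("A8", "ipv4"), Frame("A8", "ipv4", vid=20)):
        vid, why = sw.classify(f)
        print(f"{f.in_port} vid={f.vid} {f.protocol}: {why}; out={sw.forward(f)}")
```

Note that egress marks each output port tagged or untagged from that port's own membership, which is the "outbound port can be either a tagged or untagged member" point of figure 2-8: the frame is re-tagged or stripped per port, not forwarded as it arrived.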
Static Virtual LANs (VLANs) Multiple VLAN Considerations 3. Assign the desired switch ports to the new VLAN(s). 4. If you are managing VLANs with SNMP in an IP network, the VLAN through which you are managing the switch must have an IP address. Refer to chapter 7, “Configuring IP Addressing”, in the Management and Configuration Guide for your switch. Multiple VLAN Considerations Switches use a forwarding database to maintain awareness of which external devices are located on which VLANs.
Static Virtual LANs (VLANs) Multiple VLAN Considerations Table 2-6 lists the database structure of current ProCurve switch models. Table 2-6.
Example of an Unsupported Configuration and How To Correct It

The Problem. In figure 2-9, the MAC address table for Switch 8000M will sometimes record the 5300xl, 4200vl, 3400cl, or 6400cl as accessed on port A1 (VLAN 1), and other times as accessed on port B1 (VLAN 2). (Figure 2-9 shows Switch 8000M, which has a single forwarding database, with PC "A" and port A1 on VLAN 1 and PC "B" and port B1 on VLAN 2; ports A1 and B1 both lead to the other switch.)
Static Virtual LANs (VLANs) Multiple VLAN Considerations the 8000M discards some packets directed through it for the 5300xl, resulting in poor performance and the appearance of an intermittent or broken link. The Solution. To avoid the preceding problem, use only one cable or port trunk between the single-forwarding and multiple-forwarding database devices, and configure the link with multiple, tagged VLANs.
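The problem and the solution above, reproduced in a small simulation. This is an added example, not part of the ProCurve manual; the port names, the MAC address and the alternating traffic pattern are constructed. A single-database table keyed by MAC alone flaps between the two untagged links and drops half of PC "A"'s frames, while either a single tagged link (the solution above) or a table keyed by (VID, MAC), as in figure 2-11, delivers every frame.

```python
"""Added example, not part of the ProCurve manual: why the topology of figure
2-9 (two untagged links, one per VLAN, into a single-forwarding-database
switch) loses frames, and why one tagged link or per-VLAN forwarding
databases (figure 2-11) do not. Ports and the MAC address are constructed."""
from typing import Dict, Hashable, Optional, Tuple


class ForwardingDatabase:
    """MAC learning table. per_vlan=False keys entries by MAC only, like the
    8000M in figure 2-9; per_vlan=True keys them by (VID, MAC), like the
    5300xl/4200vl/3400cl/6400cl."""

    def __init__(self, per_vlan: bool):
        self.per_vlan = per_vlan
        self.table: Dict[Hashable, str] = {}
        self.moves = 0   # how often an entry was relearned on a different port

    def _key(self, vid: int, mac: str) -> Hashable:
        return (vid, mac) if self.per_vlan else mac

    def learn(self, vid: int, mac: str, port: str) -> None:
        key = self._key(vid, mac)
        if key in self.table and self.table[key] != port:
            self.moves += 1
        self.table[key] = port

    def lookup(self, vid: int, mac: str) -> Optional[str]:
        return self.table.get(self._key(vid, mac))


PC_PORT = {1: "A2", 2: "B2"}                 # PC "A" on VLAN 1, PC "B" on VLAN 2
MULTI_DB_SWITCH_MAC = "00:11:22:33:44:55"    # constructed MAC of the other switch


def run(per_vlan: bool, link_ports: Dict[int, str], rounds: int = 20) -> Tuple[int, int, int]:
    """link_ports maps VID -> the port on the single-db side that carries that
    VLAN toward the other switch.  Returns (delivered, discarded, moves) for
    `rounds` frames sent by PC "A" to the other switch on VLAN 1."""
    fdb = ForwardingDatabase(per_vlan)
    members = {vid: {link_ports[vid], PC_PORT[vid]} for vid in (1, 2)}
    delivered = discarded = 0
    for i in range(rounds):
        # The other switch talks alternately on VLAN 1 and VLAN 2 with the same
        # MAC; its frame arrives on whichever port carries that VLAN.
        vid = 1 if i % 2 == 0 else 2
        fdb.learn(vid, MULTI_DB_SWITCH_MAC, link_ports[vid])
        # PC "A" now sends to that MAC on VLAN 1.
        out = fdb.lookup(1, MULTI_DB_SWITCH_MAC)
        if out in members[1]:
            delivered += 1
        else:
            discarded += 1   # learned port belongs to VLAN 2: frame is dropped
    return delivered, discarded, fdb.moves


if __name__ == "__main__":
    two_links = {1: "A1", 2: "B1"}         # figure 2-9: one untagged link per VLAN
    one_tagged_link = {1: "A1", 2: "A1"}   # the solution: both VLANs tagged on A1
    print("single db, two untagged links :", run(False, two_links))
    print("single db, one tagged link    :", run(False, one_tagged_link))
    print("per-VLAN db, two links        :", run(True, two_links))
```

The "moves" count is what an operator would see as the MAC address flapping between A1 and B1 on the single-database switch; on real hardware the ratio of dropped frames depends on traffic timing, which is why the manual describes the symptom as intermittent rather than total.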
(Figure 2-11 shows a 4108gl switch connected to a 5300xl, 3400cl/6400cl, or 4200vl switch by separate VLAN 1 and VLAN 2 links; both switches have multiple forwarding databases.)

Figure 2-11. Example of a Valid Topology for Devices Having Multiple Forwarding Databases in a Multiple VLAN Environment

Configuring VLANs

Menu: Configuring Port-Based VLAN Parameters

The Menu interface enables you to configure and view port-based VLANs.

Note: The Menu interface configures and displays only port-based VLANs.
To Change VLAN Support Settings

This section describes:
■ Changing the maximum number of VLANs to support
■ Changing the Primary VLAN selection (See "Changing the Primary VLAN" on page 2-34.)
■ Enabling or disabling dynamic VLANs (Refer to chapter 3, "GVRP".)

1. From the Main Menu select: 2. Switch Configuration > 8. VLAN Menu … > 1. VLAN Support
   You will then see the following screen:
   Figure 2-12. The Default VLAN Support Screen

If you changed the value for Maximum VLANs to support, you will see an asterisk next to the VLAN Support option (see below). An asterisk indicates you must reboot the switch to implement the new Maximum VLANs setting.
   Figure 2-13. VLAN Menu Screen Indicating the Need To Reboot the Switch
4. • If you changed the VLAN Support option, you must reboot the switch before the Maximum VLANs change can take effect.

Adding or Editing VLAN Names

Use this procedure to add a new VLAN or to edit the name of an existing VLAN.
1. From the Main Menu select: 2. Switch Configuration > 8. VLAN Menu … > 2. VLAN Names
   If multiple VLANs are not yet configured you will see a screen similar to figure 2-14 (showing the Default VLAN and its VLAN ID):
   Figure 2-14. The Default VLAN Names Screen
2. Press [A] (for Add). You will then be prompted for a new VLAN name and VLAN ID:
   802.1Q VLAN ID : 1
   Name : _
Static Virtual LANs (VLANs) Configuring VLANs Example of a New VLAN and ID Figure 2-15. Example of VLAN Names Screen with a New VLAN Added 6. Repeat steps 2 through 5 to add more VLANs. Remember that you can add VLANs until you reach the number specified in the Maximum VLANs to support field on the VLAN Support screen (see figure 2-12 on page 2-23). This includes any VLANs added dynamically due to GVRP operation. 7.
Static Virtual LANs (VLANs) Configuring VLANs Default: In this example, the “VLAN-22” has been defined, but no ports have yet been assigned to it. (“No” means the port is not assigned to that VLAN.) Using GVRP? If you plan on using GVRP, any ports you don’t want to join should be changed to “Forbid”. A port can be assigned to several VLANs, but only one of those assignments can be “Untagged”. Figure 2-16. Example of the Port-Based VLAN Port Assignment Screen in the Menu Interface 2.
Static Virtual LANs (VLANs) Configuring VLANs Ports A4 and A5 are assigned to both VLANs. Ports A6 and A7 are assigned only to VLAN-22. All other ports are assigned only to the Default VLAN. Figure 2-17. Example of Port-Based VLAN Assignments for Specific Ports For information on VLAN tags (“Untagged” and “Tagged”), refer to “802.1Q VLAN Tagging” on page 2-40. d. 3.
VLAN Commands                                              Page
show vlans                                                 below
show vlans < vid >                                         2-31
show vlans ports < port-list >
max-vlans <1-256>                                          2-33
primary-vlan < vid >                                       2-34
[no] vlan < vid >                                          2-35
  auto < port-list >      (Available if GVRP enabled.)     2-37
  forbid                                                   2-37
  name < vlan-name >                                       2-37
  protocol < protocol-list >                               2-35
  tagged < port-list >                                     2-37
  untagged < port-list >                                   2-37
  voice                                                    2-51
static-vlan < vlan-id >   (Available if GVRP enabled.)     2-37
Static Virtual LANs (VLANs) Configuring VLANs Name: The default or specified name assigned to the VLAN. For a static VLAN, the default name consists of VLAN-x where “x” matches the VID assigned to that VLAN. For a dynamic VLAN, the name consists of GVRP_x where “x” matches the applicable VID. Status: Port-Based: Port-Based, static VLAN Protocol: Protocol-Based, static VLAN Dynamic: Port-Based, temporary VLAN learned through GVRP (Refer to chapter 3, “GVRP” .
Syntax: show vlans ports < port-list >

802.1Q VLAN ID: The VLAN identification number, or VID. Refer to "Terminology" on page 2-6.
Name: The default or specified name assigned to the VLAN. For a static VLAN, the default name consists of VLAN-x where "x" matches the VID assigned to that VLAN. For a dynamic VLAN, the name consists of GVRP_x where "x" matches the applicable VID.
Static Virtual LANs (VLANs) Configuring VLANs Syntax: show vlans < vlan-id > 802.1Q VLAN ID: The VLAN identification number, or VID. Refer to “Terminology” on page 2-6. Name: The default or specified name assigned to the VLAN. For a static VLAN, the default name consists of VLAN-x where “x” matches the VID assigned to that VLAN. For a dynamic VLAN, the name consists of GVRP_x where “x” matches the applicable VID.
Static Virtual LANs (VLANs) Configuring VLANs Figure 2-20. Example of “Show VLAN” for a Specific Static VLAN Show VLAN lists this data when GVRP is enabled and at least one port on the switch has dynamically joined the designated VLAN. Figure 2-21. Example of “Show VLAN” for a Specific Dynamic VLAN Changing the Number of VLANs Allowed on the Switch. In the default VLAN configuration, the switch allows a maximum of 8 VLANs. You can specify any value from 1 to 256.
For example, to reconfigure the switch to allow 10 VLANs: (Note that you can execute these three steps at another time.)

Figure 2-22. Example of Command Sequence for Changing the Number of VLANs

Changing the Primary VLAN. In the default VLAN configuration, the port-based default VLAN (DEFAULT_VLAN) is the Primary VLAN. However, you can reassign the Primary VLAN to any port-based, static VLAN on the switch.
Static Virtual LANs (VLANs) Configuring VLANs Creating a New Static VLAN (Port-Based or Protocol-Based) Changing the VLAN Context Level. The vlan < vid > command operates in the global configuration context to either configure a static VLAN and/or take the CLI to the specified VLAN’s context. Syntax: vlan < vid | ascii-name-string > [ no ] vlan < vid > If < vid > does not exist in the switch, this command creates a port-based VLAN with the specified < vid >.
Static Virtual LANs (VLANs) Configuring VLANs — Continued from the Previous Page — Note: If you create an IPv4 protocol VLAN, you must also assign the ARP protocol option to the VLAN to provide IP address resolution. Otherwise, IP packets are not deliverable. A “Caution” message appears in the CLI if you configure IPv4 in protocol VLAN that does not already include the arp protocol option. The same message appears if you add or delete another protocol in the same VLAN.
Static Virtual LANs (VLANs) Configuring VLANs Deleting a VLAN (5300xl Running Software Release E.09.xx or Greater and 4200vl). If ports B1-B5 belong to both VLAN 2 and VLAN 3, and ports B6-B10 belong to VLAN 3 only, then deleting VLAN 3 causes the CLI to prompt you to approve moving ports B6 - B10 to VLAN 1 (the default VLAN). (Ports B1-B5 are not moved because they still belong to another VLAN.
Static Virtual LANs (VLANs) Configuring VLANs Syntax: [no] vlan < vid > tagged < port-list > Configures the indicated port(s) as Tagged for the specified VLAN. The “no” version sets the port(s) to either No or (if GVRP is enabled) to Auto. untagged < port-list > Configures the indicated port(s) as Untagged for the specified VLAN. The “no” version sets the port(s) to either No or (if GVRP is enabled) to Auto.
Static Virtual LANs (VLANs) Configuring VLANs At the global config level, use: ProCurve(config)# no vlan 100 tagged a1-a5 - or At the VLAN 100 context level, use: ProCurve(vlan-100)# no tagged a1-a5 Note You cannot use these commands with dynamic VLANs. Attempting to do so results in the message “VLAN already exists.” and no change occurs.
Static Virtual LANs (VLANs) 802.1Q VLAN Tagging 802.1Q VLAN Tagging General Applications: ■ The switch requires VLAN tagging on a given port if more than one VLAN of the same type uses the port. When a port belongs to two or more VLANs of the same type, they remain as separate broadcast domains and cannot receive traffic from each other without routing.
[Figure 2-25: two switches, "X" and "Y", carrying the Red, Green, Blue and White VLANs, each with its own server. On Switch X, ports 1-6 are untagged members of a single VLAN and port 7 carries the Red VLAN untagged and the Green VLAN tagged; on Switch Y, ports 1-4 are untagged and port 5 carries the Red VLAN untagged and the Green VLAN tagged.]
Static Virtual LANs (VLANs) 802.1Q VLAN Tagging Note Each 802.1Q-compliant VLAN must have its own unique VID number, and that VLAN must be given the same VID in every device in which it is configured. That is, if the Red VLAN has a VID of 10 in switch X, then 10 must also be used for the Red VID in switch Y. VID Numbers Figure 2-26.
If all end nodes on a port comply with the 802.1Q standard and are configured to use the correct VID, then you can configure all VLAN assignments on a port as "Tagged" if doing so either makes it easier to manage your VLAN assignments, or if the authorized, inbound traffic for all VLANs on the port will be tagged.
Static Virtual LANs (VLANs) 802.1Q VLAN Tagging ■ The VLANs assigned to ports X4 - X6, Y2 - Y5 can all be untagged because there is only one VLAN assigned per port. ■ Port X1 has two AppleTalk VLANs assigned, which means that one VLAN assigned to this port can be untagged and the other must be tagged. ■ Ports X2 and Y1 have two port-based VLANs assigned, so one can be untagged and the other must be tagged on both ports. ■ Ports X3 and Y6 have two port-based VLANs and one protocol-based VLAN assigned.
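The following is an added example, not code from the ProCurve manual, showing the two rules the tagging section states: how the 802.1Q tag (or its absence) decides which VLAN an inbound frame is placed in given a port's Tagged/Untagged membership, and why at most one VLAN of each type on a port may be Untagged. The port configurations, frames, protocol-to-VLAN mappings and the `PortConfig`/`classify_ingress`/`required_tagging` names are constructed for illustration; the switch's real ingress logic is not published on the page.

```python
"""Added example (not from the ProCurve manual): 802.1Q tag handling and the
Tagged/Untagged port rules. All port settings and frames here are constructed."""
import struct
from dataclasses import dataclass, field
from typing import Optional

TPID_8021Q = 0x8100          # EtherType value that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_APPLETALK = 0x809B


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet frame; insert an 802.1Q tag when vid is given."""
    hdr = dst + src
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be 1-4094")
        tci = ((pcp & 0x7) << 13) | vid      # PCP (3 bits), DEI = 0, VID (12 bits)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (vid, ethertype); vid is None for an untagged frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, ethertype
    return None, ethertype


@dataclass
class PortConfig:
    """Per-port membership as set with 'vlan <vid> tagged|untagged <port-list>'."""
    untagged: Optional[int] = None              # the one untagged port-based VLAN
    tagged: set = field(default_factory=set)    # VIDs the port is a Tagged member of
    # protocol-based VLANs the port is an untagged member of: ethertype -> vid
    protocol_untagged: dict = field(default_factory=dict)


def classify_ingress(port, frame):
    """VLAN an inbound frame is placed in, or None when the switch drops it."""
    vid, ethertype = parse_frame(frame)
    if vid is not None:
        # Tagged frame: accepted only if the port is a Tagged member of that VID.
        return vid if vid in port.tagged else None
    # Untagged frame: a matching protocol VLAN wins, else the port-based untagged VLAN.
    if ethertype in port.protocol_untagged:
        return port.protocol_untagged[ethertype]
    return port.untagged


def required_tagging(port_vlans):
    """Given {vid: vlan_type} for every VLAN assigned to one port, return the
    VIDs that must be Tagged: all but one VLAN of each type may not be untagged."""
    by_type = {}
    for vid, vtype in sorted(port_vlans.items()):
        by_type.setdefault(vtype, []).append(vid)
    must_tag = set()
    for vids in by_type.values():
        must_tag.update(vids[1:])      # the first VLAN of each type may stay untagged
    return must_tag
```

`classify_ingress` is the check to keep in mind when a port is opened to untrusted hosts: a tagged frame for a VID the port is not a Tagged member of is dropped, so an attacker cannot reach a VLAN by tagging frames unless the port was deliberately made a Tagged member of it.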
Static Virtual LANs (VLANs) Special VLAN Types Special VLAN Types VLAN Support and the Default VLAN In the factory default configuration, VLAN support is enabled and all ports on the switch belong to the port-based, default VLAN (named DEFAULT_VLAN). This places all ports in the switch into one physical broadcast domain. In the factory-default state, the default VLAN is also the Primary VLAN.
Static Virtual LANs (VLANs) Special VLAN Types Candidates for Primary VLAN include any static, port-based VLAN currently configured on the switch. (Protocol-Based VLANs and dynamic—GVRP learned—VLANs that have not been converted to a static VLAN cannot be the Primary VLAN.) To display the current Primary VLAN, use the CLI show vlan command. Note If you configure a non-default VLAN as the Primary VLAN, you cannot delete that VLAN unless you first select a different VLAN to serve as primary.
Figure 2-28 illustrates use of the Management VLAN feature to support management access by a group of management workstations. Note • Switches "A", "B", and "C" are connected by ports belonging to the management VLAN. • Hub "X" is connected to a switch port that belongs to the management VLAN. As a result, the devices connected to Hub X are included in the management VLAN.
[Figure 2-29. Example of Management VLAN Control in a LAN. Legend: links with ports configured as members of the Management VLAN and other VLANs; links not belonging to the Management VLAN. Devices shown: Switch A (ports A1, A3, A6, A7), Switch B (ports B2, B4, B5, B9), Switch C (ports C2, C3, C6, C8), a System Management Workstation, a Shipping server, a Marketing server and a System server on the DEFAULT_VLAN.] Table 2-7.
Hubs dedicated to connecting management stations to the Management VLAN can also be included in the above topology. Note that any device connected to a hub in the Management VLAN will also have Management VLAN access. Note 3. Configure the Management VLAN on the selected switch ports. 4. Test the management VLAN from all of the management stations authorized to use the Management VLAN, including any SNMP-based network management stations.
Static Virtual LANs (VLANs) Special VLAN Types Deleting the Management VLAN You can disable the Secure Management feature without deleting the VLAN itself. For example, either of the following commands disables the Secure Management feature in the above example: ProCurve (config)# no management-vlan 100 ProCurve (config)# no management-vlan my_vlan Operating Notes for Management VLANs Note ■ Use only a static, port-based VLAN for the Management VLAN.
Even though the ports on the Management VLAN link do not belong to any of the VLANs in the mesh, the link will be blocked if you enable Spanning Tree. This is because Spanning Tree operates per-switch and not per-VLAN. [Figure 2-31: Switch 1 connects to Switches 2 and 3 over a link in VLAN 20 (the Management VLAN); the mesh domain between the switches includes membership in three VLANs, VLAN 10, VLAN 30 and VLAN 40.]
Static Virtual LANs (VLANs) Special VLAN Types Components of Voice VLAN Operation ■ Voice VLAN(s): Configure one or more voice VLANs on the switch. Some reasons for having multiple voice VLANs include: • Employing telephones with different VLAN requirements • Better control of bandwidth usage • Segregating telephone groups used for different, exclusive purposes Where multiple voice VLANs exist on the switch, you can use routing to communicate between telephones on different voice VLANs. .
Note that you also have the option of resetting the DSCP (DiffServ Code Point) on tagged voice VLAN traffic moving through the switch. For more on this and other QoS topics, refer to the chapter titled "Quality of Service (QoS): Managing Bandwidth More Effectively". Voice VLAN Access Security You can use port security configured on an individual port or group of ports in a voice VLAN.
IP Interfaces There is a one-to-one relationship between a VLAN and an IP network interface. Since the VLAN is defined by a group of ports, the state (up/down) of those ports determines the state of the IP network interface associated with that VLAN. When a port-based VLAN or an IPv4 or IPv6 protocol-based VLAN comes up because one or more of its ports is up, the IP interface for that VLAN is also activated.
VLAN Restrictions Jumbo Packet Support on the Series 3400cl and Series 6400cl Switches Jumbo packet support for the 3400cl and 6400cl switches is enabled per-VLAN and applies to all ports belonging to the VLAN. For more information, refer to the chapter titled "Port Traffic Controls" in the Management and Configuration Guide for your switch. (Jumbo packet support is not available on the Series 5300xl switches or Series 4200vl switches.
3 GVRP
Contents
Overview  3-2
Introduction  3-3
General Operation  3-4
Per-Port Options for Handling GVRP "Unknown VLANs"  3-7
Per-Port Options for Dynamic VLAN Advertising and Joining
Overview This chapter describes GVRP and how to configure it with the switch's built-in interfaces, and assumes an understanding of VLANs, which are described in chapter 2, "Static Virtual LANs (VLANs)".
GVRP Introduction Introduction Feature Default view GVRP configuration n/a list static and dynamic VLANs on a GVRP-enabled switch n/a Menu CLI Web page 3-13 page 3-14 page 3-18 page 3-16 page 3-18 page 3-18 — enable or disable GVRP disabled page 3-13 page 3-15 enable or disable GVRP on individual ports enabled page 3-13 page 3-15 control how individual ports handle advertisements for new VLANs Learn page 3-13 page 3-15 convert a dynamic VLAN to a static VLAN n/a configure stati
having to set up VLANs across your network. After the switch creates a dynamic VLAN, you can optionally use the CLI static command to convert it to a static VLAN or allow it to continue as a dynamic VLAN for as long as needed. You can also use GVRP to dynamically enable port membership in static VLANs configured on a switch.
Operating Note: When a GVRP-aware port on a switch learns a VID through GVRP from another device, the switch begins advertising that VID out all of its ports except the port on which the VID was learned. [Figure: a core switch with static VLANs 1, 2 and 3, where port 2 is a member of VIDs 1, 2 and 3. Step 1: port 2 advertises VIDs 1, 2 and 3. Step 2: port 1 on the neighbouring switch receives the advertisement of VIDs 1, 2 and 3 and becomes a member of VIDs 1, 2 and 3; port 3 then advertises VIDs 1, 2 and 3.]
[Figure 3-2: Switches "A", "C", "D" and "E" have GVRP on; Switch "B" does not run GVRP. Switch A: port 1 carries Tagged VLAN 22. Switch C: port 5 dynamically joins VLAN 22; ports 11 and 12 belong to Tagged VLAN 33. Switch D: port 3 dynamically joins VLANs 22 and 33; port 6 dynamically joins VLANs 22 and 33. Switch E: port 2 dynamically joins VLANs 22 and 33; port 7 dynamically joins VLANs 33 and 22.]
GVRP Per-Port Options for Handling GVRP “Unknown VLANs” ■ Send VLAN advertisements, and also receive advertisements for VLANs on other ports and dynamically join those VLANs. ■ Send VLAN advertisements, but ignore advertisements received from other ports. ■ Avoid GVRP participation by not sending advertisements and dropping any advertisements received from other devices. IP Addressing. A dynamic VLAN does not have an IP address, and moves traffic on the basis of port membership in VLANs.
Table 3-1. Options for Handling "Unknown VLAN" Advertisements
Unknown VLAN Mode | Operation
Learn (the Default) | Enables the port to become a member of any unknown VLAN for which it receives an advertisement. Allows the port to advertise other VLANs that have at least one other port on the same switch as a member.
Block | Prevents the port from joining any new dynamic VLANs for which it receives an advertisement.
GVRP Per-Port Options for Dynamic VLAN Advertising and Joining Per-Port Options for Dynamic VLAN Advertising and Joining Initiating Advertisements. As described in the preceding section, to enable dynamic joins, GVRP must be enabled and a port must be configured to Learn (the default). However, to send advertisements in your network, one or more static (Tagged, Untagged, or Auto) VLANs must be configured on one or more switches (with GVRP enabled), depending on your topology.
Table 3-2. Controlling VLAN Behavior on Ports with Static VLANs
Columns: Per-Port "Unknown VLAN" (GVRP) Configuration (1) | Port Activity with the static VLAN set to Tagged or Untagged (per VLAN) (2) | Port Activity with the static VLAN set to Auto (per VLAN) (2) | Port Activity with the static VLAN set to Forbid (per VLAN) (2)
Learn (the Default), Tagged or Untagged: The port belongs to the specified VLAN, advertises the specified VLAN, and can become a member of dynamic VLANs for which it receives advertisements.
GVRP and VLAN Access Control As the preceding table indicates, when you enable GVRP, a port that has a Tagged or Untagged static VLAN has the option for both generating advertisements and dynamically joining other VLANs. Note In table 3-2, above, the Unknown VLAN parameters are configured on a per-port basis using the CLI. The Tagged, Untagged, Auto, and Forbid options are configured per static VLAN on every port, using either the menu interface or the CLI.
The time-to-live for dynamic VLANs is 10 seconds. That is, if a port has not received an advertisement for an existing dynamic VLAN during the last 10 seconds, the port removes itself from that dynamic VLAN. Planning for GVRP Operation These steps outline the procedure for setting up dynamic VLANs for a segment. 1. Determine the VLAN topology you want for each segment (broadcast domain) on your network. 2.
GVRP Configuring GVRP On a Switch Configuring GVRP On a Switch The procedures in this section describe how to: ■ View the GVRP configuration on a switch ■ Enable and disable GVRP on a switch ■ Specify how individual ports will handle advertisements To view or configure static VLANs for GVRP operation, refer to “Per-Port Static VLAN Configuration Options” on page 2-12. Menu: Viewing and Configuring GVRP 1. From the Main Menu, select: 2. Switch Configuration … 8. VLAN Menu … 1.
GVRP Configuring GVRP On a Switch The Unknown VLAN fields enable you to configure each port to: – Learn - Dynamically join any advertised VLAN and advertise all VLANs learned through other ports. – Block - Do not dynamically join any VLAN, but still advertise all VLANs learned through other ports. – Disable - Ignore and drop all incoming advertisements and do not transmit any advertisements. Figure 3-5. Example Showing Default Settings for Handling Advertisements 3.
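The following is an added example, not code from the manual, that models the per-port Unknown VLAN modes (Learn, Block, Disable), the rule that a learned VID is advertised out every port except the one it was learned on, and the 10-second dynamic VLAN time-to-live from the "Planning for GVRP Operation" section. The `GvrpSwitch`/`Port` names, port identifiers and VIDs are constructed; the switch's own timer implementation is not described on the page beyond the 10-second value.

```python
"""Added example (not from the ProCurve manual): a model of GVRP Unknown VLAN
modes and dynamic VLAN aging on one switch. Port names and VIDs are constructed."""
from dataclasses import dataclass, field

DYNAMIC_VLAN_TTL = 10.0   # seconds; the time-to-live for dynamic VLANs given in the text


@dataclass
class Port:
    name: str
    mode: str = "learn"                         # unknown-vlans: learn | block | disable
    static_vlans: set = field(default_factory=set)
    dynamic_vlans: dict = field(default_factory=dict)   # vid -> time of last advertisement


class GvrpSwitch:
    def __init__(self, ports, gvrp_enabled=True):
        self.gvrp_enabled = gvrp_enabled
        self.ports = {p.name: p for p in ports}

    def receive_advertisement(self, port_name, vid, now):
        """Handle a GVRP advertisement for vid arriving on port_name.
        Returns True if the port is now (or remains) a dynamic member of vid."""
        port = self.ports[port_name]
        if not self.gvrp_enabled or port.mode == "disable":
            return False        # Disable: advertisement dropped, nothing learned
        if vid in port.static_vlans:
            return False        # already a static member; nothing dynamic to add
        if port.mode == "block":
            return False        # Block: refuses new dynamic VLANs (still advertises others)
        port.dynamic_vlans[vid] = now   # Learn: join the VLAN and refresh its TTL
        return True

    def advertised_vlans(self, port_name):
        """VIDs this port advertises: every VLAN with at least one *other* port
        as a member (static or dynamic). A Disabled port sends nothing."""
        port = self.ports[port_name]
        if not self.gvrp_enabled or port.mode == "disable":
            return set()
        out = set()
        for other in self.ports.values():
            if other is not port:
                out |= other.static_vlans | set(other.dynamic_vlans)
        return out

    def age_out(self, now):
        """Remove dynamic memberships not refreshed within the TTL.
        Returns the (port, vid) pairs that expired."""
        expired = []
        for port in self.ports.values():
            for vid, last_seen in list(port.dynamic_vlans.items()):
                if now - last_seen >= DYNAMIC_VLAN_TTL:
                    del port.dynamic_vlans[vid]
                    expired.append((port.name, vid))
        return expired

    def vlan_members(self, vid):
        return {p.name for p in self.ports.values()
                if vid in p.static_vlans or vid in p.dynamic_vlans}
```

The model makes the access-control point concrete: a port left in the default Learn mode will join any VLAN a neighbour advertises, so ports facing untrusted devices should be set to Block or Disable (the `unknown-vlans` command described later in this chapter) if GVRP is enabled at all.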
GVRP Configuring GVRP On a Switch Figure 3-6. Example of “Show GVRP” Listing with GVRP Disabled This example includes non-default settings for the Unknown VLAN field for some ports. Figure 3-7. Example of Show GVRP Listing with GVRP Enabled Enabling and Disabling GVRP on the Switch. This command enables GVRP on the switch.
GVRP Configuring GVRP On a Switch Syntax: interface < port-list > unknown-vlans < learn | block | disable > Changes the Unknown VLAN field setting for the specified port(s). For example, to change and view the configuration for ports A1-A2 to Block: Figure 3-8. Displaying the Static and Dynamic VLANs Active on the Switch Syntax: show vlans The show vlans command lists all VLANs present in the switch.
[Figure 3-9. Example of Listing Showing Dynamic VLANs: Switch "A" (GVRP enabled) has the static VLANs DEFAULT_VLAN, VLAN-222 and VLAN-333 and is linked to port 1 on Switch "B" (GVRP enabled, port 1 set to "Learn" mode, static VLAN DEFAULT_VLAN only). The show vlans command lists the dynamic (and static) VLANs in switch "B" after it has learned and joined VLAN-222 and VLAN-333, shown as dynamic VLANs learned from Switch "A" through port 1.] Converting a Dynamic VLAN to a Static VLAN.
GVRP GVRP Operating Notes Web: Viewing and Configuring GVRP To view, enable, disable, or reconfigure GVRP: 1. Click on the Configuration tab. 2. Click on [VLAN Configuration] and do the following: • To enable or disable GVRP, click on GVRP Enabled. • To change the Unknown VLAN field for any port: i. Click on [GVRP Security] and make the desired changes. ii. Click on [Apply] to save and implement your changes to the Unknown VLAN fields.
■ Rebooting a switch on which a dynamic VLAN exists deletes that VLAN. However, the dynamic VLAN re-appears after the reboot if GVRP is enabled and the switch again receives advertisements for that VLAN through a port configured to add dynamic VLANs. ■ By receiving advertisements from other devices running GVRP, the switch learns of static VLANs on those other devices and dynamically (automatically) creates tagged VLANs on the links to the advertising devices.
4 Multimedia Traffic Control with IP Multicast (IGMP)
Contents
Overview  4-2
IGMP General Operation and Features  4-3
IGMP Terms  4-4
IGMP Operating Features  4-5
Basic Operation
Overview This chapter describes multimedia traffic control with IP multicast (IGMP) to reduce unnecessary bandwidth usage on a per-port basis, and how to configure it with the switch's built-in interfaces. For general information on how to use the switch's built-in interfaces, refer to these chapters in the Management and Configuration Guide for your switch: ■ Chapter 3, "Using the Menu Interface" ■ Chapter 4, "Using the Command Line I
IGMP General Operation and Features
IGMP Features
Feature | Default | Menu | CLI
view igmp configuration | n/a | — | page 4-6
show igmp status for multicast groups used by the selected VLAN | n/a | — | Yes
enabling or disabling IGMP (requires VLAN ID context) | disabled | — | page 4-8
per-port packet control | auto | — | page 4-9
IGMP traffic priority | normal | — | page 4-10
querier | enabled | — | page 4-10
fast-leave | disabled | — |
Note IGMP configuration on the Series 5300xl switches and 4200vl switches operates at the VLAN context level. If you are not using VLANs, then configure IGMP in VLAN 1 (the default VLAN) context. IGMP Terms ■ IGMP Device: A switch or router running IGMP traffic control features. ■ IGMP Host: An end-node device running an IGMP (multipoint, or multicast communication) application.
Multimedia Traffic Control with IP Multicast (IGMP) IGMP General Operation and Features IGMP Operating Features Basic Operation In the factory default configuration, IGMP is disabled. To enable IGMP ■ If multiple VLANs are not configured, you configure IGMP on the default VLAN (DEFAULT_VLAN; VID = 1). ■ If multiple VLANs are configured, you configure IGMP on a per-VLAN basis for every VLAN where this feature is to be used.
Multimedia Traffic Control with IP Multicast (IGMP) CLI: Configuring and Displaying IGMP Notes Whenever IGMP is enabled, the switch generates an Event Log message indicating whether querier functionality is enabled. IP multicast traffic groups are identified by IP addresses in the range of 224.0.0.0 to 239.255.255.255. Also, incoming IGMP packets intended for reserved, or “well-known” multicast addresses automatically flood through all ports (except the port on which the packets entered the switch).
Multimedia Traffic Control with IP Multicast (IGMP) CLI: Configuring and Displaying IGMP Viewing the Current IGMP Configuration. This command lists the IGMP configuration for all VLANs configured on the switch or for a specific VLAN. Syntax: show ip igmp config Displays IGMP configuration for all VLANs on the switch. show ip igmp vlan < vid > config Displays IGMP configuration for a specific VLAN on the switch, including per-port data.
Multimedia Traffic Control with IP Multicast (IGMP) CLI: Configuring and Displaying IGMP The following version of the show ip igmp command includes the VLAN ID (vid) designation, and combines the above data with the IGMP per-port configuration: IGMP Configuration for the Selected VLAN IGMP Configuration On the Individual Ports in the VLAN Figure 4-2. Example Listing of IGMP Configuration for A Specific VLAN Enabling or Disabling IGMP on a VLAN.
Multimedia Traffic Control with IP Multicast (IGMP) CLI: Configuring and Displaying IGMP Note If you disable IGMP on a VLAN and then later re-enable IGMP on that VLAN, the switch restores the last-saved IGMP configuration for that VLAN. For more on how switch memory operates, refer to the chapter titled “Switch Memory and Configuration” in the Management and Configuration Guide for your switch.
The following command displays the VLAN and per-port configuration resulting from the above commands. ProCurve> show igmp vlan 1 config Configuring IGMP Traffic Priority. Syntax: vlan < vid > ip igmp high-priority-forward This command assigns "high" priority to IGMP traffic or returns a high-priority setting to "normal" priority. (The traffic will be serviced at its inbound priority.) (Default: normal.
How IGMP Operates The Internet Group Management Protocol (IGMP) is an internal protocol of the Internet Protocol (IP) suite. IP manages multicast traffic by using switches, multicast routers, and hosts that support IGMP. (In Hewlett-Packard's implementation of IGMP, a multicast router is not necessary as long as a switch is configured to support IGMP with the querier feature enabled.
Multimedia Traffic Control with IP Multicast (IGMP) How IGMP Operates in the join request is determined by the requesting application running on the IGMP client.) When a networking device with IGMP enabled receives the join request for a specific group, it forwards any IP multicast traffic it receives for that group through the port on which the join request was received. When the client is ready to leave the multicast group, it sends a Leave Group message to the network and ceases to be a group member.
IGMP Function Available With IP Addressing | Available Without IP Addressing? | Operating Differences Without an IP Address Configured on the VLAN
Configure IGMP traffic forwarding to normal or high-priority forwarding. | Yes | None
Age-out IGMP group addresses when the last IGMP client on a port in the VLAN leaves the group. | Yes |
Support Fast-Leave IGMP and Forced Fast-Leave IGMP (below). | |
Multimedia Traffic Control with IP Multicast (IGMP) How IGMP Operates leave. The Querier will continue to transmit the multicast group during this short time, and because the group is no longer registered the switch will then flood the multicast group to all ports. On ProCurve switches that do support Data-Driven IGMP (“Smart” IGMP), when unregistered multicasts are received the switch automatically filters (drops) them.
Multimedia Traffic Control with IP Multicast (IGMP) How IGMP Operates In the next figure, automatic Fast-Leave operates on the switch ports for IGMP clients “3A” and “5A”, but not on the switch port for IGMP clients “7A” and 7B, Server “7C”, and printer “7D”. Fast-Leave IGMP automatically operates on the ports connected to IGMP clients 3A and 5A, but does not operate on the port connected to Switch 7X because the Series 5300xl switch detects multiple end nodes on that port.
Multimedia Traffic Control with IP Multicast (IGMP) How IGMP Operates Configuring Fast-Leave IGMP Syntax: [no] ip igmp fastleave < port-list > Enables IGMP fast-leaves on the specified ports in the selected VLAN. The no form of the command disables IGMP fast-leave on the specified ports in the selected VLAN. Use show running to display the ports per-VLAN on which Fast-Leave is disabled.
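The following is an added example, not code from the manual, that puts the "How IGMP Operates" description into running form: an IGMPv2 message builder/parser with checksum verification, and a small per-VLAN snooping table that registers joins, handles leaves either immediately (Fast-Leave on a port where only one end node has been seen) or after a group-specific query times out, floods the well-known 224.0.0.x range, and drops unregistered groups as data-driven IGMP does. Port names, host addresses, the group addresses and the `LEAVE_QUERY_TIMEOUT` value are constructed; the switch's real query timer values are not given on the page.

```python
"""Added example (not from the ProCurve manual): an IGMPv2 parser and a minimal
IGMP snooping table modelling join, leave and Fast-Leave. All input is constructed."""
import ipaddress
import struct

IGMP_MEMBERSHIP_QUERY = 0x11
IGMP_V2_REPORT = 0x16
IGMP_LEAVE = 0x17
MULTICAST_RANGE = ipaddress.ip_network("224.0.0.0/4")
WELL_KNOWN_RANGE = ipaddress.ip_network("224.0.0.0/24")   # always flooded, never filtered
LEAVE_QUERY_TIMEOUT = 2.0   # assumed: seconds to wait for a report after a group query


def inet_checksum(data):
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmpv2(msg_type, group, max_resp=0):
    body = struct.pack("!BBH4s", msg_type, max_resp, 0, ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_igmpv2(pkt):
    """Return (type, group); raise ValueError on a short packet or bad checksum."""
    if len(pkt) < 8 or inet_checksum(pkt[:8]) != 0:
        raise ValueError("bad IGMP length or checksum")
    msg_type, _max_resp, _csum, group = struct.unpack("!BBH4s", pkt[:8])
    return msg_type, str(ipaddress.IPv4Address(group))


class IgmpSnooper:
    """Snooping state for one VLAN: group -> {port -> set of reporting hosts}."""

    def __init__(self, ports, fastleave_ports=()):
        self.ports = set(ports)
        self.fastleave = set(fastleave_ports)
        self.groups = {}                               # group -> {port: {host_ip}}
        self.pending = {}                              # (group, port) -> query deadline
        self.hosts_seen = {p: set() for p in ports}    # end nodes observed per port

    def process(self, port, src_ip, pkt, now):
        msg_type, group = parse_igmpv2(pkt)
        self.hosts_seen[port].add(src_ip)
        if msg_type == IGMP_V2_REPORT:
            self.groups.setdefault(group, {}).setdefault(port, set()).add(src_ip)
            self.pending.pop((group, port), None)      # a report answers any open query
        elif msg_type == IGMP_LEAVE:
            members = self.groups.get(group, {}).get(port)
            if not members:
                return
            members.discard(src_ip)
            # Fast-Leave drops the port at once only where it is enabled and the
            # switch has seen a single end node on that port; otherwise the
            # querier asks who is left and the port is removed if nobody answers.
            if port in self.fastleave and len(self.hosts_seen[port]) == 1:
                self._remove(group, port)
            else:
                self.pending[(group, port)] = now + LEAVE_QUERY_TIMEOUT

    def tick(self, now):
        """Expire group-specific queries that received no report."""
        for (group, port), deadline in list(self.pending.items()):
            if now >= deadline:
                del self.pending[(group, port)]
                self._remove(group, port)

    def _remove(self, group, port):
        ports = self.groups.get(group, {})
        ports.pop(port, None)
        if not ports:
            self.groups.pop(group, None)

    def forward_ports(self, group):
        """Ports that receive traffic for group: all ports for well-known addresses,
        registered ports for joined groups, none for unregistered groups."""
        addr = ipaddress.IPv4Address(group)
        if addr not in MULTICAST_RANGE:
            raise ValueError("not a multicast address")
        if addr in WELL_KNOWN_RANGE:
            return set(self.ports)
        return set(self.groups.get(group, {}))
```

The checksum check in `parse_igmpv2` is the first thing a snooping implementation should do: a malformed report must not create group state, since that state controls where multicast traffic is copied.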
Multimedia Traffic Control with IP Multicast (IGMP) How IGMP Operates Configuring Delayed Group Flush When enabled, this feature continues to filter IGMP groups for a specified additional period of time after IGMP leaves have been sent. The delay in flushing the group filter prevents unregistered traffic from being forwarded by the server during the delay period. In practice, this is rarely necessary on 5300xl or 3400cl switches, which support data-driven IGMP.
Multimedia Traffic Control with IP Multicast (IGMP) Using the Switch as Querier Using the Switch as Querier The function of the IGMP Querier is to poll other IGMP-enabled devices in an IGMP-enabled VLAN to elicit group membership information. The switch performs this function if there is no other device in the VLAN, such as a multicast router, to act as Querier.
Excluding Well-Known or Reserved Multicast Addresses from IP Multicast Filtering Each multicast host group is identified by a single IP address in the range of 224.0.0.0 through 239.255.255.255. Specific groups of consecutive addresses in this range are termed "well-known" addresses and are reserved for predefined host groups.
Multimedia Traffic Control with IP Multicast (IGMP) Excluding Well-Known or Reserved Multicast Addresses from IP Multicast Filtering Notes IP Multicast Filters. This operation applies to the Procurve Series 5300xl switches, as well as on the 1600M, 2400M, 2424M, 4000M, and 8000M, but not to the Series 2500, 2650, Series 4100gl, Series 4200vl, or 6108 switches (which do not have static traffic/security filters). IP multicast addresses occur in the range from 224.0.0.0 through 239.255.255.
5 PIM-DM (Dense Mode) on the 5300xl Switches
Contents
Overview  5-2
Introduction  5-3
Feature Overview  5-4
PIM-DM Operation
Overview This chapter describes protocol-independent multicast routing operation on the ProCurve Series 5300xl switches and how to configure it with the switch's built-in interfaces, and assumes an understanding of multimedia traffic control with IP multicast (IGMP), which is described in chapter 4, "Multimedia Traffic Control with IP Multicast (IGMP)".
PIM-DM (Dense Mode) on the 5300xl Switches Introduction Introduction This feature operates only on the Series 5300xl switches.
Feature Overview PIM-DM on the Switch Series 5300XL devices includes: ■ Routing Protocol Support: PIM uses whichever unicast routing protocol is running on the routing switch.
PIM-DM (Dense Mode) on the 5300xl Switches PIM-DM Operation multicast group address (destination), but may reach many hosts in different subnets, depending on which hosts have issued joins for the same multicast group. PIM routes the multicast traffic for a particular S/G pair on paths between the source unicast address and the VLANs where it is requested (by joins from hosts connected to those VLANs). Physical destinations for a particular multicast group can be hosts in different VLANs or networks.
[Figure 5-1: a video server at the root of a multicast tree. Its traffic enters a routing switch running PIM, passes to routing switches running PIM and IGMP, and from there to IGMP switches and the hosts behind them.]
PIM-DM (Dense Mode) on the 5300xl Switches PIM-DM Operation Multicast Flow Management This section provides details on how the routing switch manages forwarding and pruned flows. This information is useful when planning topologies to include multicast support and when viewing and interpreting the “show” command output for PIM-DM features. Initial Flood and Prune.
[Figure 5-2: video servers feeding a set of 5300xl routing switches (5304XL #4 among them). Callouts: "These ProCurve 5300xl multicast routers support the state refresh feature but must handle periodic flood-prune cycles for the downstream routers that lack this" (callout cut off) and "These ProCurve 5300xl multicast routers support the state refresh feature and do not require periodic flood-prune cycles for a given multicast group, which frees up bandwidth for other uses."]
PIM-DM (Dense Mode) on the 5300xl Switches Terminology General Configuration Elements The configured elements PIM-DM requires are: Note 1. IP routing enabled on all routing switches you want to carry routed multicast traffic. 2.
PIM-DM (Dense Mode) on the 5300xl Switches PIM-DM Operating Rules Multicast Address: In IP multicast traffic on the switch, this is a single IP address that can be used by a group of related or unrelated clients wanting the same data. A single S/G pair consists of unicast source address and a multicast group address. Sometimes termed a “multicast group address”. See also “Source” and “S/G Pair”.
Configuring PIM-DM on the Series 5300xl Switches
Command | Page
PIM Global Context Commands
[no] ip multicast-routing | 5-12
[no] router pim | 5-12
state-refresh | 5-12
trap | 5-13
PIM Interface Context Commands
[no] ip pim | 5-15
[< all | source-ip-address >] | 5-15
[ hello-interval ] | 5-15
[ hello-delay ] | 5-16
[ graft-retry-interval ] | 5-16
[ max-graft-retries ] | 5-17
[ lan-prune-delay ] | 5-17
[ propagation-
PIM-DM (Dense Mode) on the 5300xl Switches Configuring PIM-DM on the Series 5300xl Switches PIM-DM requires configuration on both the global level and on the VLAN (interface) level. The recommended configuration order is: 1. Enable IGMP on all VLANs where hosts may join a multicast group. 2. Enable the following at the global level on the Switch Series 5300XL device.
PIM-DM (Dense Mode) on the 5300xl Switches Configuring PIM-DM on the Series 5300xl Switches Syntax: [no] router pim trap < all | neighbor-loss | hardware-mrt-full | software-mrt-full> Enables and disables these PIM SNMP traps: all — Enable/Disable all PIM notification traps. neighbor-loss — Enable/Disable the notification trap sent when the timer for a multicast router neighbor expires and the switch has no other multicast router neighbors on the same VLAN with a lower IP address. (Default: Disabled.
To configure global-level PIM operation for the "5308XL #1" routing switch, you would use the commands shown in figure 5-3, below. The figure's callouts label each command in the sequence: enables IP routing; enables multicast routing; enables PIM; enables RIP; configures a non-default State Refresh timer; sets an SNMP trap to notify an SNMP management station if the hardware multicast routing table fills with active flows.
PIM-DM (Dense Mode) on the 5300xl Switches Configuring PIM-DM on the Series 5300xl Switches After configuring the global-level PIM operation on a routing switch, go to the device’s VLAN context level for each VLAN you want to include in your multicast routing domain. (Refer to “PIM VLAN (Interface) Configuration Context”, below. PIM VLAN (Interface) Configuration Context Syntax: [no] ip pim [no] vlan < vid > ip pim Enables multicast routing on the VLAN interface to which the CLI is currently set.
PIM-DM (Dense Mode) on the 5300xl Switches Configuring PIM-DM on the Series 5300xl Switches For example, if multiple routers are connected to the same VLAN and the routing switch requests multicast traffic, all routers on the VLAN receive that traffic. (Those which have pruned the traffic will drop it when they receive it.
Syntax: ip pim [ max-graft-retries < 1 - 10 > ]
        vlan < vid > ip pim [ max-graft-retries < 1 - 10 > ]
Changes the number of times the routing switch will retry sending the same graft packet to join a flow. If a Graft Ack response is not received after the specified number of retries, the routing switch ceases trying to join the flow.
Syntax: ip pim [ propagation-delay < 250 - 2000 > ]
        vlan < vid > ip pim [ propagation-delay < 250 - 2000 > ]
        ip pim [ override-interval < 500 - 6000 > ]
        vlan < vid > ip pim [ override-interval < 500 - 6000 > ]
A routing switch sharing a VLAN with other multicast routers uses these two values to compute the lan-prune-delay setting (above) for how long to wait for a PIM-DM join after receiving a prune packet from downstream
Syntax: ip pim [ ttl-threshold < 0 - 255 > ]
        vlan < vid > ip pim
Sets the multicast datagram time-to-live (router hop-count) threshold for the VLAN. Any IP multicast datagrams or state refresh packets with a TTL less than this threshold will not be forwarded out the interface. The default value of 0 means all multicast packets are forwarded out the interface.
On the three routing switches, VLAN 25 is multinetted with subnets that match in only one instance. Since subnet 25.38.10.x exists on VLAN 25 in all routing switches, it serves as the source IP address for multicast traffic outbound on VLAN 25 for the network.
[Figure residue: Video Server; 5308XL #1 with VLAN 25 addresses 25.38.10.1, 25.38.11.1 and 25.38.12.1 (note the common subnet instance in multinetted VLAN 25, 25.38.10.x); VLAN 27 27.27.30.]
[Figure 5-6 callouts: Enables IP routing; required for multicast routing. Multinetting and IGMP enabled in VLAN 25. Multicast Routing Configuration for Global Level. Indicates the source IP address for multicast packets forwarded on this VLAN. Multicast Routing Configuration for VLAN 25. Multicast Routing Configurations for VLANs 27 and 29. Dashed lines indicate configuration settings affecting multicast routing.]
Figure 5-6.
Displaying PIM Data and Configuration Settings on the Series 5300xl Switches
Command: Page
show ip mroute: 5-23
   [ interface < vid > ]: 5-24
   [ < multicast-ip-addr > < source-ip-addr > ]: 5-25
show ip pim: 5-27
   [ interface [ < vid > ] ]: 5-28, 5-29
   [ mroute [ < multicast-group-address > < multicast-source-address > ] ]: 5-30, 5-31
   neighbor [ < ip-address > ]: 5-22, 5-33, 5-34
Displaying PIM Route Data
Syntax: show ip mroute
Without parameters, lists all VLANs actively forwarding routed multicast traffic.
Group Address: The multicast address of the specific multicast group (flow).
Source Address: The unicast address of the multicast group source.
Syntax: show ip mroute [ interface < vid > ]
Lists these settings:
VLAN: The VID specified in the command.
Protocol Identity: PIM-DM only.
TTL: The time-to-live threshold for packets forwarded through this VLAN. When configured, the routing switch drops multicast packets having a TTL lower than this value.
Syntax: show ip mroute [ < multicast-ip-addr > < source-ip-addr > ]
Lists the following data for the specified flow (multicast group):
Group Address: The multicast group IP address for the current group.
Source Address: The multicast source address < source-ip-addr > for the current group.
Source Mask: The subnet mask applied to the multicast source address < source-ip-addr >.
Multicast Routing Protocol: Identifies the multicast routing protocol through which the current flow was learned.
Unicast Routing Protocol: Identifies the routing protocol through which the routing switch learned the upstream interface for the current multicast flow. The listed protocol will be either RIP, OSPF, or Static Route.
A blank Neighbor field indicates that the multicast server is directly connected to the routing switch.
Figure 5-9. Example Output for “5300XL #1” Routing Switch in Figure 5-4 on Page 5-20
Displaying PIM Status
Syntax: show ip pim
Displays PIM status and global parameters.
PIM Status: Shows either enabled or disabled.
Figure 5-10. Example Output for the “5304XL #1” Routing Switch in Figure 5-4 on Page 5-20
Syntax: show ip pim [ interface ]
Lists the PIM interfaces (VLANs) currently configured in the routing switch.
VLAN: Lists the VID of each VLAN configured on the switch to support PIM-DM.
IP Address: Lists the IP addresses of the PIM interfaces (VLANs).
Mode: Shows dense only.
Figure 5-11.
Syntax: show ip pim [ interface [ < vid > ] ]
Displays the current configuration for the specified VLAN (PIM interface). Refer to table 5-1, below.
Figure 5-12. Example Output for the “5304xl #1” Routing Switch in Figure 5-4 on Page 5-20
Table 5-1.
Field                            Default   Control Command
Max Graft Retries                2         vlan < vid > ip pim graft-retries < 1 - 10 >
Override Interval (msec)         2500      vlan < vid > ip pim override-interval < 500 - 6000 >
Propagation Delay (msec)         500       vlan < vid > ip pim propagation-delay < 250 - 2000 >
SR TTL Threshold (router hops)   0         vlan < vid > ip pim ttl-threshold < 0 - 255 >
LAN Prune Delay                  Yes       vlan < vid > ip pim
This output shows the routing switch is receiving two multicast groups from an upstream device at 27.27.30.2. The “0” metric shows that the routing switch is directly connected to the multicast source.
Figure 5-13.
DownStream Interfaces:
– VLAN: Lists the VID of the destination VLAN on the next-hop multicast router.
– Prune Reason: Identifies the reason for pruning the flow to the indicated VLAN:
  • Prune: A neighbor multicast router has sent a prune request.
  • Assert: Another multicast router connected to the same VLAN has been elected to provide the path for the specified multicast group traffic.
Syntax: show ip pim [ neighbor ]
Lists PIM neighbor information for all PIM neighbors connected to the routing switch:
IP Address: Lists the IP address of a neighbor multicast router.
VLAN: Lists the VLAN through which the routing switch connects to the indicated neighbor.
Up Time: Shows the elapsed time during which the neighbor has maintained a PIM route to the routing switch.
Syntax: show ip pim [ neighbor [ < ip-address > ] ]
Lists the same information as show ip pim neighbor (page 5-33) for the specified PIM neighbor.
This example simulates output from the “5304XL #1” Routing Switch in Figure 5-4 on Page 5-20. The data is from the first downstream neighbor (“5300XL #2”).
Figure 5-16.
Operating Notes
Flow Capacity. The routing switch provides an ample multicast environment, supporting 1022 multicast flows in hardware across a maximum of 64 VLANs. (A flow comprises a unicast source address and a multicast group address, regardless of the number of active hosts belonging to the multicast group at any given time.)
Troubleshooting
Symptom: Noticeable slowdown in some multicast traffic. Possible cause: the switch is supporting more than 1022 active flows. This generates the message Unable to learn HW IP multicast groups, table FULL in the Event Log because there is no room in the hardware Multicast Routing Table to add another Multicast Group.
Messages Related to PIM Operation
These messages appear in the Event Log and, if Syslog Debug is configured, in the designated Debug destinations.
Note The value displayed at the end of each PIM Event Log message (and SNMP trap messages, if trap receivers are configured) indicates the number of times the switch has detected a recurring event since the last reboot.
Message / Meaning
I/F removal with IP < ip-addr > on vid < vlan-id > () — Indicates that a PIM interface (VLAN) has been removed from the router as a result of an IP address change or removal.
MCAST flow < multicast-address > < source-address > not rteing (rsc low) () — The indicated multicast flow is not routing.
Rcvd pkt from rtr < ip-address >, unkwn pkt type < value > () — A packet received from the router at < ip-address > is an unknown PIM packet type. (The < value > variable is the numeric value received in the packet.)
Rcvd pkt ver# < ver-num >, from < ip-address >, expected < ver-num > () — The versions of PIM-DM on the sending and receiving routers do not match.
Unable to alloc a msg buffer for < text-message > () — Multicast routing is unable to acquire memory for a flow. Router memory is oversubscribed. Reduce the number of VLANs or the number of features in use. Remedies include one or more of the following:
• Reduce the number of configured VLANs by moving some VLANs to another router.
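The PIM messages above are easy to miss in a busy Event Log, and the trailing "(n)" is a cumulative recurrence count since reboot rather than a per-line count, so summing it gives a misleading figure. The following Python script is an added example (not code from the manual or from ProCurve firmware) that parses those message texts, pulls out the addresses, VIDs and version numbers, and reports the highest recurrence count per message kind. The sample lines and the "severity date time pim:" line layout are constructed assumptions for the example; only the message texts follow the manual.

```python
import re
from dataclasses import dataclass, field

# Constructed sample Event Log lines. The "severity date time module: text" layout is an
# assumption for this example; the PIM message texts themselves follow the manual.
SAMPLE_LOG = """\
W 10/12/06 09:14:02 pim: MCAST flow 239.1.1.10 25.38.10.50 not rteing (rsc low) (3)
W 10/12/06 09:14:09 pim: Unable to learn HW IP multicast groups, table FULL (1)
I 10/12/06 09:15:30 pim: I/F removal with IP 27.27.30.1 on vid 27 (1)
W 10/12/06 09:16:11 pim: Rcvd pkt from rtr 27.27.30.2, unkwn pkt type 9 (12)
W 10/12/06 09:16:40 pim: Rcvd pkt ver# 1, from 27.27.30.2, expected 2 (4)
W 10/12/06 09:17:05 pim: Unable to alloc a msg buffer for prune (2)
I 10/12/06 09:18:00 ports: port A1 is now on-line
"""

# Assumed leading "severity date time pim:" part, and the trailing "(n)" recurrence count.
PREFIX_RE = re.compile(r"^(?P<sev>[IWME])\s+(?P<date>\S+)\s+(?P<time>\S+)\s+pim:\s*(?P<text>.*)$")
COUNT_RE = re.compile(r"\s*\((?P<count>\d+)\)\s*$")

# One regex per message kind, following the templates in the manual. Matching is done on
# the text with the recurrence count already removed, so the last open-ended field is safe.
PATTERNS = [
    ("interface_removed", re.compile(r"^I/F removal with IP (?P<ip>\S+) on vid (?P<vid>\d+)$")),
    ("flow_not_routing",  re.compile(r"^MCAST flow (?P<group>\S+) (?P<source>\S+) not rteing \(rsc low\)$")),
    ("hw_table_full",     re.compile(r"^Unable to learn HW IP multicast groups, table FULL$")),
    ("unknown_pkt_type",  re.compile(r"^Rcvd pkt from rtr (?P<ip>\S+), unkwn pkt type (?P<value>\d+)$")),
    ("version_mismatch",  re.compile(r"^Rcvd pkt ver# (?P<got>\d+), from (?P<ip>\S+), expected (?P<want>\d+)$")),
    ("msg_buffer_alloc",  re.compile(r"^Unable to alloc a msg buffer for (?P<what>.+)$")),
]


@dataclass
class PimEvent:
    kind: str
    severity: str
    count: int                 # recurrences since the last reboot, from the trailing "(n)"
    fields: dict = field(default_factory=dict)


def parse_pim_event(line):
    """Return a PimEvent for a PIM Event Log line, or None for lines from other modules."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    text = m.group("text")
    count = 0
    c = COUNT_RE.search(text)
    if c:
        count = int(c.group("count"))
        text = text[:c.start()]          # strip the count before matching the template
    for kind, pattern in PATTERNS:
        hit = pattern.match(text)
        if hit:
            return PimEvent(kind, m.group("sev"), count, hit.groupdict())
    return PimEvent("unclassified", m.group("sev"), count, {"text": text})


def parse_pim_log(log):
    """Parse every line of a log dump, keeping only the PIM events."""
    return [ev for ev in (parse_pim_event(ln) for ln in log.splitlines()) if ev is not None]


def summarize(events):
    """Per message kind: lines logged and the highest recurrence count seen. The count is
    cumulative since reboot, so the maximum (not the sum) is the true figure."""
    summary = {}
    for ev in events:
        s = summary.setdefault(ev.kind, {"lines": 0, "recurrences": 0})
        s["lines"] += 1
        s["recurrences"] = max(s["recurrences"], ev.count)
    return summary


if __name__ == "__main__":
    evs = parse_pim_log(SAMPLE_LOG)
    for ev in evs:
        print(ev)
    print(summarize(evs))
```

A "hw_table_full" event is the condition described under Troubleshooting (more than 1022 flows in hardware); repeated "unknown_pkt_type" or "version_mismatch" events from the same neighbor address point at a misconfigured or incompatible router on that VLAN and are worth alerting on.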
Exceptions to Support for RFC 2932 - Multicast Routing MIB
These MIB objects are not supported in the 5300XL routing switch.
6 Spanning-Tree Operation
Contents
Overview  6-3
The RSTP (802.1w) and STP (802.1D) Spanning Tree Options (5300xl, 3400/6400cl switches)  6-7
RSTP (802.1w)  6-7
STP (802.1D)
MST Regions  6-49
Regions, Legacy STP and RSTP Switches, and the Common Spanning Tree (CST)  6-51
MSTP Operation with 802.1Q VLANs  6-51
Terminology  6-52
Operating Rules
Overview
Note The Series 4200vl switches support MSTP only.
STP Features                         Default                                                              Menu        CLI
802.1D Spanning Tree Protocol *
  Viewing the STP Configuration      n/a                                                                  page 6-22   page 6-14
  Enable/Disable STP                 Disabled                                                             page 6-22   page 6-26
  Reconfiguring General Operation    priority: 32768; max age: 20 s; hello time: 2 s; fwd. delay: 15 s   page 6-22   page 6-27
  Reconfiguring Per-Port STP         path cost: var; priority: 128; mode: norm                            page 6-22   page 6-28
802.
configured with VLANs grouped into two instances, as follows:
VLANs        Instance 1   Instance 2
10, 11, 12   Yes          No
20, 21, 22   No           Yes
The logical and physical topologies resulting from these VLAN/Instance groupings result in blocking on different links for different VLANs:
[Figure residue: Region “A”: Logical Topology. Path blocked for VLANs in instance 2.]
Note for 802.1D and 802.1w Spanning-Tree Operation for the Series 5300xl and Series 3400/6400cl switches
You should enable spanning tree operation in any switch that is part of a redundant physical link (loop topology). (HP recommends that you do so on all switches belonging to a loop topology.) This topic is covered in more detail under “How STP and RSTP Operate on the 5300xl, 3400cl and 6400cl Switches” on page 6-8.
The RSTP (802.1w) and STP (802.1D) Spanning Tree Options (5300xl, 3400/6400cl switches)
Caution Spanning tree interprets a switch mesh as a single link. Because the switch automatically gives faster links a higher priority, the default STP or RSTP parameter settings are usually adequate for spanning tree operation.
STP (802.1D)
STP is supported on the Series 5300xl, 3400cl and 6400cl switches. The IEEE 802.1D version of spanning tree has been in wide use and can coexist in a network in which RSTP (802.1w) has been introduced. If your network currently uses 802.1D STP and you are not yet ready to implement RSTP, you can apply STP to the switch until such time as you are ready to move ahead with RSTP.
• Active path from node A to node B: 1 —> 3
• Backup (redundant) path from node A to node B: 4 —> 2 —> 3
[Figure residue: switches A, B, C and D joined by links 1 to 4, three links labelled path cost: 100 and one labelled path cost: 200; node A and node B at the ends.]
Figure 6-2. General Example of Redundant Paths Between Two Nodes
In the factory default configuration, spanning tree operation is off.
Problem: STP enabled with 2 separate (non-trunked) links blocks a VLAN link. Nodes 1 and 2 cannot communicate because STP is blocking the link.
Solution: STP enabled with one trunked link. Nodes 1 and 2 can communicate because STP sees the trunk as a single link and 802.1Q (tagged) VLANs enable the use of one (trunked) link for both VLANs.
Figure 6-3.
Configuring Rapid Reconfiguration Spanning Tree (RSTP)
RSTP is supported on the Series 5300xl, 3400cl and 6400cl switches. This section describes the operation of the IEEE 802.1w Rapid Spanning Tree Protocol (RSTP).
dant paths. If a switch or bridge in the path becomes disabled, spanning tree activates the necessary blocked segments to create the next most efficient path.
Transitioning from STP to RSTP
IEEE 802.1w RSTP is designed to be compatible with IEEE 802.1D STP.
Configuring RSTP
The default switch configuration has spanning tree disabled with RSTP as the selected protocol. That is, when spanning tree is enabled, RSTP is the version of spanning tree that is enabled, by default.
CLI: Configuring RSTP
Spanning Tree Commands in This Section   STP   RSTP   Page for RSTP Use
show spanning-tree config                Y     Y      Below on this page
spanning-tree                            Y     Y      page 6-15
protocol-version                         Y     Y      page 6-16
force-version                            N     Y      page 6-16
forward-delay < 4 - 30 >                 Y     Y      page 6-16
hello-time < 1 - 10 >                    Y     Y      page 6-16
maximum-age < 6 - 40 >                   Y     Y      page 6-16
priority < 0 - 15 | 0 - 6
In the default configuration, the output from this command appears similar to the following:
Figure 6-4. Example of the Spanning Tree Configuration Display (ProCurve Series 3400cl Switch)
Enabling or Disabling RSTP. Issuing the command to enable spanning tree on the switch implements, by default, the RSTP version of spanning tree for all physical ports on the switch.
For the STP version of spanning tree, the rest of the information in this section does not apply. Refer to “802.1D Spanning-Tree Protocol (STP) on 5300xl, 3400cl and 6400cl Switches” on page 6-22 for more information on the STP version and its parameters.
Reconfiguring Whole-Switch Spanning Tree Values.
Note Executing the spanning-tree command alone enables spanning tree. Executing the command with one or more of the whole-switch RSTP parameters shown in the table on the previous page, or with any of the per-port RSTP parameters shown in the table on page 6-18, does not enable spanning tree. It only configures the spanning tree parameters, regardless of whether spanning tree is actually running (enabled) on the switch.
Reconfiguring Per-Port Spanning Tree Values. You can configure one or more of the following parameters, which affect the spanning tree operation of the specified ports only:
Table 6-2. Per-Port RSTP Parameters
Parameter   Default   Description
edge-port   Yes       Identifies ports that are connected to end nodes. During spanning tree establishment, these ports transition immediately to the Forwarding state.
Parameter   Default   Description
priority    128       This parameter is used by RSTP to determine the port(s) to use for forwarding. The port with the lowest number has the highest priority. The range is 0 to 240, but you configure the value by entering a multiple of 16: you enter a value in the range 0 - 15, and the switch multiplies it by 16. The default value of 128 is derived from the default setting of 8.
Menu: Configuring RSTP
1. From the console CLI prompt, enter the menu command.
   ProCurve # menu
2. From the switch console Main Menu, select 2. Switch Configuration … 4. Spanning Tree Operation
3. Press [E] (for Edit) to highlight the Protocol Version parameter field.
4. Press the Space bar to select the version of spanning tree you wish to run: RSTP or STP.
7. Press the [Tab] key or use the arrow keys to go to the next parameter you want to change, then type in the new value or press the Space bar to select a value. (To get help on this screen, press [Enter] to select the Actions –> line, then press [H], for Help, to display the online help.)
8. Repeat step 6 for each additional parameter you want to change.
802.1D Spanning-Tree Protocol (STP) on 5300xl, 3400cl and 6400cl Switches
Menu: Configuring 802.1D STP
1. From the Main Menu, select: 2. Switch Configuration … 4. Spanning Tree Operation
   [Figure 6-6 callout: Use this field to select the 802.1D version of STP.]
   Figure 6-6. The Default “Spanning Tree Operation” Screen
2. Press [E] (for Edit) to highlight the Protocol Version field.
[Figure 6-7 callouts: Use this field to enable spanning tree. Read-Only Fields.]
Figure 6-7. Enabling Spanning-Tree Operation
6. If the remaining STP parameter settings are adequate for your network, go to step 10.
7. Use [Tab] or the arrow keys to select the next parameter you want to change, then type in the new value or press the Space Bar to select a value.
[Figure 6-8 callout: The Spanning Tree Operation menu is not present for the Series 4200vl switches.]
Figure 6-8. The Configuration Menu Indicating a Reboot Is Needed to Implement a Configuration Change
11. Press [0] to return to the Main menu.
Figure 6-9. The Main Menu Indicating a Reboot Is Needed To Implement a Configuration Change
12. Press [6] to reboot the switch.
CLI: Configuring 802.
Configuring the Switch To Use the 802.1D Spanning Tree Protocol (STP). In the default configuration, the switch is set to RSTP (that is, 802.1w Rapid Spanning Tree), and spanning tree operation is disabled. To reconfigure the switch to 802.1D spanning tree, you must:
1. Change the spanning tree protocol version to stp.
2. Use write memory to save the change to the startup-configuration.
3.
Enabling STP implements the spanning tree protocol for all physical ports on the switch, regardless of whether multiple VLANs are configured. Disabling STP removes protection against redundant loops that can significantly slow or halt a network. This command enables STP with the current parameter settings or disables STP without losing the most-recently configured parameter settings.
Table 6-3. General STP Operating Parameters
Name           Default      Range            Description
priority       32768        0 - 65535        Specifies the priority value used along with the switch MAC address to determine which device is root. The lower a priority value, the higher the priority.
*maximum-age   20 seconds   6 - 40 seconds   Maximum received message age the switch allows for STP information before discarding the message.
Table 6-4. Per-Port STP Parameters
Name        Default                                              Range       Function
path-cost   Ethernet: 100; 10/100Tx: 10; 100Fx: 10; Gigabit: 5   1 - 65535   Assigns an individual port cost that the switch uses to determine which ports are the forwarding ports.
priority    128                                                  0 - 255     Used by STP to determine the port(s) to use for forwarding. The port with the lowest number has the highest priority.
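The following Python script is an added worked example (not code from the manual or from ProCurve firmware) of the election that tables 6-3 and 6-4 describe: the root is the switch with the lowest (priority, MAC) bridge ID, each other switch picks the root port that gives the lowest total path cost, one designated port is chosen per link, and any port that is neither becomes blocking. The topology is loosely modelled on figure 6-2 (a direct two-link path and a longer three-link backup between node A's switch and node B's switch); switch names, MAC addresses, link numbering and costs are assumptions constructed for the example. Running it twice, once with all priorities at the 32768 default and once with one switch lowered, shows how the priority value alone relocates the root and the blocked port.

```python
import heapq

# Constructed topology: node A hangs off switch A, node B off switch B. Bridge IDs are
# (priority, MAC) tuples, so Python's tuple ordering gives the STP "lowest ID wins" rule.
SWITCHES = {
    "A": (32768, "00:10:00:00:00:0a"),
    "B": (32768, "00:10:00:00:00:0b"),
    "C": (32768, "00:10:00:00:00:0c"),
    "D": (32768, "00:10:00:00:00:0d"),
}
# link id -> (end 1, end 2, path cost). Links 1 and 3 form the short path A-D-B;
# links 4, 2 and 3 form the backup A-C-D-B, with link 4 the expensive one.
LINKS = {
    1: ("A", "D", 100),
    2: ("C", "D", 100),
    3: ("D", "B", 100),
    4: ("A", "C", 200),
}


def other_end(link, node):
    a, b, _ = link
    return b if node == a else a


def compute_spanning_tree(switches, links):
    """Elect the root and find each switch's root path cost and root port (the link it
    uses toward the root). Ties on cost go to the lower upstream bridge ID, then the
    lower link number, standing in for the port identifier."""
    root = min(switches, key=switches.get)
    adj = {n: [] for n in switches}
    for lid, (a, b, cost) in links.items():
        adj[a].append((b, lid, cost))
        adj[b].append((a, lid, cost))
    rpc, root_port, settled = {}, {}, set()
    heap = [(0, switches[root], 0, root)]          # (cost, upstream bridge id, link, switch)
    while heap:
        cost, _, lid, node = heapq.heappop(heap)
        if node in settled:
            continue
        settled.add(node)
        rpc[node] = cost
        if node != root:
            root_port[node] = lid
        for nbr, l, c in adj[node]:
            if nbr not in settled:
                heapq.heappush(heap, (cost + c, switches[node], l, nbr))
    return root, rpc, root_port


def port_states(switches, links):
    """Return (root, root path costs, {(switch, link): 'root'|'designated'|'blocking'})."""
    root, rpc, root_port = compute_spanning_tree(switches, links)
    states = {}
    for lid, (a, b, _) in links.items():
        # The designated end of a link is the one closer to the root; ties go to the lower bridge ID.
        designated = min((a, b), key=lambda n: (rpc[n], switches[n]))
        for end in (a, b):
            if root_port.get(end) == lid:
                states[(end, lid)] = "root"
            elif end == designated:
                states[(end, lid)] = "designated"
            else:
                states[(end, lid)] = "blocking"
    return root, rpc, states


def with_priority(switches, name, priority):
    """Copy of the switch table with one switch's priority changed (table 6-3 'priority')."""
    changed = dict(switches)
    changed[name] = (priority, switches[name][1])
    return changed


if __name__ == "__main__":
    for label, table in (("default priorities", SWITCHES),
                         ("switch B priority 4096", with_priority(SWITCHES, "B", 4096))):
        root, rpc, states = port_states(table, LINKS)
        print(f"{label}: root={root} costs={rpc}")
        for key in sorted(states):
            print(f"   switch {key[0]} link {key[1]}: {states[key]}")
```

With equal priorities the lowest MAC (switch A) becomes root and switch C blocks its port on link 2, leaving node A to node B on links 1 and 3; lowering switch B's priority makes B the root and moves the blocked port to switch C's end of link 4. The same function can be used to predict which link a planned priority change will block before it is applied.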
state, the server access will fail. To provide support for this end node behavior, the switches covered by this manual offer a configuration mode, called “Fast Mode”, that causes the switch port to skip the standard STP start-up sequence and put the port directly into the “Forwarding” state, thus allowing the server access request to be forwarded when the end node needs it.
Note Fast-Uplink STP operates only with 802.1D STP and is not available with the Rapid STP (802.1w) feature (6-11).
Caution In general, fast-uplink spanning tree on the switch is useful when running STP in a tiered topology that has well-defined edge switches. Also, ensure that an interior switch is used for the root switch and for any logical backup root switches.
on the other end of the links can be either ProCurve devices or another vendor’s devices, regardless of whether they support fast uplink. For example:
[Figure residue: 3400cl or 5300xl Switch (Wiring Closet or Edge Switch) with ports A through E, uplinked to the STP Root Switch and the LAN. Port A is the STP root port. Port B provides a backup redundant link that becomes the new STP root port (uplink port) if the link through port A fails.]
to transition to forwarding. In a normal spanning tree environment, this transition is usually 30 seconds (with the Forward Delay parameter set to its default of 15 seconds). However, by using the fast-uplink spanning tree feature, a port on a switch used as an edge switch can make this transition in as little as ten seconds.
Configure fast-uplink on only the edge switch ports used for providing redundant STP uplink connections in a network. (Configuring Fast-Uplink STP on ports in interior switches can create network performance problems.) That is, a port configured for STP uplink should not be connected to a switch that is sequentially further away from the STP root device.
Menu: Viewing and Configuring Fast-Uplink STP
You can use the menu to quickly display the entire STP configuration and to make any STP configuration changes.
To View and/or Configure Fast-Uplink STP. This procedure uses the Spanning Tree Operation screen to enable STP and to set the Mode for fast-uplink STP operation.
1. From the Main Menu select: 2. Switch Configuration … 4. Spanning Tree Operation
2.
3. If the Protocol Version is set to RSTP (as shown in figure 6-15), do the following:
   a. Press [E] (Edit) to move the cursor to the Protocol Version field.
   b. Press the Space bar once to change the Protocol Version field to STP.
   c. Press [Enter] to return to the command line.
   d. Press [S] (for Save) to save the change and exit from the Spanning Tree Operation screen.
In this example, ports A2 and A3 have already been configured as a port trunk (Trk1), which appears at the end of the port listing. All ports (and the trunk) are in their default STP configuration.
Note: In the actual menu screen, you must scroll the cursor down the port list to view the trunk configuration (ports A2 and A3).
Figure 6-17. The Spanning Tree Operation Screen
4.
[Figure 6-18 callouts: STP is enabled. Port A1 and Trk1 are now configured for fast-uplink STP.]
Figure 6-18. Example of STP Enabled with Two Redundant Links Configured for Fast-Uplink STP
5. Press [S] (for Save) to save the configuration changes to flash (non-volatile) memory.
To View Fast-Uplink STP Status.
[Figure 6-19 callout: Indicates which uplink is the active path to the STP root device.]
Note: A switch using fast-uplink STP must never be the STP root device.
Figure 6-19. Example of STP Status with Trk1 (Trunk 1) as the Path to the STP Root Device
2. Press [S] (for Show ports) to display the status of individual ports.
In figure 6-20:
• Port A1 and Trk1 (trunk 1; formed from ports A2 and A3) are redundant fast-uplink STP links, with trunk 1 forwarding (the active link) and port A1 blocking (the backup link). (To view the configuration for port A1 and Trk1, see figure 6-18 on page 6-38.)
• If the link provided by trunk 1 fails (on both ports), then port A1 begins forwarding in fast-uplink STP mode.
[Figure 6-22 callouts: Indicates that Trk1 (Trunk 1) provides the currently active path to the STP root device. Redundant STP link in the Blocking state. Links to PC or Workstation End Nodes. Redundant STP link in the Forwarding state. (See the “Root Port” field, above. This is the currently active path to the STP root device.)]
Figure 6-22.
[Figure 6-23 callouts: STP Enabled on the Switch. Fast-Uplink STP Configured on Port A1 and Trunk 1 (Trk1).]
Figure 6-23. Example of a Configuration Supporting the STP Topology Shown in Figure 6-21
Using the CLI To Configure Fast-Uplink STP. This example uses the CLI to configure the switch for the fast-uplink operation shown in figures 6-21, 6-22, and 6-23.
[Figure 6-24 callouts: Lists STP configuration. Shows the default STP protocol. 1. Changes the Spanning-Tree protocol to STP (required for Fast-Uplink). 2. Saves the change to the startup-configuration. 3. Reboots the switch (required for this configuration change).]
Figure 6-24. Example of Changing the STP Configuration from the Default RSTP (802.1w) to STP (802.
Note When you add a port to a trunk, the port takes on the STP mode configured for the trunk, regardless of which STP mode was configured on the port before it was added to the trunk. Thus, all ports belonging to a trunk configured with Uplink in the STP Mode field will operate in the fast-uplink mode.
802.1s Multiple Spanning Tree Protocol (MSTP)
The 802.1D and 802.1w spanning tree protocols (5300xl, 3400cl and 6400cl switches) operate without regard to a network’s VLAN configuration, and maintain one common spanning tree throughout a bridged network. Thus, these protocols map one loop-free, logical topology on a given physical topology. The 802.
Caution Spanning tree interprets a switch mesh as a single link (meshing is supported on the 5300xl, 3400cl and 6400cl switches only). Because the switch automatically gives faster links a higher priority, the default MSTP parameter settings are usually adequate for spanning tree operation.
[Figure 6-25 residue: Common and Internal Spanning Tree (CIST) containing the Common Spanning Tree (CST); switches running STP and switches running RSTP outside the regions; two MST Regions, each with an IST Instance and optional MSTIs.]
Figure 6-25.
in a single, active spanning tree topology (instance) within the IST. This is termed the “IST instance”. Any VLANs you subsequently configure on the switch are added to this IST instance. To create separate forwarding paths within a region, group specific VLANs into different Multiple Spanning Tree Instances (MSTIs). (Refer to “Multiple Spanning Tree Instance”, below.)
How MSTP Operates
In the factory default configuration, spanning tree operation is off. Also, the switch retains its currently configured spanning tree parameter settings when disabled. Thus, if you disable spanning tree, then later re-enable it, the parameter settings will be the same as before spanning tree was disabled.
[Figure residue: Region “X” with a path through the IST instance to other regions. Switch 1 is the IST Root, Switch 2 the MSTI “A” Root and Switch 3 the MSTI “B” Root. VLAN memberships on each switch: IST Instance: VLANs 1, 2; MSTI “A”: 4, 5; MSTI “B”: 7, 9. One link is blocked for MSTI “B”, one for MSTI “A”, and one for the IST instance.]
All MSTP switches (as well as STP and RSTP switches) in a network use BPDUs (Bridge Protocol Data Units) to exchange information from which to build multiple, active topologies in the individual instances within a region and between regions. From this information:
■ The MSTP switches in each LAN segment determine a designated bridge and designated port or trunk for the segment.

Figure 6-27. (Diagram; caption truncated.)
Problem: An MST instance with two separate (non-trunked) links blocks a VLAN link. Nodes 1 and 2 cannot communicate because MSTP is blocking the link.
Solution: Configure one trunked link for the two VLAN memberships. Nodes 1 and 2 can communicate because the MST instance sees the trunk as a single link and 802.1Q (tagged) VLANs enable the use of one (trunked) link for both VLANs.

Common Spanning Tree (CST): Refers to the single forwarding path the switch calculates for STP (802.1D) and RSTP (802.1w) topologies, and for inter-regional paths in MSTP (802.1s) topologies. Note that all three types of spanning tree can interoperate in the same network. Also, the MSTP switch interprets a device running 802.1D STP or 802.1w RSTP as a separate region. (Refer to figure 6-25 on page 6-47.

■ Within a region, a VLAN can be allocated to either a single MSTI or to the region’s IST instance.
■ All switches in a region must have the same VID-to-MST instance and VID-to-IST instance assignments.
■ There is one root MST switch per configured MST instance.
■ Within any region, the root switch for the IST instance is also the root switch for the region.
■ A port can have different states (forwarding or blocking) for different instances (which represent different forwarding paths).
■ MSTP interprets a switch mesh as a single link.
■ A dynamic VLAN learned by GVRP will always be placed in the IST instance and cannot be moved to any configured MST instance.

Transitioning from STP or RSTP to MSTP

Note: STP and RSTP are available on the Series 5300xl, 3400cl and 6400cl switches. IEEE 802.

incompatibility between devices running the older 802.1D STP and your switch running MSTP or RSTP. Please see the “Note on Path Cost” on page 6-19 for more information on adjusting to this incompatibility.

Tips for Planning an MSTP Application
■ Ensure that the VLAN configuration in your network supports all of the forwarding paths necessary for the desired connectivity.

Note on MSTP Rapid State Transitions: Under some circumstances the rapid state transitions employed by MSTP (and RSTP) can increase the rates of frame duplication and misordering in the switched LAN.

• Optional MSTP parameter changes for region settings: HP recommends that you leave these parameters at their default settings for most networks. Refer to the “Caution” on page 6-48.
– The maximum number of hops before the MSTP BPDU is discarded (default: 20): spanning-tree max-hops
3.

default auto allows the switch to calculate the path-cost from the link speed: spanning-tree instance
5. Enable spanning-tree operation on the switch.
Syntax: spanning-tree protocol-version mstp
Note: This command is not present for the 4200vl switches.
Changes the current spanning-tree protocol on the switch to 802.1s Multiple Spanning Tree. Must be followed by write mem and reboot to activate the change. After rebooting, the switch is ready to operate as an MSTP bridge. Note that this command does not enable spanning-tree operation.

Syntax: [no] spanning-tree config-name < ascii-string >
This command resets the configuration name of the MST region in which the switch resides. This name can include up to 32 nonblank characters and is case-sensitive. On all switches within a given MST region, the configuration names must be identical. Thus, if you want more than one MSTP switch in the same MST region, you must configure the identical region name on all such switches.

Syntax: spanning-tree max-hops < hop-count >
This command resets the number of hops allowed for BPDUs in an MST region. When an MSTP switch receives a BPDU, it decrements the hop-count setting the BPDU carries. If the hop-count reaches zero, the receiving switch drops the BPDU.

Syntax: spanning-tree hello-time < 1..10 >
If MSTP is running and the switch is operating as the CIST root for your network, this command specifies the time in seconds between transmissions of BPDUs for all ports on the switch configured with the Global option (the default). This parameter applies in MSTP, RSTP and STP modes.

[ mcheck ] Forces a port to send RSTP BPDUs for 3 seconds. This allows another switch connected to the port and running RSTP to establish its connection quickly, and identifies switches running 802.1D STP. If the whole-switch force-version parameter is set to stp-compatible, the switch ignores the mcheck setting and sends 802.1D STP BPDUs out all ports.

[point-to-point-mac < force-true | force-false | auto >] This parameter informs the switch of the type of device to which a specific port connects. Force-True (default): Indicates a point-to-point link to a device such as a switch, bridge, or end-node. Force-False: Indicates a connection to a hub (which is a shared LAN segment). Auto: Causes the switch to set Force-False on the port if it is not running at full duplex.

Configuring MST Instance Parameters
Command (page):
[no] spanning-tree instance < 1..16 > vlan < vid > [ vid..vid ] (page 6-66)
no spanning-tree instance < 1..16 > (page 6-66)
spanning-tree instance < 1..16 > priority (page 6-67)
spanning-tree priority (page 6-68)
Syntax: [no] spanning-tree instance < 1..16 > vlan < vid [ vid..

Syntax: spanning-tree instance < 1..16 > priority < 0 .. 15 >
This command sets the switch (bridge) priority for the designated instance. This priority is compared with the priorities of other switches in the same instance to determine the root switch for the instance. The lower the priority value, the higher the priority. (If there is only one switch in the instance, then that switch is the root switch for the instance.

Syntax: spanning-tree priority < priority-multiplier >
Every switch running an instance of MSTP has a Bridge Identifier, which is a unique identifier that helps distinguish this switch from all others. The switch with the lowest Bridge Identifier is elected as the root for the tree. The Bridge Identifier is composed of a configurable Priority component (2 bytes) and the bridge’s MAC address (6 bytes).

Configuring MST Instance Per-Port Parameters
Command (page):
spanning-tree instance < 1..16 > < port-list > path-cost < auto | 1..200000000 > (page 6-69)
spanning-tree instance < 1..16 > < port-list > priority < priority-multiplier > (page 6-70)
spanning-tree < port-list > priority < priority-multiplier > (page 6-71)
Syntax: spanning-tree instance < 1..16 > < port-list > path-cost < auto | 1..

Syntax: spanning-tree instance < 1..16 > < port-list > priority
This command sets the priority for the specified port(s) in the specified MST instance. (For a given port, the priority setting can be different for different MST instances to which the port may belong.) The priority range for a port in a given MST instance is 0-255. However, this command specifies the priority as a multiplier (0 - 15) of 16.

Syntax: spanning-tree < port-list > priority < priority-multiplier >
This command sets the priority for the specified port(s) for the IST (that is, Instance 0) of the region in which the switch resides. The “priority” component of the port’s “Port Identifier” is set. The Port Identifier is a unique identifier that helps distinguish this switch’s ports from all others.
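The following is an added illustration of how the priority multipliers above turn into the Bridge Identifier and Port Identifier values that decide a root election; it is not ProCurve code and not from this manual. The manual states only that the Bridge Identifier is a 2-byte priority plus a 6-byte MAC, that the bridge priority multiplier is 0-15 and the port priority is a multiplier (0-15) of 16, and that the lowest identifier wins. The bit layouts used here (bridge priority multiplier × 4096 in the high nibble with the 12-bit instance ID below it, and port priority multiplier × 16 as the high byte of a 16-bit Port Identifier above a 12-bit port number) are the IEEE 802.1s/802.1t layouts and are an assumption about what the switch encodes, not something the page says. The MAC addresses and switch names are constructed sample data.

```python
"""Bridge Identifier / Port Identifier encoding and per-instance root election.

Added illustration, not ProCurve code. Assumed (from IEEE 802.1s/802.1t, not
from the manual): the 2-byte priority field is (multiplier * 4096) | instance
ID, and the 2-byte Port Identifier is ((multiplier * 16) << 8) | port number.
"""


def bridge_id(priority_multiplier: int, mac: str, instance: int = 0) -> int:
    """8-byte Bridge Identifier as an integer; a lower value wins the election."""
    if not 0 <= priority_multiplier <= 15:
        raise ValueError("priority multiplier must be 0..15")
    if not 0 <= instance <= 4095:
        raise ValueError("instance ID must fit in 12 bits")
    mac_int = int(mac.replace(":", "").replace("-", ""), 16)
    if mac_int >= 1 << 48:
        raise ValueError("MAC must be 48 bits")
    priority_field = (priority_multiplier * 4096) | instance  # assumed 802.1s layout
    return (priority_field << 48) | mac_int


def port_id(priority_multiplier: int, port_number: int) -> int:
    """2-byte Port Identifier; the manual's 'multiplier (0-15) of 16' is the high byte."""
    if not 0 <= priority_multiplier <= 15:
        raise ValueError("port priority multiplier must be 0..15")
    if not 1 <= port_number <= 4095:
        raise ValueError("port number must fit in 12 bits")
    return ((priority_multiplier * 16) << 8) | port_number  # assumed 802.1t layout


def elect_root(candidates: dict, instance: int = 0) -> str:
    """candidates: {switch_name: (priority_multiplier, mac)}. Returns the root's name.

    Lower priority value wins; with equal priorities the lowest MAC wins. A switch
    that is alone in the instance is trivially the root, as the manual notes.
    """
    if not candidates:
        raise ValueError("no switches in the instance")
    return min(candidates, key=lambda n: bridge_id(candidates[n][0], candidates[n][1], instance))


def fmt_bridge_id(bid: int) -> str:
    """Render as '<priority field decimal>.<MAC>', e.g. '32769.00:11:85:00:00:01'."""
    priority_field = bid >> 48
    mac_hex = f"{bid & ((1 << 48) - 1):012x}"
    return f"{priority_field}." + ":".join(mac_hex[i:i + 2] for i in range(0, 12, 2))


# Constructed sample region: three switches at the factory-default multiplier 8.
SAMPLE = {
    "Switch 1": (8, "00:11:85:00:00:01"),
    "Switch 2": (8, "00:11:85:00:00:02"),
    "Switch 3": (8, "00:11:85:00:00:03"),
}
# Same switches, but Switch 2 has been given multiplier 0 in instance 1 (MSTI "A").
SAMPLE_MSTI_A = {**SAMPLE, "Switch 2": (0, "00:11:85:00:00:02")}

if __name__ == "__main__":
    print("IST root:   ", elect_root(SAMPLE, 0))         # tie on priority, lowest MAC wins
    print("MSTI A root:", elect_root(SAMPLE_MSTI_A, 1))  # multiplier 0 beats the defaults
    for name, (mult, mac) in SAMPLE_MSTI_A.items():
        print(f"  {name}: {fmt_bridge_id(bridge_id(mult, mac, 1))}")
```

The election is purely numeric: any bridge on the wire that advertises a lower identifier (multiplier 0 and a low MAC) becomes root for that instance, and nothing in the BPDU exchange described on this page authenticates the sender. That is why the manual's advice to set the priority explicitly on the switch you intend to be root matters, and why a root that moves unexpectedly is worth investigating rather than accepting.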
Enabling or Disabling Spanning Tree Operation
This command enables or disables spanning tree operation for any spanning tree protocol enabled on the switch. Before using this command to enable spanning tree, ensure that the version you want to use is active on the switch.

1. Configure the VLANs you want included in any instances in the new region. When you create the pending region, all VLANs configured on the switch will be assigned to the pending IST instance unless assigned to other, pending MST instances.
2. Configure MSTP as the spanning-tree protocol, then execute write mem and reboot. (The pending option is available only with MSTP enabled.)
3.

9. To view the current pending MSTP configuration, use the show spanning-tree pending command (page 6-80).

Displaying MSTP Statistics and Configuration
Command (page):
MSTP Statistics:
show spanning-tree [< port-list >] (below)
show spanning-tree instance < ist | 1..16 > (page 6-76)
MSTP Configuration:
show spanning-tree [ port-list ] config (page 6-77)
show spanning-tree [ port-list ] config instance < ist | 1..

Callouts for the show spanning-tree output (figure number truncated): the output shows the switch’s spanning tree configuration and the identity of the VLANs configured in the switch for the IST instance; identifies the overall spanning-tree root for the network; lists the switch’s MSTP root data for connectivity with other regions and STP or RSTP devices; and identifies the spanning-tree root for the IST instance for the region.

Displaying Switch Statistics for a Specific MST Instance.
Syntax: show spanning-tree instance < ist | 1..16 >
This command displays the MSTP statistics for either the IST instance or a numbered MST instance running on the switch. Figure 6-29.

Displaying the MSTP Configuration
Displaying the Global MSTP Configuration. This command displays the switch’s basic and MST region spanning-tree configuration, including basic port connectivity settings.
Syntax: show spanning-tree config
The upper part of this output shows the switch’s global spanning-tree configuration that applies to the MST region.

Displaying Per-Instance MSTP Configurations. These commands display the per-instance port configuration and current state, along with instance identifiers and regional root data.
Syntax: show spanning-tree config instance < ist | 1..16 >
The upper part of this output shows the instance data for the specified instance. The lower part of the output lists the spanning-tree port settings for the specified instance.

Displaying the Region-Level Configuration in Brief. This command output is useful for quickly verifying the allocation of VLANs in the switch’s MSTP configuration and for viewing the configured region identifiers.
Syntax: show spanning-tree mst-config
This command displays the switch’s regional configuration. Note: The switch computes the MSTP Configuration Digest from the VID to MSTI configuration mappings on the switch itself.

Displaying the Pending MSTP Configuration. This command displays the MSTP configuration the switch will implement if you execute the spanning-tree pending apply command (Refer to “Enabling an Entire MST Region at Once or Exchanging One Region Configuration for Another” on page 6-72.)
Syntax: show spanning-tree pending < instance | mst-config >
instance < 1..16 | ist > Lists region, instance I.D.

Operating Notes
SNMP MIB Support for MSTP. MSTP is a superset of the STP/802.1D and RSTP/802.1w protocols and uses the MIB objects defined for these two protocols.

Troubleshooting
Duplicate packets on a VLAN, or packets not arriving on a LAN at all. The allocation of VLANs to MSTIs may not be identical among all switches in a region.
A Switch Intended To Operate Within a Region Does Not Receive Traffic from Other Switches in the Region.
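The note under show spanning-tree mst-config says the switch computes the MSTP Configuration Digest from its own VID-to-MSTI mappings, and both troubleshooting entries above come down to the same cause: two switches that were meant to share a region do not agree on that mapping. The following added example, which is not ProCurve code and not from this manual, computes the digest so you can see why a single mis-assigned VLAN puts a switch in a region of its own. The manual gives only the facts that the digest derives from the VID-to-MSTI table and that region members need identical config names and VID assignments; the algorithm used here (HMAC-MD5 over a 4096-entry table of 2-byte instance numbers indexed by VID, with the fixed key shown) is the IEEE 802.1s definition and is an assumption about what the switch implements, as is treating the revision level as part of region identity. The VLAN layout is the page's region “X” figure; the config name, revision and the “mistyped” third switch are constructed.

```python
"""MST Configuration Digest: why a VID-to-instance mismatch splits a region.

Added illustration, not ProCurve code. Assumed (IEEE 802.1s / 802.1Q clause
13.7, not stated on the page): HMAC-MD5 over a 4096-entry table of 2-octet
MSTI numbers indexed by VID, keyed with the fixed value below; region
identity = (config name, revision level, digest).
"""
import hashlib
import hmac

# Fixed key defined by IEEE 802.1s for the MST Configuration Digest (assumption: standard value).
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
IST = 0


def mst_config_digest(vlan_to_instance: dict) -> str:
    """Hex digest for a {vid: instance} mapping; unlisted VIDs stay in the IST (instance 0)."""
    table = bytearray(4096 * 2)  # VID 0..4095, two octets each, all IST by default
    for vid, inst in vlan_to_instance.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"VID {vid} out of range")
        if not 0 <= inst <= 4094:
            raise ValueError(f"instance {inst} out of range")
        table[2 * vid:2 * vid + 2] = inst.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest()


def region_identity(config_name: str, revision: int, vlan_to_instance: dict) -> tuple:
    """The three values a neighbour must match before its BPDUs count as intra-region."""
    if len(config_name) > 32 or " " in config_name:
        raise ValueError("config name: up to 32 nonblank characters")
    return (config_name, revision, mst_config_digest(vlan_to_instance))


def same_region(a: tuple, b: tuple) -> bool:
    """Identical name, revision and digest: otherwise the peer is another region."""
    return a == b


# Constructed sample using the page's region "X" layout: IST = VLANs 1, 2;
# MSTI 1 ("A") = VLANs 4, 5; MSTI 2 ("B") = VLANs 7, 9.
REGION_X = {4: 1, 5: 1, 7: 2, 9: 2}
# Third switch where VLAN 5 was typed into instance 2 instead of instance 1.
MISTYPED = {4: 1, 5: 2, 7: 2, 9: 2}

SWITCH1 = region_identity("RegionX", 1, REGION_X)
SWITCH2 = region_identity("RegionX", 1, REGION_X)
SWITCH3 = region_identity("RegionX", 1, MISTYPED)

if __name__ == "__main__":
    print("factory-default digest (all VLANs in IST):", mst_config_digest({}))
    print("switch 1 / switch 2 same region:", same_region(SWITCH1, SWITCH2))
    print("switch 1 / switch 3 same region:", same_region(SWITCH1, SWITCH3))
    print("switch 1 digest:", SWITCH1[2])
    print("switch 3 digest:", SWITCH3[2])
```

Comparing the digest line of show spanning-tree mst-config on each switch is therefore the fastest check for the troubleshooting symptoms above: the name can match and the VLAN lists can look alike at a glance, yet one differing VID assignment yields an unrelated digest and the switch becomes its own region, forwarding on the CIST only. Note that this digest is a consistency check, not an integrity or authentication mechanism: the key is public, so any device can compute a matching digest for any mapping.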
7 Switch Meshing Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Switch Meshing Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4 Operating Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5 Using a Heterogeneous Switch Mesh . . . . . . . .
Switch Meshing

Introduction
Switch meshing is not available on the Series 4200vl switches. Switch meshing is a load-balancing technology that enhances reliability and performance in these ways:
■ Provides significantly better bandwidth utilization than either Spanning Tree Protocol (STP) or standard port trunking.
■ Uses redundant links that remain open to carry traffic, removing any single point of failure for disabling the network, and allowing quick responses to individual link failures.

Finding the Fastest Path. Using multiple switches redundantly linked together to form a meshed switch domain, switch meshing dynamically distributes traffic across load-balanced switch paths by seeking the fastest paths for new traffic between nodes. In actual operation, the switch mesh periodically determines the best (lowest latency) paths, then assigns these paths as the need arises. The path assignment remains until the related MAC address entry times out.

Switch Meshing Fundamentals

Terminology
Switch Mesh Domain. This is a group of meshed switch ports exchanging meshing protocol packets. Paths between these ports can have multiple redundant links without creating broadcast storms.
Figure 7-2. Example of a Switch Mesh Domain in a Network (diagram: Switches 1 through 4 form the switch mesh domain, with hubs and workstations attached and non-mesh switches outside the domain; Edge Switches: 1, 2, & 4.)
Edge Switch.

Operating Rules (See also “Mesh Design Optimization” on page 7-24.)
■ A meshed switch can have some ports in the meshed domain and other ports outside the meshed domain. That is, ports within the meshed domain must be configured for meshing, while ports outside the meshed domain must not be configured for meshing.
■ Meshed links must be point-to-point switch links.
■ On any switch, all meshed ports belong to the same mesh domain.
■ If meshing is configured on the switch, the routing features (IP routing, RIP, and OSPF) must be disabled. That is, the switch’s meshing and routing features cannot be enabled at the same time.
■ The spanning-tree configuration must be the same for all switches in the mesh (enabled or disabled). If spanning tree is enabled in the mesh, it must be the same version on all switches in the mesh: 802.1D, 802.1w, or 802.1s.

Figure 7-3. Example of Multiple Meshed Domains Separated by a Non-Mesh Switch or a Non-Mesh Link (diagram: separate mesh domains joined only through non-mesh ports, a non-mesh switch, or a non-mesh link.)
■ GVRP Note: If GVRP is enabled, meshed ports in a switch become members of any dynamic VLANs created in the switch in the same way that they would if meshing was not configured in the switch. (For more on GVRP, refer to chapter 3, “GVRP”.

Figure 7-4. Example of an Unsupported Topology (diagram: Switches 1, 2 and 3 and the switch mesh domain.) This topology forms a broadcast loop unless you configure STP or RSTP on the network.
• The switch blocks traffic on a meshed port connected to a non-meshed port on another switch.
• Switch meshing does not allow trunked links (LACP or Trunk) between meshed ports.

Scenario 1: In a heterogeneous mesh, creating the mesh with only one 5300xl, 3400cl, or 6400cl switch connected to the host (on VLAN 1, for example), and then connecting a second 5300xl, 3400cl, or 6400cl switch to the host (regardless of the VLAN used) results in connectivity issues with the host.

Figure (diagram; number and caption truncated): a host attached to the mesh over two links, untagged on VLAN 1; both links use the same MAC address.
Configuring Switch Meshing

Preparation
Before configuring switch meshing:
■ Review the Operating Rules (page 7-5), and particularly the restrictions and requirements for using switch meshing in environments that include static trunks, multiple static VLANs, GVRP, IGMP, and STP.
■ To avoid unnecessary system disruption, plan the mesh bring-up to minimize temporary port-blocking. (Refer to “Bringing Up a Switch Mesh Domain:” on page 7-10.

3. In the Group column, move the cursor to the port you want to assign to the switch mesh.
4. Press [M] to choose Mesh for the selected port.
5. Use the up-arrow or down-arrow key to select the next port you want to include in your mesh domain, then press [M] again. For example, if you were adding ports A1 and A2 to your mesh domain, the screen would appear similar to figure 7-9 (ports A1 and A2 configured for meshing).
Figure 7-9.

Figure 7-10. After Saving a Mesh Configuration Change, Reboot the Switch (the asterisk on the screen indicates that you must reboot the switch to cause the Mesh configuration change to take effect).
8. Press [0] to return to the Main menu.
9. To activate the mesh assignment(s) from the Main menu, reboot the switch by pressing the following keys:
a. [6] (for Reboot Switch)
b. Space bar (to select Yes).
c. [Enter] (to start the reboot process).

Viewing Switch Mesh Status
Syntax: show mesh
Lists the switch ports configured for meshing, along with the State of each mesh-configured connection, the MAC address of the switch on the opposite end of the link (Adjacent Switch), and the MAC address of the port on the opposite end of the link (Peer Port).
Reading the Show Mesh Output.

Table 7-1. State Descriptions for Show Mesh Output
State: Established. Meaning: The port is linked to a meshed port on another switch and meshing traffic is flowing across the link. The show mesh listing includes the MAC addresses of the adjacent switch and direct connection port on the adjacent switch.
State: Not Established. Meaning: The port may be linked to a switch on a port that is not configured for meshing or has gone down.

Table 7-2. Port Operating Details for Figure 7-12
Port A1 (Meshing: Yes): Connected to a port that may not be configured for meshing.
Port A2 (Meshing: Yes): Connected to a switch port on a device that is not configured for meshing (another switch, or a hub). In this case, the Topology Error message indicates that the switch detects a meshed port on another, non-adjacent device that is also connected to the non-meshed switch or hub.

CLI: Configuring Switch Meshing
Syntax: [no] mesh [e] < port-list >
Enables or disables meshing operation on the specified ports.
[no] mesh backward-compat
Enables or disables the switch for backward compatible mode. This allows the 3400cl, 6400cl, and 5300xl switches to interoperate with the 8000M/4000M/2424M/2400M/1600M switches in the same switch mesh.
Operating Notes for Switch Meshing
In a switch mesh domain traffic is distributed across the available paths with an effort to keep latency the same from path to path.

Figure 7-16. Example of a Broadcast Path Through a Switch Mesh Domain (diagram: switches A, B, C, D and E form the switch mesh domain; A, B, C, & D are edge switches with workstations attached.) Any mesh switches that are not edge switches will flood the broadcast packets only through ports (paths) that link to separate edge switches in the controlled broadcast tree. The edge switches that receive the broadcast will flood the broadcast out all non-meshed ports.

Spanning Tree Operation with Switch Meshing
Using STP or RSTP with several switches and no switch meshing configured can result in unnecessarily blocking links and reducing available bandwidth. For example:
Problem: STP enabled and creating traffic bottlenecks.
Solution: Enabling meshing on links between switch ports removes STP blocks on meshed redundant links.

Figure 7-18. Connecting a Switch Mesh Domain to Non-Meshed Devices (diagram; the legend marks the non-mesh switch ports.)
Note on the Edge-Port Mode in RSTP and MSTP: When using RSTP or MSTP and interconnecting 3400cl, 6400cl, or 5300xl switches in a mesh with switches that are not in the mesh, all the non-mesh switch ports (as indicated in the figure above) should have the edge-port parameter disabled.

this condition occurs, the meshed switch that has a blocked link will automatically increase the cost on the external (non-meshed) link to the point where STP or RSTP will block the external link and unblock the meshed link. This process typically resolves itself in approximately 30 seconds.
Caution: Spanning tree interprets a switch mesh as a single link.

Static VLANs
In a network having a switch mesh domain and multiple static VLANs configured, all static VLANs must be configured on each meshed switch, even if no ports on the switch are assigned to any VLAN. (The switch mesh is a member of all static VLANs configured on the switches in the mesh.) When static VLANs are configured, the mesh is seen as a single entity by each VLAN.

Dynamic VLANs
If GVRP is enabled, meshed ports in a switch become members of any dynamic VLANs created in the switch in the same way that they would if meshing was not configured in the switch. (For more on GVRP, refer to chapter 3, “GVRP”.)
Jumbo Packets (3400cl and 6400cl Switches Only)
If you enable jumbo traffic on any VLAN in a 3400cl or 6400cl switch, then all meshed ports on the switch will be enabled to support jumbo traffic.

Mesh Design Optimization

every 30 seconds and are flooded to all mesh ports. Return packets include a cost metric based on inbound and outbound queue depth, port speed, number of dropped packets, etc. Also, as mesh complexity grows, the number of hops over which a downed link has to be reported may increase, thereby increasing the reconvergence time.

Other factors affecting the performance of mesh networks include the number of destination addresses that have to be maintained, and the overall traffic levels and patterns. However, a conservative approach when designing new mesh implementations is to use the two-tier design and limit the mesh domain to eight switches where possible.

recognize multiple instances of a particular MAC address on different VLANs.) If you try to add one of these switches to a mesh comprised entirely of Series 3400cl, 6400cl, and/or 5300xl switches, and any of these switches detects a duplicate MAC address entering the mesh through separate switches, the 1600M/2400M/2424M/4000M/8000M switch will not be allowed into the switch mesh.
8 Quality of Service (QoS): Managing Bandwidth More Effectively Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-7 Classifiers for Prioritizing Outbound Packets . . . . . . . . . . . . . . . . . . .
Assigning a Priority Based on IP Address . . . . . . . . . . . . . . . . . . . 8-32 Assigning a DSCP Policy Based on IP Address . . . . . . . . . . . . . . 8-33 QoS IP Type-of-Service (ToS) Policy and Priority . . . . . . . . . . . . . . . 8-37 Assigning an 802.1p Priority to IPv4 Packets on the Basis of the ToS Precedence Bits . . . . . . . . . . . . . . . . . . . . . . . . . 8-38 Assigning an 802.

Introduction
QoS Feature: UDP/TCP Priority. Default: Disabled. Menu: —. CLI: page 8-25. Web: Refer to the Online Help.

Quality of Service is a general term for classifying and prioritizing traffic throughout a network. That is, QoS enables you to establish an end-to-end traffic priority policy to improve control and throughput of important data. You can manage available bandwidth so that the most important traffic goes first.

QoS is implemented in the form of rules or policies that are configured on the switch. While you can use QoS to prioritize only the outbound traffic while it is moving through the switch, you derive the maximum benefit by using QoS in an 802.1Q VLAN environment (with 802.

Terminology
802.1p priority: A traffic priority setting carried by a VLAN-tagged packet moving from one device to another through ports that are tagged members of the VLAN to which the packet belongs. This setting can be from 0 to 7. The switch handles an outbound packet on the basis of its 802.1p priority.
outbound port queue: For any port, a buffer that holds outbound traffic until it can leave the switch through that port. There are four outbound queues for each port in the switch: high, medium, normal, and low. Traffic in a port’s high priority queue leaves the switch before any traffic in the port’s medium priority queue, and so on.

■ Configuring a priority for outbound packets and a service (priority) policy for use by downstream devices:
• DSCP Policy: This feature enables you to set a priority policy in outbound IP packets. (You can configure downstream devices to read and use this policy.) This method is not dependent on VLAN-tagged ports to carry priority policy to downstream devices, and can:
– Change the codepoint (the upper six bits) in the ToS byte.

You can configure a QoS priority of 0 through 7 for an outbound packet. When the packet is then sent to a port, the QoS priority determines which outbound queue the packet uses: Table 8-2.

Classifiers for Prioritizing Outbound Packets
The classifiers used in the 3400cl/6400cl switches are a subset of the classifiers used in the 5300xl and 4200vl switches. Also, the 3400cl/6400cl switches search for classifier matches in the opposite order of that used in the 5300xl and 4200vl switches.

3400cl/6400cl Packet Classifiers and Evaluation Order
The 3400cl/6400cl switches provide six QoS classifiers (packet criteria) you can use to configure QoS priority.
Table 8-5. 3400cl/6400cl Classifier Search Order and Precedence (columns: Search Order, Precedence, QoS Classifier). First row: search order 1, precedence 6 (lowest), Incoming 802.

In general, the precedence of QoS classifiers should be considered when configuring QoS policies. For example, suppose that a system administrator has used an 802.1p priority rule to assign a high priority for packets received on VLAN 100, but has also used another 802.1p priority rule to assign a normal priority for TCP port 80 packets received on the switch.

Precedence 4. Criteria: Layer 3 Protocol Priority. Overview Note: This classifier is available in the 5300xl and 4200vl switches, but not in the 3400cl/6400cl switches. To prioritize traffic in a 3400cl or 6400cl switch according to protocol type, configure the switch to place traffic of the desired protocol type in a specific VLAN, and then apply the VLAN classifier.
Preparation for Configuring QoS
QoS operates in VLAN-tagged and VLAN-untagged environments. If your network does not use multiple VLANs, you can still implement the 802.1Q VLAN capability for packets to carry their 802.1p priority to the next downstream device. To do so, configure ports as VLAN-tagged members on the links between switches and routers in your network infrastructure. Table 8-7.

h. Incoming 802.1p Priority (requires at least one tagged VLAN on the network)
For more on how QoS operates with the preceding traffic types, see ‘‘Precedence Criteria for QoS Classifiers’’, on page 8-12.)
Select the QoS option you want to use. Table 8-8 lists the traffic types (QoS classifiers) and the QoS options you can use for prioritizing or setting a policy on these traffic types: Table 8-8.

3. Determine the actual QoS configuration changes you will need to make on each QoS-capable device in your network in order to implement the desired policy.
Note: If you want downstream devices to read and use DSCPs in IP packets from the switch, configure them to do so by enabling ToS Differentiated Service mode and making sure the same DSCP policies are configured.
4.

then you should plan and configure your QoS resource usage first for that switch. If insufficient resources remain for all of the ACL implementation you want, try spreading this implementation across multiple switches.

QoS Resource Usage and Monitoring on 3400cl/6400cl Switches
QoS, ACLs, multicast protocols, and Rate-Limiting configurations on the 3400cl/6400cl switches use rule resources on a per-port basis.

The following two CLI commands are unique to the 3400cl/6400cl switches and are useful for planning and monitoring rule usage in a QoS configuration.
Syntax: qos resources help
Provides a quick reference on how QoS and ACLs use rule resources for each configuration option. Includes most of the information in table 8-10, plus an ACL usage summary.

Configuring a Policy When There Are Not Enough Rules Available On a Target Port. Attempting to configure a QoS policy on the switch, on a VLAN, or on selected ports when there are not enough rules available on one or more ports that are subject to the command results in the following:
■ The policy is not configured on any ports subject to the command.

At a minimum, the policies configured on port 5 must be reduced to free up enough rule resources to add a new QoS policy. Depending on the QoS policy you want to add, existing policies on ports 3 and 4 may have to be reduced. Port 3 has enough rules available to accept any policy that uses 1 or 2 rules. Port 4 can accept only a policy that uses one rule.

All ports are configured for five QoS device priorities. VLANs 111 and 222 are configured for QoS priority. Ports 1 and 2 use 12 rules: 10 for implementing the 5 device priority QoS instances and one each for implementing the 2 VLAN QoS instances (111 and 222). Ports 3 and 4 use 11 rules: 10 for implementing the 5 device priority QoS instances and 1 for implementing the single VLAN QoS instance (VLAN 222).

Demonstrating How the Switch Uses Resources in DSCP Configurations. In the default configuration, the DSCP map is configured with one DSCP policy (Expedited Forwarding; 101110 with a “7” priority) but, because no ToS Diff-Services options are configured, no rules are used. If ToS Diff-Services mode is enabled, then one rule is immediately used for this codepoint.
Using QoS Classifiers To Configure Quality of Service for Outbound Traffic
QoS Feature          Default    Menu   CLI         Web
UDP/TCP Priority     Disabled   —      page 8-25   Refer to Online Help.
IP-Device Priority   Disabled
type-of-service
Displays the current type-of-service priority configuration. The display output differs according to the ToS option used: ■ IP Precedence: Refer to figure 8-16 on page 8-38. ■ Diffserve: Refer to figure 8-18 on page 8-42.
protocol-priority
Available on the 5300xl and 4200vl switches. Displays the current protocol priority configuration.
Note
As mentioned in table 8-6, the 3400cl/6400cl switches do not include the layer 3 protocol classifier. However, you can still apply a QoS priority to non-IP Layer 3 protocol traffic by grouping such traffic into separate VLANs, as desired, and then assigning a priority based on VLAN membership.
Assigning an 802.1p Priority Based on TCP or UDP Port Number
This option assigns an 802.1p priority to (IPv4) TCP or UDP packets as described below.
Syntax: qos < udp-port | tcp-port > < tcp or udp port number > priority < 0 - 7 >
Configures an 802.1p priority for outbound packets having the specified TCP or UDP application port number.
Values in these two columns define the QoS classifiers to use for identifying packets to prioritize. Indicates 802.1p priority assignments are in use for packets with 23 or 80 as a TCP or UDP application port number. Shows the 802.1p priority assignment for packets with the indicated QoS classifiers. Figure 8-8. Example of Configuring and Listing 802.
3. Assigns the 802.1p priority configured in the switch for the new DSCP. (Refer to “Differentiated Services Codepoint (DSCP) Mapping” on page 8-64.) 4. Forwards the packet through the appropriate outbound port queue.
3400cl/6400cl Switch Restriction. On the 3400cl/6400cl switches, “mixing” ToS DSCP policies and 802.1p priorities is not recommended.
Syntax: qos dscp-map < codepoint > priority < 0 - 7 >
This command is optional if a priority has already been assigned to the < codepoint >. The command creates a DSCP policy by assigning an 802.1p priority to a specific DSCP. When the switch applies this policy to a packet, the priority determines the packet’s queue in the outbound port to which it is sent.
For example, suppose you wanted to assign these DSCP policies to the packets identified by the indicated UDP and TCP port applications: Port Applications DSCP Policies DSCP 1.
3. Assign the DSCP policies to the selected UDP/TCP port applications and display the result. Classifier DSCP Policy Figure 8-11. The Completed DSCP Policy Configuration for the Specified UDP/TCP Port Applications. The switch will now apply the DSCP policies in figure 8-11 to IPv4 packets received in the switch with the specified UDP/TCP port applications.
Note
The switch does not allow a QoS IP-device priority for the Management VLAN IP address, if configured. If there is no Management VLAN configured, then the switch does not allow configuring a QoS IP-device priority for the Default VLAN IP address. IP address QoS does not support layer-2 SAP encapsulation.
For example, configure and list the 802.1p priority for packets carrying the following IP addresses:
IP Address      802.1p Priority
10.28.31.1      7
10.28.31.130    5
10.28.31.100    1
10.28.31.101    1
Figure 8-12. Example of Configuring and Listing 802.
3400cl/6400cl Switch Restriction. On the 3400cl/6400cl switches, “mixing” ToS DSCP policies and 802.1p priorities is not recommended. Refer to the Note on page 8-11. For more on DSCP, refer to “Terminology” on page 8-6.
Steps for Creating a Policy Based on IP Address.
Syntax: qos device-priority < ip-address > dscp < codepoint >
Assigns a DSCP policy to packets carrying the specified IP address, and overwrites the DSCP in these packets with the assigned < codepoint > value. This policy includes an 802.1p priority and determines the packet’s queue in the outbound port to which it is sent.
2. Configure the priorities for the DSCPs you want to use. DSCP Policies Configured in this step. Figure 8-14. Assigning 802.1p Priorities to the Selected DSCPs 3. Assign the DSCP policies to the selected device IP addresses and display the result. Figure 8-15.
QoS IP Type-of-Service (ToS) Policy and Priority
QoS Classifier Precedence: 3
This feature applies only to IPv4 traffic and performs either of the following: ■ ToS IP-Precedence Mode: All IP packets generated by upstream devices and applications include precedence bits in the ToS byte.
Assigning an 802.1p Priority to IPv4 Packets on the Basis of the ToS Precedence Bits
If a device or application upstream of the switch sets the precedence bits in the ToS byte of IPv4 packets, you can use this feature to apply that setting for prioritizing packets for outbound port queues. If the outbound packets are in a tagged VLAN, this priority is carried as an 802.
ProCurve(config)# no qos type-of-service
Assigning an 802.1p Priority to IPv4 Packets on the Basis of Incoming DSCP
One of the best uses for this option is on an interior switch where you want to honor (continue) a policy set on an edge switch. That is, it enables you to select incoming packets having a specific DSCP and forward these packets with the desired 802.
When enabled, the switch applies direct 802.1p prioritization to all packets having codepoints that meet these criteria: ■ The codepoint is configured with an 802.1p priority in the DSCP table. (Codepoints configured with No-override are not used.) ■ The codepoint is not configured for a new DSCP policy assignment.
no qos dscp-map < codepoint >
Disables direct 802.1p priority assignment to packets carrying the < codepoint > by reconfiguring the codepoint priority assignment in the DSCP table to No-override.
configure an 802.1p priority of 7 for packets received with a DSCP of 000110, and then enable diff-services: Executing this command displays the current ToS configuration and shows that the selected DSCP is not currently in use. The 000110 codepoint is unused, and thus available for directly assigning an 802.1p priority without changing the packet’s DSCP.
Assigning a DSCP Policy on the Basis of the DSCP in IPv4 Packets Received from Upstream Devices
The preceding section describes how to forward a policy set by an edge (or upstream) switch. This option changes a DSCP policy in an IPv4 packet by changing its IP ToS codepoint and applying the priority associated with the new codepoint.
Syntax: qos type-of-service diff-services < current-codepoint > dscp < new-codepoint >
Configures the switch to select an incoming IP packet carrying the < current-codepoint > and then use the < new-codepoint > to assign a new, previously configured DSCP policy to the packet. The policy overwrites the < current-codepoint > with the < new-codepoint > and assigns the 802.
The DSCPs for this example have not yet been assigned an 802.1p priority level. Figure 8-20. Display the Current DSCP-Map Configuration 2. Configure the policies in the DSCP table: Figure 8-21.
3. Assign the policies to the codepoints in the selected packet types. The specified DSCP policies overwrite the original DSCPs on the selected packets, and use the 802.1p priorities previously configured in the DSCP policies in step 2. Figure 8-22.
Details of QoS IP Type-of-Service
IP packets include a Type of Service (ToS) byte. The ToS byte includes: ■ A Differentiated Services Codepoint (DSCP): This element is comprised of the upper six bits of the ToS byte. There are 64 possible codepoints. • In the 5300xl and 4200vl switches, the default qos configuration includes some codepoints with 802.
Figure 8-23 shows an example of the ToS byte in the header for an IPv4 packet, and illustrates the diffserv bits and precedence bits in the ToS byte. (Note that the Precedence bits are a subset of the Differentiated Services bits.) Field: Destination MAC Address Source MAC Address 802.
Outbound Port: IP Packet Sent Out an Untagged Port in a VLAN
ToS Option, IP Precedence (Value = 0 - 7): Same as above, plus the IP Precedence value (0 - 7) will be used to set a corresponding 802.1p priority in the VLAN tag carried by the packet to the next downstream device. Refer to table 8-13, below.
ToS Option, Differentiated Services: (entry not recovered from this page)
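As an added illustration (not ProCurve code or CLI output) of the ToS byte layout just described and of the Diff-Services behaviour under “Assigning an 802.1p Priority to IPv4 Packets on the Basis of Incoming DSCP”, the following Python models how a ToS byte yields the DSCP and precedence bits and how the DSCP map, its No-override entries and a remarking policy produce an outbound 802.1p priority. The function names, the classify() model and the sample packet are assumptions of this example; the default map (Expedited Forwarding 101110 at priority 7) is the one the chapter describes.

```python
"""Added example (not ProCurve code): IPv4 ToS byte -> DSCP / precedence, and a
model of the switch's ToS classifier modes.  Names and sample data are
assumptions of this example; the default DSCP map is the one the page gives."""
import struct
from typing import Dict, Optional, Tuple

NO_OVERRIDE = None   # DSCP-map entry with no 802.1p priority configured

# Default DSCP map as described on the page: one Expedited Forwarding policy
# (codepoint 101110, priority 7); every other codepoint is No-override.
DEFAULT_DSCP_MAP: Dict[int, Optional[int]] = {cp: NO_OVERRIDE for cp in range(64)}
DEFAULT_DSCP_MAP[0b101110] = 7


def tos_fields(tos: int) -> Tuple[int, int]:
    """Return (dscp, precedence) for one ToS byte: DSCP is the upper six bits,
    IP Precedence the upper three, so precedence is a subset of the DSCP bits."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS byte out of range")
    return tos >> 2, tos >> 5


def tos_from_ipv4(packet: bytes) -> int:
    """Read the ToS byte (second octet) of an IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return packet[1]


def add_remark_policy(remark: Dict[int, int], current: int, new: int,
                      dscp_map: Dict[int, Optional[int]]) -> None:
    """Model of 'qos type-of-service diff-services <current> dscp <new>'.
    The new codepoint must already have a priority, otherwise the CLI
    reports 'DSCP Policy <codepoint> not configured'."""
    if dscp_map.get(new, NO_OVERRIDE) is NO_OVERRIDE:
        raise ValueError(f"DSCP Policy {new} not configured")
    remark[current] = new


def classify(tos: int, mode: str,
             dscp_map: Dict[int, Optional[int]] = DEFAULT_DSCP_MAP,
             remark: Optional[Dict[int, int]] = None) -> Tuple[int, Optional[int]]:
    """Return (outbound_dscp, priority) for one packet.  priority is None when
    the ToS classifier assigns nothing (No-override), leaving the packet to
    the other classifiers or the default.  mode: 'disabled', 'ip-precedence'
    or 'diff-services'."""
    dscp, precedence = tos_fields(tos)
    if mode == "disabled":
        return dscp, None
    if mode == "ip-precedence":
        return dscp, precedence        # precedence bits used as 802.1p priority
    if mode == "diff-services":
        remark = remark or {}
        if dscp in remark:             # remark policy: rewrite the codepoint and
            new = remark[dscp]         # apply the priority configured for it
            return new, dscp_map[new]
        return dscp, dscp_map.get(dscp, NO_OVERRIDE)   # direct 802.1p, DSCP kept
    raise ValueError(f"unknown ToS mode {mode!r}")


def sample_ipv4(tos: int) -> bytes:
    """Constructed minimal IPv4 header (checksum left 0) carrying the given ToS."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0,
                       bytes([10, 28, 31, 1]), bytes([10, 28, 31, 130]))


if __name__ == "__main__":
    pkt = sample_ipv4(0xB8)                      # DSCP 101110 (EF), precedence 5
    tos = tos_from_ipv4(pkt)
    print("ToS 0x%02x -> dscp %d, precedence %d" % ((tos,) + tos_fields(tos)))
    print("ip-precedence:", classify(tos, "ip-precedence"))
    print("diff-services:", classify(tos, "diff-services"))
    # Codepoint 000110 is No-override by default; a remark policy to EF
    # rewrites it and applies EF's priority of 7.
    policy: Dict[int, int] = {}
    add_remark_policy(policy, 0b000110, 0b101110, DEFAULT_DSCP_MAP)
    print("remarked 000110:", classify(0x18, "diff-services", DEFAULT_DSCP_MAP, policy))
```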
QoS Layer-3 Protocol Priority (5300xl and 4200vl Switches Only)
(This feature is available only on the Series 5300xl and 4200vl switches.)
QoS Classifier Precedence: 4
The QoS protocol option enables you to use these protocols as QoS classifiers: ■ IP ■ ARP ■ Appletalk ■ IPX ■ DEC_LAT ■ SNA ■ Netbeui
Options for Assigning Priority.
For example: 1. Configure QoS protocol classifiers with IP at 0 (normal), ARP at 5 (medium), and AppleTalk at 7 (high) and display the QoS protocol configuration. 2. Disable the QoS IP protocol classifier, downgrade the ARP priority to 4, and again display the QoS protocol configuration. Figure 8-24 shows the command sequence and displays for the above steps.
QoS VLAN-ID (VID) Priority
QoS Classifier Precedence: 5
The QoS protocol option enables you to use the VLAN-ID quantities listed below as QoS classifiers.
Syntax: vlan < vid > qos priority < 0 - 7 >
Configures an 802.1p priority for outbound packets belonging to the specified VLAN. This priority determines the packet’s queue in the outbound port to which it is sent. If the packet leaves the switch on a tagged port, it carries the 802.1p priority with it to the next downstream device.
2. You would then execute the following commands to prioritize the VLANs by VID: Figure 8-26. Configuring and Displaying QoS Priorities on VLANs. If you then decided to remove VLAN_20 from QoS prioritization: In this instance, No-override indicates that VLAN 20 is not prioritized by QoS. Figure 8-27.
3400cl/6400cl Switch Restriction. On the 3400cl and 6400cl switches, “mixing” ToS DSCP policies and 802.1p priorities is not recommended. Refer to the Note on page 8-11. For more on DSCP, refer to “Terminology” on page 8-6.
Steps for Creating a Policy Based on VLAN-ID Classifier. 1. Determine the VLAN-ID classifier to which you want to assign a DSCP policy. 2.
Syntax: vlan < vid > qos dscp < codepoint >
Assigns a DSCP policy to packets carrying the specified VLAN-ID, and overwrites the DSCP in these packets with the assigned < codepoint > value. This policy includes an 802.1p priority and determines the packet’s queue in the outbound port to which it is sent. If the packet leaves the switch on a tagged port, it carries the 802.
2. Configure the priorities for the DSCPs you want to use. Priorities Configured in this step. Figure 8-29. Assign Priorities to the Selected DSCPs 3. Assign the DSCP policies to the selected VIDs and display the result. Figure 8-30.
QoS Source-Port Priority
QoS Classifier Precedence: 6
The QoS source-port option enables you to use a packet’s source-port on the switch as a QoS classifier.
Syntax: no interface < port-list > qos
Disables use of the specified source-port(s) for QoS classifier(s) and resets the priority for the specified source-port(s) to No-override.
Syntax: show qos port-priority
Lists the QoS port-priority classifiers with their priority data.
If you then decided to remove port A1 from QoS prioritization: In this instance, No-override indicates that port A1 is not prioritized by QoS. Figure 8-32. Returning a QoS-Prioritized VLAN to “No-override” Status
Assigning a DSCP Policy Based on the Source-Port
This option assigns a previously configured DSCP policy (codepoint and 802.
2. Determine the DSCP policy for packets having the selected source-port: a. Determine the DSCP you want to assign to the selected packets. (This codepoint will be used to overwrite the DSCP carried in packets received through the source-port from upstream devices.) b. Determine the 802.1p priority you want to assign to the DSCP.
Syntax: no interface [e] < port-list > qos
Removes QoS classifier for the specified source-port(s).
Syntax: show qos source-port
Displays a listing of all source-port QoS classifiers currently in the running-config file. For example, suppose you wanted to assign this set of priorities: Source-Port 1.
2. Configure the priorities for the DSCPs you want to use. Priorities Configured in this step. Figure 8-34. Assign Priorities to the Selected DSCPs 3. Assign the DSCP policies to the selected source-ports and display the result. Figure 8-35.
Radius Override Field. During a client session authenticated by a RADIUS server, the server can impose a port priority that applies only to that client session. Refer to the RADIUS chapter in the Access Security Guide for your switch (January 2005 or later).
Differentiated Services Codepoint (DSCP) Mapping
The DSCP Policy Table associates an 802.
Table 8-14. The Default DSCP Policy Table DSCP Policy 802.1p Priority DSCP Policy 802.
Quickly Listing Non-Default Codepoint Settings
Table 8-14 lists the switch’s default codepoint/priority settings. If you change the priority of any codepoint setting to a non-default value and then execute write memory, the switch will list the non-default setting in the show config display.
affect the packet queuing priority or VLAN tagging. In this case, the packets are handled as follows (as long as no other QoS feature creates priority assignments for them): 802.1Q Status Outbound 802.1p Priority Received and Forwarded on a tagged port member of a VLAN.
Example of Changing the Priority Setting on a Policy When One or More Classifiers Are Currently Using the Policy
Suppose that codepoint 000001 is in use by one or more classifiers. If you try to change its priority, you see a result similar to the following: Figure 8-37.
Three classifiers use the codepoint that is to be changed. Two classifiers do not use the codepoint that is to be changed. Figure 8-38.
2. Change the classifier configurations by assigning them to a different DSCP policy, or to an 802.1p priority, or to No-override. For example: a. Delete the policy assignment for the device-priority classifier. (That is, assign it to No-override.) b. Create a new DSCP policy to use for re-assigning the remaining classifiers. c.
IP Multicast (IGMP) Interaction with QoS
IGMP high-priority-forward causes the switch to service the subscribed IP multicast group traffic at high priority, even if QoS on the switch has relegated the traffic to a lower priority. This does not affect any QoS priority settings, so the QoS priority is honored by downstream devices. However, QoS does take precedence over IGMP normal-priority traffic.
QoS Messages in the CLI
Message: DSCP Policy < decimal-codepoint > not configured
Meaning: You have attempted to map a QoS classifier to a codepoint for which there is no configured priority (No-override). Use the qos dscp-map command to configure a priority for the codepoint, then map the classifier to the codepoint.
QoS Operating Notes and Restrictions
Table 8-15. Details of Packet Criteria and Restrictions for QoS Support. Packet Criteria or Restriction: Restricted to IPv4 Packets Only; Allow Packets with IP Options1; Support IPv6 Packets2. QoS Classifiers: UDP/TCP; Device Priority (IP Address); IP Type-of-Service; Layer 3 Protocol; VLAN; Source Port; Incoming 802. (Cell values as extracted: UDP/TCP Yes Yes; 3400cl and 6400cl: No; Yes No; VLAN No; Source Port No.)
VLAN should receive untagged traffic. For more on VLANs, refer to chapter 2, “Static Virtual LANs (VLANs)”. ■ 3400cl and 6400cl Switches Only—SAP-Encapsulated Packet Restriction: Except for source-port QoS and VLAN QoS, the 3400cl/6400cl switches do not support QoS (or ACL) operation for SAP-Encapsulated packets.
■ 5300xl and 4200vl Switches—Non-Supported IP Packets: The DSCP policy codepoint-remarking operation is not supported in any QoS classifier for packets carrying IP options in the packet header. ■ All Switches—Not Supported: Use of an inbound 802.1p packet priority as a classifier for remapping a packet’s outbound priority to a different 802.1p priority. For example, where inbound packets carry an 802.
9 Access Control Lists (ACLs) for the Series 5300xl Switches
Contents
Introduction 9-3
Terminology 9-5
Overview 9-8
Types of IP ACLs
Extended ACL Configuration Structure 9-28
ACL Configuration Factors 9-29
The Sequence of Entries in an ACL Is Significant 9-29
In Any ACL, There Will Always Be a Match 9-31
A Configured ACL Has No Effect Until You Apply It to an Interface
Introduction
This chapter applies only to the Series 5300xl Switches. For ACL operation on Series 3400cl and Series 6400cl switches, refer to chapter 10, “Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches”.
For ACL filtering to take effect, configure an ACL and then assign it to either the inbound or outbound traffic on a statically configured VLAN on the switch. (Except for ACEs that screen traffic to an IP address on the switch itself, ACLs assigned to VLANs can operate only while IP routing is enabled. Refer to “Notes on IP Routing” on page 9-11.) Table 9-1.
Action: Deleting an ACL from the Switch. Command: ProCurve(config)# no ip access-list < standard | extended > < name-str | 1-99 | 100-199 > < in | out >. Page: 9-47.
Action: Displaying ACL Data. Commands: ProCurve(config)# show access-list; ProCurve(config)# show access-list config; ProCurve(config)# show access-list vlan < vid >; ProCurve(config)# show config; ProCurve(config)# show running. Page: 9-48.
Terminology
Access Control Entry (ACE): An ACE is a polic
ACL Mask: Follows any IP address (source or destination) listed in an ACE. Defines which bits in a packet’s corresponding IP addressing must exactly match the IP addressing in the ACE, and which bits need not match (wildcards). See also “How an ACE Uses a Mask To Screen Packets for Matches” on page 9-20.
– The packet’s DA is for an IP address configured on the switch itself. (This increases your options for protecting the switch from unauthorized management access.) Because ACLs are assigned to VLANs, an ACL that filters inbound traffic on a particular VLAN examines packets meeting the above criteria that have entered the switch through any port on that VLAN.
Overview
Types of IP ACLs
Standard ACL: Use a standard ACL when you need to permit or deny traffic based on source IP address only. Standard ACLs are also useful when you need to quickly control a performance problem by limiting traffic from a subnet, group of devices, or a single device. (This can block all IP traffic from the configured source, but does not hamper traffic from other sources within the network.
The switch can apply ACL filtering to traffic entering or leaving the switch on VLANs configured to apply ACL filters. (When you assign an ACL to a VLAN, you must specify whether the ACL will filter inbound or outbound traffic.) For example, in figure 9-1: ■ You would assign either an inbound ACL on VLAN “A” or an outbound ACL on VLAN “B” to filter a packet routed between subnets; that is, from the workstation 18.28.10.
Features Common to All per-VLAN ACLs ■ On any VLAN you can apply one ACL to inbound traffic and one ACL to outbound traffic. You can use the same ACL or different ACLs for the inbound and outbound traffic. ■ Any ACL can have multiple entries (ACEs). ■ You can apply any one ACL to multiple VLANs. ■ A source or destination IP address and a mask, together, can define a single host, a range of hosts, or all hosts.
4. Design the ACLs for the control points you have selected. Where you are using explicit “deny” ACEs, you can optionally use the ACL logging feature to help verify that the switch is denying unwanted packets where intended. Remember that excessive ACL logging activity can degrade the switch’s performance. (Refer to “Enable ACL “Deny” Logging” on page 9-59.) 5. Create the ACLs in the selected switches. 6.
ACL Operation
Introduction
An ACL is a list of one or more Access Control Entries (ACEs), where each ACE consists of matching criteria and an action (permit or deny). An ACL applies only to the switch in which it is configured. ACLs operate on assigned static VLANs, and filter these traffic types: ■ Routed traffic entering or leaving the switch on a VLAN.
Access Control Lists (ACLs) for the Series 5300xl Switches ACL Operation The Packet-Filtering Process Sequential Comparison and Action. When the switch uses an ACL to fil ter a packet, it sequentially compares each ACE’s filtering criteria to the corresponding data in the packet until it finds a match. For a packet with a source IP address of 18.28.156.3, the switch: 1. Compares the packet to this ACE first. 2.
Access Control Lists (ACLs) for the Series 5300xl Switches ACL Operation Note on Implicit Deny For ACLs configured to filter inbound packets on a VLAN, remember that Implicit Deny filters routed packets and any bridged packets with a DA specifying the switch itself. This operation helps to prevent management access from unauthorized IP sources. 1. If a match is not found with the first ACE in an ACL, the switch proceeds to the next ACE and so on. Test a packet against criteria in first ACE.
Access Control Lists (ACLs) for the Series 5300xl Switches ACL Operation Note The order in which an ACE occurs in an ACL is significant. For example, if an ACL contains six ACEs, but the first ACE is a “permit IP any”, then the ACL permits all IP traffic, and the remaining ACEs in the list do not apply, even if they specify criteria that would make a match with any of the traffic permitted by the first ACE.
Planning an ACL Application

It is important to remember that this ACL (and all ACLs) includes an implicit “deny IP any”. That is, routed IP packets (and switched packets having the switch as the destination IP address) that the ACL does not explicitly permit or deny will be implicitly denied, and therefore dropped instead of forwarded on the VLAN.

■ What traffic can you implicitly block by taking advantage of the implicit deny IP any to deny traffic that you have not explicitly permitted? This can reduce the number of entries needed in an ACL.
■ What traffic should you permit? In some cases you will need to explicitly identify permitted traffic. In other cases, depending on your policies, you can insert a permit any entry at the end of an ACL.

Guidelines for Planning the Structure of an ACL

The first step in planning a specific ACL is to determine where you will apply it. (Refer to “ACL Inbound and Outbound Application Points” on page 9-8.) You must then determine the order in which you want the individual ACEs in the ACL to filter traffic.
■ The first match dictates the action on a packet. Subsequent matches are ignored.

permit any packets that you have not expressly denied, you must enter a permit any or permit ip any any as the last ACE in an ACL. Because, for a given packet, the switch sequentially applies the ACEs in an ACL until it finds a match, any packet that reaches the permit any or permit ip any any entry will be permitted, and will not encounter the “deny ip any” ACE that the switch automatically includes at the end of the ACL.
How an ACE Uses a Mask To Screen Packets for Matches

When the switch applies an ACL to inbound or outbound traffic in a VLAN, each ACE in the ACL uses an IP address and ACL mask to enforce a selection policy on the packets being screened. That is, the mask determines the range of IP addresses (SA only or SA/DA) that constitute a match between the policy and a packet being screened.

Rules for Defining a Match Between a Packet and an Access Control Entry (ACE)
■ For a given ACE, when the switch compares an IP address and corresponding mask in the ACE to an IP address carried in a packet:
  • A mask-bit setting of 0 (“off”) requires that the corresponding bit in the packet’s IP address and in the ACE’s IP address must be the same.

■ Every IP address and mask pair (source or destination) used in an ACE creates one of the following policies:
  • Any IP address fits the matching criteria. In this case, the switch automatically enters the IP address and mask in the ACE. For example: access-list 1 deny any produces this policy in an ACL listing:
      IP Address   Mask
      0.0.0.0      255.255.255.

Example of How the Mask Bit Settings Define a Match. Assume an ACE where the second octet of the mask for an SA is 7 (the rightmost three bits are “on”, or “1”) and the second octet of the corresponding SA in the ACE is 31 (the rightmost five bits are “on”). In this case, a match occurs when the second octet of the SA in a packet being filtered has a value in the range of 24 to 31. Refer to table 9-1, below.

Table 9-1.

Examples Allowing Multiple IP Addresses. Table 9-2 provides examples of how to apply masks to meet various filtering requirements.

Table 9-2. Example of Using an IP Address and Mask in an Access Control Entry

  IP Address in the ACE   Mask        Policy for a Match Between a Packet and the ACE   Allowed IP Addresses
  A: 18.38.252.195        0.0.0.255   Exact match in first three octets only.
  B: 18.38.252.195        0.0.7.
Configuring and Assigning an ACL

CIDR Notation. For information on using CIDR notation to specify ACL masks, refer to “Using CIDR Notation To Enter the ACL Mask” on page 9-32.

Types of ACLs
■ Standard ACL: Uses only a packet's source IP address as a criterion for permitting or denying the packet. For a standard ACL ID, use either a unique numeric string in the range of 1-99 or a unique name string of up to 64 alphanumeric characters.

always functions when the switch uses an ACL to filter packets. (You cannot delete the implicit “deny any”, but you can supersede it with a “permit any” statement.)

Standard ACL Structure
Individual ACEs in a standard ACL include only a permit/deny “type” statement, the source IP addressing, and an optional log command (available with “deny” statements).

Extended ACL Configuration Structure
Individual ACEs in an extended ACL include:
■ A permit/deny “type” statement
■ Source IP addressing
■ Optional TCP or UDP port type with optional source port ID and operator and/or optional destination port ID and operator
■ Destination IP addressing
■ Optional ACL log command

ip access-list < type > “< id-string >” < permit | deny > ip < source-ip-address > < source-acl

For example, figure 9-9 shows how to interpret the entries in an extended ACL. (Figure 9-9 callouts: ACL list heading with list type and ID string (name or number); protocol types; ACE action (permit or deny); source IP addresses and masks; a destination of 0.0.0.0 255.255.255.255 specifies all destination IP addresses; end-of-list marker. The upper entry denies certain UDP packets from a single host; another entry denies TCP port 80 traffic to any destination from any source.)

ip access-list extended "101"
           Source                     Destination
deny   ip  18.28.235.10 0.0.0.0        0.0.0.0 255.255.255.255
deny   ip  18.28.245.89 0.0.0.0        0.0.0.0 255.255.255.255
permit tcp 18.28.18.100 0.0.0.0        18.28.237.1 0.0.0.0
deny   tcp 18.28.18.100 0.0.0.0        0.0.0.0 255.255.255.255
permit ip  0.0.0.0 255.255.255.255     0.0.0.0 255.255.255.

In Any ACL, There Will Always Be a Match
As indicated in figure 9-10, the switch automatically uses an implicit “deny IP any” (Standard ACL) or “deny IP any any” (Extended ACL) as the last ACE in any ACL.
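As an added illustration (not from the manual), the following Python model applies the mask rule and the sequential first-match process described above, with the implicit deny at the end, to the extended ACL 101 listed in figure 9-9 and to constructed standard ACLs; the class and function names (Ace, Packet, mask_matches, evaluate) are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical names (not ProCurve CLI objects): Ace, Packet, mask_matches, evaluate.
ANY_ADDR, ANY_MASK = "0.0.0.0", "255.255.255.255"   # how the switch lists "any"


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def mask_matches(ace_addr: str, ace_mask: str, pkt_addr: str) -> bool:
    """ACL mask rule: a mask bit of 0 ("off") requires the packet bit to equal the
    ACE address bit; a mask bit of 1 ("on") means the packet bit is not checked."""
    significant = ~_ip(ace_mask) & 0xFFFFFFFF          # bits that must match
    return (_ip(ace_addr) ^ _ip(pkt_addr)) & significant == 0


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str = "ip"                # "ip" matches TCP, UDP and any other IP packet
    src: str = ANY_ADDR
    src_mask: str = ANY_MASK
    dst: str = ANY_ADDR              # standard ACLs leave the destination as "any"
    dst_mask: str = ANY_MASK
    dst_port: Optional[int] = None   # only "eq" on the destination port is modelled
    log: bool = False                # log is available on deny ACEs only


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"                # "tcp", "udp", or "ip" for anything else
    dst_port: Optional[int] = None


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dst_port is not None and pkt.dst_port != ace.dst_port:
        return False
    return (mask_matches(ace.src, ace.src_mask, pkt.src)
            and mask_matches(ace.dst, ace.dst_mask, pkt.dst))


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int], bool]:
    """Sequential comparison: the first matching ACE decides; later ACEs are ignored.
    Returns (action, 1-based index of the matching ACE or None for the implicit
    deny, whether a deny-log message would be generated)."""
    if not acl:
        # An "empty" named ACL performs no filtering; the implicit deny does not
        # apply until the ACL holds at least one explicit ACE.
        return "permit", None, False
    for index, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            return ace.action, index, ace.action == "deny" and ace.log
    return "deny", None, False       # implicit "deny ip any any" (never logged)


# Extended ACL 101 as listed in figure 9-9 (destination 0.0.0.0 255.255.255.255 = any).
ACL_101 = [
    Ace("deny", "ip", "18.28.235.10", "0.0.0.0"),
    Ace("deny", "ip", "18.28.245.89", "0.0.0.0"),
    Ace("permit", "tcp", "18.28.18.100", "0.0.0.0", "18.28.237.1", "0.0.0.0"),
    Ace("deny", "tcp", "18.28.18.100", "0.0.0.0"),
    Ace("permit", "ip"),                         # permit ip any any
]

# Constructed standard ACL: two permitted hosts, everything else hits the implicit deny.
ACL_50 = [Ace("permit", src="18.28.10.1", src_mask="0.0.0.0"),
          Ace("permit", src="18.28.10.2", src_mask="0.0.0.0")]

# Constructed ACL with the ordering mistake from the Note above: "permit ip any"
# first makes the deny that follows unreachable.
ACL_BAD_ORDER = [Ace("permit", "ip"),
                 Ace("deny", "ip", "18.28.235.10", "0.0.0.0", log=True)]


if __name__ == "__main__":
    # Table 9-1: mask octet 7 with ACE octet 31 matches second octets 24..31 only.
    print([o for o in range(256)
           if mask_matches("0.31.0.0", "255.7.255.255", f"0.{o}.0.0")])
    print(evaluate(ACL_101, Packet("18.28.18.100", "18.28.237.1", "tcp", 23)))
    print(evaluate(ACL_50, Packet("18.28.10.9", "18.28.237.1")))
```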
You can use either the switch CLI or an offline text editor to create an ACL. This section describes the CLI method, which is recommended for creating short ACLs. (To use the offline method, refer to “Editing ACLs and Creating an ACL Offline” on page 9-53.

Configuring and Assigning a Numbered, Standard ACL

This section describes how to configure numbered, standard ACLs.
■ To configure named ACLs, refer to “Configuring a Named ACL” on page 9-44.
■ To configure extended, numbered ACLs, refer to “Configuring and Assigning a Numbered, Extended ACL” on page 9-38.
A standard ACL uses only source IP addresses in its ACEs.

Syntax: [no] access-list
Creates an ACE in the specified (1-99) access list and indicates the action (deny or permit) to take on a packet if there is a match between the packet and the criterion in the entry. If the ACL does not already exist, this command creates the specified ACL and its first ACE. To create a named ACL, refer to “Configuring a Named ACL” on page 9-44.
< 1-99 > Specifies the ACL ID number.

The mask is applied to the IP address in the ACL to define which bits in a packet’s source IP address must exactly match the IP address configured in the ACL and which bits need not match. Note that specifying a group of contiguous IP addresses may require more than one ACE. For more on how masks operate in ACLs, refer to “How an ACE Uses a Mask To Screen Packets for Matches” on page 9-20.

• Permits IP traffic from the indicated IP address. Since, for this example, ACL 50 is a new list, this command also creates the ACL.
• Permits IP traffic from the indicated IP address.
• The deny any that the switch implicitly includes in all standard ACLs denies IP packets from IP sources not included in the above three commands.
show config lists any ACLs and ACL assignments configured in the startup config.

• Denies IP traffic from the indicated IP address. Since, for this example, ACL 60 is a new list, this command also creates the ACL.
• Denies IP traffic from the indicated IP address.
• Permits IP traffic from all sources. (Traffic from the IP sources in the first two lines is already filtered and dropped.) The deny any with which the switch implicitly concludes all ACLs is preempted by this line.
Configuring and Assigning a Numbered, Extended ACL

This section describes how to configure numbered, extended ACLs.
■ To configure named ACLs, refer to “Configuring a Named ACL” on page 9-44.
■ To configure standard, numbered ACLs, refer to “Configuring and Assigning a Numbered, Standard ACL” on page 9-33.

Syntax: [no] access-list
Creates an ACE in the specified (100-199) access list and:
• Indicates the action (deny or permit) to take on a packet if there is a match between the packet and the criteria in the complete ACE.
• Specifies the packet protocol type (IP, TCP, or UDP).
• Specifies the source and destination addressing options described in the remainder of this section.

< any | host < src-ip-addr > | ip-addr/mask-length >
In an extended ACL, this parameter defines the source IP address (SA) that a packet must carry in order to have a match with the ACE.
• any — Specifies all inbound IP packets.
• host < src-ip-addr > — Specifies only inbound packets from a single IP address. Use this option when you want to match only the IP packets from one source IP address.

Comparison Operators:
• eq < tcp/udp-port-nbr > — “Equal To”; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be equal to < tcp/udp-port-nbr >.
• gt < tcp/udp-port-nbr > — “Greater Than”; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be greater than < tcp/udp-port-nbr >.

[log] Optional; generates an ACL log message if:
• The action is deny. (This option is not configurable for Permit.)
• There is a match.
• ACL logging is enabled on the switch.

A (Refer to figure 9-13, above.) B (Refer to figure 9-13, above.) Enabling ip routing activates ACL operation on routed traffic. Executing write memory saves the configuration changes to the startup-config file.
Figure 9-14.
Configuring a Named ACL

You can use the “Named ACL” context to configure a standard or extended ACL with an alphanumeric name instead of a number. Note that the command structure for configuring a named ACL differs from that for a numbered ACL.

< name-str | 1-99 | 100-199 > Consists of an alphanumeric string of up to 64 case-sensitive characters. If you include a space in the string, you must also enclose the string in quotes. For example, “ACL # 1”. You can also enter numbers in the ranges associated with standard (1-99) and extended (100-199) ACLs.

(Figure 9-15 callouts: command entry for source IP address and mask; configured source IP address and mask; command entry for destination IP address and mask; configured destination IP address and mask.)
Figure 9-15. Using the “Named ACL” Context To Configure an ACL

Enabling or Disabling ACL Filtering on a VLAN

For a given interface, you can configure one ACL to filter inbound traffic and one ACL to filter outbound traffic.

(Figure 9-16 callouts: enabling an ACL from the global configuration level; enabling an ACL from a VLAN context; disabling an ACL from the global configuration level; disabling an ACL from a VLAN context.)
Figure 9-16.

Deleting an ACL from the Switch
Displaying ACL Data

  ACL Commands                    Function                                                                              Page
  show access-list                View a brief listing of all ACLs on the switch.                                       9-48
  show access-list config         Display the CLI commands for generating the ACL commands configured in the switch.    9-49
  show access-list vlan < vid >   List the name and type of ACLs assigned to a particular VLAN on the switch.

Display the Content of All ACLs on the Switch
This command lists the configuration details for every ACL configured in the running-config file, regardless of whether you have assigned any to filter traffic on VLANs configured on the switch.
Syntax: show access-list config
List the configured syntax for all ACLs currently configured on the switch.

Display the ACL Assignments for a VLAN
This command briefly lists the identification and type(s) of ACLs currently assigned to a particular VLAN in the running-config file. (The switch allows up to two ACL assignments per VLAN: one inbound and one outbound.)
Syntax: show access-list vlan < vid >
List the ACLs assigned to a VLAN in the running-config file.
Note
This information also appears in the show running display.

For example, suppose you configured the following two ACLs in the switch:

  ACL ID   ACL Type   Desired Action
  1        Standard   • Deny IP traffic from 18.28.236.77 and 18.29.140.107.
                      • Permit IP traffic from all other sources.
  105      Extended   • Permit any TCP traffic from 18.30.133.27 to any destination.
                      • Deny any other IP traffic from 18.30.133.(1-255).
                      • Permit all other IP traffic from any source to any destination.

Table 9-6. Descriptions of Data Types Included in Show Access-List < acl-id > Output

  Field     Description
  Name      The ACL identifier. Can be a number from 1 to 199, or a name.
  Type      Standard or Extended. The former uses only source IP addressing. The latter uses both source and destination IP addressing and also allows TCP or UDP port specifiers.
  Applied   “Yes” means the ACL has been applied to a VLAN.
Editing ACLs and Creating an ACL Offline

Earlier sections of this chapter describe how to use the CLI to create an ACL. The material beginning with “Using the CLI To Edit ACLs”, below, describes how to use the CLI to edit existing ACLs. However, you can also create or edit an ACL offline, then use a TFTP server to upload the ACL as a command file.

■ Deleting the last ACE from a numeric ACL removes the ACL from the configuration. Deleting the last ACE from a named ACL leaves the ACL in memory. In this case, the ACL is “empty” and cannot perform any filtering tasks. (In any ACL the implicit “deny any” does not apply unless the ACL includes at least one explicit ACE.

(Figure 9-22 callouts: ACL 103 before removing the second “deny” ACE; use no access-list to remove this line from ACL 103; ACL 103 after removing the second “deny” ACE.)
Figure 9-22.

Creating an ACL Offline

Use a text editor that allows you to create an ASCII text file (.txt). If you are replacing an ACL on the switch with a new ACL that uses the same number or name syntax, begin the command file with a “no” command to remove the earlier version of the ACL from the switch’s running-config file. Otherwise, the switch will append the new ACEs in the ACL you download to the existing ACL.

■ Deny all traffic from VLAN 30 (10.10.30.0) to the server at 10.10.10.100 on VLAN 10 (without ACL logging), but allow any other traffic from VLAN 30 to VLAN 10.
■ Deny all other inbound traffic to VLAN 20. (Hint: The implicit “deny any” can achieve this objective.)
1. You would create a .txt file with the content shown in figure 9-24. You can use the “;” character to denote a comment.

2. After you copy the above .txt file to a TFTP server the switch can access, you would then execute the following command:
Figure 9-25. Example of Using “copy tftp command-file” To Configure an ACL in the Switch
Note
If a transport error occurs, the switch does not execute the command and the ACL is not configured.
3.
Enable ACL “Deny” Logging

ACL logging enables the switch to generate a message when IP traffic meets the criteria for a match with an ACE that results in an explicit “deny” action.

summary of any additional “deny” matches for that ACE (and any other “deny” ACEs for which the switch detected a match). If no further log messages are generated in the wait-period, the switch suspends the timer and resets itself to send a message as soon as a new “deny” match occurs. The data in the message includes the information illustrated in figure 9-26.

(Figure 9-27 diagram: a syslog server at 18.38.110.54 and a console attached to the Series 5300XL switch’s RS-232 port; VLAN 110 (subnet 110, 18.38.110.1) and VLAN 100 (subnet 100, 18.38.100.1); extended ACL 143 is configured on the switch to deny inbound Telnet traffic from IP address 18.38.100.127, blocking Telnet access to the network from that host.)
Figure 9-27. Example of an ACL Log Application
Figure 9-28.

Operating Notes for ACL Logging
■ The ACL logging feature generates a message only when packets are explicitly denied as the result of a match, and not when explicitly permitted or implicitly denied. To help test ACL logging, configure an ACL with an explicit deny any and log statements at the end of the list, and apply the ACL to an appropriate VLAN.
General ACL Operating Notes

ACLs do not provide DNS hostname support.
Protocol Support: ACL criteria include IP, TCP, and UDP. ACLs do not use these criteria:
■ TOS (Type-of-Service)
■ Precedence
■ MAC information
■ QoS
ACLs do not affect switch serial port access.
When the ACL configuration includes TCP or UDP options, the switch operates in “strict” TCP and UDP mode for increased control.
10 Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4 ACL Applications on Series 3400cl and 6400cl Switches . . . . . . . . . . 10-4 General Application Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7 Overview . . .
Security . . . 10-28
Guidelines for Planning the Structure of an ACL . . . 10-29
ACL Configuration and Operating Rules . . . 10-30
How an ACE Uses a Mask To Screen Packets for Matches . . .
Display All ACLs and Their Assignments in the Switch Startup-Config File and Running-Config File . . . 10-68
Editing ACLs and Creating an ACL Offline . . . 10-69
Using the CLI To Edit ACLs . . . 10-69
General Editing Rules . . .
Introduction

  Feature                               Default   Menu   CLI     Web
  Standard ACLs                         None      —      10-47   —
  Extended ACLs                         None      —      10-52   —
  Numbered ACLs / Named ACLs            —         —      10-58   —
  Enable or Disable an ACL                        —      10-61   —
  Display ACL Data                      n/a       —      10-62   —
  Delete an ACL                         n/a       —      10-62   —
  Configure an ACL from a TFTP Server   n/a       —      10-72   —
  Enable ACL Logging                    n/a       —      10-77   —
  Show ACL Resources
  Access-List Resources Help

ACL Applications on

■ Switch Management Access: Permits or denies in-band management access. This includes preventing the use of certain TCP or UDP applications (such as Telnet, SSH, web browser, and SNMP) for transactions between specific source and destination IP addresses.

Table 10-1.

  Action                Command                                                  Page
  Displaying ACL Data   ProCurve(config)# show access-list                       10-62
                        ProCurve(config)# show access-list [ acl-name-string ]
                        ProCurve(config)# show access-list config
                        ProCurve(config)# show access-list ports < port-list >
                        ProCurve(config)# show access-list resources
                        ProCurve(config)# access-list resources help
                        ProCurve(config)# show config
                        ProCurve(config)# show running

Terminology

3400cl/6400cl Switc
ACL Mask: Follows an IP address (source or destination) listed in an ACE to specify either a subnet or a group of devices. Defines which bits in a packet’s corresponding IP addressing must exactly match the IP addressing in the ACE, and which bits need not match (wildcards). For example: (figure) Dotted-Decimal and CIDR versions of the same mask. In both cases, zeros in the mask indicate significant digits.

Inbound Traffic: For the purpose of defining where the switch applies ACLs to filter traffic, inbound traffic is any IP packet that:
• Enters the switch through a physical port.
• Has a destination IP address (DA) that meets either of these criteria:
  – The packet’s DA is for an external device.
  – The packet’s DA is for an IP address configured on the switch itself.
Overview

Standard ACL: This type of Access Control List uses the layer-3 IP criterion of source IP address to determine whether there is a match with an inbound IP packet. You can apply a standard ACL to inbound traffic on a port or trunk, including any inbound traffic with a DA belonging to the switch itself. Standard ACLs require an identification number (ID) in the range of 1-99 or an alphanumeric name.

The switch can apply ACL filtering to traffic entering the switch on ports and/or trunks configured to apply ACL filters. For example, in figure 10-2 you would assign an inbound ACL on port 1 to filter a packet from the workstation 10.28.10.5 to the server at 10.28.20.99. Note that all ACL filtering is performed on the inbound port or trunk.

You can configure ACLs using either the CLI or a text editor. The text-editor method is recommended when you plan to create or modify an ACL that has more entries than you can easily enter or edit using the CLI alone. Refer to “Editing ACLs and Creating an ACL Offline” on page 10-69.

General Steps for Planning and Configuring ACLs
1. Identify the traffic type to filter.
ACL Operation

Introduction

An ACL is a list of one or more Access Control Entries (ACEs), where each ACE consists of matching criteria and an action (permit or deny). An ACL applies only to the switch in which it is configured. ACLs operate on assigned ports and static trunks, and filter these traffic types:
■ Traffic entering the switch. (Note that ACLs do not screen traffic at any internal point.

The Packet-Filtering Process

Sequential Comparison and Action. When the switch uses an ACL to filter a packet, it sequentially compares each ACE’s filtering criteria to the corresponding data in the packet until it finds a match. For a packet with a source IP address of 10.28.156.3, the switch: 1. Compares the packet to this ACE first. 2.

Note on Implicit Deny
For ACLs configured to filter inbound packets, note that Implicit Deny filters any packets, including those with a DA specifying the switch itself. This operation helps to prevent management access from unauthorized IP sources.
1. If a match is not found with the first ACE in an ACL, the switch proceeds to the next ACE and so on. Test a packet against criteria in first ACE.

Note
The order in which an ACE occurs in an ACL is significant. For example, if an ACL contains six ACEs, but the first ACE is a “permit IP any”, then the ACL permits all IP traffic, and the remaining ACEs in the list do not apply, even if they specify criteria that would match traffic already permitted by the first ACE.
Planning an ACL Application on a Series 3400cl or Series 6400cl Switch

It is important to remember that this ACL (and all ACLs) includes an implicit deny any. That is, inbound IP packets (including switched packets having the switch as the destination IP address) that the ACL does not explicitly permit or deny will be implicitly denied, and therefore dropped.

Prioritizing and Monitoring ACL, IGMP, QoS, and Rate Limiting Feature Usage

If you want to configure ACLs and either QoS or Rate-Limiting (or both) on the same 3400cl or 6400cl port(s), plan and implement your per-port configuration in descending order of feature importance.

Standard ACLs:
■ Each ACE, including the implicit deny any ACE in a standard ACL, uses one port rule.
■ Contiguous ACE entries with the same subnet mask use the same port mask. Contiguous ACE entries with different subnet masks use one port mask per entry. To conserve ACL mask resources, group ACEs with identical subnet masks together.
Table 10-2. Minimizing Per-Port Mask Usage

  Contiguous ACEs with the Same Subnet Mask   |   Contiguous ACEs with Different Subnet Masks
  The ACEs in this sequence use two port masks because entries with identical subnet masks are contiguous.

Table 10-3. ACL Rule and Mask Resource Usage

  ACE Type                                                                                                                  Per-Port Rule Usage   Per-Port Masks Usage
  Implicit deny any (automatically included in any standard ACL, but not displayed by the show access-list < acl-# > command).
The following two CLI commands are unique to the 3400cl/6400cl switches and are useful for planning and monitoring rule and mask usage in an ACL configuration.
Syntax: access-list resources help
Provides a quick reference on how ACL, QoS and Rate-Limiting use rule resources and how ACL uses mask resources for each configuration option.

Troubleshooting a Shortage of Per-Port Resources

As noted above, a lack of available per-port rules can be caused by a combination of ACL, IGMP, QoS, and Rate-Limiting applications. A lack of available ACL masks is caused by configuring an ACL to oversubscribe the number of per-port masks available for ACLs.

the switch’s existing configuration for unnecessary QoS and rate-limiting entries or inefficient applications that could be removed or revised to achieve the desired policies with less resource usage.

Example of ACL Resource Usage

This example illustrates how to check for current per-port rule and mask availability, then how to create and assign an ACL, and then how to verify its effect on per-port rule and mask resources. (For more detailed information on configuring and applying ACLs, refer to the later sections of this chapter.

■ Permit inbound VLAN 3 traffic on all ports. Because all ports in the example have the same inbound traffic requirements for ACL filtering, the system administrator needs to create only one ACL for application to all four ports.
■ All inbound 10.10.10.x (VLAN 1) traffic is allowed on all ports.
■ For the inbound 10.10.11.
Every standard ACL has at least two ACEs: the first ACE that you configure, and the implicit deny any ACE that follows all other configured ACEs in the ACL. The first ACE and the implied deny any together consume two per-port rules and two per-port masks. ACE # 2 consumes one per-port rule.
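To make the per-port rule and mask accounting above concrete, here is an added Python model (not from the manual) that counts rules and masks for a standard ACL under the rules stated for standard ACLs, and that regroups ACEs by mask only when the reordering cannot change any first-match result. It assumes the implicit deny any is stored with the all-ones mask 255.255.255.255, as the 5300xl chapter shows for deny any; the names StdAce, standard_acl_resources, ranges_overlap and group_by_mask are hypothetical and the ACLs are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: the implicit "deny any" is stored as 0.0.0.0 with an all-ones mask,
# so it never shares a port mask with a more specific explicit ACE.
IMPLICIT_DENY_MASK = "255.255.255.255"


@dataclass(frozen=True)
class StdAce:                     # hypothetical model of one standard-ACL entry
    action: str                   # "permit" or "deny"
    addr: str
    mask: str


def standard_acl_resources(acl: List[StdAce]) -> Tuple[int, int]:
    """Per-port (rules, masks) a standard ACL consumes on a 3400cl/6400cl port:
    one rule per ACE including the implicit deny any; contiguous ACEs with the
    same mask share one port mask, and each change of mask costs another."""
    if not acl:
        return 0, 0               # an empty ACL filters nothing, so no implicit deny
    masks = [ace.mask for ace in acl] + [IMPLICIT_DENY_MASK]
    changes = sum(1 for prev, cur in zip(masks, masks[1:]) if prev != cur)
    return len(masks), 1 + changes


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def ranges_overlap(a: StdAce, b: StdAce) -> bool:
    """True when some source address matches both ACEs: the addresses agree on
    every bit that both masks mark as significant (mask bit 0)."""
    both_significant = ~(_ip(a.mask) | _ip(b.mask)) & 0xFFFFFFFF
    return (_ip(a.addr) ^ _ip(b.addr)) & both_significant == 0


def group_by_mask(acl: List[StdAce]) -> Optional[List[StdAce]]:
    """Reorder so ACEs with identical masks are contiguous (first-seen mask order).
    Returns None if any pair whose relative order would flip overlaps with
    different actions, because then the first-match result could change."""
    mask_order = list(dict.fromkeys(ace.mask for ace in acl))
    grouped = [ace for m in mask_order for ace in acl if ace.mask == m]
    original_pos = {ace: i for i, ace in enumerate(acl)}
    for i, earlier in enumerate(grouped):
        for later in grouped[i + 1:]:
            flipped = original_pos[earlier] > original_pos[later]
            if flipped and earlier.action != later.action and ranges_overlap(earlier, later):
                return None
    return grouped


# Constructed ACLs in the spirit of the example above (10.10.10.x = VLAN 1 traffic).
UNSAFE = [StdAce("permit", "10.10.10.0", "0.0.0.255"),
          StdAce("deny",   "10.10.0.0",  "0.0.255.255"),   # also covers 10.10.12.x
          StdAce("permit", "10.10.12.0", "0.0.0.255")]
SAFE = [StdAce("permit", "10.10.10.0", "0.0.0.255"),
        StdAce("deny",   "10.20.0.0",  "0.0.255.255"),
        StdAce("permit", "10.10.12.0", "0.0.0.255")]

if __name__ == "__main__":
    print(standard_acl_resources(SAFE), standard_acl_resources(group_by_mask(SAFE)))
    print(group_by_mask(UNSAFE))     # None: regrouping would change the policy
```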
Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches Planning an ACL Application on a Series 3400cl or Series 6400cl Switch Traffic Management and Improved Network Performance You can use ACLs to block unnecessary traffic caused by individual hosts, workgroups, or subnets, and to block user access to subnets, devices, and services. Answering the following questions can help you to design and properly position ACLs for optimum network usage.
Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches Planning an ACL Application on a Series 3400cl or Series 6400cl Switch You can also enhance switch management security by using ACLs to block inbound IP traffic that has the switch itself as the destination address (DA). Caution ACLs can enhance network security by blocking selected IP traffic, and can serve as one aspect of maintaining network security.
Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches Planning an ACL Application on a Series 3400cl or Series 6400cl Switch ACL Configuration and Operating Rules ■ Per-Interface ACL Limits. At a minimum an ACL must have one, explicit “permit” or “deny” Access Control Entry.
Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches Planning an ACL Application on a Series 3400cl or Series 6400cl Switch ■ ACLs Operate On Ports and Static Trunk Interfaces: You can assign an ACL to any port and/or any statically configured trunk on the switch. ACLs do not operate with dynamic (LACP) trunks.
Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches Planning an ACL Application on a Series 3400cl or Series 6400cl Switch How an ACE Uses a Mask To Screen Packets for Matches When the switch applies an ACL to inbound traffic on an interface, each ACE in the ACL uses an IP address and ACL mask to enforce a selection policy on the packets being screened.
Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches Planning an ACL Application on a Series 3400cl or Series 6400cl Switch Rules for Defining a Match Between a Packet and an Access Control Entry (ACE) ■ For a given ACE, when the switch compares an IP address and corresponding mask in the ACE to an IP address carried in a packet: • A mask-bit setting of 0 (“off”) requires that the corresponding bit in the packet’s IP address and in the ACE’s IP address must be the same.
Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches Planning an ACL Application on a Series 3400cl or Series 6400cl Switch ■ Every IP address and mask pair (source or destination) used in an ACE creates one of the following policies: • Any IP address fits the matching criteria. In this case, the switch automatically enters the IP address and mask in the ACE. For exam ple: access-list 1 deny any produces this policy in an ACL listing: IP Address Mask 0.0.0.0 255.255.255.
Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches Planning an ACL Application on a Series 3400cl or Series 6400cl Switch Example of How the Mask Bit Settings Define a Match . Assume an ACE where the second octet of the mask for an SA is 7 (the rightmost three bits are “on”, or “1”) and the second octet of the corresponding SA in the ACE is 31 (the rightmost five bits).
Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches Planning an ACL Application on a Series 3400cl or Series 6400cl Switch . This ACL (a standard ACL named “Fileserver”) includes an ACE (Access Control Entry) that permits matches only with the packets received from IP address 10.28.252.117 (the SA). Packets from any other source do not match and are denied. ip access-list standard Fileserver permit 10.28.252.117 ACE 0.0.0.
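The mask-bit rule and the first-match evaluation described above, as an added Python example (not code from the ProCurve manual). It implements the two rules the manual states: a 0 mask bit forces the packet bit to equal the ACE bit, a 1 mask bit is a wildcard, and an ACL is evaluated in order until the first matching ACE, with the implicit deny any last. The per-port rule count follows the manual's statement that each configured ACE and the implicit deny consume one rule apiece; mask consumption is not modelled because the page does not state the rule for it. The `StandardAcl` class and its method names are this example's own.

```python
"""Added example (not from the ProCurve manual): how an ACE's IP address and
ACL mask screen a packet, and how a standard ACL is evaluated first-match
with the implicit 'deny any' that the switch appends to every list."""
import ipaddress
from typing import List, Optional, Tuple

# What the switch stores for "any" (access-list 1 deny any -> 0.0.0.0 255.255.255.255)
ANY_IP, ANY_MASK = "0.0.0.0", "255.255.255.255"


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def ace_matches(ace_ip: str, acl_mask: str, packet_ip: str) -> bool:
    """Mask bit 0 ("off"): the packet bit must equal the ACE bit.
    Mask bit 1 ("on"): the packet bit is a wildcard and is ignored."""
    fixed = ~ip_to_int(acl_mask) & 0xFFFFFFFF          # bits that must agree
    return ((ip_to_int(ace_ip) ^ ip_to_int(packet_ip)) & fixed) == 0


def matching_octet_values(ace_octet: int, mask_octet: int) -> List[int]:
    """Every value a single packet octet may take and still match the ACE octet
    under the mask octet (the manual's case: ACE 31 with mask 7 -> 24..31)."""
    fixed = ~mask_octet & 0xFF
    return [v for v in range(256) if ((v ^ ace_octet) & fixed) == 0]


class StandardAcl:
    """Ordered list of (action, source-ip, acl-mask) ACEs (example's own class)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.aces: List[Tuple[str, str, str]] = []

    def _add(self, action: str, ip: str, mask: str) -> "StandardAcl":
        self.aces.append((action, ip, mask))   # new ACEs always go to the end
        return self

    def permit_host(self, ip: str) -> "StandardAcl":
        return self._add("permit", ip, "0.0.0.0")

    def deny_host(self, ip: str) -> "StandardAcl":
        return self._add("deny", ip, "0.0.0.0")

    def permit(self, ip: str, mask: str) -> "StandardAcl":
        return self._add("permit", ip, mask)

    def deny(self, ip: str, mask: str) -> "StandardAcl":
        return self._add("deny", ip, mask)

    def permit_any(self) -> "StandardAcl":
        return self._add("permit", ANY_IP, ANY_MASK)

    def evaluate(self, src_ip: str) -> Tuple[str, Optional[int]]:
        """Return (action, 1-based ACE number) of the first match, or
        ('deny', None) when only the implicit deny any matches."""
        for n, (action, ip, mask) in enumerate(self.aces, start=1):
            if ace_matches(ip, mask, src_ip):
                return action, n
        return "deny", None

    def per_port_rules(self) -> int:
        """Each configured ACE plus the implicit deny consumes one per-port rule."""
        return len(self.aces) + 1


if __name__ == "__main__":
    fileserver = StandardAcl("Fileserver").permit_host("10.28.252.117")
    print(fileserver.evaluate("10.28.252.117"), fileserver.evaluate("10.28.252.200"))
    print("octet values matching ACE 31 / mask 7:", matching_octet_values(31, 7))
```

`matching_octet_values(31, 7)` reproduces the manual's worked case: with mask octet 7 only the low three bits are wildcards, so the packet's second octet must carry the upper five bits of 31 (00011) and any of 24 through 31 matches.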
Table 10-6.
Configuring and Assigning an ACL
ACL Feature | Page
Configuring and Assigning a Numbered, Standard ACL | 10-47
Configuring and Assigning a Numbered, Extended ACL | 10-52
Configuring a Named ACL | 10-58
Enabling or Disabling ACL Filtering | 10-61
Overview
General Steps for Implementing ACLs
Caution Regarding the Use of Source Routing
1. Configure at least one ACL.
You should carefully plan your ACL application before configuring specific ACLs. For more on this topic, refer to "Planning an ACL Application on a Series 3400cl or Series 6400cl Switch" on page 10-17.
ACL Configuration Structure
After you enter an ACL command, you may want to inspect the resulting configuration. This is especially true where you are entering multiple ACEs into an ACL.
Standard ACL Structure
Individual ACEs in a standard ACL include only a permit/deny "type" statement, the source IP addressing, and an optional log command (available with "deny" statements).
ip access-list < type > "< id-string >"
permit host < source-ip-address >
deny < source-ip-address > < acl-mask > [log]
. . .
permit any
exit
Figure 10-10.
■ Optional ACL log command (available for "deny" ACLs only)
ip access-list < type > "< id-string >"
< permit | deny > ip < source-ip-address > < source-acl-mask > < destination-ip-address > < destination-acl-mask > [log]
Note: The optional log function appears only with "deny" ACEs.
ACL Configuration Factors
ACL Resource Consumption
Consumption of per-port rules and masks can be a significant factor in switches using extensive ACL applications. In this case, resource usage takes precedence over other factors when planning and configuring ACLs. For more information on this topic, refer to "Planning an ACL Application on a Series 3400cl or Series 6400cl Switch" on page 10-17.
Table 10-7. Effect of the ACL in Figure 10-14 on Inbound Traffic on the Assigned Port
Line # | Action
1 | Shows list type (extended) and ID (101).
2 | A packet from IP source address 10.28.235.10 will be denied (dropped). This line filters out all packets received from 10.28.235.10.
In Any ACL, There Will Always Be a Match
As indicated in figure 10-14, the switch automatically uses an implicit "deny IP any" (standard ACL) or "deny IP any any" (extended ACL) as the last ACE in any ACL.
■ Duplicate ACEs are allowed in an ACL. However, multiple instances of an ACE have no effect on filtering because the first instance preempts any subsequent duplicates. Also, duplicate entries unnecessarily consume additional resources on assigned ACLs. For more information, refer to "Editing ACLs and Creating an ACL Offline" on page 10-69.
Table 10-8. Examples of CIDR Notation for Masks
IP Address Used In an ACL with CIDR Notation | Resulting ACL Mask | Meaning
18.38.240.125/15 | 0.1.255.255 | The leftmost 15 bits must match; the remaining bits are wildcards.
18.38.240.125/20 | 0.0.15.255 | The leftmost 20 bits must match; the remaining bits are wildcards.
18.38.240.125/21 | 0.0.7.255 | The leftmost 21 bits must match; the remaining bits are wildcards.
Configuring and Assigning a Numbered, Standard ACL
Configuring Named ACLs: "Configuring a Named ACL" on page 10-58
Configuring Extended, Numbered ACLs: "Configuring and Assigning a Numbered, Extended ACL" on page 10-52
■ To configure named ACLs, refer to "Configuring a Named ACL" on page 10-58.
Syntax: [no] access-list
Creates an ACE in the specified (1-99) access list and indicates the action (deny or permit) to take on a packet if there is a match between the packet and the criterion in the entry. If the ACL does not already exist, this command creates the specified ACL and its first ACE.
The mask is applied to the IP address in the ACL to define which bits in a packet's source IP address must exactly match the IP address configured in the ACL and which bits need not match. Note that specifying a group of contiguous IP addresses may require more than one ACE. For more on how masks operate in ACLs, refer to "How an ACE Uses a Mask To Screen Packets for Matches" on page 10-32.
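The CIDR-to-mask conversion in Table 10-8 and the note above that a contiguous group of addresses may require more than one ACE, as an added Python example (not from the manual). `prefix_to_acl_mask` derives the ACL mask the switch stores from a prefix length, and `aces_for_range` shows how many ACEs a range such as 18.30.133.1 through 18.30.133.255 (the range used later in this chapter) actually needs. Function names are this example's own; the range decomposition uses Python's `ipaddress.summarize_address_range`.

```python
"""Added example (not from the ProCurve manual): turning CIDR prefix lengths
into the ACL (wildcard) masks the switch stores, and showing why a contiguous
address range that is not one CIDR block needs more than one ACE."""
import ipaddress
from typing import List, Tuple


def prefix_to_acl_mask(prefix_len: int) -> str:
    """For /n the leftmost n mask bits are 0 (must match) and the remaining
    32-n bits are 1 (wildcards): /15 -> 0.1.255.255, /21 -> 0.0.7.255."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))


def cidr_to_ace_fields(cidr: str) -> Tuple[str, str]:
    """'18.38.240.125/15' -> ('18.38.240.125', '0.1.255.255'). The address is
    kept as entered; bits under a 1 in the mask are ignored anyway."""
    ip, n = cidr.split("/")
    return ip, prefix_to_acl_mask(int(n))


def aces_for_range(first: str, last: str) -> List[Tuple[str, str]]:
    """Minimal list of (ip, acl-mask) pairs whose union is first..last
    inclusive; each pair is one ACE."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [(str(n.network_address), prefix_to_acl_mask(n.prefixlen)) for n in nets]


def in_ace(ip: str, ace_ip: str, acl_mask: str) -> bool:
    """Wildcard-mask check: 0 bits in the mask must agree, 1 bits are ignored."""
    fixed = ~int(ipaddress.IPv4Address(acl_mask)) & 0xFFFFFFFF
    return ((int(ipaddress.IPv4Address(ip)) ^ int(ipaddress.IPv4Address(ace_ip))) & fixed) == 0


def covered_by(ip: str, aces: List[Tuple[str, str]]) -> bool:
    return any(in_ace(ip, ace_ip, mask) for ace_ip, mask in aces)


if __name__ == "__main__":
    for cidr in ("18.38.240.125/15", "18.38.240.125/20", "18.38.240.125/21"):
        print(cidr, "->", cidr_to_ace_fields(cidr))
    # .1 through .255 is not a power-of-two block, so it costs eight ACEs,
    # whereas .0 through .255 is a single /24 and costs one.
    for ace in aces_for_range("18.30.133.1", "18.30.133.255"):
        print("deny %s %s" % ace)
```

The practical point for resource planning: a policy written as "18.30.133.1 through 18.30.133.255" costs eight ACEs (and the per-port rules that go with them), while "18.30.133.0/24" costs one and differs only in also covering the .0 address.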
• Permits IP traffic from the indicated IP address. Since, for this example, ACL 50 is a new list, this command also creates the ACL.
• Permits IP traffic from the indicated IP address.
• The deny any that the switch implicitly includes in all standard ACLs denies IP packets from IP sources not included in the above three commands.
Denies IP traffic from the indicated IP address. Since, for this example, ACL 60 is a new list, this command also creates the ACL.
Denies IP traffic from the indicated IP address.
show config lists any ACLs and ACL assignments configured in the startup-config.
ACL "50" from the preceding example.
Permits IP traffic from all sources.
Configuring and Assigning a Numbered, Extended ACL
This section describes how to configure numbered, extended ACLs. To configure other ACL types, refer to the following table.
Syntax: [no] access-list
Creates an ACE in the specified (100-199) access list and:
• Indicates the action (deny or permit) to take on a packet if there is a match between the packet and the criteria in the complete ACE.
• Specifies the packet protocol type (IP, TCP, or UDP).
• Specifies the source and destination addressing options described in the remainder of this section.
< any | host < src-ip-addr > | ip-addr/mask-length >
In an extended ACL, this parameter defines the source IP address (SA) that a packet must carry in order to have a match with the ACE.
• any — Specifies all inbound IP packets.
• host < src-ip-addr > — Specifies only inbound packets from a single IP address.
Comparison Operator:
• eq < tcp/udp-port-nbr > — "Equal To"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be equal to < tcp/udp-port-nbr >.
Port Number or Well-Known Port Name: Use the TCP or UDP port number required by your application.
Example of an Extended ACL. Suppose that you want to implement these policies on ports 1, 2, and 3:
A. Permit Telnet traffic from 10.10.10.44 inbound on port 1 to 10.10.20.78, deny all other inbound IP traffic from network 10.10.10.0 (VLAN 10) to 10.10.20.0 (VLAN 20), and permit all other IP traffic from any source to any destination. (See "A" in figure 10-18, below.)
B.
A (Refer to figure 10-18, above.)
B (Refer to figure 10-18, above.)
write memory writes the configuration changes to the startup-config file.
Access-list configuration in the switch's startup-config file.
ACL 110, applied to port 1, consumes two per-port rules and three ACL masks. ACL 120, applied to port 2, also consumes two per-port rules and three ACL masks.
Figure 10-19.
Configuring a Named ACL
You can use the "Named ACL" context to configure a standard or extended ACL with an alphanumeric name instead of a number. Note that the command structure for configuring a named ACL differs from that for a numbered ACL.
< name-str | 1-99 | 100-199 >
Consists of an alphanumeric string of up to 64 case-sensitive characters. If you include a space in the string, you must also enclose the string in quotes. For example, "ACL # 1". You can also enter numbers in the ranges associated with standard (1-99) and extended (100-199) ACLs.
Figure 10-20. (Command entry for source IP address and mask; configured source IP address and mask.)
Enabling or Disabling ACL Filtering on an Interface
You can configure one ACL to filter inbound traffic on multiple interfaces. For limits and operating rules, refer to "ACL Configuration and Operating Rules" on page 10-30.
Syntax: [no] interface < port-list > ip access-group < ascii-string > in
where: < ascii-string > = either an ACL name or an ACL ID number.
Deleting an ACL from the Switch
Syntax: no ip access-list standard < name-str | 1-99 >
no ip access-list extended < name-str | 100-199 >
Removes the specified ACL from the switch's running-config file.
Note: You cannot delete an ACL from the switch while the ACL is assigned to any interface. Thus, before deleting an ACL from the switch, remove all assignments of the ACL to specific interfaces.
Displaying ACL Data
Display an ACL Summary
This command lists the configured ACLs, regardless of whether they are assigned to any interfaces.
Syntax: show access-list
Lists a summary table of the name, type, and application status of all ACLs configured on the switch.
Note: You can use the output from this command as input to an offline text file in which you can edit, add, or delete ACL commands. Refer to "Editing ACLs and Creating an ACL Offline" on page 10-69. This information also appears in the show running display. If you executed write memory after configuring an ACL, it also appears in the show config display.
For example, if you assigned a standard ACL with an ACL ID of "1" to filter inbound traffic on port 10, you could quickly verify this assignment as follows:
(Figure callout:) Indicates that a standard ACL with the ID of "2" is assigned to filter inbound traffic on port 7.
For example, suppose you configured the following two ACLs in the switch:
ACL ID | ACL Type | Desired Action
1 | Standard | • Deny IP traffic from 18.28.236.77 and 18.29.140.107. • Permit IP traffic from all other sources.
105 | Extended | • Permit any TCP traffic from 18.30.133.27 to any destination. • Deny any other IP traffic from 18.30.133.(1-255).
Table 10-9. Descriptions of Data Types Included in Show Access-List < interface > Output
Field | Description
Name | The ACL identifier. Can be a number from 1 to 199, or a name.
Type | Standard or Extended. The former uses only source IP addressing. The latter uses both source and destination IP addressing and also allows TCP or UDP port specifiers.
Applied | "Yes" means the ACL has been applied to an interface.
(Figure callout:) Indicates that one rule and two masks have been used. All other ports show the default quantity of rules and masks, which means that there are no ACLs or QoS assigned to these other ports on the switch.
Note: Because ACLs and QoS use the same rule resources in the switch, show access-list resources and show qos resources both list the same resource table.
Editing ACLs and Creating an ACL Offline
Earlier sections of this chapter describe how to use the CLI to create an ACL. The text beginning with "Using the CLI To Edit ACLs", below, describes how to use the CLI to edit existing ACLs. However, you can also create or edit an ACL offline, then use a TFTP server to upload the ACL as a command file.
General Editing Rules
■ You can delete any ACE from an ACL by repeating the ACE's entry command, preceded by the "no" statement. When you enter a new ACE, the switch inserts it as the last entry of the specified ACL.
■ Deleting the last ACE from a numeric ACL removes the ACL from the configuration. Deleting the last ACE from a named ACL leaves the ACL in memory.
For example, the first of the following two commands creates an ACE in ACL 22 and the second deletes the same ACE:
(Figure callouts:) Creates an ACE in ACL 22. Removes the same ACE from ACL 22, regardless of the ACE's position in the ACL.
Figure 10-27. Example of Deleting an ACE from a Standard ACL
Figure 10-28 shows an example of deleting an ACE from an extended ACL.
Working Offline To Create or Edit an ACL
Note: When creating an ACL offline, ensure that the interfaces to which you plan to assign the ACL will have adequate per-port rules and ACL masks available.
Removes an existing ACL and replaces it with a new version with the same identity. To append new ACEs to the ACL instead of replacing it, you would omit the first line.
no ip access-list extended 103
ip access-list extended "103"
deny tcp 0.0.0.0 255.255.255.255 10.10.10.2 0.0.0.0 eq 23 log
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
Figure 10-29.
You can use the ";" character to denote a comment. The file stored on your TFTP server retains comments, and they appear when you use copy to download the ACL command file. (Comments are not saved in the switch configuration.)
(Figure callout:) Enables a comment in the file. Blank lines in the file cause breaks in the displayed line-numbering sequence when you copy the command file to the switch.
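An added Python example (not code from the manual or from ProCurve) of checking an offline ACL command file before uploading it. It strips `;` comments and blank lines, parses standard and extended ACEs in the address forms this chapter shows (any, host, ip/len, ip mask), and flags the two problems the chapter warns about: duplicate ACEs (allowed, but never matched and still charged against per-port resources) and ACEs placed after a catch-all entry, which can never be reached. The sample file is constructed from Figure 10-29 with two extra lines added to trigger the checks; the assumption that a `;` anywhere on a line starts a comment, and all function names, are this example's own.

```python
"""Added example (not from the ProCurve manual): a small linter for an ACL
command file prepared offline for upload to the switch."""
import ipaddress
from typing import Dict, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")        # what the switch stores for "any"

# Constructed sample: Figure 10-29's ACL 103 plus one duplicate (line 6) and
# one unreachable ACE (line 8). Trailing ';' comments are this example's
# assumption about comment placement, not something the manual shows.
SAMPLE_FILE = """\
; ACL 103, built offline, uploaded as a command file
no ip access-list extended 103
ip access-list extended "103"

  deny tcp 0.0.0.0 255.255.255.255 10.10.10.2 0.0.0.0 eq 23 log
  deny tcp any host 10.10.10.2 eq 23 log      ; same ACE as line 5, spelled differently
  permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
  deny udp any any eq 69                      ; never reached: line 7 matches everything
exit
"""


def wildcard(prefix_len: int) -> str:
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))


def take_addr(tok: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume one address spec (any | host X | X/len | X mask) and return it
    as a normalized (ip, acl-mask) pair plus the index of the next token."""
    t = tok[i]
    if t == "any":
        return ANY, i + 1
    if t == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    if "/" in t:
        ip, n = t.split("/")
        return (ip, wildcard(int(n))), i + 1
    return (t, tok[i + 1]), i + 2


def take_port(tok: List[str], i: int) -> Tuple[Optional[Tuple[str, str]], int]:
    """Optional 'eq <port>' comparison, the only operator shown in this chapter."""
    if i < len(tok) and tok[i] == "eq":
        return ("eq", tok[i + 1]), i + 2
    return None, i


def parse_ace(cmd: str, acl_type: str) -> tuple:
    tok = cmd.split()
    action = tok[0]
    if acl_type == "standard":
        src, i = take_addr(tok, 1)
        proto, sport, dst, dport = "ip", None, ANY, None
    else:
        proto, i = tok[1], 2
        src, i = take_addr(tok, i)
        sport, i = take_port(tok, i) if proto in ("tcp", "udp") else (None, i)
        dst, i = take_addr(tok, i)
        dport, i = take_port(tok, i) if proto in ("tcp", "udp") else (None, i)
    log = i < len(tok) and tok[i] == "log"
    return (action, proto, src, sport, dst, dport, log)


def is_catch_all(ace: tuple) -> bool:
    _, proto, src, sport, dst, dport, _ = ace
    return proto == "ip" and src == ANY and dst == ANY and sport is None and dport is None


def stripped_commands(text: str) -> List[str]:
    """The command lines the switch actually executes: comments and blank lines removed."""
    cmds = [raw.split(";", 1)[0].strip() for raw in text.splitlines()]
    return [c for c in cmds if c]


def lint_acl_file(text: str) -> Dict[str, object]:
    report: Dict[str, object] = {"acl": None, "replace_mode": False,
                                 "aces": [], "duplicates": [], "unreachable": []}
    acl_type, pending_delete = None, None
    seen: Dict[tuple, int] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        cmd = raw.split(";", 1)[0].strip()
        if not cmd:
            continue
        tok = cmd.split()
        if tok[:3] == ["no", "ip", "access-list"]:
            pending_delete = tok[4].strip('"')       # "replace, don't append" form
            continue
        if tok[:2] == ["ip", "access-list"]:
            acl_type, acl_id = tok[2], tok[3].strip('"')
            report["acl"] = (acl_type, acl_id)
            report["replace_mode"] = pending_delete == acl_id
            continue
        if cmd == "exit" or acl_type is None:
            continue
        ace = parse_ace(cmd, acl_type)
        if any(is_catch_all(a) for _, a in report["aces"]):
            report["unreachable"].append(lineno)     # an earlier ACE matches everything
        if ace in seen:
            report["duplicates"].append((lineno, seen[ace]))
        else:
            seen[ace] = lineno
        report["aces"].append((lineno, ace))
    return report


if __name__ == "__main__":
    print(lint_acl_file(SAMPLE_FILE))
```

Line 6 is flagged as a duplicate of line 5 because both normalize to the same ACE once `any` and `host` are expanded to the address and mask pairs the switch stores; line 8 is flagged because the `permit ip any any` on line 7 already matches every packet.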
Enable ACL "Deny" Logging
Note: If a transport error occurs, the switch does not execute the command and the ACL is not configured.
3. Next, assign the new ACL to the intended interface which, in this example, is port 2.
ProCurve(config)# interface 2 access-group 160 in
4. Inspect the effect of the ACL on the switch's per-port resources. ACL 160 used six per-port rules and five ACL masks on port 2.
■ Receive notification when the switch detects attempts to transmit traffic you have designed your ACLs to reject.
The switch sends ACL messages to Syslog and optionally to the current console, Telnet, or SSH session. You can configure up to six Syslog server destinations.
Note: To fit this illustration on the page, the portion of the message generated by the Syslog server itself is shown in the line above the portion of the message generated by the switch.
Figure 10-34. Example of an ACL Log Application. (Figure residue: Syslog server 10.38.110.54; a 3400cl or 6400cl switch with a console on the RS-232 port and ports 10 and 11 in use; extended ACL 143 configured to deny inbound Telnet traffic from IP address 10.38.100.127, blocking Telnet access to the network from that host.)
Figure 10-35.
Operating Notes for ACL Logging
■ The ACL logging feature generates a message only when packets are explicitly denied as the result of a match, and not when explicitly permitted or implicitly denied. To help test ACL logging, configure an ACL with an explicit deny any and log statement at the end of the list, and apply the ACL to an appropriate interface.
General ACL Operating Notes
ACLs do not provide DNS hostname support.
Protocol Support: ACL criteria include IP, TCP, and UDP. ACL criteria do not include:
■ TOS (Type-of-Service)
■ Precedence
■ MAC information
■ QoS
ACLs do not affect switch serial port access.
ACLs filter both Layer 2 and Layer 3 on a port.
There is no performance degradation with ACLs enabled; traffic is at line rate.
ACLs Do Not Filter Traffic Generated by the Switch. Because ACLs on the 3400cl/6400cl switches filter only inbound traffic at the inbound physical port, outbound traffic from any source is not filtered by any ACL(s) configured on the switch. Filtering of such traffic must be done at a downstream device.
(Event log message:) < acl-list-# >: Unable to apply access control list.
11 IP Routing Features
Contents
Overview of IP Routing 11-3
IP Interfaces 11-4
IP Tables and Caches 11-4
IP Route Exchange Protocols 11-7
IP Global Parameters for Routing Switches
Overview of OSPF 11-34
Configuring OSPF 11-38
Displaying OSPF Information 11-53
OSPF Equal-Cost Multipath (ECMP) for Different Subnets Available Through the Same Next-Hop Routes 11-70
Enabling IRDP Globally
Overview of IP Routing
The ProCurve Series 5300xl, 4200vl, 3400cl, and 6400cl switches offer the following IP routing features, as noted:
■ IP Static Routes – up to 256 static routes for 5300xl and 3400/6400cl switches; up to 16 static routes for 4200vl switches.
detail. Use the information in this chapter if you need to change some of the IP parameters from their default values or you want to view configuration information or statistics.
IP Interfaces
On the routing switches, IP addresses are associated with individual VLANs. By default, there is a single VLAN (Default_VLAN) on the routing switch. In that configuration, a single IP address serves as the management access address for the entire device.
ARP Cache Table
The ARP cache contains entries that map IP addresses to MAC addresses. Generally, the entries are for devices that are directly attached to the routing switch. An exception is an ARP entry for an interface-based static IP route that goes to a destination that is one or more router hops away.
The IP route table contains the best path to a destination.
■ When the software receives paths from more than one of the sources listed above, the software compares the administrative distance of each path and selects the path with the lowest administrative distance. The administrative distance is a protocol-independent value from 1 to 255.
The IP route table is displayed by entering the CLI command show ip route from any context level in the console CLI.
IP Route Exchange Protocols
This feature is not available on the Series 4200vl switches.
The switch supports the following IP route exchange protocols:
■ Routing Information Protocol (RIP)
■ Open Shortest Path First (OSPF)
These protocols provide routes to the IP route table. You can use one or more of these protocols, in any combination. The protocols are disabled by default.
Parameter | Description | Default | See page
Time to Live (TTL) | The maximum number of routers (hops) through which a packet can pass before being discarded. Each router decreases a packet's TTL by 1 before forwarding the packet. If decreasing the TTL causes the TTL to be 0, the router drops the packet instead of forwarding it. | 64 hops | Refer to the chapter titled "Configuring IP Addressing" in the Management and Configuration Guide.
IP Interface Parameters for Routing Switches
Table 11-2 lists the interface-level IP parameters for routing switches.
Table 11-2. IP Interface Parameters – Routing Switches
Parameter | Description | Default | See page
IP address | A Layer 3 network interface address; separate IP addresses on individual VLAN interfaces. | None configured | chapter 7
Metric | A numeric cost the router adds to RIP routes learned on the interface. This parameter applies only to RIP routes.
Configuring IP Parameters for Routing Switches
The following sections describe how to configure IP parameters. Some parameters can be configured globally while others can be configured on individual VLAN interfaces. Some parameters can be configured globally and overridden for individual VLAN interfaces.
Note: This section describes how to configure IP parameters for routing switches.
To change the router ID, enter a command such as the following:
ProCurve(config)# ip router-id 209.157.22.26
Syntax: ip router-id < ip-addr >
The < ip-addr > can be any valid, unique IP address.
Note: You can specify an IP address used for an interface on the ProCurve routing switch, but do not specify an IP address in use by another device.
To obtain the MAC address required for forwarding a datagram, the routing switch does the following:
■ First, the routing switch looks in the ARP cache (not the static ARP table) for an entry that lists the MAC address for the IP address. The ARP cache maps IP addresses to MAC addresses. The cache also lists the port attached to the device and, if the entry is dynamic, the age of the entry.
Enabling Proxy ARP
Proxy ARP allows a routing switch to answer ARP requests from devices on one network on behalf of devices in another network. Since ARP requests are MAC-layer broadcasts, they reach only the devices that are directly connected to the sender of the ARP request. Thus, ARP requests do not cross routers. For example, if Proxy ARP is enabled on a routing switch connected to two subnets, 10.10.10.0/24 and 20.20.20.
Changing the TTL Threshold
The configuration of this parameter is covered in chapter 7, "Configuring IP Addressing".
Enabling Forwarding of Directed Broadcasts
A directed broadcast is an IP broadcast to all devices within a single directly-attached network or subnet. A net-directed broadcast goes to all devices on a given network. A subnet-directed broadcast goes to all devices within a given subnet.
Configuring ICMP
You can configure the following ICMP limits:
■ Burst-Normal – The maximum number of ICMP replies to send per second.
■ Reply Limit – You can enable or disable ICMP reply rate limiting.
Disabling ICMP Messages
ProCurve devices are enabled to reply to ICMP echo messages and send ICMP Destination Unreachable messages by default.
Disabling ICMP Destination Unreachable Messages
By default, when a ProCurve device receives an IP packet that the device cannot deliver, the device sends an ICMP Unreachable message back to the host that sent the packet. The following types of ICMP Unreachable messages are generated:
■ Administration – The packet was dropped by the ProCurve device due to a filter or ACL configured on the device.
Disabling ICMP Redirects
You can disable ICMP redirects on the ProCurve routing switch only on a global basis, for all of the routing switch interfaces.
Configuring Static IP Routes
Static IP Route Parameters
When you configure a static IP route, you must specify the following parameters:
■ The IP address and network mask for the route's destination network.
■ The route's path, which can be one of the following:
• The IP address of a next-hop gateway
• A "null" interface. The routing switch drops traffic forwarded to the null interface.
When you configure a static IP route, you specify the destination address for the route and the next-hop gateway or routing switch interface through which the routing switch can reach the route. The routing switch adds the route to the IP route table.
In this case, Router A knows that 207.95.6.157 is reachable through port A2, and also assumes that local interfaces within that subnet are on the same port. Router A deduces that IP interface 207.95.7.
Configuring the Default Route
You can also assign the default router as the destination by entering 0.0.0.0 0.0.0.0.
Configuring a "Null" Route
You can configure the routing switch to drop IP packets to a specific network or host address by configuring a "null" (sometimes called "null0") static route for the address. When the routing switch receives a packet destined for the address, the routing switch drops the packet instead of forwarding it.
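The route selection described in this chapter, as an added Python example (not from the manual): routes for the same destination offered by several sources are compared by administrative distance and the lowest wins; a packet's destination is then resolved by longest prefix match, with the 0.0.0.0/0 default route catching everything else and a null route dropping what it matches. The administrative-distance values are illustrative assumptions; the manual only states that the value is protocol-independent and runs from 1 to 255. Class and function names are this example's own.

```python
"""Added example (not from the ProCurve manual): best-path selection by
administrative distance, then longest-prefix lookup with default and null
routes, as a routing switch's IP route table does it."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed, illustrative administrative distances (lower wins). The manual only
# says the value is protocol-independent and ranges from 1 to 255.
ADMIN_DISTANCE = {"static": 1, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]      # None = null route: matching packets are dropped
    source: str                  # key into ADMIN_DISTANCE


class RouteTable:
    """Keeps one best route per prefix; lookup picks the most specific prefix."""

    def __init__(self) -> None:
        self._best: Dict[ipaddress.IPv4Network, Route] = {}

    def offer(self, route: Route) -> None:
        """Install the route unless a lower-distance route to the same prefix exists."""
        current = self._best.get(route.prefix)
        if current is None or ADMIN_DISTANCE[route.source] < ADMIN_DISTANCE[current.source]:
            self._best[route.prefix] = route

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest prefix match over the installed best routes."""
        addr = ipaddress.IPv4Address(dst)
        candidates = [r for r in self._best.values() if addr in r.prefix]
        return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)

    def forward(self, dst: str) -> str:
        route = self.lookup(dst)
        if route is None:
            return "unreachable"          # no route at all, not even a default
        if route.next_hop is None:
            return "drop"                 # null route
        return f"next-hop {route.next_hop} ({route.source} {route.prefix})"


def route(prefix: str, source: str, next_hop: Optional[str] = None) -> Route:
    return Route(ipaddress.IPv4Network(prefix), next_hop, source)


def build_example_table() -> RouteTable:
    """Constructed sample table (addresses from documentation ranges)."""
    table = RouteTable()
    table.offer(route("10.0.0.0/8", "rip", "192.0.2.2"))
    table.offer(route("10.0.0.0/8", "static", "192.0.2.1"))    # same prefix: lower distance wins
    table.offer(route("10.1.0.0/16", "ospf", "192.0.2.3"))     # more specific: wins by prefix length
    table.offer(route("10.1.2.0/24", "static"))                # null route: drop
    table.offer(route("0.0.0.0/0", "static", "203.0.113.1"))   # default route
    return table


if __name__ == "__main__":
    t = build_example_table()
    for dst in ("10.9.9.9", "10.1.9.9", "10.1.2.3", "198.51.100.7"):
        print(dst, "->", t.forward(dst))
```

Note the order of the two decisions: administrative distance only settles which route to keep for one prefix (the static 10.0.0.0/8 beats the RIP one), while the choice between prefixes for a given packet is by length alone, so the OSPF 10.1.0.0/16 still wins for 10.1.9.9 despite its higher distance.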
IP Routing Features Configuring RIP Configuring RIP This feature is not available on the Series 4200vl switches. This section describes how to configure RIP using the CLI interface. To display RIP configuration information and statistics, see “Displaying RIP Information” on page 11-31. Overview of RIP Routing Information Protocol (RIP) is an IP route exchange protocol that uses a distance vector (a number representing distance) to measure the cost of a given route.
Note
ICMP Host Unreachable Message for Undeliverable ARPs. If the routing switch receives an ARP request packet that it is unable to deliver to the final destination because of the ARP timeout and no ARP response is received (the routing switch knows of no route to the destination address), the routing switch sends an ICMP Host Unreachable message to the source.
Table 11-4. RIP Interface Parameters
Parameter     Description                                                          Default
RIP version   The version of the protocol that is supported on the interface.      V2-only
              The version can be one of the following:
              • Version 1 only
              • Version 2 only
              • Version 1 compatible with version 2
metric        A numeric cost the routing switch adds to RIP routes learned on      1
              the interface. This parameter applies only to RIP routes.
To enable RIP on a routing switch, enter the following commands:
ProCurve(config)# ip routing
ProCurve(config)# router rip
ProCurve(rip)# exit
ProCurve(config)# write memory
Syntax: [no] router rip
Note
IP routing must be enabled prior to enabling RIP. The first command in the preceding sequence enables IP routing.
Changing the RIP Type on a VLAN Interface
When you enable RIP on a VLAN interface, RIPv2-only is enabled by default.
Note
RIP considers a route with a metric of 16 to be unreachable. Use this metric only if you do not want the route to be used. In fact, you can prevent the switch from using a specific interface for routes learned through that interface by setting its metric to 16.
Note
Do not enable redistribution until you have configured the redistribution filters. Otherwise, the network might get overloaded with routes that you did not intend to redistribute.
Example: To configure the switch to filter out redistribution of static or connected routes on network 10.0.0.0, enter the following commands:
ProCurve(config)# router rip
ProCurve(rip)# restrict 10.0.0.0 255.0.0.
ProCurve(config)# router rip
ProCurve(rip)# redistribute connected
ProCurve(rip)# redistribute static
ProCurve(rip)# write memory
Syntax: [no] redistribute connected | static
Changing the Route Loop Prevention Method
RIP can use the following methods to prevent routing loops:
■ Split horizon - the routing switch does not advertise a route on the same interface as the one on which the routing switch learned the route.
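The three rules described in this part of the section (metric 16 as unreachable, split horizon, and the restrict filter applied before redistribution) as an added worked example in Python; this is illustrative code written for this page, not ProCurve firmware, and the interface names and prefixes are constructed.

```python
# Added example, not ProCurve code: a small RIP-style distance-vector table
# that applies the rules described above: a metric of 16 means unreachable,
# split horizon suppresses a route on the interface it was learned from, and
# a 'restrict' filter keeps matching networks out of redistribution.
from ipaddress import IPv4Network
from typing import Dict, Iterable, List, Tuple

RIP_INFINITY = 16   # RIP treats metric 16 as unreachable


class RipTable:
    def __init__(self) -> None:
        # destination network -> (metric, interface the route was learned on)
        self.routes: Dict[IPv4Network, Tuple[int, str]] = {}

    def learn(self, prefix: str, advertised_metric: int, iface: str,
              iface_metric: int = 1) -> bool:
        """Process one route from an update received on iface.
        The interface metric (default 1) is added to the advertised metric.
        Returns True when the table changed."""
        net = IPv4Network(prefix)
        metric = min(advertised_metric + iface_metric, RIP_INFINITY)
        current = self.routes.get(net)
        if metric >= RIP_INFINITY:
            # Unreachable: an interface metric of 16 discards everything heard
            # there, and a poisoned route from the neighbour that supplied the
            # current entry withdraws that entry.
            if current is not None and current[1] == iface:
                del self.routes[net]
            return False
        if current is None or metric < current[0] or current[1] == iface:
            # new destination, a better path, or an update from the current source
            self.routes[net] = (metric, iface)
            return True
        return False

    def advertise(self, out_iface: str) -> Dict[str, int]:
        """Routes to send on out_iface, applying split horizon: a route is never
        advertised back on the interface it was learned from."""
        return {str(net): metric for net, (metric, iface) in self.routes.items()
                if iface != out_iface}


def redistribute(routes: Iterable[str],
                 restrict: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the connected/static routes that are not covered by a restrict
    entry given as (network, mask), e.g. ('10.0.0.0', '255.0.0.0')."""
    blocked = [IPv4Network(f"{net}/{mask}") for net, mask in restrict]
    return [r for r in routes
            if not any(IPv4Network(r).subnet_of(b) for b in blocked)]
```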
Displaying RIP Information
All RIP configuration and status information is shown by the CLI command show ip rip and options of that command. The following RIP information can be displayed:
RIP Information Type        Page
General Information         11-31
Interface Information       11-33
Peer Information            11-34
Redistribute Information    11-36
Restrict Information        11-36
Displaying General RIP Information
To display general RIP information, enter show ip rip at any context level.
The display is a summary of Global RIP information, information about interfaces with RIP enabled, and information about RIP peers. The following fields are displayed:
■ RIP protocol – Status of the RIP protocol on the router. RIP must be enabled here and on the VLAN interface for RIP to be active. The default is disabled.
■ Auto-summary – Status of Auto-summary for all interfaces running RIP.
Displaying RIP Interface Information
To display RIP interface information, enter the show ip rip interface command at any context level. The resulting display will appear similar to the following:
Figure 11-2. Example of Show IP RIP Interface Output
See “RIP Interface Information” on the previous page for definitions of these fields.
The information in this display includes the following fields, which are defined under “RIP Interface Information” on page 11-32: IP Address, Status, Send mode, Recv mode, Metric, and Auth. The information also includes the following fields:
■ Bad packets received – The number of packets that were received on this interface and were not processed for any reason.
The resulting display will appear similar to the following:
ProCurve# show ip rip peer
RIP peer information
IP Address       Bad routes   Last update timeticks
---------------  -----------  ---------------------
100.1.0.100      0            1
100.2.0.100      0            0
100.3.0.100      0            2
100.10.0.100     0            1
Figure 11-5. Example of Show IP RIP Peer Output
This display lists all neighboring routers from which the routing switch has received RIP updates.
Displaying RIP Redistribution Information
To display RIP redistribution information, enter the show ip rip redistribute command at any context level:
ProCurve# show ip rip redistribute
RIP redistributing
Route type   Status
-----------  --------
connected    enabled
static       enabled
Figure 11-7. Example of Show IP RIP Redistribute Output
RIP automatically redistributes connected routes which are configured on interfaces that are running RIP, and all routes that are learned via RIP.
IP Routing Features Configuring OSPF
Configuring OSPF
This feature is not available on the Series 4200vl switches. This section describes how to configure OSPF using the CLI interface. To display OSPF configuration information and statistics, see “Displaying OSPF Information” on page 11-56.
Overview of OSPF
OSPF is a link-state routing protocol. The protocol uses link-state advertisements (LSA) to update neighboring routers regarding its interfaces and information on those interfaces.
An OSPF router can be a member of multiple areas. Routers with membership in multiple areas are known as Area Border Routers (ABRs). Each ABR maintains a separate topological database for each area the router is in. Each topological database contains all of the LSA databases for each router within a given area. The routers within the same area have identical topological databases.
When multiple ProCurve switches on the same network are declaring themselves as DRs, then both priority and router ID are used to select the designated router and backup designated routers. When only one router on the network claims the DR role despite neighboring routers with higher priorities or router IDs, this router remains the DR. This is also true for BDRs.
This enhancement implements the portion of RFC 2328 that describes AS External LSA reduction. This enhancement is enabled by default, requires no configuration, and cannot be disabled. OSPF eliminates duplicate AS External LSAs.
Dynamic OSPF Activation and Configuration
OSPF is automatically activated when you enable it. The protocol does not require a software reload.
Configuration Rules
■ If the switch is to operate as an ASBR, you must enable redistribution. When you do that, ASBR capability is automatically enabled.
■ All VLAN interfaces on which you wish to run OSPF must be assigned to one of the defined areas. When a VLAN interface is assigned to an area, the IP address is automatically included in the assignment.
Note
When using the CLI, you set global level parameters at the OSPF CONFIG Level of the CLI. To reach that level, make sure routing is enabled and then enter the command router ospf at the global CONFIG Level. Interface parameters for OSPF are set at the VLAN CONFIG Level using the CLI command ip ospf.
Enabling OSPF
When you enable OSPF, the protocol is automatically activated.
Example: Here is an example of the commands to set up several OSPF areas.
ProCurve(ospf)# area 192.5.1.0
ProCurve(ospf)# area 200.5.0.0
ProCurve(ospf)# area 0.0.0.0
ProCurve(ospf)# write memory
Syntax: area < num > | < ip-addr > [normal | stub < cost > [no-summary]]
The < num > | < ip-addr > parameter specifies the area number, which can be a number or in IP address format. If you specify a number, the number can be from 0 – 4,294,967,295.
Note
This feature applies only when the switch is configured as an Area Border Router (ABR) for the area. To completely prevent summary LSAs from being sent to the area, disable the summary LSAs on each OSPF router that is an ABR for the area.
Assigning VLANs to an Area
Once you define OSPF areas, you can assign VLANs to the areas. All VLANs in the switch must be assigned to one of the defined areas on an OSPF router. When a VLAN is assigned to an area, the first IP address is automatically included in the assignment. To include other IP addresses, you must enable OSPF on them separately, or use the “all” option in the assignment.
Example: To assign VLAN 8 of Switch A to area 192.5.0.
Authentication-key: OSPF supports two methods of authentication for each VLAN—simple password and MD5. In addition, the value can be set to none, meaning no authentication is performed. Only one method of authentication can be active on a subnet at a time. The default authentication value is none. The two authentication methods are configured by different commands:
■ Simple password – Use the ip ospf authentication-key command.
Assigning Virtual Links
It is highly recommended that all ABRs (area border routers) have either a direct or indirect link to the OSPF backbone area (0.0.0.0 or 0). If an ABR does not have a physical link to the area backbone, the ABR can configure a virtual link to another router within the same area, which has a physical connection to the area backbone.
Note
A backbone area can be purely virtual with no physical backbone links.
Figure 11-9. Defining OSPF virtual links within a network (diagram: 5308xl “C”, Router ID 209.157.22.1, in OSPF Area 0; a 5308xl in OSPF Area 1, the “transit area”; 5308xl “A”, Router ID 10.0.0.1, in OSPF Area 2)
Example. Figure 11-9 shows an OSPF area border router, Routing Switch-A, that is cut off from the backbone area (Area 0). To provide backbone access to Routing Switch-A, you can add a virtual link between Routing Switch-A and Routing Switch-C using Area 1 as a transit area.
To configure the virtual link on Routing Switch-C, enter the following commands:
ProCurve(ospf)# area 1 virtual-link 10.0.0.1
ProCurve(ospf)# write memory
Syntax: area | virtual-link
The area < ip-addr > | < num > parameter specifies the transit area. The parameter specifies the router ID of the OSPF router at the remote end of the virtual link. To display the router ID, enter the show ip command.
■ Simple password – Use the area | virtual-link authentication-key command. The simple password method of authentication requires you to configure an alphanumeric password on an interface. The simple password setting takes effect immediately. All OSPF packets transmitted on the interface contain this password. Any OSPF packet that is received on the interface is checked for this password.
Note
Do not enable redistribution until you have configured the redistribution filters. Otherwise, the network might get overloaded with routes that you did not intend to redistribute.
Example: To configure the switch acting as an ASBR to filter out redistribution of static or connected routes on network 10.0.0.0, enter the following commands:
ProCurve(config)# router ospf
ProCurve(ospf)# restrict 10.0.0.0 255.0.0.
Enabling Route Redistribution
Note
Do not enable redistribution until you have configured the redistribution “restrict” filters. Otherwise, the network might get overloaded with routes that you did not intend to redistribute.
To enable redistribution of connected and static IP routes into OSPF, enter the following commands.
Modifying OSPF Traps Generated
OSPF traps as defined by RFC 1850 are supported on the switches covered in this guide. OSPF trap generation is enabled by default.
OSPF Trap Name                                   MIB Object
originate-lsa-trap                               ospfOriginateLsa
originate-maxage-lsa-trap                        ospfMaxAgeLsa
link-state-database-overflow-trap                ospfLsdbOverflow
link-state-database-approaching-overflow-trap    ospfLsdbApproachingOverflow
Examples:
1. To stop an OSPF trap from being collected, use the following CLI command:
ProCurve(ospf)# no trap < ospf-trap >
2.
Displaying OSPF Information
You can use CLI commands to display the following OSPF information:
OSPF Information Type              Page
General Information                11-56
Area information                   11-58
External link state information    11-59
Interface information              11-60
Link state information             11-63
Neighbor information               11-65
Route information                  11-71
Virtual Neighbor information       11-68
Virtual Link information           11-69
Displaying General OSPF Configuration Information
To display general O
Syntax: show ip ospf general
The following fields are shown in the OSPF general status display:
Table 11-6. CLI Display of OSPF General Information
This Field...    Displays...
OSPF protocol    indicates whether OSPF is currently enabled.
Displaying OSPF Area Information
To display OSPF area information, enter show ip ospf area at any CLI level:
ProCurve> show ip ospf area
OSPF Area Information
Area ID          Type     Cost  SPFR  ABR  ASBR  LSA  Checksum
---------------  -------  ----  ----  ---  ----  ---  ----------
0.0.0.0          normal   0     1     0    0     1    0x0000781f
192.147.60.0     normal   0     1     0    0     1    0x0000fee6
192.147.80.0     stub     1     1     0    0     2    0x000181cd
Figure 11-11.
Displaying OSPF External Link State Information
To display external link state information, enter show ip ospf external-link-state at any CLI level. When you enter this command, an output similar to the following is displayed:
ProCurve# show ip ospf external-link-state
Link State ID    Router ID        Age   Sequence #   Checksum
---------------  ---------------  ----  -----------  ----------
10.3.7.0         10.0.8.37        232   0x80000005   0x0000d99f
10.3.8.0         10.0.8.37        232   0x80000005   0x0000cea9
10.3.9.
The advertise keyword displays the hexadecimal data in the specified LSA packet, the actual contents of the LSAs. This can also be filtered as above by including the link-state-id, router-id, or sequence-number options.
Syntax: show ip ospf interface [vlan < vlan-id > | < ip-addr >]
The OSPF interface display shows the following information:
Table 11-9. CLI Display of OSPF Interface Information
This Field...   Displays...
IP Address      The local IP address for this interface.
Status          enabled or disabled - whether OSPF is currently enabled on this interface.
Area ID         The ID of the area that this interface is in.
State           The current state of the interface.
Displaying OSPF Interface Information for a Specific VLAN or IP Address
To display OSPF interface information for a specific VLAN or IP address, enter show ip ospf interface < ip-addr > at any CLI level. For example:
ProCurve# show ip ospf interface 10.3.18.36
OSPF Interface Status for 10.3.18.36
IP Address : 10.3.18.36
Area ID    : 10.3.16.
State      :
Cost       :
Type       :
This Field...        Displays...
Hello Interval       Configured hello interval for this interface.
Rtr Dead Interval    Configured router dead interval for this interface.
Designated Router    IP address of the router that has been elected designated router on this interface.
Backup Desig. Rtr    IP address of the router that has been elected backup designated router on this interface.
Events               Number of times the interface state has changed.
Syntax: show ip ospf link-state
The OSPF link state display shows contents of the LSA database, one table for each area. The following information is shown:
Table 11-11. CLI Display of OSPF Link State Information
This Field...           Displays...
LSA Type                Type of LSA. The possible types are: Router, Network, Summary, AsbSummary
Link State ID           LSA ID for this LSA. The meaning depends on the LSA type.
Advertised Router ID    Router ID of the router that originated this LSA.
An example of the show ip ospf link-state advertise is:
OSPF Link State Database for Area 0.0.0.0
Advertisements
-----------------------------------------------------------------------
000202010a0008200a00082080000281a7b60054000000050a030e00ffffff0003000001...
000202010a0008210a00082180000006a5c90024010000010a0008230a03112104000002
000102010a0008230a00082380000015755d006c010000070a030600ffffff0003000001...
This display shows the following information.
Table 11-12. CLI Display of OSPF Neighbor Information
Field         Description
Router ID     The router ID of the neighbor.
Pri           The OSPF priority of the neighbor. The priority is used during election of the Designated Router (DR) and Backup Designated Router (BDR).
IP Address    The IP address of this routing switch’s interface with the neighbor.
NbIfState     The neighbor interface state.
Displaying OSPF Redistribution Information
As described under “Enabling Route Redistribution” on page 11-53, you can configure the routing switch to redistribute connected and static routes into OSPF. When you redistribute a route into OSPF, the routing switch can use OSPF to advertise the route to its OSPF neighbors.
This display shows the configured restrict entries.
Displaying OSPF Virtual Neighbor Information
To display OSPF virtual neighbor information, enter show ip ospf virtual-neighbor at any CLI level.
OSPF Virtual Interface Neighbor Information
Router ID        Area ID          State     IP Address       Events
---------------  ---------------  --------  ---------------  ------
10.0.8.33        10.3.16.0        FULL      10.3.17.33       5
10.0.8.36        10.3.16.0        FULL      10.3.18.36       5
Figure 11-21.
Displaying OSPF Virtual Link Information
To display OSPF virtual link information, enter show ip ospf virtual-link at any CLI level.
ProCurve# show ip ospf virtual-link
OSPF Virtual Interface Status
Transit AreaID   Neighbor Router   Authentication   Interface State
---------------  ----------------  ---------------  ---------------
10.3.16.0        10.0.8.33         none             P2P
10.3.16.0        10.0.8.36         none             P2P
Figure 11-22.
Example: To get OSPF virtual link information for IP address 10.0.8.33, enter show ip ospf virtual-link 10.0.8.33. A display similar to the following is shown.
ProCurve# show ip ospf virtual-link 10.0.8.33
OSPF Virtual Interface Status for interface 10.0.8.33
Transit AreaID   : 10.3.16.0
Neighbor Router  : 10.0.8.33
Authentication   : none
Interface State  : P2P
Events           : 1
Transit Delay    : 1
Rtr Interval     : 5
Hello Interval   : 10
Dead Interval    : 40
Figure 11-23.
Displaying OSPF Route Information
To display OSPF route and other OSPF configuration information, enter show ip ospf at any CLI level:
ProCurve# show ip ospf
OSPF Configuration Information
OSPF protocol : enabled
Router ID     : 10.0.8.35
Currently defined areas:
Area ID
---------------
backbone
10.3.16.0
10.3.32.
Syntax: show ip ospf
This screen has a lot of information, most of it already covered in other show commands. The following table shows definitions for the fields:
Table 11-16. CLI Display of OSPF Route and Status Information
Field           Description
OSPF protocol   enabled or disabled – indicates if OSPF is currently enabled.
Router ID       The Router ID that this routing switch is currently using to identify itself.
OSPF Equal-Cost Multipath (ECMP) for Different Subnets Available Through the Same Next-Hop Routes
Using software prior to release E.10.xx, if different subnet destinations in an OSPF network are reachable through a set of equal-cost next-hop routes, the router chooses the same next-hop route for traffic to all of these destinations. Beginning with software release E.10.
Table 11-17. Example of a Routing Table for the Network in Figure 11-25
Destination Subnet   Router “A” Next Hop
10.1.0.0/16          Router “C”
10.2.0.0/16          Router “D”
10.3.0.0/16          Router “B”
10.32.0.0/16         Router “B”
10.42.0.0/16         Router “D”
Note that IP load-sharing does not affect routed traffic to different hosts on the same subnet. That is, all traffic for different hosts on the same subnet will go through the same next-hop router. For example, if subnet 10.32.0.
ProCurve Switch 5304XL(config)# show running
Running configuration:
; J4850A Configuration Editor; Created on release #E.10.00
hostname "ProCurve Switch 5304xl"
module 1 type J4820A
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged A1-A24
   ip address dhcp-bootp
(Figure callout: Indicates a non-default IP load-sharing configuration allowing three equal-cost next-hop paths for routed traffic with different subnet destinations.)
IP Routing Features Configuring IRDP
Configuring IRDP
The ICMP Router Discovery Protocol (IRDP) is used by ProCurve routing switches to advertise the IP addresses of its router interfaces to directly attached hosts. IRDP is enabled by default. You can enable the feature on a global basis or on an individual VLAN interface basis. When IRDP is enabled, the routing switch periodically sends Router Advertisement messages out the IP interfaces on which the feature is enabled.
messages from other routers at the same time. The interval on each IRDP-enabled routing switch interface is independent of the interval on other IRDP-enabled interfaces. The default maximum message interval is 600 seconds. The default minimum message interval is 450 seconds.
■ Preference - If a host receives multiple Router Advertisement messages from different routers, the host selects the router that sent the message with the highest preference as the default gateway.
for the routing switch to the hold time specified in the new advertisement. If the hold time of an advertisement expires, the host discards the advertisement, concluding that the router interface that sent the advertisement is no longer available. The value must be greater than the value of the maxadvertinterval parameter and cannot be greater than 9000. The default is three times the value of the maxadvertinterval parameter.
IP Routing Features Configuring DHCP Relay
Configuring DHCP Relay
Overview
The Dynamic Host Configuration Protocol (DHCP) is used for configuring hosts with an IP address and other configuration parameters without human intervention. The protocol is composed of three components: the DHCP client, the DHCP server, and the DHCP relay agent.
operation by enabling the routing switch to append an Option 82 field to such client requests. This field includes two suboptions for identifying the routing switch (by MAC address or IP address) and the routing switch port the client is using to access the network.
Option 82 Server Support
To apply DHCP Option 82, the routing switch must operate in conjunction with a server that supports Option 82. (DHCP servers that do not support Option 82 typically ignore Option 82 fields.) Also, the routing switch applies Option 82 functionality only to client request packets being routed to a DHCP server. DHCP relay with Option 82 does not apply to switched (non-routed) client requests.
DHCP relay agent: See Relay Agent.
Forwarding Policy: The Option 82 method the routing switch uses to process incoming client DHCP requests. For a given inbound DHCP client request, the forwarding policy determines whether the routing switch will add Option 82 information, replace existing Option 82 information, or leave any existing information unchanged.
General DHCP-Relay Operation with Option 82. Typically, the first (primary) Option 82 relay agent to receive a client’s DHCP request packet appends an Option 82 field to the packet and forwards it toward the DHCP server identified by the IP Helper address configured on the VLAN in which the client packet was received.
■ Remote ID: This configurable subfield identifies a policy area that comprises either the routing switch as a whole (by using the routing switch MAC address) or an individual VLAN configured on the routing switch (by using the IP address of the VLAN receiving the client request).
• Use the IP address option if the server will apply different IP addressing policies to DHCP client requests from ports in different VLANs on the same routing switch.
the sequential index number for that port position in the slot. (To view the Index number assignments for ports in the routing switch, use the walkmib ifname command.) For example, the circuit ID for a client connected to port 11 on a ProCurve 2650-PWR (J8165A) switch is “11”. However, the Circuit ID for port B11 on a ProCurve 5304xl (J4850A) is “37”. (See Figure 11-31, below.
Forwarding Policies
DHCP Option 82 on ProCurve switches offers four forwarding policies, with an optional validation of server responses for three of the policy types (append, replace, or drop).
Table 11-18.
Option 82 Configuration: Drop
DHCP Client Request Packet Inbound to the Routing Switch:
Packet has no Option 82 field: Append an Option 82 field.
Packet includes an Option 82 field: Drop causes the routing switch to drop an inbound client request with an Option 82 field already appended. If no Option 82 fields are present, drop causes the routing switch to add an Option 82 field and forward the request.
Figure 11-33. Example Configured To Allow Multiple Relay Agents To Contribute an Option 82 Field (diagram: Client; Relay Agent “A” with VLAN 20 and VLAN 10, policy DROP; Relay Agent “B” with VLAN 20 and VLAN 30, policy APPEND; Relay Agent “C” with VLAN 10 and VLAN 20, policy APPEND; DHCP Option 82 Server)
This is an enhancement of the previous example. In this case, each hop for an accepted client request adds a new Option 82 field to the request.
With validation enabled, the relay agent applies stricter rules to variations in the Option 82 field(s) of incoming server responses to determine whether to forward the response to a downstream device or to drop the response due to invalid (or missing) Option 82 information. Table 11-18, below, illustrates relay agent management of DHCP server responses with optional validation enabled and disabled.
Table 11-19.
Multinetted VLANs
On a multinetted VLAN, each interface can form an Option 82 policy boundary within that VLAN if the routing switch is configured to use IP for the remote ID suboption.
Configuring Option 82 Operation on the Routing Switch
Syntax: dhcp-relay option 82 < append [validate] | replace [validate] | drop [validate] | keep > [ip | mac]
append: Configures the routing switch to append an Option 82 field to the client DHCP packet. If the client packet has any existing Option 82 field(s) assigned by another device, then the new field is appended to the existing field(s).
keep: For any client DHCP packet received with existing Option 82 field(s), configures the routing switch to forward the packet as-is, without replacing or adding to the existing Option 82 field(s).
[ validate ]: This option operates when the routing switch is configured with append, replace, or drop as a forwarding policy.
■ The IP address of the primary DHCP relay agent receiving a client request packet is automatically added to the packet, and is identified as the giaddr (gateway interface address). (That is, the giaddr is the IP address of the VLAN on which the request packet was received from the client.) For more information, refer to RFC 2131 and RFC 3046.
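The four forwarding policies (append, replace, drop, keep), the mac/ip remote ID choice and the giaddr rule from the passages above, as an added worked example in Python. This is illustrative code written for this page, not ProCurve firmware; the sub-option encoding and the behaviour of keep when no Option 82 field is present are assumptions, and the addresses and MAC are constructed.

```python
# Added example, not ProCurve code: a model of the DHCP relay Option 82
# forwarding policies (append / replace / drop / keep) and the giaddr rule
# described above. Sub-option encodings and the 'keep' behaviour when no
# Option 82 field is present are assumptions made for this example.
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

OPTION_82 = 82        # DHCP relay agent information option (RFC 3046)
SUB_CIRCUIT_ID = 1    # RFC 3046 sub-option: agent circuit ID (the switch port)
SUB_REMOTE_ID = 2     # RFC 3046 sub-option: agent remote ID (switch MAC or VLAN IP)


@dataclass
class DhcpRequest:
    """Only the parts of a DHCP client request this model needs."""
    giaddr: IPv4Address = IPv4Address("0.0.0.0")
    options: List[Tuple[int, bytes]] = field(default_factory=list)


def build_option82(port_index: int, remote_id: bytes) -> bytes:
    """Encode the Option 82 value as RFC 3046 sub-option TLVs.
    Assumption: the circuit ID carries the port's index as a 2-byte big-endian number."""
    circuit = struct.pack("!H", port_index)
    return (bytes([SUB_CIRCUIT_ID, len(circuit)]) + circuit
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)


def parse_option82(value: bytes) -> Dict[int, bytes]:
    """Decode Option 82 sub-option TLVs into {sub_option_code: bytes}."""
    subs, i = {}, 0
    while i + 2 <= len(value):
        code, length = value[i], value[i + 1]
        subs[code] = value[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def remote_id_for(mode: str, switch_mac: bytes, vlan_ip: IPv4Address) -> bytes:
    """'mac' makes the whole switch one policy area; 'ip' makes each VLAN one."""
    if mode == "mac":
        return switch_mac
    if mode == "ip":
        return vlan_ip.packed
    raise ValueError(f"unknown remote-id mode {mode!r}")


def relay_client_request(req: DhcpRequest, policy: str, mode: str,
                         switch_mac: bytes, vlan_ip: IPv4Address,
                         port_index: int) -> Optional[DhcpRequest]:
    """Apply the configured forwarding policy to an inbound client request.
    Returns the packet to forward toward the helper address, or None if dropped."""
    has_82 = any(code == OPTION_82 for code, _ in req.options)
    new_82 = (OPTION_82,
              build_option82(port_index, remote_id_for(mode, switch_mac, vlan_ip)))

    if policy == "drop":
        # a request already carrying Option 82 is discarded; otherwise tag and forward
        if has_82:
            return None
        options = req.options + [new_82]
    elif policy == "append":
        # add our field after any existing ones (multi-hop relay chains)
        options = req.options + [new_82]
    elif policy == "replace":
        # discard any earlier Option 82 fields and insert only ours
        options = [o for o in req.options if o[0] != OPTION_82] + [new_82]
    elif policy == "keep":
        # existing fields are forwarded untouched; assumption: add one when none exists
        options = req.options if has_82 else req.options + [new_82]
    else:
        raise ValueError(f"unknown policy {policy!r}")

    # The primary relay agent sets giaddr to the receiving VLAN's address
    # (RFC 2131); a later hop leaves an already-set giaddr alone.
    giaddr = req.giaddr if int(req.giaddr) != 0 else vlan_ip
    return DhcpRequest(giaddr=giaddr, options=options)
```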
DHCP Packet Forwarding
The DHCP relay agent on the routing switch forwards DHCP client packets to all DHCP servers that are configured in the table administrated for each VLAN.
Unicast Forwarding
The packets are forwarded using unicast forwarding if the IP address of the DHCP server is a specific host address. The DHCP relay agent sets the destination IP address of the packet to the IP address of the DHCP server and forwards the message.
Configuring a Helper Address
At the VLAN configuration CLI context level, enter the commands to add the DHCP server’s IP address to the VLAN’s list.
Listing the Currently Configured DHCP Helper Addresses.
Syntax: show ip helper-address < vlan-id >
This command shows the currently configured IP Helper addresses, regardless of whether DHCP-Relay is enabled. For example:
Figure 11-36.
IP Routing Features UDP Broadcast Forwarding on 5300xl, 4200vl and 3400cl Switches
UDP Broadcast Forwarding on 5300xl, 4200vl and 3400cl Switches
Overview
Some applications rely on client requests sent as limited IP broadcasts addressed to a UDP application port. If a server for the application receives such a broadcast, the server can reply to the client.
For example, VLAN 1 (15.75.10.1) is configured to forward inbound UDP packets as shown in table 11-20:
Table 11-20. Example of a UDP Packet-Forwarding Environment
Interface   IP Address   Subnet Mask     Forwarding Address   UDP Port   Notes
VLAN 1      15.75.10.1   255.255.255.0   15.75.11.43          1188
                                         15.75.11.255         1812
                                         15.75.12.
Configuring and Enabling UDP Broadcast Forwarding
To configure and enable UDP broadcast forwarding on the switch:
1. Enable routing.
2. Globally enable UDP broadcast forwarding.
3. On a per-VLAN basis, configure a forwarding address and UDP port type for each type of incoming UDP broadcast you want routed to other VLANs.
— Continued from the preceding page. —
< ip-address >: This can be either of the following:
• The unicast address of a destination server on another subnet. For example: 15.75.10.43.
• The broadcast address of the subnet on which a destination server operates. For example, the following address directs broadcasts to all hosts in the 15.75.11.0 subnet: 15.75.11.255.
Displaying the Current IP Forward-Protocol Configuration
Syntax: show ip forward-protocol [ vlan < vid >]
Displays the current status of UDP broadcast forwarding and lists the UDP forwarding address(es) configured on all static VLANs in the switch or on a specific VLAN.
Operating Notes for UDP Broadcast Forwarding
Maximum Number of Entries. The number of UDP broadcast entries and IP helper addresses combined can be up to 16 per VLAN, with an overall maximum of 256 on the switch. (IP helper addresses are used with the switch’s DHCP Relay operation. For more information, refer to “Configuring DHCP Relay” on page 11-79.
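The three configuration steps, the two kinds of forwarding address, and the 16-per-VLAN / 256-per-switch limit described above, as an added worked example in Python. This is illustrative code written for this page, not ProCurve firmware; it uses the Table 11-20 addresses plus constructed ones, and treating the VLAN's own directed broadcast as eligible alongside the limited broadcast is an assumption.

```python
# Added example, not ProCurve code: a model of the per-VLAN UDP broadcast
# forwarding table that the three configuration steps above build, with the
# limit of 16 entries per VLAN (shared with DHCP helper addresses) and 256 on
# the switch. Treating the VLAN's own directed broadcast as eligible, in
# addition to the limited broadcast, is an assumption of this model.
from ipaddress import IPv4Address, IPv4Interface
from typing import Dict, List, Tuple

MAX_ENTRIES_PER_VLAN = 16
MAX_ENTRIES_PER_SWITCH = 256
LIMITED_BROADCAST = IPv4Address("255.255.255.255")


class UdpBroadcastForwarder:
    def __init__(self) -> None:
        self.routing_enabled = False        # step 1: ip routing
        self.forwarding_enabled = False     # step 2: global UDP broadcast forwarding
        self.vlans: Dict[int, IPv4Interface] = {}
        self.helpers: Dict[int, List[IPv4Address]] = {}               # DHCP relay helper addresses
        self.entries: Dict[int, List[Tuple[IPv4Address, int]]] = {}  # (forwarding address, UDP port)

    def add_vlan(self, vid: int, address: str) -> None:
        self.vlans[vid] = IPv4Interface(address)
        self.helpers.setdefault(vid, [])
        self.entries.setdefault(vid, [])

    def _check_room(self, vid: int) -> None:
        # UDP forwarding entries and IP helper addresses share the per-VLAN limit
        per_vlan = len(self.entries[vid]) + len(self.helpers[vid])
        if per_vlan >= MAX_ENTRIES_PER_VLAN:
            raise ValueError(f"VLAN {vid}: limit of {MAX_ENTRIES_PER_VLAN} entries reached")
        total = (sum(len(e) for e in self.entries.values())
                 + sum(len(h) for h in self.helpers.values()))
        if total >= MAX_ENTRIES_PER_SWITCH:
            raise ValueError(f"switch limit of {MAX_ENTRIES_PER_SWITCH} entries reached")

    def add_helper(self, vid: int, address: str) -> None:
        """An IP helper address on the VLAN; counts against the same limit."""
        self._check_room(vid)
        self.helpers[vid].append(IPv4Address(address))

    def add_forward(self, vid: int, address: str, udp_port: int) -> None:
        """Step 3: a forwarding address (a unicast server or a subnet's
        broadcast address) for one UDP port on the VLAN."""
        self._check_room(vid)
        self.entries[vid].append((IPv4Address(address), udp_port))

    def forward(self, vid: int, dst: str, udp_port: int) -> List[str]:
        """Addresses an inbound UDP packet on vid is routed to; [] if not forwarded."""
        if not (self.routing_enabled and self.forwarding_enabled):
            return []
        eligible = (LIMITED_BROADCAST, self.vlans[vid].network.broadcast_address)
        if IPv4Address(dst) not in eligible:
            return []   # unicast traffic is ordinary routing, not broadcast forwarding
        return [str(addr) for addr, port in self.entries[vid] if port == udp_port]
```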
IP Routing Features Configuring Static Network Address Translation (NAT) for Intranet Applications on the 5300xl Switches
Configuring Static Network Address Translation (NAT) for Intranet Applications on the 5300xl Switches
This section applies only to the ProCurve Series 5300xl switches.
table the switch maintains when NAT is configured. Note also that static NAT operates at the layer 3 level. IP addresses embedded in layers 4 - 7, as is the case with some applications, are not translated by static NAT.

Static NAT Operating Rules
■ Uses one-to-one IP address mapping.
■ Static NAT does not provide TCP/UDP port number translation.
■ Static NAT is not intended to support a large number of clients.
■ Static NAT is not a security application and should not be considered as a substitute for a firewall.

Example. This example uses the topology in figure 11-39 on page 11-103:
■ The switch is connected to the corporate intranet through VLAN 100 (IP address: 15.33.235.1).
■ The three devices are configured on VLAN 101 in the corporation’s “private” region (IP address: 10.10.10.1) with these IP addresses: A. 10.10.10.11 B. 10.10.10.12 C. 10.10.10.

Displaying Static NAT Statistics and Configuration

Syntax: show ip nat
Displays the current IP NAT static configuration in the running-config file and the current IP NAT counters.
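The operating rules above (one-to-one mapping, layer 3 only, no port translation) are easiest to see in a model that rewrites only the IP header. The following Python is an added example, not the switch's implementation: the StaticNat class and the packet dictionary shape are illustrative, hosts A and B come from the example above, and their intranet-side addresses and the sample packet are constructed placeholders.

```python
import ipaddress
import re

DOTTED_QUAD = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class StaticNat:
    """One-to-one, layer-3-only static NAT as the rules above describe it. This is an
    added model for illustration, not the switch's implementation."""

    def __init__(self, mappings):
        """mappings: {private address: intranet address}. Both directions must be unique."""
        self.inside_to_outside = {}
        self.outside_to_inside = {}
        for inside, outside in mappings.items():
            i, o = ipaddress.IPv4Address(inside), ipaddress.IPv4Address(outside)
            if i in self.inside_to_outside or o in self.outside_to_inside:
                raise ValueError(f"{inside} -> {outside} breaks the one-to-one mapping rule")
            self.inside_to_outside[i] = o
            self.outside_to_inside[o] = i

    def translate_outbound(self, pkt):
        """Private VLAN to intranet: rewrite only the IP header source. Ports and
        payload are untouched; a host without a static entry is not translated."""
        mapped = self.inside_to_outside.get(ipaddress.IPv4Address(pkt["src"]))
        return None if mapped is None else {**pkt, "src": str(mapped)}

    def translate_inbound(self, pkt):
        """Intranet to private VLAN: rewrite only the IP header destination."""
        mapped = self.outside_to_inside.get(ipaddress.IPv4Address(pkt["dst"]))
        return None if mapped is None else {**pkt, "dst": str(mapped)}

    def leaked_private_addresses(self, pkt):
        """Private addresses that remain in the payload after translation. Static NAT
        does not look into layers 4-7, so applications that embed their address there
        will not work through it; flagging them up front avoids a confusing outage."""
        return [a for a in DOTTED_QUAD.findall(pkt["payload"])
                if ipaddress.IPv4Address(a) in self.inside_to_outside]


# Hosts A and B from the example above, on VLAN 101. Their intranet-side addresses
# are constructed placeholders in VLAN 100's range; the page does not show them.
EXAMPLE_MAPPINGS = {"10.10.10.11": "15.33.235.11", "10.10.10.12": "15.33.235.12"}

# Constructed packet: a SIP-style message that repeats the sender's address in the body.
EXAMPLE_PACKET = {"src": "10.10.10.11", "dst": "15.33.200.5", "sport": 5060, "dport": 5060,
                  "payload": "Contact: <sip:alice@10.10.10.11:5060>"}


if __name__ == "__main__":
    nat = StaticNat(EXAMPLE_MAPPINGS)
    out = nat.translate_outbound(EXAMPLE_PACKET)
    print("header after NAT:", out["src"], "->", out["dst"],
          "ports unchanged:", out["sport"], out["dport"])
    print("private addresses still in payload:", nat.leaked_private_addresses(out))
```

The leaked_private_addresses check is the practical consequence of the "layer 3 only" rule: the header source becomes 15.33.235.11, but the 10.10.10.11 inside the SIP Contact header is still there, which is why the rules also say static NAT is not a substitute for a firewall.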
12 Router Redundancy Using XRRP Contents Introduction to XRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3 Overview of XRRP Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-5 XRRP During Normal Router Operation . . . . . . . . . . . . . . . . . . . . . . . 12-6 XRRP Fail-Over Operation . . . . . . . . . . . . . . . . . . . .
Router Redundancy Using XRRP Contents Comparison Between XRRP and VRRP . . . . . . . . . . . . . . . . . . . . . . . . 12-31 Messages Related to XRRP Operation . . . . . . . . . . . . . . . . . . . . . . . .
Router Redundancy Using XRRP Introduction to XRRP Introduction to XRRP XRRP does not apply to the Series 4200vl switches. XRRP (XL Router Redundancy Protocol) provides router redundancy, or failover, to a backup router in case one fails. XRRP is similar to the industry standard VRRP (Virtual Router Redundancy Protocol), although the details of the operation are different.
■ Fail-Back Router: In a given protection domain, this is the XRRP-enabled router that takes over the routing functions transferred from its XRRP peer in the domain when the peer loses access to one or more of its XRRP VLANs. The fail-back router must have access to all of its XRRP VLANs at the time of the fail-over. See also Fail-Over Router.
Router Redundancy Using XRRP Overview of XRRP Operation Overview of XRRP Operation XRRP allows you to configure pairs of switches to behave as backup routers for each other. Each pair of routers configured to operate this way is defined as a protection domain. (You can use the switches covered in this manual in any combination to create a protection domain.
Router Redundancy Using XRRP Overview of XRRP Operation XRRP During Normal Router Operation For each router, XRRP defines a virtual router, using the IP address that you have configured on the router interface, and for which XRRP assigns a virtual MAC address based on the Protection Domain ID and the XRRP router number of the router that owns the interface.
XRRP Fail-Over Operation

If all access to a VLAN from one of the routers in the Protection Domain fails, the routing function of that router is automatically transferred to the other router in the Protection Domain. The master of the virtual router in the Protection Domain sends out multicast advertisements at the XRRP advertisement interval (every 5 seconds by default).

Note: Figure 12-3 shows a single interface on VLAN 5, but multiple interfaces could exist. For the fail-over to occur, Router-2 must have lost communication on all the VLAN 5 interfaces. When the fail-over occurs, Router-1 would take over as the Master of the IP address for Router-2 on VLAN 5. If Router-2 has multiple IP addresses on VLAN 5, a multinet situation, Router-1 takes over all the IP addresses for Router-2 on VLAN 5.

Fast Fail-Over. As shown in figure 12-4, if the same link goes down as was shown in figure 12-3, the standard fail-over does not occur. As soon as Router-2 detects the loss of link signal from any device in VLAN 5, it immediately requests, through VLAN 6, that Router-1 take over all of its virtual router resources. This function is referred to as “fast fail-over”.

Standard Fail-Over. In the multiple-VLAN situation in which all communication between the routers in the Protection Domain is lost, the standard XRRP fail-over occurs. As shown in figure 6, Router-2 has lost communications on all of its XRRP virtual router interfaces. In this case, Router-1 will no longer hear XRRP packets coming from Router-2.
Router Redundancy Using XRRP Overview of XRRP Operation If Communication is Maintained Through Non-XRRP Interfaces.
Router Redundancy Using XRRP Overview of XRRP Operation The Solution. Beginning with software release E.09.05, you can optionally configure XRRP infinite fail-back, which blocks automatic fail-back as long as the fail-back router continues XRRP operation with at least one of its XRRP VLANs remaining up. In this mode, the fail-back router maintains “permanent” primary and secondary address control.
Figure 12-6. Fail-Over Operation with Infinite Fail-Back Enabled (figure: Router “A” and Router “B” form an XRRP Protection Domain, each connected through a Layer 2 switch to servers)
Router Redundancy Using XRRP Overview of XRRP Operation Router Operation in the Infinite Fail-Back Mode An XRRP router with permanent (primary and secondary) address control and infinite fail-back enabled will not surrender permanent control (fail-back) to a recovered fail-over router except as described below.
Router Redundancy Using XRRP Overview of XRRP Operation Enabling Infinite Fail-Back in a Protection Domain As described in the chapter titled “Router Redundancy Using XRRP” in the Advanced Traffic Management Guide for your router, both router peers in a protection domain must have identical network access so that each can get to all the same subnets and the same end nodes without going through each other. 1. Before enabling infinite fail-back, configure XRRP on both routers in the protection domain.
Router Redundancy Using XRRP Overview of XRRP Operation Displaying the Infinite Fail-Back Configuration Syntax: show xrrp config global Indicates the router’s global XRRP configuration, including infinite fail-back status. Infinite failback status in a router configured for XRRP operation. When this shows Enabled, automatic fail-back does not operate and it is necessary to use the xrrp ctrl-transfer command to initiate a fail-back.
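The fail-over and fail-back rules described in this section (fast fail-over through a surviving XRRP VLAN, standard fail-over when the peer stops hearing advertisements, automatic fail-back, and infinite fail-back released only by xrrp ctrl-transfer) can be exercised in a small state model. The following Python is an added example and not ProCurve code; the XrrpDomain class, the rule that fail-back waits until all of the recovered router's XRRP VLANs are up, and the three-interval standard fail-over delay are assumptions, while the 5-second advertisement interval and the Router-1/Router-2 VLAN 5/VLAN 6 layout are taken from the text above.

```python
class XrrpDomain:
    """Two-router XRRP Protection Domain. Added model of the fail-over and fail-back
    rules described above; it is not the switch firmware. Each router owns one
    virtual router per XRRP VLAN, and a fail-over moves all of a router's virtual
    routers to its peer at once."""

    ADVERTISE_INTERVAL = 5                      # seconds, the manual's default
    # The manual does not say how many advertisements must be missed before the
    # peer performs a standard fail-over; three intervals is an assumption used
    # only for the delay this model reports.
    STANDARD_FAILOVER_DELAY = 3 * ADVERTISE_INTERVAL

    def __init__(self, vlans, infinite_failback=False):
        self.routers = ("Router-1", "Router-2")
        self.vlans = list(vlans)
        self.links = {r: {v: True for v in self.vlans} for r in self.routers}
        # (owner router, vid) -> router currently acting as master for that instance
        self.master = {(r, v): r for r in self.routers for v in self.vlans}
        self.infinite_failback = infinite_failback
        self.events = []

    def peer(self, router):
        return self.routers[1] if router == self.routers[0] else self.routers[0]

    def _set_master(self, owner, new_master, why):
        for v in self.vlans:
            self.master[(owner, v)] = new_master
        self.events.append(f"{why}: {new_master} masters all of {owner}'s virtual routers")

    def link_down(self, router, vid):
        """Router loses every interface it has in one XRRP VLAN."""
        self.links[router][vid] = False
        if self.master[(router, vid)] != router:
            return None                          # already failed over
        peer = self.peer(router)
        # Fast fail-over: some other XRRP VLAN still connects the two routers, so the
        # router immediately asks its peer to take over all of its virtual routers.
        if any(self.links[router][v] and self.links[peer][v] for v in self.vlans):
            self._set_master(router, peer, "fast fail-over")
            return ("fast", 0)
        # Standard fail-over: no path remains and the peer stops hearing advertisements.
        self._set_master(router, peer, "standard fail-over")
        return ("standard", self.STANDARD_FAILOVER_DELAY)

    def router_down(self, router):
        """Complete router failure: all XRRP VLANs are lost at once."""
        for v in self.vlans:
            self.links[router][v] = False
        if all(self.master[(router, v)] != router for v in self.vlans):
            return None
        self._set_master(router, self.peer(router), "standard fail-over")
        return ("standard", self.STANDARD_FAILOVER_DELAY)

    def link_up(self, router, vid):
        """Link restored. Automatic fail-back is modelled once every XRRP VLAN of the
        recovered router is up again (assumption), unless infinite fail-back is on and
        the router holding control still has at least one XRRP VLAN up."""
        self.links[router][vid] = True
        if not all(self.links[router].values()):
            return False
        if self.master[(router, vid)] == router:
            return False
        holder = self.peer(router)
        if self.infinite_failback and any(self.links[holder].values()):
            self.events.append(f"fail-back blocked: {holder} keeps permanent control")
            return False
        self._set_master(router, router, "automatic fail-back")
        return True

    def ctrl_transfer(self, router):
        """Manual fail-back (xrrp ctrl-transfer): hand control of router's virtual
        routers back to it, provided all of its XRRP VLANs are up."""
        if not all(self.links[router].values()):
            return False
        if all(self.master[(router, v)] == router for v in self.vlans):
            return False
        self._set_master(router, router, "manual fail-back")
        return True


if __name__ == "__main__":
    domain = XrrpDomain([5, 6], infinite_failback=True)
    domain.link_down("Router-2", 5)      # fast fail-over via VLAN 6
    domain.link_up("Router-2", 5)        # blocked: infinite fail-back
    domain.ctrl_transfer("Router-2")     # operator-initiated fail-back
    print("\n".join(domain.events))
```

The run above reproduces the infinite fail-back scenario: after the fast fail-over Router-1 keeps permanent control when VLAN 5 comes back, and only the operator's ctrl-transfer returns the virtual routers to Router-2, which is the point of enabling the feature when the reason for the outage is not yet understood.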
XRRP Operating Notes
■ Reserved Multicast MAC Address – XRRP uses the following multicast MAC address for its protocol packets: 0101-E794-0640
■ Use of Proxy ARP on non-XRRP VLANs – Although it is not disallowed, you should not configure Proxy ARP on non-XRRP VLANs on a router running XRRP. Doing so can cause loss of connectivity on those non-XRRP VLANs should the router fail over to the other router in the Protection Domain.
Router Redundancy Using XRRP Overview of XRRP Operation ■ Multiple VLAN Considerations – When using multiple VLANs, some consideration must be given to whether the router interfaces are connected to devices that have a multiple forwarding database (a MAC address table for each VLAN): • If the switch at the other end of a router interface connection has a multiple forwarding database, you can use a separate interface for each VLAN.
The ProCurve switches having a multiple forwarding database are shown in Table 12-1.

Table 12-1.

Figure 12-9. (figure: a Switch 8000M and a 5300xl, 3400cl, or 6400cl switch with routing enabled; ports A1 and C1 belong to both VLAN 1 and VLAN 2; PC “A” is on VLAN 1 and PC “B” on VLAN 2; one switch has a single forwarding database and the other has multiple forwarding databases)
Router Redundancy Using XRRP Configuring XRRP Syntax: xrrp domain < 1-16 > no xrrp xrrp [ router < 1-2 >] xrrp failback < 10-999 > xrrp trap < trap-name | all > xrrp instance < owner-router-number > < vlan-id > [advertise < 1-60 > | authentication < auth-string > | ip < ip-addr/mask-length >] xrrp domain < 1-16 > This command sets the XRRP Protection Domain that the router is in. The router can be in only one domain. The default value is 1.
Router Redundancy Using XRRP Configuring XRRP master-transition – signifies that the router state has changed specifically to the master state. The trap sent would contain the domain-number, router-number, and state information. authentication-failure – signifies that the virtual router instance has received an XRRP packet with an authentication mismatch.
Please see the configuration examples on page 12-25 to help clarify these concepts.
• If a VLAN has multiple IP addresses (a multinet situation), an individual IP address can be removed from the XRRP configuration. To remove an IP address from fail-over protection by the router being configured, use the no version of the instance command.
Router Redundancy Using XRRP Configuring XRRP Configuration Rules ■ XRRP can be configured only on statically configured IP VLANs. VLANs automatically created by GVRP cannot be used. ■ XRRP cannot be configured on the management VLAN or on any VLAN that gets its IP address through DHCP or Bootp. ■ XRRP must be disabled before the Protection Domain number or the router number configuration can be changed. Use the no xrrp command to disable XRRP.
Router Redundancy Using XRRP Configuring XRRP Configuration Examples The following configuration examples create the XRRP setups in the single VLAN and multiple VLAN environments shown in the figures earlier in this chapter. Configuration for Figure 12-2 – Single VLAN Example See the figure on page 12-6. Router-1 Configuration Explanation ProCurve (vlan-5)# ip address 10.1.1.1/24 Configures the IP address of the router interface in VLAN 5.
Router Redundancy Using XRRP Configuring XRRP Configuration for Figure 12-4 – Multiple VLANs See the figure on page 12-9. Router-1 Configuration Explanation ProCurve (vlan-5)# ip address 10.1.1.1/24 Configures the IP address of the router interface in VLAN 5. ProCurve (vlan-6)# ip address 10.2.1.1/24 Configures the IP address of the router interface in VLAN 6. ProCurve (config)# xrrp domain 2 Sets the identity of the Protection Domain. ProCurve (config)# xrrp router 1 Sets the XRRP router number.
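The command ranges, the Configuration Rules and the requirement that both peers agree on the configuration can be enforced before the commands are typed. The following Python is an added example and not ProCurve code: the dictionary shapes for a router configuration and its VLANs are hypothetical, Router-1's values come from the figure 12-4 example above, and the authentication strings and Router-2's addresses are constructed placeholders.

```python
import ipaddress

# Value ranges from the command syntax: xrrp domain <1-16>, xrrp router <1-2>,
# xrrp failback <10-999>, xrrp instance ... advertise <1-60>.
RANGES = {"domain": (1, 16), "router": (1, 2), "failback": (10, 999), "advertise": (1, 60)}


def _in_range(name, value):
    lo, hi = RANGES[name]
    return lo <= value <= hi


def validate_router(cfg, vlans):
    """Check one router's XRRP configuration against the Configuration Rules.
    cfg and vlans use a hypothetical dictionary shape (not the switch's own data):
      cfg   = {"domain": int, "router": int, "failback": int or None,
               "instances": [{"vlan": vid, "ip": "addr/len", "auth": str, "advertise": int}]}
      vlans = {vid: {"addresses": ["addr/len", ...], "static": bool, "gvrp": bool,
                     "management": bool, "dhcp": bool}}
    Returns a list of error strings; an empty list means the configuration passes."""
    errors = []
    for key in ("domain", "router"):
        if not _in_range(key, cfg[key]):
            errors.append(f"{key} {cfg[key]} is outside {RANGES[key]}")
    if cfg.get("failback") is not None and not _in_range("failback", cfg["failback"]):
        errors.append(f"failback {cfg['failback']} is outside {RANGES['failback']}")
    for inst in cfg["instances"]:
        vid = inst["vlan"]
        vlan = vlans.get(vid)
        if vlan is None:
            errors.append(f"VLAN {vid}: no such IP VLAN on this router")
            continue
        if vlan.get("gvrp") or not vlan.get("static"):
            errors.append(f"VLAN {vid}: XRRP needs a statically configured IP VLAN, not a GVRP-created one")
        if vlan.get("management"):
            errors.append(f"VLAN {vid}: XRRP cannot be configured on the management VLAN")
        if vlan.get("dhcp"):
            errors.append(f"VLAN {vid}: XRRP cannot be configured on a VLAN addressed by DHCP or Bootp")
        if str(ipaddress.ip_interface(inst["ip"])) not in vlan.get("addresses", []):
            errors.append(f"VLAN {vid}: {inst['ip']} is not an address configured on the VLAN")
        advertise = inst.get("advertise", 5)
        if not _in_range("advertise", advertise):
            errors.append(f"VLAN {vid}: advertise {advertise} is outside {RANGES['advertise']}")
    return errors


def compare_peers(cfg_a, cfg_b):
    """Both routers in a Protection Domain must agree on the configuration: same domain,
    distinct router numbers, the same set of XRRP VLANs and the same authentication
    string per VLAN (a mismatch shows up as the authentication-failure trap)."""
    problems = []
    if cfg_a["domain"] != cfg_b["domain"]:
        problems.append("Protection Domain numbers differ")
    if cfg_a["router"] == cfg_b["router"]:
        problems.append("both routers use the same XRRP router number")
    auth_a = {i["vlan"]: i.get("auth") for i in cfg_a["instances"]}
    auth_b = {i["vlan"]: i.get("auth") for i in cfg_b["instances"]}
    if set(auth_a) != set(auth_b):
        problems.append(f"XRRP VLAN sets differ: {sorted(auth_a)} vs {sorted(auth_b)}")
    for vid in sorted(set(auth_a) & set(auth_b)):
        if auth_a[vid] != auth_b[vid]:
            problems.append(f"VLAN {vid}: authentication strings differ")
    return problems


def change_domain(state, new_domain):
    """The domain number (like the router number) may only change while XRRP is
    disabled with 'no xrrp'; state is a hypothetical {"enabled": bool, "domain": int}."""
    if state["enabled"]:
        raise RuntimeError("disable XRRP with 'no xrrp' before changing the Protection Domain")
    if not _in_range("domain", new_domain):
        raise ValueError(f"domain {new_domain} is outside {RANGES['domain']}")
    state["domain"] = new_domain
    return state


# Router-1 from the figure 12-4 example above (VLAN 5 10.1.1.1/24, VLAN 6 10.2.1.1/24,
# domain 2, router 1). The authentication strings and Router-2's addresses are
# constructed placeholders; the page does not show them.
ROUTER1_VLANS = {5: {"addresses": ["10.1.1.1/24"], "static": True},
                 6: {"addresses": ["10.2.1.1/24"], "static": True}}
ROUTER1_CFG = {"domain": 2, "router": 1, "failback": None,
               "instances": [{"vlan": 5, "ip": "10.1.1.1/24", "auth": "example-key-5"},
                             {"vlan": 6, "ip": "10.2.1.1/24", "auth": "example-key-6"}]}
ROUTER2_CFG = {"domain": 2, "router": 2, "failback": None,
               "instances": [{"vlan": 5, "ip": "10.1.1.2/24", "auth": "example-key-5"},
                             {"vlan": 6, "ip": "10.2.1.2/24", "auth": "example-key-6"}]}
```

Running validate_router on both peers and then compare_peers catches the cases the Event Log later reports as a remote misconfiguration, at which point fail-over would only occur on a complete router failure.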
Router Redundancy Using XRRP Displaying XRRP Data Displaying XRRP Data To verify XRRP configuration and for XRRP status and statistics information display, use the following CLI show xrrp commands at either the Manager level or the global configuration level: Syntax: show xrrp traps This command displays the information on the configured XRRP traps.
Router Redundancy Using XRRP Displaying XRRP Data The display also includes all owner router information (instances). Global information for XRRP is excluded. The keyword instance can be used to display configuration information for the virtual router instance(s).
If the keyword global is used, then generic information is displayed:

  ProCurve(config)# show xrrp statistics global

   Status and Counters - XRRP Global Statistics Information

    XRRP Enabled        : Yes
    This Domain Number  : 2
    This Router Number  : 1
    XRRP MAC Addr       : 0001e7-940601
    XRRP AND Mask       : ffffff-ffffff
    XRRP Up Time        : 46 hours

    Pkts Rx       Corrupt Pkts  Bad Version   Bad Chksum    Not Domain
    ------------  ------------  ------------  ------------  ------------
    7             0             0             0             0
Router Redundancy Using XRRP Displaying XRRP Data The keyword router can be used to display statistics information for the specific router coordinator operating in the XRRP domain as shown in the next example.
Router Redundancy Using XRRP Comparison Between XRRP and VRRP Comparison Between XRRP and VRRP The following information compares the characteristics of XRRP and the industry standard VRRP. ■ XRRP will allow a router to respond to SNMP requests on the virtual router IP address even if it is not the owner. VRRP does not. This would allow you to still access the failed router on VLANs that are accessible on that router.
Messages Related to XRRP Operation

These messages appear in the Event Log and, if Syslog Debug is configured, in the designated Debug destinations.

Message: Unable to alloc a msg buffer from routine < routine name >
Meaning: Indicates that a message buffer could not be allocated. Although XRRP can handle this event in this case, it does indicate that the system is critically low on message buffers and will probably crash soon.

Message: Failed to alloc a pkt buf for an XRRP pkt from < routine-name >
Meaning: Indicates that XRRP was not able to allocate a packet for transmission. This indicates that the system is critically low on resources.

Message: Pkt rcvd that was too short, len = < packet-len >, min = < min-length-allowed >
Meaning: Indicates that XRRP received an XRRP packet that was too short. This event increments the global corrupt packet counter.

Message: No local IP addr < IP-address-in-hex > from rtr < router-num >, on < vid-num >.
Meaning: Indicates that XRRP received a packet with an IP address that doesn't match any of the configured IP addresses on the associated virtual router. This error will force the remote miss-configuration flag to be set so fail-over will only occur when a complete router failure occurs. (Indicates a configuration error.

Message: Remote rtr < router-num > domain < domain-num > is miss-configured
Meaning: Indicates that the remote router is miss-configured relative to the local router. This condition will prevent fail-over except when complete router failure has occurred. Both routers must agree on the configuration. (Note: if one router never comes up then remote miss-configuration is not detected until the remote router does come up.
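Because the misconfiguration messages above mean fail-over is suppressed until a complete router failure, they are worth picking out of the Event Log or Syslog feed automatically. The following Python is an added example, not ProCurve code: the message texts follow the table above, but the severity letter, date and "xrrp:" prefix of the constructed sample lines, and the eight-hex-digit form of the "IP-address-in-hex" field, are assumptions.

```python
import ipaddress
import re

# One pattern per XRRP Event Log message listed above; the manual's angle-bracket
# fields become named groups. The hex address format (eight hex digits, optional
# 0x prefix) is an assumption; the manual only says "IP-address-in-hex".
XRRP_PATTERNS = [
    ("resource_critical",
     re.compile(r"Unable to alloc a msg buffer from routine (?P<routine>\S+)")),
    ("resource_critical",
     re.compile(r"Failed to alloc a pkt buf for an XRRP pkt from (?P<routine>\S+)")),
    ("corrupt_packet",
     re.compile(r"Pkt rcvd that was too short, len = (?P<len>\d+), min = (?P<min>\d+)")),
    ("misconfiguration",
     re.compile(r"No local IP addr (?:0x)?(?P<ip_hex>[0-9A-Fa-f]{8}) from rtr (?P<rtr>\d+), on (?P<vid>\d+)")),
    ("misconfiguration",
     re.compile(r"Remote rtr (?P<rtr>\d+) domain (?P<domain>\d+) is miss-configured")),
]


def parse_xrrp_message(line):
    """Return {"category": ..., <fields>} for a recognised XRRP message, else None."""
    for category, pattern in XRRP_PATTERNS:
        match = pattern.search(line)
        if match:
            fields = {"category": category, **match.groupdict()}
            if "ip_hex" in fields:
                fields["ip"] = str(ipaddress.IPv4Address(int(fields["ip_hex"], 16)))
            return fields
    return None


def summarize(lines):
    """Count messages per category. Misconfiguration messages matter most to an
    operator: while they are present, fail-over happens only on complete router
    failure, so the domain's redundancy is degraded."""
    counts = {}
    for line in lines:
        parsed = parse_xrrp_message(line)
        if parsed:
            counts[parsed["category"]] = counts.get(parsed["category"], 0) + 1
    return {"counts": counts, "redundancy_degraded": counts.get("misconfiguration", 0) > 0}


# Constructed sample Event Log lines. The severity letter, date and "xrrp:" prefix
# are assumed layout; the message texts follow the table above.
SAMPLE_LOG = [
    "I 10/05/06 09:12:01 xrrp: Pkt rcvd that was too short, len = 12, min = 20",
    "W 10/05/06 09:12:06 xrrp: No local IP addr 0a010102 from rtr 2, on 5.",
    "W 10/05/06 09:12:06 xrrp: Remote rtr 2 domain 2 is miss-configured",
    "W 10/05/06 09:13:00 xrrp: Unable to alloc a msg buffer from routine xrrp_tx",
    "I 10/05/06 09:13:30 ports: port A1 is now on-line",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_xrrp_message(line))
    print(summarize(SAMPLE_LOG))
```

The decoded address (10.1.1.2 in the sample) tells the operator which peer address the local router did not expect, which is usually enough to spot the instance whose ip or authentication setting differs between the two routers.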
13 Stack Management for the Series 3400cl, 6400cl, and 4200vl Switches Contents Introduction to Stack Management on Series 3400cl, 6400cl and 4200vl Switches . . . . . . . . . . . . . . . . . . . . . 13-3 Stacking Support on ProCurve Switches . . . . . . . . . . . . . . . . . . . . . . . 13-3 Components of ProCurve Stack Management . . . . . . . . . . . . . . . . . . . 13-5 General Stacking Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-5 Operating Rules for Stacking . . .
Stack Management for the Series 3400cl, 6400cl, and 4200vl Switches Contents Using the CLI To Access Member Switches for Configuration Changes and Traffic Monitoring . . . . . . . . . . . . . 13-42 SNMP Community Operation in a Stack . . . . . . . . . . . . . . . . . . . . . . 13-43 Using the CLI To Disable or Re-Enable Stacking . . . . . . . . . . . . . . . 13-44 Transmission Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Stack Management for the Series 3400cl, 6400cl, and 4200vl Switches Introduction to Stack Management on Series 3400cl, 6400cl and 4200vl Switches Introduction to Stack Management on Series 3400cl, 6400cl and 4200vl Switches ProCurve Stack Management (stacking) enables you to use a single IP address and standard network cabling to manage a group of up to 16 total switches in the same IP subnet (broadcast domain). Using stacking, you can: ■ Reduce the number of IP addresses needed in your network.
Stack Management for the Series 3400cl, 6400cl, and 4200vl Switches Introduction to Stack Management on Series 3400cl, 6400cl and 4200vl Switches Note Stacking and meshing cannot both be enabled at the same time on a Series 3400cl or Series 6400cl switch. In the default configuration, stacking is enabled on the 3400cl, 6400cl and 4200vl switches.
Stack Management for the Series 3400cl, 6400cl, and 4200vl Switches Introduction to Stack Management on Series 3400cl, 6400cl and 4200vl Switches Components of ProCurve Stack Management Table 13-1. Stacking Definitions Stack Consists of a Commander switch and any Member switches belonging to that Commander’s stack. Commander A switch that has been manually configured as the controlling device for a stack. When this occurs, the switch’s stacking configuration appears as Commander.
Use the Commander’s console or web browser interface to access the user interface on any Member switch in the same stack.

(figure: Wiring Closet "A" containing Commander Switch 0, Member Switch 1, Member Switch 2, a Candidate Switch and a Non-Member Switch; Member Switch 1 and the Candidate Switch have no IP address assigned, one switch has the IP address 10.28.227. (truncated), and the Manager passwords shown are leader and francois)
Stack Management for the Series 3400cl, 6400cl, and 4200vl Switches Introduction to Stack Management on Series 3400cl, 6400cl and 4200vl Switches Operating Rules for Stacking General Rules ■ Stacking is an optional feature (enabled in the default configuration) and can easily be disabled. Stacking has no effect on the normal operation of the switch in your network. ■ A stack requires one Commander switch. (Only one Commander allowed per stack.
Specific Rules

Table 13-2. Specific Rules for Commander, Candidate, and Member Switch (columns: IP Addressing and Stack Name; Number Allowed Per Stack; Passwords; SNMP Communities)

Commander: Number Allowed Per Stack: Only one Commander switch is allowed per stack. Passwords: The Commander’s Manager and Operator passwords are assigned to any switch becoming a Member of the stack.
Stack Management for the Series 3400cl, 6400cl, and 4200vl Switches Configuring Stack Management Note In the default stack configuration, the Candidate Auto Join parameter is enabled, but the Commander Auto Grab parameter is disabled. This prevents Candidates from automatically joining a stack prematurely or joining the wrong stack (if more than one stack Commander is configured in a subnet or broadcast domain).
Stack Management for the Series 3400cl, 6400cl, and 4200vl Switches Configuring Stack Management Options for Configuring a Commander and Candidates. Depending on how Commander and Candidate switches are configured, Candidates can join a stack either automatically or by a Commander manually adding (“pulling”) them into the stack. In the default configuration, a Candidate joins only when manually pulled by a Commander.
Stack Management for the Series 3400cl, 6400cl, and 4200vl Switches Configuring Stack Management ■ Default stacking configuration (Stack State set to Candidate, and Auto Join set to Yes) ■ Same subnet (broadcast domain) and default VLAN as the Commander (If VLANs are used in the stack environment, see “Stacking Operation with a Tagged VLAN” on page 13-44.
Stack Management for the Series 3400cl, 6400cl, and 4200vl Switches Configuring Stack Management 2. Configure the Commander switch. Doing this first helps to establish consistency in your stack configuration, which can help prevent startup problems. • A stack requires one Commander switch.
Stack Management for the Series 3400cl, 6400cl, and 4200vl Switches Configuring Stack Management Using the Menu Interface To View Stack Status and Configure Stacking Using the Menu Interface To View and Configure a Commander Switch 1. Configure an IP address and subnet mask on the Commander switch. (Refer to the Management and Configuration Guide for your switch.) 2. Display the Stacking Menu by selecting Stacking in the Main Menu. Figure 13-5. The Default Stacking Menu 3.
4. Move the cursor to the Stack State field by pressing [E] (for Edit). Then use the Space bar to select the Commander option.
5. Press the down arrow key to display the Commander configuration fields in the Stack Configuration screen.
Figure 13-7. The Default Commander Configuration in the Stack Configuration Screen
6. Enter a unique stack name (up to 15 characters; no spaces) and press the down arrow key.
Stack Management for the Series 3400cl, 6400cl, and 4200vl Switches Configuring Stack Management Using the Menu To Manage a Candidate Switch Using the menu interface, you can perform these actions on a Candidate switch: ■ Add (“push”) the Candidate into an existing stack ■ Modify the Candidate’s stacking configuration (Auto Join and Transmission Interval) ■ Convert the Candidate to a Commander ■ Disable stacking on the Candidate so that it operates as a standalone switch In its default stacking con
Stack Management for the Series 3400cl, 6400cl, and 4200vl Switches Configuring Stack Management Figure 13-8. The Default Stack Configuration Screen 3. Move the cursor to the Stack State field by pressing [E] (for Edit). 4. Do one of the following: • To disable stacking on the Candidate, use the Space bar to select the Disabled option, then go to step 5. Note: Using the menu interface to disable stacking on a Candidate removes the Candidate from all stacking menus.
5. Press [Enter] to return the cursor to the Actions line.
6. Press [S] (for Save) to save your configuration changes and return to the Stacking menu.

Using the Commander To Manage The Stack

The Commander normally operates as your stack manager and point of entry into other switches in the stack.
Stack Management for the Series 3400cl, 6400cl, and 4200vl Switches Configuring Stack Management For status descriptions, see the table on page 13-45. Figure 13-9. Example of the Stack Management Screen 2. Press [A] (for Add) to add a Candidate. You will then see this screen listing the available Candidates: The Commander automatically selects an available switch number (SN). You have the option of assigning any other available number. Candidate List Figure 13-10.
• If the desired Candidate has a Manager password, press the down arrow key to move the cursor to the Candidate Password field, then type the password.
• If the desired Candidate does not have a password, go to step 6.
6. Press [Enter] to return to the Actions line, then press [S] (for Save) to complete the Add process for the selected Candidate.
Stack Management for the Series 3400cl, 6400cl, and 4200vl Switches Configuring Stack Management 2. To learn or verify the MAC address of the Member you want to move, display a listing of all Commanders, Members, and Candidates in the subnet by selecting: 2. Stacking Status (All) You will then see the Stacking Status (All) screen: For status descriptions, see the table on page 13-45. This column lists the MAC Addresses for switches discovered (in the local subnet) that are configured for Stacking.
7. Use the down arrow key to move the cursor to the MAC Address field, then type the MAC address of the desired Member you want to move from another stack.
8. Do one of the following:
• If the stack containing the Member you are moving has a Manager password, press the down arrow key to select the Candidate Password field, then type the password.
Stack Management for the Series 3400cl, 6400cl, and 4200vl Switches Configuring Stack Management To remove a Member from a stack, use the Stack Management screen. 1. From the Main Menu, select: 9. Stacking... 4. Stack Management You will then see the Stack Management screen: For status descriptions, see the table on page 13-45. Stack Member List Figure 13-13. Example of Stack Management Screen with Stack Members Listed 2. Use the downarrow key to select the Member you want to remove from the stack.
Stack Management for the Series 3400cl, 6400cl, and 4200vl Switches Configuring Stack Management 4. To continue deleting the selected Member, press the Space bar once to select Yes for the prompt, then press [Enter] to complete the deletion. The Stack Management screen updates to show the new stack Member list.
Stack Management for the Series 3400cl, 6400cl, and 4200vl Switches Configuring Stack Management Main Menu for stack Member named "Coral Sea" (SN = 1 from figure 13-16) Figure 13-17. The eXecute Command Displays the Console Main Menu for the Selected Stack Member 2. You can now make configuration changes and/or view status data for the selected Member in the same way that you would if you were directly connected or telnetted into the switch. 3.
3. Press [B] (for Back) to return to the Stacking Menu.
4. To display the Stack Configuration menu for the switch you are moving, select 3. Stack Configuration
5. Press [E] (for Edit) to select the Stack State parameter.
6. Use the Space bar to select Member, then press [v] to move to the Commander MAC Address field.
7. Enter the MAC address of the destination Commander and press [Enter].
8.
Stack Management for the Series 3400cl, 6400cl, and 4200vl Switches Configuring Stack Management Using Any Stacked Switch To View the Status for All Switches with Stacking Enabled. This procedure displays the general status of all switches in the IP subnet (broadcast domain) that have stacking enabled. 1. Go to the console Main Menu for any switch configured for stacking and select: 9. Stacking ... 2.
Stack Management for the Series 3400cl, 6400cl, and 4200vl Switches Configuring Stack Management You will then see the Commander’s Stacking Status screen: Figure 13-19. Example of the Commander’s Stacking Status Screen Viewing Member Status. This procedure displays the Member’s stacking information plus the Commander’s status, IP address, and MAC address. To display the status for a Member: 1. Go to the console Main Menu of the Commander switch and select 9. Stacking ... 5. Stack Access 2.
Stack Management for the Series 3400cl, 6400cl, and 4200vl Switches Configuring Stack Management Figure 13-20. Example of a Member’s Stacking Status Screen Viewing Candidate Status. This procedure displays the Candidate’s stacking configuration. To display the status for a Candidate: 1. Use Telnet (if the Candidate has a valid IP address for your network) or a direct serial port connection to access the menu interface Main Menu for the Candidate switch and select 9. Stacking ... 1.
Using the CLI To View Stack Status and Configure Stacking

The CLI enables you to do all of the stacking tasks available through the menu interface.

Table 13-6. CLI Commands for Configuring Stacking on a Switch
CLI Command: show stack [candidates | view | all]
Operation: Commander: Shows Commander’s stacking configuration and lists the stack members and their individual status.
Stack Management for the Series 3400cl, 6400cl, and 4200vl Switches Configuring Stack Management CLI Command Operation [no] stack member mac-address [password ] Commander: Adds a Candidate to stack membership. “No” form removes a Member from stack membership. To easily determine the MAC address of a Candidate, use the show stack candidates command. To determine the MAC address of a Member you want to remove, use the show stack view command.
Using the CLI To View Stack Status

You can list the stack status for an individual switch and for other switches that have been discovered in the same subnet.
Syntax: show stack [candidates | view | all]
Viewing the Status of an Individual Switch. The following example illustrates how to use the CLI on a switch to display the stack status for that switch.
Stack Management for the Series 3400cl, 6400cl, and 4200vl Switches Configuring Stack Management Viewing the Status of all Stack-Enabled Switches Discovered in the IP Subnet. The next example lists all the stack-configured switches discovered in the IP subnet. Because the switch on which the show stack all command was executed is a candidate, it is included in the “Others” category. Syntax: show stack all Figure 13-24.
Stack Management for the Series 3400cl, 6400cl, and 4200vl Switches Configuring Stack Management Using the CLI To Configure a Commander Switch You can configure any stacking-enabled switch to be a Commander as long as the intended stack name does not already exist on the broadcast domain. (When you configure a Commander, you automatically create a corresponding stack.) Before you begin configuring stacking parameters: 1.
Stack Management for the Series 3400cl, 6400cl, and 4200vl Switches Configuring Stack Management The stack commander command configures the Commander and names the stack. The Commander appears in the stack as Switch Number (SN) 0. Figure 13-26. Example of the Commander’s Show Stack Screen with Only the Commander Discovered Using a Member’s CLI to Convert the Member to the Commander of a New Stack. This procedure requires that you first remove the Member from its current stack, then create the new stack.
Stack Management for the Series 3400cl, 6400cl, and 4200vl Switches Configuring Stack Management The output from this command tells you the MAC address of the current stack Commander. Removes the Member from the “Big_Waters” stack. Converts the former Member to the Commander of the new “Lakes” stack. Figure 13-27.
Stack Management for the Series 3400cl, 6400cl, and 4200vl Switches Configuring Stack Management Using the Commander’s CLI To Manually Add a Candidate to the Stack. To manually add a candidate, you will use: ■ A switch number (SN) to assign to the new member. Member SNs range from 1 to 15. To see which SNs are already assigned to Members, use show stack view. You can use any SN not included in the listing. (SNs are viewable only on a Commander switch.
For example, if the 3400cl-48 in the above listing did not have a Manager password and you wanted to make it a stack Member with an SN of 2, you would execute the following command:
ProCurve(config)# stack member 2 mac-address 0060b0-df1a00
The show stack view command then lists the Member added by the above command: The new member did not have a System Name configured prior to joining the stack, and so recei
Stack Management for the Series 3400cl, 6400cl, and 4200vl Switches Configuring Stack Management ■ The Candidate’s Auto Join is set to Yes (and you do not want to enable Auto Grab on the Commander) or the Candidate’s Auto Join is set to No. ■ Either you know the MAC address of the Commander for the stack into which you want to insert the Candidate, or the Candidate has a valid IP address and is operating in your network.
Syntax: stack member < switch-number > mac-address < mac-addr > [ password < password-str > ]

In the destination Commander, use show stack all to find the MAC address of the Member you want to pull into the destination stack.
Syntax: no stack name < stack-name >
Syntax: stack join < mac-address >

If you don't know the MAC address of the destination Commander, you can use show stack all to identify it. For example, suppose you have a switch operating as the Commander for a temporary stack named "Test".
Use show stack view to list the stack Members. For example, suppose that you wanted to use the Commander to remove the "North Sea" Member from the following stack:

Figure 13-34. Callout: remove this Member from the stack.
You would then execute this command in the "North Sea" switch's CLI to remove the switch from the stack:

North Sea(config)# no stack join 0030c1-7fec40

Using the CLI To Access Member Switches for Configuration Changes and Traffic Monitoring

After a Candidate becomes a Member, you can use the telnet command from the Commander to access the Member's CLI or console interface for the same configuration and monitor
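The following CLI session ties the preceding steps together as one procedure: converting a Member into the Commander of a new stack, manually pulling a password-protected Candidate into that stack, demoting a temporary Commander so it can join, and finally removing a Member from its own CLI. It is an added example, not a session reproduced from the manual; the prompts, stack names, MAC addresses and SNs are constructed, and the placeholder < manager-password > stands for whatever Manager password the Candidate has set.

```text
! --- On the Member that will become the new Commander ---
Member-1(config)# show stack
!   note the MAC address of the current Commander in the output
Member-1(config)# no stack join 0030c1-7fec40
!   the switch is now a Candidate again
Member-1(config)# stack commander "Lakes"
Lakes(config)# show stack
!   the switch appears as SN 0 of stack "Lakes"

! --- On the Commander "Lakes": manually add a Candidate ---
Lakes(config)# show stack all
!   find the MAC address of the Candidate to pull in
Lakes(config)# show stack view
!   pick an SN from 1-15 that is not already listed
!   the Candidate has a Manager password, so it must be supplied:
Lakes(config)# stack member 2 mac-address 0060b0-df1a00 password < manager-password >
Lakes(config)# show stack view
!   SN 2 is now listed as a Member

! --- On a switch that is Commander of a temporary stack "Test" ---
! It cannot join another stack while it is a Commander.
Test(config)# no stack name "Test"
Test(config)# show stack all
!   identify the MAC address of the "Lakes" Commander
Test(config)# stack join 0030c1-7fec40

! --- Removing a Member from its own CLI ---
North Sea(config)# no stack join 0030c1-7fec40
```

Two checks worth making before running this on production equipment: confirm with show stack view on the Commander that the SN you chose is free, and keep a Manager password on every switch, since a Candidate without one can be pulled into any stack whose Commander knows its MAC address, and once it is a Member the Commander can telnet into it with Manager rights.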
SNMP Community Operation in a Stack

Community Membership. In the default stacking configuration, when a Candidate joins a stack, it automatically becomes a Member of any SNMP community to which the Commander belongs, even though any community names configured in the Commander are not propagated to the Member's SNMP Communities listing.
Note that in the above example (figure 13-37) you cannot use the public community through the Commander to access any of the Member switches. For example, you can use the public community to access the MIB in switches 1 and 3 by using their unique IP addresses. However, you must use the red or blue community to access the MIB for switch 2.

snmpget < MIB variable > 10.31.29.
■ Stacking uses only the primary VLAN on each switch in a stack.

■ The primary VLAN can be tagged or untagged as needed in the stacking path from switch to switch.

■ The same VLAN ID (VID) must be assigned to the primary VLAN in each stacked switch.
Index Numerics 802.1p priority (QoS) definition … 8-6 802.1q VLAN in mesh … 7-23 802.1Q VLAN standard … 6-6 802.1w as a region … 6-54 802.1x, mesh, not supported … 7-5 A ABC enabled on edge switch … 7-26 in mesh domain ABR definition … 11-38 OSPF … 11-38 ACL-3400cl ACE sequence See ACL-3400cl, sequence, ACEs. ACL-3400cl/6400cl ACE sequence … 10-44 ACE, after match not used … 10-42 ACE, defined … 10-7 ACE, duplicates … 10-45 ACE, limit … 10-30 ACE, order in list See sequence, ACEs.
mask, CIDR … 10-45 mask, defined … 10-8 mask, multiple IP addresses … 10-36 mask, one IP address … 10-35 mask, per-port, defined … 10-9 match, always … 10-44 match, criteria … 10-34 match, example … 10-35 match, ignored … 10-29 maximum allowed … 10-30 name string, maximum characters … 10-38, 10-47 number of entries … 10-11 offline creation … 10-72 operator, comparison … 10-54 outbound traffic, defined … 10-9 oversubscribing resources … 10-22 packet match, defining … 10-26 performance degraded … 10-12 permit
configured, not used … 9-31 configuring offline … 9-10 connection-rate ACL … 9-6, 9-8 copy operation appends … 9-56 create, CLI method … 9-32 DA, defined … 9-6, 9-7 definitions … 9-5 deny any, implicit … 9-10, 9-12, 9-13, 9-16, 9-17, 9-18, 9-26, 9-30, 9-31 deny any, implicit, supersede … 9-27 deny any, implicit, switched packets … 9-14 deny, defined … 9-6 editing … 9-32 effect of replacing … 9-31 end … 9-30 exit statement … 9-30 extended, defined … 9-6, 9-26 extended, numeric I.D.
wildcard, defined … 9-7 ACL-5300xl, standard numeric I.D.
RSTP from the CLI … 6-14 from the menu … 6-20 per-port parameters … 6-18 whole switch parameters … 6-16 spanning tree protocol … 6-8, 6-50 static IP routes … 11-20, 11-22 XRRP … 12-20 configuration rules … 12-24 examples … 12-25 configuring RSTP … 6-13 console, for configuring switch meshing … 7-11 CoS See Class of Service.
enabling STP CLI … 6-15 event log See log. examples XRRP configuration … 12-25 Exclude Source See IGMP.
configuring … 11-18 disabling messages … 11-18 IEEE 802.
RIP configuration … 11-24 displaying configuration and status … 11-31 enabling … 11-26 general information … 11-31 interface information … 11-33 overview … 11-24 parameters and defaults … 11-25 peer information … 11-34 redistribution … 11-28 redistribution information … 11-36 restrict filter information … 11-36 route exchange protocols … 11-10 routing table … 11-8 static route configuration … 11-22 static route types … 11-20 tables and caches … 11-7 VLAN interface … 11-7 IP, type of service configuring prio
hub not allowed … 7-5, 7-7 IGMP requirement … 7-6 increase STP cost … 7-21 IP routing not allowed … 7-6 jumbo packets … 7-24 LACP dynamic trunk, effect … 7-5 link blocked … 7-21 link to non-mesh switch … 7-20 links, multiple … 7-26 management VLAN … 2-50 multicast traffic … 7-18 multiple mesh domains … 7-21 multiple VLANs … 7-19 no Type selection … 7-26 operating details … 7-18 operating notes … 7-18 operating rules … 7-5 port limit per-switch … 7-5 port trunk … 7-26 port types … 7-2 redundant link … 7-21 r
policy boundary … 11-81 primary relay agent … 11-82 relay agent … 11-82 Relay Agent Information … 11-79 remote ID … 11-82, 11-84 requirements … 11-82 secondary relay agent … 11-82 server support … 11-81 validating server response packets … 11-88 OSPF administrative distance … 11-53 area … 11-37 assigning VLAN to … 11-46 configuring … 11-43 area range configuring … 11-45 ASBR … 11-38 authentication description … 11-47 MD5 … 11-47, 11-51 simple password … 11-47, 11-51 autonomous system … 11-37 configuration r
default settings recommended … 5-9 displaying data and configuration … 5-22 draft version 3 … 5-3 draft versions 1 and 2 … 5-4 error message … 5-37 expiry time … 5-26, 5-33 extended branch … 5-5 features … 5-4 flood … 5-6 flood and prune … 5-3, 5-6, 5-7, 5-27 flood and prune cycle … 5-34 flood and prune technique … 5-3 flow … 5-6, 5-9 flow, bridged … 5-36 flow, equalizing … 5-35, 5-37, 5-38, 5-39, 5-40 flow, hardware … 5-10, 5-13 flow, multicast, limit … 5-10, 5-37 flow, software … 5-10, 5-13 flow, VLAN lim
XRRP … 5-4 port auto, IGMP … 4-5 blocked by STP operation … 6-8, 6-50 blocked in mesh … 7-10 blocked, IGMP … 4-5 forwarding, IGMP … 4-5 loop … 6-8, 6-50 monitoring … 2-54 redundant path … 6-8, 6-50 state, IGMP control … 4-5 port trunk meshed switch … 7-26 VLAN … 2-54 with fast-uplink STP … 6-43 port-based access control, no mesh … 7-5 precedence bits (QoS) definition … 8-6 primary relay agent … 11-82 primary VLAN See VLAN priority … 4-5 802.
redistribution filters OSPF configuring … 11-51 displaying … 11-67 RIP configuring … 11-28 displaying … 11-36 redundant link … 7-21 redundant link, non-meshed … 7-20 redundant links … 7-4 redundant path … 6-8, 6-50 spanning tree … 6-9 region … 6-49 See spanning-tree, 802.1s. relay agent … 11-82 remote ID … 11-82 report See IGMP.
OSPF area configuration … 11-43 area information … 11-58 assigning area range … 11-45 displaying configuration and status … 11-56 displaying routing table … 11-71 enabling … 11-43 enabling redistribution … 11-53 general information … 11-56 overview … 11-37 redistribution information … 11-67 OSPF configuration … 11-37 RIP configuration … 11-24 displaying configuration and status … 11-31 enabling … 11-26 general information … 11-31 interface information … 11-33 overview … 11-24 parameters and defaults … 11-25
MSTP See spanning-tree, 802.1s operation with switch meshing … 7-20 redundant path … 6-4 RSTP edge port parameter … 6-18 RSTP mcheck parameter … 6-18 RSTP path-cost parameter … 6-18 RSTP point-to-point-mac parameter … 6-18 RSTP priority parameter … 6-19 rules, operating, fast-uplink … 6-33 viewing the configuration … 6-14 VLAN effect on … 2-53 with 802.1Q VLANs … 6-9 spanning tree protocol See STP. spanning-tree, 802.1s … 6-4, 6-45 802.1D and 802.1w connections … 6-54 802.1D as a region … 6-53, 6-54 802.
MIB … 6-81 MST region See region. MSTI … 6-48, 6-54 MSTI root … 6-50 MSTI, view status … 6-76 MSTP … 6-48 MSTP operation … 6-49 MSTP, view global configuration … 6-77 multiple spanning tree instance See MSTI override hello-time … 6-54 path cost, effect on 802.
XRRP … 12-28 status and counters XRRP … 12-27 STP cost change by mesh switch … 7-21 enabling from the CLI … 6-15 server access failure … 6-8 stub area OSPF … 11-43 subnet … 2-4, 4-12 subnet address … 2-7 supernetting … 10-33 supernetting-5300xl … 9-21 supersede implicit deny any (3400cl/6400cl) … 10-39 supersede implicit deny any (5300xl) … 9-27 switch meshing See mesh. Syslog See ACL-3400cl6400cl, logging. See ACL-5300xl, logging.
deleting, with member ports … 2-14, 2-35, 2-37 DHCP, primary VLAN … 2-45 duplicate MAC address … 2-18 dynamic … 2-4, 2-17, 2-22, 2-28, 2-37 effect on spanning tree … 2-53 gateway, IP … 2-46 GVRP, auto … 2-13 IGMP configuration … 4-5 layer-2 broadcast domain … 2-5 layer-3 broadcast domain … 2-5 limit … 2-8, 2-22, 2-28 MAC address assignment … 2-54 maximum per-switch … 2-4 maximum, GVRP … 3-18 menu, configuring parameters … 2-22 menu, maximum capacity … 2-26 menu, missing VLAN … 2-26 multiple forwarding datab
untagged … 2-11, 2-27 untagged, operation … 2-16 VID … 2-4, 2-42 VID, default VLAN … 2-45 voice … 2-5, 2-30, 2-31, 2-32, 2-53 voice, configuration … 2-36 voice, configuring … 2-29 voice, VLAN type … 2-14 web browser configuration … 2-39 XRRP multiple VLAN example … 12-26 single VLAN example … 12-25 XRRP configuration … 12-22 XRRP fail-over … 12-7, 12-8 VLAN already exists, message … 2-39 VLAN interface changing cost of RIP routes … 11-27 changing RIP type … 11-27 description … 11-7 enabling IRDP … 11-77 IP
xrrp command domain parameter … 12-21 failback parameter … 12-21 instance parameter … 12-22 router parameter … 12-21 syntax … 12-20 trap parameter … 12-21 20 – Index
Technical information in this document is subject to change without notice. © Copyright 2006 Hewlett-Packard Development Company, L.P. Reproduction, adaptation, or translation without prior written permission is prohibited except as allowed under the copyright laws.