ProCurve Series 8100fl Switches March 2007 Software Release CY.02.05.xxxx or Greater Management and Configuration Guide...
Publication Number 5990-8867, March 2007. ...performance, or use of this material. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
Getting Started Overview Overview This Management and Configuration Guide is intended for use with the following switches:
■ ProCurve Switch 8108fl
■ ProCurve Switch 8116fl
Note: Each device uses the same command line functions. Together, these two devices are referred to in this guide as the 8100fl switch.
Getting Started Conventions Command Prompts The default configuration for your switch displays one of the following CLI prompts: ProCurve 8108fl# ProCurve 8116fl# To simplify recognition, this guide uses the hostname ProCurve to represent command prompts for both models. For example: ProCurve# Note: You can use the hostname command to change the text in the CLI prompt.
Getting Started Related Publications Related Publications Read Me First. The Read Me First shipped with your switch provides software update information, product notes, and other information. A printed copy is shipped with your switch. Installation and Getting Started Guide. Use the Installation and Getting Started Guide shipped with your switch to prepare for and perform the physical installation.
Getting Started Need Only a Quick Start? Need Only a Quick Start? IP Addressing. If you just want to give the switch an IP address so that it can communicate on your network, ProCurve recommends that you use the CLI to quickly configure IP addressing and enable Telnet access to the switch: “Setting the Management Module IP Address”...
Using the Command Line Interface (CLI) Accessing the CLI Accessing the CLI The CLI can be accessed through both serial and Telnet connections (including Secure Shell). For initial log on, you must use a serial connection. Once an IP address is assigned to the management interface (see “Setting the Management Module IP Address”...
Using the Command Line Interface (CLI) Accessing the CLI Note: For more information on the CLI Access modes and permissions, see Table 2-1 on page 2-4. To access the Privileged Exec mode from the Exec mode, enter: ProCurve>enable You will be prompted for a password if one has been assigned.
Using the Command Line Interface (CLI) Accessing the CLI CLI Access Modes The CLI has four different access modes, each of which provides the ability to perform the specific operations shown in Table 2-1. Table 2-1. CLI Access Modes Access Mode Command Prompt Description Exec ProCurve>...
Using the Command Line Interface (CLI) Using the CLI Using the CLI The CLI supports partial matching (also known as command completion), so you do not need to enter the entire name of a command or option. As long as you enter enough characters of the command or option name to be unique, the CLI understands what you are typing.
Using the Command Line Interface (CLI) Using the CLI To enter a line-editing command, use the [Ctrl] key combination: press and hold the [Ctrl] key, then press the letter associated with the command as detailed in the following table. Table 2-2.
Using the Command Line Interface (CLI) Using the CLI Table 2-2. CLI Line Editing Commands (Continued) Command Resulting Action [Ctrl][Y] Paste back what was deleted by the previous Ctrl-k or Ctrl-w command. Text is pasted back at the cursor location [Ctrl][Z] If inside a subsystem, it exits back to the top level.
Using the Command Line Interface (CLI) Using the CLI CLI Parameter Types The following table describes all the parameter types you can use with the CLI. Table 2-3. CLI Parameter Types (columns: Data Type, Description, Example) Data Type: conditional. Description: A numerical conditional expression. Special symbols are used to describe a numerical... Example: <1024 or >2048 or !=4096
Using the Command Line Interface (CLI) Using the CLI Setting CLI Parameters The terminal history command specifies the number of commands that will be stored in the command history buffer. Commands stored in the buffer can be recalled without having to type the complete command again. When you hit the ↑...
Using the Command Line Interface (CLI) Using the CLI Getting Help with CLI Commands Interactive help is available from CLI by entering the question mark (?) character at any time. The help is context-sensitive; the help provided is based on where you are in the command. For example, if you are at the Exec mode prompt, enter a question mark (?) as shown in the following example to list the commands available in Exec mode: ProCurve>?
Using the Command Line Interface (CLI) Using the CLI Utilities and Conventions Take note of the following commands or conventions when using the CLI. Search Command ■ The search <WORD> command can locate strings that appear in your running configuration file. Strings can be words like vlan, or numbers such as 10.20.30.40, or even a Perl-style regular expression.
Using the Command Line Interface (CLI) Using the CLI • The end command, when used at any level of the Configuration mode, returns the CLI to the Privileged Exec mode. Terminate Session Exec > quit exit logout Privileged Exec # quit exit logout...
File and System Management Maintaining Configuration Files Maintaining Configuration Files The 8100fl switch maintains in memory and on disk the following configuration files and commands: ■ running-config—The running-config file includes both the startup-config file plus any configuration changes or additions that you have entered during a CLI session.
File and System Management Maintaining Configuration Files Changing Configuration Information The commands to change configuration information are shown in Table 3-1. Table 3-1. Commands to change configuration information (columns: Mode, Command, Action) Mode: Privileged Exec. Command: copy <source> <destination>. Action: Copy between running configuration, startup configuration, TFTP server, or URL.
File and System Management Managing Files Managing Files The 8100fl switch supports a 512 MB internal compact flash device located on the management module. This device contains the local flash storage area used to store configuration and system files. Copy Command Table 3-3 shows the local file systems supported by the copy command.
File and System Management Managing Files Table 3-4 shows syntaxes and examples for the various URL options used to perform remote file transfer. Table 3-4. URL Syntaxes for Remote File Systems Syntaxes Example tftp: tftp://location/directory/filename tftp://10.10.10.10/filename.txt scp: scp://[username@]location]/directory/filename scp://remoteuser@10.10.10.10/filename.txt When using scp you will be prompted for a password remoteuser@10.10.10.10’s password: ******* File Management Commands Because the 8100fl switch allows a wide variety of file storage activities to a...
File and System Management Managing Files Table 3-5. File Management Commands (Continued) (columns: Command, Description, Syntax) Command: copy. Description: The copy command uses a url to copy a source-file to a target-file, with the following conditions: •... Syntax: copy <url> <source-file> <target-file> or the inverse:...
File and System Management Managing Files Table 3-5. File Management Commands (Continued) (columns: Command, Description, Syntax) Command: rename. Description: The rename command renames source-file to target-file. Both source-file and target-file must reside on logical or physical file systems; they cannot be on remote file systems. Both source-file and target-file must be writable. Syntax: rename <source-file> <target-file>
File and System Management Managing Files Backing Up Startup Configuration When you save the startup configuration file, the switch stores it in three places: in the boot flash and the PC card of the primary management module, and if there is a redundant management module, in its PC flash card as well. It is recommended that you store a backup of the startup configuration file on a central server.
File and System Management Managing System Devices and Software Managing System Devices and Software This section highlights some key commands used to manage hardware and software on the switch. For complete information and procedures on updating system software and Boot ROM images to the most current versions, refer to the latest Release Notes, available on the ProCurve Networking Web site.
File and System Management Managing System Devices and Software Updating Software For easy software image management, the 8100fl switch supports the download and upload of software images between the compact flash on the management module and a server on the network (see “Backing Up and Restoring Files”...
File and System Management Managing System Devices and Software Managing Modules To control the power and administrative states of modules on the switch, enter the set module command from Configuration mode in the CLI: ProCurve(config)#set module {enable | disable} {management-module slot | fabric-module slot | interface-module slot} ProCurve(config)#set module {poweron | poweroff} {fabric-module slot | interface-module slot}...
File and System Management Managing System Devices and Software You can gracefully stop a management module or fabric module and cause the redundant module to take over by using the following command in Privileged Exec mode: ProCurve#halt <module> Alternatively, you can power down the fabric module slot by issuing the following command: ProCurve#power down <fabric-module slot>...
File and System Management Managing System Devices and Software Monitoring System Hardware This section provides details on monitoring the system hardware, including finding the chassis serial number and displaying information on the modules that are installed in the switch. Showing Hardware Information Use the show hardware command to display switch hardware inventory details, including the chassis serial number and summary details of all installed modules on the switch.
File and System Management Managing System Devices and Software Showing Module Information Use the show modules command to display summary status information on all installed modules on the switch. ProCurve#show module Chassis Serial Number Chassis Serial Number :SG444SS014 Part Number Slot Module-Type Model...
Configuring Basic System Information and Port Parameters Overview Overview This chapter describes how to configure basic, non-protocol features on the 8100fl switch using the CLI. The switch is configured at the factory with default parameters that allow you to use basic features of the system immediately. However, many of the advanced features such as VLANs or routing protocols must be enabled at the system (global) level before they can be configured.
Configuring Basic System Information and Port Parameters Configuring Basic System Information
3. From the Privileged Exec mode, enter the configure command to get to Configuration mode in the CLI.
4. From Configuration mode, enter the following command to access the management interface: ProCurve(config)#interface management 0
5. From Interface Management mode, enter the following command:...
Configuring Basic System Information and Port Parameters Configuring Basic System Information 9. Enter write memory to save the running configuration to the startup configuration. Setting the System Date and Time To set the system date and time: 1. From the Privileged Exec mode (#) prompt, enter the clock set command: ProCurve#clock set <HH:MM:SS>...
Configuring Basic System Information and Port Parameters Configuring Basic System Information Setting System ID, Location, and Contact To assign a chassis ID, a physical location, and a contact person to the system using SNMP (Simple Network Management Protocol), enter the following commands: ProCurve(config)#snmp-server location <string>...
Configuring Basic System Information and Port Parameters Configuring Basic System Information Configuring Terminal Services The Series 8100fl Switch supports up to 10 concurrent Telnet sessions (numbered from 0 through 9) for a maximum of ten incoming remote connections. Use the shutdown command to terminate the Telnet service. The following example shows how to terminate a Telnet connection: ProCurve(config)#ip telnet ProCurve(config-telnet)#...
Configuring Basic System Information and Port Parameters Configuring Basic System Information ■ To limit the amount of time (in minutes) that a session on this line can remain connected without activity, enter: ProCurve(config-line)#exec-timeout <value> where value is an integer designating the inactivity timer in minutes (enter a value of 0 to set an unlimited time for each session).
Configuring Basic System Information and Port Parameters Configuring Basic System Information Saving and Using the New Configuration 1. To activate the system commands entered in the previous steps, use the following command: ProCurve#save running-config The CLI displays the following message: ProCurve(config)#save running-config Please wait, acquiring configuration lock...done in 0.00 seconds...
Configuring Basic System Information and Port Parameters Configuring Port Parameters Configuring Port Parameters Changes to port parameters are made using the interface <port> command to adjust to attached devices or other network requirements. Follow the procedures in this section to set the following port parameters: ■...
Configuring Basic System Information and Port Parameters Configuring Port Parameters For example, the port name gi 3/2 refers to a port on the Gigabit Ethernet interface module located in slot 3, port 2. Note: You can build a configuration for a module that is not yet installed. For example, although slot 2 is empty, you can configure an interface gi 2/1 and add an IP address to it, and then save the configuration for later use.
Configuring Basic System Information and Port Parameters Configuring Port Parameters Switch 8116fl Slot Numbering. The Switch 8116fl chassis contains 16 numbered slots for interface modules, 2 slots for management modules, 2 slots for fabric modules, and 2 expansion slots. The following illustration shows the numbering and naming scheme used to identify each slot in the CLI.
Configuring Basic System Information and Port Parameters Configuring Port Parameters Modifying Port Speed The 8100fl switch ports are designed to auto-negotiate the speed and mode of the connected device. If the attached device does not support auto-negotiation, you can manually enter the port speed to operate at either 100 Mbps or 1000 Mbps.
Configuring Basic System Information and Port Parameters Configuring Port Parameters To re-enable flow control: ProCurve(config)#interface et 1/8 ProCurve(config-if)#flowcontrol Note: Flow control is enabled by default and is not reported in show interface configuration displays. The flow control state is only reported when it is disabled (no flowcontrol).
Security Configuration Overview Overview The 8100fl switch provides security features that help control access and filter traffic. Access to the switch can be controlled by: ■ Terminal line password authentication ■ Secure shell protocol (version 1 and 2, server and client)...
Security Configuration Configuring Passwords ■ To test your configuration safely, leave your startup configuration unchanged. Add your planned changes to the running config, and then verify that you can log on safely before saving any changes to the startup config. ■...
Security Configuration Configuring Passwords For example: To create an encrypted password called “mysecretpassword”, enter: ProCurve(config)#enable secret mysecretpassword When you enter show running-config, this will appear as a line in the running configuration as follows: enable secret 5 $1$ZyK.$8NHx2DJBsiGQyhTBmUakz1 where 5 indicates that the password has been encrypted. To allow passwords to be displayed in an unencrypted format, enter 0 before you enter the password.
Security Configuration Configuring Passwords To configure a switch password and set the privilege level, enter the following command in Configuration mode: ProCurve(config)#enable secret level <lvl> [encrypt|0|5] <string> where <lvl> is either 0 (Exec mode) or 15 (Privileged Exec mode); and [ 0 | 5 ] can be either 0 (an unencrypted password) or 5 (hidden or encrypted). For example, to set and encrypt a Privileged Exec mode password as abcd1234, you would enter the following command:...
Security Configuration Configuring Passwords 2. Enter the following command to configure a password to the line that you have specified: ProCurve(config-line)#password <password> By default the password you enter will be encrypted to prevent it from being displayed in the configuration file output. For example: To create an encrypted password called “mysecretpassword”...
Security Configuration Configuring Passwords Note: The following procedure may only be performed via the serial console. Because this procedure allows passwords to be changed without actually logging onto the switch, physical security should be maintained at all times. 1. If you have two Management Modules installed, pull the backup module out of its slot so that only one Management Module is active.
Security Configuration Using SSH Using SSH SSH provides more secure communications than using Telnet because connections are authenticated and communications over the network are encrypted. Secure shell (SSH) is a protocol based on OpenSSH that allows you to log in to a remote switch and execute commands on that system. The switch provides both an SSH server and client.
Security Configuration Using SSH The SSH client parameters are: ProCurve(config)#ssh ? - Force protocol version 1 - Force protocol version 2 - Specify encryption algorithm - Specify escape character - Specify a user name to log in as - Specify MAC algorithm for protocol version 2 - Specify the port to connect to on the remote host WORD(1..1024) - Target address or hostname Note...
Security Configuration Using SSH Using SSH and Telnet Sessions You can combine SSH connections with Telnet connections to reach your destination. Figure 5-1 shows different ways to mix secure and unsecure connections and the consequences experienced. Preferred Acceptable Telnet Telnet (Password exposed here) Figure 5-1.
Security Configuration Configuring Authentication Configuring Authentication You can configure authentication at the following levels: ■ Line ■ Enable mode ■ Local user ■ RADIUS/TACACS+ server groups To configure the authentication lists for logging in, enter the following command in Configuration mode: ProCurve(config)#aaa authentication login <method list>...
Security Configuration Configuring Authentication The parameters can be used as follows: ■ The group option allows you to use the default RADIUS or TACACS+ server group. ■ The group name option allows you to specify a defined server group. ■ Specify enable to set up an authentication method list for Privileged Exec...
Security Configuration Configuring Authentication To configure a banner to display prior to login, enter the following command in Configuration mode: ProCurve(config)#aaa authentication banner <C_TEXT_C(0..1023) - Banner text> where C_TEXT_C means delimited text. The first character you enter is interpreted as the delimiter, that is, the character you must enter to terminate banner text entry.
Security Configuration Configuring Authentication where: commands account for shell commands, default or listname specifies the accounting list to be used, system accounts for system event messages, cfg-change accounts for changes to the system configuration, broadcast sends records to multiple servers, and group specifies the server group to be used.
Security Configuration Configuring RADIUS Configuring RADIUS You can secure Exec or Privileged Exec mode access to the switch by enabling a Remote Authentication Dial-In User Service (RADIUS) client. (See RFCs 2865 and 2866 for more information on RADIUS.) A RADIUS server responds to the switch RADIUS client to provide authentication.
Security Configuration Configuring RADIUS Table 5-2. Configuring RADIUS Security (Continued) Command Action radius-server host <server-options> Uniquely define the host. Minimally, you can define an IP address or hostname, authentication port (default is 1812), and accounting port (default is 1813). If you specify 0 for the authentication port or accounting port, that port will not be used.
Security Configuration Configuring TACACS+ Configuring TACACS+ You can secure Exec or Privileged Exec mode access to the switch by enabling a TACACS+ client. A TACACS+ server responds to the switch TACACS+ client to provide authentication. You can configure multiple TACACS+ server targets on the switch. You can configure a timeout value to tell the switch how long to wait for a response from TACACS+ servers.
Security Configuration Configuring TACACS+ Monitoring TACACS+ To monitor TACACS+ by showing server statistics, enter the show tacacs servers command in Privileged Exec mode. The following example shows a configuration for two TACACS+ servers: ProCurve(config)#tacacs-server host 172.2.100.2 port 49 key testing123 ProCurve(config)#tacacs-server host 172.2.100.1 port 49 key testing123 ProCurve(config)#aaa group server tacacs+ MYTGROUP...
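The following is an added example, not part of the ProCurve guide: a small audit that scans a saved configuration for settings this chapter and the terminal-services section describe (an `enable secret` stored with type 0, `exec-timeout 0`, and a TACACS+ key copied from a documentation example). It assumes the running-config echoes commands in the form the guide shows them; the rule names, `MAX_IDLE_MINUTES` and `MIN_KEY_LENGTH` are hypothetical local policy values.

```python
"""Audit a saved 8100fl-style configuration for risky settings the guide describes."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    rule: str
    detail: str


# Assumptions (local policy, not values from the guide).
MAX_IDLE_MINUTES = 15
MIN_KEY_LENGTH = 16
# Shared secrets printed in documentation examples; never valid in production.
SAMPLE_KEYS = {"testing123"}

# "enable secret [level <lvl>] <0|5> <string>" as it appears in running-config.
ENABLE_RE = re.compile(
    r"^enable secret(?: level (?P<lvl>\d+))? (?P<type>[05]) (?P<value>\S+)$")
# Layout of the guide's type 5 example: $1$<salt>$<22-character digest>.
HASH_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")
TIMEOUT_RE = re.compile(r"^exec-timeout (?P<minutes>\d+)$")
TACACS_RE = re.compile(
    r"^tacacs-server host (?P<host>\S+)(?: port \d+)?(?: key (?P<key>\S+))?$")


def audit(config_text: str) -> List[Finding]:
    """Return one Finding per risky line, in file order."""
    findings: List[Finding] = []

    def add(line_no: int, rule: str, detail: str) -> None:
        findings.append(Finding(line_no, rule, detail))

    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()

        m = ENABLE_RE.match(line)
        if m:
            level = m.group("lvl") or "default"
            if m.group("type") == "0":
                add(line_no, "enable-secret-cleartext",
                    f"level {level} password is readable in the config")
            elif not HASH_RE.match(m.group("value")):
                add(line_no, "enable-secret-bad-hash",
                    f"level {level} is marked type 5 but is not hash-shaped")
            continue

        m = TIMEOUT_RE.match(line)
        if m:
            minutes = int(m.group("minutes"))
            if minutes == 0:
                add(line_no, "exec-timeout-unlimited",
                    "idle sessions never time out")
            elif minutes > MAX_IDLE_MINUTES:
                add(line_no, "exec-timeout-long",
                    f"{minutes} min exceeds policy of {MAX_IDLE_MINUTES}")
            continue

        m = TACACS_RE.match(line)
        if m and m.group("key"):
            key, host = m.group("key"), m.group("host")
            if key in SAMPLE_KEYS:
                add(line_no, "tacacs-sample-key",
                    f"server {host} uses a key copied from documentation")
            elif len(key) < MIN_KEY_LENGTH:
                add(line_no, "tacacs-weak-key",
                    f"server {host} key is shorter than {MIN_KEY_LENGTH}")
    return findings


# Constructed sample; the hash, password and key are the ones printed in the guide.
SAMPLE_CONFIG = """\
hostname ProCurve
enable secret 5 $1$ZyK.$8NHx2DJBsiGQyhTBmUakz1
enable secret level 15 0 abcd1234
exec-timeout 0
exec-timeout 60
exec-timeout 10
tacacs-server host 172.2.100.2 port 49 key testing123
tacacs-server host 172.2.100.1 port 49 key testing123
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f.line_no}: [{f.rule}] {f.detail}")
```

The findings report line numbers and rule names only, so the audit output can be shared without repeating the secrets it flags.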
VLAN Configuration Overview Overview Virtual LANs (VLANs) are a means of dividing a physical network into several logical (virtual) LANs. The division can be done on the basis of various criteria, giving rise to different types of VLANs. For example, the simplest type of VLAN is the port-based VLAN.
VLAN Configuration Overview The 8100fl switch uses VLANs to achieve this behavior. This means that a Layer 3 subnet (that is, an IP subnet) is mapped to a VLAN. A given subnet maps to exactly one and only one VLAN. With this definition, the terms VLAN and subnet are almost interchangeable.
VLAN Configuration Access Ports and Trunk Ports (802.1P and 802.1Q support) Access Ports and Trunk Ports (802.1P and 802.1Q support) The ports of the 8100fl switch can be classified into two types, based on VLAN functionality: access ports and trunk ports. By default, a port is an access port.
VLAN Configuration Configuring a VLAN Configuring a VLAN This section shows you how to create a VLAN and assign ports. Creating a VLAN The 8100fl switch supports standards-based VLAN trunking between multiple 8100fl switches as defined by IEEE 802.1Q. 802.1Q adds a header to a standard Ethernet frame.
VLAN Configuration Configuring a VLAN Adding Ports to a VLAN To configure a port that belongs only to one VLAN (that is, a port that sends out untagged packets), use the switchport command in Interface Configuration mode: ProCurve(config-if)#switchport mode access To configure VLAN trunk ports (that is, ports that send out tagged packets to multiple VLANs), enter: ProCurve(config-if)#switchport mode trunk...
VLAN Configuration Configuring a VLAN ■ The default status for a Layer 3 VLAN is shutdown. You must use the no shutdown command to enable these ports. You can verify a port’s status by examining the running configuration to see if no shutdown appears for each port’s configuration.
Link Aggregation Configuration Overview Overview This chapter explains how to configure: ■ A manual (or static) Link Aggregate Group (LAG) on the switch ■ A dynamic link using Link Aggregation Control Protocol (LACP). Link aggregation on the 8100fl switch has the following features and characteristics: ■ Link aggregation performs load balancing (based on the aggregation hash...
Link Aggregation Configuration Configuring Static Link Aggregations (LAG) Configuring Static Link Aggregations (LAG) The steps for creating and configuring a manual or static link aggregation are: Create a LAG. Add physical ports to the LAG. Creating a LAG When creating a LAG, assign an ID to the LAG. Here is an example of creating a LAG with the ID of 11: ProCurve(config)#aggregator 11 Adding Physical Ports to the LAG...
Link Aggregation Configuration Configuring Dynamic Link Aggregations (LACP) Configuring Dynamic Link Aggregations (LACP) To configure and maintain a link aggregation group automatically, you must use 802.3ad LACP, which is supported on the switch. This protocol can detect the presence and capabilities of other aggregation capable devices automatically.
Link Aggregation Configuration Configuring Dynamic Link Aggregations (LACP) Creating the Aggregation The first thing you must do in creating a dynamic aggregation is to define the aggregation. Do this by entering from Configuration mode: ProCurve(config)#aggregator <aggregator ID number> Specifying the System 1. To specify the system priority value for each host, from Configuration mode enter: ProCurve(config)#lacp sys-priority 5...
Link Aggregation Configuration Configuring Dynamic Link Aggregations (LACP) Configuring the Partner System You have the option to configure the end-to-end specifications for the link aggregation. To do so, you must configure both ends of the links. For example, to configure a LAG with an ID of 13: 1. From Configuration mode on the 8100fl switch enter: ProCurve(config)#aggregator 13 ProCurve(config-lag-13)#partner-sys-id <mac address>...
Link Aggregation Configuration LAG and LACP Configuration Example LAG and LACP Configuration Example Figure 7-1 shows manual LAG11 connecting five ports on System Blue to five ports on System Red. It also shows LACP 22 connecting three ports on System Blue to three ports on System Red.
Link Aggregation Configuration LAG and LACP Configuration Example Figure 7-2 shows the configuration for these two aggregations on System Blue. vlan 2-101 bridge stp bridge-priority 1000 aggregator 11 aggregator 22 port-type gigethernet actorkey 12 partnerkey 50 interface GigabitEthernet2/5 no shutdown lag 11 interface GigabitEthernet2/6 no shutdown...
Link Aggregation Configuration LAG and LACP Configuration Example Figure 7-3 shows the corresponding configuration on System Red. vlan 2-101 bridge stp bridge-priority 2000 aggregator 11 aggregator 22 port-type gigethernet actorkey 50 partnerkey 12 interface GigabitEthernet3/5 no shutdown lag 11 interface GigabitEthernet3/6 no shutdown lag 11 interface GigabitEthernet3/8...
Link Aggregation Configuration Monitoring LAG and LACP Monitoring LAG and LACP The following section shows commands and examples to use to view LAG and LACP configuration information and statistics. Monitoring LAG Configurations The show port summary command displays information on LAG configurations (see the examples for details).
Link Aggregation Configuration Monitoring LAG and LACP The following example displays the LAG attributes for LAGs. ProCurve#show lag all-lags lag-tuples LAG Tuple Ports -------------- [(1, 000a.af00.0dfe, 12, 0, 0), (255, --, 65535, 0, 0)] Gig11/8 [(1, 000a.af00.0dfe, 12, 0, 0), (1, 000a.af00.50fe, 50, 0, 0)] Gig2/8 Gig2/9...
Link Aggregation Configuration Monitoring LAG and LACP The following example displays the categories of information available for LAG member ports. ProCurve#show lag all-lags member-ports Lag Id Designated Port Member Ports Status lag.11 Gig11/5 Gig2/5 enabled/up Gig2/6 enabled/up Gig2/7 enabled/up Gig11/5 enabled/up Gig11/6 enabled/up...
Link Aggregation Configuration Monitoring LAG and LACP The following example displays the categories of information returned by the show lag all-lag attributes command for System Red. system_red#show lag all-lag attributes ************************************************ LAG 11 attributes ************************************************ LAG Name : LAG11 Admin status : Up Trunk status : Trunk Native VLAN : 1 VLAN membership in : 101 VLANs (VLAN 1-101)
Link Aggregation Configuration Monitoring LAG and LACP The following example displays the categories of information returned by the show lag all-lag parameters command for System Red. system_red#show lag lag22 parameters ************************************************ LAG 22 parameters ************************************************ LAG Name : LAG22 Port Type : Gigabit Ethernet Actor Key : 50 Partner Key : 12 Partner System Pri : 1...
Link Aggregation Configuration Monitoring LAG and LACP Table 7-1. show lacp <port> statistics Fields Description LACP pdus received The number of protocol data units received on this interface since it was last activated Marker pdus received The number of response protocol data units received on this interface since it was last activated.
Link Aggregation Configuration Monitoring LAG and LACP The following example displays the categories of information returned by the show lacp <port> parameters command. ProCurve#show lacp gi 2/9 parameters LACP parameters (Gig2/9) : Actor system priority: system mac addr: 000a.af00.0dfe port admin key: port oper key: port number: 1609...
QoS Configuration Overview Overview The 8100fl switch was designed with Quality of Service (QoS) in mind. QoS is performed globally and centrally by a scheduler that sees all the queues and all the priorities for every port. Therefore, the switch only has to queue traffic once on ingress to schedule traffic through the system, with the result that wire speed performance is not compromised.
QoS Configuration Overview [Figure 8-1. The QoS Classifier Connecting Ingress and Egress Traffic. Labels: Class Map (l2 - MAC, 802.1p; l3 - Source IP, Destination IP, subnet range, port range, protocol type (UDP, TCP, IP), TOS bit), Policy Map, incoming traffic, ingress ports, outgoing classified traffic, egress ports] All incoming traffic is sorted into five queues or forwarding paths that can be controlled separately.
QoS Configuration Using QoS Commands Using QoS Commands This section explains the QoS commands available in this release. Spolicy Input Commands To access the special policy input mode, enter from Configuration mode: ProCurve(config)#spolicy-input-map <traffic policy name> To access the spolicy input mode map command, enter from Policy Map Configuration mode: ProCurve(config-spimap)#map <cos|ip-dscp|ip-precedence>...
QoS Configuration Using QoS Commands Differentiated Class To configure a differentiated class, enter from Special Output Map mode diff-class <diff-serv class> where diff-serv-class is one of the following values: af11—Assured Forwarding Class 1—drop probability 1 af12—Assured Forwarding Class 1—drop probability 2 af13—Assured Forwarding Class 1—drop probability 3 af21—Assured Forwarding Class 1—drop probability 1 af22—Assured Forwarding Class 1—drop probability 2...
QoS Configuration Using QoS Commands Note: Queue depths (variables A and B) are expressed in terms of a percentage of 256. Therefore 25% of 256 is 64 and 75% is 192. Queue probability (variable C) is simply a percentage. 100% Queue Depth Figure 8-2....
QoS Configuration Using QoS Commands For example, if you want to invoke WRED when the queue is approximately 25% full, assign the drop probability to 1 when the queue is approximately 75% full, and drop all packets when the queue is completely full (drop probability is 100%), you would enter: ProCurve(config-spomap-dc)#random-detect 64 192 100 Differential Class Group...
QoS Configuration Using QoS Commands Interface Commands The QoS traffic policy maps you create must be attached to an interface before they can process incoming traffic. For example, to define a service policy from an interface (Ethernet, GigabitEthernet, TenGigabitEthernet, etc.), enter: ProCurve(config-if)#service-policy <input|input-spmap|output-spmap>...
QoS Configuration Using QoS Commands [Figure 8-3. QoS Example. Labels: Diff-Serv Domain, 8100fl Switch, Classifier, Packet 1, Packet 2, queue 2, queue 4, ToS bit 7, ToS bit 8]
Spanning-Tree Operation Overview Overview Spanning tree is used to prevent network loops. Without spanning tree it is possible to have more than one active path to a destination, which can result in duplication of messages, leading to a “broadcast storm” that can bring down the network.
Spanning-Tree Operation Overview For example, suppose you have three switches in a region configured with VLANs grouped into two instances, as follows:
Instance 1: VLANs 10, 11, 12
Instance 2: VLANs 20, 21, 22
The logical and physical topologies resulting from these VLAN/Instance groupings result in blocking on different links for different VLANs:
Region “A”: Logical Topology Path blocked for VLANs in instance 2.
Spanning-Tree Operation 802.1s Multiple Spanning Tree Protocol (MSTP) 802.1s Multiple Spanning Tree Protocol (MSTP) The 802.1D and 802.1w spanning tree protocols operate without regard to a network’s VLAN configuration, and maintain one common spanning tree throughout a bridged network. Thus, these protocols map one loop-free, logical topology on a given physical topology.
Spanning-Tree Operation 802.1s Multiple Spanning Tree Protocol (MSTP) MSTP Structure MSTP maps active, separate paths through separate spanning tree instances and between MST regions. Each MST region comprises one or more MSTP switches. Note that MSTP recognizes an STP or RSTP LAN as a distinct spanning-tree region.
Spanning-Tree Operation 802.1s Multiple Spanning Tree Protocol (MSTP) Terminology Bridge: See “MSTP Bridge”. Common and Internal Spanning Tree (CIST): Comprises all LANs, STP, and RSTP bridges and MSTP regions in a network. The CIST automatically determines the MST regions in a network and defines the root bridge (switch) and designated port for each region.
Spanning-Tree Operation 802.1s Multiple Spanning Tree Protocol (MSTP) ■ MSTI (Multiple Spanning Tree Instance): This type of configurable spanning tree instance comprises all static VLANs you specifically assign to it, and must include at least one VLAN. The VLAN(s) you assign to an MSTI must initially exist in the IST instance of the same MST region.
Spanning-Tree Operation 802.1s Multiple Spanning Tree Protocol (MSTP) How MSTP Operates In the factory default configuration, spanning tree operation is off. Also, the switch retains its currently configured spanning tree parameter settings when disabled. Thus, if you disable spanning tree, then later re-enable it, the parameter settings will be the same as before spanning tree was disabled.
Spanning-Tree Operation 802.1s Multiple Spanning Tree Protocol (MSTP)
[Figure: Region “X”. Switch 1 is the IST Root. VLAN Memberships: IST Instance: VLANs 1, 2; MSTI “A”: 4, 5; MSTI “B”: 7, 9. Callouts: Path through IST Instance to Other Regions; Blocks redundant link for MSTI “A”.]...
Spanning-Tree Operation 802.1s Multiple Spanning Tree Protocol (MSTP) All MSTP switches (as well as STP and RSTP switches) in a network use BPDUs (Bridge Protocol Data Units) to exchange information from which to build multiple, active topologies in the individual instances within a region and between regions.
Spanning-Tree Operation 802.1s Multiple Spanning Tree Protocol (MSTP)
Problem: An MST instance with two separate (non-trunked) links blocks a VLAN link. Nodes 1 and 2 cannot communicate because...
Solution: Configure one trunked link for the two VLAN memberships. Nodes 1 and 2 can communicate because the MST instance sees the trunk as a single link and 802.1Q (tagged) VLANs enable the use of one...
Spanning-Tree Operation 802.1s Multiple Spanning Tree Protocol (MSTP) ■ Within any region, the root switch for the IST instance is also the root switch for the region. Because boundary ports provide the VLAN connectivity between regions, all boundary ports on a region's root switch should be configured as members of all static VLANs defined in the region.
Spanning-Tree Operation 802.1s Multiple Spanning Tree Protocol (MSTP) Transitioning from STP or RSTP to MSTP IEEE 802.1s MSTP includes RSTP functionality and is designed to be compatible with both IEEE 802.1D and 802.1w spanning-tree protocols. Even if all the other devices in your network are using STP, you can enable MSTP on the 8100fl switch.
Spanning-Tree Operation 802.1s Multiple Spanning Tree Protocol (MSTP) ■ Plan individual regions based on VLAN groupings. That is, plan on all MSTP switches in a given region supporting the same set of VLANs. Within each region, determine the VLAN membership for each spanning-tree instance.
Spanning-Tree Operation Configuring MSTP Configuring MSTP This section outlines the general steps for configuring MSTP operation in your network, and assumes you have already planned and configured the VLANs you want MSTP to use. The actual MSTP parameter descriptions are in the following sections.
Spanning-Tree Operation Configuring MSTP Configure MST instances. • Configure one instance for each VLAN group that you want to operate as an active topology within the region to which the switch belongs. When you create the instance, you should include a minimum of one VID.
Spanning-Tree Operation Configuring MSTP c. Set the path-cost value for the port(s) used by a specific MST instance. Leaving this setting at the default auto allows the switch to calculate the path-cost from the link speed. spanning-tree instance <instance-id> path-cost <cost> Configuring MSTP Operation Mode and Global Parameters The commands in this section apply on the switch level, and do not affect...
Spanning-Tree Operation Configuring MSTP Syntax: spanning-tree max-hops < hop-count > This command resets the number of hops allowed for BPDUs in an MST region. When an MSTP switch receives a BPDU, it decrements the hop-count setting the BPDU carries. If the hop-count reaches zero, the receiving switch drops the BPDU.
Spanning-Tree Operation Configuring MSTP Configuring Basic Port Connectivity Parameters The following commands must be entered on a port-by-port basis within the interface configuration context. For example, to set the message transmission interval on port 1 of slot 5, you would first enter the interface context and then enter the configuration command.
Spanning-Tree Operation Configuring MSTP Syntax: [no] spanning-tree < edge-port | mcheck > [ edge-port ] Enable edge-port on ports connected to end nodes. During spanning tree establishment, ports with edge-port enabled transition immediately to the forwarding state. Disable this feature on any switch port that is connected to another switch, bridge, or hub.
Spanning-Tree Operation Configuring MSTP [point-to-point-mac < force-true | force-false | auto >] This parameter informs the switch of the type of device to which a specific port connects. Force-True (default): Indicates a point-to-point link to a device such as a switch, bridge, or end-node. Force-False: Indicates a connection to a hub (which is a shared LAN segment).
Spanning-Tree Operation Configuring MSTP Configuring MST Instance Parameters The commands in this section apply on the switch level, and do not affect individual port configurations. Those commands listed as belonging to the spanning tree instance context must be entered within the instance configuration context.
Spanning-Tree Operation Configuring MSTP Syntax: spanning-tree priority < priority-multiplier > Every switch running an instance of MSTP has a Bridge Identifier, which is a unique identifier that helps distinguish this switch from all others. The switch with the lowest Bridge Identifier is elected as the root for the tree.
Spanning-Tree Operation Configuring MSTP Syntax: spanning-tree priority <priority-multiplier > This command is used within the spanning-tree instance configuration context and sets the switch (bridge) priority for the designated instance. This priority is compared with the priorities of other switches in the same instance to determine the root switch for the instance.
Spanning-Tree Operation Configuring MSTP Configuring MST Instance Per-Port Parameters The commands in this section must be entered on a port-by-port basis within the interface configuration context. You may also need to specify the MST instance to which the command applies. For example, to set the port’s path-cost on port 2 of slot 5, you would first enter the following.
Spanning-Tree Operation Configuring MSTP Syntax: spanning-tree instance < 1..16 > priority <priority-multiplier> This command sets the priority for the specified port in the specified MST instance. (For a given port, the priority setting can be different for different MST instances to which the port may belong.) The priority range for a port in a given MST instance is 0-255.
Spanning-Tree Operation Configuring MSTP Syntax: spanning-tree priority < priority-multiplier > This command sets the priority for the specified port(s) for the IST (that is, Instance 0) of the region in which the switch resides. The “priority” component of the port’s “Port Identifier” is set. The Port Identifier is a unique identifier that helps distinguish this switch’s ports from all others.
Spanning-Tree Operation MSTP Show Commands and Troubleshooting MSTP Show Commands and Troubleshooting The following commands are used to display MSTP statistics and configuration information.
Command                                                  Page
MSTP Statistics:
  show spanning-tree                                     below
  show spanning-tree <interface-id>                      below
  show spanning-tree instance < ist | 1..16 > bridge     9-30
  show spanning-tree instance <...
Spanning-Tree Operation MSTP Show Commands and Troubleshooting
Figure callouts: “Switch’s spanning-tree configuration, global settings”; “Identifies the overall spanning-tree root for the network.”; “Lists the switch’s MSTP root data for...”
ProCurve(config)#show spanning-tree
Force Version : 802.1s (MSTP)
Bridge ID : 32768:000d00000001
Ports In Bridge
Max Age : 20 secs
Hello Time : 2 secs
Forward Delay...
Spanning-Tree Operation MSTP Show Commands and Troubleshooting Displaying Statistics for a Specific MST Instance Syntax: show spanning-tree instance < ist | 1..16 > This command displays the MSTP statistics for either the IST instance or a numbered MST instance running on the switch. ProCurve(config)#show spanning-tree instance 1 Force Version : 802.1s (MSTP)
Spanning-Tree Operation MSTP Show Commands and Troubleshooting Displaying the MSTP Configuration This command output is useful for quickly verifying the allocation of VLANs in the switch’s MSTP configuration and for viewing the configured region identifiers. Syntax: show spanning-tree mst-config This command displays the switch’s regional configuration. Note: The switch computes the MSTP Configuration Digest from the VID to MSTI configuration mappings on the switch itself.
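The digest comparison behind that note, as an added example (not code from this guide or from ProCurve): IEEE 802.1Q defines the Configuration Digest as HMAC-MD5, under a fixed key published in the standard, over a 4096-entry table that maps each VID to its MSTI. The hostnames, region name, revision and instance numbers 1 and 2 are constructed sample values.

```python
import hashlib
import hmac

# Fixed signature key that IEEE 802.1Q assigns to the MST Configuration Digest.
# The key is public: the digest detects mismatched mappings, it authenticates nothing.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def mst_config_digest(vid_to_msti):
    """HMAC-MD5 over the VID-to-MSTI table; VIDs not listed stay in the IST (0)."""
    table = bytearray(4096 * 2)      # two octets per VID; VID 0 and 4095 stay zero
    for vid, msti in vid_to_msti.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"VID {vid} is outside 1..4094")
        if not 0 <= msti <= 16:      # this guide numbers MST instances 1..16
            raise ValueError(f"instance {msti} is outside 0..16")
        table[2 * vid:2 * vid + 2] = msti.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest()


def differing_vids(a, b):
    """VIDs that two mappings place in different instances."""
    return sorted(v for v in set(a) | set(b) if a.get(v, 0) != b.get(v, 0))


def audit_region(reference, others):
    """Compare each switch with the reference (name, revision, mapping).

    A switch whose name, revision or digest differs is treated by its
    neighbours as belonging to another region.
    """
    ref_name, ref_rev, ref_map = reference
    ref_digest = mst_config_digest(ref_map)
    findings = {}
    for host, (name, rev, mapping) in others.items():
        issues = []
        if name != ref_name:
            issues.append(f"configuration name {name!r} differs from {ref_name!r}")
        if rev != ref_rev:
            issues.append(f"revision {rev} differs from {ref_rev}")
        if mst_config_digest(mapping) != ref_digest:
            vids = differing_vids(ref_map, mapping)
            issues.append(f"digest mismatch, VIDs mapped differently: {vids}")
        if issues:
            findings[host] = issues
    return findings


# Constructed sample: one instance for VLANs 4, 5 and one for VLANs 7, 9.
REFERENCE = ("RegionX", 1, {4: 1, 5: 1, 7: 2, 9: 2})
OTHERS = {
    "sw2": ("RegionX", 1, {9: 2, 7: 2, 5: 1, 4: 1}),   # same mapping, other order
    "sw3": ("RegionX", 1, {4: 1, 5: 1, 7: 2}),         # VLAN 9 left in the IST
}

if __name__ == "__main__":
    for host, issues in audit_region(REFERENCE, OTHERS).items():
        print(host, issues)
```

Comparing the digest shown by show spanning-tree mst-config on each switch gives the same answer without collecting the full VLAN tables.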
Spanning-Tree Operation MSTP Show Commands and Troubleshooting
debug spanning-tree clear: Logs information about clear parameters.
debug spanning-tree flush: Logs for displaying flush-related information.
debug spanning-tree set: Logs information about set parameters.
debug spanning-tree show: Logs information about show parameters.
debug spanning-tree tc: Logs information about state changes on individual ports.
Spanning-Tree Operation MSTP Show Commands and Troubleshooting Operating Notes SNMP MIB Support for MSTP. MSTP is a superset of the STP/802.1D and RSTP/802.1w versions of STP, and will use the MIB objects defined for these earlier versions of STP as well as its own defined MIB objects. Troubleshooting Duplicate packets on a VLAN, or packets not arriving on a LAN at all.
Multimedia Traffic Control with IP Multicast (IGMP) Overview Overview This chapter describes multimedia traffic control with IP multicast (IGMP) to reduce unnecessary bandwidth usage on a per-port basis, and how to configure it with the switch’s built-in interfaces. IGMP General Operation and Features In a network where IP multicast traffic is transmitted for various multimedia applications, you can use the switch to reduce unnecessary bandwidth usage on a per-port basis by configuring IGMP (Internet Group Management...
Multimedia Traffic Control with IP Multicast (IGMP) CLI: Configuring and Displaying IGMP CLI: Configuring and Displaying IGMP The following commands can be used to configure and display IGMP settings on the 8100fl switch. Enabling or Disabling IGMP In the factory default configuration, IGMP is disabled. To enable IGMP:
■ If multiple VLANs are not configured, you configure IGMP on the default...
Multimedia Traffic Control with IP Multicast (IGMP) CLI: Configuring and Displaying IGMP ■ Blocked: Drop all IGMP Control traffic (reports, joins, leaves) received from devices on the specified ports, and prevent any outgoing multicast traffic from moving through these ports. Multicast traffic (non-control) will be received and forwarded to the VLAN ports according to the currently established IGMP forwarding rules.
Multimedia Traffic Control with IP Multicast (IGMP) CLI: Configuring and Displaying IGMP You could use the following commands to configure IGMP on VLAN 2 with the preceding settings:
ProCurve(config)# int gig 5/3
  Enters interface context for port 3 in slot 5.
ProCurve(config-interface-gig5/3)#ip igmp snooping forward vlan 2
  Forwards all multicast traffic for this port on vlan 2.
Multimedia Traffic Control with IP Multicast (IGMP) CLI: Configuring and Displaying IGMP IGMP Show Commands The following commands are used to display IGMP configuration information and statistics. Viewing the Current IGMP Configuration The following IGMP show commands list the IGMP configuration for all VLANs configured on the switch or for a specific VLAN.
Multimedia Traffic Control with IP Multicast (IGMP) CLI: Configuring and Displaying IGMP The show ip igmp snooping vlan config command includes the VLAN ID (vid) designation, and combines the above data with the IGMP per-port configuration:
Figure callout: “IGMP Configuration for the Selected VLAN”
ProCurve#show ip igmp snooping vlan 11 config
VLAN ID...
Multimedia Traffic Control with IP Multicast (IGMP) How IGMP Operates For example, suppose that show ip igmp snooping listed an IGMP group address of 224.0.1.22. You could get additional data on that group by executing the following command. ProCurve#show ip igmp snooping group 224.0.1.22 IGMP ports for group 224.0.1.22 Port Access...
Multimedia Traffic Control with IP Multicast (IGMP) How IGMP Operates IGMP Messages The multicast group running version 2 of IGMP uses three fundamental types of messages to communicate: ■ Query: A message sent from the querier (multicast router or switch) asking for a response from each host belonging to the multicast group.
Multimedia Traffic Control with IP Multicast (IGMP) How IGMP Operates ■ When a networking device with IGMP enabled receives the join request for a specific group, it forwards any IP multicast traffic it receives for that group through the port on which the join request was received. ■...
IGMP client on a port in the VLAN leaves the group. Support Fast-Leave IGMP and Forced Fast-
cast router or another switch configured for IGMP operation. (HP recommends that the VLAN also include a device operating as a backup Querier in case the device operating as the primary Querier fails for any reason....
Multimedia Traffic Control with IP Multicast (IGMP) How IGMP Operates In the next figure, automatic Fast-Leave operates on the switch ports for IGMP clients “3A” and “5A”, but not on the switch port for IGMP clients “7A” and 7B, Server “7C”, and printer “7D”. Fast-Leave IGMP Server automatically operates on...
Multimedia Traffic Control with IP Multicast (IGMP) How IGMP Operates Configuring Fast-Leave IGMP The following interface-based command can be used to disable/re-enable Fast-Leave IGMP operation on a per-port basis. Syntax: [no] ip igmp snooping fastleave Enables IGMP Fast-Leaves on the specified port. (Default: Enabled.) The no form of the command disables IGMP Fast-Leave on the speci...
Multimedia Traffic Control with IP Multicast (IGMP) How IGMP Operates For example, to configure Forced Fast-Leave IGMP on port 5/3, you would enter the following command:
ProCurve(config)# int gig 5/3
  Enters interface-based configuration context for port 3 in slot 5.
ProCurve(config-interface-gig5/3)#ip igmp snooping forcedfastleave
  Enables Forced Fast-Leave operation on port 5/3.
Multimedia Traffic Control with IP Multicast (IGMP) How IGMP Operates
I 01/15/01 09:01:13 igmp: DEFAULT_VLAN: Other Querier detected
I 01/15/01 09:01:13 igmp: DEFAULT_VLAN: This switch is no longer Querier
In the above scenario, if the other device ceases to operate as a Querier on the default VLAN, then the switch detects this change and can become the Querier as long as it is not pre-empted by some other IGMP Querier on the VLAN.
Multimedia Traffic Control with IP Multicast (IGMP) How IGMP Operates Disabling or Re-enabling Data-Driven IGMP Whenever IGMP snooping is enabled on a VLAN, data-driven IGMP is automatically enabled for the switch. When unregistered multicasts are received, the data-driven IP Multicast feature (“Smart IGMP”) enables the switch to filter them automatically.
Multimedia Traffic Control with IP Multicast (IGMP) How IGMP Operates Notes: IP Multicast Filters. IP multicast addresses occur in the range from 224.0.0.0 through 239.255.255.255 (which corresponds to the Ethernet multicast address range of 01005e-000000 through 01005e-7fffff). Where a switch has a static Traffic/Security filter configured with a “Multicast”...
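The address correspondence in that note, worked through as an added example (not code from this guide): only the low 23 bits of an IPv4 group address are copied into the Ethernet address, so 32 IP groups share each multicast MAC, and a filter keyed on one MAC matches all of them. The observed group list is constructed; 224.0.1.22 is the group used earlier in this chapter.

```python
import ipaddress

MCAST_BASE = int(ipaddress.IPv4Address("224.0.0.0"))
MAC_PREFIX = 0x01005E << 24              # 01005e-000000


def multicast_mac(group):
    """Ethernet address for an IPv4 group, in the guide's xxxxxx-xxxxxx notation."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is outside 224.0.0.0 through 239.255.255.255")
    mac = MAC_PREFIX | (int(ip) & 0x7FFFFF)      # only the low 23 bits are copied
    text = f"{mac:012x}"
    return f"{text[:6]}-{text[6:]}"


def aliased_groups(group):
    """All 32 IPv4 groups that map to the same Ethernet address as `group`."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is outside 224.0.0.0 through 239.255.255.255")
    low23 = int(ip) & 0x7FFFFF
    # The 5 bits between the fixed 1110 prefix and the low 23 bits are lost.
    return [str(ipaddress.IPv4Address(MCAST_BASE | (hi << 23) | low23))
            for hi in range(32)]


def groups_caught_by_mac_filter(filter_mac, groups):
    """Which of `groups` a filter on a single Ethernet address would match."""
    wanted = filter_mac.lower().replace("-", "").replace(":", "")
    return [g for g in groups if multicast_mac(g).replace("-", "") == wanted]


# Constructed list of groups seen on a VLAN.
OBSERVED = ["224.0.1.22", "225.0.1.22", "239.128.1.22", "224.0.1.23"]

if __name__ == "__main__":
    mac = multicast_mac("224.0.1.22")
    print(mac, groups_caught_by_mac_filter(mac, OBSERVED))
```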
IP Routing Configuration Overview Overview The 8100fl switch supports standards-based unicast routing for protocols such as TCP, UDP, and IP. Unicast routing protocol support covers both Interior Gateway Protocols and Exterior Gateway Protocols. This chapter describes how to configure IP interfaces and general non-protocol-specific routing parameters.
IP Routing Configuration Configuring IP Interfaces Configuring IP Interfaces You can configure an IP interface to a single port or to a VLAN. This section provides an overview of configuring IP interfaces. Interfaces on the 8100fl switch are logical interfaces. Therefore, you can associate an interface with a single port or with multiple ports: ■...
IP Routing Configuration Configuring IP Interfaces Extending the IP Configuration You can configure a ProCurve 8100fl interface to support the following configurations:
■ ip access-group specifies the name of an access control list to control packets
■ ip address sets the IP address of an interface
■...
IP Routing Configuration Configuring Jumbo Frames Configuring Jumbo Frames Certain ProCurve 8100fl interface modules support jumbo frames (frames larger than the standard Ethernet frame size of 1518 bytes). To transmit frames of up to 9216 bytes, you increase the maximum transmission unit (MTU) size from the default of 1522.
IP Routing Configuration Layer 2 Filters Layer 2 Filters Layer 2 filters on the 8100fl switch allow you to configure ports to filter specific MAC addresses. When defining a Layer 2 filter, you specify the ports to which you want the filter to apply. You can specify the following filters: Address filters.
IP Routing Configuration Layer 2 Filters Layer 2 Filter Examples Figure 11-1 shows an example of the router connections for which Layer 2 filters will be configured.
[Figure 11-1: Router with ports gi 1/1, gi 1/2 and gi 1/3. Labels: Engineering File Servers; Finance File Servers; Engineers, Consultant]...
IP Routing Configuration Configuring Address Resolution Protocol (ARP) Configuring Address Resolution Protocol (ARP) The Address Resolution Protocol (ARP) is used to associate IP addresses with media or MAC addresses. Taking an IP address as input, ARP determines the associated MAC address. Once a media or MAC address is determined, the IP address/media address association is stored in an ARP cache for rapid retrieval.
IP Routing Configuration Configuring Address Resolution Protocol (ARP) To configure the ARP refresh interval: From Configuration mode, enter the VLAN interface. Enter the ARP refresh interval using the arp refresh command. For example, to configure VLAN 701 with an ip address of 171.1.1 255.255.255.0, an arp refresh interval of 120 seconds, and an arp timeout of 300 seconds, you would enter the following commands: ProCurve(config)#interface vlan701...
IP Routing Configuration Configuring Basic IP Parameters Configuring Basic IP Parameters This section explains how to configure the following basic IP parameters. Configuring DNS Parameters The 8100fl switch can be configured to specify DNS servers, which supply name services for DNS requests. You can specify up to three DNS servers. For example, to configure the default DNS server with the domain name “ProCurve_8100.com”, enter: ProCurve(config)#ip domain-name ProCurve_8100.com...
IP Routing Configuration Configuring Basic IP Parameters
• VLAN interface:
ProCurve(config-vlan-3)# interface vlan 3
ProCurve(config-interface-vlan3)# ip helper-address 10.1.1.2
• Port interface:
ProCurve(config)# int gig 5/2
ProCurve(config-interface-gig 5/2)# ip helper-address 10.1.1.2
2. Globally enable forwarding of IP BOOTP broadcasts on the switch, using the ip forward-protocol udp bootps command....
IP Routing Configuration Configuring Basic IP Parameters The following example displays the contents of the routing table. It shows that some of the route entries are for locally connected interfaces (“directly connected”), while some of the other routes are learned from OSPF. ProCurve#show ip route Codes: R - RIP derived, O - OSPF derived, C - connected, S - static,...
IP Routing Configuration Configuring Basic IP Parameters Setting Memory Thresholds The routing information base (RIB) is stored in the switch’s memory. You can use the ip table-partition command to configure the percentage of the available memory that is used for storing IP route entries. (For the command to take effect, the interface modules in the system need to be rebooted.) When the threshold level you configure is reached, no new routes are added.
RIP Configuration Overview Overview This chapter describes how to configure the Routing Information Protocol (RIP) on the 8100fl switch. RIP is a distance-vector routing protocol for use in small networks. A router running RIP broadcasts updates at set intervals. Each update contains paired values where each pair consists of an IP network address and an integer distance to that network.
RIP Configuration Configuring RIP on the Switch Enabling and Disabling RIP To enable or disable RIP on the switch, enter one of the following commands in Configuration mode:
■ To enable RIP, enter router rip.
■ To disable RIP, enter no router rip.
■...
RIP Configuration Configuring RIP on the Switch Setting Default Metrics To set the default metric of distributed routes, enter: ProCurve(config-router)#default-metric <number> Defining Administrative Distance The administrative distance is a metric used to determine the best path to use when more than one route to the same destination exists but in different routing protocols.
RIP Configuration Configuring RIP on the Switch Limiting Paths Your RIP routing table can track up to four paths to another router. You can set that number to as low as one path. To limit the number of connections your routing tables will maintain to any one IP address, enter: ProCurve(config-router)#maximum-paths <number>...
RIP Configuration Configuring an Interface for RIP Configuring an Interface for RIP To configure RIP in the switch, you must first add interfaces in the Interface Configuration mode to inform RIP about attached interfaces. Table 12-1. Configuring an Interface for RIP Command Action ip rip authentication mode {md5 | <text>}...
RIP Configuration Configuring an Interface for RIP Configuration Example The following configuration example configures Gigabit Ethernet ports 3 and 4 in slot 1 to support RIP version 2 and to apply MD5 authentication control to incoming RIP traffic. The 8100fl switch is also configured to support RIP version 2, to redistribute traffic from OSPF.
RIP Configuration Configuring an Interface for RIP Related Topics For more about the protocol-independent features that apply to RIP, such as configuring authentication and routing policies, refer to Chapter 14, “Configuring Routing Policies”. For information on how to configure IP interfaces and general non-protocol specific routing parameters, refer to Chapter 11, “IP Routing Configuration”.
OSPF Configuration Overview Overview Open Shortest Path First (OSPF) is a modern, scalable, and fast link-state routing protocol. It is an interior routing protocol (IGP), used to distribute routing information within the boundaries of an Autonomous System (AS). Each OSPF router chooses the shortest path to any known destination based on complete knowledge of the routing topology within the AS, and using Dijkstra's SPF algorithm.
OSPF Configuration Overview Multipath Support The 8100fl switch supports OSPF and static Multi-path. If multiple equal-cost OSPF or static routes have been defined for any destination, then the switch “discovers” and uses all of them. The switch will automatically learn up to sixteen equal-cost OSPF or static routes and retain them in its forwarding information base (FIB).
OSPF Configuration Overview Area Routers. In connection to areas, the following terms are used in OSPF:
■ ABR (Area Border Router) — A router that connects the Backbone (area 0) with some other area(s).
■ ASBR (Autonomous System Border Router) — A router that redistributes...
OSPF Configuration Configuring OSPF Router Parameters Configuring OSPF Router Parameters To configure OSPF on the switch in the Router Configuration mode, perform the following tasks:
1. Enable OSPF
2. Set the router ID
3. Create and configure OSPF area
4. Add interfaces to the area
5. If necessary, configure virtual links
6. Optionally, configure redistribution
7. Optionally, configure parameters at the global, area, and/or interface level...
OSPF Configuration Configuring OSPF Router Parameters ■ If there are no addresses on the loopback interface, the switch will set the default router ID to the address of the first interface that is in the up state that the switch encounters (except the interface management0, which is the Management Module’s interface).
OSPF Configuration Configuring OSPF Router Parameters Configuring Summary Ranges To reduce the amount of routing information propagated between areas, you can configure summary-ranges on Area Border Routers (ABRs). On the switch, summary-ranges are created using the range command:
ProCurve(config-ospf-area)#range <ipaddr-mask>
The networks specified using this command describe the scope of an area.
OSPF Configuration Configuring OSPF Router Parameters ProCurve(config-ospf-area)#stubhost <ipaddr> cost <costvalue> To specify the cost to inject into a stub area: ProCurve(config-ospf-area)#default-cost <num> To use a prefix-list to filter specific summary LSAs from a stub area, enter the following command: ProCurve(config-ospf-area)#summary-filter <prefix> Configuring Not-So-Stubby Areas (NSSA) NSSAs are similar to stub areas, in that they are used to restrict the AS-external routing for routers in the area.
OSPF Configuration Configuring OSPF Router Parameters Creating Virtual Links You can create a virtual link to: ■ Connect an area via a transit area to the backbone ■ Create a redundant backbone connection via another area Each ABR must be configured with the same virtual link. Note that virtual links cannot be configured through a stub or NSSA area.
OSPF Configuration Configuring OSPF Router Parameters Configuring the OSPF Router To specify the OSPF router ID, enter: ProCurve(config-router)#router-id <ip addr> For information on setting router IDs, see “Setting the Router ID” on page 13-5. Associating a Network with the OSPF Area To identify which network IP addresses belong to an OSPF area, enter the following command: ProCurve(config-router)#network <ip addr>...
OSPF Configuration Configuring OSPF Router Parameters Logging Adjacency Changes Support for logging changes in the adjacency states of OSPF neighbors is enabled by default. To turn it off, enter the following command: ProCurve(config-router)#no log-adjacency-changes Redistribution You can redistribute routes from another protocol into the OSPF domain. To redistribute connected routes, enter the following command: ProCurve(config-router)#redistribute connected [metric <default metric value>| metric-type <1 | 2>...
OSPF Configuration Configuring OSPF Router Parameters Configuring OSPF Interface Parameters To set OSPF interface parameters, use the ip ospf command for each interface in an OSPF area. The following parameters can be set at the interface level.
Parameter            Description
authentication       Enable authentication
authentication-key   Authentication password (key)...
OSPF Configuration Configuring OSPF Router Parameters ■ To override authentication specified at the area level by specifying the authentication method at the interface level, enter:
ProCurve(config-if)#ip ospf authentication null
Specifying null turns off authentication for this interface even if area authentication is specified.
OSPF Configuration Configuring OSPF Router Parameters
■ To limit the time between HELLO packets, enter:
ProCurve(config-if)#ip ospf hello-interval <num>
■ To limit the time to wait before retransmitting lost-link-state advertisements, enter:
ProCurve(config-if)#ip ospf retransmit-interval <num>
■ To limit the link-state transmit delay, enter:
ProCurve(config-if)#ip ospf transmit-delay <num>...
OSPF Configuration Alternative Area Border Router (ABR) Alternative Area Border Router (ABR) The switch automatically supports the alternative ABR implementation, as defined in the IETF “Alternative OSPF ABR Implementations” Internet Working Draft. This feature improves the behavior of a router connected to multiple areas without an active backbone connection.
OSPF Configuration OSPF Configuration Example OSPF Configuration Example Figure 13-1 shows a sample OSPF configuration of a ProCurve 8100fl and several neighboring routers. The interfaces are GigabitEthernet ports and have MD5 authentication enabled. Except where noted in the configuration, all other OSPF interface and router parameters use default values: Router 2 Router 3 172.18.1.14...
OSPF Configuration OSPF Configuration Example The configuration for this sample OSPF configuration would look like:
interface GigabitEthernet1/1
 no shutdown
 ip address 172.18.1.13
 ip OSPF message-digest-key 109 md5 2router1
 ip OSPF authentication message-digest
interface GigabitEthernet1/2
 no shutdown
 ip address 172.18.1.17
 ip OSPF message-digest-key 109 md5 2router2
 ip OSPF authentication message-digest
interface GigabitEthernet1/3
 no shutdown...
OSPF Configuration Monitoring OSPF Monitoring OSPF The show ip ospf commands allow you to display detailed versions of the various OSPF tables. The show ip ospf commands can only display OSPF tables for the switch on which the commands are being entered (see the following examples and commands).
OSPF Configuration Monitoring OSPF Example. Show ip ospf database:
ProCurve#show ip ospf database
OSPF Router with ID(66.1.1.1) (Process ID 11)
Router Link States (Area 0.0.0.0)
Link ID       ADV Router    Age   Seq#        Checksum  Link Count
32.32.32.32   32.32.32.32   1364  0x80000003  0x2414    1
33.33.33.33   33.33.33.33   1371  0x80000003  0x1416    1
66.1.1.1      66.1.1.1      1362  0x8000000D  0x42C4    4
67.1.1.1      67.1.1.1      161   0x80000011  0xA783    3...
OSPF Debug Commands To display information on selected OSPF processes, the following debug commands can be used from the Privileged Exec mode of the CLI:
Command            Function
debug ip ospf ack  Logs information about OSPF link state Ack packets. Includes the following command line options: •...
Configuring Routing Policies Overview Overview The 8100fl switch supports flexible routing policies. These allow the network administrator to control import and export of routing information based on criteria including:
■ Source and destination interface
■ Previous hop router
■ Tag associated with routes
■...
Configuring Routing Policies Route Preferences A default preference is assigned to each source from which the switch routing process receives routes. Preference values range from 0 to 255 with the lowest number indicating the most preferred route. Table 14-1 summarizes the default preference values for routes learned in various ways.
Configuring Routing Policies Route Preferences The importation of RIP routes may be controlled by source interface and source gateway. RIP does not support the use of preference to choose between RIP routes. That is left to the protocol metrics. Due to the nature of OSPF, only the importation of ASE routes may be controlled.
Configuring Routing Policies Authentication Export-Source This component specifies the source of the exported routes. It can also specify the metric to be associated with the routes exported from this source. The routes to be exported can be identified by their associated attributes: Their protocol type (RIP, OSPF, Static, Connected).
Configuring Routing Policies Authentication Authentication Methods There are two main authentication methods: simple password and MD5. Simple Password Authentication. In this method, an authentication key of up to 8 characters is included in the packet. If this does not match what is expected, the packet is discarded.
Configuring Routing Policies Authentication Using Route Maps A route map defines conditions and actions to be taken for:
■ importing routes or exporting routes
■ redistributing routes from or into any routing protocol
A route map consists of one or more conditions and the action to be taken when the condition is met.
Configuring Routing Policies Configuring Simple Routing Policies Configuring Simple Routing Policies Simple routing policies provide an efficient way for routing information to be exchanged between routing protocols. The redistribute command can be used to redistribute routes from one routing domain into another routing domain. Redistribution of routes between routing domains is based on route policies.
Configuring Routing Policies Configuring Simple Routing Policies To redistribute RIP into RIP, enter the following command in Router Configuration mode:

    ProCurve(config-router)#redistribute rip [metric|route-map]

Redistributing RIP into OSPF
RIP routes may be redistributed to OSPF. To redistribute RIP into OSPF, enter the following command in Router Configuration mode:

    ProCurve(config-router)#redistribute ospf [match <external|internal|nssa-external>...
Access Control Lists (ACLs) Overview Overview This chapter explains how to configure and use Access Control Lists (ACLs) on the 8100fl switch. When used in conjunction with certain features, ACLs provide control over the forwarding of Layer 3 and Layer 4 traffic, as illustrated in Figure 15-1.
Access Control Lists (ACLs) Layer 3 Access Control List (ACLs) Layer 3 Access Control List (ACLs) An ACL consists of a protocol type and one or more rules which tell the switch to either permit or deny packets or routes that match the criteria on which each rule is based.
Access Control Lists (ACLs) Layer 3 Access Control List (ACLs) Creating an ACL To create an ACL, complete the following steps:
1. Specify a name (or number) for the ACL.
Note: Each ACL is identified by a name, consisting of alphanumeric characters. The ACL name can be a meaningful string such as denyFTP or it can be a simple number such as 100 or 101.
Access Control Lists (ACLs) Layer 3 Access Control List (ACLs) Option (Destination) Description Match only packets on a given port number (equal to) Match only packets with a port number greater than host A single destination host Match only packets with a port number less than range Match only packets in the port number range (Optional) Refine the ACL by specifying conditions for the traffic from the...
Access Control Lists (ACLs) Layer 3 Access Control List (ACLs) Notice in the previous example that both the source address and the destination address are skipped over using the any parameter. The keyword any is needed only to skip a field in order to explicitly specify another field whose position is further along in the ACL.
Access Control Lists (ACLs) Layer 3 Access Control List (ACLs) Note: Remember that the first rule that applies to a packet is the only rule that affects the packet. The packet is permitted or denied according to the first rule it satisfies;...
Access Control Lists (ACLs) Layer 3 Access Control List (ACLs) To allow packets from a subnet other than 172.124.200.0 to pass through, a rule must be explicitly defined to permit other packets to go through. To change the previous example so that it accepts packets from other subnets, a new rule must be added ahead of the implicit deny rule that permits packets to pass.
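The first-match and implicit-deny behaviour described above, modelled as an added Python example (not code from the guide or the switch). It assumes a simplified rule form, `<action> <protocol> <source> [<destination>]`, with wildcard masks whose set bits are ignored and `ip` matching any protocol; port options are not modelled, and `evaluate` and `shadowed_rules` are hypothetical helper names.

```python
import ipaddress

ANY = (0, 0xFFFFFFFF)  # every bit wildcarded

def _take_field(tokens):
    """Consume one address field: 'any', '<addr> <wildcard>', or nothing (= any)."""
    if not tokens:
        return ANY, tokens
    if tokens[0] == "any":
        return ANY, tokens[1:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (addr, wild), tokens[2:]

def parse_rule(line):
    """Parse '<permit|deny> <protocol> <source> [<destination>]' (ports not modelled)."""
    action, proto, *rest = line.split()
    src, rest = _take_field(rest)
    dst, _ = _take_field(rest)
    return action, proto, src, dst

def _matches(field, ip):
    addr, wild = field
    care = ~wild & 0xFFFFFFFF          # bits set in the wildcard are ignored
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def _covers(outer, inner):
    """True if every address matched by 'inner' is also matched by 'outer'."""
    (a1, w1), (a2, w2) = outer, inner
    care = ~w1 & 0xFFFFFFFF
    return (w2 & care) == 0 and ((a1 ^ a2) & care) == 0

def evaluate(rules, proto, src, dst):
    """Return (action, rule_number); rule_number is None for the implicit deny."""
    for number, line in enumerate(rules, start=1):
        action, rproto, rsrc, rdst = parse_rule(line)
        # Assumption: the 'ip' keyword matches any IP protocol
        if rproto in ("ip", proto) and _matches(rsrc, src) and _matches(rdst, dst):
            return action, number      # first match wins; later rules are not consulted
    return "deny", None                # nothing matched: implicit deny

def shadowed_rules(rules):
    """Return (later, earlier) rule-number pairs where 'later' can never be reached."""
    parsed = [parse_rule(r) for r in rules]
    found = []
    for j, (_, p2, s2, d2) in enumerate(parsed):
        for i, (_, p1, s1, d1) in enumerate(parsed[:j]):
            if p1 in ("ip", p2) and _covers(s1, s2) and _covers(d1, d2):
                found.append((j + 1, i + 1))
                break
    return found

# Rules as displayed for access list 403 in the guide's show access-list output
ACL_403 = ["deny tcp 10.20.20.0 0.0.0.255", "permit tcp any any"]
# Constructed sample: the same two rules in the wrong order
MISORDERED = ["permit tcp any any", "deny tcp 10.20.20.0 0.0.0.255"]

if __name__ == "__main__":
    print(evaluate(ACL_403, "tcp", "10.20.20.7", "10.1.1.1"))
    print(evaluate(ACL_403, "udp", "10.30.1.1", "10.1.1.1"))
    print(shadowed_rules(MISORDERED))
```

Running `shadowed_rules` over an ACL text file before uploading it catches a deny that was placed after a broader permit and therefore never takes effect.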
Access Control Lists (ACLs) Editing ACLs Editing ACLs To modify an ACL, edit it using a text editor on a remote workstation and upload it to the switch using TFTP. (You cannot edit existing ACLs from the CLI.) Edit, delete, replace, or reorder ACL rules and match criteria in a text file.
Access Control Lists (ACLs) Applying ACLs Applying ACLs Until it is applied, an ACL itself is simply a set of one or more rules made up of match criteria and an indicator that specifies whether to permit or deny packets that meet the rules. For an ACL to actually do something on the switch, it must be applied to an interface or to some application, which permits or denies traffic to or from the switch.
Access Control Lists (ACLs) Applying ACLs ACL Viewing The switch provides the following show commands that you can use to display the ACLs, their rules, and their association to interfaces, ports and services.
Table 15-1. ACL Show Commands
Show Command        Action
show access-list    Show all ACL definitions...
Access Control Lists (ACLs) Applying ACLs The following is an example of the display from the show access-list command:

    ProCurve#show access-list
    ProCurve#show access-lists
    IP access list 401
      permit tcp 192.168.1.4 0.0.0.0 10.203.10.1 0.0.0.0
    IP access list 403
      deny tcp 10.20.20.0 0.0.0.255
      permit tcp any any
    IP access list 404
      permit ip 123.1.3.10 0.0.0.255 any default...
Access Control Lists (ACLs) Layer 2 Access Control Lists (ACLs) Layer 2 Access Control Lists (ACLs) Layer 2 traffic filtering on the switch is provided by:
■ Layer 2 filters - perform filtering on source or destination MAC addresses.
■ Layer 2 access control lists - perform access control based on source or...
Access Control Lists (ACLs) Layer 2 Access Control Lists (ACLs) To apply a Layer 2 ACL to a specified VLAN interface on input, enter the following command:

    ProCurve(config-if)#l2acl [police | <aclname>] vlan <vlanid>

For example, to apply an ACL called 303 for traffic inbound to VLAN 220, you would enter:...
Access Control Lists (ACLs) Protocols and Keywords Protocols and Keywords Table 15-3 shows the list of protocols you can use in a Layer 3 ACL. All of these protocols can be referenced by their decimal number. Those protocols shown with a Keyword can alternately be referenced by this Keyword rather than by their decimal number.
Access Control Lists (ACLs) Protocols and Keywords Table 15-3. Protocol Decimal and Keyword Equivalents (Continued) Decimal Keyword Protocol/References Packet Radio Measurement [ZSU] XNS-IDP XEROX NS IDP [ETHERNET,XEROX] TRUNK-1 Trunk-1 [BWB6] TRUNK-2 Trunk-2 [BWB6] LEAF-1 Leaf-1 [BWB6] LEAF-2 Leaf-2 [BWB6] Reliable Data Protocol [RFC908,RH6] IRTP Internet Reliable Transaction [RFC938,TXM] ISO-TP4...
VRRP Configuration Overview Overview This chapter explains how to set up and monitor the Virtual Router Redundancy Protocol (VRRP) on the switch. VRRP is defined in RFC 2338. In many networks, end hosts are often configured to send packets to a statically configured default router.
VRRP Configuration Configuration Parameters Setting the IP Address of the Virtual Router To assign the virtual router’s IP address on VLAN 15 to be 10.50.50.5, enter:

    ProCurve(config-interface-vlan15)#vrrp 1 ip 10.50.50.5

Labeling the Virtual Router
You can label each virtual router for easy identification in configurations and the show commands.
VRRP Configuration Configuration Parameters Learning the Master Configuration When the Master router goes down, the Backup router takes over. When an interface comes up, the Master router may become available and take over from the Backup router. Before the Master router takes over, it may have to update its routing tables.
VRRP Configuration Configuration Parameters
■ If a Backup router doesn’t receive a keep-alive advertisement from the current Master within a certain period of time, it will transition to the Master state and start sending advertisements itself. The amount of time that a Backup router will wait before it becomes the new Master is based on the following equation:

    Master-down-interval = (3 * advertisement-interval) + skew-time...
VRRP Configuration Configuring VRRP Configuring VRRP This section presents two sample VRRP configurations:
■ A basic VRRP configuration with one virtual router
■ A symmetrical VRRP configuration with two virtual routers
Note: The 8100fl switch is limited to up to fifteen unique virtual router configurations per interface (physical port, LAG, or VLAN).
VRRP Configuration Configuring VRRP If Router R1 should become unavailable, Router R2 would take over virtual router VRID=1 and its associated IP addresses. Packets sent to 10.0.0.1/24 would go to Router R2. When Router R1 comes up again, it would take over as Master, and Router R2 would revert to Backup.
VRRP Configuration Configuring VRRP VRRP Configuration with Two Routers Figure 16-2 shows a symmetrical VRRP configuration with two routers and two virtual routers. Routers R1 and R2 are both configured with two virtual routers (VRID=1 and VRID=2). Router R1 serves as:
■ Master for VRID=1
■...
VRRP Configuration Configuring VRRP In this configuration, half the hosts use 10.0.0.1/24 as their default route, and half use 11.0.0.1/24. IP address 10.0.0.1/24 is associated with virtual router VRID=1, and IP address 11.0.0.1 is associated with virtual router VRID=2. If Router R1, the Master for virtual router VRID=1, goes down, Router R2 would take over the IP address 10.0.0.1/24.
VRRP Configuration Monitoring VRRP Monitoring VRRP The show vrrp command reports information about a VRRP configuration. You can specify individual VRIDs, or interfaces. You can tailor the display to show summary information using the show vrrp brief command. You can focus displayed information using output modifiers to customize the information returned.
Time Configuration Overview Overview This chapter discusses how to set time on the 8100fl switch and how to use the pool of Network Time Protocol (NTP) servers to set the clock to Universal Coordinated Time (UTC). Setting the Date and Time To set the date and time on the 8100fl switch, use the clock set command in Privileged Exec mode.
Time Configuration Using NTP In this example, to convert PST to UTC, first convert the local time into a 24 hour clock format, 08:10:40. Then add 8 to convert to UTC. This gives the time conversion as 16:10:40. A slightly more complicated conversion occurs when adding 8 (for PST) forces the 24-hour clock into the next morning.
Time Configuration Using NTP The following example shows a typical configuration of NTP servers. (The * symbol indicates the IP address of the server the switch is synchronized against; the = symbol identifies an additional NTP server.) Use the detail parameter to display all of the NTP statistics.
SNMP Configuration Overview Overview The Simple Network Management Protocol (SNMP) is an application layer protocol used to monitor and manage TCP/IP-based networks. It provides for the storage and exchange of management information. The 8100fl switch supports the following SNMP versions: ■...
SNMP Configuration Configuring Access to MIB Objects Configuring Access to MIB Objects The 8100fl switch supports many of the standard networking SNMP MIB modules. Each module is a collection of managed objects which can be accessed by the SNMP management stations. (For a list of MIB modules supported by the 8100fl switch, refer to “MIB Modules”...
    ProCurve(config)#snmp chassis-id s/n12345
    ProCurve(config)#snmp mib if-mib

The example sets the MIB objects sysContact to IT dept, sysLocation to building 1 closet, and hp-switch-fl-series-inventory-mib ChassisId to s/n12345, and enables the if-mib (RFC 2863).
Configuring SNMP Notifications
The 8100fl switch sends notifications to pre-defined targets. The targets are the SNMP management stations that receive the notifications.
SNMP Configuration Configuring Access to MIB Objects Targets are defined by their IP addresses. Each target that is defined receives a copy of the notifications generated and sent by the ProCurve 8100fl agent. In addition, you need to specify a community string for the notifications. For security reasons, the community strings in notifications should be different from the read/write community strings.
The 8100fl switch supports the following MIB modules. You can use these modules with any SNMP version.
Table 18-1. Release 1.0 Supported MIBs
MIB Name                            RFC Standard
SNMPv2-MIB                          RFC 1907
IP-MIB                              RFC 2011
TCP-MIB                             RFC 2012
UDP-MIB                             RFC 2013
IP-FORWARD-MIB                      RFC 2096
IF-MIB                              RFC 2863
ENTITY-MIB                          RFC 2737
HP-SWITCH-FL-SERIES-INVENTORY-MIB...
Some of the following list of IETF standard MIB modules may already be loaded, so you do not need to load them again (unless they are newer versions). Load them in the order shown—with the HP Switch proprietary MIB module at the end.
- IPv4 CIDR forwarding database per RFC 2096 ip-mib - Counters for IP and ICMP version 4 per RFC 2011 hp-switch-fl-series-inventory-mib - HP switch inventory details snmpv2-mib - System detail, SNMPv1/v2c/v3 counters per RFC 1907 tcp-mib - Counters for Transmission Control Protocol, IP...
SNMP Configuration Configuring Access to MIB Objects Displaying SNMP Information The show snmp command is used to display SNMP configuration information. The status of the notifications is listed at the bottom of the output. ProCurve(config)#show snmp agent operational 343 seconds In/out packets: 0/0 last: last error occurred on: Bad version : 0...
UDP-MIB 2013 online IP-FORWARD-MIB 2096 online ENTITY-MIB 2737 online HP-SWITCH-FL-SERIES-INVENTORY-MIB online
Troubleshooting SNMP
SNMP misconfigurations typically generate the following error when you enter the show snmp command:

    ProCurve(config)#show snmp
    %SNMP agent not enabled
    ProCurve(config)#

If you receive this error: Make sure you have configured a community string (see “Configuring...
Performance Monitoring Overview Overview The 8100fl switch performs as a full wire-speed Layer 2, Layer 3, and Layer 4 switching router, and is capable of displaying performance information at each layer. As packets enter the switch, Layer 2, 3, and 4 flow tables are populated on each interface module.
Performance Monitoring Show Commands
show bridge fib          Show bridging information
show bridge mac-table    Show master MAC table information
show clock               Show information about the system clock
show configuration       Show configuration data in flash
show device-logging      Show how the terminal, host, and buffer are configured for logging
show environment         Show environmental conditions of the chassis...
Performance Monitoring Show Commands
show pinger              Show pinger gateway information
show policy              Show IP policies
show port                Show Layer 2 port related information
show process             Show resource usage per process
show radius servers      Show Remote Access Dial-in User Service (RADIUS) server information
show redundancy          Show the status of redundant modules...
Performance Monitoring Debug Commands Note: All the show commands are accessible at the Privileged Exec mode. Many show commands are accessible from various configuration modes, and a limited number of show commands are available at the Exec mode level.
Debug Commands
To gather information on selected processes and to control tracing, enter the following commands from the Privileged Exec mode:...
Performance Monitoring Clear Commands Clear Commands To delete data from the system, use the following commands from the Privileged Exec mode:
Command              Function
clear access-list    Clear access-list counters for a specified Access Control List.
clear arp            Clear the Address Resolution Protocol (arp) entry IP address.
clear arp-cache      Clear the Address Resolution Protocol (arp) cache....
Performance Monitoring Error Reporting and Message Logging Error Reporting and Message Logging Individual file system commands will report application specific errors as part of their normal output. ERRLOG messages will be generated on the following events:
■ A physical file system becomes full
■ A user attempts to overwrite or remove a read-only system file
■...
Performance Monitoring Error Reporting and Message Logging To set the locations that receive messages (buffer, console, or syslog respectively), use the following commands in Configuration mode.
Command             Function
logging buffered    Set buffered logging.
logging host        Set host logging. Requires an <ip address>.
logging terminal    Set terminal logging....
Performance Monitoring Error Reporting and Message Logging When logging is buffered, the following Privileged Exec command is useful to display logged messages:

    ProCurve#show logging

The following Privileged Exec command can be used to clear the log buffer:

    ProCurve#clear logging

Displaying Crash Log Files
To display a log file after a crash occurs, enter the following command:

    ProCurve#dir flash:

This will list the files located in the flash directory.
Performance Monitoring Error Reporting and Message Logging Note: The default alert level for the buffered messages is informational, and the default alert level for terminal messages is warning. The default alert level for syslog messages is informational.
Controlling the Size of the Log and Messages
You can set the number of messages that get stored in the history table.
Performance Monitoring Configuring Port Mirroring Configuring Port Mirroring The 8100fl switch allows you to monitor performance and activities of ports on the switch using port mirroring.
[Figure 19-1. Port Mirroring. Labels: Monitor Port, Monitoring Device, Destination Port, Target Port; ports 6/10 and 5/10]
In Figure 19-1, the target port (5/10) is mirrored to a monitor port (6/1) on another interface module.
Performance Monitoring Setting Rate-Limits (2-port X2 Module)
■ LAGs, and ports used within a LAG (link aggregated group), cannot be used as a destination for port mirroring.
Caution: The mirror monitor-port command is not available from the Interface lag context.
Performance Monitoring Setting Rate-Limits (2-port X2 Module) For example, to specify a rate limit of 2000 Megabits per second for the first port on the module, you would enter the following:

    ProCurve(config)#interface tengigabitethernet 1/1
    ProCurve(config-interface-10gig1/1)# mac-rate-limit 2000

Operating Notes for Rate-Limiting
■ The mac-rate-limit command is only effective on the 2-Port X2 10GbE...
Command Line Index This index provides an alphabetical listing of all the commands in the CLI that are referenced in this guide.
clear ip ospf … 13-6, 19-6
clear ip traffic … 19-6
clear l2acl … 19-6
clear lacp … 19-6
clear logging …...
macs (ssh) … 5-8 map … 8-4 image … 3-10 maximum-paths (rip) … 12-5 interface … 11-3 mirror monitor-port … 19-11 interface mtu … 11-5 mkdir … 3-6 ip access-group … 11-4, 15-10 more … 3-6 ip address … 11-4 mtu (config-vlan) …...
show aaa method-lists … 19-2 show spanning-tree mst-config … 9-31 show aaa servers … 19-2 show spolicy-input-map … 19-4 show access-lists … 19-2 show spolicy-output-map … 19-4 show arp … 11-9, 19-2 show startup-config … 3-3, 19-4 show bootvar … 19-2 show statistics …...
caution … 9-7 IST root … 9-6, 9-7, 9-9 CIST … 9-12 IST, defined … 9-6 CIST per-port hello time … 9-12 IST, switch membership … 9-6 CIST root … 9-20 legacy devices and the CST … 9-10 common and internal spanning tree legacy STP and RSTP …...
root switch, regional … 9-12 root, CIST … 9-18 TACACS+ root, IST … 9-7 authentication … 5-2 root, MSTI … 9-9 configuring … 5-17 routed traffic in a region … 9-9 monitoring … 5-18 RSTP as a region … 9-5 multiple connections on a single server …...
configuring an IP interface … 11-3 default … 6-6 enabled by default … 6-6 enabling trunk ports … 6-4 explicit and implicit … 6-3 IGMP configuration … 10-3 number of VLANs supported … 6-6 port-based … 6-2 static, 802.1s spanning tree … 9-6 trunk ports …...