HP Aruba JL253A Management And Configuration Manual

For ArubaOS-Switch 16.08

Aruba 2930F / 2930M Management and Configuration Guide for ArubaOS-Switch 16.08
Part Number: 5200-5486a
Published: January 2019
Edition: 2

  Summary of Contents for HP Aruba JL253A

  • Page 1 Aruba 2930F / 2930M Management and Configuration Guide for ArubaOS- Switch 16.08 Part Number: 5200-5486a Published: January 2019 Edition: 2...
  • Page 2 © Copyright 2019 Hewlett Packard Enterprise Notices The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
  • Page 3: Table Of Contents

    Contents: Chapter 1 About this guide; Applicable products (p. 26); Switch prompts used in this guide; Chapter 2 Time Protocols; General steps for running a time protocol on the switch (p. 27); TimeP time synchronization; SNTP time synchronization (p. 27); NTP time synchronization; Command; timesync; Selecting a time synchronization protocol (p. 28); Disabling time synchronization
  • Page 4 show ntp associations; show ntp authentication (p. 60); Validation rules; Event log messages; Precision Time Protocol (PTP) (p. 63); ptp (p. 63); show ptp; Monitoring resources; Displaying current resource usage (p. 65); Viewing information on resource usage; Policy enforcement engine; Usage notes for show resources output (p. 67); When insufficient resources are available (p. 67); Chapter 3 Port Status and Configuration (p. 69)...
  • Page 5 Configuring UDLD for tagged ports; Viewing UDLD information (CLI); Viewing summary information on all UDLD-enabled ports (CLI); Viewing detailed UDLD information for specific ports (CLI) (p. 99); Clearing UDLD statistics (CLI); Uplink Failure Detection (p. 99); Configuration Guidelines for UFD; enable/disable (p. 101); uplink-failure-detection; configuration; uplink-failure-detection track (p. 101); show uplink-failure-detection (p. 102)...
  • Page 6 Recommendations; Show commands (p. 125); PoE Event Log messages (p. 127); Chapter 5 Port Trunking; Overview of port trunking; Port connections and configuration (p. 129); Port trunk features and operation; Fault tolerance; Trunk configuration methods (p. 130); Dynamic LACP trunk (p. 130); Using keys to control dynamic LACP trunk configuration (p. 130); Static trunk
  • Page 7 Configuring ICMP rate-limiting; Using both ICMP rate-limiting and all-traffic rate-limiting on the same interface (p. 159); Viewing the current ICMP rate-limit configuration; Operating notes for ICMP rate-limiting (p. 160); ICMP rate-limiting trap and Event Log messages (p. 161); Determining the switch port number used in ICMP port reset commands
  • Page 8 Listing community names and values (CLI); SNMP notifications (p. 194); Supported Notifications; General steps for configuring SNMP notifications (p. 194); SNMPv1 and SNMPv2c Traps; SNMP trap receivers; Overview; SNMP trap when MAC address table changes; SNMPv2c informs (p. 198); Configuring SNMPv3 notifications (CLI) (p. 199); Network security notifications (p. 202); Enabling Link-Change Traps (CLI)
  • Page 9 Basic LLDP per-port advertisement content (p. 228); Support for port speed and duplex advertisements (p. 230); Port VLAN ID TLV support on LLDP; Configuring the VLAN ID TLV (p. 231); Viewing the TLVs advertised; SNMP support; LLDP-MED (media-endpoint-discovery); LLDP-MED endpoint support; LLDP-MED endpoint device classes; LLDP-MED operational support
  • Page 10 dhcp-server; DHCP address pool name; dhcp-server pool (p. 259); Authoritative; DHCP client boot file; bootfile-name (p. 261); DHCP client default router; default-router; DNS IP servers; dns-server; Configure a domain name (p. 262); domain-name; Configure lease time; lease (p. 262); NetBIOS WINS servers (p. 262); NetBIOS node type; bios-ode-type (p. 263); Subnet and mask
  • Page 11 dhcpv6–snooping authorized-server; ddhcpv6–snooping database file (p. 275); dhcpv6–snooping max-bindings (p. 276); dhcpv6–relay option 79; snmp-server enable traps dhcpv6-snooping; clear dhcpv6–snooping stats (p. 278); debug security dhcpv6–snooping (p. 278); ipv6 source-lockdown ethernet; ipv6 source-binding; snmp-server enable traps dyn-ipv6-lockdown (p. 281); debug security dynamic-ipv6-lockdown; Show commands for DHCPv6–snooping (p. 282); show dhcpv6-snooping; show dhcpv6 snooping bindings
  • Page 12 show crypto-ipsec sa (p. 322); show running-configuration; ZTP with Aruba Central (p. 324); LED Blink feature; Aruba Central Configuration manually; Activating ArubaOS-Switch Firmware Integration; activate software-update enable; activate software-update check (p. 326); activate software-update update; show activate software-update (p. 327); Show activate provision (p. 328); aruba-central; Troubleshooting (p. 331); Show aruba-central; Error reason for Aruba Central
  • Page 13 Copying diagnostic data (p. 357); copy command-log (p. 357); copy event-log (p. 357); Transferring switch configurations; TFTP: Copying a configuration file to a remote host (CLI) (p. 358); TFTP: Copying a configuration file from a remote host (CLI) (p. 359); TFTP: Copying a customized command file to a switch (CLI); USB: Copying a configuration file to a USB device (p. 360); USB: Copying a configuration file from a USB...
  • Page 14 Accessing port and trunk group statistics (CLI) (p. 386); Displaying trunk load balancing statistics (p. 386); Clearing trunk load balancing statistics; Resetting the port counters; Viewing the switch's MAC address tables (p. 387); Accessing MAC address views and searches (CLI) (p. 388); Accessing MSTP Data (CLI); Viewing internet IGMP status (CLI)
  • Page 15 Traffic-direction criteria (p. 409); Configure ACL criteria to select inbound; interface monitor ip access-group; Configuring a destination switch in a remote mirroring session (p. 410); Configuring a source switch in a local mirroring session (p. 411); Configuring a source switch in a remote mirroring session (p. 411); Selecting all traffic on a port interface for mirroring according to traffic direction (p. 412); Selecting all traffic on a VLAN interface for mirroring according to traffic direction
  • Page 16 About selecting inbound traffic using advanced classifier-based mirroring (p. 435); Classifier-based mirroring configuration; Classifier-based mirroring restrictions (p. 437); About applying multiple mirroring sessions to an interface; Mirroring configuration examples; Maximum supported frame size (p. 443); Enabling jumbo frames to increase the mirroring path MTU (p. 444); Effect of downstream VLAN tagging on untagged, mirrored traffic
  • Page 17 The switch does not receive a response to RADIUS authentication requests; The switch does not authenticate a client even though the RADIUS server is properly configured and providing a response to the authentication request (p. 465); During RADIUS-authenticated client sessions, access to a VLAN on the port used for the client sessions is lost (p. 465); The switch appears to be properly configured as a supplicant, but cannot gain access...
  • Page 18 Event Log; Restrictions (p. 478); Viewing transceiver information; Viewing information about transceivers (CLI) (p. 480); support (p. 480); Viewing transceiver information; Information displayed with the detail parameter (p. 481); Viewing transceiver information for copper transceivers with VCT support; Testing the Cable; Viewing transceiver information; Using the Event Log for troubleshooting switch problems
  • Page 19 Saving show tech command output to a text file; Customizing show tech command output (p. 536); Viewing more information on switch operation (p. 538); Searching for text using pattern matching with show command; Displaying the information you need to diagnose problems (p. 541); Restoring the factory-default configuration
  • Page 20 Troubleshooting and support; debug cfg-restore (p. 575); Chapter 16 Virtual Technician; Cisco Discovery Protocol (CDP); Show cdp traffic (p. 577); Clear cdp counters; show cdp neighbors detail (p. 578); Enable/Disable debug tracing for MOCANA code; Debug security; User diagnostic crash via Front Panel Security (FPS) button (p. 579); Front panel security password-clear
  • Page 21 Event log messages (p. 603); Interoperability; IP SLA UDP Jitter and Jitter for VoIP (p. 604); Overview; Significance of jitter; Solution components (p. 605); Measurements (p. 606); Chapter 18 Dynamic Segmentation; Definition of Terms; Overview; Benefits of Dynamic Segmentation (p. 609); Cases; Users/Devices and Policy Enforcement Recommendations; Colorless Ports (p. 612); Port-Based Tunneling
  • Page 22 VSF link (p. 651); Physical VSF ports (p. 651); VSF member ID; Interface naming conventions; VSF member roles; Member priority; Supported topologies; Running-configuration synchronization (p. 654); VSF split (p. 655); VSF merge (p. 655); commands; Configuration commands; enable; disable; vsf member link; domain; member (p. 657); vsf member shutdown; vsf member reboot
  • Page 23 configuration; Manual configuration of a VSF (p. 689); Manual configuration with multiple ports bundled in a VSF link; Automatic configuration of a VSF fabric (p. 695); Port speed (p. 701); VSF port LED front panel (p. 701); VSF port LEDs; Diagnostic tips for stacking error (p. 702); LED 1 and LED 2 display solid green color, whereas, LED 3 displays solid orange (p. 702); LED 1 displays slow flash orange, LED 2 displays solid green, whereas, LED 3 displays different...
  • Page 24 Requirements (p. 728); Limitations (p. 728); Feature Interactions; Profile Manager and 802.1X; Profile Manager and LMA/WMA/MAC-AUTH (p. 729); Profile manager and Private VLANs; MAC lockout and lockdown (p. 729); LMA/WMA/802.1X/Port-Security (p. 730); Troubleshooting; Dynamic configuration not displayed when using “show running-config” (p. 730); The show run command displays non-numerical value for untagged-vlan (p. 730); Show commands (p. 731)...
  • Page 25 Overview; LACP-MAD Passthrough commands (p. 750); interface lacp (p. 750); show lacp; clear lacp statistics; Remote Device Deployment (TR-069) (p. 752); Introduction; Advantages of TR-069; Zero-touch configuration process (p. 753); Zero-touch configuration setup and execution; CLI commands (p. 756); Configuration setup; ACS password configuration (p. 757); When encrypt-credentials is off; When encrypt-credentials is on
  • Page 26: Chapter 1 About This Guide

    Chapter 1 About this guide This guide provides information on how to configure, manage, and monitor basic switch operation. Applicable products This guide applies to these products: Aruba 2930F Switch Series (JL253A, JL254A, JL255A, JL256A, JL258A, JL259A, JL260A, JL261A, JL262A, JL263A, JL264A, JL557A, JL558A, JL559A) Aruba 2930M Switch Series (JL319A, JL320A, JL321A, JL322A, JL323A, JL324A, R0M67A, R0M68A) Switch prompts used in this guide...
  • Page 27: Chapter 2 Time Protocols

    Chapter 2 Time Protocols NOTE: For successful time protocol setup and specific configuration details, you may need to contact your system administrator regarding your local configuration. General steps for running a time protocol on the switch Using time synchronization ensures a uniform time among interoperating devices. This helps you to manage and troubleshoot switch operation by attaching meaningful time data to event and error messages.
  • Page 28: NTP Time Synchronization

    security over the Broadcast mode by specifying which time server to use instead of using the first one detected through a broadcast. NTP time synchronization The Network Time Protocol (NTP) synchronizes the time of day among a set of distributed time servers and clients in order to correlate events when receiving system logs and other time-specific events from multiple network devices.
  • Page 29: Disabling Time Synchronization

    The switch retains the parameter settings for both time protocols even if you change from one protocol to the other. Thus, if you select a time protocol, the switch uses the parameters you last configured for the selected protocol. Simply selecting a time synchronization protocol does not enable that protocol on the switch unless you also enable the protocol itself (step 2, above).
  • Page 30 If you configure the switch with TimeP as the time synchronization method, then enable TimeP in DHCP mode with the default poll interval, show timep lists the following: TimeP configuration when TimeP is the selected Time synchronization method switch(config)# show timep Timep Configuration Time Sync Mode: Timep TimeP Mode [Disabled] : DHCP...
  • Page 31: Configuring (Enabling Or Disabling) The TimeP Mode

    Configuring (enabling or disabling) the TimeP mode Enabling the TimeP mode means configuring it for either broadcast or unicast mode. Remember that to run TimeP as the switch's time synchronization protocol, you must also select TimeP as the time synchronization method by using the CLI timesync command.
  • Page 32 Selects TimeP as the time synchronization method. Syntax: ip timep dhcp Configures DHCP as the TimeP mode. For example, suppose: • Time Synchronization is configured for SNTP. • You want to: ◦ View the current time synchronization. ◦ Select TimeP as the synchronization mode. ◦...
  • Page 33 Configuring TimeP for manual operation switch(config)# timesync timep switch(config)# ip timep manual 10.28.227.141 switch(config)# show timep Timep Configuration Time Sync Mode: Timep TimeP Mode : Manual Server Address : 10.28.227.141 Poll Interval (min) : 720 Changing from one TimeP server to another (CLI) Procedure 1.
  • Page 34: SNTP: Selecting And Configuring

    Disabling the TimeP mode Syntax: no ip timep Disables TimeP by changing the TimeP mode configuration to Disabled and prevents the switch from using it as the time synchronization protocol, even if it is the selected Time Sync Method option. Example: If the switch is running TimeP in DHCP mode, no ip timep changes the TimeP configuration as shown below and disables time synchronization.
  • Page 35: Viewing And Configuring SNTP (CLI)

    SNTP parameter Operation Server Address Used only when the SNTP Mode is set to Unicast. Specifies the IP address of the SNTP server that the switch accesses for time synchronization updates. You can configure up to three servers; one using the menu or CLI, and two more using the CLI. Server Version Specifies the SNTP software version to use and is assigned on a per-server basis.
  • Page 36: Configuring (Enabling Or Disabling) The SNTP Mode

    Priority SNTP Server Address Protocol Version -------- ------------------------------ ---------------- 2001:db8::215:60ff:fe79:8980 10.255.5.24 fe80::123%vlan10 Syntax: show management This command can help you to easily examine and compare the IP addressing on the switch. It lists the IP addresses for all time servers configured on the switch, plus the IP addresses and default gateway for all VLANs configured on the switch.
  • Page 37 Syntax: sntp server priority <1-3> Specifies the order in which the configured servers are polled for getting the time. Value is between 1 and 3. Syntax: sntp <30-720> Configures the amount of time between updates of the system clock via SNTP. Default: 720 seconds Enabling SNTP in Broadcast Mode Because the switch provides an SNTP polling interval (default: 720 seconds), you need only these two commands...
  • Page 38 The commands and output would appear as follows: Figure 1: Enabling SNTP operation in Broadcast Mode switch(config)# show sntp SNTP Configuration Time Sync Mode: Timep SNTP Mode : disabled Poll Interval (sec) [720] :720 switch(config)# timesync sntp switch(config)# sntp broadcast switch(config)# show sntp SNTP Configuration Time Sync Mode: Sntp...
  • Page 39 version The protocol version of the SNTP server. Allowable values are 1 through 7; default is 3. Syntax: no sntp server priority <1-3> <ip-addr> Deletes the specified SNTP server. NOTE: priority <1-3> value must match what server is configured with. Deleting an SNTP server when only one is configured disables SNTP unicast operation.
  • Page 40 Specifying the SNTP protocol version number switch(config)# no sntp server 10.28.227.141 switch(config)# sntp server 10.28.227.141 4 switch(config)# show sntp SNTP Configuration Time Sync Mode: Sntp SNTP Mode : Broadcast Poll Interval (sec) [720] : 600 IP Address Protocol Version ------------- ----------------- 10.28.227.141 •...
  • Page 41 Disabling time synchronization without changing the SNTP configuration (CLI) The recommended method for disabling time synchronization is to use the timesync command. Syntax: no timesync Halts time synchronization without changing your SNTP configuration. Example: Suppose SNTP is running as the switch's time synchronization protocol, with broadcast as the SNTP mode and the factory-default polling interval.
  • Page 42: SNTP Client Authentication

    Note that even though the Time Sync Mode is set to Sntp, time synchronization is disabled because no sntp has disabled the SNTP Mode parameter. SNTP client authentication Enabling SNTP authentication allows network devices such as switches to validate the SNTP messages received from an NTP or SNTP server before updating the network time.
  • Page 43: Configuring A Trusted Key

    Syntax: sntp authentication key-id <key-id> authentication-mode <md5> key-value <key-string> [trusted] no sntp authentication key-id <key-id> Configures a key-id, authentication-mode (MD5 only), and key-value, which are required for authentication. The no version of the command deletes the authentication key. Default: No default keys are configured on the switch. key-id A numeric key identifier in the range of 1-4,294,967,295 (2 ) that identifies the unique key value.
  • Page 44: Associating A Key With An SNTP Server (CLI)

    Trusted keys are used during the authentication process. You can configure the switch with up to eight sets of key-id/key-value pairs. One specific set must be selected for authentication; this is done by configuring the set as trusted. The key-id itself must already be configured on the switch. To enable authentication, at least one key-id must be configured as trusted.
  • Page 45: Configuring Unicast And Broadcast Mode For Authentication

    Configuring unicast and broadcast mode for authentication To enable authentication, you must configure either unicast or broadcast mode. When authentication is enabled, changing the mode from unicast to broadcast or vice versa is not allowed; you must disable authentication and then change the mode.
  • Page 46: Saving Configuration Files And The Include-Credentials Command

    Viewing all SNTP authentication keys that have been configured on the switch (CLI) Enter the show sntp authentication command, as shown in Show sntp authentication command output on page 46. Show sntp authentication command output switch(config)# show sntp authentication SNTP Authentication Information SNTP Authentication : Enabled Key-ID Auth Mode...
  • Page 47 sntp broadcast sntp 50 sntp authentication sntp server priority 1 10.10.10.2.3 key-id 55 sntp server priority 2 fe80::200:24ff:fec8:4ca8 4 key-id 55 NOTE: SNTP authentication has been enabled and a key-id of 55 has been created. In this example, the include-credentials command has not been executed and is not present in the configuration file.
  • Page 48: SNTP Unicast Time Polling With Multiple SNTP Servers

    If include-credentials is configured, the SNTP authentication configuration is saved in the configuration file. When the show config command is entered, all of the information that has been configured for SNTP authentication displays, including the key-values. Figure 2: Saved SNTP Authentication information when include-credentials is configured SNTP unicast time polling with multiple SNTP servers When running SNTP unicast time polling as the time synchronization method, the switch requests a time update from the server you configured with either the Server Address parameter in the menu interface, or the primary...
  • Page 49: Adding And Deleting SNTP Server Addresses

    Default Gateway : 10.0.9.80 VLAN Name MAC Address | IP Address ------------ ------------------- + ------------------- DEFAULT_VLAN 001279-88a100 | Disabled VLAN10 001279-88a100 | 10.0.10.17 Adding and deleting SNTP server addresses Adding addresses As mentioned earlier, you can configure one SNTP server address using either the Menu interface or the CLI. To configure a second and third address, you must use the CLI.
  • Page 50: Commands

    Before synchronizing, NTP compares the time reported by several network devices and does not synchronize with one that is significantly different, even if it is a stratum 1. The security features of NTP can be used to avoid the accidental or malicious setting of incorrect time. One such mechanism is available: an encrypted authentication mechanism.
  • Page 51: ntp enable

    Disables NTP and removes the entire NTP configuration. Options authentication Configure NTP authentication. broadcast Operate in broadcast mode. enable Enable/disable NTP. max-association Maximum number of Network Time Protocol (NTP) associations. server Configure a NTP server to poll for time synchronization. trap Enable/disable NTP traps.
  • Page 52: ntp authentication key-id

    ntp authentication key-id <KEY-ID> [authentication-mode <MODE> key-value <KEY- STRING>] [trusted] Parameters/Options key-id <id> Sets the key-id for the authentication key. Subcommands authentication-mode Sets the NTP authentication mode key-value <KEY-STRING> Sets the key-value for the authentication key. [trusted] Sets the authentication key as trusted. Example Switch(config)# ntp Authentication...
  • Page 53: ntp max-association

    Description The NTP client authenticates the NTP server. Options authentication-mode Set the NTP authentication mode. • md5: Authenticate using MD5. • sha1: Authenticate using SHA1. trusted Set this authentication key as trusted. ntp max-association This command is used to configure the maximum number of servers associated with this NTP client. Syntax ntp max-association <number>...
  • Page 54 Syntax [no] ntp server ntp server <IP-ADDR|IPv6-ADDR> [key <key-id>] [oobm] [max-poll <max-poll-val>][min-poll <min-poll-val>][burst | iburst] [version <1-4>] Parameters/Options [no] Removes the unicast NTP configurations on the device. Subcommands IP-ADDR Sets the IPv4 address of the NTP server. IPV6-ADDR Sets the IPv6 address of the NTP server. key <key-id>...
  • Page 55: ntp server key-id

    switch(config)# ntp server <IP-ADDR> key key-id Max-poll Configure the maximum time intervals in seconds. switch(config)# ntp server <IP-ADDR> key key-id max-poll <4-17> Enter an integer number. Switch(config)# ntp server <IP-ADDR> key key-id Min-poll Configure the minimum time intervals in seconds. switch(config)# ntp server <IP-ADDR>...
  • Page 56: ntp ipv6-multicast

    key-id Set the authentication key to use for this server. max-poll <max-poll-val> Configure the maximum time intervals in seconds. min-poll <min-poll-val> Configure the minimum time intervals in seconds. ntp ipv6-multicast This command is used to configure NTP multicast on a VLAN interface. Syntax ntp ipv6-multicast Description...
  • Page 57 Syntax ntp trap <trap-name> Description Enable NTP traps. Use [no] to disable NTP traps. Options ntp-mode-change Trap name resulting in send notification when the NTP entity changes mode, including starting and stopping (if possible). ntp-stratum-change Trap name resulting in send notification when stratum level of NTP changes. ntp-peer-change Trap name resulting in send notification when a (new) syspeer has been selected.
  • Page 58: show ntp statistics

    - 'ntpEntNotifConfigChanged' The notification to be sent when the NTP configuration has changed. - 'ntpEntNotifLeapSecondAnnounced' The notification to be sent when a leap second has been announced. - 'ntpEntNotifHeartbeat' The notification to be sent periodically (as defined by ntpEntHeartbeatInterval) to indicate that the NTP entity is still alive. - 'ntpEntNotifAll' The notification to be sent when all traps have been enabled show ntp statistics This command is used to show NTP statistics.
  • Page 59: show ntp associations

    Precision : 2**7 Root Dispersion : 15.91 sec NTP Uptime : 01d 09h 15m Time Resolution : 1 Drift : 0.000000000 sec/sec System Time : Tue Aug 25 04:59:11 2015 Reference Time : Mon Jan 1 00:00:00 1990 show ntp associations Syntax show ntp associations [detail <IP-ADDR>]...
  • Page 60: show ntp authentication

    Filter Delay = 4.23 4.14 2.41 5.95 2.37 2.33 4.26 4.33 Filter Offset = -8.59 -8.82 -9.91 -8.42 -10.51 -10.77 -10.13 -10.11 show ntp authentication Syntax Description Show the authentication status and other information about the authentication key. show ntp authentication Switch(config)# show ntp authentication NTP Authentication Information Key-ID...
  • Page 61 Validation Error/Warning/Prompt If the username and the key installation user The username in the key being installed does not for that privilege do not match, a message match the username configured on the switch. displays and installation is not allowed. This will also happen when the authentication method is set for two-factor.
  • Page 62: Event Log Messages

    Event log messages Cause Event Message RMON_AUTH_TWO_FACTOR_AUTHEN_STATUS W 01/01/15 18:24:03 03397: auth: %s. Examples: W 01/01/15 18:24:03 03397: auth: Public key and username/password should be configured for the successful two-factor authentication. W 01/01/15 18:24:03 03397: auth: Username and password should be configured for the successful two-factor authentication.
  • Page 63: Precision Time Protocol (PTP)

    Event Message When NTP found a new broadcast server. A new broadcast server at %s. When system clock was updated with new time. The system clock time was changed by %ld sec %lu nsec. The new time is %s. When NTP stratum was updated. The NTP Stratum was changed from %d to %d.
  • Page 64: show ptp

    displays: Port A1 does not support IEEE 1588 end-to-end transparent mode.Use the command show ptp to identify the unsupported ports. • IEEE 1588 end-to-end transparent mode cannot be enabled on a stack. If the user attempts this, an error message like the following displays: IEEE 1588 end-to-end transparent mode cannot be enabled when stacking is enabled.
  • Page 65: Displaying Current Resource Usage

    Displaying current resource usage To display current resource usage in the switch, enter the following command: Syntax: show {<qos | access-list | policy> resources} Displays the resource usage of the policy enforcement engine on the switch by software feature. For each type of resource, the amount still available and the amount used by each software feature is shown.
  • Page 66: Viewing Information On Resource Usage

    Resource usage includes resources actually in use, or reserved for future use by the listed feature. Internal dedicated-purpose resources, such as port bandwidth limits or VLAN QoS priority, are not included. Viewing information on resource usage The switch allows you to view information about the current usage and availability of resources in the Policy Enforcement engine, including the following software features: •...
  • Page 67: Usage Notes For Show Resources Output

    ◦ Mirror policies per VLAN through the CLI using monitor service ◦ Jumbo IP-MTU • When the following features are configured per-port, resource usage is applied only to the slot or port group on which the feature is configured: ◦ ACLs or QoS applied per-port or per-user through RADIUS authentication ◦...
  • Page 68 mirroring policies if a policy has not been applied to an interface. However, sufficient resources must be available when you apply a configured policy to an interface. ◦ Acceptance of new RADIUS-based client authentication requests (displayed as a new resource entry for IDM). Failure to authenticate a client that presents valid credentials may indicate that insufficient resources are available for the features configured for the client in the RADIUS server.
  • Page 69: Chapter 3 Port Status And Configuration

    Chapter 3 Port Status and Configuration Viewing port status and configuring port parameters Connecting transceivers to fixed-configuration devices If the switch either fails to show a link between an installed transceiver and another device or demonstrates errors or other unexpected behavior on the link, check the port configuration on both devices for a speed and/or duplex (mode) mismatch.
  • Page 70 Status or Description parameter Mode The port's speed and duplex (data transfer operation) setting. 10/100/1000Base-T Ports: • Auto-MDIX (default): Senses speed and negotiates with the port at the other end of the link for port operation (MDI-X or MDI). To see what the switch negotiates for the auto setting, use the CLI show interfaces brief command.
  • Page 71: Viewing Port Status And Configuration (Cli)

    Status or Description parameter 10-Gigabit CX4 Copper Ports: 10-Gigabit SC Fiber-Optic Ports (10-GbE SR, 10-GbE LR, 10-GbE ER): Auto: The port operates at 10 gigabits FDx and negotiates flow control. Lower speed settings or half-duplex are not allowed. NOTE: Conditioning patch cord cables are not supported on 10-GbE. Auto-MDIX The switch supports Auto-MDIX on 10Mb, 100Mb, and 1 Gb T/TX (copper) ports.
  • Page 72: Dynamically Updating The Show Interfaces Command (Cli/Menu)

    brief Lists the current operating status for all ports on the switch. config Lists a subset of configuration data for all ports on the switch; that is, for each port, the display shows whether the port is enabled, the operating mode, and whether it is configured for flow control. <port-list>...
  • Page 73: Customizing The Show Interfaces Command (Cli)

    When using the display option in the CLI, the information stays on the screen and is updated every 3 seconds, as occurs with the display using the menu feature. The update is terminated with Cntl-C. You can use the arrow keys to scroll through the screen when the output does not fit in one screen. Figure 3: show interfaces display command with dynamically updating output Customizing the show interfaces command (CLI) You can create show commands displaying the information that you want to see in any order you want by using...
  • Page 74: Error Messages Associated With The Show Interfaces Command

    Parameter column Displays Examples name Friendly port name vlanid The vlan id this port belongs to, or "tagged" if it 4tagged belongs to more than one vlan enabled port is or is not enabled yes or nointrusion intrusion Intrusion alert status bcast Broadcast limit The custom show interfaces command...
  • Page 75: Show Interface Smartrate

    Note on using pattern matching with the show interfaces custom command If you have included a pattern matching command to search for a field in the output of the show int custom command, and the show int custom command produces an error, the error message may not be visible and the output is empty.
  • Page 76: Operating Notes For Viewing Port Utilization Statistics

    Operating notes for viewing port utilization statistics • For each port on the switch, the command provides a real-time display of the rate at which data is received (Rx) and transmitted (Tx) in terms of kilobits per second (KBits/s), number of packets per second (Pkts/s), and utilization (Util) expressed as a percentage of the total bandwidth available.
  • Page 77: Enabling Or Disabling Ports And Configuring Port Mode (Cli)

    • For a non-Aruba switches installed transceiver, no transceiver type, product number, or part information is displayed. In the Serial Number field, non-operational is displayed instead of a serial number. • The following error messages may be displayed for a non-operational transceiver: ◦...
  • Page 78: Enabling Or Disabling Flow Control (Cli)

    If port C8 was disabled, and you wanted to enable it and configure it for 100FDx with flow-control active, you could do so with either of the following command sets: Figure 4: Two methods for changing a port configuration For more on flow control, see Enabling or disabling flow control (CLI) on page 78. Enabling or disabling flow control (CLI) NOTE: You must enable flow control on both ports in a given link.
  • Page 79 Assuming that flow control is currently disabled on the switch, you would use these commands: Figure 5: Configuring flow control for a series of ports switch(config)# int a1-a6 flow-control switch(config)# show interfaces brief Status and Counters - Port Status | Intrusion Flow Bcast Port Type...
  • Page 80: Port Shutdown With Broadcast Storm

    Port shutdown with broadcast storm A LAN broadcast storm arises when an excessively high rate of broadcast packets floods the LAN. A LAN broadcast storm disrupts traffic and degrades network performance. To prevent LAN traffic from being disrupted, an enhancement of fault-finder commands adds new options, and the corresponding MIBs, that trigger a port disablement when a broadcast storm is detected on that port.
  • Page 81: Snmp Mib

    Syntax: show fault-finder broadcast-storm [[ethernet] port-list] Examples: switch# show fault-finder broadcast-storm [A1] Port Bcast Storm Port Status Rising Action Disable Disable Threshold Timer Timer Left Down warn-and- 65535 — disable switch (config)# show fault-finder broadcast-storm Port Bcast Storm Port Status Rising Action Disable...
  • Page 82 • syntax HpicfFfBcastStormControlPortConfigEntry • max-access: not-accessible • status: current • description: This object provides information about broadcast storm control configuration of each port. • index: {hpicfffbcaststormcontrolportindex}::= {hpicfFfBcastStormControlPortConfigTable 1} hpicfFfBcastStormControlPortConfigEntry ::= Syntax sequence:hpicfFfBcastStormControlPortIndex InterfaceIndex, hpicfFfBcastStormControlMode Integer, hpicfFfBcastStormControlRisingpercent Integer32, hpicfFfBcastStormControlRisingpps Integer32, hpicfFfBcastStormControlAction Integer, hpicfFfBcastStormControlPortDisableTimer Unsigned32 hpicfFfBcastStormControlPortIndex OBJECT-TYPE •...
  • Page 83: Multicast Storm Control

    hpicfFfBcastStormControlRisingpps OBJECT-TYPE • Syntax Integer32 (1..10000000) • max-access: read-write • status: current • description: This object indicates the rising threshold for broadcast storm control. This value is in packets-per- second of received broadcast traffic. hpicfffbcaststormcontrolaction object takes action when broadcast traffic reaches this level.
  • Page 84: Fault-Finder Multicast-Storm

    fault-finder multicast-storm Syntax fault-finder multicast-storm <PORT-LIST> action {warn | warn-and-disable <Seconds>} {percent <Percent> | pps <Rate>} no fault-finder multicast-storm <PORT-LIST> action {warn | warn-and-disable <Seconds>} {percent <Percent> | pps <Rate>} Description Per-port command to configure multicast-storm. The no form of the command disables multicast-storm configuration on the port.
  • Page 85 switch(config)# fault-finder multicast-storm ethernet 1/1 action warn-and-disable 10 percent <1-100> The percentage that is considered a multicast storm. switch(config)# fault-finder multicast-storm ethernet 1/1 action warn-and-disable 10 percent 40 Per port show fault-finder output: switch(config)# show fault-finder multicast-storm 1/1 Mcast | Port Rising Disable Disable Time...
  • Page 86: Fault-Finder Multicast-Storm Action

    fault-finder multicast-storm action Syntax fault-finder multicast-storm [action {warn | warn-and-disable}] [sensitivity {low | medium | high}] no fault-finder multicast-storm [action {warn | warn-and-disable}] [sensitivity {low | medium | high}] Description Global command to configure multicast-storm. The no form of the command disables multicast-storm configuration on the port.
  • Page 87: Show Logging

    bad-driver medium warn bad-transceiver medium warn bad-cable medium warn too-long-cable medium warn over-bandwidth medium warn broadcast-storm medium warn loss-of-link medium warn duplex-mismatch-hdx medium warn duplex-mismatch-fdx medium warn multicast-storm high warn-and-disable link-flap medium warn show running-config Syntax show running-config Description Displays information about the current configuration. Command context Manager Example...
  • Page 88: Restrictions

    Description Checks the FFI multicast-storm logging message. Command context Manager Example switch# show logging Keys: W=Warning I=Information M=Major D=Debug E=Error ---- Event Log listing: Events Since Boot ---- I 01/07/90 20:22:55 00076 ports: port 3 is now on-line M 01/07/90 20:22:52 02677 FFI: port 3-Port enabled by Fault-finder. I 01/07/90 20:22:33 00077 ports: port 3 is now off-line M 01/07/90 20:22:33 02676 FFI: port 3-Re-enable after 20 seconds.
  • Page 89: Manual Override

    Manual override If you require control over the MDI/MDI-X feature, you can set the switch to either of these non-default modes: • Manual MDI • Manual MDI-X The table below shows the cabling requirements for the MDI/MDI-X settings. Table 5: Cable types for auto and manual MDI/MDI-X settings Setting MDI/MDI-X device type PC or other MDI device type...
  • Page 90: Using Friendly (Optional) Port Names

    • Where a port is linked to another device, this command lists the MDI mode the port is currently using. • In the case of ports configured for Auto (auto-mdix), the MDI mode appears as either MDI or MDIX, depending upon which option the port has negotiated with the device on the other end of the link.
  • Page 91: Configuring And Operating Rules For Friendly Port Names

    Configuring and operating rules for friendly port names • At either the global or context configuration level, you can assign a unique name to a port. You can also assign the same name to multiple ports. • The friendly port names you configure appear in the output of the show name [port-list], show config, and show interface <port-number>...
  • Page 92: Configuring The Same Name For Multiple Ports (Cli)

    Configuring the same name for multiple ports (CLI) Suppose that you want to use ports A5 through A8 as a trunked link to a server used by a drafting group. In this case you might configure ports A5 through A8 with the name "Draft-Server:Trunk." Configuring one friendly port name on multiple ports switch(config)# int a5-a8 name Draft-Server:Trunk switch(config)# write mem...
  • Page 93: Including Friendly Port Names In Per-Port Statistics Listings (Cli)

    Lists the friendly port name with its corresponding port number and port type. The show name command without a port list shows this data for all ports on the switch. Friendly port name data for all ports on the switch switch(config)# show name Port Names Port...
  • Page 94: Searching The Configuration For Ports With Friendly Port Names (Cli)

    Giants Rx Excessive Colln : 0 Total Rx Errors : 0 Deferred Tx Others (Since boot or last clear) : Discard Rx Out Queue Len Unknown Protos Rates (5 minute weighted average) : Total Rx (bps) : 3,028,168 Total Tx (bps) : 1,918,384 Unicast Rx (Pkts/sec) : 5 Unicast Tx (Pkts/sec) : 0...
  • Page 95: Uni-Directional Link Detection (Udld)

    Uni-directional link detection (UDLD) Uni-directional link detection (UDLD) monitors a link between two switches and blocks the ports on both ends of the link if the link fails at any point between the two devices. This feature is particularly useful for detecting failures in fiber links and trunks.
  • Page 96: Configuring Udld

    Configuring UDLD When configuring UDLD, keep the following considerations in mind: • UDLD is configured on a per-port basis and must be enabled at both ends of the link. See the note below for a list of switches that support UDLD. •...
  • Page 97: Changing The Keepalive Interval (Cli)

    Example: To enable UDLD on port a1, enter: switch(config)#interface a1 link-keepalive To enable the feature on a trunk group, enter the appropriate port range. For example: switch(config)#interface a1-a4 link-keepalive NOTE: When at least one port is UDLD-enabled, the switch will forward out UDLD packets that arrive on non-UDLD-configured ports out of all other non-UDLD-configured ports in the same vlan.
  • Page 98: Viewing Udld Information (Cli)

    NOTE: • You must configure the same VLANs that will be used for UDLD on all devices across the network; otherwise, the UDLD link cannot be maintained. • If a VLAN ID is not specified, UDLD control packets are sent out of the port as untagged packets. •...
  • Page 99: Viewing Detailed Udld Information For Specific Ports (Cli)

    Viewing detailed UDLD information for specific ports (CLI) Enter the show link-keepalive statistics command. Example: Figure 8: Example of show link-keepalive statistics command Clearing UDLD statistics (CLI) Enter the following command: switch# clear link-keepalive statistics This command clears the packets sent, packets received, and transitions counters in the show link-keepalive statistics display (see Figure 8: Example of show link-keepalive statistics command on page 99 for an example).
  • Page 100 For UFD functionality to work as expected, the NIC teaming must be in Network Fault Tolerance (NFT) mode. Figure 9: Teamed NICs in conjunction with UFD Figure 10: Teamed NICs with a failed uplink NOTE: The state of the LtD is purely governed by the state of the LtM, and is independent of the physical state of the ports in the LtD.
  • Page 101: Configuration Guidelines For Ufd

    Configuration Guidelines for UFD Below is a list of configuration guidelines to be followed for UFD. These are applicable only to blade switches where there is a clear distinction between downlink and uplink ports. 1. UFD is required only when uplink-path redundancy is not available on the blade switches. 2.
  • Page 102: Show Uplink-Failure-Detection

    Command context config Parameters <track_ID> Specifies the track id. <Port-List> Specifies the port list. <delay_value> Specifies the delay value. Examples Configure port A8 as LtM, port A6 as LtD, and delay value as 100 for track 1: Switch(config)# uplink-failure-detection track 1 links-to-monitor A8 links-to-disable A6 delay 100 switch(config)# show running-config Running configuration:...
  • Page 103: Error Log

    Description Shows the uplink failure detection information. Command context manager Examples switch# show uplink-failure-detection Uplink Failure Detection Information UFD Enabled : Yes Track | Monitored Links to Delay | Links Disable State State Lacp Key Lacp Key (sec) ------+---------- ----------- -------- ------- --------- ---------- ------ | Dyn1 Dyn2...
  • Page 104: Basic Usb Port Commands

    Invalid port(s) specified as links-to-monitor. • When a user specifies an invalid LtD port, a message similar to the following is displayed. Invalid port(s) specified as links-to-disable. • When a user specifies an incorrect delay value, an error message similar to the following is displayed: Delay specified does not match with the configured value of <delay value>.
  • Page 105 switch# show usb-port USB port status: enabled USB port power status: power on (USB device detected in port) Chapter 3 Port Status and Configuration...
  • Page 106: Chapter 4 Power Over Ethernet (Poe/Poe+) Operation

    Chapter 4 Power Over Ethernet (PoE/PoE+) Operation Introduction to PoE PoE technology allows IP telephones, wireless LAN access points, and other appliances to receive power and transfer data over existing ethernet LAN cabling. For more information about PoE technology, see the PoE/PoE+ planning and implementation guide, which is available on the Networking website at http://www.hpe.com/networking.
  • Page 107: Applying Security Features To Poe Configurations

    Applying security features to PoE configurations You can use the port security features built into the switch to control device or user access to the network through PoE ports in the same way as non-PoE ports. Using Port Security, you can configure each switch port with a unique list of MAC addresses for devices that are authorized to access the network through that port.
  • Page 108: Pd Support

    • Disable or re-enable per-port PoE operation on individual ports to help control power usage and avoid oversubscribing PoE resources. • Configure per-port priority for allocating power in case a PoE device becomes oversubscribed and must drop power for some lower-priority ports to support the demand on other, higher-priority ports. •...
  • Page 109: How Is Power Allocation Prioritized

    priority ports to meet the power demand on other, higher-priority ports. This operation occurs regardless of the order in which PDs connect to the switch’s PoE-enabled ports. How is power allocation prioritized? There are two ways that PoE power is prioritized: •...
  • Page 110: Configuring The Poe Port Priority

    NOTE: The default setting for the pre-std-detect PoE parameter changed. In earlier software the default setting is “on”. The default setting is “off”. Configuring the PoE port priority Syntax: interface <port-list> power-over-ethernet [critical | high | low] Reconfigures the PoE priority level on <port-list>. For a given level, ports are prioritized by port number in ascending order.
  • Page 111: Manually Configuring Poe Power Levels

    Table 7: Power classes and their values Power Value class Depends on cable type and PoE architecture. Maximum power level output of 15.4 watts at the PSE. This is the default class; if there is not enough information about the load for a specific classification, the PSE classifies the load as class 0 (zero).
  • Page 112: Configuring Poe Redundancy

    To view the settings, enter the show power-over-ethernet command, shown in Figure 11: PoE allocation by value and the maximum power delivered on page 112. Figure 11: PoE allocation by value and the maximum power delivered switch(config)# show power-over-ethernet A6 Status and Counters - Port Power Status for port A6 Power Enable : Yes...
  • Page 113: Changing The Threshold For Generating A Power Notice

    Allows you to set the amount of power held in reserve for redundancy. Means that all available power can be allocated to PDs. Default: No PoE redundancy enforced. One of the power supplies is held in reserve for redundancy. If a single power supply fails, no powered devices are shut down. If power supplies with different ratings are used, the highest-rated power supply is held in reserve to ensure full redundancy.
  • Page 114: Poe/Poe+ Allocation Using Lldp Information

    With this setting, if module B is allocated 100 watts of PoE power and is using 68 watts, and then another PD is connected to the module in slot B that uses 8 watts, the 70% threshold of 70 watts is exceeded. The switch sends an SNMP trap and generates this Event Log message: Slot B POE usage has exceeded threshold of 70%.
  • Page 115: Enabling Or Disabling Ports For Allocating Power Using Lldp

    Enabling or disabling ports for allocating power using LLDP Syntax: int <port-list> poe-lldp-detect [enabled | disabled] Enables or disables ports for allocating PoE power based on the link-partner's capabilities via LLDP. Default: Disabled Example: You can enter this command to enable LLDP detection: switch(config) # int A7 poe-lldp-detect enabled or in interface context: switch(eth-A7) # poe-lldp-detect enabled...
  • Page 116: Viewing Poe When Using Lldp Information

    Allows the data link layer to be used for power negotiation between a PD on a PoE port and LLDP. Default: Disabled Example: You can enter this command to enable LLDP detection: switch(config) # int 7 PoE-lldp-detect enabled or in interface context: switch(eth-7) # PoE-lldp-detect enabled NOTE: Detecting PoE information via LLDP affects only power delivery;...
  • Page 117 LLCP Port Configuration Detail Port : 4 AdminStatus [Tx_Rx] : Tx_Rx NotificationsEnabled [False] : False Med Topology Trap Enabled [False] : False TLVS Advertised: * port_descr * system_name * system_descr * system_cap * capabilities * network_policy * location_id * poe * macphy_config * poeplus_config IpAddress Advertised:...
  • Page 118: Operating Note

    System Descr : Switch 3500-24, revision W.14.xx PortDescr : 23 Pvid : 55 System Capabilities Supported : bridge, router System Capabilities Enabled : bridge Remote Management Address Type : ipv4 Address : 10.0.102.198 Poe Plus Information Detail Poe Device Type : Type2 PD Power Source : Only PSE...
  • Page 119: Viewing Poe Status On All Ports

    Displays PoE information for each port. See Viewing PoE status on all ports on page brief 119. Displays PoE information for the ports in port-list. See Viewing the PoE status on <port-list> specific ports on page 121. Displays PoE information for the selected slots. See Showing the PoE information by <slot-id- slot). Enter the all option to display the PoE information for all slots.
  • Page 120 The maximum amount of PoE power allocated for that port (expressed in watts). Default: 17 Alloc Power watts for PoE; 33 watts for PoE+. The power actually being used on that port. Actual Power If configured, shows the user-specified identifier for the port. If not configured, this field is Configured Type empty.