HP ProCurve J8766A Release Note

Version L.11.09 Software
for the ProCurve Series 4200vl Switches
Release L.11.09 supports these switches:
ProCurve Switch 4204vl (J8770A), 4208vl (J8773A), 4202vl-72 (J8772A), 4202vl-48G (J8771A),
4204vl-48GS (J9064A), 4208vl-72GS (J9030A), 4208vl-96 (J8775A), and 4208vl-64G (J8774A).
These release notes include information on the following:
Downloading switch software and documentation from the Web (page 1)
Support added for the ProCurve J8766A 10-GbE X2 vl Module (page 7)
Clarification of operating details for certain software features (page 8)
A listing of software enhancements in this release (page 18)
A listing of software fixes included in releases L.10.01 through L.11.09 (page 106)
Security Note:
Downloading and booting software release L.10.20 or greater for the first time automatically enables
SNMP access to the hpSwitchAuth MIB objects. If this is not desirable for your network, ProCurve
recommends that you disable it after downloading and rebooting with the latest switch software. For more
information, refer to "Using SNMP To View and Configure Switch Authentication Features" on page 51.
Related Publications
For the latest version of any of the publications listed below, visit the ProCurve Networking Web site
at www.procurve.com. Click on Technical support, then Product manuals.
Management and Configuration Guide* (part number 5990-6050)
Advanced Traffic Management Guide* (part number 5990-6051)
Access Security Guide* (part number 5990-6052)
*Covers the ProCurve Series 6400cl, Series 5300xl, Series 4200vl, and Series 3400cl switches.


   Summary of Contents for HP ProCurve J8766A

  • Page 1: Release Notes

    4204vl-48GS (J9064A), 4208vl-72GS (J9030A), 4208vl-96 (J8775A), and 4208vl-64G (J8774A). These release notes include information on the following: ■ Downloading switch software and documentation from the Web Support added for the ProCurve J8766A 10-GbE X2 vl Module ■ Clarification of operating details for certain software features ■...

  • Page 2

    The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.

  • Page 3: Table Of Contents

    ProCurve Switch, Routing Switch, and Router Software Keys ....... 6...

  • Page 4: Table Of Contents

    Spanning Tree BPDU Protection ........... 49 Using SNMP To View and Configure Switch Authentication Features ....51 TCP/UDP Port Closure .

  • Page 5: Table Of Contents

    Rebooting and Reloading the Switch ........

  • Page 6: Table Of Contents

    Release L.10.23 ..............113 Release L.10.24 .

  • Page 7: Software Management, Software Updates, Downloading Switch Documentation And Software From The Web

    Check the ProCurve Networking Web site frequently for free software updates for the various ProCurve switches you may have in your network. Downloading Switch Documentation and Software from the Web You can download software updates and the corresponding product documentation from the ProCurve Networking Web site as described below.

  • Page 8: Downloading Software To The Switch

    This section describes how to use the CLI to download software to the switch. You can also use the menu interface for software downloads. For more information, refer to the Management and...

  • Page 9: Tftp Download From A Server

    When the switch finishes downloading the software file from the server, it displays the progress message shown in figure 1. When the CLI prompt re-appears, the switch is ready to reboot to activate the downloaded software: Figure 1. Message Indicating the Switch Is Ready To Activate the Downloaded Software...

  • Page 10: Xmodem Download From A Pc Or Unix Workstation

    To reduce the download time, you may want to increase the baud rate in your terminal emulator and in the switch to a value such as 115200 bits per second. (The baud rate must be the same in both devices.) For example, to change the baud rate in the switch to 115200, execute this...

  • Page 11: Saving Configurations While Using The Cli

    When you use the CLI to make a configuration change, the switch places the change in the running- config file. If you want to preserve the change across reboots, you must save the change to the startup- config file.

  • Page 12: Procurve Switch, Routing Switch, And Router Software Keys

    ProCurve Wireless Edge Services zl Module and the ProCurve Redundant Wireless Services zl Module. numeric: Switch 9408sl, Switch 9300 Series (9304M, 9308M, and 9315M), Switch 6208M-SX and Switch 6308M-SX (uses the software version number only; no alphabetic prefix. For example 07.6.04.)

  • Page 13: Minimum Software Versions For Series 4200vl Switch, Os/web/java Compatibility Table

    J9033A ProCurve Switch vl 20-port Gig-T + 4-port SFP Module; J9064A ProCurve Switch 4204vl-48GS 44 10/100/1000 + 4 SFP; J8766A ProCurve Switch vl 10-GbE X2 Module. OS/Web/Java Compatibility Table: The switch web agent supports the following combinations of OS browsers and Java Virtual Machines: Operating System / Internet Explorer: Windows NT 4.0 SP6a...

  • Page 14: Enforcing Switch Security, Switch Management Access Security, Default Settings Affecting Security

    Since security incidents can originate with sources inside as well as outside of an organization, your switch and network access security provisions must protect against internal and external threats while preserving the necessary network access for authorized clients and uses.

  • Page 15: Local Manager Password, Inbound Telnet Access And Web Browser Access, Secure File Transfers

    In the default configuration, there is no password protection. Configuring a local Manager password is a fundamental step in reducing the possibility of unauthorized access through the switch’s web browser and console (CLI and Menu) interfaces. The Manager password can easily be set using the CLI password manager command, the Menu interface Console Passwords option, or the password options under the Security tab in the web browser interface.

  • Page 16: Snmp Access (simple Network Management Protocol)

    An SNMP networked device management application such as ProCurve Manager Plus (PCM+) or HP OpenView can access the switch’s management information base (MIB) for read access to the switch’s status and read/write access to the switch’s configuration. In earlier software versions, SNMP access to the switch’s authentication configuration (hpSwitchAuth) MIB was not allowed.

  • Page 17: Physical Access To The Switch

    • Disable SNMP version 2c on the switch. Refer to “Using SNMP Tools To Manage the Switch” in the chapter titled “Configuring for Network Management Applications” in the Management and Configuration Guide for your switch. Physical Access to the Switch: Physical access to the switch allows the following: ■...

  • Page 18: Other Provisions For Management Access Security

    RADIUS Authentication. For each authorized client, RADIUS can be used to authenticate operator or manager access privileges on the switch via the serial port (CLI and Menu interface), Telnet, SSH, and Secure FTP/Secure Copy (SFTP/SCP) access methods.

  • Page 19: Network Access Security, Access Control Lists (acls), Web And Mac Authentication

    It also means the same credentials can be used for authentication, regardless of which switch or switch port is the current access point into the LAN. Web authentication uses a web page login to authenticate users for access to the network.

  • Page 20: Secure Shell (ssh), Secure Socket Layer (sslv3/tlsv1), Traffic/security Filters

    ■ client public-key authentication: uses one or more public keys (from clients) that must be stored on the switch. Only a client with a private key that matches a stored public key can gain access to the switch. ■...

  • Page 21: X Access Control

    This feature provides port-based or client-based authentication through a RADIUS server to protect the switch from unauthorized access and to enable the use of RADIUS-based user profiles to control client access to network services. Included in the general features are the following: client-based access control supporting up to 32 authenticated clients per-port ■...

  • Page 22: Port Security, Mac Lockdown, Mac Lockout, And Ip Lockdown, Key Management System (kms)

    MAC lockdown: This “static addressing” feature is used as an alternative to port security to prevent station movement and MAC address “hijacking” by allowing a given MAC address to use only one assigned port on the switch. MAC lockdown also restricts the client device to a specific VLAN.

  • Page 23: Connection-rate Filtering Based On Virus-throttling Technology

    KMS provides specific instances of routing protocols with one or more Send or Accept keys that must be active at the time of a request. Refer to the chapter titled “Key Management System” in the Access Security Guide for your switch model.

  • Page 24: Enhancements, Release L.10.02 Enhancements, Mstp Default Path Cost Controls, Release L.10.03 Enhancements

    Enhancements: Unless otherwise noted, each new release includes the enhancements added in all previous releases. Enhancements are listed in chronological order, oldest to newest software release. To review the list of enhancements included since the last general release that was published, begin with “L.10.25 Enhancements”...

  • Page 25: Release L.10.04 Enhancements

    “IP Routing Features” in the Advanced Traffic Management Guide for your switch. When the routing switch is used as a DHCP relay agent with Option 82 enabled, it inserts a relay agent information option into client-originated DHCP packets being forwarded to a DHCP server. The option automatically includes two suboptions: ■...

  • Page 26

    MAC address that is assigned to all VLANs configured on the routing switch.) (Default: mac) Example In the routing switch shown below, option 82 has been configured with mgmt-vlan for the Remote ID. ProCurve(config)# dhcp-relay option 82 append mgmt-vlan DHCP Server “A”...

  • Page 27: Release L.10.05 Enhancements, Release L.10.06 Enhancements, Show Sflow Commands

    ID suboption, the routing switch dynamically adjusts to the new IP addressing for all future DHCP requests. The Management VLAN and all other VLANs on the routing switch use the same MAC address. ■ Release L.10.05 Enhancements No enhancements, software fixes only.

  • Page 28

    The agent packages data into datagrams that are forwarded to a central data collector. sFlow destination — The central data collector that gathers datagrams from sFlow-enabled switch ports on the network. The data collector decodes the packet headers and other information to present detailed Layer 2 to Layer 7 usage statistics.

  • Page 29

    The show sflow sampling-polling command displays information about sFlow sampling and polling on the switch. You can specify a list or range of ports for which to view sampling information. ProCurve# show sflow sampling-polling 1-5...

  • Page 30: Release L.10.07 Enhancements, Uni-directional Link Detection (udld)

    Figure 6. UDLD Example In this example, each ProCurve switch load balances traffic across two ports in a trunk group. Without the UDLD feature, a link failure on a link that is not directly attached to one of the ProCurve switches remains undetected.

  • Page 31

    UDLD-enabled port. When a port is blocked by UDLD, the event is recorded in the switch log or via an SNMP trap (if configured); and other port blocking protocols, like spanning tree or meshing, will not use the bad link to load balance packets.

  • Page 32

    ProCurve(config)# interface a1-a4 link-keepalive Note: When at least one port is UDLD-enabled, the switch will forward UDLD packets that arrive on non-UDLD-configured ports out of all other non-UDLD-configured ports in the same VLAN. That is, UDLD control packets will “pass through” a port that is not configured for UDLD. However, UDLD...

  • Page 33

    If an untagged UDLD packet is received by a non-ProCurve switch, that switch may reject the packet. To avoid such an occurrence, you can configure ports to send out UDLD control packets that are tagged with a specified VLAN.

  • Page 34: Viewing Udld Information

    Syntax: show link-keepalive
    Displays all the ports that are enabled for link-keepalive.
    Syntax: show link-keepalive statistics
    Displays detailed statistics for the UDLD-enabled ports on the switch.
    Syntax: clear link-keepalive statistics
    Clears UDLD statistics. This command clears the packets sent, packets received, and transitions counters in the show link-keepalive statistics display.

  • Page 35

    Displaying Detailed UDLD Status Information. To display detailed UDLD information for specific ports, enter the show link-keepalive statistics command. For example: ProCurve(config)# show link-keepalive statistics Port: Current State: Udld Packets Sent: Udld Packets Received: 1000 Port Blocking: Port: Current State: Udld Packets Sent: Udld Packets Received: 450 Port Blocking:...

  • Page 36: Configuration Warnings And Event Log Messages

    VLAN configuration. Note: If you are configuring the switch via SNMP with the same problematic VLAN configuration choices, the above warning messages will also be logged in the switch’s event log. Event Log Messages. The following table shows the event log messages that may be generated once UDLD has been enabled on a port.

  • Page 37: Release L.10.08 Enhancements, Configuring 802.1x Controlled Directions

    ■ The 802.1s Multiple Spanning Tree Protocol (MSTP) or 802.1w Rapid Spanning Tree Protocol (RSTP) is enabled on the switch. MSTP and RSTP improve resource utilization while maintaining a loop-free network. For information on how to configure the prerequisites for using the aaa port-access controlled-directions in command, see Chapter 4, “Multiple Instance Spanning-Tree Operation”...

  • Page 38

    Wake-on-LAN traffic on unauthenticated egress ports that are configured for 802.1X. Because a port can be configured for more than one type of authentication to protect the switch from unauthorized access, the last setting you configure with the aaa port-access controlled-directions command is applied to all authentication methods configured on the switch.

  • Page 39: Release L.10.09 Enhancements, Dhcp Snooping Overview, Enabling Dhcp Snooping

    DHCP clients on the network. DHCP snooping accomplishes this by allowing you to distinguish between trusted ports connected to a DHCP server or switch and untrusted ports connected to end-users. DHCP packets are forwarded between trusted ports without inspection. DHCP packets received on other switch ports are inspected before being forwarded.

  • Page 40

    ProCurve(config)# dhcp-snooping Use the no form of the command to disable DHCP snooping. Syntax: [no] dhcp-snooping [authorized-server | database | option | trust | verify | vlan] authorized-server: Enter the IP address of a trusted DHCP server.

  • Page 41

    To display the DHCP snooping configuration, enter this command: ProCurve(config)# show dhcp-snooping An example of the output is shown below. ProCurve(config)# show dhcp-snooping DHCP Snooping Information DHCP Snooping Enabled Vlans Verify MAC Option 82 untrusted policy : drop Option 82 Insertion Option 82 remote-id Store lease database : Not configured Port...

  • Page 42: Enabling Dhcp Snooping On Vlans, Configuring Dhcp Snooping Trusted Ports

    Enabling DHCP Snooping on VLANs: DHCP snooping on VLANs is disabled by default. To enable DHCP snooping on a VLAN or range of VLANs, enter this command: ProCurve(config)# dhcp-snooping vlan <vlan-id-range> You can also use this command in the vlan context, in which case you cannot enter a range of VLANs for snooping.

  • Page 43: Configuring Authorized Server Addresses

    ProCurve(config)# dhcp-snooping trust B1-B2 ProCurve(config)# show dhcp-snooping DHCP Snooping Information DHCP Snooping Enabled Vlans Verify MAC Option 82 untrusted policy : drop Option 82 Insertion Option 82 remote-id Store lease database : Not configured Port Trust ----- ----- Figure 13. Example of Setting Trusted Ports DHCP server packets are forwarded only if received on a trusted port;...

  • Page 44: Using Dhcp Snooping With Option 82

    (See the preceding section Configuring DHCP Relay for more information on Option 82.) When DHCP is enabled globally and also enabled on a VLAN, and the switch is acting as a DHCP relay, the settings for the DHCP relay Option 82 command are ignored when snooping is controlling Option 82 insertion.

  • Page 45

    If DHCP snooping is enabled on a switch where an edge switch is also using DHCP snooping, it is desirable to have the packets forwarded so the DHCP bindings are learned. To configure the policy for DHCP packets from untrusted ports that already have Option 82 present, enter this command in the global configuration context.

  • Page 46

    Changing the Remote-id from a MAC to an IP Address By default, DHCP snooping uses the MAC address of the switch as the remote-id in Option 82 additions. The IP address of the VLAN the packet was received on or the IP address of the...

  • Page 47: The Dhcp Binding Database

    Lease time The switch can be configured to store the bindings at a specific URL so they will not be lost if the switch is rebooted. If the switch is rebooted, it will read its binding database from the specified location.

  • Page 48

    Figure 17. Example Showing DHCP Snooping Binding Database Contents Note If a lease database is configured, the switch drops all DHCP packets until the lease database is read. This only occurs when the switch reboots and is completed quickly. If the switch is unable to read the lease database from the tftp server, it waits until that operation times out and then begins forwarding DHCP packets.

  • Page 49

    Log Messages Server <ip-address> packet received on untrusted port <port-number> dropped. Indicates a DHCP server on an untrusted port is attempting to transmit a packet. This event is recognized by the reception of a DHCP server packet on a port that is configured as untrusted. Ceasing untrusted server logs for %s.

  • Page 50: Release L.10.10 Enhancements, Release L.10.11 Enhancements

    Release L.10.10 includes the following enhancements: ■ Enhancement (PR_1000351445) — The “show tech transceiver” CLI command output now contains the HP part number and revision information for all transceivers on the switch. Release L.10.11 Enhancements: No enhancements, software fixes only.

  • Page 51: Release L.10.20 Enhancements

    SNMP Traps. See “Spanning Tree Per-Port BPDU Filtering” on page 46. ■ Enhancement (PR_1000346164) — When this feature is enabled on a port, the switch will disable (drop link) a port that receives a spanning tree BPDU, log a message, and optionally send an SNMP TRAP.

  • Page 52: Spanning Tree Per-port Bpdu Filtering, Configuring Stp Bpdu Filters

    All other ports will maintain their role. Here are some sample scenarios in which this feature may be used: ■ To have STP operations running on selected ports of the switch rather than every port of the switch at a time.

  • Page 53

    Viewing Status of BPDU Filtering: The show spanning-tree <port-list> detail command has been extended to show per-port BPDU filter mode as shown below. ProCurve# show spanning-tree a9 detail Status and Counters - CST Port(s) Detailed Information Port Status BPDU Filtering Errant BPDUs received MST Region Boundary External Path Cost...

  • Page 54

    The show spanning-tree command has also been extended to display BPDU filtered ports.
    ProCurve# show spanning-tree
    Multiple Spanning Tree (MST) Information
    STP Enabled : Yes
    Force Version : MSTP-operation
    IST Mapped VLANs : 1-7
    Protected Ports :
    Filtered Ports : A6-A7
    Figure 19.

  • Page 55: Spanning Tree Bpdu Protection

    BPDU messages are exchanged across bridges to detect loops in a network topology. The loops are then removed by placing redundant switch ports in a backup, or blocked, state.

  • Page 56

    Note: The switches covered in these Release Notes use the IEEE 802.1s Multiple Spanning Tree Protocol (MSTP) standard. Under standard settings, your MSTP-configured switch interoperates effectively with both STP (IEEE 802.1D) and RSTP (IEEE 802.1w) spanning-tree devices. For more information, refer to the chapter entitled Multiple Instance Spanning-Tree Operation in the Advanced Traffic Management Guide for your switch.

  • Page 57: Using Snmp To View And Configure Switch Authentication Features

    Figure 23. Example of BPDU Protection Additions to Show Spanning Tree Command Using SNMP To View and Configure Switch Authentication Features In earlier software releases, SNMP MIB object access has not been available for switch authentication configuration (hpSwitchAuth) features. Beginning with software release L.10.20, the 4200 switches...

  • Page 58

    To help prevent unauthorized access to the switch’s authentication MIB, ProCurve recommends enhancing security according to the guidelines under If you do not want to use SNMP access to the switch’s authentication configuration MIB, then you should use the snmp-server mib hpswitchauthmib excluded command to disable this access, as described in the next section.

  • Page 59

    The output for this command has been enhanced to display the current access status of the switch’s authentication configuration MIB in the Excluded MIBs field. For example, to disable SNMP access to the switch’s authentication MIB and then display the result in the Excluded MIB field, you would execute the following two commands.

  • Page 60: Tcp/udp Port Closure

    1507 Stacking (SNMP) To open any of these ports, the respective services must first be enabled on the switch. For information on how to enable/disable these services, refer to the following command listings. For details on each service, refer to the latest version of the switch’s software documentation available on the ProCurve Networking Web site.

  • Page 61

    Enables, disables, or configures Routing Internet Protocol (RIP) on the switch. (Default: disabled) Note: The router rip command exists in previous software versions. In this implementation, however, RIP must be enabled in order to open the port on the switch...

  • Page 62: Instrumentation Monitor

    Enables stacking (SNMP) on the switch. (Default: disabled) Note The stack command exists in previous software versions. In this implementation, however, both stacking and SNMP must be enabled to open the port on the switch. If either feature is disabled, the port will remain closed. Instrumentation Monitor The 3400cl switches have instrumentation to monitor many operating parameters at pre-determined intervals.

  • Page 63

    Parameter Name / Description:
    mac-moves/min: The average number of MAC address moves from one port to another per minute. This usually indicates a network loop, but can also be caused by DoS attacks.
    learn-discards/min: Number of MAC address learn events per minute discarded to help free CPU resources when busy.

  • Page 64

    (Default threshold setting when instrumentation monitoring is enabled: enabled) [all]: Enables/disables all counter types on the switch but does not enable/disable instrumentation monitor logging. (Default threshold setting when enabled: see parameter listings below) [arp-requests]: The number of ARP requests that are processed each minute.

  • Page 65

    To enable instrumentation monitor using the default parameters and thresholds, enter the general instrumentation monitor command. To adjust specific settings, enter the name of the parameter that you wish to modify, and revise the threshold limits as needed.
    Examples: To turn on monitoring and event log messaging with the default medium values: ProCurve(config)# instrumentation monitor
    To turn off monitoring of the system delay parameter: ProCurve(config)# no instrumentation monitor system-delay...

  • Page 66: Adding Snmpv3 Users With Aes

    If you add an SNMPv3 user without authentication and/or privacy to a group that requires either feature, the user will not be able to access the switch. Ensure that you add a user with the appropriate security level to an existing security group.

  • Page 67: Configuring Loop Protection, Snmpv3 User Commands

    When the switch sends out a loop protocol packet and then receives the same packet on a port that has send-disable configured, it shuts down the port from which the packet was sent.

  • Page 68

    [transmit-interval <1-10>] | [disable-timer <0-604800>] | [trap <loop-detected>] Allows you to configure per-port loop protection on the switch. [receiver-action <send-disable | no-disable>] Sets the action to be taken when a loop is detected on the port. The port that received the loop protection packet determines what action is taken.

  • Page 69: Release L.10.23 Enhancements

    • J8768A - ProCurve Switch vl 24-port Gig-T Module
    • J9030A - ProCurve Switch 4208vl-72GS 68 10/100/1000 + 4 SFP
    • J9033A - ProCurve Switch vl 20-port Gig-T + 4-port SFP Module
    • J9064A - ProCurve Switch 4204vl-48GS 44 10/100/1000 + 4 SFP : Enabled...

  • Page 70: Release L.10.24 Enhancements, Configuring The Source Ip Address For Snmp Requests And Traps

    Configuring the Source IP Address for SNMP Requests and Traps The switch uses the interface IP address as the source IP address in the IP header when sending a response to SNMP requests. For multi-netted interfaces, the source IP address is the outgoing interface IP address, which may be different from the IP address in the destination field of the IP header of the request.

  • Page 71: Release L.10.25 Enhancements, Release L.10.26 Enhancements, Release L.10.27 Enhancements

    [no] snmp-server trap-source [ IP-ADDR | loopback<0-7>] Allows you to specify the source IP address for the trap PDU. The no form of the command resets the switch to the default behavior (compliant with rfc-1517). Default: Interface IP address. IP-ADDR: The user-specified IP address that will be used as the source IP address in the generated trap.

  • Page 72: Release L.10.28 Enhancements, Dynamic Arp Protection

    Dynamic ARP Protection Introduction On the VLAN interfaces of a routing switch, dynamic ARP protection ensures that only valid ARP requests and responses are relayed or used to update the local ARP cache. ARP packets with invalid IP-to-MAC address bindings advertised in the source protocol address and source physical address fields are discarded.

  • Page 73

    The DHCP binding database is used to validate packets by other security features on the switch. If you have already enabled DHCP snooping on a switch, you may also want to add static IP-to-MAC address bindings to the DHCP snooping database so that ARP packets from devices that have been assigned static IP addresses are also verified.

  • Page 74

    You must configure trusted ports carefully. For example, in the topology in Figure 2, Switch B may not see the leased IP address that Host 1 receives from the DHCP server. If the port on Switch B that is connected to Switch A is untrusted and if Switch B has dynamic ARP protection enabled, it will see ARP packets from Host 1 as invalid, resulting in a loss of connectivity.

  • Page 75

    To configure one or more Ethernet interfaces that handle VLAN traffic as trusted ports, enter the arp protect trust command at the global configuration level. The switch does not check ARP requests and responses received on a trusted port. Syntax: [no] arp protect trust <port-list>...

  • Page 76

    An example of the ip source binding command is shown here: ProCurve(config)# ip source binding 0030c1-7f49c0 interface vlan 100 10.10.20.1 interface A4 Note: The ip source binding command is the same command used by the Dynamic IP Lockdown feature to configure static bindings.

  • Page 77

    Verifying the Configuration of Dynamic ARP Protection To display the current configuration of dynamic ARP protection, including the additional validation checks and the trusted ports that are configured, enter the show arp protect command: ProCurve(config)# show arp protect ARP Protection Information Enabled Vlans : 1-4094 Validate...

  • Page 78: Release L.11.08 Enhancements

    SNMP. For security considerations related to this feature, see “Using SNMP To View and Configure Switch Authentication Features” on page ■ Enhancement — Support has been added for the ProCurve Switch 4200vl Series single-port 10-GbE module (J8766A). See page ■ Enhancement (PR_1000415155) —...

  • Page 79: Operating Rules For 4200vl Series 10-gbe Port Trunks

    10-GbE Trunk rules:
    ■ Supports a maximum of 2 ports per trunk
    ■ The 4200vl switch chassis supports a maximum of four (4) 10-GbE modules
    ■ Media: For proper trunk operation, all ports on both ends of a trunk group must have the same media type and mode (speed and duplex).

  • Page 80: Arp Age Timer Increase

    ARP Age Timer Increase The ARP age is the amount of time the switch keeps a MAC address learned through ARP in the ARP cache. The switch resets the timer to zero each time the ARP entry is refreshed and removes the entry...

  • Page 81

    (approximately 3.2 years). An arp-age value of 0 (zero) is stored in the configuration file to indicate that “infinite” has been configured. This value also displays with the show commands and in the menu display (Menu > Switch Configuration > IP Config).

  • Page 82

    Figure 9. Example Showing IP Arp-Age Value in the Running Config File You can set or display the arp-age value using the menu interface (Menu > Switch Configuration > IP Config). ProCurve ===========================- TELNET - MANAGER MODE ======================...

  • Page 83: Using Snmp To Configure Local Usernames And Passwords

    To help prevent unauthorized access to the switch’s local username and password authentication MIB objects, ProCurve recommends enhancing security. If you do not want to use SNMP access to the switch’s local username and password authentication configuration MIB objects, then use the CLI command snmp-server mib hpswitchauthmib excluded to disable this access, as described in the next section.

  • Page 84

    MIB objects in the Excluded MIBs field. For example, to disable SNMP access to the switch’s username and password authentication MIB objects and then display the result in the Excluded MIB field, you would execute the following two...

  • Page 85: How Radius-based Authentication Affects Vlan Operation

    ProCurve(config)# show run
    Running configuration:
    ; J8165A Configuration Editor; Created on release #H.10.32
    hostname "ProCurve"
    snmp-server mib hpSwitchAuthMIB excluded
    ip default-gateway 10.10.24.55
    snmp-server community "public" Operator
    vlan 1
    name "DEFAULT_VLAN"
    untagged 1-50
    ip address 10.10.24.100 255.255.255.0
    exit
    ProCurve(config)#
    Figure 2. Using the show run Command to View the Current Authentication MIB Access State
    How RADIUS-Based Authentication Affects VLAN Operation: Using a RADIUS server to authenticate clients, you can provide port-level security protection from unauthorized network access for the following authentication methods:...

  • Page 86

    VLAN configuration is an untagged member of the VLAN for the duration of the authenticated session. This applies even if the port is also configured in the switch as a tagged member of the same VLAN. The following restrictions apply: •...

  • Page 87

    If the port is not already a member of the RADIUS-assigned (static or dynamic) untagged VLAN, the switch temporarily reassigns the port as an untagged member of the required VLAN (for the duration of the session). At the same time, if the ProCurve port is already configured as an untagged member of a different VLAN, the port loses access to the other VLAN for the duration of the session.

  • Page 88

    Release L.11.08 Enhancements

    Example of Untagged VLAN Assignment in a RADIUS-Based Authentication Session

    The following example shows how an untagged static VLAN is temporarily assigned to a port for use during an 802.1X authentication session. In the example, an 802.1X-aware client on port 2 has been authenticated by a RADIUS server for access to VLAN 22.

  • Page 89

    Figure 4. Active Configuration for VLAN 22 Temporarily Changes for the 802.1X Session

    However, as shown in Figure 4, because VLAN 33 is configured as untagged on port 2 and because a port can be untagged on only one VLAN, port 2 loses access to VLAN 33 for the duration of the 802.1X session on VLAN 22.

  • Page 90

    Enter the no form of this command to disable the use of GVRP-learned VLANs in an authentication session. For information on how to enable a switch to dynamically create 802.1Q-compliant VLANs, refer to the “GVRP” chapter in the Access Security Guide.

  • Page 91: System Location And Contact String Size Increase

    However, if a RADIUS-configured dynamic VLAN used for an authentication session is deleted from the switch through normal GVRP operation (for example, if no GVRP advertisements for the VLAN are received on any switch port), authenticated clients using this VLAN are deauthenticated.

  • Page 92

    ProCurve Switch 5406zl(config)# show system-information
    Status and Counters - General System Information
      System Name        : Blue Switch
      System Contact     : George_Johnson
      System Location    : North-Data-Room
      MAC Age Time (sec) : 300
      Time Zone Daylight Time Rule : None
      Software revision  : K.12.06...

  • Page 93: Show Vlan Ports Cli Command Enhancement

    MENU ProCurve Switch 5406zl
    ===========================- TELNET - MANAGER MODE ===========================
    Switch Configuration - System Information
      System Name     : Blue Switch
      System Contact  : Bill_Smith
      System Location : + characters of the location are missing. It’s too long.
      Inactivity Timeout (min) [0] : 0...

  • Page 94

    Jumbo: Indicates whether a VLAN is configured for Jumbo packets. For more on jumbos, refer to the chapter titled “Port Traffic Controls” in the Management and Configuration Guide for your switch. Mode: Indicates whether a VLAN is tagged or untagged.

  • Page 95

    ProCurve# show vlan ports a1-a33
    Status and Counters - VLAN Information - for ports A1-A33
      VLAN ID  Name              | Status      Voice  Jumbo
      -------  ----------------- + ----------  -----  -----
               DEFAULT_VLAN      | Port-based  No
               VLAN_10           | Port-based  Yes...
               VLAN_20           |
               GVRP_33           |
    ProCurve#

    Figure 1-1. Example of “Show VLAN Ports” Cumulative Listing

  • Page 96

    ProCurve# show vlan ports a1-a4 detailed
    Status and Counters - VLAN Information - for ports A1
    Port name: Voice_Port
      VLAN ID  Name
      -------  ----------------- + ---------- ----- ----- ------
               DEFAULT_VLAN
               VLAN_10
    Status and Counters - VLAN Information - for ports A2
    Port name: Uplink_Port
      VLAN ID  Name...

  • Page 97: Configuring The Privilege-mode Option

    Using the Privilege-Mode Option for Login

    When using TACACS+ to control user access to the switch, you must first log in with your username at the Operator privilege level using the password for Operator privileges, and then log in again with the same username but using the Manager password to obtain Manager privileges.

  • Page 98: Send Snmp V2c Informs

    (Operator or Manager) that was configured on the TACACS+ server for this username/password. The TACACS+ server returns the allowed privilege level to the switch. You are placed directly into Operator or Manager mode, depending on your privilege level.

  • Page 99

    Using community name and destination IP address, this command designates a destination network-management station for receiving SNMP event log messages from the switch. If you do not specify the event level, then the switch does not send event log messages as traps. You can specify up to 10 trap receivers (network management stations).

  • Page 100: Radius Server Unavailable

    ■ Console: Either direct serial-port connection or modem connection.
    ■ Telnet: Inbound Telnet must be enabled (the default).
    ■ SSH: To use RADIUS for SSH access, first configure the switch for SSH operation.

    Unrestricted | Community Events Sent in Trap...

  • Page 101

    ■ Web: Enables RADIUS authentication for web browser interface access to the switch.

    You can configure radius as the primary password authentication method for the above access methods. You also need to select either local, none, or authorized as a secondary, or backup, method.

  • Page 102

    Figure 1 shows an example of the show authentication command displaying authorized as the secondary authentication method for port-access, Web-auth access, and Mac-auth access. Since the configuration of authorized means no authentication will be performed and the client has unconditional access to the network, the “Enable Primary”...

  • Page 103: Concurrent Tacacs+ And Sftp, Mstp Vlan Configuration Enhancement

    multi-colon-uppercase — specifies an AA:BB:CC:DD:EE:FF format. For example, using the multi-colon-uppercase option, the MAC address would appear as follows: AA:BB:CC:DD:EE:FF

    Concurrent TACACS+ and SFTP

    It is now possible to have SFTP/SCP sessions run concurrently with TACACS+ authentication. Because the initial login must be with a username/password that has Manager-level privileges, you must configure TACACS+ single sign-on in order for TACACS+ and SFTP/SCP to coexist.

  • Page 104

    The default behavior of the spanning-tree instance vlan command changes so that, before a static VLAN is configured or a dynamic VLAN is learned on the switch, you can preconfigure its VLAN ID-to-MSTI mapping. Later, when the VLAN is created, it is automatically assigned to the MSTI to which you had previously mapped it.

  • Page 105

    On other ProCurve switches, only the VLANs that are present will be included, that is, only VLANs 1, 5, and 7 would be included. The switch will map these VLANs to MSTP Instance 1, which results in a Configuration Digest that is not the same as the Configuration Digest for the Series 3500/5400/6200 switches running this enhancement.

  • Page 106

    VLANs are included in the instance whether they exist or not. Figure 6 shows an example of an MSTP instance configured on a ProCurve switch other than the Series 3500/5400/6200. Only VLANs 1, 5, and 7 are included in the instance.

  • Page 107: To Save Current Configuration

    The valid VLAN IDs that you can map to a specified MSTI are from 1 to 4094.
    ■ The VLAN ID-to-MSTI mapping does not require a VLAN to be already configured on the switch. The MSTP VLAN enhancement allows you to preconfigure MSTP topologies before the VLAN IDs associated with each instance exist on a switch.

  • Page 108

    Default Boot : Primary

    Figure 9. Show Flash Command after Upgrading the Switch to a New Version of the Software (K.12.51)

    If you want to run the prior software version, K.12.43 in this example, enter this command:

    ProCurve(config)# boot system flash secondary config configK1243.cfg...

  • Page 109: Rebooting And Reloading The Switch

    Syntax: reload

    For example, if you change the number of VLANs the switch supports, you must reboot the switch in order to implement the change. Reload automatically saves your configuration changes and reboots the switch from the same software image you have been using: Scheduled Reload.

  • Page 110

    Similarly, if you create a startup-config file while using a version “Y” of the switch software, and then reboot the switch with an earlier software version “X” that does not include all of the features found in “Y”, the software simply ignores...

  • Page 111: Release L.11.09 Enhancements

    When entering a reload at or reload after command, a prompt will appear to confirm the command before it can be processed by the switch. For the reload at command, if mm/dd/yy are left blank, the current day is assumed.

  • Page 112: Software Fixes In Release L.10.01 - L.11.09, Release L.10.02

    ■ LACP (PR_1000302457) — Although default behavior is LACP disabled on all ports, upon boot, the switch event log reports, "lacp: Passive Dynamic LACP enabled on all ports".
    ■ MSTP Enhancement (PR_1000314692) — Added new commands: “spanning-tree legacy-path-cost”...

  • Page 113: Release L.10.03

    ■ SNMP Link Up Traps and ARP Flush (PR_1000293466) — After issuing the CLI command: "snmp-server host <ip address> public all", generic Link Up traps are not generated. Also, the switch flushes its ARP cache whenever a port comes online, after issuing the command.

  • Page 114: Release L.10.04

    ■ Counters (PR_1000321476) — SNMP counter may display incorrect information.
    ■ Crash (PR_1000322009) — The Switch may crash with a message similar to: Software exception in ISR at queues.c:123.
    ■ Crash (PR_1000323675) — The Switch may crash with a message similar to: ASSERT: Software exception at aaa8021x_proto.c:501 -- in...

  • Page 115: Release L.10.05, Release L.10.06, Release L.10.07

    ■ Authentication (PR_1000343377) — When running the Windows XP 802.1X supplicant and the switch sends a re-authentication, Windows XP prompts the user to re-enter their username and password again.
    ■ Authentication (PR_1000344961) — A port with multiple 802.1X users on it will allow...

  • Page 116: Release L.10.08

    Software Fixes in Release L.10.01 - L.11.09

    Release L.10.08

    ■ Crash (PR_1000339551) — When using the Menu to disable IP routing, the Switch may crash with a message similar to: PPC Bus Error exception vector 0x300: Stack-frame=0x0162e030 HW Addr=0x2e2e2e2d.
    ■ ...

  • Page 117: Release L.10.09, Release L.10.10, Release L.10.11

    ■ Enhancement (PR_1000351445) — The "show tech transceiver" CLI command output now contains the HP part number and revision information for all transceivers on the switch.
    ■ Source Port Filtering (PR_1000352851) — Source Port Filtering on trunks does not work...

  • Page 118: Release L.10.20

    ■ Enhancement (PR_1000336169) — Added support for STP Per Port BPDU Filtering and SNMP Traps.
    ■ Enhancement (PR_1000346164) — When this feature is enabled on a port, the switch will disable (drop link) a port that receives a spanning tree BPDU, log a message, and optionally send an SNMP TRAP.

  • Page 119: Release L.10.23, Release L.10.24

    ■ CLI/Show tech (PR_1000378957) — After a hotswap of chassis modules, the show tech statistics value for the field “linked port on box” may be inaccurate.
    ■ CLI (PR_1000240838) — If an invalid time is entered using clock set command, the switch responds with an “invalid date” error.

  • Page 120: Release L.10.25

    ■ CLI (PR_1000380660) — The show tech transceivers CLI command displays the wrong message when inserting an "A" version transceiver into a switch that only supports "B" version transceivers. Also, "B" version CX4 transceivers show up as "A" and "A" version SR, LR, and ER transceivers show up as "B"...

  • Page 121: Release L.10.26, Release L.10.27, Release L.10.28

    IP address for a valid VLAN, is connected to a port in another VLAN on the switch. This will result in loss of connectivity for the valid client in the appropriate VLAN.

  • Page 122: Release L.11.08

    ■ CLI (PR_1000399532) — The loop-protect is unable to process disable-timer and transmit-interval.
    ■ Enhancement — Support has been added for the ProCurve Switch 4200vl Series single port, 10-GbE module (J8766A).
    ■ Enhancement (PR_1000413764) — Increase the size of the sysLocation and sysContact entries from 48 to 255 characters.

  • Page 123: Release L.11.09

    ■ Config (PR_1000757101) — The configuration containing ip arp-age cannot be copied to the switch using TFTP.
    ■ LLDP (PR_1000759396) — LLDP packets are dropped and the switch does not learn adjacent devices.
    ■ 100-FX (PR_1000764546) — The 100-FX transceiver (J9054B) is not recognized.

  • Page 124

    © 2006 - 2008 Hewlett-Packard Development Company, LP. The information contained herein is subject to change without notice. February 2008 Manual Part Number 5991-4696...
