Contents Accessing the switch Introduction ............................. 8 Additional references ..........................8 Typographical conventions........................9 Management Network..........................9 Connecting through the console port....................10 Connecting through Telnet........................10 Connecting through Secure Shell......................10 Using the command line interfaces ......................10 Configuring an IP interface......................... 11 Using the Browser-based Interface......................
Page 4
802.1x port states..........................41 Supported RADIUS attributes ......................41 EAPoL configuration guidelines ......................42 Port-based traffic control ......................... 42 VLANs Introduction ............................43 Overview.............................. 43 VLANs and port VLAN ID numbers ......................43 VLAN numbers ..........................43 PVID numbers ........................... 43 Viewing and configuring PVIDs......................
Page 5
Overview.............................. 70 Using ACL filters ............................ 71 Summary of packet classifiers ......................71 Summary of ACL actions ........................72 Understanding ACL precedence......................72 Using ACL Groups ..........................74 ACL Metering and Re-marking ......................... 74 Metering ............................74 Re-marking ............................75 Viewing ACL statistics..........................
Page 6
Neighbors and adjacencies ......................109 Link-State Database ......................... 109 Shortest Path First Tree ........................109 Internal versus external routing......................109 OSPF implementation in GbE2c software ....................110 Configurable parameters ......................... 110 Defining areas ..........................110 Interface cost ..........................112 Electing the designated router and backup ..................112 Summarizing routes.........................
Page 7
Other network troubleshooting techniques ....................162 Console and Syslog messages ......................162 Ping .............................. 162 Trace route............................. 163 Statistics and state information ......................163 Customer support tools ........................163 Index Accessing the switch 7...
Accessing the switch Introduction This guide will help you plan, implement, and administer the switch software for the HP GbE2c Ethernet Blade Switch and the HP GbE2c Layer 2/3 Ethernet Blade Switch. Where possible, each section provides feature overviews, usage examples, and configuration instructions.
Typographical conventions The following table describes the typographic styles used in this guide: Table 1 Typographic conventions Typeface or symbol Meaning Example This type depicts onscreen computer output and AaBbCc123 Main# prompts. This type displays in command examples and shows AaBbCc123 Main# sys text that must be typed in exactly as shown.
Connecting through the console port Using a null modem cable, you can directly connect to the switch through the console port. A console connection is required in order to configure Telnet or other remote access applications. For more information on establishing console connectivity to the switch, see the HP GbE2c Ethernet Blade Switch for c-Class BladeSystem User Guide.
Configuring an IP interface An IP interface address must be set on the switch to provide management access to the switch over an IP network. By default, the management interface is set up to request its IP address from a Bootstrap Protocol (BOOTP) server. If you have a BOOTP server on your network, add the Media Access Control (MAC) address of the switch to the BOOTP configuration file located on the BOOTP server.
Statistics—These menus provide access to the switch statistics and state information. Dashboard—These menus display settings and operating status of a variety of switch features. Using Simple Network Management Protocol The switch software provides SNMP v1.0 and SNMP v3.0 support for access through any network management software, such as HP-OpenView.
User configuration Users can be configured to use the authentication/privacy options. The GbE2c supports two authentication algorithms: MD5 and SHA, as specified in the following command: /cfg/sys/ssnmp/snmpv3/usm <x>/auth md5|sha To configure a user with name 'admin,' authentication type MD5, and authentication password of 'admin,' privacy option DES with privacy password of 'admin,' use the following CLI commands: >>...
View based configurations CLI user equivalent To configure an SNMP user equivalent to the CLI 'user,' use the following configuration: /c/sys/ssnmp/snmpv3/usm 4 name "usr" (Configure the user) /c/sys/ssnmp/snmpv3/access 3 name "usrgrp" (Configure access group 3) rview "usr" wview "usr" nview "usr" /c/sys/ssnmp/snmpv3/group 4 (Assign user to access group 3) uname usr...
Configuring SNMP trap hosts SNMPv1 trap host Configure a user with no authentication or password. /c/sys/ssnmp/snmpv3/usm 10 (Configure user named “v1trap”) name "v1trap" Configure an access group and group table entries for the user. Use the following command to specify which traps can be received by the user: /c/sys/ssnmp/snmpv3/access <x>/nview /c/sys/ssnmp/snmpv3/access 10...
SNMPv2 trap host configuration The SNMPv2 trap host configuration is similar to the SNMPv1 trap host configuration. Wherever you specify the model, specify snmpv2 instead of snmpv1. c/sys/ssnmp/snmpv3/usm 10 (Configure user named “v2trap”) name "v2trap" /c/sys/ssnmp/snmpv3/access 10 (Define access group to view SNMPv2 traps) name "v2trap"...
See the HP GbE2c Ethernet Blade Switch for c-Class BladeSystem User Guide for a complete list of supported MIBs. Secure access to the switch Secure switch management is needed for environments that perform significant management functions across the Internet. The following are some of the functions for secured management: Limiting management users to a specific IP address range.
In this example, the management network is set to 192.192.192.0 and management mask is set to 255.255.255.128. This defines the following range of allowed IP addresses: 192.192.192.1 to 192.192.192.127. The following source IP addresses are granted or not granted access to the switch: A host with a source IP address of 192.192.192.21 falls within the defined range and would be allowed to access the switch.
Page 19
Configure the primary RADIUS secret and secondary RADIUS secret. >> RADIUS Server# secret Enter new RADIUS secret: <1-32 character secret> >> RADIUS Server# secret2 Enter new RADIUS second secret: <1-32 character secret> CAUTION: If you configure the RADIUS secret using any method other than a direct console connection, the secret may be transmitted over the network as clear text.
CAUTION: If you configure the RADIUS secret using any method other than a direct console connection, the secret may be transmitted over the network as clear text. Click Submit. Apply, verify, and save the configuration. RADIUS authentication features The switch supports the following RADIUS authentication features: Supports RADIUS client on the switch, based on the protocol definitions in RFC 2138 and RFC 2866.
User accounts for RADIUS users The user accounts listed in the following table can be defined in the RADIUS server dictionary file. Table 2 User access levels User account Description and tasks performed User User interaction with the switch is completely passive; nothing can be changed on the switch. Users may display information that has no security or privacy implications, such as switch statistics and current operational state information.
TACACS+ offers full packet encryption whereas RADIUS offers password-only encryption in authentication requests. TACACS+ separates authentication, authorization, and accounting. How TACACS+ authentication works TACACS+ works much in the same way as RADIUS authentication. Remote administrator connects to the switch and provides user name and password. NOTE: The user name and password can have a maximum length of 128 characters.
Accounting Accounting is the action of recording a user’s activities on the device for the purposes of billing and/or security. It follows the authentication and authorization actions. If the authentication and authorization is not performed via TACACS+, no TACACS+ accounting messages are sent out. You can use TACACS+ to record and track software logins, configuration changes, and interactive commands.
Configure custom privilege-level mapping (optional). >> TACACS+ Server# usermap 2 Current privilege mapping for remote privilege 2: not set Enter new local privilege mapping: user >> TACACS+ Server# usermap 3 user >> TACACS+ Server# usermap 4 user >> TACACS+ Server# usermap 5 oper Apply and save the configuration.
Configure custom privilege-level mapping (optional). Click Submit to accept each mapping change. Apply, verify, and save the configuration. Secure Shell and Secure Copy Secure Shell (SSH) and Secure Copy (SCP) use secure tunnels to encrypt and secure messages between a remote administrator and the switch.
Page 26
Configuring SSH and SCP features (CLI example) Before you can use SSH commands, use the following commands to turn on SSH and SCP. Enabling or disabling SSH To enable the SSH feature, connect to the switch CLI and enter the following commands: >>...
Using SSH and SCP client commands The following shows the format for using some client commands. The examples below use 205.178.15.157 as the IP address of a sample switch. Logging in to the switch Enter the following command to log in to the switch: ssh <user>@<switch IP address>...
SSH and SCP encryption of management messages The following encryption and authentication methods are supported for SSH and SCP: Server Host Authentication—Client RSA authenticates the switch at the beginning of every connection Key Exchange—RSA Encryption—AES256-CBC, AES192-CBC, 3DES-CBC, 3DES, ARCFOUR User Authentication—Local password authentication, RADIUS, TACACS+ Generating RSA host and server keys for SSH access To support the SSH server feature, two sets of RSA keys (host and server keys) are required.
User access control The switch allows an administrator to define end user accounts that permit end users to perform limited actions on the switch. Once end user accounts are configured and enabled, the switch requires username/password authentication. For example, an administrator can assign a user who can log into the switch and perform operational commands (effective only until the next switch reboot).
Ports and trunking Introduction The first part of this chapter describes the different types of ports used on the switch. This information is useful in understanding other applications described in this guide, from the context of the embedded switch/server environment. For specific information on how to configure ports for speed, auto-negotiation, and duplex modes, see the port commands in the HP GbE2c Ethernet Blade Switch for c-Class BladeSystem Command Reference Guide.
Port trunk groups When using port trunk groups between two switches, you can create an aggregate link operating at up to five Gigabits per second, depending on how many physical ports are combined. The switch supports up to 12 trunk groups per switch, each with up to six ports per trunk group.
You cannot configure a trunk member as a monitor port in a Port Mirroring configuration. A monitor port cannot monitor trunks; however, trunk members can be monitored. Port trunking example In this example, the Gigabit uplink ports on each switch, and the crosslink ports are configured into a total of five trunk groups: two on each switch, and one trunk group at the crosslink between the two switches.
Configuring trunk groups (CLI example) On Switch 1, configure trunk groups 5 and 3: >> # /cfg/l2/trunk 5 (Select trunk group 5) >> Trunk group 5# add 23 (Add port 23 to trunk group 5) >> Trunk group 5# add 24 (Add port 24 to trunk group 5) >>...
Configuring trunk groups (BBI example) Configure trunk groups. Click the Configure context button on the Toolbar. Open the Layer 2 folder, and select Trunk Groups. Click a Trunk Group number to select it. Ports and trunking 34...
Page 35
Enable the Trunk Group. To add ports, select each port in the Ports Available list, and click Add Click Submit. Apply, verify, and save the configuration. Examine the trunking information on each switch. Click the Dashboard context button on the Toolbar. Ports and trunking 35...
Select Trunk Groups. Information about each configured trunk group is displayed. Make sure that trunk groups consist of the expected ports and that each port is in the expected state. Configurable Trunk Hash algorithm This feature allows you to configure the particular parameters for the GbE2c Trunk Hash algorithm instead of having to utilize the defaults.
Link Aggregation Control Protocol Link Aggregation Control Protocol (LACP) is an IEEE 802.3ad standard for grouping several physical ports into one logical port (known as a dynamic trunk group or Link Aggregation group) with any device that supports the standard. Refer to the IEEE 802.3ad-2002 for a full description of the standard.
Configuring LACP Use the following procedure to configure LACP for port 20 and port 21 to participate in link aggregation. Set the LACP mode on port 20. >> # /cfg/l2/lacp/port 20 (Select port 20) >> LACP port 20# mode active (Set port 20 to LACP active mode) Define the admin key on port 20.
Port-based Network Access and traffic control Port-based Network Access control Port-based Network Access control provides a means of authenticating and authorizing devices attached to a LAN port that has point-to-point connection characteristics. It prevents access to ports that fail authentication and authorization.
The following figure shows a typical message exchange initiated by the client. Figure 2 Using EAPoL to authenticate a port EAPoL Message Exchange During authentication, EAPOL messages are exchanged between the client and the switch authenticator, while RADIUS-EAP messages are exchanged between the switch authenticator and the Radius authentication server. Authentication is initiated by one of the following methods: Switch authenticator sends an EAP-Request/Identity packet to the client.
802.1x port states The state of the port determines whether the client is granted access to the network, as follows: Unauthorized—While in this state, the port discards all ingress and egress traffic except EAP packets. Authorized—When the client is authenticated successfully, the port transitions to the authorized state allowing all traffic to and from the client to flow normally.
EAPoL configuration guidelines When configuring EAPoL, consider the following guidelines: The 802.1x port-based authentication is currently supported only in point-to-point configurations, that is, with a single supplicant connected to an 802.1x-enabled switch port. When 802.1x is enabled, a port has to be in the authorized state before any other Layer 2 feature can be operationally enabled.
VLANs Introduction This chapter describes network design and topology considerations for using Virtual Local Area Networks (VLANs). VLANs are commonly used to split up groups of network users into manageable broadcast domains, to create logical segmentation of workgroups, and to enforce security policies among logical segments. The following topics are discussed in this chapter: VLANs and Port VLAN ID Numbers VLAN Tagging...
Viewing and configuring PVIDs You can view PVIDs from the following CLI commands: Port information >> /info/port Port Tag RMON PVID NAME VLAN(s) ---- --- ---- ---- -------------- ------------------------------- 1 Downlink1 1 Downlink2 1 Downlink3 1 Downlink4 1 Downlink5 1 Downlink6 1 Downlink7 Port configuration >>...
Page 45
Figure 3 Default VLAN settings NOTE: The port numbers specified in these illustrations may not directly correspond to the physical port configuration of your switch model. When you configure VLANs, you configure the switch ports as tagged or untagged members of specific VLANs. See the following figures.
Page 46
Figure 5 802.1Q tagging (after port-based VLAN assignment) In the following figure, the tagged incoming packet is assigned directly to VLAN 2 because of the tag assignment in the packet. Port 5 is configured as a tagged member of VLAN 2, and port 7 is configured as an untagged member of VLAN 2.
VLANs and IP interfaces Carefully consider how you create VLANs within the switch, so that communication with the switch remains possible. In order to access the switch for remote configuration, trap messages, and other management functions, be sure that at least one IP interface on the switch has a VLAN defined. You can also inadvertently cut off access to management functions if you exclude the ports from the VLAN membership.
Page 48
Figure 8 Multiple VLANs with VLAN tagging The features of this VLAN are described in the following table: Table 10 Multiple VLANs with tagging Component Description Switch 1 Switch 1 is configured for VLANS 1, 2, and 3. Port 1 is tagged to accept traffic from VLANs 1 and 2.
Table 10 Multiple VLANs with tagging Component Description PC #3 This PC is a member of VLAN 1 and VLAN 2. Via VLAN 1, it can communicate with Server 1 and PC 5. Via VLAN 2, it can communicate with Server 1, PC 1, and PC 5. PC #4 This PC is a member of VLAN 3, and it can communicate with Server 1, Server 2, and PC 1.
Page 50
Configure the VLANs and their member ports. Since all ports are by default configured for VLAN 1, configure only those ports that belong to VLAN 2. Crosslink ports 17 and 18 must belong to VLANs 1 and 2. >> /cfg/l2/vlan 2 >>...
Page 51
Configure the VLANs and their member ports. Since all ports are by default configured for VLAN 1, configure only those ports that belong to other VLANs. >> /cfg/l2/vlan 3 >> VLAN 3# add 2 Current ports for VLAN 3: empty Pending new ports for VLAN 3: 2 >>...
Page 52
Click a port number to select it. Enable the port and enable VLAN tagging. Click Submit. VLANs 52...
Page 53
Configure the VLANs and their member ports. Open the Virtual LANs folder, and select Add VLAN. Enter the VLAN name, VLAN ID number, and enable the VLAN. To add ports, select each port in the Ports Available list and click Add. Since all ports are configured for VLAN 1 by default, configure only those ports that belong to VLAN 2.
The external Layer 2 switches should also be configured for VLANs and tagging. Apply, verify, and save the configuration. FDB static entries Static entries in the Forwarding Database (FDB) allow the switch to forward packets without flooding ports to perform a lookup.
Spanning Tree Protocol Introduction When multiple paths exist on a network, Spanning Tree Protocol (STP) configures the network so that a switch uses only the most efficient path. The following topics are discussed in this chapter: Overview Bridge Protocol Data Units (BPDUs) Spanning Tree Group (STG) configuration guidelines Multiple Spanning Trees Overview...
Port path cost The port path cost assigns lower values to high-bandwidth ports, such as Gigabit Ethernet, to encourage their use. The objective is to use the fastest links so that the route with the lowest cost is chosen. A value of 0 indicates that port cost is computed dynamically based on link speed.
Adding and removing ports from STGs Information on adding and removing ports from STGs is as follows: By default, all ports belong to VLAN 1 and STG 1. Each port is always a member of at least one VLAN. Each VLAN is always a member of at least one STG. Port membership within VLANs can be changed, and VLAN membership within STGs can be changed.
Figure 9 Two VLANs on one instance of Spanning Tree Protocol In the following figure, VLAN 1 and VLAN 2 belong to different Spanning Tree Groups. The two instances of spanning tree separate the topology without forming a loop, so that both VLANs can forward packets between the switches without losing connectivity.
Page 59
Configuring Switch 1 (CLI example) Configure port and VLAN membership on Switch 1 as described in the “Configuring ports and VLANs on Switch 1 (CLI example)” section, in the “VLANs” chapter of this guide. Add VLAN 2 to Spanning Tree Group 2. >>...
Enter the Spanning Tree Group number and set the Switch Spanning Tree State to on. To add a VLAN to the Spanning Tree Group, select the VLAN in the VLANs Available list, and click Add. VLAN 2 is automatically removed from Spanning Tree Group 1. Scroll down, and click Submit.
Configuring Port Fast Forwarding Use the following CLI commands to enable Port Fast Forwarding on an external port. >> # /cfg/l2/stp 1/port 20 (Select port 20) >> Spanning Tree Port 20# fastfwd ena (Enable Port Fast Forwarding) >> Spanning Tree Port 20# apply (Make your changes active) >>...
RSTP and MSTP Introduction Rapid Spanning Tree Protocol (IEEE 802.1w) enhances the Spanning Tree Protocol (IEEE 802.1d) to provide rapid convergence on Spanning Tree Group 1. Multiple Spanning Tree Protocol (IEEE 802.1s) extends the Rapid Spanning Tree Protocol to provide both rapid convergence and load balancing in a VLAN environment. The following topics are discussed in this chapter: Rapid Spanning Tree Protocol (RSTP) Multiple Spanning Tree Protocol (MSTP)
Link type The link type determines how the port behaves in regard to Rapid Spanning Tree. The link type corresponds to the duplex mode of the port. A full-duplex link is point-to-point (p2p), while a half-duplex link should be configured as shared.
Page 64
Select RSTP mode, and set the MSTP/RSTP state to ON. Click Submit. Apply, verify, and save the configuration. RSTP and MSTP 64...
Multiple Spanning Tree Protocol IEEE 802.1s Multiple Spanning Tree extends the IEEE 802.1w Rapid Spanning Tree Protocol through multiple Spanning Tree Groups. MSTP maintains up to 128 spanning-tree instances that correspond to STP Groups 1-128. In Multiple Spanning Tree Protocol (MSTP), several VLANs can be mapped to each Spanning-Tree instance. Each Spanning-Tree instance is independent of other instances.
Page 66
Assign VLANs to Spanning Tree Groups. >> /cfg/l2/stp 2 (Select Spanning Tree Group 2) >> Spanning Tree Group 2# add 2 (Add VLAN 2) >> Spanning Tree Group 2# apply (Apply the configurations) Configuring Multiple Spanning Tree Protocol (BBI example) Configure port and VLAN membership on the switch, as described in the “Configuring ports and VLANs (BBI example)”...
Page 67
Configure Common Internal Spanning Trees (CIST) bridge parameters. Open the MSTP/RSTP folder, and select CIST-Bridge. Enter the Bridge Priority, Maximum Age, and Forward Delay values. Click Submit. RSTP and MSTP 67...
Page 68
Configure Common Internal Spanning Tree (CIST) port parameters. Open the MSTP/RSTP folder, and select CIST-Ports. Click a port number to select it. RSTP and MSTP 68...
Page 69
Enter the Port Priority, Path Cost, and select the Link Type. Set the CIST Port State to ON. Click Submit. Apply, verify, and save the configuration. RSTP and MSTP 69...
Quality of Service Introduction Quality of Service features allow you to allocate network resources to mission-critical applications at the expense of applications that are less sensitive to such factors as time delays or network congestion. You can configure your network to prioritize specific types of traffic, ensuring that each type receives the appropriate Quality of Service (QoS) level.
Queue and schedule traffic: Place packets in one of two COS queues Schedule transmission based on the COS queue weight Using ACL filters Access Control Lists are filters that allow you to classify and segment traffic, so you can provide different levels of service to different traffic types.
Table 15 Well-known application ports Number TCP/UDP Number TCP/UDP Number TCP/UDP Application Application Application tftp snmp 1985 gopher snmptrap Table 16 Well-krown TCP flag values Flag Value 0x0020 0x0010 0x0008 0x0004 0x0002 0x0001 Packet Format Ethernet format (eth2, SNAP, LLC) Ethernet tagging format Egress port packets Note that the egress port ACL will not match a broadcast, multicast, unknown unicast, or Layer 3 packet.
Page 73
Table 17 ACI Precedence Groups Precedence Group ACLs Packet Classifiers Precedence Level Precedence Group 2 ACL 128 – ACL 254 Source MAC address Destination MAC address Ethernet type VLAN ID 802.1p Packet format Precedence Group 3 ACL 255 – ACL 381 Source IP Address Destination IP Address IP protocol...
Using ACL Groups Access Control Lists (ACLs) allow you to classify packets according to a particular content in the packet header, such as the source address, destination address, source port number, destination port number, and others. Packet classifiers identify flows for more processing. You can define a traffic profile by compiling a number of ACLs into an ACL Group, and assigning the ACL Group to a port.
Using meters, you set a Committed Rate in Kb/s (1024 bits per second in each Kb/s). All traffic within this Committed Rate is In-Profile. Additionally, you set a Maximum Burst Size that specifies an allowed data burst larger than the Committed Rate for a brief period.
In this example, all traffic that ingresses on port 20 with source IP from the class 100.10.1.0/24 and destination IP 200.20.1.116 is denied. Example 3: Use this configuration to block traffic from a source that is destined for a specific egress port. >>...
Page 77
Configure the ACL parameters. Set the Filter Action to Deny, the Ethernet Type to IPv4, and the Destination IP Address to 100.10.1.116. Click Submit. Quality of Service 77...
Page 78
Apply, verify, and save the configuration. Add ACL 1 to port 1. Click the Configure context button on the Toolbar. Select Switch Ports (click the underlined text, not the folder). Select a port. Quality of Service 78...
Page 79
Add the ACL to the port. Click Submit. Apply, verify, and save the configuration. Quality of Service 79...
Using DSCP values to provide QoS The six most significant bits in the TOS byte of the IP header are defined as DiffServ Code Points (DSCP). Packets are marked with a certain value depending on the type of treatment the packet must receive in the network device. DSCP is a measure of the Quality of Service (QoS) level of the packet.
Table 19 Class selector priority classes Priority Class Selector DSCP Lowest QoS levels The following table shows the default service levels provided by the GbE2c, listed from highest to lowest importance: Table 20 Default QoS service levels Service Level Default PHB 802.1p Priority Critical Network Control...
Use the /cfg/qos/8021p/cur command to display the mapping between 802.1p values, Class of Service queues (COSq), and COSq scheduling weights. >> 802.1p# cur Current priority to COS queue configuration: Number of COSq: 2 Priority COSq Weight -------- ---- ------ 802.1p configuration (CLI example) Configure a port’s default 802.1 priority.
802.1p configuration (BBI example) Configure a port’s default 802.1p priority. Click the Configure context button on the Toolbar. Select Switch Ports (click the underlined text, not the folder). Select a port. Quality of Service 83...
Page 84
Set the 802.1p priority value. Click Submit. Map the 802.1p priority value to a COS queue. Click the Configure context button on the Toolbar. Open the 802.1p folder, and select Priority - CoS. Quality of Service 84...
Page 85
Select an 802.1p priority value. Select a Class of Service queue (CoSQ) to correlate with the 802.1p priority value. Click Submit. Set the COS queue scheduling weight. Click the Configure context button on the Toolbar. Open the 802.1p folder, and select CoS - Weight. Quality of Service 85...
Select a Class of Service queue (CoS). Enter a value for the weight of the Class of Service queue. Click Submit. Apply, verify, and save the configuration. Queuing and scheduling The GbE2c has two output Class of Service queues (COSq) per port (0-1), into which each packet is placed. Each packet’s 802.1p priority determines its COSq, except when an ACL action sets the COSq of the packet.
Basic IP routing This chapter provides configuration background and examples for using the GbE2c Layer 2/3 Ethernet Blade Switch to perform IP routing functions. The following topics are addressed in this chapter: IP Routing Benefits Routing Between IP Subnets Example of Subnet Routing Defining IP Address Ranges for the Local Route Cache Dynamic Host Configuration Protocol NOTE:...
Page 88
Figure 14 Router legacy network In this example, a corporate campus has migrated from a router-centric topology to a faster, more powerful, switch- based topology. As is often the case, the legacy of network growth and redesign has left the system with a mix of illogically distributed subnets.
Take a closer look at the GbE2c in the following configuration example: Figure 15 Switch-based routing topology The GbE2c connects the Gigabit Ethernet and Fast Ethernet trunks from various switched subnets throughout one building. Common servers are placed on another subnet attached to the switch. Primary and backup routers are attached to the switch on yet another subnet.
Page 90
Assign an IP interface for each subnet attached to the switch. Since there are four IP subnets connected to the switch, four IP interfaces are needed Table 022 Subnet routing example: IP interface assignments Interface Devices IP Interface Address IF 1 Primary and Secondary Default Routers 205.21.17.3 IF 2...
Using VLANs to segregate broadcast domains In the previous example, devices that share a common IP network are all in the same broadcast domain. If you want to limit the broadcasts on your network, you could use VLANs to create distinct broadcast domains. For example, as shown in the following procedure, you could create one VLAN for the client trunks, one for the routers, and one for the servers.
Add each IP interface to the appropriate VLAN. Now that the ports are separated into three VLANs, the IP interface for each subnet must be placed in the appropriate VLAN. The settings are made as follows: >> VLAN 3# /cfg/l3/if 1 (Select IP interface 1 for def.
switch. The servers respond as a UDP Unicast message back to the switch, with the default gateway and IP address for the client. The destination IP address in the server response represents the interface address on the switch that received the client request. This interface address tells the switch on which VLAN to send the server response to the client.
Routing Information Protocol In a routed environment, routers communicate with one another to keep track of available routes. Routers can learn about available routes dynamically, using the Routing Information Protocol (RIP). GbE2c software supports RIP version 1 (RIPv1) and RIP version 2 (RIPv2) for exchanging TCP/IP route information with other routers. NOTE: RIP is available only on the GbE2c Layer 2/3 Ethernet Blade Switch.
RIPv2 in RIPv1 compatibility mode GbE2c software allows you to configure RIPv2 in RIPv1compatibility mode, for using both RIPv2 and RIPv1 routers within a network. In this mode, the regular routing updates use broadcast UDP data packet to allow RIPv1 routers to receive those packets.
RIP configuration example NOTE: An interface RIP disabled uses all the default values of the RIP, no matter how the RIP parameters are configured for that interface. RIP sends out RIP regular updates to include an Up interface, but not a Down interface.
IGMP Snooping Introduction IGMP Snooping allows the switch to forward multicast traffic only to those ports that request it. IGMP Snooping prevents multicast traffic from being flooded to all data ports. The switch learns which server hosts are interested in receiving multicast traffic, and forwards it only to ports connected to those servers.
IGMP Filtering With IGMP Filtering, you can allow or deny a port to send and receive multicast traffic to certain multicast groups. Unauthorized users are restricted from streaming multicast traffic across the network. If access to a multicast group is denied, IGMP Membership Reports from the port for that group are dropped, and the port is not allowed to receive IP multicast traffic from that group.
Page 99
View dynamic IGMP information. >> /info/l3/igmp (Select IGMP Information menu) >> IGMP Multicast# dump (Show IGMP Group information) >> Switch-A - IGMP Multicast# dump Group VLAN Version Port ----------- ------ --------- ------------- 238.1.0.0 238.1.0.1 >> IGMP Multicast# mrouter (Select MRouter Information menu) >>...
Page 100
Assign the IGMP Filter to a port. >> //cfg/l3/igmp/igmpflt (Select IGMP Filtering menu) >>IGMP Filter# port 24 (Select port 24) >>IGMP Port 24# filt ena (Enable IGMP Filtering on the port) Current port 24 filtering: disabled New port 24 filtering: enabled >>IGMP Port 24# add 1 (Add IGMP Filter 1 to the port) >>IGMP Port 24# apply...
Page 101
Enable IGMP Snooping. Click Submit. Apply, verify, and save the configuration. IGMP Snooping 101...
Page 102
Configuring IGMP Filtering (BBI example) Configure IGMP Snooping. Enable IGMP Filtering. Click the Configure context button. Open the IGMP folder, and select IGMP Filters (click the underlined text, not the folder). Enable IGMP Filtering globally. Click Submit. IGMP Snooping 102...
Page 103
Define the IGMP Filter. Select Layer 3 > IGMP > IGMP Filters > Add Filter. Enable the IGMP Filter. Assign the range of IP multicast addresses and the filter action (allow or deny). Click Submit. IGMP Snooping 103...
Page 104
Assign the filter to a port and enable IGMP Filtering on the port. Select Layer 3 > IGMP > IGMP Filters > Switch Ports. Select a port from the list. IGMP Snooping 104...
Page 105
Enable IGMP Filtering on the port. Select a filter in the IGMP Filters Available list, and click Add. Click Submit. Apply, verify, and save the configuration. Configuring a Static Multicast Router (BBI example) Configure Static Mrouter. Click the Configure context button. Open the Switch folder and select IP Menu >...
Page 106
Apply, verify, and save the configuration. IGMP Snooping 106...
OSPF GbE2c software supports the Open Shortest Path First (OSPF) routing protocol. The GbE2c implementation conforms to the OSPF version 2 specifications detailed in Internet RFC 1583. The following sections discuss OSPF support for the GbE2c Ethernet Blade Switch: OSPF Overview: This section provides information on OSPF concepts, such as types of OSPF areas, types of routing devices, neighbors, adjacencies, link state database, authentication, and internal versus external routing.
Figure 17 OSPF area types Types of OSPF routing devices As shown in the figure, OSPF uses the following types of routing devices: Internal Router (IR)—a router that has all of its interfaces within the same area. IRs maintain LSDBs identical to those of other routing devices within the local area.
Neighbors and adjacencies In areas with two or more routing devices, neighbors and adjacencies are formed. Neighbors are routing devices that maintain information about each others’ health. To establish neighbor relationships, routing devices periodically send hello packets on each of their interfaces. All routing devices that share a common network segment, appear in the same area, and have the same health parameters (hello and dead intervals) and authentication parameters respond to each other’s hello packets and become neighbors.
OSPF implementation in GbE2c software The GbE2c Ethernet Blade Switch supports a single instance of OSPF and up to 4 K routes on the network. The follow- ing sections describe OSPF implementation in GbE2c software: Configurable Parameters Defining Areas Interface Cost Electing the Designated Router and Backup Summarizing Routes Default Routes...
Assigning the area index The aindex <area index> option is actually just an arbitrary index (0-2) used only by the switch. This index does not necessarily represent the OSPF area number, though for configuration simplicity, it should where possible. For example, both of the following sets of commands define OSPF area 0 (the backbone) and area 1 because that information is held in the area ID portion of the command.
Interface cost The OSPF link-state algorithm (Dijkstra’s algorithm) places each routing device at the root of a tree and determines the cumulative cost required to reach each destination. Usually, the cost is inversely proportional to the bandwidth of the interface. Low cost indicates high bandwidth. You can manually enter the cost for the output route with the following command: >>...
Figure 19 Injecting default routes In more complex OSPF areas with multiple ABRs or ASBRs (such as area 0 and area 2 in the figure), there are multiple routes leading from the area. In such areas, traffic for unrecognized destinations cannot tell which route leads upstream without further configuration.
Router ID Routing devices in OSPF areas are identified by a router ID. The router ID is expressed in IP address format. The IP address of the router ID is not required to be included in any IP interface range or in any OSPF area. The router ID can be configured in one of the following two ways: Dynamically—OSPF protocol configures the lowest IP interface IP address as the router ID.
Enable OSPF authentication for Area 2 on switch 4. >> # /cfg/l3/ospf/aindex 2/auth password Configure a simple text password up to eight characters for the virtual link between Area 2 and Area 0 on switches 2 and 4. >> # /cfg/l3/ospf/virt 1/key packard Use the following commands to configure MD5 authentication on the switches shown in the figure: Enable OSPF MD5 authentication for Area 0 on switches 1, 2, and 3 >>...
OSPF features not supported in this release The following OSPF features are not supported in this release: Summarizing external routes Filtering OSPF routes Using OSPF to forward multicast routes Configuring OSPF on non-broadcast multi-access networks (such as frame relay, X.25, and ATM) OSPF configuration examples A summary of the basic steps for configuring OSPF on the GbE2c is listed here.
Page 117
Define the backbone. The backbone is always configured as a transit area using areaid 0.0.0.0 >> Open Shortest Path First # aindex 0(Select menu for area index 0) >> OSPF Area (index) 0 # areaid 0.0.0.0(Set the ID for backbone area 0) >>...
Page 118
Configure an IP interface. Enter the IP address, subnet mask, and enable the interface. Click Submit. Apply, verify, and save the configuration. OSPF 118...
Page 119
Enable OSPF. Open the OSPF Routing Protocol folder, and select General. Enable OSPF. Click Submit. OSPF 119...
Page 120
Configure OSPF Areas. Open the OSPF Areas folder, and select Add OSPF Area. Configure the OSPF backbone area 0. Click Submit. OSPF 120...
Page 121
Select Add OSPF Area. Configure the OSPF area 1. Click Submit. OSPF 121...
Page 122
Configure OSPF Interfaces. Open the OSPF Interfaces folder, and select Add OSPF Interface. OSPF 122...
Page 123
Configure the OSPF Interface 1, and attach it to the backbone area 0. Click Submit. Select Add OSPF Interface. OSPF 123...
Configure the OSPF Interface 2, and attach it to the stub area 1. Click Submit. Apply, verify, and save the configuration. Example 2: Virtual links In the example shown in the following figure, area 2 is not physically connected to the backbone as is usually required.
Page 125
In this example, two IP interfaces are needed on Switch A: one for the backbone network on 10.10.7.0/24 and one for the transit area network on 10.10.12.0/24. >> # /cfg/l3/if 1 (Select menu for IP interface 1) >> IP Interface 1 # addr 10.10.7.1 (Set IP address on backbone network) >>...
Configuring OSPF for a virtual link on Switch B Configure IP interfaces on each network that will be attached to OSPF areas. Two IP interfaces are needed on Switch B: one for the transit area network on 10.10.12.0/24 and one for the stub area network on 10.10.24.0/24.
Configure the virtual link. The nbr router ID configured in this step must be the same as the router ID that was configured for Switch A in step 2. >> OSPF Interface 2 # ../virt 1 (Specify a virtual link number) >>...
Define the backbone. >> Open Shortest Path First # aindex 0 (Select menu for area index 0) >> OSPF Area (index) 0 # areaid 0.0.0.0(Set the ID for backbone area 0) >> OSPF Area (index) 0 # type transit (Define backbone as transit type) >>...
Remote monitoring Introduction Remote Monitoring (RMON) allows network devices to exchange network monitoring data. RMON performs the following major functions: Gathers cumulative statistics for Ethernet interfaces Tracks a history of statistics for Ethernet interfaces Creates and triggers alarms for user-defined events Overview The RMON MIB provides an interface between the RMON agent on the switch and an RMON management application.
Page 130
View RMON statistics for the port. >> /stats/port 23 (Select Port 23 Stats) >> Port Statistics# rmon ------------------------------------------------------------------ RMON statistics for port 23: etherStatsDropEvents: etherStatsOctets: 7305626 etherStatsPkts: 48686 etherStatsBroadcastPkts: 4380 etherStatsMulticastPkts: 6612 etherStatsCRCAlignErrors: etherStatsUndersizePkts: etherStatsOversizePkts: etherStatsFragments: etherStatsJabbers: etherStatsCollisions: etherStatsPkts64Octets: 27445 etherStatsPkts65to127Octets: 12253 etherStatsPkts128to255Octets:...
Page 131
Select a port. Enable RMON on the port. Click Submit. Remote monitoring 131...
Apply, verify, and save the configuration. RMON group 2—history The RMON History group allows you to sample and archive Ethernet statistics for a specific interface during a specific time interval. NOTE: RMON port statistics must be enabled for the port before an RMON history group can monitor the port. Data is stored in buckets, which store data gathered during discreet sampling intervals.
Page 133
Configure RMON History (BBI example) Configure an RMON History group. Click the Configure context button. Open the Switch folder, and select RMON > History > Add History Group. Configure RMON History Group parameters. Click Submit. Apply, verify, and save the configuration. Remote monitoring 133...
RMON group 3—alarms The RMON Alarm group allows you to define a set of thresholds used to determine network performance. When a configured threshold is crossed, an alarm is generated. For example, you can configure the switch to issue an alarm if more than 1,000 CRC errors occur during a 10-minute time interval.
Page 136
Configure RMON Alarm Group parameters to check ifInOctets on port 20 once every hour. Enter a rising limit of two billion, and a rising event index of 6. This configuration creates an RMON alarm that checks ifInOctets on port 20 once every hour. If the statistic exceeds two billion, an alarm is generated that triggers event index 6.
Page 137
Configure RMON Alarms (BBI example 2) Configure an RMON Alarm group. Click the Configure context button. Open the Switch folder, and select RMON > Alarm > Add Alarm Group. Configure RMON Alarm Group parameters to check icmpInEchos, with a polling interval of 60, a rising limit of 200, and a rising event index of 5.
Apply, verify, and save the configuration. RMON group 9—events The RMON Event group allows you to define events that are triggered by alarms. An event can be a log message, an SNMP trap message, or both. When an alarm is generated, it triggers a corresponding event notification. Use the /cfg/rmon/alarm x/revtidx and /fevtidx commands to correlate an event index to an alarm.
Page 139
Configuring RMON Events (BBI example 1) Configure an RMON Event group. Click the Configure context button. Open the Switch folder, and select RMON > Event > Add Event Group. Configure RMON Event Group parameters. This configuration creates an RMON event that sends a SYSLOG message each time it is triggered by an alarm.
High availability Introduction Switches support high availability network topologies. This release provides information about Uplink Failure Detection and Virtual Router Redundancy Protocol (VRRP). VRRP is available only on the GbE2c Layer 2/3 Ethernet Blade Switch. Uplink Failure Detection Uplink Failure Detection (UFD) is designed to support Network Adapter Teaming on HP server blades. For details about Network Adapter Teaming on HP ProLiant server blades, see the white paper at the following location: http://h18004.www1.hp.com/products/servers/networking/whitepapers.html.
Failure Detection Pair To use UFD, you must configure a Failure Detection Pair and then turn UFD on. A Failure Detection Pair consists of the following groups of ports: Link to Monitor (LtM) The Link to Monitor group consists of one uplink port (20-24), or one trunk group that contains only uplink ports. The switch monitors the LtM for link failure.
Configuring Uplink Failure Detection The preceding figure shows a basic UFD configuration. Port 21 on Blade Switch 1 is connected to a Layer 2/3 routing switch outside of the chassis. Port 20 and port 22 on Blade Switch 2 form a trunk that is connected to a different Layer 2/3 routing switch.
Page 143
Configuring Uplink Failure Detection (BBI example) Configure Uplink Failure Detection. Click the Configure context button. Open the Switch folder, and select Uplink Failure Detection (click the underlined text, not the folder). Turn Uplink Failure Detection on, and then select FDP. High availability 143...
Page 144
Enable the FDP. Select ports in the LtM Ports Available list, and click Add to place the ports into the Link to Monitor (LtM). Select ports in the LtD Ports Available list, and click Add to place the ports into the Link to Disable (LtD).
VRRP overview In a high-availability network topology, no device can create a single point-of-failure for the network or force a single point-of-failure to any other part of the network. This means that your network will remain in service despite the failure of any single device.
VRRP operation Only the virtual router master responds to ARP requests. Therefore, the upstream routers only forward packets destined to the master. The master also responds to ICMP ping requests. The backup does not forward any traffic, nor does it respond to ARP requests. If the master is not available, the backup becomes the master and takes over responsibility for packet forwarding and responding to ARP requests.
Active-Active redundancy In an active-active configuration, shown in the following figure, two switches provide redundancy for each other, with both active at the same time. Each switch processes traffic on a different subnet. When a failure occurs, the remaining switch can process traffic on all subnets. The following figure shows an Active-Active configuration example.
Assigning VRRP virtual router ID During the software upgrade process, VRRP virtual router IDs are assigned automatically if failover is enabled on the switch. When configuring virtual routers at any point after upgrade, virtual router ID numbers (/cfg/l3/vrrp/vr #/vrid) must be assigned. The virtual router ID may be configured as any number between 1 and 255.
Page 149
a higher priority. Traffic is forwarded to Switch B, which forwards it to Switch A through the crosslink (ports 17-18). Return traffic uses default gateway 2 (192.168.2.1), and is forwarded through the Layer 2 switch at the bottom of the drawing.
Page 150
Enable tracking on ports. Set the priority of Virtual Router 1 to 101, so that it becomes the Master. /cfg/l3/vrrp/vr 1 (Select VRRP virtual router 1) >> VRRP Virtual Router 1# track/ports/ena (Set tracking on ports) >> VRRP Virtual Router 1 Priority Tracking# .. >>...
Page 151
>> VRRP Virtual Router 2# track/ports/ena (Set tracking on ports) >> VRRP Virtual Router 2 Priority Tracking# .. >> VRRP Virtual Router 2# prio 101 (Set the VRRP priority) Turn off Spanning Tree Protocol globally. Apply and save changes. /cfg/l2/stg 1/off (Turn off STG) >>...
Page 152
Configure port 20 as a member of VLAN 10 and port 21 as a member of VLAN 20. Enable each VLAN. Click Submit. Configure the following client and server interfaces: IF 1 IP address = 192.168.1.100 Subnet mask = 255.255.255.0 VLAN 10 IF 2 IP address = 10.10.12.1...
Page 153
Configure an IP interface. Enter the IP address, subnet mask, and VLAN membership. Enable the interface. Click Submit. Configure the default gateways. Each default gateway points to one of the Layer 2 routers. Open the Default Gateways folder, and select Add Default Gateway. High availability 153...
Page 154
Configure the IP address for each default gateway. Enable the default gateways. Click Submit. Turn on VRRP and configure two Virtual Interface routers. Open the Virtual Router Redundancy Protocol folder, and select General. High availability 154...
Page 155
Enable VRRP processing. Click Submit. Open the Virtual Routers folder, and select Add Virtual Router. High availability 155...
Page 156
Configure the IP address for Virtual Router 1 (VR1). Enable tracking on ports, and set the priority to 101. Enable The Virtual Router. Click Submit. Select Add Virtual Router. High availability 156...
Page 157
Configure the IP address for Virtual Router 2 (VR2). Enable tracking on ports, but set the priority to 100 (default value). Enable The Virtual Router. Click Submit. Turn off Spanning Tree globally. Open the Spanning Tree Groups folder, and select Add Spanning Tree Group. High availability 157...
Page 158
Enter Spanning Tree Group ID 1 and set the Switch Spanning Tree State to off. Click Submit. Apply, verify, and save the configuration. High availability 158...
Troubleshooting tools Introduction This appendix discusses some tools to help you use the Port Mirroring feature to troubleshoot common network problems on the switch. Port Mirroring The Port Mirroring feature on the switch is very useful for troubleshooting any connection-oriented problem. Any traffic in or out of one or more ports can be mirrored to a single monitoring port to which a network monitor can be attached.
Configuring Port Mirroring (CLI example) To configure Port Mirroring for the example shown in the preceding figure: Specify the monitoring port. >> # /cfg/pmirr/monport 20 (Select port 20 for monitoring) Select the ports that you want to mirror. >> Port 20 # add 23 (Select port 23 to mirror) >>...
Configuring Port Mirroring (BBI example) Configure Port Mirroring. Click the Configure context button. Open the Switch folder, and select Port-Based Port Mirroring (click the underlined text, not the folder). Click a port number to select a monitoring port. Click Add Mirrored Port. Troubleshooting tools 161...
Enter a port number for the mirrored port, and select the Port Mirror Direction. Click Submit. Apply, verify, and save the configuration. Verify the Port Mirroring information on the switch. Other network troubleshooting techniques Other network troubleshooting techniques include the following. Console and Syslog messages When a switch experiences a problem, review the console and Syslog messages.
Trace route To identify the route used for station-to-station connectivity across the network, execute the following command: traceroute <host name> | <IP address> [<max-hops> [ msec delay ]] The IP address is the hostname or IP address of the target station. Max-hops (optional) is the maximum distance to trace (1-16 devices).
Page 164
Index Fast Uplink Convergence, 61 meter, 74 fault tolerance, port trunking, 31 mirroring ports, 159 FDB static entries, 54 monitoring ports, 159 frame tagging, 44 MSTP, 62 802.1x port states, 41 multi-links between switches, using port trunking, 30 multiple spanning tree groups, 57 default gateway, 89 accessing the switch: defining source IP addresses, 17;...
Need help?
Do you have a question about the GbE2c - Blc Layer 2/3 Fiber SFP Option and is the answer not in the manual?
Questions and answers