HP ProCurve Series 3400cl Release Notes

Release Notes: Version M.10.72 Software
for the HP ProCurve Series 3400cl Switches

"M" software versions are supported on these switches. The release-notes table groups the versions into four ranges (M.08.51 through M.08.95; M.08.99.x; M.08.96, M.08.97, and newer; M.10.01 and newer) and marks which of the following models each range supports:
ProCurve Switch 3400cl-24G (J4905A)
ProCurve Switch 3400cl-48G (J4906A)
ProCurve Switch 6400cl-6XG 10-GbE CX4 (J8433A)
ProCurve Switch 6410cl-6XG 10-GbE X2 (J8474A)
Release M.10.41 supports the ProCurve Switch 3400cl-24G (J4905A) and 3400cl-48G (J4906A).

These release notes include information on the following:
Downloading switch software and documentation from the Web (page 1)
Clarification of operating details for certain software features (page 20)
A listing of software enhancements in recent releases (page 25)
A listing of software fixes included in releases M.08.51 through M.10.72 (page 145)

IMPORTANT:
3400cl switches MUST be running ROM version I.08.12 prior to loading M.10.20 or newer software. If your switch is using a software version earlier than M.10.10, you need to install and boot the M.10.10 software (included in the M.10.41 software package) to load the I.08.12 ROM version, before installing M.10.20 or newer.

Security Note:
Downloading and booting software release M.08.89 or greater for the first time automatically enables SNMP access to the hpSwitchAuth MIB objects. If this is not desirable for your network, ProCurve recommends that you disable it after downloading and rebooting with the latest switch software. For more information, refer to "Enforcing Switch Security" on page 10 and "Using SNMP To View and Configure Switch Authentication Features" on page 35.

Configuration Compatibility Caution:
Configuration files created or saved using version M.10.65 or higher are NOT backward-compatible with previous software versions. The user is advised to save a copy of the pre-M.10.65 startup-config file BEFORE UPDATING to M.10.68 or greater, in case there is ever a need to revert back to an earlier version of software.
Summary of Contents for HP ProCurve Series 3400cl

  • Page 1 Release Notes: Version M.10.72 Software for the HP ProCurve Series 3400cl Switches. "M" software versions are supported on these switches (table columns: M.08.51 through M.08.95; M.08.99.x; M.08.96, M.08.97, and newer; M.10.01 and newer; rows: ProCurve Switch 3400cl-24G (J4905A) ✔ ...
  • Page 2 May, 2009 consequential damages in connection with the furnishing, performance, or use of this material. The only warranties for HP products and services are set forth in the express warranty statements accompanying Applicable Product such products and services. Nothing herein should be...
  • Page 3: Table Of Contents

    Contents: Software Management (page 1); Software Updates ...
  • Page 4 Connection-Rate Filtering Based On Virus-Throttling Technology (page 19); Identity-Driven Management (IDM) (page 19); Clarifications and Updates ...
  • Page 5 QoS Pass-Through Mode (page 39); Release M.08.94 Enhancements ...
  • Page 6 Release M.10.26 Enhancements (page 97); Release M.10.27 Enhancements ...
  • Page 7 Release M.10.65 Enhancements (page 136); MSTP VLAN Configuration Enhancement ...
  • Page 8 Release M.08.76 (page 152); Release M.08.77 ...
  • Page 9 Release M.10.10 (page 161); Release M.10.11 ...
  • Page 10 Release M.10.42 (page 174); Release M.10.43 ...
  • Page 11: Software Management

    Software Management: Software Updates. Check the ProCurve Networking Web site frequently for free software updates for the various ProCurve switches you may have in your network. Download Switch Documentation and Software from the Web: You can download software updates and the corresponding product documentation from the ProCurve Networking Web site as described below.
  • Page 12: Downloading Software To The Switch

    Software Management: Downloading Software to the Switch. Note: Downloading new software does not change the current switch configuration. The switch configuration is contained in a separate file that can also be transferred, for example, for archive purposes or to be used in another switch of the same model.
  • Page 13: Tftp Download From A Server

    Software Management: Downloading Software to the Switch. TFTP Download from a Server. Syntax: copy tftp flash <ip-address> <remote-os-file> [ < primary | secondary > ]. Note that if you do not specify the flash destination, the TFTP download defaults to the primary flash. For example, to download a software file named M_08_8x.swi from a TFTP server with the IP address of 10.28.227.103, execute the copy command as shown below: ...
  • Page 14 ... (step 1), use the same command to return it to its previous setting. (HP recommends a baud rate of 9600 bits per second for most applications.) Remember to return your terminal emulator to the same baud rate as the switch. Reboot the switch.
  • Page 15: Saving Configurations While Using The Cli

    Software Management: Saving Configurations While Using the CLI. The switch operates with two configuration files: ■ Running-Config File: Exists in volatile memory and controls switch operation. Rebooting the switch erases the current running-config file and replaces it with an exact copy of the current startup-config file.
  • Page 16: Install Recommendations For I.08.12 Boot Rom Update

    Software Management: Install Recommendations for I.08.12 Boot ROM Update. When installing the M.10.17 software to load the I.08.12 ROM version, ProCurve recommends that you use the "fastboot" feature and the "reload" command after updating to M.10.17, as shown below.
    ProCurve3400cl# config
    ProCurve3400cl(config)# fastboot
    ProCurve3400cl(config)# copy tftp flash <ip address of tftp server> ...
  • Page 17: Procurve Switch, Routing Switch, And Router Software Keys

    Software Management: ProCurve Switch, Routing Switch, and Router Software Keys. (Table: Software Letter / ProCurve Networking Products.) 1600M, 2400M, 2424M, 4000M, and 8000M; Switch 8100fl Series (8108fl and 8116fl); Switch 5300xl Series (5304xl, 5308xl, 5348xl, and 5372xl); Switch 2500 Series (2512 and 2524), Switch 2312, and Switch 2324; Switch 4100gl Series (4104gl, 4108gl, and 4148gl); Switch 2600 Series, Switch 2600-PWR Series: H.07.81 and earlier, or H.08.55 and greater, ...
  • Page 18 Software Management: ProCurve Switch, Routing Switch, and Router Software Keys (continued). Software letter "numeric": Switch 9408sl, Switch 9300 Series (9304M, 9308M, and 9315M), Switch 6208M-SX and Switch 6308M-SX (uses software version number only; no alphabetic prefix. For example 07.6.04.)
  • Page 19: Minimum Software Versions For Series 3400Cl Switch Features

    Software Management: Minimum Software Versions for Series 3400cl Switch Features. To view a tabular listing of major switch software features and the minimum software version each feature requires: Visit the ProCurve Networking Web site at www.procurve.com. Click on Software updates.
  • Page 20: Enforcing Switch Security

    Enforcing Switch Security: Switch Management Access Security. ProCurve switches are designed as "plug and play" devices, allowing quick and easy installation in your network. However, when preparing the switch for network operation, ProCurve strongly recommends that you enforce a security policy to help ensure that the ease in getting started is not used by unauthorized persons as an opportunity for access and possible malicious actions.
  • Page 21: Local Manager Password

    Enforcing Switch Security: Switch Management Access Security. It is important to evaluate the level of management access vulnerability existing in your network and take steps to ensure that all reasonable security precautions are in place. This includes both configurable security options and physical access to the switch hardware. Local Manager Password: In the default configuration, there is no password protection.
  • Page 22: Snmp Access (Simple Network Management Protocol)

    An SNMP networked device management application such as ProCurve Manager Plus (PCM+) or HP OpenView can access the switch's management information base (MIB) for read access to the switch's status and read/write access to the switch's configuration. In earlier software versions, SNMP access to the switch's authentication configuration (hpSwitchAuth) MIB was not allowed.
  • Page 23: Physical Access To The Switch

    Enforcing Switch Security: Switch Management Access Security. Caution: Downloading and booting from the M.08.89 or greater software version for the first time enables SNMP access to the authentication configuration MIB (the default action). If SNMPv3 and other security safeguards are not in place, the switch's authentication configuration MIB is exposed to unprotected SNMP access and you should use the above command to disable this access.
  • Page 24: Other Provisions For Management Access Security

    Enforcing Switch Security: Switch Management Access Security. For the commands to implement the above actions, refer to "Front-Panel Security" in the chapter titled "Configuring Usernames and Passwords" in the Access Security Guide for your switch. Other Provisions for Management Access Security: Authorized IP Managers.
  • Page 25: Network Access Security

    Enforcing Switch Security: Network Access Security. This section outlines provisions for protecting access through the switch to the network. For more detailed information on these features, refer to the indicated manuals. Access Control Lists (ACLs): ACLs enable the switch to permit or deny the following: ■ ...
  • Page 26: Secure Shell (Ssh)

    Enforcing Switch Security: Network Access Security. Secure Shell (SSH): SSH provides Telnet-like functions through encrypted, authenticated transactions of the following types: ■ client public-key authentication: uses one or more public keys (from clients) that must be stored on the switch. Only a client with a private key that matches a stored public key can gain access to the switch.
  • Page 27: 802.1X Access Control

    Enforcing Switch Security: Network Access Security. (Table of filter support by switch model; columns: Source-Port Filters, Protocol Filters, Multicast Filters; rows: Series 6400cl, Series 5400zl, Series 5300xl, Series 4200vl, Series 3500yl, Series 3400cl, Series 2800, Series 2600. The per-model marks are not reproduced here.) ■ source-port filters: Inbound traffic from a designated, physical source-port will be forwarded or dropped on a per-port (destination) basis.
  • Page 28: Port Security, Mac Lockdown, Mac Lockout, And Ip Lockdown

    Enforcing Switch Security: Network Access Security. (Table "Access Control Types"; columns: 6200yl, 5400zl, 3500yl, 5300xl, 3400cl, 2800, 4100gl, 4200vl, 6400cl, 2600, 2600-pwr; rows: client-based access control (up to 32 authenticated clients per port), port-based access control (one authenticated client opens the port), switch operation as a supplicant. The per-model marks are not reproduced here.) * On the 5300xl switches, this feature is available with software release E.09.02 and greater.
  • Page 29: Connection-Rate Filtering Based On Virus-Throttling Technology

    Enforcing Switch Security: Network Access Security. ... keys.) KMS provides specific instances of routing protocols with one or more Send or Accept keys that must be active at the time of a request. Refer to the chapter titled "Key Management System" in the Access Security Guide for your switch model.
  • Page 30: Clarifications And Updates

    Clarifications and Updates: Operating Notes for Jumbo Traffic-Handling. In the Management and Configuration Guide (Oct., 2005 version) on page 14-33 (page 347 of the .pdf file) where it states: When a port is not a member of any jumbo-enabled VLAN, it drops all jumbo traffic. If the port is receiving "excessive" ...
  • Page 31: Igmp Command Update

    ■ Can operate in IGMPv2 Querier mode on VLANs with an IP address. IGMP is supported in the HP MIB, rather than the standard IGMP MIBs, as the latter reduce Group Membership detail in switched environments. Using Delayed Group Flush. This feature continues to filter IGMP groups for a specified additional period of time after IGMP leaves have been sent.
  • Page 32: General Switch Traffic Security Guideline

    Clarifications and Updates: General Switch Traffic Security Guideline. Setting Fast-Leave and Forced Fast-Leave from the CLI. In earlier switch models, including the 5300xl switches, fast-leave and forced fast-leave options for a port were configured with a lengthy setmib command. The following commands now allow a port to be configured for fast-leave or forced fast-leave operation with a conventional CLI command instead of the setmib command.
  • Page 33: The Management Vlan Ip Address

    For more information on rate-limiting operation, refer to “Operating Notes for Rate-Limiting” in the chapter titled “Port Traffic Controls ” of the Management and Configuration Guide for your ProCurve Series 3400cl switch. (To download switch documentation, refer to...
  • Page 34: Known Issues

    Known Issues: Release M.10.17. The following is a known issue related to installation of Release M.10.17 software, which includes a required update to ROM version I.08.12. When there is an active 10-GbE link in port 26 of the ProCurve 3400cl-24G switch, or port 50 of the ProCurve 3400cl-48G switch, there may be a problem with that link initializing following a software update into the required M.10.17 software version.
  • Page 35: Enhancements

    Source Port Filter user interface, described in Chapter 9. “Traffic/Security Filters” in the Access Security Guide for the switch. Information on these features is included in the current documentation for the switch, available on the web at: http://www.hp.com/rnd/support/manuals/. Release M.08.70 through M.08.72 Enhancements Software fixes only; no new enhancements.
  • Page 36: Release M.08.78 Enhancements

    Enhancements: Release M.08.78 Enhancements. Using Fastboot To Reduce Boot Time. The fastboot command allows a boot sequence that skips the internal power-on self-tests, resulting in a faster boot time. Syntax: [no] fastboot. Used in the global configuration mode to enable the fastboot option.
  • Page 37: Release M.08.80 Through M.08.83 Enhancements

    Enhancements: Release M.08.80 through M.08.83 Enhancements. The following shows a sample output from this new command (columns: Port, Mode, then KBits/s, Pkts/s, Util for each direction):
    ProCurve# show interface port-utilization
    Port  Mode    KBits/s Pkts/s Util  KBits/s Pkts/s Util
    ----  ------  ------- ------ ----  ------- ------ ----
    ...   100FDx  ...
  • Page 38: Release M.08.84 Enhancements

    Enhancements: Release M.08.84 Enhancements. Release M.08.84 includes the following enhancement: Added the show tech transceivers command to allow removable transceiver serial numbers to be read without removal of the transceivers from the switch. Release M.08.85 through M.08.88 Enhancements: Software fixes only; ...
  • Page 39 Enhancements Release M.08.89 Enhancements IP address of 10.10.100.27 is assigned a host name of accounts015 and another IP address of 10.10.100.33 is assigned a host name of sales021, then the switch configured with the domain suffix evergreen.trees.org and a DNS server that resolves addresses in that domain can use the host names to reach the devices with ping and traceroute commands: ping accounts015 traceroute sales021...
  • Page 40 Enhancements Release M.08.89 Enhancements The host’s domain must be reachable from the switch. This requires that the DNS server for ■ the switch must be able to communicate with the DNS server(s) in the path to the domain in which the target host operates. The fully qualified domain name must be used, and the domain suffix must correspond to ■...
  • Page 41 Enhancements Release M.08.89 Enhancements Configuring a DNS Entry The switch allows one DNS server entry, which includes the DNS server IP address and the chosen domain name suffix. Configuring the entry enables the use of ping and traceroute with a target’s host name instead of the target’s IP address.
  • Page 42 Enhancements Release M.08.89 Enhancements. Figure 5. Example Network Domain: Switch "A" (10.28.192.1), configured with DNS resolver, connects through Router "B" (10.28.192.2 / 10.28.229.1) to the document server docservr (10.28.229.219) and to the DNS server for pubs.outdoors.com (10.28.229.10). Host name for IP address 10.28.229.219 = "docservr"; Domain: pubs.outdoors.com. Configuring switch "A" with the domain name and the IP address of a DNS server for the domain enables the switch to use host names assigned to IP addresses in the domain to perform ping and traceroute actions on the devices in the domain.
  • Page 43 Enhancements Release M.08.89 Enhancements
    ProCurve# ping docservr
    10.28.229.219 is alive, time = 1 ms
    ProCurve# traceroute docservr
    traceroute to 10.28.229.219
    1 hop min, 30 hops max, 5 sec. timeout, 3 probes
    1 10.28.192.2 1 ms 0 ms 0 ms      (First-Hop Router "B")
    2 10.28.229.219 0 ms ...
  • Page 44 Enhancements Release M.08.89 Enhancements. show ip command output, showing the DNS resolver configuration in the switch:
    ProCurve# show ip
    Internet (IP) Service
    IP Routing : Disabled
    Default Gateway : 10.28.192.2
    Default TTL : 64
    Arp Age : 20
    Domain Suffix : pubs.outdoors.com
    DNS server : 10.28.229.10
    VLAN | IP Config IP Address ...
  • Page 45: Using Snmp To View And Configure Switch Authentication Features

    Enhancements: Release M.08.89 Enhancements. Event Log Messages (Message / Meaning): "DNS server address not configured" / The switch does not have an IP address configured for the DNS server. "DNS server not responding" / The DNS server failed to respond or is unreachable. An incorrect server IP address can produce this result.
  • Page 46 Enhancements Release M.08.89 Enhancements. Security Notes: Passwords and keys configured in the hpSwitchAuth MIB are not returned via SNMP, and the response to SNMP queries for such information is a null string. However, SNMP sets can be used to configure password and key MIB objects.
  • Page 47 Enhancements Release M.08.89 Enhancements. For example, to disable SNMP access to the switch's authentication MIB and then display the result in the Excluded MIB field, you would execute the following two commands.
    ProCurve(config)# snmp-server mib hpswitchauthmib excluded    (this command disables SNMP security MIB access)
    ProCurve(config)# show snmp-server
    SNMP Communities ...
  • Page 48: Releases M.08.90 And M.08.91 Enhancements

    Enhancements: Releases M.08.90 and M.08.91 Enhancements.
    ProCurve(config)# show run
    Running configuration:
    ; J4905A Configuration Editor; Created on release #M.10.05
    hostname "ProCurve"
    snmp-server mib hpSwitchAuthMIB excluded    (indicates that SNMP access to the authentication configuration MIB (hpSwitchAuth) is disabled)
    ip default-gateway 10.10.24.55
    snmp-server community "public" Operator
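    The Security Note and the two CLI examples above describe a condition worth checking mechanically across a fleet: a switch that booted M.08.89 or later, still has the hpSwitchAuth MIB SNMP-accessible, and carries a community with write access. The following is an added example (not code from the release notes or from HP) that audits the text of "show running-config" for exactly that. The sample configuration is constructed for the example; the community-access interpretation (anything not explicitly Restricted is counted as writable) is the example's conservative assumption, not a statement of the switch defaults.

```python
"""Audit ProCurve running-config text for hpSwitchAuth MIB exposure over SNMP.

Added example, not code from the release notes. It reads the text of
"show running-config" and reports the condition the Security Note warns
about: software M.08.89 or newer, the authentication MIB not excluded,
and at least one SNMP community that can write.
"""
import re
from typing import List, NamedTuple, Optional

# Constructed sample of "show running-config" output (not captured from a
# real switch). Only the lines this audit inspects are included.
SAMPLE_CONFIG = """\
Running configuration:

; J4905A Configuration Editor; Created on release #M.10.72

hostname "ProCurve"
ip default-gateway 10.10.24.55
snmp-server community "public" Operator
snmp-server community "netops" Manager Unrestricted
snmp-server community "readonly" Operator Restricted
"""

RELEASE_RE = re.compile(r"Created on release #([A-Z])\.(\d+)\.(\d+)")
COMMUNITY_RE = re.compile(
    r'^snmp-server community "(?P<name>[^"]+)"'
    r'(?:\s+(?P<view>Operator|Manager))?'
    r'(?:\s+(?P<access>Restricted|Unrestricted))?\s*$',
    re.MULTILINE | re.IGNORECASE,
)
EXCLUDED_RE = re.compile(r"^snmp-server mib hpswitchauthmib excluded\s*$",
                         re.MULTILINE | re.IGNORECASE)


class Community(NamedTuple):
    name: str
    view: str      # Operator / Manager, or "default" when not printed
    access: str    # Restricted / Unrestricted, or "default" when not printed


class AuthMibAudit(NamedTuple):
    release: Optional[str]
    auth_mib_enabled_by_default: bool
    auth_mib_excluded: bool
    writable_communities: List[str]
    exposed: bool


def parse_release(config: str) -> Optional[tuple]:
    """Return (letter, major, minor) from the config header, or None."""
    m = RELEASE_RE.search(config)
    if not m:
        return None
    return (m.group(1), int(m.group(2)), int(m.group(3)))


def enables_auth_mib_by_default(release: Optional[tuple]) -> bool:
    """True for M.08.89 and newer, the releases that expose hpSwitchAuth
    on first boot. Other software letters are outside the notes' scope."""
    if release is None or release[0] != "M":
        return False
    return release[1:] >= (8, 89)


def parse_communities(config: str) -> List[Community]:
    out = []
    for m in COMMUNITY_RE.finditer(config):
        out.append(Community(m.group("name"),
                             m.group("view") or "default",
                             m.group("access") or "default"))
    return out


def audit(config: str) -> AuthMibAudit:
    release = parse_release(config)
    excluded = bool(EXCLUDED_RE.search(config))
    # Assumption of this example: a community is treated as writable unless
    # it is explicitly Restricted. Communities printed without an access
    # keyword are counted as writable, the conservative choice; confirm the
    # default on the switch itself.
    writable = [c.name for c in parse_communities(config)
                if c.access.lower() != "restricted"]
    by_default = enables_auth_mib_by_default(release)
    exposed = by_default and not excluded and bool(writable)
    rel_str = None if release is None else "%s.%02d.%02d" % release
    return AuthMibAudit(rel_str, by_default, excluded, writable, exposed)


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    print(result)
    if result.exposed:
        print("remediate: snmp-server mib hpswitchauthmib excluded")
```

    Run against a saved "show running-config" capture per switch; a result with exposed set is the case where the release notes say to issue snmp-server mib hpswitchauthmib excluded (or to restrict SNMP to SNMPv3). Adding that line to the sample turns the finding off.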
  • Page 49: Qos Pass-Through Mode

    Enhancements: Releases M.08.90 and M.08.91 Enhancements. The "legacy-path-cost" CLI command does not affect or replace functionality of the "spanning-tree force-version" command. The "spanning-tree force-version" controls whether MSTP will send and process 802.1w RSTP, or 802.1D STP BPDUs. Regardless of what the "legacy-path-cost" parameter is set to, MSTP will interoperate with legacy STP bridges (send/receive Config and TCN BPDUs).
  • Page 50 Enhancements Releases M.08.90 and M.08.91 Enhancements. Note: Changing the QoS Pass-Through Mode can be done without rebooting the switch. However, the switch ports are toggled down and back up, allowing the QoS queues to be reconfigured. This may affect routing and spanning tree operation. ProCurve Networking recommends that QoS queues be reconfigured during periods of non-peak traffic.
  • Page 51 Enhancements Releases M.08.90 and M.08.91 Enhancements QoS Pass-Through Mode SNMP MIB Object. A read-write MIB object, 1.3.6.1.4.1.11.2.14.11.5.1.7.1.24.1, has been added to the ProCurve switch MIB. The QoS Pass-Through Mode can be changed using either an SNMP network management application or the CLI setmib command.
  • Page 52: Release M.08.94 Enhancements

    Enhancements: Release M.08.94 Enhancements. The current QoS Pass-Through Mode also is displayed in the show running-config command output. Operating Notes: ■ To use the same QoS queue structure used in pre-M.08.78 software, set the QoS Pass-Through Mode to balanced. ■ The optimized mode matches the QoS Pass-through mode on the ProCurve Series 2800 ...
  • Page 53 Enhancements Release M.08.94 Enhancements Syntax: dhcp-relay option 82 < append | replace | drop > [ validate ] [ ip | mac | mgmt-vlan ] [ ip | mac | mgmt-vlan ] : Specifies the remote ID suboption the routing switch will use in Option 82 fields added or appended to DHCP client packets.
  • Page 54: Udp Broadcast Forwarding

    Enhancements: Release M.08.94 Enhancements. Table 3. DHCP Operation for the Topology in Figure (columns: Client, Remote ID, giaddr*, DHCP Server; values partly extracted: 10.38.10.1, 10.39.10.1, "A only"). If a DHCP client is in the Management VLAN, then its DHCP requests can go only to a DHCP server that is also in the Management VLAN. Routing to other VLANs is not allowed.
  • Page 55: Releases M.08.95 Through M.10.01 Enhancements

    Enhancements: Releases M.08.95 through M.10.01 Enhancements. Software fixes only; no new enhancements. Release M.08.96 Enhancements: ■ Enabled use of login "Message of the Day" (MOTD) banner. For details on using this feature, refer to "Custom Login Banners for the Console and Web Browser Interfaces" in Chapter 2 of the Management and Configuration Guide for 3400cl and 6400cl switches.
  • Page 56 Enhancements Release M.10.02 Enhancements. ■ An ACL must be configured on the RADIUS server (instead of the switch) by creating and assigning one or more Access Control Entries to the username/password pair or MAC address of the client for which you want ACL support. ■ Where 802.1X is used for client authentication, then either the client device must be running ...
  • Page 57 Enhancements Release M.10.02 Enhancements. Table 4. Contrasting Dynamic and Static ACLs. RADIUS-Based (Dynamic) ACLs: operate on the 3400cl switches; configured in client accounts on a RADIUS server; designed for use on the edge of the network where filtering of inbound traffic is most important and where ... Port-Based (Static) ACLs: operate on both the 3400cl and 6400cl switches; configured in the switch itself; designed for general use where the filtering needs ...
  • Page 58 Enhancements Release M.10.02 Enhancements Terminology ACE: See Access Control Entry, below. Access Control Entry (ACE): An ACE is a policy consisting of a packet-handling action and criteria to define the packets on which to apply the action. For RADIUS-based ACLs, the elements composing the ACE include: •...
  • Page 59 Enhancements Release M.10.02 Enhancements packet (from the authenticated client) that is not explicitly permitted or denied by other ACEs configured sequentially earlier in the ACL. Unless otherwise noted, “implicit deny IP any” refers to the “deny” action enforced by both standard and extended ACLs. Inbound Traffic: For the purpose of defining where the switch applies ACLs to filter traffic, inbound traffic is any IP packet that enters the switch from a given client on a given port.
  • Page 60 Enhancements Release M.10.02 Enhancements the client MAC address is the selection criteria, only the client having that MAC address can use the corresponding ACL. When a RADIUS server authenticates a client, it also assigns the ACL configured with that client’s credentials to the port. The ACL then filters the client’s inbound IP traffic and denies (drops) any such traffic from the client that is not explicitly permitted by the ACL.
  • Page 61 Enhancements Release M.10.02 Enhancements. Example. Suppose the ACL in Figure 3 is assigned to filter the traffic from an authenticated client on a given port in the switch. Figure 3 begins: Permit in ip from any to 18.28.136.24; Permit in ip from any to 18.28.156.7; ... For an inbound packet with a destination IP address of 18.28.156.3, the ACL: 1. ...
  • Page 62 Enhancements Release M.10.02 Enhancements. (Figure: ACE evaluation flow. Test the packet against the criteria in the first ACE; is there a match? If so, perform the action.) 1. If a match is not found with the first ACE in an ACL, the switch proceeds to the next ACE and so on. 2. If a match with an explicit ACE is subsequently found, ...
  • Page 63 Enhancements Release M.10.02 Enhancements For example, suppose you want to configure a RADIUS-based ACL to invoke these policies in the 11.11.11.0 network: Permit inbound client traffic with a DA of 11.11.11.42. Permit inbound Telnet traffic for DA 11.11.11.101. Deny inbound Telnet traffic for all other IP addresses in the 11.11.11.0 network. Permit inbound HTTP traffic for any IP address in the 11.11.11.0 network.
  • Page 64 Enhancements Release M.10.02 Enhancements General Steps These steps suggest a process for using ACLs to establish client access policies. The topics following this section provide details. Determine the polices you want to enforce for client traffic inbound on the switch. Plan ACLs to execute traffic policies: •...
  • Page 65 Enhancements Release M.10.02 Enhancements Is it important to keep track of the number of matches for a particular client or ACE? If so, ■ you can use the optional cnt (counter) feature in ACEs where you want to know this information.
  • Page 66 Enhancements Release M.10.02 Enhancements Explicitly Denying Any IP Traffic: Entering a deny in ip from any to any ACE in an ACL ■ denies all IP traffic not previously permitted or denied by that ACL. Any ACEs listed after that point have no effect. Implicitly Denying Any IP Traffic: For any packet being filtered by an ACL, there will ■...
  • Page 67 Enhancements Release M.10.02 Enhancements Limits for RADIUS-Based ACLs, Associated ACEs, and Counters Table 5 describes limits the switch supports in ACLs applied by a RADIUS server. Exceeding a limit causes the related client authentication to fail. Table 5. Limits Affecting RADIUS-Based ACL Applications Item Limit Notes Maximum Number of...
  • Page 68 (username/password and MAC address). For information on how to configure this functionality on other RADIUS server types, refer to the documentation provided with the server. Enter the HP vendor-specific ID and the ACL VSA in the FreeRADIUS dictionary file:...
  • Page 69 Enhancements Release M.10.02 Enhancements. Figure 6. Example of Configuring the VSA for RADIUS-Based ACLs in a FreeRADIUS Server:
    VENDOR ProCurve [HP Vendor-Specific ID]
    BEGIN-VENDOR ProCurve
    ATTRIBUTE HP-IP-FILTER-RAW 61 STRING    (attribute for RADIUS-based ACLs)
    END-VENDOR ProCurve
    Enter the switch IP address, NAS (Network Attached Server) type, and the key in the FreeRADIUS clients.conf file.
  • Page 70 Example user entry (client's username and password, as used for 802.1X or Web authentication, followed by the ACL):
    mobile011 Auth-Type := Local, User-Password == run101112
        HP-IP-FILTER-RAW = "permit in tcp from any to 10.10.10.101",
        HP-IP-FILTER-RAW += "deny in tcp from any to any",
        HP-IP-FILTER-RAW += "permit in ip from any to any" ...
  • Page 71 Enhancements Release M.10.02 Enhancements. The following syntax and operating information refers to ACLs configured in a RADIUS server. ACE Syntax: < permit | deny > in < ip | ip-protocol-value > from any to < < ip-addr > [/< mask >] | any > [ tcp/udp-ports ] [ cnt ] ...
  • Page 72 Enhancements Release M.10.02 Enhancements. [ cnt ]: Optional counter specifier for a RADIUS-based ACL. When used in an ACL, the counter increments each time there is a "match" with a permit or deny ACE. (Refer to the entry describing the maximum number of (optional) internal counters in the table on page 57.) Counter values appear in the RADIUS accounting log for the client if RADIUS network accounting is configured on the switch.
  • Page 73 Enhancements Release M.10.02 Enhancements. Configure an authentication method. Options include 802.1X, Web authentication, and MAC authentication. (You can configure 802.1X and either Web or MAC authentication to operate simultaneously on the same ports.) 802.1X Option: Syntax: aaa port-access authenticator < port-list >; aaa authentication port-access chap-radius; aaa port-access authenticator active. These commands configure 802.1X port-based access control on the switch and activate ...
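    The pages above define the ACE syntax, the first-match evaluation order, the implicit "deny in ip any", the optional cnt counters, and the limits (80 characters per ACE, 32 counters per ACL) that cause client authentication to fail. The following is an added example, not switch or HP code, that implements those rules as a small evaluator so the policy from the 11.11.11.0 example (permit DA 11.11.11.42, permit Telnet to 11.11.11.101, deny Telnet elsewhere in the network, permit HTTP to the network) can be checked against constructed packets before it is entered into a RADIUS user profile. Two details are this example's assumptions: the mask is written as a prefix length (e.g. /24) and the tcp/udp-ports field is a single port number.

```python
"""Evaluate RADIUS-based ACLs the way the release notes describe them.

Added example, not switch code. ACEs use the documented form
  <permit|deny> in <ip|protocol> from any to <ip-addr[/mask]|any> [port] [cnt]
Packets are tested against ACEs in order, the first match decides, and a
packet that matches nothing is dropped by the implicit "deny in ip any".
The single trailing port number and the "/prefix-length" mask form are
this example's assumptions about the tcp/udp-ports and mask fields.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_ACE_CHARS = 80         # per-ACE limit stated in the release notes
MAX_COUNTERS_PER_ACL = 32  # optional "cnt" counters per ACL, from the notes
PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}


@dataclass
class Ace:
    action: str                            # "permit" or "deny"
    proto: Optional[int]                   # None means any IP protocol
    dst: Optional[ipaddress.IPv4Network]   # None means "any"
    port: Optional[int]                    # destination port, TCP/UDP only
    count: bool                            # "cnt" present
    text: str


@dataclass
class Packet:
    dst: str
    proto: int
    dport: Optional[int] = None


def parse_ace(text: str) -> Ace:
    """Parse one ACE string; raises ValueError on the limits the notes list."""
    if len(text) > MAX_ACE_CHARS:
        raise ValueError("ACE exceeds %d characters: %r" % (MAX_ACE_CHARS, text))
    tokens = text.split()
    if (len(tokens) < 7 or tokens[1] != "in" or tokens[3:5] != ["from", "any"]
            or tokens[5] != "to"):
        raise ValueError("malformed ACE: %r" % text)
    action = tokens[0].lower()
    if action not in ("permit", "deny"):
        raise ValueError("bad action in ACE: %r" % text)
    proto_tok = tokens[2].lower()
    proto = PROTO_NUMBERS[proto_tok] if proto_tok in PROTO_NUMBERS else int(proto_tok)
    dst_tok = tokens[6]
    if dst_tok == "any":
        dst = None
    else:
        # A bare address is a /32 host; "/n" is this example's mask form.
        dst = ipaddress.ip_network(dst_tok if "/" in dst_tok else dst_tok + "/32",
                                   strict=False)
    rest = tokens[7:]
    count = False
    if rest and rest[-1] == "cnt":
        count = True
        rest = rest[:-1]
    port = int(rest[0]) if rest else None
    if port is not None and proto not in (6, 17):
        raise ValueError("port given for non-TCP/UDP protocol: %r" % text)
    return Ace(action, proto, dst, port, count, text)


@dataclass
class RadiusAcl:
    aces: List[Ace]
    counters: Dict[int, int] = field(default_factory=dict)

    @classmethod
    def from_lines(cls, lines: List[str]) -> "RadiusAcl":
        aces = [parse_ace(line) for line in lines]
        if sum(a.count for a in aces) > MAX_COUNTERS_PER_ACL:
            raise ValueError("more than %d counters in one ACL" % MAX_COUNTERS_PER_ACL)
        return cls(aces, {i: 0 for i, a in enumerate(aces) if a.count})

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, ace_index); ace_index is None for the implicit deny.
        First match wins, so an explicit "deny in ip from any to any" makes
        every later ACE unreachable, exactly as the notes state."""
        dst = ipaddress.ip_address(pkt.dst)
        for i, ace in enumerate(self.aces):
            if ace.proto is not None and ace.proto != pkt.proto:
                continue
            if ace.dst is not None and dst not in ace.dst:
                continue
            if ace.port is not None and ace.port != pkt.dport:
                continue
            if ace.count:
                self.counters[i] += 1
            return ace.action, i
        return "deny", None


# The policy from the 11.11.11.0 example, written in ACE syntax.
POLICY = [
    "permit in ip from any to 11.11.11.42",
    "permit in tcp from any to 11.11.11.101 23 cnt",
    "deny in tcp from any to 11.11.11.0/24 23 cnt",
    "permit in tcp from any to 11.11.11.0/24 80",
]

if __name__ == "__main__":
    acl = RadiusAcl.from_lines(POLICY)
    for pkt in (Packet("11.11.11.42", 6, 22), Packet("11.11.11.101", 6, 23),
                Packet("11.11.11.50", 6, 23), Packet("11.11.11.50", 6, 80),
                Packet("11.11.11.50", 17, 53)):
        print(pkt, "->", acl.evaluate(pkt))
    print("counters:", acl.counters)
```

    The constructed packets exercise each ACE plus the implicit deny; the counters dictionary mirrors what the switch would report in RADIUS accounting for the two cnt ACEs.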
  • Page 74 Enhancements Release M.10.02 Enhancements Displaying the Current RADIUS-Based ACL Activity on the Switch These commands output data indicating the current ACL activity imposed per-port by RADIUS server responses to client authentication. Syntax: show access-list radius < port-list > For the specified ports, this command lists the explicit ACEs, switch port, and client MAC address for the ACL dynamically assigned by a RADIUS server as a response to client authentication.
  • Page 75 Enhancements Release M.10.02 Enhancements. Syntax: show port-access authenticator < port-list >. For ports in < port-list > that are configured for authentication, this command indicates whether there are any RADIUS-assigned features active on the port(s). (Any ports in < port-list > that are not configured for authentication do not appear in this listing.) Port: Port number of port configured for authentication.
  • Page 76: Event Log Messages

    Enhancements: Release M.10.02 Enhancements.
    ProCurve(config)# show port-access authenticator 10-11
    Port Access Authenticator Status
    Port-access authenticator activated [No] : No
    (columns: Port, Status, Current VLAN ID, Current Port COS, % Curr. Rate Limit Inbound, RADIUS ACL Applied?; the last column indicates that a RADIUS ACL is currently applied as part of ...) Open ...
  • Page 77 Enhancements Release M.10.02 Enhancements. Event log messages (Message / Meaning): "ACE parsing error, destination IP, < ace-# > client < mac-address > port < port-# >" / Notifies of a problem with the destination IP field in the indicated ACE of the access list for the indicated client on the indicated switch port.
  • Page 78: Sflow Show Commands

    Enhancements: Release M.10.02 Enhancements. • An ACE in the ACL for a given authenticated client exceeds 80 characters. • An ACL assigned to an authenticated client causes the number of optional counters needed on the ACL to exceed the per-ACL maximum (32). sFlow Show Commands: In earlier software releases, the only method for checking whether sFlow is enabled on the switch was via an SNMP request.
  • Page 79 Enhancements Release M.10.02 Enhancements ProCurve# show sflow agent Version 1.3;HP;M.10.03 Agent Address 10.0.10.228 Figure 13. Viewing sFlow Agent Information The show sflow destination command includes information about the management-station’s destina- tion address, receiver port, and owner. ProCurve# show sflow destination...
  • Page 80: Release M.10.04 Enhancements

    Enhancements: Release M.10.04 Enhancements.
    ProCurve# show sflow sampling-polling 1-5
    sflow destination Enabled
    (columns: Port | Sampling Enabled, Rate, Header, Dropped Samples | Polling Enabled, Interval; sample rows, partly extracted: Yes 6500000 ... 5671234 | No; Yes 2000 ... 24978 ...)
  • Page 81 Enhancements Release M.10.04 Enhancements Parameter Name Description ip-address-count The number of destination IP addresses learned in the IP forwarding table. Some attacks fill the IP forwarding table causing legitimate traffic to be dropped. system-resource-usage The percentage of system resources in use. Some Denial-of-Service (DoS) attacks (Denial of Service logging) will cause excessive system resource usage, resulting in insufficient resources for legitimate traffic.
  • Page 82 Enhancements Release M.10.04 Enhancements Alerts are automatically rate limited to prevent filling the log file with redundant information. ■ The following is an example of alerts that occur when the device is continually subject to the same attack (too many MAC addresses in this instance):
    W 01/01/90 00:05:00 inst-mon: Limit for MAC addr count (300) is exceeded (321)
    W 01/01/90 00:10:00 inst-mon: Limit for MAC addr count (300) is exceeded (323)
    W 01/01/90 00:15:00 inst-mon: Limit for MAC addr count (300) is exceeded (322)
  • Page 83 Enhancements Release M.10.04 Enhancements Configuring Instrumentation Monitor The following commands and parameters are used to configure the operational thresholds that are monitored on the switch. By default, the instrumentation monitor is disabled. Syntax: [no] instrumentation monitor [parameterName|all] [<low|med|high|limitValue>] [log] : Enables/disables instrumentation monitoring log so that event log messages are generated every time there is an event which exceeds a configured threshold.
  • Page 84 Enhancements Release M.10.04 Enhancements Examples To turn on monitoring and event log messaging with the default medium values: ProCurve(config)# instrumentation monitor To turn off monitoring of the system delay parameter: ProCurve(config)# no instrumentation monitor system-delay To adjust the alert threshold for the MAC address count to the low value: ProCurve(config)# instrumentation monitor mac-address-count low To adjust the alert threshold for the MAC address count to a specific value: ProCurve(config)# instrumentation monitor mac-address-count 767...
  • Page 85: Tcp/Udp Port Closure

    Enhancements Release M.10.04 Enhancements
    ProCurve# show instrumentation monitor configuration
    PARAMETER                 LIMIT
    ------------------------- ---------------
    mac-address-count         1000 (med)
    ip-address-count          1000 (med)
    system-resource-usage     50 (med)
    system-delay              5 (high)
    mac-moves/min             100 (med)
    learn-discards/min        100 (med)
    ip-port-scans/min         10 (med)
    arp-requests/min          100 (low)
    login-failures/min        10 (med)
    port-auth-failures/min    10 (med)
    SNMP trap generation for alerts: enabled...
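The two pages above show the instrumentation monitor from both ends: the thresholds in "show instrumentation monitor configuration" and the rate-limited "inst-mon" event-log lines produced when a threshold is exceeded. The following script is an added example, not code from the release notes or from HP; it parses both outputs and reports, per parameter, how many alerts fired, the peak observed value, and whether the limit quoted in the log still matches the running configuration. The configuration text is the one printed on page 85; the first three log lines are the ones printed on page 82, while the "login failures/min" line and the non-inst-mon line are constructed, and the wording used for parameters other than the MAC address count is an assumption.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# "show instrumentation monitor configuration" output as printed in the release notes.
SHOW_CONFIG = """\
ProCurve# show instrumentation monitor configuration
PARAMETER                 LIMIT
------------------------- ---------------
mac-address-count         1000 (med)
ip-address-count          1000 (med)
system-resource-usage     50 (med)
system-delay              5 (high)
mac-moves/min             100 (med)
learn-discards/min        100 (med)
ip-port-scans/min         10 (med)
arp-requests/min          100 (low)
login-failures/min        10 (med)
port-auth-failures/min    10 (med)
SNMP trap generation for alerts: enabled
"""

# Event-log lines: the first three are from the release notes; the last two are
# constructed for this example (the login-failures wording is an assumption).
EVENT_LOG = [
    "W 01/01/90 00:05:00 inst-mon: Limit for MAC addr count (300) is exceeded (321)",
    "W 01/01/90 00:10:00 inst-mon: Limit for MAC addr count (300) is exceeded (323)",
    "W 01/01/90 00:15:00 inst-mon: Limit for MAC addr count (300) is exceeded (322)",
    "W 01/01/90 00:15:00 inst-mon: Limit for login failures/min (10) is exceeded (57)",
    "I 01/01/90 00:16:00 ports: port 4 is now on-line",
]

CONFIG_RE = re.compile(r"^(?P<name>[a-z][\w/-]*)\s+(?P<limit>\d+)\s+\((?P<level>low|med|high)\)$")
ALERT_RE = re.compile(
    r"^(?P<sev>[A-Z]) (?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) inst-mon: "
    r"Limit for (?P<param>.+?) \((?P<limit>\d+)\) is exceeded \((?P<observed>\d+)\)$"
)

# Log wording -> configuration parameter name. Only the first entry is confirmed by
# the release notes; the second is an assumption for the constructed line above.
LOG_NAME_TO_PARAM = {
    "MAC addr count": "mac-address-count",
    "login failures/min": "login-failures/min",
}


@dataclass(frozen=True)
class Alert:
    when: datetime
    param: str
    limit: int
    observed: int


def parse_monitor_config(text):
    """Return {parameter: (limit, level)} from the show command output."""
    cfg = {}
    for line in text.splitlines():
        m = CONFIG_RE.match(line.strip())
        if m:
            cfg[m["name"]] = (int(m["limit"]), m["level"])
    return cfg


def parse_alerts(lines):
    """Return Alert objects for inst-mon threshold messages; other lines are ignored."""
    alerts = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %H:%M:%S")
        param = LOG_NAME_TO_PARAM.get(m["param"], m["param"].lower().replace(" ", "-"))
        alerts.append(Alert(when, param, int(m["limit"]), int(m["observed"])))
    return alerts


def summarize(alerts, config):
    """Per parameter: alert count, peak observed value, and whether the limit the log
    quotes differs from the running configuration (threshold changed since the alert)."""
    report = {}
    for a in alerts:
        entry = report.setdefault(a.param, {"count": 0, "peak": 0, "stale_limit": False})
        entry["count"] += 1
        entry["peak"] = max(entry["peak"], a.observed)
        configured = config.get(a.param, (None, None))[0]
        if configured is not None and configured != a.limit:
            entry["stale_limit"] = True
    return report


def sustained(alerts, param, min_alerts=3):
    """True when a parameter alerted at least min_alerts times. Because the switch
    rate-limits repeats, several alerts mean the condition persisted across intervals."""
    return sum(1 for a in alerts if a.param == param) >= min_alerts


if __name__ == "__main__":
    cfg = parse_monitor_config(SHOW_CONFIG)
    alerts = parse_alerts(EVENT_LOG)
    for param, info in summarize(alerts, cfg).items():
        print(param, info, "sustained" if sustained(alerts, param) else "")
```

Feeding the switch's syslog stream into `parse_alerts` and keying on `sustained` separates a transient spike from an attack that keeps the MAC table above its limit for three consecutive rate-limit intervals.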
  • Page 86 Enhancements Release M.10.04 Enhancements Enabling/Disabling TFTP The TFTP server and client can be enabled and/or disabled independently. Syntax: [no] tftp <client | server> Enables or disables the TFTP client or server. client: Enables or disables the TFTP client. (Default: disabled) server: Enables or disables the TFTP server.
  • Page 87: Spanning Tree Show Commands

    Enhancements Release M.10.04 Enhancements Note The router rip command exists in previous software versions. In this implementation, however, RIP must be enabled in order to open the port on the switch. Enabling/Disabling Stacking To enable/disable stacking, use the following command. Syntax: [no] stack Enables stacking (SNMP) on the switch.
  • Page 88 Enhancements Release M.10.04 Enhancements The following shows RSTP sample output from the enhanced command. ProCurve# show spanning-tree detail Status and Counters - RSTP Port(s) Detailed Information Port Status : Up Role : Root State : Forwarding Priority : 128 Path Cost : 200000 Root Path Cost : 10...
  • Page 89: Release M.10.05 Enhancements

    Enhancements Release M.10.05 Enhancements • TC Flag Received counter shows the number of TC notifications (RSTP or MSTP style BPDU with the TC flag set) received on the port. TC ACK Flag Transmitted is an 802.1D mode counter. It will only increment when the port •...
  • Page 90: Release M.10.07 Enhancements

    Enhancements Release M.10.07 Enhancements Release M.10.07 Enhancements Release M.10.07 includes the following enhancement: ■ Added support for PIM Dense Mode. For details, refer to Chapter 5, “PIM-DM (Dense Mode) on the 5300xl Switches” in the Advanced Traffic Management Guide for the ProCurve Series 6400cl/5300xl/4200vl/3400cl Switches.
  • Page 91 Enhancements Release M.10.09 Enhancements Scenario 1 (No UDLD): Without UDLD, the switch ports remain enabled despite the link failure. Traffic continues to be load-balanced to the ports connected to the failed link. Scenario 2 (UDLD-enabled): When UDLD is enabled, the feature blocks the ports connected to the failed link.
  • Page 92 Enhancements Release M.10.09 Enhancements Configuration Considerations ■ UDLD is configured on a per-port basis and must be enabled at both ends of the link. See the note below for a list of ProCurve switches that support UDLD. ■ To configure UDLD on a trunk group, you must configure the feature on each port of the group individually.
  • Page 93 Enhancements Release M.10.09 Enhancements Enabling UDLD. UDLD is enabled on a per port basis. For example, to enable UDLD on port a1, enter: ProCurve(config)# interface a1 link-keepalive To enable the feature on a trunk group, enter the appropriate port range. For example: ProCurve(config)# interface a1-a4 link-keepalive Note When at least one port is UDLD-enabled, the switch will forward out UDLD packets that arrive on...
  • Page 94 Enhancements Release M.10.09 Enhancements Notes ■ You must configure the same VLANs that will be used for UDLD on all devices across the network; otherwise, the UDLD link cannot be maintained. ■ If a VLAN ID is not specified, then UDLD control packets are sent out of the port as untagged packets.
  • Page 95 Enhancements Release M.10.09 Enhancements Displaying Summary UDLD Information. To display summary information on all UDLD-enabled ports, enter the show link-keepalive command. For example: ProCurve(config)# show link-keepalive Total link-keepalive enabled ports: 4 Keepalive Retries: Keepalive Interval: 1 sec Port 1 is UDLD-enabled, and Port Enabled Physical Keepalive Adjacent...
  • Page 96 Enhancements Release M.10.09 Enhancements Displaying Detailed UDLD Status Information. To display detailed UDLD information for specific ports, enter the show link-keepalive statistics command. For example: Ports 1 and 2 are UDLD-enabled and show the number of health check packets sent and received on each port.
  • Page 97: Configuration Warnings And Event Log Messages

    Enhancements Release M.10.09 Enhancements Configuration Warnings and Event Log Messages Warning Messages. The following table shows the warning messages that may be issued and their possible causes, when UDLD is configured for tagged ports. Table 6. Warning Messages caused by configuring UDLD for Tagged Ports CLI Command Example Warning Message Possible Problem...
  • Page 98: Release M.10.10 Enhancements

    Enhancements Release M.10.10 Enhancements Release M.10.10 Enhancements Release M.10.10 includes the following enhancement: Spanning Tree Per-Port BPDU Filtering The STP BPDU filter feature allows control of spanning-tree participation on a per-port basis. It can be used to exclude specific ports from becoming part of spanning tree operations. A port with the BPDU filter enabled will ignore incoming BPDU packets and stay locked in the spanning-tree forwarding state.
  • Page 99 Enhancements Release M.10.10 Enhancements C a u t i o n Ports configured with the BPDU filter mode remain active (learning and forward frames); however, spanning-tree cannot receive or transmit BPDUs on the port. The port remains in a forwarding state, permitting all broadcast traffic.
  • Page 100 Enhancements Release M.10.10 Enhancements The show spanning-tree command has also been extended to display BPDU filtered ports. ProCurve# show spanning-tree Multiple Spanning Tree (MST) Information STP Enabled : Yes Force Version : MSTP-operation IST Mapped VLANs : 1-7 Row showing ports with BPDU filters enabled Protected Ports : Filtered Ports : A6-A7...
  • Page 101: Releases M.10.11 Through M.10.12 Enhancements

    Enhancements Releases M.10.11 through M.10.12 Enhancements Releases M.10.11 through M.10.12 Enhancements Software fixes only, no new enhancements. Release M.10.13 Enhancements Release M.10.13 includes the following enhancement: ■ Enhancement (PR_1000354065) — Added DHCP protection feature. No additional documentation is available at this time. Releases M.10.14 through M.10.16 Enhancements Software fixes only, no new enhancements.
  • Page 102 Enhancements Release M.10.17 Enhancements STP Domain SNMP Trap Management Station SNMP Trap SNMP Trap Switch Event Log: port X is disable by STP BPDU protection Fake STP BPDU End User Figure 27. Example of BPDU Protection Enabled at the Network Edge Terminology BPDU —...
  • Page 103 Enhancements Release M.10.17 Enhancements STP — Spanning Tree Protocol, part of the original IEEE 802.1D specification. The 2004 edition completely deprecates STP. Both RSTP and MSTP have fallback modes to handle STP. SNMP — Simple Network Management Protocol, used to remotely manage network devices. Note The switches covered in these Release Notes, use the IEEE 802.1s Multiple Spanning Tree Protocol (MSTP) standard.
  • Page 104: Example Of Bpdu Protection Additions To Show Spanning Tree Command

    Enhancements Release M.10.17 Enhancements Viewing BPDU Protection Status The show spanning-tree command has additional information on BPDU protection as shown below. ProCurve# show spanning-tree 1-10 Multiple Spanning Tree (MST) Information STP Enabled : Yes Force Version : MSTP-operation IST Mapped VLANs : 1-7 Ports with BPDU protection enabled Protected Ports : 3-7,9 Errant BPDU detected on this port...
  • Page 105: Release M.10.21 Enhancements

    Enhancements Release M.10.21 Enhancements Release M.10.21 Enhancements Software fixes only, no new enhancements. Release M.10.22 Enhancements Release M.10.22 includes the following enhancement: ■ Enhancement (PR_1000376406) — Loop Protection feature additions, including packet authentication, loop detected trap, and receiver port configuration. Configuring Loop Protection You can use BPDU protection for systems that have spanning tree enabled (See “Spanning Tree BPDU...
  • Page 106 Enhancements Release M.10.22 Enhancements [trap <loop-detected>] Allows you to configure loop protection traps The “loop-detected” trap indicates that a loop was detected on a port. [disable-timer <0-604800>] How long (in seconds) a port is disabled when a loop has been detected. A value of zero disables the auto re-enable functionality.
  • Page 107: Release M.10.23 Enhancements

    Enhancements Release M.10.23 Enhancements Release M.10.23 Enhancements Release M.10.23 includes the following enhancement: ■ Enhancement (PR_1000379804) — Historical information about MAC addresses that have been moved has been added to the "show tech" command output. Release M.10.24 Enhancements Release M.10.24 includes the following enhancement: ■...
  • Page 108: Release M.10.27 Enhancements

    Enhancements Release M.10.27 Enhancements Release M.10.27 Enhancements Release M.10.27 includes the following enhancement: ■ Enhancement (PR_1000374085) — This enhancement expands the use of the Controlled Directions parameter to also support MAC/Web authentication. Syntax: aaa port-access <port-list > controlled-directions <both | in> After you enable MAC-based authentication on specified ports, you can use the aaa port-access controlled-directions command to configure how a port transmits traffic before it successfully authenticates a client and enters...
  • Page 109 Enhancements Release M.10.27 Enhancements Notes: ■ The aaa port-access controlled-direction in command allows Wake-on-LAN traffic to be transmitted on a MAC-authenticated outbound port that has not yet transitioned to the authenticated state; the controlled-direction both setting prevents transmission of outbound Wake-on-LAN traffic on a MAC-authenticated port until authentication occurs.
  • Page 110: Release M.10.28 Enhancements

    Enhancements Release M.10.28 Enhancements Release M.10.28 Enhancements Software fixes only, no new enhancements. Release M.10.29 Enhancements Release M.10.29 includes the following enhancement: ■ Enhancement (PR_1000376626) — Enhance CLI "qos dscp-map he" help and "show dscp-map" text to warn the user that inbound classification based on DSCP codepoints only occurs if "qos type-of-service diff-services"...
  • Page 111: Release M.10.32 Enhancements

    Enhancements Release M.10.32 Enhancements ■ The <hash-type> parameter specifies the type of algorithm (if any) used to hash the password. Valid values are plaintext or sha-1. ■ The <password> parameter is the clear ASCII text string or SHA-1 hash of the password. You can enter a manager, operator, or 802.1X port-access password in clear ASCII text or hashed format. A password held in hashed form is still sensitive: the SHA-1 digest of a short or weak password can be recovered quickly by offline guessing, so copies of the configuration file (for example, ones fetched over TFTP) need the same protection as the passwords themselves.
  • Page 112: Release M.10.33 Enhancements

    Enhancements Release M.10.33 Enhancements
    To schedule a reload in 3 hours: ProCurve# reload after 03:00
    To schedule a reload for the same time the following day: ProCurve# reload after 01:00:00
    To schedule a reload for the same day at 12:05: ProCurve# reload at 12:05
    To schedule a reload on some future date: ProCurve# reload at 12:05 01/01/2007...
  • Page 113: Operating Notes

    Enhancements Release M.10.33 Enhancements ■ The port is temporarily assigned as a member of an untagged (static or dynamic) VLAN for use during the client session according to the following order of options. The port joins the VLAN to which it has been assigned by a RADIUS server during client authentication.
  • Page 114: Example Of Untagged Vlan Assignment In A Radius-Based Authentication Session

    Enhancements Release M.10.33 Enhancements When the authentication session ends, the switch removes the temporary untagged VLAN assignment and re-activates the temporarily disabled, untagged VLAN assignment. ■ If GVRP is already enabled on the switch, the temporary untagged (static or dynamic) VLAN created on the port for the authentication session is advertised as an existing VLAN.
  • Page 115 Enhancements Release M.10.33 Enhancements Figure 8. Example of an Active VLAN Configuration In Figure Figure 8, if RADIUS authorizes an 802.1X client on port A2 with the requirement that the client use VLAN 22, then: VLAN 22 becomes available as Untagged on port A2 for the duration of the session. ■...
  • Page 116 Enhancements Release M.10.33 Enhancements Figure 10. Active Configuration for VLAN 33 Temporarily Drops Port 22 for the 802.1X Session When the 802.1X client session on port A2 ends, the port removes the temporary untagged VLAN membership. The static VLAN (VLAN 33) that is “permanently” configured as untagged on the port becomes available again.
  • Page 117: Enabling The Use Of Gvrp-Learned Dynamic Vlans In Authentication Sessions

    Enhancements Release M.10.33 Enhancements Enabling the Use of GVRP-Learned Dynamic VLANs in Authentication Sessions Syntax: aaa port-access gvrp-vlans Enables the use of dynamic VLANs (learned through GVRP) in the temporary untagged VLAN assigned by a RADIUS server on an authenticated port in an 802.1X, MAC, or Web authentication session.
  • Page 118: Release M.10.34 Enhancements

    Enhancements Release M.10.34 Enhancements 3. If you disable the use of dynamic VLANs in an authentication session using the no aaa port-access gvrp-vlans command, client sessions that were authenticated with a dynamic VLAN continue and are not deauthenticated. (This behavior differs from how static VLAN assignment is handled in an authentication session.
  • Page 119: Release M.10.35 Enhancements

    Enhancements Release M.10.35 Enhancements Release M.10.35 Enhancements Release M.10.35 includes the following enhancement: Enhancement (PR_1000419928) — The Dynamic ARP Protection feature was added. ■ Dynamic ARP Protection Introduction On the VLAN interfaces of a routing switch, dynamic ARP protection ensures that only valid ARP requests and responses are relayed or used to update the local ARP cache.
  • Page 120 ARP packets may be dropped and will need to be retransmitted. ■ The SNMP MIB, HP-ICF-ARP-PROTECT-MIB, is created to configure dynamic ARP protection and to report ARP packet-forwarding status and counters. Enabling Dynamic ARP Protection To enable dynamic ARP protection for VLAN traffic on a routing switch, enter the arp protect vlan command at the global configuration level.
  • Page 121 Enhancements Release M.10.35 Enhancements Configuring Trusted Ports In a similar way to DHCP snooping, dynamic ARP protection allows you to configure VLAN interfaces in two categories: trusted and untrusted ports. ARP packets received on trusted ports are forwarded without validation. By default, all ports on a switch are untrusted.
  • Page 122 Enhancements Release M.10.35 Enhancements To configure one or more Ethernet interfaces that handle VLAN traffic as trusted ports, enter the arp protect trust command at the global configuration level. The switch does not check ARP requests and responses received on a trusted port. Syntax: [no] arp protect trust <port-list>...
  • Page 123 Enhancements Release M.10.35 Enhancements An example of the ip source binding command is shown here: ProCurve(config)# ip source binding 0030c1-7f49c0 interface vlan 100 10.10.20.1 interface A4 Note: the ip source binding command is the same command used by the Dynamic IP Lockdown feature to configure static bindings.
  • Page 124 Enhancements Release M.10.35 Enhancements Verifying the Configuration of Dynamic ARP Protection To display the current configuration of dynamic ARP protection, including the additional validation checks and the trusted ports that are configured, enter the show arp protect command: ProCurve(config)# show arp protect ARP Protection Information Enabled Vlans : 1-4094...
  • Page 125: Release M.10.36 Enhancements

    Enhancements Release M.10.36 Enhancements Monitoring Dynamic ARP Protection When dynamic ARP protection is enabled, you can monitor and troubleshoot the validation of ARP packets with the debug arp protect command. Use this command when you want to debug the following conditions: The switch is dropping valid ARP packets that should be allowed.
  • Page 126: Configuring Mstp Port Connectivity Parameters

    Enhancements Release M.10.37 Enhancements Configuring MSTP Port Connectivity Parameters With release K.12.04, all ports are configured as auto-edge-ports by default, and the spanning tree edge-port option has been removed. This section describes selected spanning-tree <port-list> com- mand parameters for enhanced operation. Basic port connectivity parameters affect spanning-tree links at the global level.
  • Page 127 Enhancements Release M.10.37 Enhancements [root-guard] MSTP only. When a port is enabled as root-guard, it cannot be selected as the root port even if it receives superior STP BPDUs. The port is assigned an “alternate” port role and enters a blocking state if it receives superior STP BPDUs. The BPDUs received on a root-guard port are ignored.
  • Page 128: Release M.10.38 Enhancements

    Enhancements Release M.10.38 Enhancements point-to-point-mac <true | false | auto > This parameter informs the switch of the type of device to which a specific port connects. True (default): Indicates a point-to-point link to a device such as a switch, bridge, or end-node.
  • Page 129: Send Snmp V2C Informs

    Enhancements Release M.10.38 Enhancements Send SNMP v2c Informs Enabling and Configuring SNMP Informs You can use the snmp-server informs command (SNMPv2c and SNMPv3 versions) to send notifications when certain events occur. When an SNMP Manager receives an informs request, it can send an SNMP response back to the sending agent.
  • Page 130: Release M.10.39 Enhancements

    Enhancements Release M.10.39 Enhancements Select whether SNMP traps or informs are sent to this management station. For more information on SNMP informs, see “Enabling and Configuring SNMP Informs” on page 119. [version <1 | 2c | 3>] Select the version of SNMP being used. Note: SNMP informs are supported on version 2c or 3 only.
  • Page 131: Radius Server Unavailable

    Enhancements Release M.10.39 Enhancements ■ Enhancement (PR_1000428213) — This software enhancement adds the ability to configure a secondary authentication method to be used when the RADIUS server is unavailable for the primary port-access method. RADIUS Server Unavailable Overview In certain situations, RADIUS servers can become isolated from the network. Users are not able to access the network resources configured with RADIUS access protection and are rejected.
  • Page 132 Enhancements Release M.10.39 Enhancements You can configure local, chap-radius or eap-radius as the primary password authentication method for the port-access method. You also need to select none or authorized as a secondary, or backup, method. Syntax: aaa authentication port-access <chap-radius | eap-radius | local> Configures local, chap-radius, or eap-radius as the primary password authentication method for port-access. Note that authorized as the secondary method is a fail-open choice: while the RADIUS server is unreachable, clients on the port are granted access without being authenticated, whereas none keeps access denied until the server is reachable again. Use authorized only where availability outweighs that exposure, and alert on the RADIUS-unavailable condition so the window is noticed.
  • Page 133: Specifying The Mac Address Format

    Enhancements Release M.10.39 Enhancements
    ProCurve(config)# show authentication
    Status and Counters - Authentication Information
    Login Attempts : 3
    Respect Privilege : Disabled
                | Login      Login      Enable     Enable
    Access Task | Primary    Secondary  Primary    Secondary
    ----------- + ---------- ---------- ---------- ----------
    Console     | Local      None       Local      ...
  • Page 134: Arp Age Timer Increase

    Enhancements Release M.10.39 Enhancements ■ Enhancement (PR_1000415155) — The ARP age timer was enhanced from the previous limit of 240 minutes to allow for configuration of values up to 1440 minutes (24 hours) or "infinite" (99,999,999 seconds or 3.2 years). ARP Age Timer Increase The ARP age is the amount of time the switch keeps a MAC address learned through ARP in the ARP cache.
  • Page 135 Enhancements Release M.10.39 Enhancements You can also view the value of the Arp Age timer in the configuration file. ProCurve(config)# show running-config Running configuration: ; J9091A Configuration Editor; Created on release #K.12.XX hostname "8200LP" module 2 type J8702A module 3 type J8702A module 4 type J8702A ip default-gateway 15.255.120.1 ip arp-age 1000...
  • Page 136: Release M.10.40 Enhancements

    Enhancements Release M.10.40 Enhancements If the ARP cache should become full because entries are not cleared (due to increased timeout limits) you can use the clear arp command to remove all non-permanent entries in the ARP cache. To remove a specific entry in the ARP cache, enter this command: Syntax: [no] arp IP-ADDRESS Allows removal of any dynamic entry in the ARP cache.
  • Page 137 Enhancements Release M.10.43 Enhancements Protection Against IP Source Address Spoofing Many network attacks occur when an attacker injects packets with forged IP source addresses into the network. Also, some network services use the IP source address as a component in their authentication schemes.
  • Page 138 Enhancements Release M.10.43 Enhancements Prerequisite: DHCP Snooping Dynamic IP lockdown requires that you enable DHCP snooping as a prerequisite for its operation on ports and VLAN traffic: Dynamic IP lockdown only enables traffic for clients whose leased IP addresses are already ■...
  • Page 139 Enhancements Release M.10.43 Enhancements In this example, the following DHCP leases have been learned by DHCP snooping on port 5. VLANs 2 and 5 are enabled for DHCP snooping. IP Address MAC Address VLAN ID 10.0.8.5 001122-334455 10.0.8.7 001122-334477 10.0.10.3 001122-334433 Figure 17.
  • Page 140: Operating Notes

    Enhancements Release M.10.43 Enhancements Enabling Dynamic IP Lockdown To enable dynamic IP lockdown on all ports or specified ports, enter the ip source-lockdown command at the global configuration level. Use the no form of the command to disable dynamic IP lockdown. Syntax: [no] ip source-lockdown [port-list] Enables dynamic IP lockdown globally on all ports or on specified ports on the routing switch.
  • Page 141 Enhancements Release M.10.43 Enhancements • Remove the trusted-port configuration. ■ You can configure dynamic IP lockdown only from the CLI; this feature cannot be configured from the Web management or menu interface. ■ If you enable dynamic IP lockdown on a port, you cannot add the port to a trunk. ■...
  • Page 142 Enhancements Release M.10.43 Enhancements Adding a Static Binding To add the static configuration of an IP-to-MAC binding for a port to the lease database, enter the ip source-binding command at the global configuration level. Use the no form of the command to remove the IP-to-MAC binding from the database.
  • Page 143 Enhancements Release M.10.43 Enhancements An example of the show ip source-lockdown status command output is shown in Figure 20. Note that the operational status of all switch ports is displayed. This information indicates whether or not dynamic IP lockdown is supported on a port. ProCurve(config)# show ip source-lockdown status Dynamic IP Lockdown (DIPLD) Information Global State: Enabled...
  • Page 144 Enhancements Release M.10.43 Enhancements ProCurve(config)# show ip source-lockdown bindings Dynamic IP Lockdown (DIPLD) Bindings Mac Address IP Address VLAN Port Not in HW ----------- ---------- ----- ----- --------- 001122-334455 10.10.10.1 1111 005544-332211 10.10.10.2 2222 Trk11 ......Figure 21.
  • Page 145: Release M.10.44 Through M.10.64 Enhancements

    Enhancements Release M.10.44 through M.10.64 Enhancements
    ProCurve(config)# debug dynamic-ip-lockdown
    DIPLD 01/01/90 00:01:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 1 packets
    DIPLD 01/01/90 00:06:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 294 packets
    DIPLD 01/01/90 00:11:25 : denied ip 192.168.2.100 (0) (PORT 4) ->...
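The dynamic IP lockdown pages above give the two outputs an operator has when a host is being blocked: the binding table from show ip source-lockdown bindings and the rate-limited "denied ip" lines from debug dynamic-ip-lockdown. The following script is an added example, not code from the release notes or from HP; it parses both, totals the denied packets per source address and port, and says for each source whether the address is bound to a different port (a likely spoof or mis-patched host) or has no binding at all (a host without a DHCP lease, which needs a static binding before lockdown will pass its traffic). The first two debug lines are the ones printed in the notes; the packet count on the third line, the fourth line and the whole binding table are constructed. The meaning of the "(0)" fields after each address is not stated in the notes, so they are parsed but not interpreted, and the static-binding helper uses the command form shown on page 123.

```python
import re
from dataclasses import dataclass

# Constructed binding table in the layout shown in Figure 21.
SHOW_BINDINGS = """\
ProCurve(config)# show ip source-lockdown bindings
 Dynamic IP Lockdown (DIPLD) Bindings
  Mac Address    IP Address   VLAN  Port   Not in HW
  -------------  -----------  ----  -----  ---------
  001122-334455  10.10.10.1   1111  5
  005544-332211  10.10.10.2   2222  Trk11
"""

# First two lines from the release notes; the third line's count and the fourth line
# are constructed.
DEBUG_LOG = """\
DIPLD 01/01/90 00:01:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 1 packets
DIPLD 01/01/90 00:06:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 294 packets
DIPLD 01/01/90 00:11:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 310 packets
DIPLD 01/01/90 00:11:40 : denied ip 10.10.10.2 (0) (PORT 7) -> 10.10.10.1 (0), 12 packets
"""

BINDING_RE = re.compile(r"^\s*(?P<mac>[0-9a-f]{6}-[0-9a-f]{6})\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<vlan>\d+)\s+(?P<port>\S+)")
DENIED_RE = re.compile(
    r"^DIPLD (?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) : denied ip "
    r"(?P<src>\S+) \((?P<src_x>\d+)\) \(PORT (?P<port>\S+)\) -> "
    r"(?P<dst>\S+) \((?P<dst_x>\d+)\), (?P<packets>\d+) packets$"
)


@dataclass(frozen=True)
class Denial:
    date: str
    time: str
    src_ip: str
    port: str
    dst_ip: str
    packets: int


def parse_bindings(text):
    """Return {ip: (mac, vlan, port)} from 'show ip source-lockdown bindings' output."""
    bindings = {}
    for line in text.splitlines():
        m = BINDING_RE.match(line)
        if m:
            bindings[m["ip"]] = (m["mac"], int(m["vlan"]), m["port"])
    return bindings


def parse_denials(text):
    """Return Denial records for each 'denied ip' debug line."""
    out = []
    for line in text.splitlines():
        m = DENIED_RE.match(line.strip())
        if m:
            out.append(Denial(m["date"], m["time"], m["src"], m["port"], m["dst"], int(m["packets"])))
    return out


def classify(denials, bindings):
    """Aggregate denials per (source IP, port) and explain why lockdown blocked them."""
    report = {}
    for d in denials:
        entry = report.setdefault((d.src_ip, d.port), {"events": 0, "packets": 0, "verdict": ""})
        entry["events"] += 1
        entry["packets"] += d.packets
        binding = bindings.get(d.src_ip)
        if binding is None:
            entry["verdict"] = "no binding"            # static host or forged address
        elif binding[2] != d.port:
            entry["verdict"] = f"bound to {binding[2]}" # address belongs to another port
        else:
            entry["verdict"] = "binding matches port"   # e.g. binding not yet in hardware
    return report


def procurve_mac(mac):
    """Normalise any common MAC notation to the switch's aabbcc-ddeeff form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[:6]}-{digits[6:]}"


def static_binding_command(mac, vlan, ip, port):
    """CLI line that adds a static binding, in the form shown on page 123."""
    return f"ip source binding {procurve_mac(mac)} interface vlan {vlan} {ip} interface {port}"


if __name__ == "__main__":
    report = classify(parse_denials(DEBUG_LOG), parse_bindings(SHOW_BINDINGS))
    for (src, port), info in report.items():
        print(f"{src} on port {port}: {info}")
```

A "no binding" source with a rising packet count is the expected signature of both a spoofing host and a forgotten static server; the difference is whether anyone recognises the address, and for the latter the fix is the static binding the helper emits.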
  • Page 146: Release M.10.65 Enhancements

    Enhancements Release M.10.65 Enhancements Release M.10.65 Enhancements Release M.10.65 includes the following enhancement: Enhancement (PR_0000001316) — The MSTP VLAN Assignment is enhanced. ■ MSTP VLAN Configuration Enhancement C a u t i o n When this software version is installed, the prior VLAN ID-to-MSTI mappings do not change. However, this enhancement is not backward-compatible.
  • Page 147 Enhancements Release M.10.65 Enhancements All switches in a region must be configured with the same VLAN ID-to-MSTI mappings and the same MSTP configuration identifiers (region name and revision number). ■ Flexibility: By preconfiguring identical VLAN ID-to-MSTI mappings on all switches in an MST region, you can combine switches that support different maximum numbers of VLANs.
  • Page 148 Enhancements Release M.10.65 Enhancements Each MST instance supports a different set of VLANs. A VLAN that is mapped to an MST instance cannot be a member of another MST instance. The MSTP VLAN Configuration enhancement allows you to ensure that the same VLAN ID-to-MSTI assignments exist on each MSTP switch in a region.
  • Page 149 Enhancements Release M.10.65 Enhancements ProCurve(config)# show spanning-tree mst-config MST Configuration Identifier Information MST Configuration Name: MSTP1 MST Configuration Revision: 1 MST Configuration Digest: 0x51B7EBA6BEED8702D2BA4497D4367517 IST Mapped VLANs : Instance ID Mapped VLANs -------- --------------- 1-10 Figure 23. Example of Mapping VLANs with the Range Option where all VLANs are Included Note If you want all switches to be in the same MST region, they should all have a software version that supports this enhancement installed, or have the same VLANs configured.
  • Page 150: Release M.10.66 Enhancements

    SNMP, which allows more options for remote access and management of the switch. The HP enterprise MIB hpicfSyslog.mib is added to allow the configuration and monitoring of syslog. (RFC 3164 supported) The CLI has some additional parameters that permit interoperability with SNMP that are explained below.
  • Page 151 Enhancements Release M.10.66 Enhancements Adding a Description for a Syslog Server You can associate a user-friendly description with each of the IP addresses (IPv4 only) configured for syslog using the CLI or SNMP. The CLI command is: Syntax: logging <ip-addr> [control-descr <text_string>] no logging <ip-addr>...
  • Page 152 Enhancements Release M.10.66 Enhancements ProCurve(config)# logging priority-descr severe-pri Figure 30. Example of the Logging Command with a Priority Description Note A notification is sent to the SNMP agent if there are any changes to the syslog parameters either through the CLI or with SNMP. Command Differences for the ProCurve Series 2600/2800/3400cl/6400cl Switches CLI Commands.
  • Page 153: Release M.10.67 Enhancements

    Enhancements Release M.10.67 Enhancements Release M.10.67 Enhancements Software fixes only, no new enhancements. Release M.10.68 Enhancements Release M.10.68 includes the following enhancement: ■ Enhancement (PR_0000003127) — A Link Trap and LACP Global enable/disable feature has been added. LACP and Link Traps Global Disable Two SNMP commands are added to allow disabling of LACP and link traps on multiple ports at one time.
  • Page 154: Release M.10.69 Enhancements

    Enhancements Release M.10.69 Enhancements
    hpSwitchLinkUpDownTrapAllPortsStatus OBJECT-TYPE
        SYNTAX INTEGER { enable (1), disable (2) }
        ACCESS read-write
        STATUS current
        DESCRIPTION "Used to either enable/disable the Link Up/Link Down traps for all the ports."
        ::= { hpSwitchPortConfig 3 }
    Release M.10.69 Enhancements Release M.10.69 includes the following enhancement (Not a public release). Enhancement (PR_0000010783b) —...
  • Page 155: Software Fixes In Release M.08.51 - M.10.72

    165. Unless otherwise noted, each new release includes the software fixes added in all previous releases. Release M.08.51 was the first software release for the HP ProCurve 3400cl Series. Release M.08.52 Updated Boot ROM image to I.08.02 to address Manufacturing test condition.
  • Page 156 Software Fixes in Release M.08.51 - M.10.72 Release M.08.61 2. In show CDP the Yes is changed to Yes,(Receive Only). ■ CLI (PR_1000192677) — Show access-list ports <tab> does not list the all keyword. The command only shows [PORT-LIST] as input for the command. ■ Console/TELNET (PR_1000195647) —...
  • Page 157: Release M.08.62

    Software Fixes in Release M.08.51 - M.10.72 Release M.08.62 ■ Web UI (PR_1000177915) — Device View from the Web user interface is missing. ■ Web UI/Port Security (PR_1000195894) — The Web user interface does not allow the user to select multiple ports when configuring port-security. Release M.08.62 Problems Resolved in Release M.08.62 ■ Crash (PR_1000207542) —...
  • Page 158: Release M.08.64

    Software Fixes in Release M.08.51 - M.10.72 Release M.08.64 Release M.08.64 Problems Resolved in Release M.08.64 (Not a general release) ■ IP Routing (PR_1000220668)— Fatal exception when routing with more than 8 trunks configured and IP routing enabled. Release M.08.65 Problems Resolved in Release M.08.65 (Never released) Crash (PR_1000194486) —...
  • Page 159: Release M.08.68

    Software Fixes in Release M.08.51 - M.10.72 Release M.08.68 Release M.08.68 Problems Resolved in Release M.08.68 (Not a general release) ■ Switching (PR_1000232312) — In cases where traffic is being L2 switched or L3 routed from one port at Gigabit speeds to a group of ports (i.e. to a VLAN) where one of the outbound ports is running at a slower speed, traffic may have been dropped even to egress ports running at Gigabit speeds.
  • Page 160: Release M.08.70

    Software Fixes in Release M.08.51 - M.10.72 Release M.08.70 ■ Port Security (PR_1000203984) — CLI port-security "mac-address" command will save address above the limit. ■ SNMP (PR_1000212170) — The Switch transmits Warm and Cold Start traps with an agent address of 0.0.0.0. ■...
  • Page 161: Release M.08.72

    Software Fixes in Release M.08.51 - M.10.72 Release M.08.72 ■ LLDP (PR_1000241315) — CLI command "show LLDP" does not display information correctly. ■ Web Auth (PR_1000230444) — Using port-based web authentication on the Switch will cause some users to never receive the web authentication screen. This occurs if a client receives the same unauthenticated DHCP address that a previous authorized client has used.
  • Page 162: Release M.08.75

    Release M.08.75
    Problems Resolved in Release M.08.75
    ■ LR optic (PR_1000282195) — After a switch reboot, certain 10GbE X2-SC LR Optic (J8437A) transceivers will lose their configuration. The administrator will be unable to turn off LACP, and CLI commands will not be displayed.
  • Page 163: Release M.08.78

    Release M.08.78
    Problems Resolved in Release M.08.78 (Not a general release)
    ■ Enhancement (PR_1000291806) — Fast boot enhancement.
    ■ MSTP (PR_1000286883) — Slow MSTP fail-over and fall-back time.
    Release M.08.79
    Problems Resolved in Release M.08.79 (Not a general release)
    ■ Fault (PR_1000089786) — ...
  • Page 164: Release M.08.83

    ■ RSTP (PR_1000300623) — Under some circumstances, the switch may allow packets to loop for an extended period of time.
    Release M.08.83
    Problems Resolved in Release M.08.83 (Not a general release)
    ■ Crash (PR_1000297510) — ...
  • Page 165: Release M.08.87

    ■ SNMP (PR_1000295753) — Removing 'public' SNMP community generates an empty Event Log message.
    Release M.08.87
    Problems Resolved in Release M.08.87 (Not a general release)
    ■ Crash/STP (PR_1000307280) — Inconsistent or incorrect STP data may cause the switch ...
  • Page 166: Release M.08.90

    • RADIUS Configuration via SNMP. For details refer to "Using SNMP To View and Configure Switch Authentication Features" on page
    ■ Port Security (PR_1000304202) — The port-security MAC address learn mode does not ...
  • Page 167: Release M.08.93

    Release M.08.93
    Problems Resolved in Release M.08.93 (Not a general release)
    ■ Help (PR_1000317711) — In the VLAN menu Help text, the word 'default' is spelled incorrectly.
    ■ RSTP (PR_1000307278) — Replacing an 802.1D bridge device with an end node (non-STP ...
  • Page 168: Release M.08.97

    Release M.08.97
    Problems Resolved in Release M.08.97 (Never released)
    ■ OSPF (PR_1000319678) — Switch does not accept IP fragmented OSPF packets.
    Release M.10.01
    Note: The M.10.xx software releases run only on the ProCurve 3400cl series.
    Problems Resolved in Release M.10.01 (Not a general release)
    ■ ...
  • Page 169: Release M.10.04

    ■ sFlow (PR_1000321195) — A network management application may incorrectly report spikes in traffic when sFlow is first re-enabled.
    Release M.10.04
    Problems Resolved in Release M.10.04 (Never released)
    ■ Enhancement (PR_1000330743) — Denial of Service logging enhancement with imple- ...
  • Page 170: Release M.10.07

    ■ Ping MIB (PR_1000311510) — If the DNS hostname given to ping was invalid (for example hp..com) the switch will crash with an "ASSERT in ip_util.c".
    ■ Transceiver (PR_1000310852) — 10gig LR port has excessive link toggles during bootup.
  • Page 171: Release M.10.09

    Release M.10.09
    Problems Resolved in Release M.10.09
    ■ CLI (PR_1000317554) — The show version command does not display full minor version if it's three digits.
    ■ Counters (PR_1000327308) — 10gig port in xSTP blocking mode will increment RX drops ...
  • Page 172: Release M.10.11

    NMI event SW:IP=0x002030b4 MSR:0x0000b032 LR:0x002030d4 Task='mMstpCtrl' Task ID=0x60d6060 cr: 0x48000040 sp:0x060d5cc8 xer:0x00000000
    ■ Crash (PR_1000350363) — Switch crashes when pinging any other HP switch that is being rebooted, with the following message: Software exception at cli_oper_action.c:986 -- in 'mSess1', task ID = 0x62ff180 -> ASSERT: failed
    ■ Radius EAP (PR_1000334731) — ...
  • Page 173: Release M.10.14

    Release M.10.14
    Problems Resolved in Release M.10.14
    ■ CLI (PR_1000342461) — Command "show lldp info remote <port number>" reports incorrect information for remote management address.
    ■ LACP (PR_1000352012) — LACP state change does not properly reset 10Gig port.
    ■ ...
  • Page 174: Release M.10.17

    ■ DHCP Protection (PR_1000360273) — DHCP Lease renewal packets received on an untrusted port are dropped.
    ■ DHCP Protection (PR_1000360254) — An entry with an expired lease is not removed from the binding table.
    ■ ...
  • Page 175: Release M.10.21

    ■ Enhancement (PR_1000358900) — A RADIUS accounting enhancement was made. More information about this enhancement will be made available in a future update.
    Release M.10.21
    Problems Resolved in Release M.10.21 (Not a general release)
    ■ Crash (PR_1000368540) — ...
  • Page 176: Release M.10.23

    Release M.10.23
    Problems Resolved in Release M.10.23 (Never released)
    ■ Crash (PR_1000362248) — While attempting to configure "qos type-of-service diff-services" the switch may crash with a message similar to: Assertion failed: !VALUE_TOO_BIG_FOR_FIELD, file drvmem.c, line 184.
    ■ ...
  • Page 177: Release M.10.26

    ■ STP/RSTP/MSTP (PR_1000386113) — In some cases STP/RSTP/MSTP may allow a loop on 10-Gig ports, resulting in a broadcast storm.
    Release M.10.26
    Problems Resolved in Release M.10.26 (Not a general release)
    ■ Enhancement (PR_1000381681) — ...
  • Page 178: Release M.10.28

    Release M.10.28
    Problems Resolved in Release M.10.28 (Not a general release)
    ■ CLI/LLDP (PR_1000377191) — Output from the CLI command, "show lldp info remote-device <port>" shows a blank field for the chassis ID.
    ■ CLI (PR_1000390970) — ...
  • Page 179: Release M.10.30

    ■ Transceiver hotswap (PR_1000390888) — Transceiver hotswap issues:
      • Simultaneous hotswap of transceivers on both dual-personality ports will only detect a single change.
      • After certain transceiver hotswaps, the in/out LED indicator will not match the current status of the transceiver.
  • Page 180: Release M.10.32

    ■ RIP (PR_1000393366) — The switch does not process RIP (v2) responses containing subnets with a classful subnet mask, when the receiving RIP switch has a connected VLSM network defined that would fall within that classful range.
    ■ Enhancement (PR_1000372989) — ...
  • Page 181: Release M.10.34

    ■ Crash (PR_1000407542) — Attempting to change the spanning-tree protocol version from STP to RSTP or MSTP may cause the switch to crash with a message similar to: PPC Bus Error exception vector 0x300: Stack-frame=0x063d5de0 HW Addr=0x4b5a697c IP=0x0064c648 Task='mSnmpCtrl'
    ■ ...
  • Page 182: Release M.10.36

    ■ BPDU Protection (PR_1000395569) — BPDU-protection fails after module hot-swap.
    ■ Enhancement (PR_1000419928) — The Dynamic ARP Protection feature was added.
    ■ IP Connectivity (PR_1000418378) — The switch incorrectly updates its ARP table when a client that is configured with a valid IP address for a valid VLAN is connected to a port in another VLAN on the switch.
  • Page 183: Release M.10.39

    Release M.10.39
    Problems Resolved in Release M.10.39
    ■ Enhancement (PR_1000428213) — This software enhancement adds the ability to configure a secondary authentication method to be used when the RADIUS server is unavailable for the primary port-access method.
  • Page 184: Release M.10.42

    ■ SCP (PR_1000428142) — The switch does not exit a secure copy protocol (SCP) session properly.
    Release M.10.42
    No Problems Resolved in Release M.10.42 (Never Released)
    Release M.10.43
    Problems Resolved in Release M.10.43 (Never Released)
    ■ CLI (PR_1000413734) — ...
  • Page 185: Release M.10.45

    Release M.10.45
    Problems Resolved in Release M.10.45 (Not a Public Release)
    ■ Web-UI (PR_1000416955) — Inserting an LH GBIC into dual personality ports results in the LH ports not appearing in the device view.
    ■ Meshing (PR_1000453201) — ...
  • Page 186: Release M.10.48

    • The switch does not send an appropriate exit status message to the client. This corrects the symptom that occurs in some applications, which reports a message similar to: Fatal error: Server unexpectedly closed connection.
    • ...
  • Page 187: Release M.10.50 Through M.10.64

      • Routed traffic is off by a factor of 1000
      • Switched traffic is not sampled at all
    ■ Security (PR_1000388616) — Possible cross-site scripting vulnerability in Web Management Interface.
    ■ ...
  • Page 188: Release M.10.66

    ■ Authentication (PR_1000454714) — Concurrent 802.1X and MAC Authentication does not give the 802.1X value precedence. This fix gives 802.1X VLAN assignment precedence over MAC Auth RADIUS VLAN assignment.
    ■ Web Management (PR_1000760153) — A Java error occurs when viewing "Stack ...
  • Page 189: Release M.10.67

    ■ CLI (1000415243) — Output from the CLI command show name still lists 10-GbE transceiver names, even after the transceivers are removed and replaced with another type of transceiver.
    ■ CLI (PR_1000430534) — Output from the show port-access mac-based CLI command may ...
  • Page 190: Release M.10.68

    ■ Crash (PR_0000004023) — Repeated PCM configuration scans using SSH/SCP may cause the switch to crash with a message similar to the following. PPC Data Storage (Bus Error) exception vector 0x300: Stack Frame=0x07af44c0 HW Addr=0x6520463a IP=0x00965a88 Task='tSsh0' Task ID=0x7af4810
    Release M.10.68 ...
  • Page 191: Release M.10.70

    ■ PC Phone/Authentication (PR_0000007209) — When an IP phone is used in tandem with a PC connected to the phone, if the phone is moved to a tagged VLAN, some phone manufacturers send some traffic to the switch untagged.
  • Page 192: Release M.10.70

    ■ Dynamic ARP Protection (PR_0000009942) — When a switch using Dynamic ARP Protection is rebooted, it blocks all ARP traffic on untrusted ports, including traffic considered valid according to the binding database. On trusted ports, traffic flows normally. Workarounds: either disable / re-enable ARP protect, or configure ports to be trusted, and then untrusted again.
  • Page 193: Release M.10.71

    Release M.10.71
    Problems Resolved in Release M.10.71 (Not a Public Release)
    ■ 802.1X (PR_0000014842) — If an invalid number of characters is used at the CLI for the command aaa port-access supplicant <port number> secret, the CLI returns an error message that references the wrong port number for the supplicant being configured.
  • Page 194: Release M.10.72

    ■ Config (PR_0000005002) — If a friendly port name uses the characters TRUNK=, then after a reload, all the trunking configuration will have been removed from the configuration.
    ■ GVRP (PR_0000012224) — Changing the GVRP unknown-vlan state from 'block' to 'learn' ...
  • Page 195: Release M.10.72

    Drop offer from <DHCP server IP address> of <DHCP address offer> because the address is assigned to some other client
    Drop request from <MAC address of client requesting an IP address that is already in use> ...
  • Page 196: Release M.10.72

    Message 2 (when an unauth-vid config is attempted on a port with an existing 802.1X unauth-vid): Configuration change denied for port <number>. Only Web or MAC-authenticator can have unauthenticated VLAN enabled if 802.1X authenticator is enabled on the same port.
  • Page 197

    © 2004 - 2009 Hewlett-Packard Development Company, LP. The information contained herein is subject to change without notice. October 2009 Manual Part Number 5991-4764 ...

Table of Contents