HP 2610 User Manual

Version R.11.25 Software, ProCurve 2610 Series


Release Notes:

Version R.11.25 Software
for the ProCurve Series 2610 Switches

Release R.11.25 supports these switches:
■ ProCurve Switch 2610-24 (J9085A)
■ ProCurve Switch 2610-24/12PWR (J9086A)
■ ProCurve Switch 2610-24-PWR (J9087A)
■ ProCurve Switch 2610-48 (J9088A)
■ ProCurve Switch 2610-48-PWR (J9089A)

These release notes include information on the following:
■ Downloading Switch Documentation and Software from the Web
■ Clarification of operating details for certain software features
■ Software enhancements available in releases R.11.07 through R.11.25
■ A listing of software fixes included in releases R.11.07 through R.11.25



Summary of Contents for HP 2610

  • Page 1: Release Notes

    Release Notes: Version R.11.25 Software for the ProCurve Series 2610 Switches. Release R.11.25 supports these switches: ■ ProCurve Switch 2610-24 (J9085A) ■ ProCurve Switch 2610-24/12PWR (J9086A) ■ ProCurve Switch 2610-24-PWR (J9087A) ■ ProCurve Switch 2610-48 (J9088A) ■ ProCurve Switch 2610-48-PWR (J9089A) ...
  • Page 2 The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
  • Page 3: Table Of Contents

    ProCurve Switch, Routing Switch, and Router Software Keys ... 6 ...
  • Page 4 Known Issues; Release R.11.12 ... 16; Release R.11.22 ...
  • Page 5 Release R.11.08 ... 54; Release R.11.09 ...
  • Page 6: Software Management

    Check the ProCurve Networking Web site frequently for free software updates for the various ProCurve switches you may have in your network. Downloading Switch Documentation and Software from the Web: You can download software updates and the corresponding product documentation from HP's ProCurve web site as described below. To Download a Software Version: Go to the ProCurve Networking Web site at: Click on Switches.
  • Page 7: Downloading Software To The Switch

    This section describes how to use the CLI to download software to the switch. You can also use the menu interface for software downloads.
  • Page 8: Tftp Download From A Server

    When the CLI prompt re-appears, the switch is ready to reboot to activate the downloaded software. Reboot the switch. After the switch reboots, it displays the CLI or Main Menu, depending on the Logon Default setting last configured in the menu's Switch Setup screen.
  • Page 9: Xmodem Download From A Pc Or Unix Workstation

    To reduce the download time, you may want to increase the baud rate in your terminal emulator and in the switch to a value such as 57600 bits per second. (The baud rate must be the same in both devices.) For example, to change the baud rate in the switch to 57600, execute this...
  • Page 10: Saving Configurations While Using The Cli

    When you use the CLI to make a configuration change, the switch places the change in the running-config file. If you want to preserve the change across reboots, you must save the change to the startup-config file.
  • Page 11: Procurve Switch, Routing Switch, And Router Software Keys

    Switch 2810 Series (2810-24G and 2810-48G) PA/PB Switch 1800 Series (Switch 1800-8G – PA.xx; Switch 1800-24G – PB.xx) Switch 2510 Series (2510-24) Switch 2610 Series (2610-24, 2610-24/12PWR, 2610-24-PWR, 2610-48 and 2610-48-PWR) Switch 2900 Series (2900-24G, and 2900-48G) Switch 2510-48 VA/VB...
  • Page 12: Os/Web/Java Compatibility Table

    OS/Web/Java Compatibility Table: The switch web agent supports the following combinations of OS browsers and Java Virtual Machines:
    Operating System       Internet Explorer
    Windows NT 4.0 SP6a    5.00, 5.01, 5.01 SP1, 6.0 SP1
    Windows 2000 Pro SP4   5.05 SP2, ...
  • Page 13: Enforcing Switch Security

    Since security incidents can originate with sources inside as well as outside of an organization, your switch and network access security provisions must protect against internal and external threats while preserving the necessary network access for authorized clients and uses.
  • Page 14: Local Manager Password

    Inbound Telnet Access and Web Browser Access: The default remote management protocols enabled on the switch, such as Telnet or HTTP, are plain text protocols, which transfer passwords in open or plain text that is easily captured. To reduce the chances of unauthorized users capturing your passwords, secure and encrypted protocols such as SSH and SSL must be used for remote access.
  • Page 15: Snmp Access (Simple Network Management Protocol)

    A management station running an SNMP networked device management application such as ProCurve Manager Plus (PCM+) or HP OpenView can access the switch’s management information base (MIB) for write access to the switch’s local username and password configuration. In earlier software versions, SNMP access to the switch’s local authentication configuration (hpSwitchAuth)
  • Page 16: Front-Panel Access And Physical Security

    (and erasing any non-default configuration settings). Keeping the switch in a locked wiring closet or other secure space helps to prevent unauthorized physical access. As additional precautions, you can do the following: ■ ...
  • Page 17: Other Provisions For Management Access Security

    ■ client public-key authentication: uses one or more public keys (from clients) that must be stored on the switch. Only a client with a private key that matches a stored public key can gain access to the switch. ...
  • Page 18: Secure Socket Layer (Sslv3/Tlsv1)

    ■ switch SSH and user password authentication: this option is a subset of the client public-key authentication, and is used if the switch has SSH enabled without a login access configured to authenticate the client's key. In this case, the switch authenticates itself to clients, and users on SSH clients then authenticate themselves to the switch by providing passwords stored on a RADIUS or TACACS+ server, or locally on the switch.
  • Page 19: Clarifications

    The 2610 only supports a single sFlow collector and can only be configured via SNMP. By design, when sFlow is configured via SNMP, the sFlow-MIB OIDs that have been set do not survive a reboot.
  • Page 20: Access Security Guide

    Installation and Getting Started Guide ■ The Installation and Getting Started Guide, dated November 2008, on pages 2-3 and 2-4, describes the new 2610 rail kit, part number 508783-B21. Only the following ProCurve switches can be mounted with the new rail kit. •...
  • Page 21: Known Issues

    The following problems are known issues in release R.11.12. SSH (PR_0000003592) — Repeatedly performing crypto key generation tasks, and then connecting to the switch via SSH and executing a show ip ssh command may trigger a switch crash with a message similar to the following.
  • Page 22: Enhancements

    Enhancements: Unless otherwise noted, each new release includes the features added in all previous releases. Enhancements are listed in chronological order, oldest to newest software release. Release R.11.04 Enhancements: No new enhancements. Initial Release. Release R.11.07 Enhancements: Release R.11.07 includes the following enhancement: ■ ...
  • Page 23: Dhcp Snooping

    DHCP clients on the network. DHCP snooping accomplishes this by allowing you to distinguish between trusted ports connected to a DHCP server or switch and untrusted ports connected to end users. DHCP packets are forwarded between trusted ports without inspection. DHCP packets received on other switch ports are inspected before being forwarded.
  • Page 24 database: To configure a location for the lease database, enter a URL in the format tftp://ip-addr/ascii-string. The maximum number of characters for the URL is 63.
    option: Add relay information option (Option 82) to DHCP client packets that are being forwarded out trusted ports. The default is yes.
    trust: Configure trusted ports.
  • Page 25 ProCurve(config)# show dhcp-snooping stats
    Packet type  Action   Reason
    -----------  -------  ----------------------------
    server       forward  from trusted port
    client       forward  to trusted port
    server       drop     received on untrusted port
    server       drop     unauthorized server
    client       drop     destination on untrusted port
    client       drop     untrusted option 82 field
    client       drop     bad DHCP release request
    ...
  • Page 26 Configuring DHCP Snooping Trusted Ports: By default, all ports are untrusted. To configure a port or range of ports as trusted, enter this command: ProCurve(config)# dhcp-snooping trust <port-list> You can also use this command in the interface context, in which case you are not able to enter a list of ports.
  • Page 27 (See the preceding section Configuring DHCP Relay for more information on Option 82.) When DHCP is enabled globally and also enabled on a VLAN, and the switch is acting as a DHCP relay, the settings for the DHCP relay Option 82 command are ignored when snooping is controlling Option 82 insertion.
  • Page 28 Enhancements Release R.11.12 Enhancements If DHCP snooping is enabled on a switch where an edge switch is also using DHCP snooping, it is desirable to have the packets forwarded so the DHCP bindings are learned. To configure the policy for DHCP packets from untrusted ports that already have Option 82 present, enter this command in the global configuration context.
  • Page 29 ProCurve(config)# dhcp-snooping option 82 remote-id subnet-ip ProCurve(config)# show dhcp-snooping DHCP Snooping Information DHCP Snooping Enabled Vlans Verify MAC Option 82 untrusted policy : drop Option 82 Insertion Option 82 remote-id Disabling the MAC Address Check DHCP snooping drops DHCP packets received on untrusted ports when the check address (chaddr) field in the DHCP header does not match the source MAC address of the packet (default behavior).
  • Page 30 Lease time ■ The switch can be configured to store the bindings at a specific URL so they will not be lost if the switch is rebooted. If the switch is rebooted, it will read its binding database from the specified location.
  • Page 31 ■ A remote server must be used to save lease information or there may be a loss of connectivity after a switch reboot. Log Messages Server <ip-address> packet received on untrusted port <port-number> dropped. Indi- cates a DHCP server on an untrusted port is attempting to transmit a packet. This event is recognized by the reception of a DHCP server packet on a port that is configured as untrusted.
  • Page 32 Write database to remote file failed errno (error-num). An error occurred while writing the temporary file and sending it using tftp to the remote server. DHCP packets being rate-limited. Too many DHCP packets are flowing through the switch and some are being dropped.
  • Page 33: Dynamic Arp Protection

    The DHCP binding database is used to validate packets by other security features on the switch. If you have already enabled DHCP snooping on a switch, you may also want to add static IP-to-MAC address bindings to the DHCP snooping database so that ARP packets from devices that have been assigned static IP addresses are also verified.
  • Page 34 ARP packet-forwarding status and counters. Enabling Dynamic ARP Protection To enable dynamic ARP protection for VLAN traffic on a routing switch, enter the arp protect vlan command at the global configuration level. Syntax: [no] arp protect vlan [vlan-range]...
  • Page 35 You must configure trusted ports carefully. For example, in the topology in Figure 1, Switch B may not see the leased IP address that Host 1 receives from the DHCP server. If the port on Switch B that is connected to Switch A is untrusted and if Switch B has dynamic ARP protection enabled, it will see ARP packets from Host 1 as invalid, resulting in a loss of connectivity.
  • Page 36 ProCurve(config)# arp protect trust b1-b4, d1 Adding an IP-to-MAC Binding to the DHCP Database A routing switch maintains a DHCP binding database, which is used for DHCP and ARP packet validation. Both the DHCP snooping and DHCP Option 82 insertion features maintain the lease database by learning the IP-to-MAC bindings on untrusted ports.
  • Page 37 Configuring Additional Validation Checks on ARP Packets Dynamic ARP protection can be configured to perform additional validation checks on ARP packets. By default, no additional checks are performed. To configure additional validation checks, enter the arp protect validate command at the global configuration level. Syntax: [no] arp protect validate <[src-mac] | [dst-mac] | [ip]>...
  • Page 38 Enhancements Release R.11.12 Enhancements Verifying the Configuration of Dynamic ARP Protection To display the current configuration of dynamic ARP protection, including the additional validation checks and the trusted ports that are configured, enter the show arp protect command: ProCurve(config)# show arp protect ARP Protection Information Enabled Vlans : 1-4094...
  • Page 39: Release R.11.13 Enhancements

    When dynamic ARP protection is enabled, you can monitor and troubleshoot the validation of ARP packets with the debug arp protect command. Use this command when you want to debug the following conditions: ■ The switch is dropping valid ARP packets that should be allowed. ■ ...
  • Page 40: Dhcp Option 66 Automatic Configuration Update

    One or more TFTP servers has the desired configuration file. Caution: This feature must use configuration files generated on the switch to function correctly. If you use configuration files that were not generated on the switch, and then enable this feature, the switch may reboot continuously.
  • Page 41 Replacing the Existing Configuration File: After the DHCP client downloads the configuration file, the switch compares the contents of that file with the existing configuration file. If the content is different, the new configuration file replaces the existing file and the switch reboots.
  • Page 42: Ssh Enhancements

    • DHCP is preferred over BootP
    • If two BootP offers are received, the first one is selected
    • For two DHCP offers:
      – The offer from an authoritative server is selected
      – If there is no authoritative server, the offer with the longest lease is selected
    Log Messages: The file transfer is implemented by the existing TFTP module.
  • Page 43 Syntax: [no] ip ssh [cipher <cipher-type>]
    Cipher types that can be used for connection by clients. Valid types are:
    • aes128-cbc
    • 3des-cbc
    • aes192-cbc
    • aes256-cbc
    • rijndael-cbc@lysator.liu.se
    • aes128-ctr
    • aes192-ctr
    • aes256-ctr
    Default: All cipher types are available. Use the no form of the command to disable a cipher type.
  • Page 44 Table 5. RSA/DSA Values for Various ProCurve Switches (Platform: 2610). Message Authentication Code (MAC) Support: This enhancement allows configuration of the set of MACs that are available for selection. Syntax: [no] ip ssh [mac <MAC-type>] Allows configuration of the set of MACs that can be selected. Valid types are: • ...
  • Page 45: Displaying The Ssh Information

    The show ip ssh command has been enhanced to display information about ciphers, MACs, and key types and sizes.
    ProCurve(config)# show ip ssh
    SSH Enabled     : No
    TCP Port Number : 22
    IP Version      : IPv4orIPv6
    Host Key Type   : RSA
    Ciphers         : aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,...
  • Page 46: Release R.11.15 Enhancements

    When you use UDP or TCP and a layer 4 Application port number as a QoS classifier, traffic carrying the specified UDP/TCP port number(s) is marked with the UDP/TCP classifier's configured priority level, without regard for any other QoS classifiers in the switch. Note: UDP/TCP QoS applications are supported for IPv4 packets only.
  • Page 47 This priority determines the packet’s queue in the outbound port to which it is sent. If the packet leaves the switch on a tagged port, it carries the 802.1p priority with it to the next downstream device.
  • Page 48 Enhancements Release R.11.17 Enhancements Operating Notes on Using Port Ranges You can only have 6 concurrent policies when using unique ranges. The number of policies ■ allowed is lower if ACLs are also using port ranges. You cannot have ranges that include any port numbers that have been configured as part of ■...
  • Page 49 This option assigns a previously configured DSCP policy (codepoint and 802.1p priority) to (IPv4) TCP or UDP packets having the specified port number or range of port numbers. That is, the switch: Selects an incoming IP packet if the TCP or UDP port number (or range) it carries matches the port number (or range) specified in the TCP or UDP classifier.
  • Page 50 No-override in the Priority column of the DSCP map (show qos dscp-map), then you must assign a 0 - 7 priority before proceeding. Configure the switch to assign the DSCP policy to packets with the specified TCP or UDP port number or range of port numbers.
  • Page 51 Displays a listing of all TCP and UDP QoS classifiers currently in the running-config file. Enhancements Release R.11.17 Enhancements <codepoint > value. This must be configured with an 802.1p step 3.) If the packet leaves the switch No-override...
  • Page 52 Enhancements Release R.11.17 Enhancements For example, suppose you wanted to assign these DSCP policies to the packets identified by the indicated UDP and TDP port applications: Port Applications DSCP Policies DSCP Priority 23-UDP 000111 80-TCP 000101 914-TCP 000010 1001-2000 UDP 000010 Determine whether the DSCPs already have priority assignments, which could indicate use by existing applications.
  • Page 53 When creating QoS classifiers using UDP or TCP and a layer 4 Application port number or port range, the switch automatically assigns two QoS resources for each policy—one for traffic to the UDP/TCP destination port and one for traffic to the UDP/TCP source port.
  • Page 54 Enhancements Release R.11.17 Enhancements ProCurve(config)# show qos resources Resource usage in Policy Enforcement Engine Rules Slots | Available | ACL ------+-----------+------+------+------+------+------+-------+ 3034 | 3034 | | Application | | Port Ranges | Slots | Available* | ------+-------------+---------+---------+------ 14 | 14 | * If insufficient port ranges are available, additional rules will be used.
  • Page 55: Release R.11.18 Enhancements

    Release R.11.18 includes the following enhancement (Not a public release): ■ Enhancement (PR_0000008960) — This enhancement allows the switch to create SSH host keys by default. Release R.11.19 through R.11.21 Enhancements: No enhancements, software fixes only. (Not a public release) Release R.11.22 Enhancements ...
  • Page 56 Sends the hostname option with DHCP packets. Use the no form of the command to not include the hostname in the packet. The maximum size of the hostname is 32 characters. Default: Disabled. ProCurve(config)# dhcp host-name-option (Figure 9.)
  • Page 57: Hitless Mac Authentication Reauth

    Syntax: aaa port-access mac-based <port-list> [reauth-period <0-9999999>] Specifies the time period, in seconds, after which the switch must reauthenticate with the RADIUS server. When set to 0 (zero), reauthentication is disabled. Default: 0 seconds (disabled) Release R.11.24 through R.11.25 Enhancements...
  • Page 58: Software Fixes In Release R.11.04 - R.11.25

    Software fixes are listed in chronological order, oldest to newest. Unless otherwise noted, each new release includes the software fixes added in all previous releases. Release R.11.04 was the first software release for the ProCurve Series 2610 Switches. Release R.11.04: No problems resolved in release R.11.04.
  • Page 59: Release R.11.08

    VLAN that is jumbo enabled, the Access-Request will specify a value of Framed-MTU of 9182 bytes. This allows the RADIUS server to reply with a large fragment which the switch does not process, causing the authentication process to fail. Workaround: set the Framed-MTU on the RADIUS server.
  • Page 60: Release R.11.10

    ID (VID) from one MSTP instance and assign it to another MSTP instance fails, though specifying a VID range succeeds. ■ Crash (PR_0000002579) — Attempting to manage the switch with the browser web management interface may cause the switch to crash with a message similar to: ...
  • Page 61: Release R.11.14

    ■ SSH (PR_0000003592) — Repeatedly performing crypto key generation tasks, and then connecting to the switch via SSH and executing a show ip ssh command may trigger a switch crash with a message similar to the following. TLB Miss: Virtual Addr=0x10385720 IP=0x10385720 Task='mSnmpCtrl' ...
  • Page 62: Release R.11.16

    GVRP/RADIUS (PR_0000006051) — RADIUS assigned VLANs are not propagated correctly in GVRP. Note: This fix is associated with some new switch behavior: When only one port has learned of a dynamic VLAN, it will advertise that VLAN if an auth port has been RADIUS-assigned that dynamic VLAN, regardless of the unknown-VLANs configuration of that port.
  • Page 63: Release R.11.19

    PC Phone/Authentication (PR_0000007209) — When an IP phone is used in tandem with a PC connected to the phone, if the phone is moved to a tagged VLAN, some phone manufacturers send some traffic to the switch untagged. This may result in traffic disruption, including the PC not being allowed to authenticate.
  • Page 64: Release R.11.21

    ■ MAC Address (PR_0000009750) — If a client moves from one port or switch to another, the MAC address is not relearned on the new port until the MAC address timer expires on the original port.
  • Page 65: Release R.11.22

    ■ 802.1X (PR_0000010850) — If an unauth-vid is configured, and the client limit is reached on a switch port, a properly credentialed re-authentication following an improperly credentialed authentication attempt (for example, incorrect password) will leave the 802.1x client in the unauthorized VLAN instead of applying the appropriate authorized VLAN.
  • Page 66: Release R.11.24

    ■ CLI/Config (PR_0000013696) — Entry of the CLI command no VLAN <VLAN id> will trigger the switch to prompt the user to ask if they want to remove the VLAN (as designed). Answering "no" will result in the VLAN being removed anyway.
  • Page 67 Cisco Catalyst switches via CDP. ■ Crash (PR_0000015095) — The switch may reboot unexpectedly when it receives a certain type of traffic. A message similar to the following may be present in the switch event and crash logs. Unalligned Access: Task='eDrvPoll' Crash (PR_0000003648) —...
  • Page 68 © 2001, 2008, 2009 Hewlett-Packard Development Company, LP. The information contained herein is subject to change without notice. Part Number 5991-2127 January 2009...
