Accessing the switch Introduction This guide will help you plan, implement, and administer the switch software for the HP 10Gb Ethernet BL-c Switch. Where possible, each section provides feature overviews, usage examples, and configuration instructions. “Accessing the switch” describes how to configure and view information and statistics on the switch over an IP network.
The 10GbE switch communicates with the Onboard Administrator through its internal management port (port 17). The factory default settings permit management and control access to the switch through the 10/100 Mbps Ethernet port on the Onboard Administrator, or the built-in console port. You also can use the external Ethernet ports to manage and control the 10GbE switch.
Gateway 254—This gateway is the default gateway for the management interface. STG 128—If the HP 10GbE switch is configured to use multiple spanning trees, spanning tree group 128 (STG 128) contains management VLAN 4095, and no other VLANS are allowed in STG 128.
Telnet or SSH. The CLI is the most direct method for collecting switch information and performing switch configuration. The HP 10GbE switch provides two CLI modes: The menu-based AOS CLI, and the tree-based ISCLI. You can set the HP 10GbE switch to use either CLI mode.
By default, the Browser-based Interface (BBI) protocol is enabled on the switch. The Browser-based Interface (BBI) provides access to the common configuration, management and operation features of the switch through your Web browser. For more information, see the HP 10Gb Ethernet BL-c Switch Browser- based Interface Reference Guide.
The SNMP manager should be able to reach the management interface or any one of the IP interfaces on the switch. For the SNMP manager to receive the traps sent out by the SNMP agent on the switch, the trap host on the switch should be configured with the following command: /cfg/sys/ssnmp/snmpv3/taddr For more details, see “Configuring SNMP trap hosts”.
User configuration Users can be configured to use the authentication/privacy options. The HP 10GbE switch supports two authentication algorithms: MD5 and SHA, as specified in the following command: /cfg/sys/ssnmp/snmpv3/usm <x>/auth md5|sha To configure a user with name admin, authentication type MD5, authentication password of admin, and privacy option DES with privacy password of admin, use the following CLI commands: >>...
View based configurations CLI user equivalent To configure an SNMP user equivalent to the CLI user, use the following configuration: /c/sys/ssnmp/snmpv3/usm 4 name "usr" /c/sys/ssnmp/snmpv3/access 3 name "usrgrp" rview "usr" wview "usr" nview "usr" /c/sys/ssnmp/snmpv3/group 4 uname usr gname usrgrp /c/sys/ssnmp/snmpv3/view 6 name "usr"...
"iso" /c/sys/ssnmp/snmpv3/group 10 model snmpv1 uname v1trap gname v1trap In this example the user will receive the traps sent by the switch. (Configure the oper) (Configure access group 4) (Assign oper to access group 4) (Create views for oper) (Configure user named “v1trap”)
Configure an entry in the notify table. /c/sys/ssnmp/snmpv3/notify 10 name v1trap tag v1trap Specify the IP address and other trap parameters in the Target Address (targetAddr) and Target Parameters (targetParam) tables. Use the following command to specify the user name used with this targetParam table: /c/sys/ssnmp/snmpv3/tparam <x>/uname /c/sys/ssnmp/snmpv3/taddr 10...
SNMPv2 trap host configuration The SNMPv2 trap host configuration is similar to the SNMPv1 trap host configuration. Wherever you specify the model, specify snmpv2 instead of snmpv1. /c/sys/ssnmp/snmpv3/usm 10 name "v2trap" /c/sys/ssnmp/snmpv3/access 10 name "v2trap" model snmpv2 nview "iso" /c/sys/ssnmp/snmpv3/group 10 model snmpv2 uname v2trap gname v2trap...
If the source IP address of the host or hosts is within this range, it is allowed to attempt to log in. Any packet addressed to a switch IP interface with a source IP address outside this range is discarded.
This method is based on a client/server model. The Remote Access Server (RAS)—the switch—is a client to the back-end database server. A remote user (the remote administrator) interacts only with the RAS, not the back-end server and database.
Configuring RADIUS on the switch (CLI example) To configure RADIUS on the switch, do the following: Turn RADIUS authentication on, and then configure the Primary and Secondary RADIUS servers. For example: >> Main# /cfg/sys/radius >> RADIUS Server# on Current status: OFF New status: >>...
Configuring RADIUS on the switch (BBI example) Configure RADIUS parameters. Click the Configure context button. Open the System folder, and select Radius. Enter the IP address of the primary and secondary RADIUS servers, and enter the RADIUS secret for each server. Enable the RADIUS server.
○ Retries = 1-3 The switch will time out if it does not receive a response from the RADIUS server in one to three retries. The switch will also automatically retry connecting to the RADIUS server before it declares the server down.
RADIUS attributes for user privileges When the user logs in, the switch authenticates the level of access by sending the RADIUS access request, that is, the client authentication request, to the RADIUS authentication server.
Authentication is the action of determining the identity of a user, and is generally done when the user first attempts to log in to a device or gain access to its services. Switch software supports ASCII inbound login to the device. PAP, CHAP and ARAP login methods, TACACS+ change password requests, and one-time password authentication are not supported.
(0-15) to a corresponding HP 10GbE switch management access level (user, oper, admin, none). If the remote user is authenticated by the authentication server, the HP 10GbE switch verifies the privileges of the remote user and authorizes the appropriate access. When both the primary and secondary authentication servers are not reachable, the administrator has an option to allow backdoor access via the console only or console and Telnet access.
Configuring TACACS+ authentication on the switch (CLI example) Turn TACACS+ authentication on, and then configure the Primary and Secondary TACACS+ servers. >> Main# /cfg/sys/tacacs >> TACACS+ Server# on Current status: OFF New status: ON >> TACACS+ Server# prisrv 10.10.1.1 Current primary TACACS+ server: 0.0.0.0 New pending primary TACACS+ server: 10.10.1.1...
Configuring TACACS+ authentication on the switch (BBI example) Configure TACACS+ authentication for the switch. Click the Configure context button. Open the System folder, and select Tacacs+. Enter the IP address of the primary and secondary TACACS+ servers, and enter the TACACS+ secret.
Telnet does not provide this level of security. The Telnet method of managing a switch does not provide a secure connection. SSH is a protocol that enables remote administrators to log securely into the switch over a network to execute management commands. By default, SSH is disabled (off) on the switch.
The switch implementation of SSH is based on version 1.5 and version 2.0, and supports SSH clients from version 1.0 through version 2.0. Client software can use SSH version 1 or version 2. The following SSH clients are supported: SSH 3.0.1 for Linux (freeware) SecureCRT®...
<user>@<switch IP address> For example: >> # ssh firstname.lastname@example.org Downloading configuration from the switch using SCP Enter the following command to download the switch configuration using SCP. You will be prompted for a password: scp <user>@<switch IP address>:getcfg <local filename> For example: >>...
To support the SSH server feature, two sets of RSA keys (host and server keys) are required. The host key is 1024 bits and is used to identify the switch. The server key is 768 bits and is used to make it impossible to decipher a captured session by breaking into the switch at a later time.
The switch will perform only one session of key/cipher generation at a time. Thus, an SSH/SCP client will not be able to log in if the switch is performing key generation at that time, or if another client has logged in immediately prior.
Enable the user ID. >> # /cfg/sys/access/user/uid <#>/ena Once an end user account is configured and enabled, the user can login to the switch using the username/password combination. The level of switch access is determined by the user CoS for the account.
Ports and trunking Introduction The first part of this chapter describes the different types of ports used on the switch. This information is useful in understanding other applications described in this guide, from the context of the embedded switch/server environment.
(XOR of the last 3 bits of the source IP address and the last 3 bits of the destination IP address). For non-IP traffic, the switch selects the trunk port used for forwarding by applying the load distribution algorithm to the modulus of (XOR of the last 3 bits of the source MAC address and the last 3 bits of the destination MAC address).
Read the configuration rules provided in the “Trunk group configuration rules” section. Determine which switch ports (up to six) are to become trunk members (the specific ports making up the trunk). Ensure that the chosen switch ports are set to enabled, using the following command: /cfg/port x/cur Trunk member ports must have the same VLAN configuration.
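The following Python model is an added example, not code from the guide or from HP; it reproduces the trunk load-distribution rule stated above (XOR of the last 3 bits of the source and destination addresses, IP for IP traffic and MAC otherwise, reduced modulo the number of member ports) and then shows how the 8 possible hash values spread over a trunk of a given size. The port numbers and addresses are constructed sample values; the six-port limit comes from the guide.

```python
import ipaddress
from collections import Counter

MAX_TRUNK_MEMBERS = 6  # the guide allows up to six ports in one trunk group


def _low3(value: int) -> int:
    """Keep only the last (least significant) 3 bits of an integer."""
    return value & 0b111


def ip_hash(src_ip: str, dst_ip: str) -> int:
    """XOR of the last 3 bits of the source and destination IPv4 addresses (0-7)."""
    return _low3(int(ipaddress.IPv4Address(src_ip))) ^ _low3(int(ipaddress.IPv4Address(dst_ip)))


def mac_hash(src_mac: str, dst_mac: str) -> int:
    """XOR of the last 3 bits of the source and destination MAC addresses (0-7)."""
    def mac_int(mac: str) -> int:
        return int(mac.replace(":", "").replace("-", ""), 16)
    return _low3(mac_int(src_mac)) ^ _low3(mac_int(dst_mac))


def select_trunk_port(members, *, src_ip=None, dst_ip=None, src_mac=None, dst_mac=None):
    """Pick the trunk member port that forwards a flow.

    IP traffic hashes on the IP addresses; non-IP traffic falls back to the MAC
    addresses. The 3-bit hash is reduced modulo the number of member ports.
    """
    if not 1 <= len(members) <= MAX_TRUNK_MEMBERS:
        raise ValueError(f"a trunk group has 1..{MAX_TRUNK_MEMBERS} member ports")
    if src_ip is not None and dst_ip is not None:
        h = ip_hash(src_ip, dst_ip)
    elif src_mac is not None and dst_mac is not None:
        h = mac_hash(src_mac, dst_mac)
    else:
        raise ValueError("need an IP address pair or a MAC address pair")
    return members[h % len(members)]


def bucket_load(members):
    """How many of the 8 possible hash values land on each member port.

    The hash has only 3 bits, so at most 8 distinct buckets exist; unless the
    member count divides 8, some ports receive more buckets than others.
    """
    if not 1 <= len(members) <= MAX_TRUNK_MEMBERS:
        raise ValueError(f"a trunk group has 1..{MAX_TRUNK_MEMBERS} member ports")
    counts = Counter(members[h % len(members)] for h in range(8))
    return {port: counts[port] for port in members}


if __name__ == "__main__":
    trunk = [18, 19, 20]  # constructed example: three external ports in one trunk
    print(select_trunk_port(trunk, src_ip="10.10.1.1", dst_ip="10.10.2.4"))
    print(bucket_load(trunk))
```

The `bucket_load` view is the practical point: with three members two ports carry three buckets each and one carries two, and with six members two ports carry twice the share of the other four, so a trunk whose member count does not divide 8 is never perfectly balanced no matter how diverse the flows are.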
NOTE: The actual mapping of switch ports to NIC interfaces is dependent on the operating system software, the type of server blade, and the enclosure type. For more information, see the HP 10Gb Ethernet BL-c Switch User Guide. Port trunk group configuration example...
Connection problems might arise when using automatic trunk group negotiation on the third-party device. Examine the trunking information on each switch, using the following command: >> /info/l2/trunk Information about each port in each configured trunk group is displayed. Make sure that trunk groups consist of the expected ports and that each port is in the expected state.
Configuring trunk groups (BBI example) Configure trunk groups. Click the Configure context button on the Toolbar. Open the Layer 2 folder, and select Trunk Groups. Click a Trunk Group number to select it.
Enable the Trunk Group. To add ports, select each port in the Ports Available list, and click Add. Click Submit. Apply, verify, and save the configuration. Examine the trunking information on each switch. Click the Dashboard context button on the Toolbar.
Select Trunk Groups. Information about each configured trunk group is displayed. Make sure that trunk groups consist of the expected ports and that each port is in the expected state.
Admin key—A port’s admin key is an integer value (1-65535) that you can configure in the CLI. Each HP 10GbE switch port that participates in the same LACP trunk group must have the same admin key value. The admin key is locally significant, which means the partner switch does not need to use the same admin key value.
In the configuration shown in the table above, Actor switch ports 18 and 19 aggregate to form an LACP trunk group with Partner switch ports 1 and 2. At the same time, Actor switch ports 20 and 21 form a different LACP trunk group with a different partner.
Configuring LACP Use the following procedure to configure LACP for port 20 and port 21 to participate in link aggregation. Set the LACP mode on port 20. >> # /cfg/l2/lacp/port 20 >> LACP port 20# mode active Define the admin key on port 20. Only ports with the same admin key can form a LACP trunk group. >>...
Configuration Guidelines Extensible authentication protocol over LAN HP 10GbE switch software can provide user-level security for its ports using the IEEE 802.1x protocol, which is a more secure alternative to other methods of port-based network access control. Any device attached to an 802.1x-enabled port that fails authentication is prevented from accessing the network and is denied the services offered through that port.
Authentication is initiated by one of the following methods: Switch authenticator sends an EAP-Request/Identity packet to the client. Client sends an EAPOL-Start frame to the switch authenticator, which responds with an EAP- Request/Identity frame. The client confirms its identity by sending an EAP-Response/Identity frame to the switch authenticator,...
The Radius server chooses an EAP-supported authentication algorithm to verify the client’s identity, and sends an EAP-Request packet to the client via the switch authenticator. The client then replies to the Radius server with an EAP-Response containing its credentials. Upon a successful authentication of the client by the server, the 802.1x-controlled port transitions from unauthorized to authorized state, and the client is allowed full access to services through the controlled port.
Supported RADIUS attributes The HP 10GbE switch 802.1x Authenticator relies on external RADIUS servers for authentication with EAP. The following table lists the RADIUS attributes that are supported as part of RADIUS-EAP authentication based on the guidelines specified in Annex D of the 802.1x standard and RFC 3580.
Configuring port-based traffic control To configure a port for traffic control, perform the following steps: Configure the traffic-control threshold and enable traffic control. Main# /cfg/port 2 >> Port 2# brate 150000 >> Port 2# mrate 150000 >> Port 2# drate 150000 To disable a traffic-control threshold, use the following command: >>...
VLANs and port VLAN ID numbers VLAN numbers The HP 10GbE switch supports up to 1,000 VLANs per switch. Even though the maximum number of VLANs supported at any given time is 1,000, each can be identified with any number between 1 and 4095.
New pending port VLAN ID: 21 >> Port 21# Each port on the switch can belong to one or more VLANs, and each VLAN can have any number of switch ports in its membership. Any port that belongs to multiple VLANs, however, must have VLAN tagging enabled.
Tagged member—a port that has been configured as a tagged member of a specific VLAN. When an untagged frame exits the switch through a tagged member port, the frame header is modified to include the 32-bit tag associated with the PVID. When a tagged frame exits the switch through a tagged member port, the frame header remains unchanged (original VID remains).
Figure 4 Port-based VLAN assignment As shown in the following figure, the untagged packet is marked (tagged) as it leaves the switch through port 5, which is configured as a tagged member of VLAN 2. The untagged packet remains unchanged as...
Figure 6 802.1Q tag assignment As shown in the following figure, the tagged packet remains unchanged as it leaves the switch through port 5, which is configured as a tagged member of VLAN 2. However, the tagged packet is stripped (untagged) as it leaves the switch through port 7, which is configured as an untagged member of VLAN 2.
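The following Python model is an added example, not code from the guide or from HP. It implements the membership rule (a port in more than one VLAN must have tagging enabled) and the egress behaviour described for Figures 4 and 6: a tagged member adds a tag to an untagged frame and passes a tagged frame unchanged, while an untagged member strips any tag. Two assumptions are not stated in the guide and are marked in the code: the PVID must be one of the port's member VLANs, and a tagged frame arriving for a VLAN the ingress port does not belong to is dropped. The port numbers and VLAN memberships are constructed from the figures.

```python
from dataclasses import dataclass, replace
from typing import FrozenSet, Optional


class VlanConfigError(ValueError):
    """Raised when a port's VLAN membership breaks a rule from the guide."""


@dataclass(frozen=True)
class Port:
    number: int
    pvid: int                 # port VLAN ID: the VLAN untagged ingress frames join
    vlans: FrozenSet[int]     # VLANs the port is a member of
    tagging: bool             # True = tagged member, False = untagged member


@dataclass(frozen=True)
class Frame:
    vid: Optional[int]        # VLAN ID carried in the 802.1Q tag; None = untagged
    payload: bytes


def validate_port(port: Port) -> None:
    """A port in more than one VLAN must have tagging enabled."""
    if len(port.vlans) > 1 and not port.tagging:
        raise VlanConfigError(
            f"port {port.number} belongs to VLANs {sorted(port.vlans)} but tagging is off")
    if port.pvid not in port.vlans:   # assumption: the PVID must be a member VLAN
        raise VlanConfigError(f"port {port.number}: PVID {port.pvid} is not a member VLAN")


def classify_ingress(port: Port, frame: Frame) -> Optional[int]:
    """Decide which VLAN an arriving frame belongs to.

    Untagged frames join the port's PVID. Tagged frames keep their VID; a tagged
    frame for a VLAN the port is not a member of is dropped (None). The drop is
    an assumption about standard 802.1Q behaviour, not text from the guide.
    """
    if frame.vid is None:
        return port.pvid
    return frame.vid if frame.vid in port.vlans else None


def egress(port: Port, vlan: int, frame: Frame) -> Optional[Frame]:
    """Apply the guide's tag rules to a frame leaving `port` on `vlan`."""
    if vlan not in port.vlans:
        return None                     # not a member: never forwarded here
    if port.tagging:
        # tagged member: untagged frames gain a tag for their VLAN,
        # tagged frames pass with the original VID unchanged
        return replace(frame, vid=vlan) if frame.vid is None else frame
    # untagged member: any tag is stripped on the way out
    return replace(frame, vid=None)


def forward(ingress_port: Port, egress_port: Port, frame: Frame) -> Optional[Frame]:
    """One hop through the switch: ingress classification, then egress tagging."""
    vlan = classify_ingress(ingress_port, frame)
    if vlan is None:
        return None
    return egress(egress_port, vlan, frame)


# Constructed ports modelled on Figures 4 and 6
PORT_1 = Port(1, pvid=2, vlans=frozenset({2}), tagging=False)      # untagged server port
PORT_5 = Port(5, pvid=1, vlans=frozenset({1, 2}), tagging=True)    # tagged member of VLAN 2
PORT_7 = Port(7, pvid=2, vlans=frozenset({2}), tagging=False)      # untagged member of VLAN 2
PORT_18 = Port(18, pvid=1, vlans=frozenset({1, 2}), tagging=True)  # tagged uplink

if __name__ == "__main__":
    for p in (PORT_1, PORT_5, PORT_7, PORT_18):
        validate_port(p)
    print(forward(PORT_1, PORT_5, Frame(None, b"hello")))   # leaves tagged with VID 2
    print(forward(PORT_18, PORT_7, Frame(2, b"hello")))     # leaves with the tag stripped
```

Running `validate_port` over every port before applying a change is the check the guide's rule implies: the misconfiguration it catches (an untagged port placed in two VLANs) otherwise shows up only as traffic silently landing in the wrong VLAN.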
For example, if all IP interfaces are left on VLAN 1 (the default) and all ports are configured for VLAN 2, then switch management features are effectively cut off. To remedy this, keep all ports used for remote switch management on the default VLAN and assign an IP interface to the default VLAN.
VLANs operate according to specific configuration rules which must be considered when creating VLANs. For example: HP recommends that all ports involved in trunking and Port Mirroring have the same VLAN configuration. If a port is on a trunk with a mirroring port, the VLAN configuration cannot be changed.
Switch 2 Switch 2 is configured for VLANS 1, 3, and 4. Port 2 is tagged to accept traffic from VLANS 3 and 4. Port 4 is configured only for VLAN 3, so VLAN tagging is off. Port 18 is tagged to accept traffic from VLANs 1 and 3.
Server 1 and PC 3. Using VLAN 2, it can communicate with Server 1, PC 1, and PC 3. The Layer 2 switch port to which it is connected is configured for both VLAN 1 and VLAN 2 and has tagging enabled.
Configure the VLANs and their member ports. Since all ports are by default configured for VLAN 1, configure only those ports that belong to VLAN 2. >> /cfg/l2/vlan 2 >> VLAN 2# add 1 Current ports for VLAN 2: empty Pending new ports for VLAN 2: 1 >>...
Configuring ports and VLANs on Switch 2 (CLI example) To configure ports and VLANs on Switch 2, do the following: On Switch 2, enable VLAN tagging on the necessary ports. Port 4 (connection to server 2) remains untagged, so it is not configured below.
On the switch 1, enable VLAN tagging on the necessary ports. Click the Configure context button on the Toolbar. Open the Switch folder, and select Switch Ports (click the underlined text, not the folder). Click a port number to select it.
Enable the port and enable VLAN tagging. Click Submit. Configure the VLANs and their member ports. Open the Virtual LANs folder, and select Add VLAN.
Apply, verify, and save the configuration. FDB static entries Static entries in the Forwarding Database (FDB) allow the switch to forward packets without flooding ports to perform a lookup. A FDB static entry is a MAC address associated with a specific port and VLAN. The switch supports 128 static entries.
FDB static entries are permanent, so the FDB Aging value does not apply to them. Static entries are manually added to the FDB, and manually deleted from the FDB. Incoming frames that contain the static entry as the source MAC can use only ports configured for the static entry.
The generic action of a switch on receiving a BPDU is to compare the received BPDU to its own BPDU that it will transmit. If the received BPDU has a priority value closer to zero than its own BPDU, it will replace its BPDU with the received BPDU.
Adding a VLAN to a Spanning Tree Group If no VLANs exist beyond the default VLAN 1, see the “Creating a VLAN” section in this chapter for information on adding ports to VLANs. Add the VLAN to the STG using the command /cfg/l2/stp <stg number>/add <vlan number>. Creating a VLAN When you create a VLAN, it automatically belongs to STG 1, the default STG.
20 and 21 are not part of a Trunk Group. Two VLANs (VLAN 1 and VLAN 2) exist between Switch 1 and Switch 2. If the same Spanning Tree Group is enabled on both switches, the switches see an apparent loop and block port 21 on Switch 2, which cuts off communication between the switches for VLAN 2.
Figure 10 VLAN participation in Spanning Tree Groups The following table shows which switch ports participate in each Spanning Tree Group. By default, server ports (ports 1-16) do not participate in Spanning Tree, even though they are members of their respective VLANs.
Each instance of Spanning Tree Group is enabled by default. Configuring Switch 1 (CLI example) Configure port and VLAN membership on Switch 1 as described in the “Configuring ports and VLANs on Switch 1 (CLI example)” section, in the “VLANs” chapter of this guide.
Configuring Switch 1 (BBI example) Configure port and VLAN membership on Switch 1 as described in the “Configuring ports and VLANs on Switch 1 (BBI example)” section, in the “VLANs” chapter of this guide. Add VLAN 2 to Spanning Tree Group 2.
Enter the Spanning Tree Group number and set the Switch Spanning Tree State to on. To add a VLAN to the Spanning Tree Group, select the VLAN in the VLANs Available list, and click Add. VLAN 2 is automatically removed from Spanning Tree Group 1.
>> Spanning Tree Port 20# save Fast Uplink Convergence Fast Uplink Convergence enables the switch to quickly recover from the failure of the primary link or trunk group in a Layer 2 network using Spanning Tree Protocol. Normal recovery can take as long as 60 seconds, while the backup link transitions from Blocking to Listening to Learning and then Forwarding states.
There are new STP parameters to support RSTP, and some values to existing parameters are different. RSTP is compatible with devices that run 802.1d Spanning Tree Protocol. If the switch detects 802.1d BPDUs, it responds with 802.1d-compatible data units. RSTP is not compatible with Per VLAN Spanning Tree (PVST) protocol.
Group 1. The other STP Groups (2-128) are turned off. RSTP configuration example This section provides steps to configure Rapid Spanning Tree on the switch, using the Command Line Interface (CLI) or the Browser-based Interface (BBI). Configuring Rapid Spanning Tree (CLI example) Configure port and VLAN membership on the switch, as described in the “Configuring ports and...
Configuring Rapid Spanning Tree Protocol (BBI example) Configure port and VLAN membership on the switch, as described in the “Configuring ports and VLANs (BBI example)” section in the “VLANs” chapter of this guide. Configure RSTP general parameters. Click the Configure context button on the Toolbar.
The Common Internal Spanning Tree (CIST) provides a common form of Spanning Tree Protocol, with one Spanning Tree instance that can be used throughout the MSTP region. CIST allows the switch to interoperate with legacy equipment, including devices that run IEEE 802.1d (STP).
MSTP configuration guidelines This section provides important information about configuring Multiple Spanning Tree Groups: When you turn on MSTP, the switch automatically moves VLAN 1 to the Common Internal Spanning Tree (CIST). Region Name and revision level must be configured. Each bridge in the region must have the same name and revision level.
Configuring Multiple Spanning Tree Protocol (BBI example) Configure port and VLAN membership on the switch, as described in the “Configuring ports and VLANs (BBI example)” section in the “VLANs” chapter of this guide. Configure MSTP general parameters. Click the Configure context button on the Toolbar.
Configure Common Internal Spanning Trees (CIST) bridge parameters. Open the MSTP/RSTP folder, and select CIST-Bridge. Enter the Bridge Priority, Maximum Age, and Forward Delay values. Click Submit.
Configure Common Internal Spanning Tree (CIST) port parameters. Open the MSTP/RSTP folder, and select CIST-Ports. Click a port number to select it.
Enter the Port Priority, Path Cost, and select the Link Type. Set the CIST Port State to ON. Click Submit. Apply, verify, and save the configuration.
By assigning QoS levels to traffic flows on your network, you can ensure that network resources are allocated where they are needed most. QoS features allow you to prioritize network traffic, thereby providing better service for selected applications. The following figure shows the basic QoS model used by the HP 10GbE switch. QoS model Figure 11...
Each filter defines the conditions that must match for inclusion in the filter, and also the actions that are performed when a match is made. Summary of packet classifiers The HP 10GbE switch allows you to classify packets based on various parameters, such as: Ethernet ○...
Table 14 Well-known protocol types (protocol name and number) TCP/UDP ○ TCP/UDP application source port, as shown in the table titled “Well-Known Application Ports” ○ TCP/UDP application destination port, as shown in the table titled “Well-Known Application Ports” ○ TCP/UDP flag value, as shown in the table titled “Well-Known TCP Flag Values” Table 15 Well-known application ports (application and port number)...
The egress port ACL will not match packets if the destination port is a trunk member. Summary of ACL actions Actions determine how the traffic is treated. The HP 10GbE switch QoS actions include the following: Pass or Drop Re-mark a new DiffServ Code Point (DSCP) Re-mark the 802.1p field...
Packet classifiers identify flows for more processing. The HP 10GbE switch supports up to 384 ACLs. Each ACL defines one filter rule. Each filter rule is a collection of matching criteria, and can include an action (permit or deny the packet). For example:...
ACL Metering and Re-marking You can define a profile for the aggregate traffic flowing through the HP 10GbE switch, by configuring a QoS meter (if desired), and assigning ACL Groups to ports. When you add ACL Groups to a port, make sure they are ordered correctly in terms of precedence.
ACL configuration examples Configure Access Control Lists (CLI example) The following configuration examples illustrate how to use Access Control Lists (ACLs) to block traffic. These basic configurations illustrate common principles of ACL filtering. NOTE: Each ACL filters traffic that ingresses on the port to which the ACL is added. The egrport classifier filters traffic that ingresses the port to which the ACL is added, and then egresses the port specified by egrport.
Example 3 Use this configuration to block traffic from a source that is destined for a specific egress port. >> Main# /cfg/acl/acl 1 >> ACL 1# ethernet/smac 00:21:00:00:00:00 ff:ff:ff:ff:ff:ff >> Filtering Ethernet# .. >> ACL 1# action deny >> ACL 1# stats e >>...
Configure the ACL parameters. Set the Filter Action to Deny, the Ethernet Type to IPv4, and the Destination IP Address to 22.214.171.124. Click Submit. Apply, verify, and save the configuration.
Add ACL 1 to port 1. Click the Configure context button on the Toolbar. Select Switch Ports (click the underlined text, not the folder). Select a port.
Add the ACL to the port. Click Submit. Apply, verify, and save the configuration.
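The following Python ACL evaluator is an added example, not code from the guide or from HP. It models the filter rules shown in Example 3 and the BBI example above: an ACL is one filter rule built from classifiers (source MAC under a bit mask, destination IPv4 network, egress port) with a permit or deny action and a hit counter, and ACLs attached to a port are evaluated in precedence order. It also encodes the caveat from the guide that an egress-port classifier never matches when the destination port is a trunk member. The ACL numbers, MAC, network and port values are constructed; treating an unmatched packet as permitted is an assumption of this model, not a default stated in the guide.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


def _mac_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def mac_matches(mac: str, pattern: str, mask: str) -> bool:
    """Compare a MAC against a pattern under a bit mask (ff:ff:ff:ff:ff:ff = exact)."""
    m = _mac_int(mask)
    return (_mac_int(mac) & m) == (_mac_int(pattern) & m)


@dataclass
class Packet:
    src_mac: str
    dst_ip: str
    ingress_port: int
    egress_port: int


@dataclass
class Acl:
    number: int
    action: str                          # "permit" or "deny"
    smac: Optional[str] = None           # source MAC pattern (Ethernet classifier)
    smac_mask: str = "ff:ff:ff:ff:ff:ff"
    dst_net: Optional[str] = None        # destination IPv4 network, e.g. "10.10.2.0/24"
    egrport: Optional[int] = None        # egress-port classifier
    hits: int = 0                        # counter kept when statistics are enabled

    def matches(self, pkt: Packet, trunk_ports: Set[int]) -> bool:
        if self.smac and not mac_matches(pkt.src_mac, self.smac, self.smac_mask):
            return False
        if self.dst_net and ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.egrport is not None:
            # guide caveat: the egress-port classifier does not match when the
            # destination port is a trunk member
            if pkt.egress_port in trunk_ports or pkt.egress_port != self.egrport:
                return False
        return True


def evaluate(acls: List[Acl], pkt: Packet, trunk_ports: Set[int] = frozenset()) -> Tuple[str, Optional[int]]:
    """Run the ACLs attached to the ingress port in precedence order (list order).

    First match wins and bumps that ACL's hit counter. An unmatched packet is
    permitted here; that default is an assumption of this model.
    """
    for acl in acls:
        if acl.matches(pkt, trunk_ports):
            acl.hits += 1
            return acl.action, acl.number
    return "permit", None


# Constructed rules in the spirit of Example 3 (block one source MAC bound for port 3)
# and the BBI example (block IPv4 traffic to one destination network)
ACL_1 = Acl(1, "deny", smac="00:21:00:00:00:00", egrport=3)
ACL_2 = Acl(2, "deny", dst_net="10.10.2.0/24")
PORT_1_ACLS = [ACL_1, ACL_2]

if __name__ == "__main__":
    pkt = Packet("00:21:00:00:00:00", "10.10.5.9", ingress_port=1, egress_port=3)
    print(evaluate(PORT_1_ACLS, pkt))                 # ('deny', 1)
    print(evaluate(PORT_1_ACLS, pkt, trunk_ports={3}))  # trunk caveat: ACL 1 cannot match
```

The trunk caveat is the part worth a check in practice: a deny rule that relies on `egrport` stops matching the moment that port is added to a trunk group, so the hit counter is the quickest way to confirm that a rule is still seeing traffic after a trunk change.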
QoS policies are built by applying a set of rules to packets, based on the DSCP value, as they hop through the network. The HP 10GbE switch default settings are based on the following standard PHBs, as defined in the IEEE standards: Expedited Forwarding (EF)—This PHB has the highest egress priority and lowest drop precedence...
Bronze Using 802.1p priorities to provide QoS The HP 10GbE switch software provides Quality of Service functions based on the priority bits in a packet’s VLAN header. (The priority bits are defined by the 802.1p standard within the IEEE 802.1q VLAN header.) The 802.1p bits, if present in the packet, specify the priority given to packets during...
0 (zero) indicates a best effort traffic prioritization, and this is the default when traffic priority has not been configured on your network. The switch can filter packets based on the 802.1p values, and it can assign or overwrite the 802.1p value in the packet.
Set the 802.1p priority value. Click Submit.
Map the 802.1p priority value to a COS queue. Click the Configure context button on the Toolbar. Open the 802.1p folder, and select Priority - CoS. Select an 802.1p priority value. Select a Class of Service queue (CoSQ) to correlate with the 802.1p priority value. Click Submit.
Set the COS queue scheduling weight. Click the Configure context button on the Toolbar. Open the 802.1p folder, and select CoS - Weight. Select a Class of Service queue (CoS).
Apply, verify, and save the configuration. Queuing and scheduling The switch can be configured with either two or eight output Class of Service queues (COSq), into which each packet is placed. Each packet’s 802.1p priority determines its COSq, except when an ACL action sets the COSq of the packet.
The physical layout of most corporate networks has evolved over time. Classic hub/router topologies have given way to faster switched topologies, particularly now that switches are increasingly intelligent. HP 10GbE switches are intelligent and fast enough to perform routing functions on a par with wire speed Layer 2 switching.
This problem is solved by using HP 10GbE switch with built-in IP routing capabilities. Cross-subnet LAN traffic can now be routed within the switches with wire speed Layer 2 switching performance. This not only eases the load on the router but saves the network administrators from reconfiguring each and every end-station with new IP addresses.
Basic IP routing Take a closer look at the HP 10GbE switch in the following configuration example: Figure 15 Switch-based routing topology The switch connects the Gigabit Ethernet and Fast Ethernet trunks from various switched subnets throughout one building. Common servers are placed on another subnet attached to the switch. Primary and backup routers are attached to the switch on yet another subnet.
Example of subnet routing Prior to configuring, you must be connected to the switch Command Line Interface (CLI) as the administrator. NOTE: For details about accessing and using any of the menu commands described in this example, see the HP 10Gb Ethernet BL-c Switch Command Reference.
DHCP request. DHCP relay agent DHCP is described in RFC 2131, and the DHCP relay agent supported on HP 10GbE switches is described in RFC 1542. DHCP uses UDP as its transport protocol. The client sends messages to the server on port 67 and the server sends messages to the client on port 68.
Figure 16 DHCP relay agent configuration In the HP 10GbE switch implementation, there is no need for primary or secondary servers. The client request is forwarded to the BOOTP servers configured on the switch. The use of two servers provides failover redundancy.
RIP identifies network reachability based on cost, and cost is defined as hop count. One hop is the distance from one switch to the next, and its cost is typically 1. This cost or hop count is known as the metric.
RIPv2. RIPv2 in RIPv1 compatibility mode HP 10GbE switch software allows you to configure RIPv2 in RIPv1 compatibility mode, for using both RIPv2 and RIPv1 routers within a network. In this mode, the regular routing updates use broadcast UDP data packets so that RIPv1 routers can receive them.
Multicast RIPv2 messages use IP multicast address 224.0.0.9 for periodic broadcasts. Multicast RIPv2 announcements are not processed by RIPv1 routers. IGMP is not needed since these are inter-router messages which are not forwarded. To configure RIPv2 in RIPv1-compatibility mode, set multicast to disable. Default The RIP router can listen and supply a default route, usually represented as 0.0.0.0 in the routing table.
>> RIP Interface 3# save Use the /maint/route/dump command to check the current valid routes in the routing table of the switch. To see RIP-learned routes that are being phased out of the routing table with metric 16 during the garbage collection period, use the /info/l3/rip/routes command. Locally configured static routes do not appear in the RIP Routes table.
The switch currently supports snooping for IGMP version 1, version 2, and version 3. The switch can sense IGMP Membership Reports from attached host servers and act as a proxy to set up a dedicated path between the requesting host and a local IP Multicast router. After the pathway is established, the switch blocks the IP Multicast stream from flowing through any port that does not connect to a host member, thus conserving bandwidth.
The host can send an IGMPv2 Leave report to the switch, which sends a proxy Leave report to the Mrouter. The multicast path is terminated immediately. A maximum of 8 VLANs can be configured for IGMP Snooping. The switch can learn up to 16 multicast routers, and supports up to 1,000 multicast groups.
IGMP Filtering
With IGMP Filtering, you can allow or deny a port to send and receive multicast traffic to certain multicast groups. Unauthorized users are restricted from streaming multicast traffic across the network. If access to a multicast group is denied, IGMP Membership Reports from the port for that group are dropped, and the port is not allowed to receive IP multicast traffic from that group.
A static multicast router (Mrouter) can be configured for a particular port on a particular VLAN. A static Mrouter does not have to be learned through IGMP Snooping. You can configure static Mrouters on any switch port except the management port 17. The switch supports up to a total of 16 static Mrouters.
Configuring IGMP Filtering (CLI example)
Enable IGMP Filtering on the switch.
>> /cfg/l3/igmp/igmpflt
>> IGMP Filter# ena
Current status: disabled
New status: enabled
Define an IGMP Filter.
>> /cfg/l3/igmp/igmpflt
>> IGMP Filter# filter 1
>> IGMP Filter 1 Definition# range 188.8.131.52
Current multicast address2:
Enter new multicast address2: 184.108.40.206...
Configuring IGMP Snooping (BBI example)
Configure port and VLAN membership on the switch, as described in the “Configuring ports and VLANs (BBI example)” section in the “VLANs” chapter. Configure IGMP Snooping. Click the Configure context button. Open the IGMP folder, and select IGMP Snooping (click the underlined text, not the folder).
Enable IGMP Snooping. Click Submit. Apply, verify, and save the configuration.
Configuring IGMP Filtering (BBI example)
Configure IGMP Snooping. Enable IGMP Filtering. Click the Configure context button. Open the IGMP folder, and select IGMP Filters (click the underlined text, not the folder). Enable IGMP Filtering globally. Click Submit.
Define the IGMP Filter. Select Layer 3 > IGMP > IGMP Filters > Add Filter. Enable the IGMP Filter. Assign the range of IP multicast addresses and the filter action (allow or deny). Click Submit.
Assign the filter to a port and enable IGMP Filtering on the port. Select Layer 3 > IGMP > IGMP Filters > Switch Ports. Select a port from the list.
Enable IGMP Filtering on the port. Select a filter in the IGMP Filters Available list, and click Add. Click Submit. Apply, verify, and save the configuration.
Configuring a Static Multicast Router (BBI example)
Configure Static Mrouter. Click the Configure context button. Open the Switch folder and select Layer 3 > IGMP > IGMP Static Mrouter > Add Mrouter. Enter a port number, VLAN ID number, and IGMP version number.
IGMP Snooping
Apply, verify, and save the configuration.
OSPF
The HP 10GbE switch software supports the Open Shortest Path First (OSPF) routing protocol. The switch implementation conforms to the OSPF version 2 specifications detailed in Internet RFC 1583. The following sections discuss OSPF support for the HP 10GbE switch:...
Figure 17 OSPF area types
Types of OSPF routing devices
As shown in the figure, OSPF uses the following types of routing devices:
Internal Router (IR)—a router that has all of its interfaces within the same area. IRs maintain LSDBs identical to those of other routing devices within the local area.
Neighbors and adjacencies
In areas with two or more routing devices, neighbors and adjacencies are formed. Neighbors are routing devices that maintain information about each other's health. To establish neighbor relationships, routing devices periodically send hello packets on each of their interfaces. All routing devices that share a common network segment, appear in the same area, and have the same health parameters (hello and dead intervals) and authentication parameters respond to each other's hello packets and become neighbors.
220.127.116.11/24 range, it will carry that data to its destination.
OSPF implementation in HP 10GbE switch software
The HP 10GbE switch supports a single instance of OSPF and up to 4K routes on the network. The following sections describe OSPF implementation in switch software:...
(see “Virtual Links”). Up to three OSPF areas can be connected to the HP 10GbE switch. To configure an area, the OSPF number must be defined and then attached to a network interface on the switch. The full process is explained in the following sections.
Most common OSPF vendors express the area ID number as a single number. For example, the Cisco IOS-based router command network 18.104.22.168 0.0.0.255 area 1 defines the area number simply as area 1. On the switch, using the last octet in the area ID, area 1 is equivalent to areaid 0.0.0.1.
For OSPF stub areas or NSSAs with only one ABR leading upstream (see Area 1 in the figure below), any traffic for IP address destinations outside the area is forwarded to the switch's IP interface, and then into the connected transit area (usually the backbone). Since this is automatic, no further configuration is required for such areas.
>> # /cfg/l3/ospf/aindex <area index>/type transit
The virtual link must be configured on the routing devices at each endpoint of the virtual link, though it may traverse multiple routing devices. To configure a switch as one endpoint of a virtual link, use the following command:
>>...
OSPF allows packet authentication and uses IP multicast when sending and receiving packets. Routers participate in routing domains based on predefined passwords. The switch software supports simple password (type 1 plain text passwords) and MD5 cryptographic authentication. This type of authentication allows a password to be configured per area.
>> # /cfg/l3/ospf/virt 1/mdkey 2
Host routes for load balancing
The HP 10GbE switch implementation of OSPF includes host routes. Host routes are used for advertising network device IP addresses to external networks, accomplishing the following goals:
ABR Load Sharing
As a form of load balancing, host routes can be used for dividing OSPF traffic among multiple ABRs.
Configuring OSPF on non-broadcast multi-access networks (such as frame relay, X.25, and ATM)
OSPF configuration examples
A summary of the basic steps for configuring OSPF on the switch is listed here. Detailed instructions for each of the steps are covered in the following sections:
Configure IP interfaces.
>> IP Interface 2 # mask 255.255.255.0 (Set IP mask on stub area network)
>> IP Interface 2 # enable (Enable IP interface 2)
Enable OSPF.
>> IP Interface 2 # /cfg/l3/ospf/on (Enable OSPF on the switch)
Define the backbone. The backbone is always configured as a transit area using areaid 0.0.0.0.
Open the IP Interfaces folder, and select Add IP Interface. Configure an IP interface. Enter the IP address, subnet mask, and enable the interface. Click Submit. Apply, verify, and save the configuration.
Enable OSPF. Open the OSPF Routing Protocol folder, and select General. Enable OSPF.
Click Submit. Configure OSPF Areas. Open the OSPF Areas folder, and select Add OSPF Area. Configure the OSPF backbone area 0.
Click Submit. Select Add OSPF Area. Configure the OSPF area 1. Click Submit.
OSPF
Configure OSPF Interfaces. Open the OSPF Interfaces folder, and select Add OSPF Interface.
Configure the OSPF Interface 1, and attach it to the backbone area 0. Click Submit. Select Add OSPF Interface.
Configure the OSPF Interface 2, and attach it to the stub area 1. Click Submit. Apply, verify, and save the configuration.
Configure the router ID. A router ID is required when configuring virtual links. Later, when configuring the other end of the virtual link on Switch B, the router ID specified here will be used as the target virtual neighbor (nbr) address >>...
Configuring OSPF for a virtual link on Switch B Configure IP interfaces on each network that will be attached to OSPF areas. Two IP interfaces are needed on Switch B: one for the transit area network on 10.10.12.0/24 and one for the stub area network on 10.10.24.0/24.
Configure the virtual link. The nbr router ID configured in this step must be the same as the router ID that was configured for Switch A in step 2.
>> OSPF Interface 2 # ../virt 1
>> OSPF Virtual Link 1 # aindex 1
>>...
22.214.171.124 through 126.96.36.199 are kept private. Follow this procedure to configure OSPF support on Switch A and Switch B, as shown in the figure. Configure IP interfaces for each network which will be attached to OSPF areas.
Use the following commands to verify the OSPF configuration on your switch:
/info/l3/ospf/general
/info/l3/ospf/nbr
/info/l3/ospf/dbase/dbsum
/info/l3/ospf/routes
/stats/l3/route
See the HP 10Gb Ethernet BL-c Switch Command Reference for information on the above commands.
Group 9: Events
RMON group 1—statistics
The switch supports collection of Ethernet statistics as outlined in the RMON statistics MIB, in reference to etherStatsTable. You can enable RMON statistics on a per-port basis, and you can view them using the following command: /stat/port x/rmon.
Configuring RMON Statistics (BBI example)
Configure ports. Click the Configure context button. Select Switch Ports (click the underlined text, not the folder).
Data is stored in buckets, which store data gathered during discrete sampling intervals. At each configured interval, the history instance takes a sample of the current Ethernet statistics, and places them into a bucket. History data buckets reside in dynamic memory. When the switch is rebooted, the buckets are emptied.
Requested buckets (/cfg/rmon/hist x/rbnum) are the number of buckets, or data slots, requested by the user for each History Group. Granted buckets (/info/rmon/hist x/gbnum) are the number of buckets granted by the system, based on the amount of system memory available. The system grants a maximum of 50 buckets.
Configure RMON History (BBI example)
Configure an RMON History group. Click the Configure context button. Open the Switch folder, and select RMON > History > Add History Group. Configure RMON History Group parameters. Click Submit. Apply, verify, and save the configuration.
When a configured threshold is crossed, an alarm is generated. For example, you can configure the switch to issue an alarm if more than 1,000 CRC errors occur during a 10-minute time interval. Each Alarm index consists of a variable to monitor, a sampling time interval, and parameters for rising and falling thresholds.
>> RMON Alarm 5# apply
>> RMON Alarm 5# save
This configuration creates an RMON alarm that checks icmpInEchos on the switch once every minute. If the statistic exceeds 200 within a 60 second interval, an alarm is generated that triggers event index 5.
Configure RMON Alarm Group parameters to check ifInOctets on port 20 once every hour. Enter a rising limit of two billion, and a rising event index of 6. This configuration creates an RMON alarm that checks ifInOctets on port 20 once every hour. If the statistic exceeds two billion, an alarm is generated that triggers event index 6.
60, a rising limit of 200, and a rising event index of 5. This configuration creates an RMON alarm that checks icmpInEchos on the switch once every minute. If the statistic exceeds 200 within a 60 second interval, an alarm is generated that triggers event index 5.
Apply, verify, and save the configuration.
RMON group 9—events
The RMON Event group allows you to define events that are triggered by alarms. An event can be a log message, an SNMP trap message, or both. When an alarm is generated, it triggers a corresponding event notification. Use the /cfg/rmon/alarm x/revtidx and /fevtidx commands to correlate an event index to an alarm.
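Added example (Python, not code from the HP guide): a model of how the alarm entries described above evaluate a delta-sampled counter against their rising limit and hand the result to an event entry, using the icmpInEchos (interval 60, rising limit 200, event 5) and ifInOctets (hourly, two billion, event 6) values from the text. The rising/falling hysteresis follows the RMON MIB (RFC 2819); the falling limits, the log/trap settings and the counter readings are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class RmonEvent:
    """Group 9 entry: what happens when an alarm fires (log message, SNMP trap, or both)."""
    index: int
    log: bool = True
    trap: bool = False

@dataclass
class RmonAlarm:
    """Group 3 entry, delta-sampled. Event index 0 = no event (RMON convention); falling limit assumed."""
    index: int
    variable: str
    interval: int              # seconds between samples
    rising_limit: int
    rising_event_idx: int
    falling_limit: int = 0
    falling_event_idx: int = 0
    _last_raw: Optional[int] = None
    _armed: str = "both"       # which threshold may fire next: "both", "rising", "falling"

    def sample(self, raw: int) -> Optional[int]:
        """Feed one raw counter reading; return the event index to trigger, or None."""
        if self._last_raw is None:             # a delta needs two readings
            self._last_raw = raw
            return None
        value, self._last_raw = raw - self._last_raw, raw
        # RFC 2819 hysteresis: no second rising alarm until the value has come back
        # down to the falling threshold, and vice versa.
        if value >= self.rising_limit and self._armed != "falling":
            self._armed = "falling"
            return self.rising_event_idx or None
        if value <= self.falling_limit and self._armed != "rising":
            self._armed = "rising"
            return self.falling_event_idx or None
        return None

def poll(alarms: Dict[int, RmonAlarm], events: Dict[int, RmonEvent],
         readings: Dict[int, int]) -> List[Tuple[int, int, str]]:
    """One sampling round: {alarm index: raw counter} -> [(alarm, event, action)]; the alarm-to-event mapping is what revtidx/fevtidx set."""
    fired = []
    for idx, raw in readings.items():
        ev_idx = alarms[idx].sample(raw)
        if ev_idx is not None:
            ev = events[ev_idx]
            action = "+".join(n for n, on in (("log", ev.log), ("trap", ev.trap)) if on)
            fired.append((idx, ev_idx, action or "none"))
    return fired

def guide_alarms_demo() -> List[Tuple[int, int, str]]:
    # The two alarms from the text, replayed against constructed counter readings.
    alarms = {a.index: a for a in (RmonAlarm(5, "icmpInEchos", 60, 200, 5),
                                   RmonAlarm(6, "ifInOctets port 20", 3600, 2_000_000_000, 6))}
    events = {e.index: e for e in (RmonEvent(5, log=True, trap=True), RmonEvent(6))}
    fired = []
    # icmpInEchos each minute: deltas 100, 250 (fires), 250 (held), 0 (re-arms), 295 (fires)
    for raw in (1000, 1100, 1350, 1600, 1600, 1895):
        fired += poll(alarms, events, {5: raw})
    # ifInOctets once an hour: a 2.5 billion delta exceeds the two-billion rising limit
    for raw in (0, 2_500_000_000):
        fired += poll(alarms, events, {6: raw})
    return fired
```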
Configure an RMON Event group. Click the Configure context button. Open the Switch folder, and select RMON > Event > Add Event Group. Configure RMON Event Group parameters. This configuration creates an RMON event that sends a SYSLOG message each time it is triggered by an alarm.
The following figure shows a basic UFD configuration, with a Failure Detection Pair (FDP) that consists of one LtM (Link to Monitor) and one LtD (Link to Disable). When the switch detects a link failure in the LtM, it disables the ports in the LtD. The server blade detects the disabled downlink port, which triggers a NIC...
If Spanning Tree Protocol (STP) is enabled on ports in the LtM, then the switch monitors the STP state and the link status on ports in the LtM. The switch automatically disables the ports in the LtD when it detects a link failure or STP Blocking state.
In this example, NIC 1 is the primary network adapter; NIC 2, NIC 3, and NIC 4 are non-primary adapters. NIC 1 and NIC 2 are connected to port 1 and port 2 on Blade Switch 1. NIC 3 and NIC 4 are connected to port 1 and port 2 on Blade Switch 2.
>> /cfg/ufd/on
>> Uplink Failure Detection# apply
>> Uplink Failure Detection# save
When a link failure or Spanning Tree blocking occurs on port 19, Blade Switch 1 disables port 1 and port 2.
Configuring UFD on Switch 2 (CLI example)
Create a trunk group of uplink ports (18-21) to monitor.
Configuring Uplink Failure Detection (BBI example)
Configure Uplink Failure Detection. Click the Configure context button. Open the Switch folder, and select Uplink Failure Detection (click the underlined text, not the folder). Turn Uplink Failure Detection on, and then select FDP.
Enable the FDP. Select ports in the LtM Ports Available list, and click Add to place the ports into the Link to Monitor (LtM). Select ports in the LtD Ports Available list, and click Add to place the ports into the Link to Disable (LtD). Click Submit.
VRRP overview
In a high-availability network topology, no device can create a single point of failure for the network or force a single point of failure on any other part of the network. This means that your network will remain in service despite the failure of any single device. Achieving this usually requires redundancy for all vital network components.
Master and backup virtual router
Within each virtual router, one VRRP router is selected to be the virtual router master. See “Selecting the Master VRRP Router” for an explanation of the selection process. NOTE: If the IP address owner is available, it will always become the virtual router master. The virtual router master forwards packets sent to the virtual router.
This section describes VRRP enhancements that are implemented in switch software:
Tracking VRRP router priority
The HP 10GbE switch software supports a tracking function that dynamically modifies the priority of a VRRP router, based on its current state. The objective of tracking is to have, whenever possible, the master bidding processes for various virtual routers in a LAN converge on the same switch.
This behavior is preferred because running one server down is less disruptive than bringing a new master online and severing all active connections in the process. If Switch A is the master and it has two or more active servers fewer than Switch B, then Switch B becomes the master.
In the scenario illustrated in the figure, traffic destined for IP address 10.0.1.1 is forwarded through the Layer 2 switch at the top of the drawing, and ingresses Switch A on port 20. Return traffic uses default gateway 1 (192.168.1.1). If the link between Switch A and the Layer 2 switch fails, Switch B becomes the Master because it has a higher priority.
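The master selection and tracking behaviour described above, as an added example (Python, not the switch's own code). Switch A at priority 101 and Switch B at 100 are the values configured later in this chapter; the tracking increment of 1 per active item, Switch B's address and the server counts are constructed assumptions, and the pre-emption rule (a backup takes over only on a strictly higher priority; an initial tie goes to the higher IP address) follows RFC 3768.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List

TRACK_INCREMENT = 1   # assumed: priority added per tracked item (port, server) that is up

@dataclass
class VrrpRouter:
    name: str
    ip: IPv4Address
    base_priority: int        # configured priority, 1..254 (255 is reserved for the owner)
    is_owner: bool = False    # this router owns the virtual router's IP address
    tracked_up: int = 0       # tracked ports/servers currently active

    def priority(self) -> int:
        """Effective priority: the address owner always wins; otherwise base plus tracking."""
        if self.is_owner:
            return 255
        return min(254, self.base_priority + TRACK_INCREMENT * self.tracked_up)

def elect_master(routers: List[VrrpRouter]) -> VrrpRouter:
    """Initial election: highest priority wins; a tie goes to the higher primary IP (RFC 3768)."""
    return max(routers, key=lambda r: (r.priority(), int(r.ip)))

def after_advertisement(master: VrrpRouter, backup: VrrpRouter) -> VrrpRouter:
    """A backup pre-empts only on a strictly higher priority; an equal priority keeps the master."""
    return backup if backup.priority() > master.priority() else master

def failover_scenario() -> List[str]:
    """Switch A (101) vs Switch B (100), both tracking four active servers at the start.
    Returns the master after each step; Switch B's address is constructed."""
    a = VrrpRouter("Switch A", IPv4Address("192.168.1.100"), 101, tracked_up=4)
    b = VrrpRouter("Switch B", IPv4Address("192.168.1.101"), 100, tracked_up=4)
    master = elect_master([a, b])                 # 105 vs 104: Switch A
    history = [master.name]
    for a_up in (3, 2, 4):                        # A loses one server, loses a second, recovers
        a.tracked_up = a_up
        backup = b if master is a else a
        master = after_advertisement(master, backup)   # 104 vs 104: A stays; 103 vs 104: B takes over
        history.append(master.name)
    return history
```

The middle step shows the rule stated above: one server fewer leaves Switch A as master, two fewer hands the role to Switch B.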
Configure client and server interfaces.
/cfg/l3/if 1
>> IP Interface 1# addr 192.168.1.100
>> IP Interface 1# vlan 10
>> IP Interface 1# ena
>> IP Interface 1# ..
>> Layer 3# if 2
>> IP Interface 2# addr 192.168.2.101
>>...
Turn off Spanning Tree Protocol globally. Apply and save changes.
/cfg/l2/stg 1/off
>> Spanning Tree Group 1# apply
>> Spanning Tree Group 1# save
Task 1: Configure Switch A (BBI example)
Configure ports and VLANs. Click the Configure context button. Open the Virtual LANs folder, and select Add VLAN.
Configure port 20 as a member of VLAN 10 and port 21 as a member of VLAN 20. Enable each VLAN. Click Submit.
Configure the following client and server interfaces:
IF 1: IP address = 192.168.1.100, Subnet mask = 255.255.255.0, VLAN 10
IF 2: IP address = 10.10.12.1...
Open the IP Interfaces folder, and select Add IP Interface. Configure an IP interface. Enter the IP address, subnet mask, and VLAN membership. Enable the interface. Click Submit.
Configure the default gateways. Each default gateway points to one of the Layer 2 routers. Open the Default Gateways folder, and select Add Default Gateway. Configure the IP address for each default gateway. Enable the default gateways. Click Submit.
High availability
Turn on VRRP and configure two Virtual Interface routers. Open the Virtual Router Redundancy Protocol folder, and select General.
Enable VRRP processing. Click Submit. Open the Virtual Routers folder, and select Add Virtual Router.
Configure the IP address for Virtual Router 1 (VR1). Enable tracking on ports, and set the priority to 101. Enable the Virtual Router. Click Submit. Select Add Virtual Router.
Configure the IP address for Virtual Router 2 (VR2). Enable tracking on ports, but set the priority to 100 (default value). Enable the Virtual Router. Click Submit. Turn off Spanning Tree globally. Open the Spanning Tree Groups folder, and select Add Spanning Tree Group. Select a Spanning Tree Group.
As shown in the following figure, port 18 is monitoring ingress traffic (traffic entering the switch) on port 21 and egress traffic (traffic leaving the switch) on port 1. You can attach a device to port 18 to monitor the traffic on ports 21 and 1.
Ingress traffic is duplicated and sent to the mirrored port before processing, and egress traffic is duplicated and sent to the mirrored port after processing.
Configuring Port Mirroring (CLI example)
To configure Port Mirroring for the example shown in the preceding figure: Specify the monitoring port.
Configuring Port Mirroring (BBI example)
Configure Port Mirroring. Click the Configure context button. Open the Switch folder, and select Port-Based Port Mirroring (click the underlined text, not the folder). Click a port number to select a monitoring port.
Click Add Mirrored Port. Enter a port number for the mirrored port, and select the Port Mirror Direction. Click Submit. Apply, verify, and save the configuration. Verify the Port Mirroring configuration on the switch.
Statistics and state information
The switch keeps track of a large number of statistics, and many of these are error condition counters. The statistics and state information can be very useful when troubleshooting a LAN or Real Server problem.
Troubleshooting tools
Stack Trace—If a fatal software condition occurs, the switch dumps stack trace data to the console. If you have a console attached to the switch, capture the console dump, and forward it to HP technical support.