A good user manual
The rules oblige the seller to provide the purchaser with operating instructions for the HP (Hewlett-Packard) 2500 along with the item. A missing instruction, or false information given to the customer, constitutes grounds for a complaint on the basis of nonconformity of the goods with the contract. In accordance with the law, a customer can receive the instruction in non-paper form; lately graphic and electronic forms of manuals, as well as instructional videos, have been widely used. A necessary precondition for this is that the instruction be unmistakable and legible.
What is an instruction?
The term originates from the Latin word "instructio", which means organizing. Therefore, in an instruction for the HP (Hewlett-Packard) 2500 one can find a process description. An instruction's purpose is to teach, and to ease the start-up and use of an item or the performance of certain activities. An instruction is a compilation of information about an item or a service; it is a guide.
Unfortunately, only a few customers devote their time to reading the instruction for the HP (Hewlett-Packard) 2500. A good user manual introduces us to a number of additional functions of the purchased item, and also helps us avoid most defects.
What should a perfect user manual contain?
First and foremost, a user manual for the HP (Hewlett-Packard) 2500 should contain:
- information on the technical data of the HP (Hewlett-Packard) 2500
- the name of the manufacturer and the year of construction of the HP (Hewlett-Packard) 2500
- rules of operation, control and maintenance of the HP (Hewlett-Packard) 2500
- safety signs and certification marks which confirm compliance with the appropriate standards
Why don't we read the manuals?
Usually it results from a lack of time and of certainty about the functions of purchased items. Unfortunately, networking and start-up of the HP (Hewlett-Packard) 2500 alone are not enough. An instruction contains a number of hints concerning the respective functions, safety rules, maintenance methods (what means should be used), possible defects of the HP (Hewlett-Packard) 2500, and methods of problem resolution. Eventually, when one still cannot find the answer to a problem, one will be directed to the HP (Hewlett-Packard) service. Lately animated manuals and instructional videos have become quite popular among customers. These kinds of user manuals are effective; they ensure that a customer becomes familiar with the whole material and does not skip the complicated, technical information about the HP (Hewlett-Packard) 2500.
Why should one read the manuals?
It is mostly in the manuals that we find the details of the construction and capabilities of the HP (Hewlett-Packard) 2500, its use with the respective accessories, and information about all its functions and facilities.
After a successful purchase one should find a moment to become acquainted with every part of the instruction. Currently the manuals are carefully prepared and translated so that they can be fully understood by their users. The manuals will serve as an informational aid.
Table of contents for the manual
-
Page 1
Release Notes: Version F.05.70 Software for the ProCurve Series 2300 and 2500 Switches These release notes include information on the following: ■ Downloading switch software and Documentation from the Web (Page 1) ■ Enhancements in Release F.05.xx (Page 6) ■ Enhancements in Release F.04.08 (Page 72) ■ Enhancements in Release F.02.1[...]
-
Page 2
ii © Copyright 2001-2009 Hewlett-Packard Development Company, LP. The information contained herein is subject to change without notice. Publication Number 5990-3102 March, 2009 Applicable Products ProCurve Switch 2512 (J4812A) ProCurve Switch 2524 (J4813A) ProCurve Switch 2312 (J4817A) ProCurve Switch 2324 (J4818A) Trademark Credits Microsoft, [...]
-
Page 3
iii Disclaimer The information contained in this document is subject to change without notice. HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors cont[...]
-
Page 4
iii Contents: Software Management; Download Switch Documentation and Software from the Web ... 1; View or Download the Software Manual Set ... 1; Downloading Software to the Switch ... [...]
-
Page 5
iv Configuring Port Isolation on the Switch ... 24; Steps for Configuring Port Isolation ... 24; Configuring and Viewing Port-Isolation ... [...]
-
Page 6
v Show Commands for Port-Access Supplicant ... 66; How RADIUS/802.1X Authentication Affects VLAN Operation ... 67; Messages Related to 802.1X Operation ... [...]
-
Page 7
vi Messages Related to Prioritization ... 135; Troubleshooting Prioritization ... 135; Using the "Kill" Command To Terminate Remote Sessions ... [...]
-
Page 8
vii Operating Notes ... 185; Troubleshooting TACACS+ Operation ... 186; CDP (Updated by Software Version F.05.50) ... [...]
-
Page 9
viii Port Security: Changes to Retaining Learned Static Addresses Across a Reboot ... 217; Recommended Port Security Procedures ... 217; Retention of Static Addresses ... [...]
-
Page 10
ix Release F.02.13 ... 236; Release F.04.01 (Beta Release Only) ... 236; Release F.04.02 (Beta Release Only) ... [...]
-
Page 11
x Release F.05.37 (Not a General Release) ... 253; Release F.05.38 (Never Released) ... 253; Release F.05.39 (Never Released) ... [...]
-
Page 12
1 Software Management Caution: Archive Pre-F.05.17 Configuration Files A configuration file saved while using release F.05.17 or later software is not backward-compatible with earlier software versions. For this reason, HP recommends that you archive the most recent configuration on switches using software releases earlier t[...]
-
Page 13
2 Software Management ■ Use the download utility in ProCurve Manager Plus. Note Downloading new software does not change the current switch configuration. The switch configuration is contained in a separate file that can also be transferred, for example, for archive purposes or to be used in another switch of the same model. TFTP Download fro[...]
-
Page 14
3 Software Management Xmodem Download From a PC or Unix Workstation This procedure assumes that: ■ The switch is connected via the Console RS-232 port on a PC operating as a terminal. (Refer to the Installation Guide you received with the switch for information on connecting a PC as a terminal and running the switch console interface.) ■ The[...]
-
Page 15
4 Software Management Saving Configurations While Using the CLI The switch operates with two configuration files: ■ Running-Config File: Exists in volatile memory and controls switch operation. Rebooting the switch erases the current running-config file and replaces it with an exact copy of the current startup-config file. To save a configurat[...]
-
Page 16
5 Software Management ProCurve Switch, Routing Switch, and Router Software Keys Software Letter / ProCurve Networking Products: C 1600M, 2400M, 2424M, 4000M, and 8000M; CY Switch 8100fl Series (8108fl and 8116fl); E Switch 5300xl Series (5304xl, 5308xl, 5348xl, and 5372xl); F Switch 2500 Series (2512 and 2524), Switch 2312, and Switch 2324; G Switch 4100[...]
-
Page 17
6 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.61 through F.05.70 No new enhancements, software fixes only. Enhancements in Release F.05.05 through F.05.60 Enhancement Summary Page LLDP Implements the industry standa[...]
-
Page 18
7 Implementation of LLDP For network device discovery solutions, software version F.05.50 implements a limited version of the industry standard Link Layer Discovery Protocol (LLDP) on your switch, as an alternative to the Cisco Discovery Protocol (CDP)[...]
-
Page 19
8 MIB (Management Information Base): An internal database the switch maintains for configuration and performance information. Neighbor: See "LLDP Neighbor". Non_LLDP Device: A device that is not capable of LLDP operation. TLV (Type-Length-Value):[...]
-
Page 20
9 Table 1. Viewable Data Available for LLDP Advertisements Note Selected LLDP information (such as system name, port description, port type, chassis type) received by a Series 2500 switch from a remote neighbor is not viewable. LLDP Standards Compatibi[...]
-
Page 21
10 LLDP Operating Rules Port Trunking. LLDP manages trunked ports individually. That is, trunked ports are configured individually for LLDP operation, in the same manner as non-trunked ports. Also, LLDP sends separate advertisements on each port in a [...]
-
Page 22
11 LLDP Operation and Commands In the default configuration, LLDP is enabled to transmit on all active ports. The LLDP configuration includes global settings that apply to all active ports on the switch, and per-port settings that affect only the opera[...]
-
Page 23
12 Viewing LLDP-detected Devices Note Selected LLDP information (such as system name, port description, port type, chassis type) received by a Series 2500 switch from a remote neighbor is not viewable. With version F.05.60, LLDP advertisements from re[...]
-
Page 24
13 Additional information from the remote device can be displayed by specifying the local port number in the command. For example, show lldp info remote-device 1 produces the following display: Figure 3. Example of Viewing the LLDP Remote Device Informa[...]
-
Page 25
14 Configuring Per-Port LLDP Transmit/Receive This command controls LLDP transmit/receive traffic on active ports. For example, to disable LLDP on port 1, use the command: ProCurve(config)# lldp admin-status 1 disable Disable Auto-MDIX The Auto-MDIX f[...]
-
Page 26
15 New Console Option Starting with Release F.05.23, a new console option removes terminal escape sequences, which allows scripts to better interact with the Command Line Interface. The command console local-terminal none changes the current terminal s[...]
-
Page 27
16 Syslog Overview The switch's Event Log records switch-level progress, status, and warning messages. The System-Logging (Syslog) feature provides a means for recording these messages on a remote server. The Syslog feature complies with RFC 3168[...]
-
Page 28
17 no logging < syslog-ip-address > removes only the specified Syslog logging destination from the switch.[...]
-
Page 29
18 Note As of March 2004, the logging facility < facility-name > option also is available on these switch models: ■ Switch Series 5300XL (software release E.08.xx or greater) ■ Switch Series 4100GL (software release G.07.50 or greater) ■ Swi[...]
-
Page 30
19 Viewing the Syslog Configuration Configuring Syslog Logging 1. If you want to use a Syslog server for recording Event Log messages: a. Use this command to configure the Syslog server IP address and enable Syslog logging: ProCurve(config)# logging &[...]
-
Page 31
20 See Figure 6 below for an example of adding an additional Syslog server. Figure 6. Configuring multiple Syslog Servers Operating Notes for Syslog ■ Rebooting the switch or pressing the Reset button resets the Debug Configuration. Any Syslog server[...]
-
Page 32
21 The Isolated Port Groups feature originally included in release F.04.08 has been enhanced in release F.05.xx with the inclusion of two new port isolation groups (group1 and group2). Isolated port groups provide an alternative to VLANs for iso[...]
-
Page 33
22 Table 2. Communication Allowed Between Port-Isolation Types within a Switch Figure 7. Communication Allowed Between Port-Isolation Types within a Switch Port Type: Permits Traffic To and From This Port Type? Notes Uplink Ports Public Ports Gro[...]
-
Page 34
23 Operating Rules for Port Isolation ■ Port Isolation is intended only for networks that do not use VLAN tagging. (The switch must be in the default VLAN configuration before you configure port-isolation.) ■ Multiple VLANs are not allowed on the sw[...]
-
Page 35
24 Configuring Port Isolation on the Switch Steps for Configuring Port Isolation 1. Remove all non-default VLANs from the switch and ensure that all ports are untagged members of the default VLAN (VID = 1). 2. Identify the devices you will connect to the[...]
-
Page 36
25 Configuring and Viewing Port-Isolation Note The no port-isolation command erases all port-isolation mode settings from memory. This means that whenever you disable, then re-enable port isolation, all ports on the switch will be set to the (default)[...]
-
Page 37
26 For example, suppose that the switch is in its default configuration (no multiple VLANs; GVRP disabled, all ports untagged members of the default VLAN—VID = 1) with two optional gigabit transceivers installed, and you wanted to use the switch port[...]
-
Page 38
27 Figure 8. Example of Isolating Ports on a Series 2500 Switch Assuming a switch in the factory-default configuration, you would configure the port isolation plan in figure 8 as follows: Port Mode Internal T[...]
-
Page 39
28 Figure 9. Example of Port-Isolation Configuration Messages Related to Port-Isolation Operation Message Meaning Port Isolation is disabled. It must be enabled first. In the switch's factory-default state or after you execute no port-isolation, you[...]
-
Page 40
29 Troubleshooting Port-Isolation Operation Configuring Port-Based Access Control (802.1X) Overview Why Use Port-Based Access Control? Local Area Networks are often deployed in a way that allows unauthorized clients to attach to network devices, or allo[...]
-
Page 41
30 General Features 802.1X on the Series 2500 switches includes the following: ■ Switch operation as both an authenticator (for supplicants having a point-to-point connection to the switch) and as a supplicant for point-to-point connections to othe[...]
-
Page 42
31 Authenticating One Switch to Another. 802.1X authentication also enables the switch to operate as a supplicant when connected to a port on another switch running 802.1X authentication. Figure 10. Example of an 802.1X Application Accounting. The Se[...]
-
Page 43
32 iv. If the client is successfully authenticated and authorized to connect to the network, then the server notifies the switch to allow access to the client. Otherwise, access is denied and the port remains blocked. • If 802.1X (port-access) on the[...]
-
Page 44
33 2. The RADIUS server then responds with an MD5 access challenge that switch "B" forwards to port 1 on switch "A". 3. Port 1 replies with an MD5 hash response based on its username and password or other unique credentials. Switch "B" forwa[...]
-
Page 45
34 EAP (Extensible Authentication Protocol): EAP enables network access that supports multiple authentication methods. EAPOL: Extensible Authentication Protocol Over LAN, as defined in the 802.1X standard. Friendly Client: A client that does not pose a[...]
-
Page 46
35 General Operating Rules and Notes ■ When a port on the switch is configured as either an authenticator or supplicant and is connected to another device, rebooting the switch causes a re-authentication of the link. ■ When a port on the switch is c[...]
-
Page 47
36 General Setup Procedure for Port-Based Access Control (802.1X) Do These Steps Before You Configure 802.1X Operation 1. Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this[...]
-
Page 48
37 3. Configure the 802.1X authentication type. Options include: • Local Operator username and password (the default). This option allows a client to use the switch's local username and password as valid 802.1X credentials for network access. • EA[...]
-
Page 49
38 Configuring Switch Ports as 802.1X Authenticators 802.1X Authentication Commands Page [no] aaa port-access authenticator < [ethernet] < port-list > 39 [control | quiet-period | tx-period | supplicant-timeout | server-timeout | max-requests[...]
-
Page 50
39 1. Enable 802.1X Authentication on Selected Ports This task configures the individual ports you want to operate as 802.1X authenticators for point-to-point links to 802.1X-aware clients or switches. (Actual 802.1X operation does not commence until yo[...]
-
Page 51
40 Syntax: aaa port-access authenticator < port-list > (Syntax Continued) [quiet-period < 0 - 65535 >] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the ma[...]
-
Page 52
41 Syntax: aaa port-access authenticator < port-list > (Syntax Continued) [reauth-period < 1 - 9999999 >] Sets the period of time after which clients connected must be re-authenticated. When the timeout is set to 0 the reauthentication is d[...]
-
Page 53
42 3. Configure the 802.1X Authentication Method This task specifies how the switch will authenticate the credentials provided by a supplicant connected to a switch port configured as an 802.1X authenticator. For example, to enable the switch to perfo[...]
-
Page 54
43 4. Enter the RADIUS Host IP Address(es) If you selected either eap-radius or chap-radius for the authentication method, configure the switch to use 1 to 3 RADIUS servers for authentication. The following syntax shows the basic commands. For coverage[...]
-
Page 55
44 802.1X Open VLAN Mode This section describes how to use the 802.1X Open VLAN mode to configure unauthorized-client and authorized-client VLANs on ports configured as 802.1X authenticators. Introduction Configuring the 802.1X Open VLAN mode on a port[...]
-
Page 56
45 ■ 3rd Priority: If the port does not have an Authorized-Client VLAN configured, but does have a static, untagged VLAN membership in its configuration, then the switch assigns the port to this VLAN. If the port is not configured for any of the above[...]
-
Page 57
46 Table 4. 802.1X Open VLAN Mode Options 802.1X Per-Port Configuration Port Response No Open VLAN mode: The port automatically blocks a client that cannot initiate an authentication session. Open VLAN mode with both of the following configured: Una[...]
-
Page 58
47 Open VLAN Mode with Only an Unauthorized-Client VLAN Configured: • When the port detects a client, it automatically becomes an untagged member of this VLAN. To limit security risks, the network services and access available on this VLAN should incl[...]
-
Page 59
48 Operating Rules for Authorized-Client and Unauthorized-Client VLANs Condition Rule Static VLANs used as Authorized-Client or Unauthorized-Client VLANs These must be configured on the switch before you configure an 802.1X authenticator port to use the[...]
-
Page 60
49 Note: If you use the same VLAN as the Unauthorized-Client VLAN for all authenticator ports, unauthenticated clients on different ports can communicate with each other. However, in this case, you can improve security between authenticator ports [...]
-
Page 61
50 Setting Up and Configuring 802.1X Open VLAN Mode Preparation. This section assumes use of both the Unauthorized-Client and Authorized-Client VLANs. Refer to Table 4 on page 46 for other options. Before you configure the 802.1X Open VLAN mode on a po[...]
-
Page 62
51 Note that as an alternative, you can configure the switch to use local password authentication instead of RADIUS authentication. However, this is less desirable because it means that all clients use the same passwords and have the same access privil[...]
-
Page 63
52 3. If you selected either eap-radius or chap-radius for step 2, use the radius host command to configure up to three RADIUS server IP address(es) on the switch. 4. Activate authentication on the switch. 5. Test both the authorized and unauthorized ac[...]
-
Page 64
53 Configuring 802.1X Open VLAN Mode. Use these commands to actually configure Open VLAN mode. For a listing of the steps needed to prepare the switch for using Open VLAN mode, refer to "Preparation" on page 50. For example, suppose you want to conf[...]
-
Page 65
54 Inspecting 802.1X Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, refer to "Viewing 802.1X Open VLAN Mode Status" on page 63. 802.1X Open VLAN Operating Notes ■ Although you can configure Op[...]
-
Page 66
55 Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices If you are using port-security on authenticator ports, you can configure it to learn only the MAC address of the first 802.1X-aware device detected on the port. The[...]
-
Page 67
56 Note on Blocking a Non-802.1X Device If the port's 802.1X authenticator control mode is configured to authorized (as shown below, instead of auto), then the first source MAC address from any device, whether 802.1X-aware or not, becomes the only a[...]
-
Page 68
57 Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches You can configure a switch port to operate as a supplicant in a connection to a port on another 802.1X-aware switch to provide security on links between 80[...]
-
Page 69
58 • If, after the supplicant port sends the configured number of start request packets, it does not receive a response, it assumes that switch "B" is not 802.1X-aware, and transitions to the authenticated state. If switch "B" is operating pro[...]
-
Page 70
59 Configuring a Supplicant Switch Port. Note that you must enable supplicant operation on a port before you can change the supplicant configuration. This means you must execute the supplicant command once without any other parameters, then execute it [...]
-
Page 71
60 Syntax: aaa port-access supplicant [ethernet] < port-list > (Syntax Continued) [auth-timeout < 1 - 300 >] Sets the period of time the port waits to receive a challenge from the authenticator. If the request times out, the port sends anot[...]
-
Page 72
61 Displaying 802.1X Configuration, Statistics, and Counters Show Commands for Port-Access Authenticator 802.1X Authentication Commands page 38 802.1X Supplicant Commands page 57 802.1X Open VLAN Mode Commands page 44 802.1X-Related Show Commands show po[...]
-
Page 73
62 Syntax: show port-access authenticator (Syntax Continued) config [[e] < port-list >] Shows: • Whether port-access authenticator is active • The 802.1X configuration of the ports configured as 802.1X authenticators If you do not specify <[...]
-
Page 74
63 Viewing 802.1X Open VLAN Mode Status You can examine the switch's current VLAN status by using the show port-access authenticator and show vlan < vlan-id > commands as illustrated in this section. Figure 14 shows an example of show port-acc[...]
-
Page 75
64 Note that because a temporary Open VLAN port assignment to either an authorized or unauthorized VLAN is an untagged VLAN membership, these assignments temporarily replace any other untagged VLAN membership that is statically configured on the port. [...]
-
Page 76
65 Figure 15. Example of Showing a VLAN with Ports Configured for Open VLAN Mode Current VLAN ID < vlan-id >: Lists the VID of the static, untagged VLAN to which the port currently belongs. No PVID: The port is not an untagged member of any VLAN.[...]
-
Page 77
66 Show Commands for Port-Access Supplicant Note on Supplicant Statistics. For each port configured as a supplicant, show port-access supplicant statistics [e] < port-list >] displays the source MAC address and statistics for transactions with th[...]
-
Page 78
67 How RADIUS/802.1X Authentication Affects VLAN Operation Static VLAN Requirement. RADIUS authentication for an 802.1X client on a given port can include a (static) VLAN requirement. (Refer to the documentation provided with your RADIUS application.) T[...]
-
Page 79
68 ■ VLAN 33 becomes unavailable to port 2 for the duration of the session (because there can be only one untagged VLAN on any port). You can use the show vlan < vlan-id > command to view this temporary change to the active configuration, as sh[...]
-
Page 80
69 Figure 18. The Active Configuration for VLAN 33 Temporarily Drops Port 22 for the 802.1X Session When the 802.1X client's session on port 2 ends, the port discards the temporary untagged VLAN membership. At this time the static VLAN actually conf[...]
70 Notes Any port VLAN-ID changes you make on 802.1X-aware ports during an 802.1X-authenticated session do not take effect until the session ends. With GVRP enabled, a temporary, untagged static VLAN assignment created on a port by 802.1X authenticati[...]
71 IGMP Version 3 Support When the switch receives an IGMPv3 Join, it accepts the host request and begins forwarding the IGMP traffic. This means that ports that have not joined the group and are not connected to routers or the IGMP Querier will not re[...]
72 Enhancements in Release F.04.08 Enhancement Summary Page Friendly Port Names Enables you to assign optional, meaningful names to physical ports on the switch. 73 Security Enhancements SSH Security Provide remote access to management functions on the switches via encrypted paths between the switch and management[...]
73 Using Friendly (Optional) Port Names This feature enables you to assign alphanumeric port names of your choosing to augment automatically assigned numeric port names. This means you can configure meaningful port names to make it easier to identify the source of information li[...]
74 Configuring Friendly Port Names Syntax: interface [e] < port-list > name < port-name-string > Assigns a port name to port-list. no interface [e] < port-list > name Deletes the port name from port-list. Configuring a Single Port Name. Suppose that you have c[...]
75 Displaying Friendly Port Names with Other Port Data You can display friendly port name data in the following combinations: ■ show name: Displays a listing of port numbers with their corresponding friendly port names and also quickly shows you which ports do not have friend[...]
76 Figure 23. Example of Friendly Port Name Data for Specific Ports on the Switch Including Friendly Port Names in Per-Port Statistics Listings. A friendly port name configured to a port is automatically included when you display the port's statistics output. Syntax: show[...]
77 For a given port, if a friendly port name does not exist in the running-config file, the Name line in the above command output appears as: Name : not assigned To Search the Configuration for Ports with Friendly Port Names. This option tells you which friendly port names have [...]
78 Configuring Secure Shell (SSH) The Series 2500 switches use Secure Shell version 1 (SSHv1) to provide remote access to management functions on the switches via encrypted paths between the switch and management station clients capable of SSHv1 operation. (The switches can be authent[...]
79 Note SSH in the ProCurve Series 2500 switches is based on the OpenSSH software toolkit. For more information on OpenSSH, visit http://www.openssh.com . Switch SSH and User Password Authentication. This option is a subset of the client public-key authentication shown in figure 26. I[...]
80 Terminology ■ SSH Server: An HP Series 2500 switch with SSH enabled. ■ Key Pair: A pair of keys generated by the switch or an SSH client application. Each pair includes a public key (that can be read by anyone) and a private key that is held internally in the switch or by a cli[...]
81 keys by default, check the application software for a key conversion utility or use a third-party key conversion utility. Figure 28. Example of Public Key in PEM-Encoded ASCII Format Common for SSHv2 Clients Figure 29. Example of Public Key in Non-Encoded ASCII Format (Common for [...]
82 The general steps for configuring SSH include: A. Client Preparation 1. Install an SSH client application on a management station you want to use for access to the switch. (Refer to the documentation provided with your SSH client application.) 2. Optional—If you want the switch to [...]
83 6. Use your SSH client to access the switch using the switch's IP address or DNS name (if allowed by your SSH client application). Refer to the documentation provided with the client application. General Operating Rules and Notes ■ Any SSH client application you use must offer [...]
84 Configuring the Switch for SSH Operation SSH-Related Commands in This Section show ip ssh page 91 show ip client-public-key [< babble | fingerprint >] page 98 show ip host-public-key [< babble | fingerprint >] page 88 show authentication page 94 crypto key < generate |[...]
85 1. Assigning a Local Login (Operator) and Enable (Manager) Password At a minimum, HP recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, Web, or serial port access could modify the switch's configu[...]
86 To Generate or Erase the Switch's Public/Private RSA Host Key Pair. Because the host key pair is stored in flash instead of the running-config file, it is not necessary to use write memory to save the key pair. Erasing the key pair automatically disables SSH. Syntax: crypto k[...]
87 3. Providing the Switch's Public Key to Clients When an SSH client contacts the switch for the first time, the client will challenge the connection unless you have already copied the key into the client's "known host" file. Copying the switch's key in this way re[...]
88 3. Ensure that there are no line breaks in the text string. (A public key must be an unbroken ASCII string. Line breaks are not allowed.) For example, if you are using Windows® Notepad, ensure that Word Wrap (in the Edit menu) is disabled, and that the key text appears on a sin[...]
89 Figure 35. Examples of Visual Phonetic and Hexadecimal Conversions of the Switch's Public Key Note The two commands shown in figure 35 convert the displayed format of the switch's (host) public key for easier visual comparison of the switch's public key to a copy of the key[...]
90 SSH Client Contact Behavior. At the first contact between the switch and an SSH client, if you have not copied the switch's public key into the switch, your client's first connection to the switch will question the connection and, for security reasons, give you the option o[...]
91 Note on Port Number The ip ssh key-size command affects only a per-session, internal server key the switch creates, uses, and discards. This key is not accessible from the user interface. The switch's public (host) key is a separate, accessible key that is always 896 bits. HP rec[...]
92 5. Configuring the Switch for SSH Authentication Note that all methods in this section result in authentication of the switch's public key by an SSH client. However, only Option B, below, results in the switch also authenticating the client's public key. Also, for a more det[...]
93 (For more on these topics, refer to "Further Information on SSH Client Public-Key Authentication" on page 95.) With steps 1 - 3, above, completed and SSH properly configured on the switch, if an SSH client contacts the switch, login authentication automatically occurs first, us[...]
94 Figure 37. Configuring for SSH Access Requiring a Client Public-Key Match and Manager Passwords Figure 38 shows how to check the results of the above commands. Figure 38. SSH Configuration and Client-Public-Key Listing From Figure 37 6. Use an SSH Client To Access the Switch Test [...]
95 Further Information on SSH Client Public-Key Authentication The section titled "5. Configuring the Switch for SSH Authentication" on page 92 lists the steps for configuring SSH authentication on the switch. However, if you are new to SSH or need more details on client public-ke[...]
96 b. Uses MD5 to create a hash version of this information. c. Returns the hash version to the switch. 7. The switch computes its own hash version of the data in step 6 and compares it to the client's hash version. If they match, then the client is authenticated. Otherwise, the cl[...]
97 1. Use your SSH client application to create a public/private key pair. Refer to the documentation provided with your SSH client application for details. The Series 2500 switches support the following client-public-key properties: 2. Copy the client's public key (in ASCII, non-en[...]
98 Note on Public Keys The actual content of a public key entry in a public key file is determined by the SSH client application generating the key. (Although you can manually add or edit any comments the client application adds to the end of the key, such as the smith@fellow at the [...]
99 Replacing or Clearing the Public Key File. The client public-key file remains in the switch's flash memory even if you erase the startup-config file, reset the switch, or reboot the switch. ■ You can replace the existing client public-key file by copying a new client public-key[...]
100 Messages Related to SSH Operation Message Meaning 00000K Peer unreachable. Indicates an error in communicating with the tftp server or not finding the file to download. Causes include such factors as: • Incorrect IP configuration on the switch • Incorrect IP address in the comm[...]
101 Troubleshooting SSH Operation See also "Messages Related to SSH Operation" on page 100. Generating new RSA host key. If the cache is depleted, this could take up to two minutes. After you execute the crypto key generate [rsa] command, the switch displays this message while it i[...]
102 Configuring RADIUS Authentication and Accounting RADIUS (Remote Authentication Dial-In User Service) enables you to use up to three servers (one primary server and one or two backups) and maintain separate authentication and accounting for each RADIUS server emp[...]
103 Note The Series 2500 switches do not support RADIUS security for SNMP (network management) access or Web browser interface access. For steps to block unauthorized access through the Web browser interface, see "Controlling Web Browser Interface Access When Usi[...]
104 Switch Operating Rules for RADIUS ■ You must have at least one RADIUS server accessible to the switch. ■ The switch supports authentication and accounting using up to three RADIUS servers. The switch accesses the servers in the order in which they are listed [...]
105 Configuring the Switch for RADIUS Authentication • If you need to replace the default UDP destination port (1812) the switch uses for authentication requests to a specific RADIUS server, select it before beginning the configuration process. • If you need to r[...]
106 Outline of the Steps for Configuring RADIUS Authentication There are three main steps to configuring RADIUS authentication: 1. Configure RADIUS authentication for controlling access through one or more of the following • Serial port • Telnet • SSH • P[...]
107 zero and then trying to log on again. As an alternative, you can reboot the switch, (thus resetting the dead-time counter to assume the server is available) and then try to log on again. • Number of Login Attempts: This is actually an aaa authentication command. [...]
108 For example, suppose you have already configured local passwords on the switch, but want to use RADIUS to protect primary Telnet and SSH access without allowing a secondary Telnet or SSH access option (which would be the switch's local passwords): Figure 42. [...]
109 2. Configure the Switch To Access a RADIUS Server This section describes how to configure the switch to interact with a RADIUS server for both authentication and accounting services. (If you want to configure RADIUS accounting on the switch, go to "Configuring [...]
110 For example, suppose you have configured the switch as shown in figure 43 and you now need to make the following changes: 1. Change the encryption key for the server at 10.33.18.127 to "source0127". 2. Add a RADIUS server with an IP address of 10.33.18.[...]
111 3. Configure the Switch's Global RADIUS Parameters You can configure the switch for the following global RADIUS parameters: ■ Number of login attempts: In a given session, specifies how many tries at entering the correct username and password pair are allowe[...]
112 radius-server retransmit < 1 .. 5 > If a RADIUS server fails to respond to an authentication request, specifies how many retries to attempt before closing the session. (Default: 3; Range: 1 - 5) Note Where the switch has multiple RADIUS servers configured to[...]
113 Figure 46. Listings of Global RADIUS Parameters Configured In Figure 45 Local Authentication Process When the switch is configured to use RADIUS, it reverts to local authentication only if one of these two conditions exists: ■ "Local" is the authentica[...]
114 For local authentication, the switch uses the Operator-level and Manager-level username/password set(s) previously configured locally on the switch. (These are the usernames and passwords you can configure using the CLI password command, the Web browser inter[...]
115 Note This section assumes you have already: ■ Configured RADIUS authentication on the switch for one or more access methods ■ Configured one or more RADIUS servers to support the switch If you have not already done so, refer to "General RADIUS Setup Procedure[...]
116 ■ System accounting: Provides records containing the information listed below when system events occur on the switch, including system reset, system boot, and enabling or disabling of system accounting. The switch forwards the accounting information it collects[...]
117 Outline of the Steps for Configuring RADIUS Accounting 1. Configure the switch for accessing a RADIUS server. You can configure a list of up to three RADIUS servers (one primary, two backup). The switch operates on the assumption that a server can operate in bo[...]
118 1. Configure the Switch To Access a RADIUS Server Before you configure the actual accounting parameters, you should first configure the switch to use a RADIUS server. This is the same as the process described on page 109. You need to repeat this step here only[...]
119 Figure 47. Example of Configuring for a RADIUS Server with a Non-Default Accounting UDP Port Number The radius-server command as shown in figure 47, above, configures the switch to use a RADIUS server at IP address 10.33.18.151, with a (non-default) UDP accountin[...]
120 Determine how you want the switch to send accounting data to a RADIUS server: ■ Start-Stop: • Send a start record accounting notice at the beginning of the accounting session and a stop record notice at the end of the session. Both notices include the latest da[...]
121 ■ Updates: In addition to using a Start-Stop or Stop-Only trigger, you can optionally configure the switch to send periodic accounting record updates to a RADIUS server. ■ Suppress: The switch can suppress accounting for an unknown user having no username. [...]
122 Figure 50. Example of General RADIUS Information from Show Radius Command Figure 51. Example of RADIUS Server Information From the Show Radius Host Command[...]
123 Term Definition Round Trip Time The time interval between the most recent Accounting-Response and the Accounting-Request that matched it from this RADIUS accounting server. PendingRequests The number of RADIUS Accounting-Request packets sent to this server [...]
124 RADIUS Authentication Syntax: show authentication Displays the primary and secondary authentication methods configured for the Console, Telnet, Port-Access (802.1X), and SSH methods of accessing the switch. Also displays the number of access attempts currently all[...]
125 RADIUS Accounting Syntax: show accounting Lists configured accounting interval, "Empty User" suppression status, accounting types, methods, and modes. show radius accounting Lists accounting statistics for the RADIUS server(s) configured in the switch (u[...]
126 Changing RADIUS-Server Access Order The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command. Also, when you add a new server IP address, it is placed in the highest empty position in the lis[...]
127 Figure 58. Example of New RADIUS Server Search Order Messages Related to RADIUS Operation Message Meaning Can't reach RADIUS server < x.x.x.x >. A designated RADIUS server is not responding to an authentication request. Try pinging the server to determin[...]
128 Troubleshooting RADIUS Operation Symptom Possible Cause The switch does not receive a response to RADIUS authentication requests. In this case, the switch will attempt authentication using the secondary method configured for the type of access you are using (co[...]
129 IP Preserve: Retaining VLAN-1 IP Addressing Across Configuration File Downloads IP Preserve enables you to copy a configuration file to multiple Series 2500 switches while retaining the individual IP address and subnet mask on VLAN 1[...]
130 For example, consider Figure 60: Figure 60. Example of IP Preserve Operation If you apply the following configuration file to Figure 60, switches 1 - 3 will retain their manually assigned IP addressing and switch 4 will be configure[...]
131 If you apply this configuration file to figure 60, switches 1 - 3 will still retain their manually assigned IP addressing. However, switch 4 will be configured with the IP addressing included in the file. Figure 62. Configuration F[...]
132 Configuring Port-Based Priority for Incoming Packets When network congestion occurs, it is important to move traffic on the basis of relative importance. However, without prioritization: ■ Traffic from less important sources can consume bandwidth and slow [...]
133 Outbound Port Queues and Packet Priority Settings Series 2500 switch ports use two outbound port queues, Normal and High. As described below, these two queues map to the eight priority settings specified in the 802.1p standard. Table 8. Mapping Priority Set[...]
134 Operating Rules for Port-Based Priority on Series 2500 Switches ■ In the switch's default configuration, port-based priority is configured as "0" (zero) for inbound traffic on all ports. ■ On a given port, when port-based priority is configur[...]
135 For example, suppose you wanted to configure ports 10 - 12 on the switch to prioritize all untagged, inbound VLAN traffic as "Low" (priority level = 1; refer to table 8 on page 133). Figure 63. Example of Configuring Non-Default Prioritization on Unta[...]
136 Using the "Kill" Command To Terminate Remote Sessions Using the kill command, you can terminate remote management sessions. (Kill does not terminate a Console session on the serial port, either through a direct connection or via a modem.[...]
137 Configuring Rapid Reconfiguration Spanning Tree (RSTP) This section is related to the information on "Spanning Tree Protocol" in your Series 2500 Switches Management and Configuration Guide (5969-2354), but it primarily describes the new information a[...]
138 The IEEE 802.1D version of Spanning Tree (STP) can take a fairly long time to resolve all the possible paths and to select the most efficient path through the network. The IEEE 802.1w Rapid Reconfiguration Spanning Tree (RSTP) significantly reduces the a[...]
139 Configuring RSTP The default switch configuration has Spanning Tree disabled with RSTP as the selected protocol. That is, when Spanning Tree is enabled, RSTP is the version of Spanning Tree that is enabled, by default. Optimizing the RSTP Configuration T[...]
140 CLI: Configuring RSTP Viewing the Current Spanning Tree Configuration. Even if Spanning Tree is disabled (the default configuration), the show spanning-tree config command lists the switch's full Spanning Tree configuration, including whole-switch an[...]
141 Figure 65. Example of the Spanning Tree Configuration Display Enabling or Disabling RSTP. Issuing the command to enable Spanning Tree on the switch implements, by default, the RSTP version of Spanning Tree for all physical ports on the switch. Disabli[...]
142 Reconfiguring Whole-Switch Spanning Tree Values. You can configure one or more of the following parameters, which affect the Spanning Tree operation of the whole switch: Table 9. Whole-Switch RSTP Parameters Parameter Default Description protocol-versi[...]
143 Note Executing the spanning-tree command alone enables Spanning Tree. Executing the command with one or more of the whole-switch RSTP parameters shown in the table on the previous page, or with any of the per-port RSTP parameters shown in the table on pag[...]
144 Reconfiguring Per-Port Spanning Tree Values. You can configure one or more of the following parameters, which affect the Spanning Tree operation of the specified ports only: Table 10. Per-Port RSTP Parameters Parameter Default Description edge-port Y[...]
145 Note on Path Cost RSTP implements a greater range of path costs and new default path cost values to account for higher network speeds. These values are different than the values defined by 802.1D STP as shown in the next table. Because the maximum value for [...]
146 Menu: Configuring RSTP 1. From the console CLI prompt, enter the menu command. ProCurve Switch # menu 2. From the switch console Main Menu, select 2. Switch Configuration ... 4. Spanning Tree Operation 3. Press [E] (for Edit) to highlight the Protocol Ve[...]
147 7. Press the [Tab] key or use the arrow keys to go to the next parameter you want to change, then type in the new value or press the Space bar to select a value. (To get help on this screen, press [Enter] to select the Actions –> line, then press [H] [...]
148 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) Fast-Uplink STP improves the recovery (convergence) time in wiring closet switches with redundant uplinks. Specifically, a Series 2500 switch having redundant links toward the root device can dec[...]
149 To use fast-uplink STP on a Series 2500 switch, configure fast-uplink (Mode = Uplink) only on the switch's upstream ports; (that is, two or more ports forming a group of redundant links in the direction of the STP root switch). If the active link in this group goes d[...]
150 When single-instance spanning tree (STP) is running in a network and a forwarding port goes down, a blocked port typically requires a period of (2 x (forward delay) + link down detection) to transition to forwarding. In a normal spanning tree environment, this transition[...]
151 Operating Rules for Fast Uplink ■ A switch with ports configured for fast uplink must be an edge switch and not either an interior switch or the STP root switch. Configure fast-uplink on only the edge switch ports used for providing redundant STP uplink connections in a[...]
152 Menu: Viewing and Configuring Fast-Uplink STP You can use the menu to quickly display the entire STP configuration and to make any STP configuration changes. To View and/or Configure Fast-Uplink STP. This procedure uses the Spanning Tree Operation screen to enable ST[...]
153 3. If the Protocol Version is set to RSTP (as shown in figure 70), do the following: a. Press [E] (Edit) to move the cursor to the Protocol Version field. b. Press the Space bar once to change the Protocol Version field to STP. c. Press [Enter] to return to the comma[...]
154 Figure 72. The Spanning Tree Operation Screen 4. On the ports and/or trunks you want to use for redundant fast uplink connections, change the mode to Uplink. In this example, port 1 and Trk1 (using ports 2 and 3) provide the redundant uplinks for STP: a. Press [E] (for[...]
155 Figure 73. Example of STP Enabled with Two Redundant Links Configured for Fast-Uplink STP 5. Press [S] (for Save) to save the configuration changes to flash (non-volatile) memory. STP is enabled. Port 1 and Trk1 are now configured for fast-uplink STP.[...]
156 To View Fast-Uplink STP Status. Continuing from figures 72 and 73 in the preceding procedure, this task uses the same screen that you would use to view STP status for other operating modes. 1. From the Main Menu, select: 1. Status and Counters . . . 7. Spanning Tree Inf[...]
157 In figure 75: • Port 1 and Trk1 (trunk 1; formed from ports 2 and 3) are redundant fast-uplink STP links, with trunk 1 forwarding (the active link) and port 1 blocking (the backup link). (To view the configuration for port 1 and Trk1, see figure 73 on page 155.) •[...]
158 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) Figure 77. Example of a Show Spanning-T ree Listing for the T opology Shown in Figure 76 Indicates that T rk1 (T runk 1) provides the currently active path to the STP root device. Redundant STP link in the Blocking state. Links to PC or Workstation End Nodes Redundant STP [...]
-
Page 170
159 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) Figure 78. Example of a Configuration Supp orting the STP T opology Shown in Figure 76 Using the CLI T o Configure Fast-Uplink STP . This example uses the CLI to configure the switch for the fast-uplink operation shown in figures 76, 77, and 78. (The example assumes that p[...]
-
Page 171
160 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) Syntax : spanning-tree e < port/trunk-list > mode uplink Enables STP on the switch and configures fast-uplink STP on the designated interfaces (port or trunk). HP2512(config)# spanning-tree e 1,trk1 mode uplink Operating Notes Effect of Reboots on Fast-Uplink STP Ope[...]
-
Page 172
161 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) Fast-Uplink T roubleshooting Some of the problems that can result from inco rrect usage of Fast-Uplink STP include temporary loops and generation of duplicate packets. Problem sources can include: ■ Fast-Uplink is configured on a swit ch that is the STP root device. ■ [...]
-
Page 173
162 Enhancements in Release F.02.11 The Show Tech Command for Listing Swit ch Configuration and Operating Details The Show T ech Command for Listing Switch Configuration and Operating Details The show tech command provides a tool for gathering inform ation to help with troubleshooting. This command outputs, in a single listin g, switch operating an[...]
-
Page 174
163 Enhancements in Release F.02.11 The Show Tech Command for Li sting Switch Configuration and Operating Details 1. In Hyperterminal, click on T ransfer | Capture T ext... Figure 80. The Capture T ext window of the Hypert ext Application Used with Microsoft Windows Software 2. In the File field, enter the path and file name under which you want to[...]
-
Page 175
Enhancements in Release F.02.02: Documentation for Enhancements in Release F.02.02

(p. 164) Software release F.02.02 contains these enhancements (table columns: Enhancement; Summary; Page). TACACS+: TACACS+ authentication enables you to use a central server to allow or deny access to Seri[...]

Enhancements in Release F.02.02: TACACS+ Authentication for Centralized Control of Switch Access Security

(p. 165) TACACS+ Features. TACACS+ authentication enables you to use a central server to allow or deny access to Series 2500 switches (and other TACACS-aware devices) in yo[...]

(p. 166) With authentication configured on the switch and TACACS+ configured and operating on a server in your network, an attempt to log on through Telnet or the switch's serial port will be passed to the TACACS+ server for verification befo[...]

(p. 167) Terminology Used in TACACS Applications: ■ NAS (Network Access Server): This is an industry term for a TACACS-aware device that communicates with a TACACS server for authentication services. Some other terms you may see in literature[...]

(p. 168) General System Requirements. To use TACACS+ authentication, you need the following: ■ Release F.02.02 or later software running on your Series 2500 switch. Ensure that software release F.02.02 or later is running on your switch. Use a[...]

(p. 169) TACACS+ Operation. TACACS+ in Series 2500 switches manages authentication of logon attempts through either the Console port or Telnet. For both Console and Telnet you can configure a login (read-only) and an enable (read/write) privileg[...]

(p. 170) 2. Ensure that the switch is configured to operate on your network and can communicate with your first-choice TACACS+ server. (At a minimum, this requires IP addressing and a successful ping test from the switch to the server.) 3. Dete[...]

(p. 171) Caution: You should ensure that the switch has a local Manager password. Otherwise, if authentication through a TACACS+ server fails for any reason, then unauthorized access will be available through the console port or Telnet. 6. Using a t[...]

(p. 172) Configuring TACACS+ on the Switch. The switch offers three command areas for TACACS+ operation: ■ show authentication and show tacacs: Displays the switch's TACACS+ configuration and status. ■ aaa authentication: A command for conf[...]

(p. 173) Viewing the Switch's Current Authentication Configuration. This command lists the number of login attempts the switch allows in a single login session, and the primary/secondary access methods configured for each type of access. Syntax[...]

(p. 174) Configuring the Switch's Authentication Methods. The aaa authentication command configures the access control for console port and Telnet access to the switch. That is, for both access methods, aaa authentication specifies whether to use[...]

(p. 175) Table 13. Primary/Secondary Authentication Table (columns: Access Method and Privilege Level; Authentication Options, Primary and Secondary; Effect on Access Attempts). Console, Login: local / none*: Local username/password access only. tacacs / local: If Taca[...]

(p. 176) For example, here is a set of access options and the corresponding commands to configure them: Console Login (Operator, or Read-Only) Access: Primary using TACACS+ server. Secondary using Local. HP2512(config)# aaa authentication console[...]
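The following is an added example, not HP's code and not from the release notes. It models how the primary/secondary method pair from Table 13 behaves when the TACACS+ server answers, rejects, or cannot be reached, and it makes the p. 171 Caution concrete: with secondary "local" and no local Manager password configured, a server outage turns into unauthenticated read/write access. The server is simulated by a callable; the configuration class, the outcome names and the assumption that the secondary method is consulted only when the server is unreachable (the table's "If TACACS+ server unavailable" wording), not when it rejects a user, are this example's, not the manual's.

```python
"""Model of the switch's primary/secondary login methods (Table 13).

Added example, not HP's code. The TACACS+ server is simulated by a callable
that returns ACCEPT, REJECT or UNREACHABLE; no network traffic is sent.
"""
from dataclasses import dataclass, field
from enum import Enum


class ServerResult(Enum):
    ACCEPT = "accept"              # server found a matching username/password
    REJECT = "reject"              # server answered and denied the user
    UNREACHABLE = "unreachable"    # no answer: the switch falls back to secondary


@dataclass
class SwitchAuthConfig:
    primary: str                   # "tacacs" or "local"
    secondary: str                 # "local" or "none"
    # Local passwords per privilege level ("login" = Operator, "enable" = Manager).
    # A missing entry models a level whose local password was never set.
    local_passwords: dict = field(default_factory=dict)


def local_check(cfg, level, password):
    """Local method. An unset password at that level grants access (the p.171 Caution)."""
    expected = cfg.local_passwords.get(level)
    if expected is None:
        return True, "local: no %s password configured, access granted with no password" % level
    return password == expected, "local: password checked"


def authenticate(cfg, level, username, password, tacacs):
    """Return (granted, reason) for one login attempt at privilege `level`.

    Assumption of this model: the secondary method is used only when the
    TACACS+ server is unreachable, never when it explicitly rejects the user.
    """
    if cfg.primary == "local":
        return local_check(cfg, level, password)

    result = tacacs(username, password)
    if result is ServerResult.ACCEPT:
        return True, "tacacs: accepted"
    if result is ServerResult.REJECT:
        return False, "tacacs: rejected, secondary not consulted"
    if cfg.secondary == "local":
        return local_check(cfg, level, password)
    if cfg.secondary == "none":
        return True, "tacacs unreachable, secondary 'none': access granted with no password"
    return False, "no usable authentication method"


def server_down(username, password):
    """Simulated server that never answers (link down, wrong key, daemon stopped)."""
    return ServerResult.UNREACHABLE


def demo():
    """Same outage, two switches: one without and one with local passwords."""
    weak = SwitchAuthConfig("tacacs", "local")                       # no Manager password
    hardened = SwitchAuthConfig("tacacs", "local",
                                {"login": "op-pw", "enable": "mgr-pw"})
    return {
        "weak_server_down": authenticate(weak, "enable", "intruder", "", server_down)[0],
        "hardened_server_down": authenticate(hardened, "enable", "intruder", "", server_down)[0],
        "hardened_right_local": authenticate(hardened, "enable", "admin", "mgr-pw", server_down)[0],
    }


if __name__ == "__main__":
    for case, granted in demo().items():
        print("%-22s granted=%s" % (case, granted))
```

Run it and compare the first two cases: the only difference between the switches is the local Manager password, and it decides whether a TACACS+ outage fails closed or fails open. The `none` secondary is the same failure mode made explicit in the configuration.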
(p. 177) Configuring the Switch's TACACS+ Server Access. The tacacs-server command configures these parameters: ■ The host IP address(es) for up to three TACACS+ servers; one first-choice and up to two backups. Designating backup servers provi[...]

(p. 178) (Table columns: Name; Default; Range.) host <ip-addr> [key <key-string>] (default: none; range: n/a): Specifies the IP address of a device running a TACACS+ server application. Optionally, can also specify the unique, per-server encryption key to use when each[...]

(p. 179) Adding, Removing, or Changing the Priority of a TACACS+ Server. Suppose that the switch was already configured to use TACACS+ servers at 10.28.227.10 and 10.28.227.15. In this case, 10.28.227.15 was entered first, and so is listed as th[...]

(p. 180) To configure westside as a global encryption key: HP2512(config)# tacacs-server key westside. To configure westside as a per-server encryption key: HP2512(config)# tacacs-server host 10.28.227.63 key westside. An encryption key can contain up to[...]

(p. 181) How Authentication Operates. General Authentication Process Using a TACACS+ Server. Authentication through a TACACS+ server operates generally as described below. For specific operating details, refer to the documentation you received with[...]

(p. 182) • If the username/password pair received from the requesting terminal matches a username/password pair previously stored in the server, then the server passes access permission through the switch to the terminal. • If the username/p[...]

(p. 183) Using the Encryption Key. General Operation. When used, the encryption key (sometimes termed "key", "secret key", or "secret") helps to prevent unauthorized intruders on the network from reading username and pa[...]

(p. 184) For example, you would use the next command to configure a global encryption key in the switch to match a key entered as north40campus in two target TACACS+ servers. (That is, both servers use the same key for your switch.) Note that you d[...]
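What the shared key on pp. 183-184 actually does on the wire is worth seeing in code. The block below is an added example, not HP's code and not from the release notes: it implements the TACACS+ packet header and the body obfuscation defined by the protocol (an MD5-derived pseudo-pad XORed over the body, as specified in RFC 8907), builds an authentication START body for a console login, and shows that the username is readable in a packet sent without a key, unreadable with the key north40campus from the manual's example, and unrecoverable with a wrong key. The session ID, user, port and remote address are constructed sample values; the algorithm itself is the protocol's, which is also why the protocol's own specification calls it obfuscation rather than encryption: anyone holding the shared key, or able to guess it, recovers the body.

```python
"""TACACS+ header and body obfuscation with a shared key.

Added example, not HP's code. Implements the MD5 pseudo-pad from the TACACS+
specification (RFC 8907) to show what `tacacs-server key` protects.
"""
import hashlib
import struct

HEADER = struct.Struct("!BBBBII")       # version, type, seq_no, flags, session_id, length
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain: MD5(session_id | key | version | seq_no [| previous digest])."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def obfuscate(body, key, session_id, version, seq_no):
    """XOR the body with the pad. The same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, data=b"",
                      action=0x01, priv_lvl=1, authen_type=0x01, service=0x01):
    """Authentication START body: fixed fields, then user, port, rem_addr, data."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!BBBBBBBB", action, priv_lvl, authen_type, service,
                        len(u), len(p), len(r), len(data))
    return fixed + u + p + r + data


def build_packet(body, key, session_id, seq_no,
                 pkt_type=TAC_PLUS_AUTHEN, minor=TAC_PLUS_MINOR_VER_DEFAULT):
    """Header plus body. An empty key sets the UNENCRYPTED flag and sends the body in clear."""
    version = (TAC_PLUS_MAJOR_VER << 4) | minor
    if key:
        flags, payload = 0, obfuscate(body, key, session_id, version, seq_no)
    else:
        flags, payload = TAC_PLUS_UNENCRYPTED_FLAG, body
    return HEADER.pack(version, pkt_type, seq_no, flags, session_id, len(body)) + payload


def parse_packet(packet, key):
    """Return the de-obfuscated body, honouring the UNENCRYPTED flag."""
    version, pkt_type, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, key, session_id, version, seq_no)


def demo():
    """Constructed console login for user 'operator' with the manual's example key."""
    key = b"north40campus"
    session_id = 0x1234ABCD                     # constructed; normally random per session
    body = authen_start_body("operator", "console", "10.28.227.141")
    keyed = build_packet(body, key, session_id, 1)
    unkeyed = build_packet(body, b"", session_id, 1)
    return {
        "username_visible_without_key": b"operator" in unkeyed,
        "username_visible_with_key": b"operator" in keyed,
        "right_key_recovers_body": parse_packet(keyed, key) == body,
        "wrong_key_recovers_body": parse_packet(keyed, b"westside") == body,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-30s %s" % (name, value))
```

Two practical consequences follow from the construction: the switch and every server it talks to must hold the identical key or the server sees only pad noise, which is the "all users locked out" symptom the troubleshooting section describes, and the key is the only thing standing between a capture on the management network and the credentials inside it.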
(p. 185) Messages. The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application. For information on such messages, refer to the documentation you received with the application[...]

(p. 186) Troubleshooting TACACS+ Operation. All Users Are Locked Out of Access to the Switch. If the switch is functioning properly, but no username/password pairs result in console or Telnet access to the switch, the problem may be due to how t[...]

(p. 187) ■ The time quota for the account has been exhausted. ■ The time credit for the account has expired. ■ The access attempt is outside of the timeframe allowed for the account. ■ The allowed number of concurrent logins for the accou[...]
Enhancements in Release F.02.02: CDP (Updated by Software Version F.05.50)

(p. 188) Software version F.02.02 for the Series 2500 switches implemented CDP-v1 (Cisco Discovery Protocol, version 1) to help discover devices in a network. Software version F.05.50 and beyond updates this network discovery method[...]

Enhancements in Release F.02.02: New Time Synchronization Protocol Options

(p. 189) TimeP Time Synchronization. You can either manually assign the switch to use a TimeP server or use DHCP to assign the TimeP server. In either case, the switch can get its time synchronization updates from only one, designated TimeP server. This option enhances secu[...]

(p. 190) • TimeP: DHCP or Manual. 3. Configure the remaining parameters for the time protocol you selected. The switch retains the parameter settings for both time protocols even if you change from one protocol to the other. Thus, if you select a time protocol the switch use[...]

(p. 191) Table 15. SNTP Parameters (columns: SNTP Parameter; Operation). Time Sync Method: Used to select either SNTP, TIMEP,[...] Menu: Viewing and Configuring SNTP. To View, Enable, and Modify SNTP Time Protocol: 1. From the Main Menu, select: 2. Switch Configuration... 1. System Information.

(p. 192) Figure 88. The System Information Screen (Default Values). 2. Press [E] (for Edit). The cursor moves to the System Name field. 3. Use [v] to move the cursor to the Time Sync Method field. 4. Use the Space bar to select SNTP, then press [v] once to display and move to[...]

(p. 193) Note: This step replaces any previously configured server IP address. If you will be using backup SNTP servers (requires use of the CLI), then see "SNTP Unicast Time Polling with Multiple SNTP Servers" on page 205. iii. Press [v] to move the cursor to the Server V[...]

(p. 194) Viewing the Current SNTP Configuration. This command lists both the time synchronization method (TimeP, SNTP, or None) and the SNTP configuration, even if SNTP is not the selected time protocol. Syntax: show sntp. For example, if you configured the switch with SNTP as[...]

(p. 195) Enabling SNTP in Broadcast Mode. Because the switch provides an SNTP polling interval (default: 720 seconds), you need only these two commands for a minimal SNTP broadcast configuration: Syntax: timesync sntp. Selects SNTP as the time synchronization method. sntp broadcas[...]

(p. 196) Syntax: timesync sntp. Selects SNTP as the time synchronization method. sntp unicast. Configures the SNTP mode for Unicast operation. sntp server <ip-addr> [version]. Specifies the SNTP server. The default server version is 3. no sntp server <ip-addr>. Del[...]

(p. 197) Figure 93. Example of Specifying the SNTP Protocol Version Number. Changing the SNTP Poll Interval. This command lets you specify how long the switch waits between time polling intervals. The default is 720 seconds and the range is 30 to 720 seconds. (This parameter is s[...]

(p. 198) Disabling the SNTP Mode. If you want to prevent SNTP from being used even if selected by timesync (or the Menu interface's Time Sync Method parameter), configure the SNTP mode as disabled. Syntax: no sntp. Disables SNTP by changing the SNTP mode configuration to Disa[...]

(p. 199) Table 16. TimeP Parameters (columns: Parameter; Operation). Time Sync Method: Used to select either TIMEP (the[...] Menu: Viewing and Configuring TimeP. To View, Enable, and Modify the TimeP Protocol: 1. From the Main Menu, select: 2. Switch Configuration... 1. System Information.

(p. 200) Figure 96. The System Information Screen (Default Values). 2. Press [E] (for Edit). The cursor moves to the System Name field. 3. Use [v] to move the cursor to the Time Sync Method field. 4. If TIMEP is not already selected, use the Space bar to select TIMEP, then pr[...]

(p. 201) iii. Press [>] to move the cursor to the Poll Interval field, then go to step 6. 6. In the Poll Interval field, enter the time in minutes that you want for a TimeP Poll Interval. Press [Enter] to return to the Actions line, then [S] (for Save) to enter the new time[...]

(p. 202) If SNTP is the selected time synchronization method, show timep still lists the TimeP configuration even though it is not currently in use: Figure 98. Example of TimeP Configuration When TimeP Is Not the Selected Time Synchronization Method. Configuring (Enabling or Dis[...]

(p. 203) For example, suppose: ■ Time synchronization is configured for SNTP. ■ You want to: 1. View the current time synchronization. 2. Select TimeP as the time synchronization mode. 3. Enable TimeP for DHCP mode. 4. View the TimeP configuration. The commands and out[...]

(p. 204) HP2512(config)# timesync timep (selects TimeP). HP2512(config)# ip timep manual 10.28.227.141 (activates TimeP in Manual mode). Figure 100. Example of Configuring TimeP for Manual Operation. Changing the TimeP Poll Interval. This command lets you specify how long the switc[...]

(p. 205) Disabling the TimeP Mode. Disabling the TimeP mode means to configure it as disabled. (Disabling TimeP prevents the switch from using it as the time synchronization protocol, even if it is the selected Time Sync Method option.) Syntax: no ip timep. Disables TimeP by[...]

(p. 206) Adding and Deleting SNTP Server Addresses. Adding Addresses. As mentioned earlier, you can configure one SNTP server address using either the Menu interface or the CLI. To configure a second and third address, you must use the CLI. For example, suppose you have already[...]

(p. 207) Menu Interface Operation with Multiple SNTP Server Addresses Configured. When you use the Menu interface to configure an SNTP server IP address, the new address writes over the current primary address, if one is configured. If there are multiple addresses configured, the[...]
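The two time protocols this section configures (SNTP unicast/broadcast with a server version, and TimeP from a single designated server) differ mostly in what a client can check before trusting a reply. The following is an added example, not HP's code and not from the release notes: it builds an SNTP version 3 client request, parses a server reply with the sanity checks an SNTP client is expected to make (server or broadcast mode, leap indicator not "unsynchronized", a usable stratum, a non-zero transmit timestamp, and, for unicast, an originate timestamp equal to the request's transmit timestamp so that stale or spoofed replies are dropped), and decodes a TimeP (RFC 868) reply, which is a bare 32-bit count of seconds since 1900 with nothing to check at all. The reply bytes, the request time of 2000-01-01 00:00:00 UTC and the helper names are constructed for the example; no packets are sent.

```python
"""SNTP request/reply handling and TimeP decoding.

Added example, not HP's code. Packet layouts follow RFC 4330 (SNTP) and
RFC 868 (Time Protocol); all packets here are constructed in memory.
"""
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01
# li_vn_mode, stratum, poll, precision, root delay, root dispersion, reference id,
# reference ts, originate ts, receive ts, transmit ts  (48 bytes)
NTP_PACKET = struct.Struct("!BBBbIIIQQQQ")


def unix_to_ntp(ts):
    """Unix seconds (float) to a 64-bit NTP timestamp (32.32 fixed point)."""
    secs = int(ts) + NTP_EPOCH_OFFSET
    frac = int((ts - int(ts)) * (1 << 32))
    return (secs << 32) | frac


def ntp_to_unix(ts64):
    return (ts64 >> 32) - NTP_EPOCH_OFFSET + (ts64 & 0xFFFFFFFF) / (1 << 32)


def build_sntp_request(version=3, transmit_unix=0.0):
    """Client request: LI=0, VN=version, Mode=3; only the transmit timestamp is filled."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    return NTP_PACKET.pack(li_vn_mode, 0, 0, 0, 0, 0, 0, 0, 0, 0, unix_to_ntp(transmit_unix))


def parse_sntp_reply(reply, request):
    """Return the server's transmit time in Unix seconds, or raise ValueError."""
    if len(reply) < NTP_PACKET.size:
        raise ValueError("short packet")
    (li_vn_mode, stratum, _poll, _prec, _rdelay, _rdisp, _refid,
     _ref, originate, _recv, transmit) = NTP_PACKET.unpack_from(reply)
    leap, mode = li_vn_mode >> 6, li_vn_mode & 7
    if mode not in (4, 5):                 # 4 = server reply, 5 = broadcast
        raise ValueError("not a server or broadcast packet (mode %d)" % mode)
    if leap == 3:
        raise ValueError("server clock unsynchronized (LI=3)")
    if stratum == 0 or stratum > 15:
        raise ValueError("kiss-o'-death or invalid stratum %d" % stratum)
    if transmit == 0:
        raise ValueError("zero transmit timestamp")
    if mode == 4 and originate != NTP_PACKET.unpack_from(request)[10]:
        # The reply was not produced for our request: stale, misdirected or spoofed.
        raise ValueError("originate timestamp does not match our request")
    return ntp_to_unix(transmit)


def parse_timep_reply(reply):
    """RFC 868: exactly four bytes, big-endian seconds since 1900. No checks are possible."""
    if len(reply) != 4:
        raise ValueError("TimeP reply must be exactly 4 bytes")
    return struct.unpack("!I", reply)[0] - NTP_EPOCH_OFFSET


def constructed_reply(originate_unix, transmit_unix, mode=4, stratum=2, leap=0, version=3):
    """Server reply built for the example (constructed data, not a capture)."""
    li_vn_mode = (leap << 6) | (version << 3) | mode
    return NTP_PACKET.pack(li_vn_mode, stratum, 6, -20, 0, 0, 0x4C4F434C, 0,
                           unix_to_ntp(originate_unix), unix_to_ntp(transmit_unix - 0.25),
                           unix_to_ntp(transmit_unix))


def demo():
    """Good unicast exchange plus a TimeP reply for the same instant."""
    req_time = 946684800.0                 # 2000-01-01T00:00:00Z, constructed
    request = build_sntp_request(3, req_time)
    reply = constructed_reply(req_time, req_time + 0.5)
    sntp_time = parse_sntp_reply(reply, request)
    timep_time = parse_timep_reply(struct.pack("!I", 946684800 + NTP_EPOCH_OFFSET))
    return sntp_time, timep_time


def rejects_unmatched_reply():
    """A reply whose originate timestamp is not our transmit timestamp is dropped."""
    request = build_sntp_request(3, 946684800.0)
    try:
        parse_sntp_reply(constructed_reply(946684807.0, 946684800.5), request)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("sntp=%r timep=%r unmatched_rejected=%r" % (demo() + (rejects_unmatched_reply(),)))
```

In broadcast mode (mode 5) there is no request to match against, so the originate check cannot be made and any host on the VLAN can feed the switch a time; that, and the unauthenticated 4-byte TimeP reply, is why pinning a single designated server and polling it by unicast is the more defensible configuration of the options this section offers.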
Enhancements in Release F.02.02: Operation and Enhancements for Multimedia Traffic Control (IGMP)

(p. 208) How Data-Driven IGMP Operates. The information in this section supplements the information provided under "Multimedia Traffic Control with IP Multicast (IGMP)" beginning on[...]

(p. 209) [...] multicast packets to ports from which a join request for that group has not been received. (If the switch or router has not received any join requests for a given multicast group, it drops the traffic it receives for that group.) Figure 104. Examp[...]

(p. 210) Fast-Leave IGMP. IGMP Operation Presents a "Delayed Leave" Problem. Where multiple IGMP clients are connected to the same port on an IGMP device (switch or router), if only one IGMP client joins a given multicast group, then later sends a[...]

(p. 211) [...] unnecessary multicast traffic from that group to the former IGMP client. This improves performance by reducing the amount of multicast traffic going through the port to the IGMP client after the client leaves a multicast group. IGMP in the Series[...]

(p. 212) Forced Fast-Leave IGMP. Forced Fast-Leave IGMP Features. Forced Fast-Leave IGMP speeds up the process of blocking unnecessary IGMP traffic to a switch port that is connected to multiple end nodes. (This feature does not activate on ports where the s[...]

(p. 213) For example: Figure 106. Listing the Forced Fast-Leave State for Ports in an HP2512 Switch. To list the Forced Fast-Leave state for a single port. Syntax: getmib hpSwitchIgmpPortForcedLeaveState.1.<port-number> (Not case-sensitive.) getm[...]

(p. 214) CLI: Configuring Per-Port Forced Fast-Leave IGMP. In the factory-default configuration, Forced Fast-Leave is disabled for all ports on the switch. To enable (or disable) this feature on individual ports, use the switch's MIB commands, as show[...]

(p. 215) Querier Operation. The function of the IGMP Querier is to poll other IGMP-enabled devices in an IGMP-enabled VLAN to elicit group membership information. The switch performs this function if there is no other device in the VLAN, such as a multicas[...]

Enhancements in Release F.02.02: The Switch Excludes Well-Known or Reserved Multicast Addresses from IP Multicast Filtering

(p. 216) Each multicast host group is identified by a single IP address in the range of 224.0.0.0 through 239.255.255.255. Specific groups[...]
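The exclusion described on p. 216 is easier to reason about with the addressing rules in front of you. The following is an added example, not HP's code and not from the release notes: it classifies an address against the 224.0.0.0/4 group range and the 224.0.0.0/24 link-local control block (IGMP's own 224.0.0.1 and 224.0.0.2, OSPF's 224.0.0.5 and 224.0.0.6, and so on, which routers never forward), and it derives the 01:00:5e destination MAC that a group's frames carry. It goes one step beyond the page to show why that derivation matters for any filter keyed on MAC addresses: only the low 23 bits of the group address reach the MAC, so 32 groups share each one, and a reserved group such as 224.0.0.1 is indistinguishable at layer 2 from 239.128.0.1. The group addresses used below are constructed examples.

```python
"""IPv4 multicast addressing: group range, reserved block, and the 32:1 IP-to-MAC mapping.

Added example, not HP's code. Addressing rules follow RFC 1112 and RFC 5771.
"""
import ipaddress

MULTICAST_RANGE = ipaddress.ip_network("224.0.0.0/4")      # 224.0.0.0 through 239.255.255.255
LINK_LOCAL_BLOCK = ipaddress.ip_network("224.0.0.0/24")    # local network control block, not routed


def is_multicast_group(addr):
    return ipaddress.ip_address(addr) in MULTICAST_RANGE


def is_reserved_well_known(addr):
    """True for 224.0.0.x (all-hosts 224.0.0.1, all-routers 224.0.0.2, OSPF 224.0.0.5/6, ...)."""
    return ipaddress.ip_address(addr) in LINK_LOCAL_BLOCK


def group_to_mac(addr):
    """RFC 1112: 01:00:5e followed by the low 23 bits of the group address."""
    ip = ipaddress.ip_address(addr)
    if ip not in MULTICAST_RANGE:
        raise ValueError("%s is not a multicast group address" % addr)
    low23 = int(ip) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % ((low23 >> 16) & 0xFF, (low23 >> 8) & 0xFF, low23 & 0xFF)


def groups_sharing_mac(addr):
    """All 32 group addresses whose frames carry the same destination MAC as `addr`.

    Bits 23..27 of the group address are discarded by the mapping, so every
    combination of those five bits collides with the given address.
    """
    low23 = int(ipaddress.ip_address(addr)) & 0x7FFFFF
    return [str(ipaddress.ip_address(0xE0000000 | (hi << 23) | low23)) for hi in range(32)]


def shares_mac_with_reserved_group(addr):
    """True if a MAC-based filter for `addr` would also match a 224.0.0.x control group."""
    return any(is_reserved_well_known(g) for g in groups_sharing_mac(addr))


if __name__ == "__main__":
    for g in ("224.0.0.1", "239.128.0.1", "239.255.255.250"):   # constructed examples
        print("%-16s mac=%s reserved=%-5s collides_with_reserved=%s" % (
            g, group_to_mac(g), is_reserved_well_known(g), shares_mac_with_reserved_group(g)))
```

The practical reading: a switch that filters multicast purely by destination MAC cannot block 239.128.0.1 without also blocking the all-hosts group 224.0.0.1 that IGMP queries are sent to, which is one concrete reason to keep the well-known block out of filtering as the page states, and to check the IP group address, not just the MAC, when writing access rules for multicast.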
Enhancements in Release F.02.02: Port Security: Changes to Retaining Learned Static Addresses Across a Reboot

(p. 217) Recommended Port Security Procedures. ■ Before configuring port security, use the switch's TFTP features to save a copy of the configuration. In the event[...]

(p. 218) To remove an address learned using either of the preceding methods, do one of the following: • Delete the address by using the no port-security <port-number> mac-address <mac-addr> command. • Download a previously s[...]

Enhancements in Release F.02.02: Username Assignment and Prompt

(p. 219) Prior to release F.02.02, assigning a manager or operator username to the switch required you to use the Web browser interface. Also, only the Web browser interface required you to enter a username at logon if one was configured for the privilege[...]
Updates and Corrections for the Management and Configuration Guide

(p. 220) This section lists updates to the Management and Configuration Guide (p/n 5969-2354; August 2000). Changes in Commands for Viewing the Current Configuration Files. On page C-4, the manual incorrectly states that s[...]

(p. 221) • Running configuration has been changed and needs to be saved. This message indicates that the two configurations are different. Change in CLI Command for Listing Intrusion Alerts. With port security configured, the switch formerly used show interfaces to display a port stat[...]

(p. 222) This change affects the following commands: Restoring the Factory-Default Configuration, Including Usernames and Passwords. Page 11-20 in the Management and Configuration Guide incorrectly implies that the erase startup-config command clears passwords. This command does reset the[...]

(p. 223) GVRP Does Not Require a Common VLAN. Delete the note at the top of page 9-78 in the Management and Configuration Guide. GVRP does not require a common VLAN (VID) connecting all of the GVRP-aware devices in the network to carry GVRP packets. Incomplete Information on Saving Confi[...]

(p. 224) Note: Duplicate MAC addresses are likely to occur in VLAN environments where XNS and DECnet are used. For this reason, using VLANs in XNS and DECnet environments is not currently supported. On page 11-10 of the Management and Configuration Guide, under "Duplicate MAC Addres[...]

(p. 225) Also on page 9-54, add the following item to the bulleted list: ■ When TimeP is enabled and configured for DHCP operation, the switch learns of TimeP servers from DHCP and Bootp packets received on the primary VLAN. Misleading Statement About VLANs. On page 9-56 in the Ma[...]
226 Software Fixes Software Fixes Release F .01.07 was the first software rel ease for the ProCurve Series 2500 switches Release F.01.08 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233 Release F.01.09 (Beta Release Only) . . . . . . . . . . . . . . . . . . . . . . . . . .[...]
-
Page 238
227 Software Fixes Release F.05.19 (Never Released) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 1 Release F.05.20 (Never Released) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 1 Release F.05.21 (Never Released) . . . . . . . . . . . . . . . . . . . . [...]
-
Page 239
228 Software Fixes Release F.05.64 (Never Released) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 7 Release F.05.65 (Not a Public Release) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257 Release F.05.66 (Never Released) . . . . . . . . . . . . . . . . . . . . . .[...]
-
Page 240
229 Software Fixes Release F .01.08 Fixed in release F .01.08: ■ 100/1000-T transceiver — When using this 100/1000-T transceiver and negotiating to 100 Mbps, the port may report that it is operating at 100 full duplex, when it is actually operating at 100 half duplex. ■ W eb-Browser Interface — The product label in the W eb-browser display [...]
-
Page 241
230 Software Fixes Note The startup-config file saved u nder version F .02.02 is NOT back ward-compatible with previous software versions. HP recommends that you save a c opy of the pre-02.02 startup-config file BEFORE UPGRADING to F .02.02 or greater , in case there is ever a need to revert back to pre-02.02 software. Instructions for saving a cop[...]
-
Page 242
231 Software Fixes ■ LACP — Resolves several issues with LACP , including: conversation on a trunk may momentarily fail if a trunk member port goes down, difficulty accessing the MIB, configura- tion issues, port priority issues, problems with dynamic negotiation, and switch crashes with messages similar to: -> Software Exception at woody_de[...]
-
Page 243
232 Software Fixes Release F .02.04 (Beta Release Only) The switch's CDP packets have been modified to better interoperate with older Cisco IOS versions. Certain legal CDP packets sent from the ProCurve switch could result in Cisco routers, running older IOS versions, to crash. Note The ProCurve switch's CDP packets are legal both before [...]
-
Page 244
233 Software Fixes ■ IGMP — If there are several IGMP groups in seve ral VLANs, and the switch is acting as Querier , the switch may stop sending IGMP Queries on some of its VLANs. ■ IGMP — All Querier intervals on the switch will be cut in half if IGMP , after already being enabled, is disabled and then re-enabled. ■ IGMP — The switch [...]
-
Page 245
234 Software Fixes Note Contact your local Customer Care Center before activating this feature to receive proper configura- tion instructions. Failure to configure this featur e properly will result in unexpected connectivity problems. Release F .02.06 (Beta Release Only) T extual modifications made to th e Isolated Port Groups feature. Release F .[...]
-
Page 246
235 Software Fixes ■ XRMON — V arious XRMON counters display incorrec t values. Possible symptoms include network management applications reporting a too high network utilization (T opT ools may report "crossed octets"). Release F .02.08 (Beta Release Only) Fixed in F .02.08: ■ Crash — If a transceiver is repeatedly installed and [...]
-
Page 247
236 Software Fixes Release F .02.12 Fixed in release F .02.12 ■ Monitoring Port — When a config file containing a Monitoring Port configuration is loaded onto the switch via TFTP or XModem, the Moni toring Port feature does not work properly . Release F .02.13 Fixed in release F .02.13 ■ Monitoring Port — Monitoring Port configuration chang[...]
-
Page 248
237 Software Fixes ■ Port Configuration — Changing a port setting from one Auto mode to another may not be reflected in Auto-negotiation's advertised capab ility without a switch reset, or module hot- swap. ■ Port Monitoring — Port monitoring does not work correc tly after a TFTP transfer of the configuration from the switch to the ser[...]
-
Page 249
238 Software Fixes Release F .04.08 Fixed in release F .04.08 Modification of Lab troubleshooting commands. Release F .04.09 (Beta Release Only) Fixed in release F .04.09 ■ Agent Hang — Agent processes (such as console, telnet, STP , ping, etc.) may stop functioning when the IGMP querier function is disabled, and then re-enabled, on a VLAN that[...]
-
Page 250
239 Software Fixes Note The startup-config file saved u nder version F .05.05, or later , is NOT backward-compatible with previous software versions. The user is advised to save a copy of the pre-05 .05 startup-config file BEFORE UPGRADING to F .05.05 or greater , in case ther e is ever a need to revert back to pre- 05.05 software. Instructions for[...]
-
Page 251
240 Software Fixes ■ Crash — If dynamic trunks are configured and the sw itch is rebooted, the switch may crash with a message similar to: ->Software exception at rstp_dyn_reconfit.c:243 in -- 'Lpmgr' ■ Crash — The "show config" CLI command may cause the switch to crash with a message similar to: ->Software excepti[...]
-
Page 252
241 Software Fixes ■ Link-up polling interval — A delay of up to 1.7 seconds between plugging in a cable (linkbeat established) and traffic being forwar ded to and from that port may cause problems with some time sensitive applications. For example, AppleT alk dynamic address negotiation can be affected, resulting in multiple devices using the [...]
-
Page 253
242 Software Fixes ■ STP/Startup-Config — When a startup-config file contai ning an 802.1D STP configuration is reloaded that was saved off from the swit ch, an error similar to the following occurs: Line: 13. Invalid input: stp802.1d Corrupted download file. ■ T ACACS+ — When logging into the switch via T A CACS+ encrypted authentication, [...]
-
Page 254
243 Software Fixes Release F .05.12 (Beta Release Only) Adds the following enhancement: ■ Changes to 802.1X to support Open VLAN Mode Release F .05.13 (Beta Release Only) Adds the following enhancement: ■ Changes to Isolated Port Groups to add two new groups: group1 and group2. Release F .05.14 This update is only for the ProCurve 2312, ProC ur[...]
-
Page 255
244 Software Fixes ■ Performance/Crash (PR_4967) — Slow performance may occur when using 10/100 ports or the 100FX transceiver operating at half-dupl ex. This also may occur when using 100FX, Gigabit Stacking, Gigabit-SX, or Gigabit-LX tr ansceivers operating at full-duplex. Note: The Gigabit transceivers can only operate in full-duplex mode. T[...]
-
Page 256
245 Software Fixes ■ Crash — When setting the host name to a very long (~20 characters) string, the switch may crash with a bus error similar to: -> Bus error: HW Addr=0x29283030 IP=0x002086ac Task='mSnmpCtrl' Task ID=0x165ae00. ■ Flow control — Users are allowed to configure flow control for half-duplex ports, even though the [...]
-
Page 257
246 Software Fixes ■ SNMP — The OID ifAlias is defaulted to "not a ssigned", causing Network Node Manager to log error messages. (The fix is to default ifAlias to a zero-length string, as stated in the MIB, or make each port have a unique value.) ■ SNMP — The switch does not support community names other than PUBLIC in traps. ■ [...]
247 Software Fixes
■ RSTP/LACP — Turning LACP off, then back on, leaves LACP in Passive mode. This can
■ Trunking — With ports 25 and 26 configured in a trunk group, the show trunk 25,26 command displays incorrect information for Trunk Group Name and Trunk Group Type. Example output:
■ Web — Sun Java v1.3.x and v1.4.x interoperab[...]
248 Software Fixes
Release F.05.19 (Never Released)
Fixed in release F.05.19
■ Counters (PR_92221) — Counters for J4834A 100/1000 xcvr do not clear.
■ Crash/Bus Error (PR_92466) — Bus error related to 802.1X/unauthorized VLAN.
■ Agent Hang (PR_92802) — Agent 'hang'. Fix for agent 'hang' (ping and TELNET hang, but [...]
249 Software Fixes
■ Syslog (PR_1000003656) — The syslog capability added to F.05.22.
■ Syslog (PR_1000004080) — A timep event log message on syslog is truncated.
■ Web (PR_81848) — 'Clear changes' button does not work for the Default Gateway or VLAN selections.
■ Web (PR_82039) — If the user selects GVRP mode, selec[...]
250 Software Fixes
Release F.05.24 (Not a General Release)
Fixed in release F.05.24
■ Web (PR_1000007144) — When using the Web user interface, VLAN Configuration, Add/Remove VLANs, GVRP Mode, clicking on the help link gives the message, The page you requested is no longer located here.
Release F.05.25 (Not a General Release)
Fixed in rele[...]
251 Software Fixes
■ SNMP (PR_1000190654) — When the switch has the IP address configured on a VLAN other than the "default VLAN", Find/Fix/Inform (FFI) SNMP traps list a 0.0.0.0 IP address in the URL.
■ Web/Crash (PR_1000092011) — While using the Web user interface, the switch may crash with a "software exception" message [...]
252 Software Fixes
Release F.05.32 (Not a General Release)
Fixed in release F.05.32
■ TFTP/Config (PR_1000215024) — After a new configuration is loaded from a TFTP server, the switch reboots so the new configuration will take effect. If that same configuration is loaded from a TFTP server, the switch recognizes that the configuration is un[...]
253 Software Fixes
Release F.05.37 (Not a General Release)
Fixed in release F.05.36
■ CLI (PR_83354) — The command "show mac vlan <VID>" displays all MAC addresses known on the switch (from all VLANs) instead of just those in the specified VLAN.
Release F.05.38 (Never Released)
Fixed in release F.05.38
■ TCP (PR_10002461[...]
Release F.05.51 (Never Released)
Fixed in release F.05.51
■ Crash (PR_1000297510) — When using the Web User Interface and the switch is set as commander for stacking, the switch may crash with a message similar to: PPC Bus Error exception vector 0x300: Stack-frame=0x01731de8 HW Addr=0x02800007 IP=0x0022dc30 Task='tHttpd' Task ID=0x[...]
255 Software Fixes
Release F.05.55
Fixed in release F.05.55
■ LLDP (PR_1000310666) — The command "show LLDP" does not display information learned from CDPv2 packets.
■ Menu (PR_1000318531) — When using the 'Menu' interface, the Switch hostname may be displayed incorrectly.
■ RSTP (PR_99049) — Switch does not detec[...]
256 Software Fixes
Release F.05.59
Fixed in release F.05.59
■ Daylight savings (PR_1000364740) — Due to the passage of the Energy Policy Act of 2005, Pub. L. no. 109-58, 119 Stat 594 (2005), starting in March 2007 daylight time in the United States will begin on the second Sunday in March and end on the first Sunday in November.
Release F[...]
257 Software Fixes
■ Daylight Savings (PR_1000467724) — DST is outdated for the Western-European Time Zone. This change corrects the schedule for the Western Europe Time Zone: DST to start the last Sunday in March and DST to end the last Sunday in October.
Release F.05.64 (Never Released)
No issues fixed in release F.05.64
Release F.05.65 (No[...]
258 Software Fixes
Release F.05.69
Fixed in release F.05.69
■ ProCurve Manager (PR_1000768253) — The ProCurve Manager 2.2 Auto Update 5 test communication parameters feature fails intermittently.
■ Stacking Transceivers (PR_1000784489) — Stacking-kit ports (J4116A) display an inaccurate duplex output.
■ TACACS+ (PR_0000003839) — T[...]
© Copyright 2001-2009 Hewlett-Packard Company, LP. The information contained in this document is subject to change without notice. Part Number: 5990-3102 March, 2009[...]