HP (Hewlett-Packard) 2500 manual

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270

Ir para a página of

Bom manual de uso

As regras impõem ao revendedor a obrigação de fornecer ao comprador o manual com o produto HP (Hewlett-Packard) 2500. A falta de manual ou informações incorretas fornecidas ao consumidor são a base de uma queixa por não conformidade do produto com o contrato. De acordo com a lei, pode anexar o manual em uma outra forma de que em papel, o que é frequentemente utilizado, anexando uma forma gráfica ou manual electrónicoHP (Hewlett-Packard) 2500 vídeos instrutivos para os usuários. A condição é uma forma legível e compreensível.

O que é a instrução?

A palavra vem do latim "Instructio" ou instruir. Portanto, no manual HP (Hewlett-Packard) 2500 você pode encontrar uma descrição das fases do processo. O objetivo do manual é instruir, facilitar o arranque, a utilização do equipamento ou a execução de determinadas tarefas. O manual é uma coleção de informações sobre o objeto / serviço, um guia.

Infelizmente, pequenos usuários tomam o tempo para ler o manual HP (Hewlett-Packard) 2500, e um bom manual não só permite conhecer uma série de funcionalidades adicionais do dispositivo, mas evita a formação da maioria das falhas.

Então, o que deve conter o manual perfeito?

Primeiro, o manual HP (Hewlett-Packard) 2500 deve conte:
- dados técnicos do dispositivo HP (Hewlett-Packard) 2500
- nome do fabricante e ano de fabricação do dispositivo HP (Hewlett-Packard) 2500
- instruções de utilização, regulação e manutenção do dispositivo HP (Hewlett-Packard) 2500
- sinais de segurança e certificados que comprovam a conformidade com as normas pertinentes

Por que você não ler manuais?

Normalmente, isso é devido à falta de tempo e à certeza quanto à funcionalidade específica do dispositivo adquirido. Infelizmente, a mesma ligação e o arranque HP (Hewlett-Packard) 2500 não são suficientes. O manual contém uma série de orientações sobre funcionalidades específicas, a segurança, os métodos de manutenção (mesmo sobre produtos que devem ser usados), possíveis defeitos HP (Hewlett-Packard) 2500 e formas de resolver problemas comuns durante o uso. No final, no manual podemos encontrar as coordenadas do serviço HP (Hewlett-Packard) na ausência da eficácia das soluções propostas. Atualmente, muito apreciados são manuais na forma de animações interessantes e vídeos de instrução que de uma forma melhor do que o o folheto falam ao usuário. Este tipo de manual é a chance que o usuário percorrer todo o vídeo instrutivo, sem ignorar especificações e descrições técnicas complicadas HP (Hewlett-Packard) 2500, como para a versão papel.

Por que ler manuais?

Primeiro de tudo, contem a resposta sobre a construção, as possibilidades do dispositivo HP (Hewlett-Packard) 2500, uso dos acessórios individuais e uma gama de informações para desfrutar plenamente todos os recursos e facilidades.

Após a compra bem sucedida de um equipamento / dispositivo, é bom ter um momento para se familiarizar com cada parte do manual HP (Hewlett-Packard) 2500. Atualmente, são cuidadosamente preparados e traduzidos para sejam não só compreensíveis para os usuários, mas para cumprir a sua função básica de informação

Índice do manual

  • Página 1

    Release Notes: V ersion F .05.70 Software for the ProCurve Series 2300 and 2500 Switches These release notes include information on the following: ■ Downloading switch software and Do cumentation from the W eb (Page 1) ■ Enhancements in Release F .05. xx (Page 6) ■ Enhancements in Release F .04.08 (Page 72) ■ Enhancements in Release F .02.1[...]

  • Página 2

    ii © Copyright 2001-2009 Hewlett-Packard Development Company , LP . The information contained herein is subject to change without notice. Publication Number 5990-3102 March, 2009 Applicable Products ProCurve Switch 2512 (J4812A) ProCurve Switch 2524 (J4813A) ProCurve Switch 2312 (J4817A) ProCurve Switch 2324 (J4818A) T rademark Credits Microsoft, [...]

  • Página 3

    iii Disclaimer The information contained in this documen t is subject to change without notice. HEWLETT -P ACKARD COMPANY MAKES NO W ARRANTY OF ANY KIND WITH REGARD TO THIS MA TERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED W ARRANTIES OF MERCHANT ABILITY AND FITNESS FOR A P ARTICULAR PURPOSE. Hewlett-Packard shall not be lia ble for errors cont[...]

  • Página 4

    iii Contents Software Management Download Switch Documentation and Software from the Web . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 View or Download the Software Manual Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Downloading Software to the Switch . . . . . . . . . . . . . . . . . . . . . . . . .[...]

  • Página 5

    iv Configuring Port Isolation on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 4 Steps for Configuring Port Isolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Configuring and Viewing Port-Isolation . . . . . . . . . . . . . . . . . . . . . . .[...]

  • Página 6

    v Show Commands for Port-Access Supplicant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 How RADIUS/802.1X Authentication Affects VLAN Operation . . . . . . . . . . . . . . . . . . . . . . . . . . 67 Messages Related to 802.1X Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]

  • Página 7

    vi Messages Related to Prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 35 Troubleshooting Prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 Using the "Kill" Command To Terminate Remote Sessions . . . . . . . . . . . [...]

  • Página 8

    vii Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 Troubleshooting TACACS+ Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 6 CDP (Updated by Software Version F.05.50) . . . . . . . . . . . . . .[...]

  • Página 9

    viii Port Security: Changes to Retaining Learned Static Addresses Across a Reboot . . . . . 217 Recommended Port Security Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 Retention of Static Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]

  • Página 10

    ix Release F.02.13 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236 Release F.04.01 (Beta Release Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236 Release F.04.02 (Beta Release Only) . . . . . . . . . . . . . . . . . . . . .[...]

  • Página 11

    x Release F.05.37 (Not a General Release) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253 Release F.05.38 (Never Released) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 3 Release F.05.39 (Never Released) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]

  • Página 12

    1 Software Management Software Management Caution: Archive Pre-F .05.17 Configuration Files A configuration file saved while using release F .05 .17 or later software is not backward-compatible with earlier software versions. For this reason, HP recommends that you archive the most recent configuration on switches using software releases ea rlier t[...]

  • Página 13

    2 Software Management ■ Use the download utility in ProCurve Manager Plus. Note Downloading new software does not change the curr ent switch configuration. The switch configu- ration is contained in a separate fi le that can also be transferred, for example, for archive purposes or to be used in another switch of the same model. TFTP Download fro[...]

  • Página 14

    3 Software Management Xmodem Download From a PC or Unix W orkstation This procedure assumes that: ■ The switch is connected via the Console RS-232 por t on a PC operating as a terminal. (Refer to the Installation Guide you received with the sw itch for information on connecting a PC as a terminal and running the switch console interface.) ■ The[...]

  • Página 15

    4 Software Management Saving Configurations While Using the CLI The switch operates with two configuration files: ■ Running-Config File: Exists in volatile memory and co ntrols switch operation. Rebooting the switch erases the current running-config file and replaces it with an exact copy of the current startup-config file. T o save a conf igurat[...]

  • Página 16

    5 Software Management ProCurve Switch, Routing Switch, and Router Software Keys Software Letter ProCurve Networking Products C 1600M, 2400M, 2424M, 4000M, and 8000M CY Switch 8100fl Series (8108fl and 8116fl) E Switch 5300xl Series (5304xl, 5308xl, 5348xl, and 5372xl) F Switch 2500 Series (2512 and 2524) , Switch 2312, and Switch 2324 G Switch 4100[...]

  • Página 17

    6 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.61 through F.05.70 Enhancements in Release F .05.05 through F .05.70 Enhancements in Release F .05.61 through F .05.70 No new enhancements, software fixes only. Enhancements in Release F .05.05 through F .05.60 Enhancement Summary Page LLDP Implements the industry standa[...]

  • Página 18

    7 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Implementation of LLDP For network device discovery solu tions, software version F .05.50 implements a limited version of the industry standard Link Layer Discovery Protocol (LLDP) on your switch, as an alternative to the Cisco Discovery Protocol (CDP)[...]

  • Página 19

    8 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 MIB (Management Information Base): An internal da tabase the switch maintains for configuration and performance information. Neighbor: See “LLDP Neighbor”. Non_LLDP Device: A device that is not capable of LLDP operation. TL V (T ype-Length-V alue):[...]

  • Página 20

    9 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 T able 1. Viewable Data A vailable for LLDP Advertisements Note Selected LLDP information (such as system name, port description, port type, chassis type) received by a Series 2500 switch from a remote neighbor is not viewable. LLDP Standards Compatibi[...]

  • Página 21

    10 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 LLDP Operating Rules Port T runking. LLDP manages trunked ports individually . That is, trunked ports are configured individually for LLDP operation, in the same manner as non-trunked po rts. Also, LLDP sends separate advertisements on each port in a [...]

  • Página 22

    11 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 LLDP Operation and Commands In the default configuration, LLDP is enabled to transmit on all active ports. The LLDP configuration includes global settings that apply to all active po rts on the switch, and per -port settings that affect only the opera[...]

  • Página 23

    12 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Viewing LLDP-detected Devices Note Selected LLDP information (such as system name, port description, port type, chassis type) received by a Series 2500 switch from a remote neighbor is not viewable. W ith version F .05.60, LLDP advertisements from re [...]

  • Página 24

    13 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Additional information from the remote device can be displayed by specifying the local port number in the command. For example, show lldp info remote-device 1 produces the following display: Figure 3. Example of Viewing the LLD P Remote Device Informa[...]

  • Página 25

    14 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Configuring Per -Port LLDP T r ansmit/Receive This command controls LLDP transmit/receive traffic on active ports. For example, to disable LLDP on port 1, use the command: ProCurve(config)# lldp admin-status 1 disable Disable Auto-MDIX The Auto-MDIX f[...]

  • Página 26

    15 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 New Console Option Starting with Release F .05.23, a new console option removes terminal escape sequences, which allows scripts to better interact with the Co mmand Line Interface. The command console local-terminal none changes the current terminal s[...]

  • Página 27

    16 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Syslog Overview The switch’ s Event Log records switch-level prog ress, status, and warning messages. The System- Logging ( Syslog ) feature provides a means for recording these messages on a remote server . The Syslog feature complies with RFC 3168[...]

  • Página 28

    17 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 no logging < syslog-ip-address > removes only the specified Syslog logging destination from the switch.[...]

  • Página 29

    18 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Note As of March 2004, the logging facility < facility-name > option also is available on these switch models: ■ Switch Series 5300XL (software release E.08. xx or greater) ■ Switch Series 4100GL (software release G.07.50 or greater) ■ Swi[...]

  • Página 30

    19 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 V iewing the Syslog Configuration Configuring Syslog Logging 1. If you want to use a Syslog serv er for recording Event Log messages: a. Use this command to configure the Syslog se rver IP address and enable Syslog logging: ProCurve(config)# logging &[...]

  • Página 31

    20 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 See Figure 6 below for an example of adding an additional Syslog server . Figure 6. Configuring multiple Syslog Servers Operating Notes for Syslog ■ Rebooting the switch or pressing the Reset butt on resets the Debug Configuration. Any Syslog server[...]

  • Página 32

    21 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 The Isolated Port Groups feature or iginally included in release F .04.08 has been enhanced in release F. 0 5 . xx with the inclusion of two new port isolation groups ( group1 and group2 ). Isolated port groups provide an alternative to VLAN s for iso[...]

  • Página 33

    22 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 T able 2. Communication Allowed Betw een Port-Isolation T ypes within a Switch Figure 7. Communication Allowed Between Port-Isolation T ypes within a Switch Port T ype: Permits T raffic T o and From This Port T ype? Notes Uplink Ports Public Ports Gro[...]

  • Página 34

    23 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Operating Rules for Port Isolation ■ Port Isolation is intended only for networks that do not use VL AN tagging. (The switch must be in the default VLAN configuration before you configure port-isolation.) ■ Multiple VLANs are not allowed on the sw[...]

  • Página 35

    24 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Configuring Port Isolation on the Switch Steps for Configuring Port Isolation 1. Remove all non-default VLANs from the switch and ensure that all ports are untagged members of the default VLAN (VID = 1). 2. Identify the devices you will connect to the[...]

  • Página 36

    25 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Configuring and V iewing Port-Isolation Note The no port-isolation command erases all port-isolation mode settings from memory . This means that whenever you disable, then re-enable port isolation, all ports on the switch wi ll be set to the (default)[...]

  • Página 37

    26 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 For example, suppose that the switch is in its default configuration (no multiple VLANs; GVRP disabled, all ports untagged members of the defa ult VLAN—VID = 1) with two optional gigabit transceivers installed, and you wanted to use the swit ch port[...]

  • Página 38

    27 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Figure 8. Example of Isolating Ports on a Series 2500 Switch Assuming a switch in the factory-default configurat ion, you would configure the port isolation plan in figure 8 as follows: 1 2 3 4 5 6 12 11 10 9 8 7 1 2 3 4 5 6 14 13 Port Mode Internal T[...]

  • Página 39

    28 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Figure 9. Example of Port-Isolation Configuration Messages Related to Port-Isolation Operation Message Meaning Port Isolation is disabled. It must be enabled first. In the switch’ s factory-defaul t state or after you execute no port-isolation , you[...]

  • Página 40

    29 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 T roubleshooting Port-Isolation Operation Configuring Port-Based Access Control (802.1X) Overview Why Use Port-Based Access Control? Local Area Networks are often deployed in a way that allows unauthorized clients to attach to network devices, or allo[...]

  • Página 41

    30 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 General Features 802.1X on the Series 2500 sw itches includes the following: ■ Switch operation as both an authenticator (for supplicants having a point-to-point connec- tion to the switch) and as a supplicant for poi nt-to-point connections to othe[...]

  • Página 42

    31 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Authenticating One Switch to Another . 802.1X authentication also en ables the switch to operate as a supplicant when connected to a port on an other switch running 802.1X authentication. Figure 10. Example of an 802.1X Application Accounting . The Se[...]

  • Página 43

    32 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 iv . If the client is successfully authenticated and authorized to connect to the network, then the server notifies the switch to allo w access to the client. Otherwise, access is denied and the port remains blocked. • If 802.1X (port-access) on the[...]

  • Página 44

    33 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 2. The RADIUS server then responds with an MD5 access challenge that switch “B” forwards to port 1 on switch “A”. 3. Port 1 replies with an MD5 hash response base d on its username and password or other unique credentials. Switch “B” forwa[...]

  • Página 45

    34 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 EAP (Extensible Authentication Protocol) : EAP enables network acces s that supports multiple authentication methods. EAPOL: Extensible Authentication Protocol Over LAN, as defined in the 802.1X standard. Friendly Client: A client that does not pose a[...]

  • Página 46

    35 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 General Operating Rules and Notes ■ When a port on the switch is configured as either an authenticator or supplicant and is connected to another device, rebooting the swit ch causes a re-authentication of the link. ■ When a port on the switch is c[...]

  • Página 47

    36 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 General Setup Procedure for Port-Based Access Control (802.1X) Do These Steps Before Y ou Configure 802.1X Operation 1. Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this[...]

  • Página 48

    37 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 3. Configure the 802.1X authentication type. Options include: • Local Operator username and password (the default). This option allows a client to use the switch’ s local username and password as valid 802.1X credentials for network access. • EA[...]

  • Página 49

    38 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Configuring Switch Ports as 802.1X Authenticators 802.1X Authentication Commands Page [no] aaa port-access authenticator < [ethernet] < port-list >3 9 [control | quiet-period | tx-period | suppl icant-timeout | server -timeout | max-r equests[...]

  • Página 50

    39 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 1. Enable 802.1X Authentication on Selected Ports This task configures the individual ports you want to operate as 802.1X authenticators for point-to- point links to 802.1X-aware clients or switches. (Actual 802.1X operation does not commence until yo[...]

  • Página 51

    40 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Syntax: aaa port-access authenticator < port-list > (Syntax Continued) [quiet-period < 0 - 65535 >] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt autho- rized by the ma[...]

  • Página 52

    41 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Syntax: aaa port-access authenticator < port-list > (Syntax Continued) [reauth-period < 1 - 9999999 >] Sets the period of time after which clients connected must be re-authenticated. When the timeout is set to 0 the reauthen- tication is d[...]

  • Página 53

    42 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 3. Configure the 802.1X Authentication Method This task specifies how the switch will authenti cate the credentials provided by a supplicant connected to a switch port config ured as an 802.1X authenticator . For example, to enable the switch to perfo[...]

  • Página 54

    43 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 4. Enter the RADIUS Host IP Address(es) If you selected either eap-radius or chap-radius for the authentication meth od, configure the switch to use 1 to 3 RADIUS servers for authentication. The following sy ntax shows the basic commands. For coverage[...]

  • Página 55

    44 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 802.1X Open VLAN Mode This section describes how to use the 802.1X Open VLAN mode to configur e unauthorized-client and authorized-client VLANs on ports configured as 802.1X authenticators. Introduction Configuring the 802.1X Open VLAN mode on a por t[...]

  • Página 56

    45 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 ■ 3rd Priority: If the port does not have an Authorized-Client VLAN configured, but does have a static, untagged VLAN membership in its config uration, then the switch assigns the port to this VLAN. If the port is not configured for any of the above[...]

  • Página 57

    46 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 T able 4. 802.1X Open VLAN Mode Options 802.1X Per -Port Configuration Port Response No Open VLAN mode: The port automatically bloc ks a client that cannot initiate an authen- tication session. Open VLAN mode with both of the following configured: Una[...]

  • Página 58

    47 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Open VLAN Mode with Only an Unauthorized-Client VLAN Configured: • When the port detects a client, it automatically becomes an untagged member of this VLAN. T o limit security risks, the network services and access available on this VLAN should incl[...]

  • Página 59

    48 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Operating Rules for Authorized-Client and Unauthorized-Client VLANs Condition Rule Static VLANs used as Authorized- Client or Unauthorized-Client VLANs These must be configured on the switch before you configure an 802.1X authenticator port to use the[...]

  • Página 60

    49 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Note: If you use the same VLAN as the Unauthorized-Cli ent VLAN for all authenticator ports, unauthenti- cated clients on different ports can communicate wi th each other . However , in this case, you can improve security between authentica tor ports [...]

  • Página 61

    50 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Setting Up and Configuring 802.1X Open VLAN Mode Preparation. This section assumes use of both the Un authorized-Client and Authorized-Client VLANs. Refer to T able 4 on page 46 for other options. Before you configure the 802.1X Open VLAN mode on a po[...]

  • Página 62

    51 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Note that as an alternative, you can configure the switch to use local password authentication instead of RADIUS authentication. However , this is less desirable be cause it means that all clients use the same passwords and have the same access privil[...]

  • Página 63

    52 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 3. If you selected either eap-radius or chap-radius for step 2, use the radius host command to configure up to three RADIUS server IP address(es) on the switch. 4. Activate authentication on the switch. 5. T est both the authorized and unauthorized ac[...]

  • Página 64

    53 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Configuring 802.1X Open VLAN Mode. Use these commands to actually configure Open VLAN mode. For a listing of the steps ne eded to prepare the switch for using Open VLAN mode, refer to “Preparation” on page 50. For example, suppose you want to conf[...]

  • Página 65

    54 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Inspecting 802.1X Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, refer to “Viewi ng 802.1X Open VLAN Mode Status” on page 63. 802.1X Open VLAN Operating Notes ■ Although you can configure Op[...]

  • Página 66

    55 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Option For Authenticator Ports: Configure Port-Security T o Allow Only 802.1X Devices If you are using port-security on authenticator por ts, you can configure it to learn only the MAC address of the first 802.1X-aware device detected on the port. The[...]

  • Página 67

    56 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Note on Blocking a Non-802.1X Device If the port’ s 802.1X authenticator control mode is configured to authorized (as shown below , instead of auto ), then the first source MAC address from any device, whether 802.1X-aware or not, becomes the only a[...]

  • Página 68

    57 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Configuring Switch Ports T o Operate As Supplicants for 802.1X Connections to Other Switches Y ou can configure a switch port to operate as a s upplicant in a connection to a port on another 802.1X- aware switch to provide security on links between 80[...]

  • Página 69

    58 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 • If, after the supplicant port sends the configur ed number of start request packets, it does not receive a response, it assumes that switch “B” is not 802.1X-aware, and transitions to the authenticated state. If switch “B” is operating pro[...]

  • Página 70

    59 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Configuring a Supplicant Switch Port. Note that you must enable supplicant operation on a port before you can change the supplicant configuratio n. This means you must execute the supplicant command once without any other pa rameters, then execute it [...]

  • Página 71

    60 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Syntax : aaa port-access supplicant [ethernet] < port-list > (Syntax Continued) [auth-timeout < 1 - 300 >] Sets the period of time the port waits to receive a challenge from the authenticator . If the request times out, the port sends anot[...]

  • Página 72

    61 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Displaying 802.1X Configuration, Statistics, and Counters Show Commands for Port-Access Authenticator 802.1X Authentication Commands page 38 802.1X Supplicant Commands page 57 802.1X Open VLAN Mode Commands page 44 802.1X-Related Show Commands show po[...]

  • Página 73

    62 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Syntax: show port-access authenticator (Syntax Continued) config [[e] < port-list >] S hows: • Whether port-access authenticator is active • The 802.1X configuration of the ports configured as 802.1X authenticators If you do not specify <[...]

  • Página 74

    63 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 V iewing 802.1X Open VLAN Mode Status Y ou can examine the switch’ s current VLAN status by using the show port-access authenticator and show vlan < vlan-id > commands as illustrated in this section. Figure 14 shows an example of show port-acc[...]

  • Página 75

    64 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Note that because a temporary Open VLAN port assi gnment to either an authorized or unauthorized VLAN is an untagged VLAN membership, these a ssignments temporarily replace any other untagged VLAN membership that is statically configured on the port. [...]

  • Página 76

    65 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Figure 15. Example of Showing a VLAN with Ports Configured for Open VLAN Mode Current VLAN ID < vlan-id >: Lists the VID of the static, untagged VL AN to which the port currently belongs. No PVID: The port is not an untag ged member of any VLAN.[...]

  • Página 77

    66 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Show Commands for Port-Access Supplicant Note on Supplicant Statistics. For each port configured as a supplicant, show port-access suppli- cant statistics [e] < port-list >] displays the source MAC address and statistics for transactions with th[...]

  • Página 78

    67 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 How RADIUS/802.1X Authentication Affects VLAN Operation Static VLAN Requirement. RADIUS authentication for an 802.1X client on a given port can include a (static) VLAN requirement. (Ref er to the documentation provided with your RADIUS application.) T[...]

  • Página 79

    68 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 ■ VLAN 33 becomes unavailable to port 2 for th e duration of the session (because there can be only one untagged VLAN on any port). Y ou can use the show vlan < vlan-id > command to view this temporary change to the active configuration, as sh[...]

  • Página 80

    69 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Figure 18. The Active Configuration for VLAN 33 T emporarily Drops Port 22 for the 802.1X Session When the 802.1X client’ s session on port 2 ends, the port discards the temporary untagged VLAN membership. At this time the static VLAN ac tually conf[...]

  • Página 81

    70 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 Notes Any port VLAN-ID changes you make on 802.1X-awa re ports during an 802.1X-authenticated session do not take effect until the session ends. W ith GVRP enabled, a temporary , untagged static VLAN assignment created on a port by 802.1X authenticati[...]

  • Página 82

    71 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.05 through F.05.60 IGMP V ersion 3 Support When the switch receives an IGMPv3 Join, it ac cepts the host request and begins forwarding the IGMP traffic. This means that ports that have not joined the group and are not connected to routers or the IGMP Querier will not re[...]

  • Página 83

    72 Enhancements in Release F.04.08 Enhancements in Release F .04.08 Enhancement Summary Page Friendly Port Names Enables you to assign opti onal, meaningful names to physical ports on the switch. 73 Security Enhancements SSH Security Provide remote access to managem ent functions on the switches via encrypted paths between the switch and management[...]

  • Página 84

    73 Enhancements in Release F.04.08 Using Friendly (Optional) Port Names Using Friendly (Optional) Port Names This feature enables you to assign alphanumeric port names of your choosing to augment automat- ically assigned numeric port names. This means you can configure meaningful port names to make it easier to identify the source of information li[...]

  • Página 85

    74 Enhancements in Release F.04.08 Using Friendly (Optional) Port Names Configuring Friendly Port Names Syntax : interface [e] < port-list > name < port-name-string > Assigns a port name to port-list . no interface [e] < port-list > name Deletes the port name from port-list . Configuring a Single Port Name. Suppose that you have c[...]

  • Página 86

    75 Enhancements in Release F.04.08 Using Friendly (Optional) Port Names Displaying Friendly Port Names with Other Port Data Y ou can display friendly port name da ta in the following combinations: ■ show name : Displays a listing of port numbers with their corresponding friendly port names and also quickly shows you which ports do not have friend[...]

  • Página 87

    76 Enhancements in Release F.04.08 Using Friendly (Optional) Port Names Figure 23. Example of Friendly Port Na me Data for Specific Ports on the Switch Including Friendly Port Names in Per -Port Statistics Listings. A friendly port name config- ured to a port is automatically included wh en you display the port’ s statistics output. Syntax : show[...]

  • Página 88

    77 Enhancements in Release F.04.08 Using Friendly (Optional) Port Names For a given port, if a friendly port name does not exist in the running-config file, the Name line in the above command output appears as: Name : not assigned T o Search the Configuration for Po rts with Friendly Port Names. This option tells you which friendly port names have [...]

  • Página 89

    78 Enhancements in Release F.04.08 Configuring Secure Shell (SSH) Configuring Secure Shell (SSH) The Series 2500 switches use Secure Shell versi on 1 (SSHv1) to provide remote access to management functions on the switches via encrypted paths be tween the switch and management station clients capable of SSHv1 operation. (The switches can be authent[...]

  • Página 90

    79 Enhancements in Release F.04.08 Configuring Secure Shell (SSH) Note SSH in the ProCurve Series 2500 switches is based on the OpenSSH software toolkit. For more information on OpenSSH, visit http://www .openssh.com . Switch SSH and User Pass word Authentication . This option is a subset of the client public-key authentication show in figure 26. I[...]

  • Página 91

    80 Enhancements in Release F.04.08 Configuring Secure Shell (SSH) T erminology ■ SSH Server: An HP Series 2500 switch with SSH enabled. ■ Key Pair: A pair of keys generated by the switch or an SSH client application. Each pair includes a public key (that can be read by any one) and a private key that is held internally in the switch or by a cli[...]

  • Página 92

    81 Enhancements in Release F.04.08 Configuring Secure Shell (SSH) keys by default, check the application software fo r a key conversion utility or use a third-party key conversion utility . Figure 28. Example of Public Key in PEM- Encoded ASCII Format Common for SSHv2 Clients Figure 29. Example of Public Key in Non-Encoded ASCII Format (Common for [...]

  • Página 93

    82 Enhancements in Release F.04.08 Configuring Secure Shell (SSH) The general steps for configuring SSH include: A. Client Preparation 1. Install an SSH client application on a management station you want to use for access to the switch. (Refer to the documentation provided with your SSH client application.) 2. Optional—If you want the switch to [...]

  • Página 94

    83 Enhancements in Release F.04.08 Configuring Secure Shell (SSH) 6. Use your SSH client to access the switch using the switch’ s IP address or DNS name (if allowed by your SSH client application). Refer to the documentation provided with the client application. General Operating Rules and Notes ■ Any SSH client application you use must offe r [...]

  • Página 95

    84 Enhancements in Release F.04.08 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation SSH-Related Commands in This Section show ip ssh page 91 show ip client-public-key [< babble | fingerprint >] page 98 show ip host-public-key [< babble | fingerprint >] page 88 show authentication page 94 crypto key < generate |[...]

  • Página 96

    85 Enhancements in Release F.04.08 Configuring Secure Shell (SSH) 1. Assigning a Local Login (Operator) and Enable (Manager) Password At a minimum, HP recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with T elnet, W eb, or serial port access could modify the switch’ s configu[...]

  • Página 97

    86 Enhancements in Release F.04.08 Configuring Secure Shell (SSH) T o Generate or Erase the Switch’ s Public/Private RSA Host Key Pair . Because the host key pair is stored in flash instead of the runn ing-config file, it is not necessary to use write memory to save the key pair . Erasing the key pair automatically disables SSH. Syntax : crypto k[...]

  • Página 98

    87 Enhancements in Release F.04.08 Configuring Secure Shell (SSH) 3. Providing the Switch’ s Public Key to Clients When an SSH client contacts the switch for the first time, the client wi ll challenge the connection unless you have already copied the key into the clie nt’ s "known host" file. Copying the switch’ s key in this way re[...]

  • Página 99

    88 Enhancements in Release F.04.08 Configuring Secure Shell (SSH) 3. Ensure that there are no line breaks in the text string. (A public key must be an unbroken ASCII string. Line breaks are not allowed.) For exampl e, if you are using W indows® Notepad, ensure that W ord W rap (in the E dit menu) is disabled, and that the key text appears on a sin[...]

  • Página 100

    89 Enhancements in Release F.04.08 Configuring Secure Shell (SSH) Figure 35. Examples of Visual Phonetic and Hexadecimal Conversions of the Switch’ s Public Key Note The two commands shown in figure 35 convert the disp layed format of the switch’ s (host) public key for easier visual comparison of the switch’ s public key to a copy of the key[...]

  • Página 101

    90 Enhancements in Release F.04.08 Configuring Secure Shell (SSH) SSH Client Contact Behavior . At the first contact between the sw itch and an SSH client, if you have not copied the switch’ s public key into the switch, your client ’ s first connection to the switch will question the connection and, for security reas ons, give you the option o[...]

  • Página 102

    91 Enhancements in Release F.04.08 Configuring Secure Shell (SSH) Note on Port Number The ip ssh key-size command affects only a per -session, internal server key the switch creates, uses, and discards. This key is not accessible from the user interface. The switch’ s public (host) key is a separate, accessible key that is always 896 bits. HP rec[...]

  • Página 103

    92 Enhancements in Release F.04.08 Configuring Secure Shell (SSH) 5. Configuring the Switch for SSH Authentication Note that all methods in this section result in au thentication of the switch’ s public key by an SSH client. However , only Option B, below results in the sw itch also authenticating the client’ s public key . Also, for a more det[...]

  • Página 104

    93 Enhancements in Release F.04.08 Configuring Secure Shell (SSH) (For more on these topics, refer to “Further In formation on SSH Client Public-Key Authentication” on page 95.) W ith steps 1 - 3, above, completed and SSH properly configured on the switch, if an SSH client contacts the switch, login authentication automatically occurs first, us[...]

  • Página 105

    94 Enhancements in Release F.04.08 Configuring Secure Shell (SSH) Figure 37. Configuring for SSH Access Requiring a Client Public-Key Match and Manager Passwords Figure 38 shows how to check th e results of the above commands. Figure 38. SSH Configuration and Client-Public-Key Listing From Figure 37 6. Use an SSH Client T o Access the Switch T est [...]

  • Página 106

    95 Enhancements in Release F.04.08 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication The section titled “5. Configuring the Switch for SSH Authentication” on page 92 lists the steps for configuring SSH authentication on the switch. Howeve r , if you are new to SSH or need more details on client public-ke[...]

  • Página 107

    96 Enhancements in Release F.04.08 Configuring Secure Shell (SSH) b. Uses MD5 to create a hash version of this information. c. Returns the hash version to the switch. 7. The switch computes its own hash version of the da ta in step 6 and compar es it to the client’ s hash version. If they match, then the client is authenticated. Otherwise, the cl[...]

  • Página 108

    97 Enhancements in Release F.04.08 Configuring Secure Shell (SSH) 1. Use your SSH client application to create a public/private key pair . Refer to the documentation provided with your SSH client application for details. The Series 2500 switches support the following client-public-key properties: 2. Copy the client’ s public key (in ASCII, non-en[...]

  • Página 109

    98 Enhancements in Release F.04.08 Configuring Secure Shell (SSH) Note on Public Keys The actual content of a public key entry in a public key file is determ ined by the SSH client application generating the key . (Although you can manually add or edit any comments the client application adds to the end of the key , such as the smith@fellow at the [...]

  • Página 110

    99 Enhancements in Release F.04.08 Configuring Secure Shell (SSH) Replacing or Clearing the Public Key File. The client public-key file remains in the switch’ s flash memory even if you erase the startup-config file, reset the switch, or reboot the switch. ■ Y ou can replace the existing client public-key file by copying a new client public-key[...]

  • Página 111

    100 Enhancements in Release F.04.08 Configuring Secure Shell (SSH) Messages Related to SSH Operation Message Meaning 00000K Peer unreachable. Indicates an error in communicating with the tftp server or not finding the file to download . Causes include such factors as: • Incorrect IP configuration on the switch • Incorrect IP address in the comm[...]

  • Página 112

    101 Enhancements in Release F.04.08 Configuring Secure Shell (SSH) T roubleshooting SSH Operation See also “Messages Related to SSH Operation” on page 100. Generating new RSA host key. If the cache is depleted, this could take up to two minutes. After you execute the crypto key generate [rsa] command, the switch displays this message while it i[...]

  • Página 113

    102 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Configuring RADIUS Authentication and Accounting RADIUS ( Remote Authentication Dial-In User Service ) enables you to use up to three servers (one primary server and one or two backups) and main tain separate authentication and accounting for each RADIUS server emp[...]

  • Página 114

    103 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Note The Series 2500 switches do not support RADIUS security for SNMP (net work management) access or W eb browser interface access. For steps to block unauthorized access through the W eb browser interface, see “Controlling W eb Browser Interface Access When Usi[...]

  • Página 115

    104 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Switch Operating Rules for RADIUS ■ Y ou must have at least one RADIUS server accessible to the switch. ■ The switch supports authentication and accoun ting using up to three RADIUS servers. The switch accesses the servers in the order in which they are listed [...]

  • Página 116

    105 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication • If you need to replace the default UDP destination port (1812) the switch uses for authentication requests to a specific RADIUS server , select it befor e beginning the configuration process. • If you need to r[...]

  • Página 117

    106 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Outline of the Steps for Configuring RADIUS Authentication There are three main steps to co nfiguring RADIUS authentication: 1. Configure RADIUS authentication for controlling access through one or more of the following • Serial port •T e l n e t •S S H • P[...]

  • Página 118

    107 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting zero and then trying to log on again. As an alternative, you can reboot the switch, (thus resetting the dead-time counter to assume the server is available) and then try to log on again. • Number of Login Attempts: This is actually an aaa authentication command. [...]

  • Página 119

    108 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting For example, suppose you have already configured local passwords on the switch, but want to use RADIUS to protect primary T elnet and SSH access wi thout allowing a secondary T elnet or SSH access option (which would be the switch’ s local passwords): Figure 42. [...]

  • Página 120

    109 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting 2. Configure the Switch T o Access a RADIUS Server This section describes how to configure the swit ch to interact with a RADIUS server for both authentication and accounting services. (If you want to configure RADIUS accounting on the switch, go to “Configuring [...]

  • Página 121

    110 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting For example, suppose you have configured the switch as shown in figure 43 and you now need to make the following changes: 1. Change the encryption key for the se rver at 10.33.18.127 to "source0127". 2. Add a RADIUS server with an IP address of 10. 33.18.[...]

  • Página 122

    111 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting 3. Configure the Switch’ s Global RADIUS Parameters Y ou can configure the switch for the following global RADIUS parameters: ■ Number of login attempts: In a given session, specifies how many tries at entering the correct username and password pair are allowe [...]

  • Página 123

    112 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting radius-server retransmit < 1 .. 5 > If a RADIUS server fails to respond to an authentication request, specifies how many retries to attempt before closing the session. (Default: 3; Range: 1 - 5) Note Where the switch has multiple RADIUS servers config ured to[...]

  • Página 124

    113 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Figure 46. Listings of Global RADIUS Parameters Configured In Figure 45 Local Authentication Process When the switch is configured to use RADIUS, it r everts to local authentication only if one of these two conditions exists: ■ "Local" is the authentica[...]

  • Página 125

    114 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting For local authentication, the switch uses the Op erator -level and Manager -level username/password set(s) previously configured locally on the switch . (These are the usernames and passwords you can configure using the CLI password command, the W e b browser inter[...]

  • Página 126

    115 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Note This section assumes you have already: ■ Configured RADIUS authentication on the switch for one or more access methods ■ Configured one or more RADIUS servers to support the switch If you have not already done so, refer to “General RADIUS Setup Procedure[...]

  • Página 127

    116 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting ■ System accounting: Provides records containing the in formation listed below when system events occur on the switch, including system re set, system boot, and enabling or disabling of system accounting. The switch forwards the accounting information it collects[...]

  • Página 128

    117 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Outline of the Steps for Configuring RADIUS Accounting 1. Configure the switch for accessing a RADIUS server . Y ou can configure a list of up to three RADIUS servers (one primary , two backup). The switch operates on the assumption that a server can op erate in bo[...]

  • Página 129

    118 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting 1. Configure the Switch T o Access a RADIUS Server Before you configure the actual accounting parame ters, you should first configure the switch to use a RADIUS server . This is the same as the process de scribed on page 109. Y ou need to repeat this step here only[...]

  • Página 130

    119 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Figure 47. Example of Configuring for a RADIUS Se rver with a Non-Default Accounting UDP Port Number The radius-server command as shown in figure 47, above, configures the switch to use a RADIUS server at IP address 10.33.18.151, with a (non-de fault) UDP accountin[...]

  • Página 131

    120 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Determine how you want the switch to send accounting data to a RADIUS server: ■ Start-Stop: • Send a start record accounting notice at the beginning of the accounting session and a stop record notice at the end of the session. Both notices include the latest da[...]

  • Página 132

    121 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting ■ Updates: In addition to using a Start-Stop or Stop-O nly trigger , you can optionally configure the switch to send periodic accountin g record updates to a RADIUS server . ■ Suppress: The switch can suppress accounting for an unknown user having no username. [...]

  • Página 133

    122 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Figure 50. Example of General RADIUS Information from Show Radius Command Figure 51. Example of RADIUS Server Info rmation From the Show Radius Host Command[...]

  • Página 134

    123 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Te r m Definition Round T rip T ime The time interv al between the most recent Accou nting-Response and the Accounting- Request that matched it from this RADIUS accounting server . PendingRequests The number of RADIUS Accounting-Request packets sent to this server [...]

  • Página 135

    124 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting RADIUS Authentication Syntax : show authentication Displays the primary and secondary authentication methods configured for the Console, Telnet, Port-Access (802.1X), and SSH methods of accessing the switch. Also displays the number of access attempts currently all[...]

  • Página 136

    125 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting RADIUS Accounting Syntax : show accounting Lists configured accounting interval, "Empty User" suppression status, accounting types, methods, and modes. show radius accounting Lists accounting statistics for the RADIUS server(s) configured in the switch (u[...]

  • Página 137

    126 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Changing RADIUS-Server Access Order The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command. Also, when you add a new server IP address, it is placed in the highest empty position in the lis[...]

  • Página 138

    127 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Figure 58. Example of New RADIUS Server Search Order Messages Related to RADIUS Operation Message Meaning Can’t reach RADIUS server < x.x.x.x >. A designated RADIUS server is not responding to an authen- tication request. T ry pinging the server to determin[...]

  • Página 139

    128 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting T roubleshooting RADIUS Operation Symptom Possible Cause The switch does not receive a response to RADIUS authen- tication requests. In this case, the switch will attempt authentication using the secondary method configured for the type of access you are usi ng (co[...]

  • Página 140

    129 Enhancements in Release F.04.08 IP Preserve: Retaining VLAN-1 IP Addre ssing Across Configuration File Downloads IP Preserve: Retaining VLAN-1 IP Addressing Across Configuration File Downloads IP Preserve enables you to copy a configuration file to multiple Series 2500 switches while retaining the individual IP address and subnet mask on VLAN 1[...]

  • Página 141

    130 Enhancements in Release F.04.08 IP Preserve: Retaining VLAN-1 IP Addre ssing Across Configuration File Downloads For example, consider Figure 60: Figure 60. Example of IP Preserve Operation If you apply the following configuration file to Figu re 60, switches 1 - 3 will retain their manually assigned IP addressing and switch 4 will be configure[...]

  • Página 142

    131 Enhancements in Release F.04.08 IP Preserve: Retaining VLAN-1 IP Addre ssing Across Configuration File Downloads If you apply this configuration file to figure 60, swit ches 1 - 3 will still retain their manually assigned IP addressing. However , switch 4 will be configured with the IP addressing included in the file. Figure 62. Configuration F[...]

  • Página 143

    132 Enhancements in Release F.04.08 Configuring Port-Based Priority for Incoming Packets Configuring Port-Based Priority for Incoming Packets When network congestion occurs, it is important to move traffic on the basis of relative importance. However , without prioritization: ■ T raffic from less important sources can consum e bandwidth and slow [...]

  • Página 144

    133 Enhancements in Release F.04.08 Configuring Port-Based Priority for Incoming Packets Outbound Port Queues and Packet Priority Settings Series 2500 switch ports use two outbound port queues, Normal and High . As described below , these two queues map to the eight priority sett ings specified in the 802.1p standard. T able 8. Mapping Priority Set[...]

  • Página 145

    134 Enhancements in Release F.04.08 Configuring Port-Based Priority for Incoming Packets Operating Rules for Port-Based Priority on Series 2500 Switches ■ In the switch’ s default configuration, port-bas ed priority is configured as "0" (zero) for inbound traffic on all ports. ■ On a given port, when port-based priority is conf igur[...]

  • Página 146

    135 Enhancements in Release F.04.08 Configuring Port-Based Priority for Incoming Packets For example, suppose you wanted to configure ports 10 -12 on the switch to prioritize all untagged, inbound VLAN traffic as "Low" (priority leve l = 1; refer to table 8 on page 133). Figure 63. Example of Configuring Non-Default Prioritization on Unta[...]

  • Página 147

    136 Enhancements in Release F.04.08 Using the "Kill" Command To Terminate Remote Sessions Using the "Kill" Command T o T erminate Remote Sessions Using the kill command, you can terminate remote management sessions. ( Kill does not terminate a Console session on the serial port, either through a direct connection or via a modem.[...]

  • Página 148

    137 Enhancements in Release F.04.08 Configuring Rapid Reconfigur ation Spanning Tree (RSTP) Configuring Rapid Reconfiguration Spanning T ree (RSTP) This section is related to the information on “Spanning T ree Protocol” in your Series 2500 Switches Management and Configuration Guide (5969-2354), but it primaril y describes the new information a[...]

  • Página 149

    138 Enhancements in Release F.04.08 Configuring Rapid Reconfigur ation Spanning Tree (RSTP) The IEEE 802.1D version of Spanning T ree (STP) can take a fairly long time to resolve all the possible paths and to select the most efficient path through the network. The IEEE 802.1w Rapid Reconfigu- ration Spanning T ree (RSTP) significantly reduces the a[...]

  • Página 150

    139 Enhancements in Release F.04.08 Configuring Rapid Reconfigur ation Spanning Tree (RSTP) Configuring RSTP The default switch configuration has Spanning T ree disabled with RSTP as the selected protocol. That is, when Spanning T ree is enabled, RSTP is the version of Spanning T ree that is enabled, by default. Optimizing the RSTP Configuration T [...]

  • Página 151

    140 Enhancements in Release F.04.08 Configuring Rapid Reconfigur ation Spanning Tree (RSTP) CLI: Configuring RSTP V iewing the Current Spanning T ree Configuration. Even if Spanning T ree is disabled (the default configuration), the show spanning-tree config command lists the switch’ s full Spanning T ree configuration, including whole- switch an[...]

  • Página 152

    141 Enhancements in Release F.04.08 Configuring Rapid Reconfigur ation Spanning Tree (RSTP) Figure 65. Example of the Spanning T ree Configuration Display Enabling or Disabling RSTP. Issuing the command to enable Sp anning T ree on the switch imple- ments, by default, the RSTP version of Spanning T r ee for all physical ports on the switch. Disabli[...]

  • Página 153

    142 Enhancements in Release F.04.08 Configuring Rapid Reconfigur ation Spanning Tree (RSTP) Reconfiguring Whole-Switch Spanning T ree V alues. Y ou can configure one or more of the following parameters, which affect the Sp anning T ree operation of the whole switch: T able 9. Whole-Switch RSTP Parameters Parameter Default Description protocol-versi[...]

  • Página 154

    143 Enhancements in Release F.04.08 Configuring Rapid Reconfigur ation Spanning Tree (RSTP) Note Executing the spanning-tree command alone enables Spanning T r ee. Executing the command with one or more of the whole-switch RSTP parameters shown in the table on the previous page, or with any of the per -port RSTP parameters shown in the table on pag[...]

  • Página 155

    144 Enhancements in Release F.04.08 Configuring Rapid Reconfigur ation Spanning Tree (RSTP) Reconfiguring Per -Port Spanning T ree V alues. Y ou can configure one or more of the following parameters, which affect the Spanning T ree operation of the specified ports only: T able 10. Per -Port RSTP Parameters Parameter Default Description edge-port Y [...]

  • Página 156

    145 Enhancements in Release F.04.08 Configuring Rapid Reconfigur ation Spanning Tree (RSTP) Note on Path Cost RSTP implements a greater range of path costs and new default path cost values to account for higher network speeds. These values are different than the values defined by 802.1D STP as shown in the next table. Because the maximum value for [...]

  • Página 157

    146 Enhancements in Release F.04.08 Configuring Rapid Reconfigur ation Spanning Tree (RSTP) Menu: Configuring RSTP 1. From the console CLI prompt, enter the menu command. ProCurve Switch # menu 2. From the switch console Main Menu, select 2. Switch Configuration ... 4. Spanning T ree Operation 3. Press [E] (for E dit ) to highlight the Protocol V e[...]

  • Página 158

    147 Enhancements in Release F.04.08 Configuring Rapid Reconfigur ation Spanning Tree (RSTP) 7. Press the [T ab] key or use the arrow keys to go to the next parameter you want to change, then type in the new value or press the Space bar to select a value. (T o get help on this screen, press [Enter] to select the Actions –> line, then press [H] [...]

  • Página 159

    148 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) Enhancements in Release F .02.11 Fast-Uplink Spanning T ree Protocol (STP) Fast-Uplink STP improves the recove ry (convergence) time in wiring closet switches with redundant uplinks. Specifically , a Series 2500 switch having re dundant links toward the root device can dec[...]

  • Página 160

    149 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) T o use fast-uplink STP on a Series 2500 switch, configure fast-uplink ( Mode = Uplink ) only on the switch’ s upstream ports; (that is, two or more ports forming a group of redundant links in the direction of the STP root switch). If the active link in this group goes d[...]

  • Página 161

    150 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) When single-instance spanning tree (STP) is running in a network and a forwarding port goes down, a blocked port typically requires a period of (2 x ( forward delay ) + link down detection) to transition to forwarding. In a normal spanning tree environment, this transition[...]

  • Página 162

    151 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) Operating Rules for Fast Uplink ■ A switch with ports configured for fast uplink must be an edge switch and not either an interior switch or the STP root switch. Configure fast-uplink on only the edge switch por ts used for providing redundant STP uplink connections in a[...]

  • Página 163

    152 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) Menu: Viewing and Configuring Fast-Uplink STP Y ou can use the menu to quickly display the en tire STP configuration and to make any STP configuration changes. T o V iew and/or Configure Fast-Uplink STP . This procedure uses the Spanning T ree Operation screen to enable ST[...]

  • Página 164

    153 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) 3. If the Protocol V ersion is set to RSTP (as shown in figure 70), do the following: a. Press [E] ( E dit ) to move the cursor to the Protocol V ersion field. b. Press the Space bar once to change the Protocol Version field to STP . c. Press [Enter] to return to the comma[...]

  • Página 165

    154 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) Figure 72. The Spanning T ree Operation Screen 4. On the ports and/or trunks you want to us e for redundant fast uplink connections, change the mode to Uplink . In this example, port 1 and T rk1 (using ports 2 and 3) provide the redundant uplinks for STP: a. Press [E] (for[...]

  • Página 166

    155 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) Figure 73. Example of STP Enabled with T wo Redundant Links Configured for Fast-Uplink STP 5. Press [S] (for S ave ) to save the configuration changes to flash (non-volatile) memory . STP is enabled. Port 1 and T rk1 are now configured for fast-uplink STP .[...]

  • Página 167

    156 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) T o V iew Fast-Uplink STP Status. Continuing from figures 72 and 73 in the preceding procedure, this task uses the same screen that you would use to view STP status for other operating modes. 1. From the Main Menu, select: 1. Status and Counters . . . 7. Spanning T ree Inf[...]

  • Página 168

    157 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) In figure 75: • Port 1 and T rk1 (trunk 1; formed from port s 2 and 3) are redundant fast-uplink STP links, with trunk 1 forwarding (the active link) and port 1 blocking (the backup link). (T o view the configuration for port 1 and T r k1, see figure 73 on page 155.) •[...]

  • Página 169

    158 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) Figure 77. Example of a Show Spanning-T ree Listing for the T opology Shown in Figure 76 Indicates that T rk1 (T runk 1) provides the currently active path to the STP root device. Redundant STP link in the Blocking state. Links to PC or Workstation End Nodes Redundant STP [...]

  • Página 170

    159 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) Figure 78. Example of a Configuration Supp orting the STP T opology Shown in Figure 76 Using the CLI T o Configure Fast-Uplink STP . This example uses the CLI to configure the switch for the fast-uplink operation shown in figures 76, 77, and 78. (The example assumes that p[...]

  • Página 171

    160 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) Syntax : spanning-tree e < port/trunk-list > mode uplink Enables STP on the switch and configures fast-uplink STP on the designated interfaces (port or trunk). HP2512(config)# spanning-tree e 1,trk1 mode uplink Operating Notes Effect of Reboots on Fast-Uplink STP Ope[...]

  • Página 172

    161 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) Fast-Uplink T roubleshooting Some of the problems that can result from inco rrect usage of Fast-Uplink STP include temporary loops and generation of duplicate packets. Problem sources can include: ■ Fast-Uplink is configured on a swit ch that is the STP root device. ■ [...]

  • Página 173

    162 Enhancements in Release F.02.11 The Show Tech Command for Listing Swit ch Configuration and Operating Details The Show T ech Command for Listing Switch Configuration and Operating Details The show tech command provides a tool for gathering inform ation to help with troubleshooting. This command outputs, in a single listin g, switch operating an[...]

  • Página 174

    163 Enhancements in Release F.02.11 The Show Tech Command for Li sting Switch Configuration and Operating Details 1. In Hyperterminal, click on T ransfer | Capture T ext... Figure 80. The Capture T ext window of the Hypert ext Application Used with Microsoft Windows Software 2. In the File field, enter the path and file name under which you want to[...]

  • Página 175

    164 Enhancements in Release F.02.02 Documentation for Enhancements in Release F.02.02 Enhancements in Release F .02.02 Documentation for Enhancements in Release F .02.02 Software release F .02.02 contains these enhancements: Enhancement Summary Page T ACACS+ T ACACS+ authentication enables you to use a central server to allow or deny access to Seri[...]

  • Página 176

    165 Enhancements in Release F.02.02 TACACS+ Authentication for Centraliz ed Control of Switch Access Security T ACACS+ Authentication for Centralized Control of Switch Access Security T ACACS+ Feat ures T ACACS+ authentication enables you to use a central server to allow or deny access to Series 2500 switches (and other T ACACS-aware devices) in yo[...]

  • Página 177

    166 Enhancements in Release F.02.02 TACACS+ Authentication for Centraliz ed Control of Switch Access Security W ith authentication configured on the switch and T ACACS+ configured and operating on a server in your network, an attempt to log on through T elnet or the switch’ s serial port will be passed to the T ACACS+ server for verification befo[...]

  • Página 178

    167 Enhancements in Release F.02.02 TACACS+ Authentication for Centraliz ed Control of Switch Access Security T erminology Used in T ACACS Applications: ■ NAS (Network Access Server): This is an industry term for a T ACACS-aware device that communicates with a T ACACS server for authen tication services. Some other terms you may see in literature[...]

  • Página 179

    168 Enhancements in Release F.02.02 TACACS+ Authentication for Centraliz ed Control of Switch Access Security General System Requirements T o use T ACACS+ authentication, you need the following: ■ Release F .02.02 or later software running on your Series 2500 switch. Ensure that software release F .02.02 or later is running on your swit ch. Use a[...]

  • Página 180

    169 Enhancements in Release F.02.02 TACACS+ Authentication for Centraliz ed Control of Switch Access Security T ACACS+ Operation T ACACS+ in Series 2500 switches manages authen tication of logon attempts through either the Console port or T elnet. For both Console and Teln et you can configure a login (read-only) and an enable (read/write) privileg[...]

  • Página 181

    170 Enhancements in Release F.02.02 TACACS+ Authentication for Centraliz ed Control of Switch Access Security 2. Ensure that the switch is configured to operate on your network and can communicate with your first -choice T ACACS+ server . (At a minimum, th is requires IP addressing and a successful ping test from the switch to the server .) 3. Dete[...]

  • Página 182

    171 Enhancements in Release F.02.02 TACACS+ Authentication for Centraliz ed Control of Switch Access Security Caution You should ensure that the switch has a local Manager password. Otherwise, if authentication through a TACACS+ server fails for any reason, then unauthorized acce ss will be available through the console port or Telnet. 6. Using a t[...]

  • Página 183

    172 Enhancements in Release F.02.02 TACACS+ Authentication for Centraliz ed Control of Switch Access Security Configuring T ACACS+ on the Switch The switch offers three command areas for T ACACS+ operation: ■ show authentication and show tacacs: Displays the switch’ s T ACACS+ configuration and status. ■ aaa authentication: A command for conf[...]

  • Página 184

    173 Enhancements in Release F.02.02 TACACS+ Authentication for Centraliz ed Control of Switch Access Security V iewing the Switch’ s Current Authentication Configuration This command lists the number of login attempts the switch allows in a single login session, and the primary/secondary access methods conf igured for each type of access. Syntax [...]

  • Página 185

    174 Enhancements in Release F.02.02 TACACS+ Authentication for Centraliz ed Control of Switch Access Security Configuring the Switch’ s Authentication Methods The aaa authentication command configures the access control for console port and T elnet access to the switch. That is, for both access methods, aaa authentication specifies whether to use[...]

  • Página 186

    175 Enhancements in Release F.02.02 TACACS+ Authentication for Centraliz ed Control of Switch Access Security T able 13. Primary/Secondary Authentication T able Access Method and Privilege Level Authentication Options Effect on Access Attempts Primary Secondary Console — Login local none* Local username/password access only. tacacs local If T aca[...]

  • Página 187

    176 Enhancements in Release F.02.02 TACACS+ Authentication for Centraliz ed Control of Switch Access Security For example, here is a set of access options and the corresponding comm ands to configure them: Console Login (Operator , or Read-Only) Access: Primary using T ACACS+ server . Secondary using Local. HP2512(config)# aaa authenticationconsole[...]

  • Página 188

    177 Enhancements in Release F.02.02 TACACS+ Authentication for Centraliz ed Control of Switch Access Security Configuring the Switch’ s T ACACS+ Server Access The tacacs-server command configures these parameters: ■ The host IP address(es) for up to three T ACACS+ servers; one first-choice and up to two backups. Designating backup servers provi[...]

  • Página 189

    178 Enhancements in Release F.02.02 TACACS+ Authentication for Centraliz ed Control of Switch Access Security Name Default Range host < ip-addr > [key < key-string > none n/a Specifies the IP address of a device ru nning a T ACACS+ server application. Optionally , can also specify the unique, per- server encryption key to use when each [...]

  • Página 190

    179 Enhancements in Release F.02.02 TACACS+ Authentication for Centraliz ed Control of Switch Access Security Adding, Removing, or Changing th e Priority of a T ACACS+ Server . Suppose that the switch was already configured to use T ACACS+ servers at 10.28.227.10 and 10.28.227.15. In this case, 10.28.227.15 was entered first, and so is listed as th[...]

  • Página 191

    180 Enhancements in Release F.02.02 TACACS+ Authentication for Centraliz ed Control of Switch Access Security To configure westside as a global encryption key: HP2512(config) tacacs-server key westside To configure westside as a per-server encryption key: HP2512(config)tacacs-server host 10.28.227.63 key westside An encryption key can contain up to[...]

  • Página 192

    181 Enhancements in Release F.02.02 TACACS+ Authentication for Centraliz ed Control of Switch Access Security How Authentication Operates General Authentication Process Using a T ACACS+ Server Authentication through a T ACACS+ server operates generally as described below . For specific operating details, refer to the documentation you received with[...]

  • Página 193

    182 Enhancements in Release F.02.02 TACACS+ Authentication for Centraliz ed Control of Switch Access Security • If the username/password pair received from the requesting terminal matches a user - name/password pair previously stored in the server , then the server passes access permission through the switch to the terminal. • If the username/p[...]

  • Página 194

    183 Enhancements in Release F.02.02 TACACS+ Authentication for Centraliz ed Control of Switch Access Security Using the Encryption Key General Operation When used, the encryption key (sometimes termed "k ey", "secret key", or "secret") helps to prevent unauthorized intruders on the network from r eading username and pa[...]

  • Página 195

    184 Enhancements in Release F.02.02 TACACS+ Authentication for Centraliz ed Control of Switch Access Security For example, you would use the next command to co nfigure a global encryption key in the switch to match a key entered as north40campus in two target TACACS+ servers. (That is, both servers use the same key for your switch.) Note that you d[...]

  • Página 196

    185 Enhancements in Release F.02.02 TACACS+ Authentication for Centraliz ed Control of Switch Access Security Messages The switch generates the CLI messages listed below . However , you may see other messages generated in your T ACACS+ server application. For information on such messages, refer to the documentation you received with the application[...]

  • Página 197

    186 Enhancements in Release F.02.02 TACACS+ Authentication for Centraliz ed Control of Switch Access Security T roubleshooting T ACACS+ Operation All Users Are Locked Out of Access to the Switch. If the switch is functioning properly , but no username/password pairs result in console or T elnet access to th e switch, the problem may be due to how t[...]

  • Página 198

    187 Enhancements in Release F.02.02 TACACS+ Authentication for Centraliz ed Control of Switch Access Security ■ The time quota for the account has been exhausted. ■ The time credit for th e account has expired. ■ The access attempt is outside of th e timeframe allowed for the account. ■ The allowed number of concurrent logi ns for the accou[...]

  • Página 199

    188 Enhancements in Release F.02.02 CDP (Updated by Software Version F.05.50) CDP (Updated by Software V ersion F .05.50) Software version F .02.02 for the Series 2500 sw itches, implemented CDP-v1 (Cisco Discovery Protocol, version 1) to help discover devices in a network. Software version F .05.50 and beyond updates this network discovery method [...]

  • Página 200

    189 Enhancements in Release F.02.02 New Time Synchronization Protocol Options T imeP T ime Synchronization Y ou can either manually assign th e switch to use a T imeP server or use DHCP to assign the TimeP server . In either case, the switch can get its time synchronization updates from only one, designated T imep server . This option enhances secu[...]

  • Página 201

    190 Enhancements in Release F.02.02 New Time Synchronization Protocol Options •T i m e P : DHCP or Manual 3. Configure the remaining parameters for the time protocol you selected. The switch retains the parameter settings for both time protocols even if you change from one protocol to the other . Thus, if you select a time protocol the switch use[...]

  • Página 202

    191 Enhancements in Release F.02.02 New Time Synchronization Protocol Options T able 15. SNTP Parameters Menu: Viewing and Configuring SNTP T o View , Enable, and Modify SNTP T ime Protocol: 1. From the Main Menu, select: 2. Switch Configuration... 1. System Information SNTP Parameter Operation T ime Sync Method Used to select either SNTP , TIMEP ,[...]

  • Página 203

    192 Enhancements in Release F.02.02 New Time Synchronization Protocol Options Figure 88. The System Inform ation Screen (Default V alues) 2. Press [E] (for E dit ). The cursor moves to the System Name field. 3. Use [v] to move the cursor to the T ime Sync Method field. 4. Use the Space bar to select SNTP , then press [v] once to display and move to[...]

  • Página 204

    193 Enhancements in Release F.02.02 New Time Synchronization Protocol Options Note: This step replaces any previously configured server IP address. If you will be using backup SNTP servers (r equires use of the CLI), then see “SNTP Unicast T ime Polling with Mu ltiple SNTP Servers” on page 205. iii. Press [v] to move the cursor to the Server V [...]

  • Página 205

    194 Enhancements in Release F.02.02 New Time Synchronization Protocol Options Viewing the Current SNTP Configuration This command lists both the time synchronizatio n method (T imeP , SNTP , or None) and the SNTP configuration, even if SNTP is not the selected time protocol. Syntax : show sntp For example, if you configured the switch with SNTP as [...]

  • Página 206

    195 Enhancements in Release F.02.02 New Time Synchronization Protocol Options Enabling SNTP in Broadcast Mode. Because the switch provides an SNTP polling interval (default: 720 seconds), you need only these two commands for minimal SNTP broadcast configura- tion: Syntax : timesync sntp Selects SNTP as the time synchronization method. sntp broadcas[...]

  • Página 207

    196 Enhancements in Release F.02.02 New Time Synchronization Protocol Options Syntax : timesync sntp Selects SNTP as the time synchronization method. sntp unicast Configures the SNTP mode for Unicast operation . sntp server < ip-addr > [ version ] Specifies the SNTP server. The default server version is 3. no sntp server < ip-addr > Del[...]

  • Página 208

    197 Enhancements in Release F.02.02 New Time Synchronization Protocol Options Figure 93. Example of Specifying the SNTP Protocol V ersion Number Changing the SNTP Poll Interval. This command lets you specif y how long the switch waits between time polling intervals. The default is 720 seconds and the range is 30 to 720 seconds. (This parameter is s[...]

  • Página 209

    198 Enhancements in Release F.02.02 New Time Synchronization Protocol Options Disabling the SNTP Mode. If you want to prevent SNTP from being used even if selected by timesync (or the Menu interface’ s T ime Sync Method parameter), configure the SNTP mode as disabled. Syntax : no sntp Disables SNTP by changing th e SNTP mode configuration to Disa[...]

  • Página 210

    199 Enhancements in Release F.02.02 New Time Synchronization Protocol Options T able 16. T imep Parameters Menu: Viewing and Configuring T imeP T o View , Enable, and Modify the TimeP Protocol: 1. From the Main Menu, select: 2. Switch Configuration... 1. System Information SNTP Parameter Operation T ime Sync Method Used to select either TIMEP (the [...]

  • Página 211

    200 Enhancements in Release F.02.02 New Time Synchronization Protocol Options Figure 96. The System Inform ation Screen (Default V alues) 2. Press [E] (for E dit ). The cursor moves to the System Name field. 3. Use [v] to move the cursor to the T ime Sync Method field. 4. If TIMEP is not already selected, use the Space bar to select TIMEP , then pr[...]

  • Página 212

    201 Enhancements in Release F.02.02 New Time Synchronization Protocol Options iii. Press [>] to move the cursor to the Poll Interval field, then go to step 6. 6. In the Poll Interval field, enter the time in minutes that you want for a T i meP Poll Interval. Press [Enter] to return to the Actions line, then [S] (for S ave ) to enter the new time[...]

  • Página 213

    202 Enhancements in Release F.02.02 New Time Synchronization Protocol Options If SNTP is the selected time synchronization method ), show timep still lists the Ti meP configuration even though it is not currently in use: Figure 98. Example of SNTP Configuration When SN TP Is Not the Selected T ime Synchronization Method Configuring (Enabling or Dis[...]

  • Página 214

    203 Enhancements in Release F.02.02 New Time Synchronization Protocol Options For example, suppose: ■ T ime synchronization is configured for SNTP . ■ Y ou want to: 1. View the current time synchronization. 2. Select T imeP as the time synchronization mode. 3. Enable T imeP for DHCP mode. 4. V iew the T i meP configuration. The commands and out[...]

  • Página 215

    204 Enhancements in Release F.02.02 New Time Synchronization Protocol Options HP2512(config)# timesync timep Selects TimeP . HP2512(config)# ip timep manual 10.28.227.141 Activates TimeP in Manual mode . Figure 100. Example of Configuring T imep for Manual Operation Changing the T imeP Poll Interval. This command lets you specify how long the switc[...]

  • Página 216

    205 Enhancements in Release F.02.02 New Time Synchronization Protocol Options Disabling the T imeP Mode. Disabling the T imeP mode means to configure it as disabled. (Disabling T imeP prevents the switch from using it as the time synchronization protocol, even if it is the selected T ime Sync Method option.) Syntax : no ip timep Disables T imeP by [...]

  • Página 217

    206 Enhancements in Release F.02.02 New Time Synchronization Protocol Options Adding and Deleting SNTP Server Addresses Adding Addresses. As mentioned earlier , you can configure one SNTP server address using either the Menu interface or the CLI. T o configure a seco nd and third address, you must use the CLI. For example, suppose you have already [...]

  • Página 218

    207 Enhancements in Release F.02.02 New Time Synchronization Protocol Options Menu Interface Operation with Multiple SNTP Server Addresses Configured When you use the Menu interface to configure an SN TP server IP address, the new address writes over the current primary address, if one is config ured. If there are multiple addresses configured, the[...]

  • Página 219

    208 Enhancements in Release F.02.02 Operation and Enhancements for Mu ltimedia Traffic Control (IGMP) Operation and Enhancements for Multimedia T raffic Control (IGMP) How Data-Driven IGMP Operates The information in this section supplements the information provided under "Multimedia T raffic Control with IP Multicast (IGMP)" beginning on[...]

  • Página 220

    209 Enhancements in Release F.02.02 Operation and Enhancements for Mu ltimedia Traffic Control (IGMP) multicast packets to ports from which a join requ est for that group has not been received. (If the switch or router has not received any join requests for a given multicast group, it drops the traffic it receives for that group.) Figure 104. Examp[...]

  • Página 221

    210 Enhancements in Release F.02.02 Operation and Enhancements for Mu ltimedia Traffic Control (IGMP) Fast-Leave IGMP IGMP Operation Presents a "Delayed Leave" Problem. Where multiple IGMP clients are connected to the same port on an IGMP device (switc h or router), if only one IGMP client joins a given multicast group, then later sends a[...]

  • Página 222

    211 Enhancements in Release F.02.02 Operation and Enhancements for Mu ltimedia Traffic Control (IGMP) unnecessary multicast traffic from that group to th e former IGMP client. This improves performance by reducing the amount of multicast traffic going thro ugh the port to the IGMP client after the client leaves a multicast group. IGMP in the Series[...]

  • Página 223

    212 Enhancements in Release F.02.02 Operation and Enhancements for Mu ltimedia Traffic Control (IGMP) Forced Fast-Leave IGMP Forced Fast-Leave IGMP Features Forced Fast-Leave IGMP speeds up the process of blocking unnecessary IGMP traffic to a switch port that is connected to multiple end nodes. (Thi s feature does not activate on ports where the s[...]

  • Página 224

    213 Enhancements in Release F.02.02 Operation and Enhancements for Mu ltimedia Traffic Control (IGMP) For example: Figure 106. Listing the Forced Fast-L eave State for Ports in an HP2512 Switch T o list the Forced Fast-Leave state for a single port. Syntax : getmib hpSwitchIgmpPortForcedLeaveState.1. < port-number > (Not case-sensitive.) getm[...]

  • Página 225

    214 Enhancements in Release F.02.02 Operation and Enhancements for Mu ltimedia Traffic Control (IGMP) CLI: Configuring Per -Port Forced Fast-Leave IGMP In the factory-default configuration, Forced Fast-L eave is disabled for all ports on the switch. T o enable (or disable) this feature on individual port s, use the switch’ s MIB commands, as show[...]

  • Página 226

    215 Enhancements in Release F.02.02 Operation and Enhancements for Mu ltimedia Traffic Control (IGMP) Querier Operation The function of the IGMP Querier is to poll other IGMP-enabled de vices in an IGMP-enabled VLAN to elicit group membership information. The switch pe rforms this function if there is no other device in the VLAN, such as a multicas[...]

  • Página 227

    216 Enhancements in Release F.02.02 The Switch Excludes Well-Known or Reserved Mult icast Addresses from IP Multicast Filtering The Switch Excludes W ell-Known or Reserved Multicast Addresses from IP Multicast Filtering Each multicast host group is identified by a sing le IP address in the range of 224.0.0.0 through 239.255.255.255. Specific groups[...]

  • Página 228

    217 Enhancements in Release F.02.02 Port Security: Changes to Retaining Learned Static Addresses Across a Reboot Port Security: Changes to Retaining Learned Static Addresses Across a Reboot Recommended Port Security Procedures ■ Before configuring port security , use the swit ch’ s TFTP features to save a copy of the configuration. In the event[...]

  • Página 229

    218 Enhancements in Release F.02.02 Port Security: Changes to Retaining Le arned Static Addresses Across a Reboot T o remove an address learned using either of the preceding methods, do one of the following: • Delete the address by using the no port-security < port-number > mac-address < mac-addr > command. • Download a previously s[...]

  • Página 230

    219 Enhancements in Release F.02.02 Username Assignment and Prompt Username Assignment and Prompt Prior to release F .02.02, assigning a manager or oper ator username to the switch required you to use the W eb browser interface. Also, only the W eb brow ser interface required y ou to enter a username at logon if one was configured for the privilege[...]

  • Página 231

    220 Updates and Corrections for the Management and Configuration Guide Updates and Corrections for the Management and Configuration Guide This section lists updates to the Management and Configuration Guide (p/n 5969-2354; August 2000). Changes in Commands for Viewing the Current Configuration Files On page C-4, the manual incorrectly states that s[...]

  • Página 232

    221 Updates and Corrections for the M anagement and Configuration Guide • Running configuration has been changed and needs to be saved. This message indicates that the two configurations are different. Change in CLI Command for Listing Intrusion Alerts W ith port security configured, the switch formerly used show interfaces to display a port stat[...]

  • Página 233

    222 Updates and Corrections for the Management and Configuration Guide This change affects the following commands: Restoring the Factory-Default Configuration, Including Usernames and Passwords Page 11-20 in the Management and Configuration guide incorrectly implies that the erase startup-config command clears passwords. This command does reset the[...]

  • Página 234

    223 Updates and Corrections for the M anagement and Configuration Guide GVRP Does Not Require a Common VLAN Delete the note at the top of page 9-78 in the Management and Configuration Guide. GVRP does not require a common VLAN (VID) connecting all of the GVRP-aware devices in the network to carry GVRP packets. Incomplete Information on Saving Confi[...]

  • Página 235

    224 Updates and Corrections for the Management and Configuration Guide Note Duplicate MAC addresses are likely to occur in VLAN environments where XNS and DECnet are used. For this reason, using VLANs in XNS and DECnet environments is not currently supported. On page 11-10 of the Management and Configuration Guide , under "Duplicate MAC Addres[...]

  • Página 236

    225 Updates and Corrections for the M anagement and Configuration Guide Also on page 9-54, add the foll owing item to the bulleted list: ■ When T imeP is enabled and configured for DH CP operation, the switch learns of T imeP servers from DHCP and Bootp packet s received on the primary VLAN. Misleading Statement About VLANs On page 9-56 in the Ma[...]

  • Página 237

    226 Software Fixes Software Fixes Release F .01.07 was the first software rel ease for the ProCurve Series 2500 switches Release F.01.08 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233 Release F.01.09 (Beta Release Only) . . . . . . . . . . . . . . . . . . . . . . . . . .[...]

  • Página 238

    227 Software Fixes Release F.05.19 (Never Released) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 1 Release F.05.20 (Never Released) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 1 Release F.05.21 (Never Released) . . . . . . . . . . . . . . . . . . . . [...]

  • Página 239

    228 Software Fixes Release F.05.64 (Never Released) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 7 Release F.05.65 (Not a Public Release) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257 Release F.05.66 (Never Released) . . . . . . . . . . . . . . . . . . . . . .[...]

  • Página 240

    229 Software Fixes Release F .01.08 Fixed in release F .01.08: ■ 100/1000-T transceiver — When using this 100/1000-T transceiver and negotiating to 100 Mbps, the port may report that it is operating at 100 full duplex, when it is actually operating at 100 half duplex. ■ W eb-Browser Interface — The product label in the W eb-browser display [...]

  • Página 241

    230 Software Fixes Note The startup-config file saved u nder version F .02.02 is NOT back ward-compatible with previous software versions. HP recommends that you save a c opy of the pre-02.02 startup-config file BEFORE UPGRADING to F .02.02 or greater , in case there is ever a need to revert back to pre-02.02 software. Instructions for saving a cop[...]

  • Página 242

    231 Software Fixes ■ LACP — Resolves several issues with LACP , including: conversation on a trunk may momentarily fail if a trunk member port goes down, difficulty accessing the MIB, configura- tion issues, port priority issues, problems with dynamic negotiation, and switch crashes with messages similar to: -> Software Exception at woody_de[...]

  • Página 243

    232 Software Fixes Release F .02.04 (Beta Release Only) The switch's CDP packets have been modified to better interoperate with older Cisco IOS versions. Certain legal CDP packets sent from the ProCurve switch could result in Cisco routers, running older IOS versions, to crash. Note The ProCurve switch's CDP packets are legal both before [...]

  • Página 244

    233 Software Fixes ■ IGMP — If there are several IGMP groups in seve ral VLANs, and the switch is acting as Querier , the switch may stop sending IGMP Queries on some of its VLANs. ■ IGMP — All Querier intervals on the switch will be cut in half if IGMP , after already being enabled, is disabled and then re-enabled. ■ IGMP — The switch [...]

  • Página 245

    234 Software Fixes Note Contact your local Customer Care Center before activating this feature to receive proper configura- tion instructions. Failure to configure this featur e properly will result in unexpected connectivity problems. Release F .02.06 (Beta Release Only) T extual modifications made to th e Isolated Port Groups feature. Release F .[...]

  • Página 246

    235 Software Fixes ■ XRMON — V arious XRMON counters display incorrec t values. Possible symptoms include network management applications reporting a too high network utilization (T opT ools may report "crossed octets"). Release F .02.08 (Beta Release Only) Fixed in F .02.08: ■ Crash — If a transceiver is repeatedly installed and [...]

  • Página 247

    236 Software Fixes Release F .02.12 Fixed in release F .02.12 ■ Monitoring Port — When a config file containing a Monitoring Port configuration is loaded onto the switch via TFTP or XModem, the Moni toring Port feature does not work properly . Release F .02.13 Fixed in release F .02.13 ■ Monitoring Port — Monitoring Port configuration chang[...]

  • Página 248

    237 Software Fixes ■ Port Configuration — Changing a port setting from one Auto mode to another may not be reflected in Auto-negotiation's advertised capab ility without a switch reset, or module hot- swap. ■ Port Monitoring — Port monitoring does not work correc tly after a TFTP transfer of the configuration from the switch to the ser[...]

  • Página 249

    238 Software Fixes Release F .04.08 Fixed in release F .04.08 Modification of Lab troubleshooting commands. Release F .04.09 (Beta Release Only) Fixed in release F .04.09 ■ Agent Hang — Agent processes (such as console, telnet, STP , ping, etc.) may stop functioning when the IGMP querier function is disabled, and then re-enabled, on a VLAN that[...]

  • Página 250

    239 Software Fixes Note The startup-config file saved u nder version F .05.05, or later , is NOT backward-compatible with previous software versions. The user is advised to save a copy of the pre-05 .05 startup-config file BEFORE UPGRADING to F .05.05 or greater , in case ther e is ever a need to revert back to pre- 05.05 software. Instructions for[...]

  • Página 251

    240 Software Fixes ■ Crash — If dynamic trunks are configured and the sw itch is rebooted, the switch may crash with a message similar to: ->Software exception at rstp_dyn_reconfit.c:243 in -- 'Lpmgr' ■ Crash — The "show config" CLI command may cause the switch to crash with a message similar to: ->Software excepti[...]

  • Página 252

    241 Software Fixes ■ Link-up polling interval — A delay of up to 1.7 seconds between plugging in a cable (linkbeat established) and traffic being forwar ded to and from that port may cause problems with some time sensitive applications. For example, AppleT alk dynamic address negotiation can be affected, resulting in multiple devices using the [...]

  • Página 253

    242 Software Fixes ■ STP/Startup-Config — When a startup-config file contai ning an 802.1D STP configuration is reloaded that was saved off from the swit ch, an error similar to the following occurs: Line: 13. Invalid input: stp802.1d Corrupted download file. ■ T ACACS+ — When logging into the switch via T A CACS+ encrypted authentication, [...]

  • Página 254

    243 Software Fixes Release F .05.12 (Beta Release Only) Adds the following enhancement: ■ Changes to 802.1X to support Open VLAN Mode Release F .05.13 (Beta Release Only) Adds the following enhancement: ■ Changes to Isolated Port Groups to add two new groups: group1 and group2. Release F .05.14 This update is only for the ProCurve 2312, ProC ur[...]

  • Página 255

    244 Software Fixes ■ Performance/Crash (PR_4967) — Slow performance may occur when using 10/100 ports or the 100FX transceiver operating at half-dupl ex. This also may occur when using 100FX, Gigabit Stacking, Gigabit-SX, or Gigabit-LX tr ansceivers operating at full-duplex. Note: The Gigabit transceivers can only operate in full-duplex mode. T[...]

  • Página 256

    245 Software Fixes ■ Crash — When setting the host name to a very long (~20 characters) string, the switch may crash with a bus error similar to: -> Bus error: HW Addr=0x29283030 IP=0x002086ac Task='mSnmpCtrl' Task ID=0x165ae00. ■ Flow control — Users are allowed to configure flow control for half-duplex ports, even though the [...]

  • Página 257

    246 Software Fixes ■ SNMP — The OID ifAlias is defaulted to "not a ssigned", causing Network Node Manager to log error messages. (The fix is to default ifAlias to a zero-length string, as stated in the MIB, or make each port have a unique value.) ■ SNMP — The switch does not support community names other than PUBLIC in traps. ■ [...]

  • Página 258

    247 Software Fixes ■ RSTP/LACP — T urning LACP off, then back on, le aves LACP in Passive mode. This can T runking — With ports 25 and 26 configured in a trunk group, the show trunk 25 , 26 command displays incorrect information for T r unk Group Name and T runk Group T ype. Example output: ■ We b — Sun java v1.3.x and v1.4.x interope rab[...]

  • Página 259

    248 Software Fixes Release F .05.19 (Never Released) Fixed in release F .05.19 ■ Counters (PR_92221) — Counters for J4834A 100/1000 xcvr do not clear . ■ Crash/Bus Error (PR_92466) — Bus error related to 802.1X/unauthorized VLAN. ■ Agent Hang (PR_92802) — Agent 'hang'. Fix for agent 'hang' (ping and TELNET hang, but [...]

  • Página 260

    249 Software Fixes ■ Syslog (PR_1000003656) — The syslog capability added to F .05.22. ■ Syslog (PR_1000004080) — A timep event log messa ge on syslog is truncated. ■ W eb (PR_81848) — 'Clear changes' button does not wo rk for the Default Gateway or VLAN selections. ■ W eb (PR_82039) — If the user selects GVRP mode, se lec[...]

  • Página 261

    250 Software Fixes Release F .05.24 (Not a General Release) Fixed in release F .05.24 ■ W eb (PR_1000007144) — When using the W eb user interface, VLAN Configuration, Add/ Remove VLANs, GVRP Mode, clicking on the help link gives the message, The page you requested is no longer located here. Release F .05.25 (Not a General Release) Fixed in rele[...]

  • Página 262

    251 Software Fixes ■ SNMP (PR_1000190654) — When switch has the IP addr ess configured on a VLAN other than the "default VLAN", Find/Fix/Inform (FFI) SNMP traps list a 0.0. 0.0 IP address in the URL. ■ W eb/Crash (PR_1000092011) — While using the W eb user interface, switch may crash with a "software exceptio n" message [...]

  • Página 263

    252 Software Fixes Release F .05.32 (Not a General Release) Fixed in release F .05.32 ■ TFTP/Config (PR_1000215024) — After a new configuration is loaded from a TFTP server , the switch reboots so the new configuration will take effect. If that same configuration is loaded from a TFTP server , the switch recogn izes that the configuration is un[...]

  • Página 264

    253 Software Fixes Release F .05.37 (Not a General Release) Fixed in release F .05.36 ■ CLI (PR_83354) — The command " show mac vlan <VID> " displays all MAC addresses known on the switch (from all VLANs) instead of just those in the specified VLAN. Release F .05.38 (Never Released) Fixed in release F .05.38 ■ TCP (PR_10002461[...]

  • Página 265

    Release F .05.51 (Never Released) Fixed in release F .05.51 ■ Crash (PR_1000297510) — When using the W eb User Interface and the switch is set as commander for stacking, the switch may crash with a message similar to: PPC Bus Error exception vector 0x300: Stack-frame=0x01731de8 HW Addr=0x02800007 IP=0x0022dc30 Task='tHttpd' Task ID=0x[...]

  • Página 266

    255 Software Fixes Release F .05.55 Fixed in release F .05.55 ■ LLDP (PR_1000310666) — The command "show LLDP" does not display information learned from CDPv2 packets. ■ Menu (PR_1000318531) — When using the 'Menu' interface, the Switch hostname may be displayed incorrectly . ■ RSTP (PR_99049) — Switch does not detec[...]

  • Página 267

    256 Software Fixes Release F .05.59 Fixed in release F .05.59 ■ Daylight savings (PR_1000364740) — Due to the passage of the Energy Policy Act of 2005, Pub. L. no. 109-58, 119 Stat 594 (2005), starting in March 20 07 daylight time in the United States will begin on the second Sunday in Marc h and end on the first Sunday in November . Release F [...]

  • Página 268

    257 Software Fixes Daylight Savings (PR_1000467724) — DST is outdated for the W estern-European Time Zone. This change corrects the schedule for the W estern Europe T ime Zone: DST to start the last Sunday in March and DST to end the last Sunday in October. Release F .05.64 (Never Released) No issues fixed in release F .05.64 Release F .05.65 (No[...]

  • Página 269

    258 Software Fixes Release F .05.69 Fixed in release F .05.69 ■ ProCurve Manager (PR_1000768253) — The ProCurve Manager 2.2 Auto Update 5 test communication parameters feature fa ils intermittently . ■ Stacking T ransceivers (PR_1000784489) — Stacking-kit ports (J4116A) display an inaccurate duplex output. ■ T ACACS+ (PR_0000003839) — T[...]

  • Página 270

    © Copyright 2001-2009 Hewlett-Packard Company , LP . The information contained in this document is subject to change without notice. Part Number: 5990-3102 March, 2009[...]