Advanced Traffic Management Guide
HP ProCurve Series 6400cl Switches, Series 5300xl Switches, Series 3400cl Switches
www.hp.com/go/hpprocurve...
January 2005 (Rev. B). E.09.xx or Greater; M.08.6x or Greater.
Publication Number 5990-6051, January 2005 (Rev. B). ... performance, or use of this material. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
Contents

1 Getting Started
  Contents ... 1-1
  Overview ...
VLAN Operating Rules ... 2-13
General Steps for Using VLANs ...
Effect of VLANs on Other Switch Features ... 2-51
Spanning Tree Operation with VLANs ... 2-51
IP Interfaces ...
CLI: Configuring and Displaying IGMP ... 4-6
Web: Enabling or Disabling IGMP ... 4-11
How IGMP Operates ...
Messages Related to PIM Operation ... 5-37
Applicable RFCs ... 5-40
Exceptions to Support for RFC 2932 - Multicast Routing MIB ...
802.1s Multiple Spanning Tree Protocol (MSTP) ... 6-44
MSTP Structure ... 6-45
How MSTP Operates ...
Troubleshooting a Shortage of Per-Port Rule Resources on the 3400cl/6400cl Switches ... 8-18
Examples of QoS Resource Usage on 3400cl/6400cl Switches ...
QoS Messages in the CLI ... 8-69
QoS Operating Notes and Restrictions ...
ACL Configuration Factors ... 9-29
The Sequence of Entries in an ACL Is Significant ... 9-29
In Any ACL, There Will Always Be a Match ...
10 Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches
  Contents ... 10-1
  Introduction ...
How an ACE Uses a Mask To Screen Packets for Matches ... 10-30
What Is the Difference Between Network (or Subnet) Masks and the Masks Used with ACLs? ... 10-30
Rules for Defining a Match Between a Packet and an Access Control Entry (ACE) ...
Editing ACLs and Creating an ACL Offline ... 10-65
Using the CLI To Edit ACLs ... 10-65
General Editing Rules ...
Configuring OSPF ... 11-34
Overview of OSPF ...
Displaying OSPF Redistribution Filter (restrict) Information ... 11-64
Displaying OSPF Virtual Neighbor Information ...
... 6400cl Switches ... 13-2
Stacking Support on HP ProCurve Switches ... 13-2
Components of HP ProCurve Stack Management ...
Configuring Stack Management ... 13-8
Overview of Configuring and Bringing Up a Stack ... 13-8
Using the Menu Interface To View Stack Status and Configure Stacking ...
Page 23
1 Getting Started
Contents
Overview ... 1-2
Conventions ...

The Product Documentation CD-ROM shipped with the switch includes a copy of this guide. You can also download the latest version of this guide from the HP ProCurve website. (Refer to “Getting Documentation From the Web” on page 1-6.) For information on other product documentation available for the above-listed switches, refer to “Related Publications”...

Port Numbering Conventions. HP ProCurve stackable switches designate individual ports with sequential numbers (1, 2, 3, etc.). HP ProCurve chassis switches designate individual ports with a letter/number combination to show the slot in which the port is found and the sequential number the port has in that slot (A1, A2, B1, B2, etc.). Examples that include port numbering informa...

A PDF version of this guide is also provided on the Product Documentation CD-ROM shipped with the switch, and you can download a copy from the HP ProCurve website. (See “Getting Documentation From the Web” on page 1-6.) Management and Configuration Guide.

HP provides PDF versions of the switch documentation on the Product Documentation CD-ROM shipped with the switch. You can also download the latest version of any HP ProCurve switch manual (PDF format) from the HP ProCurve website. (Refer to “Getting Documentation From the Web” on...

1. Go to the HP ProCurve website at http://www.hp.com/go/hpprocurve
2. Click on technical support.
3. Click on manuals.
4. Click on the product for which you want to view or download a manual.
Figure 1-2. Example of How To Locate Product Manuals on the HP ProCurve Website...

Interface (hereafter referred to as the “web browser interface”), use the online help available for the web browser interface. For more information on web browser Help, refer to “Online Help for the HP Web Browser Interface” in the chapter titled “Using the HP Web Browser Interface” in...

If you just want to give the switch an IP address so that it can communicate on your network, or if you are not using VLANs, HP recommends that you use the Switch Setup screen to quickly configure IP addressing. To do so, do one of the following:
■ Enter setup at the CLI Manager level prompt.

Management and Configuration Guide for your switch:
■ Chapter 3, “Using the Menu Interface”
■ Chapter 4, “Using the Command Line Interface (CLI)”
■ Chapter 5, “Using the HP Web Browser Interface”
■ Chapter 6, “Switch Memory and Configuration”...
■ The Secure Management VLAN: This optional, port-based VLAN establishes an isolated network for managing the HP ProCurve switches that support this feature. Access to this VLAN and to the switch’s management functions is available only through ports configured as members (page 2-44).

Static Virtual LANs (VLANs)
Terminology
Note: In a multiple-VLAN environment that includes some older switch models, there may be problems related to the same MAC address appearing on different ports and VLANs on the same switch. In such cases the solution is to impose some cabling and VLAN restrictions.

Static VLAN Operation
A group of networked ports assigned to a VLAN form a broadcast domain that is separate from other VLANs that may be configured on the switch. On a given switch, packets are bridged between source and destination ports that belong to the same VLAN.

Port-Based VLANs vs. Protocol-Based VLANs (table fragment):
Tagged VLAN Membership: A port can be a tagged member of any port-based VLAN (see above). | A port can be a tagged member of any protocol-based VLAN (see above).
Routing: The switch can internally route IP (IPv4) traffic ... | If the switch configuration enables IP routing, the...

VLAN Operation
The Default VLAN. In figure 2-1, all ports belong to the default VLAN, and devices connected to these ports are in the same broadcast domain. Except for an IP address and subnet, no configuration steps are needed.
Figure 2-1. [All ports in VLAN 1]

Protocol VLAN Environment. Figure 2-2 can also be applied to a protocol VLAN environment. In this case, VLANs “W” and “X” represent routable protocol VLANs. VLANs “Y” and “Z” can be any protocol VLAN. As noted for the discussion of multiple port-based VLANs, VLAN 1 is not shown.
... overlap in this way, VLAN “tags” are used in the individual packets to distinguish between traffic from different VLANs. A VLAN tag includes the particular VLAN I.D. (VID) of the VLAN on which the packet was generated.
[Figure: ProCurve Switch, 802.1Q-Compliant...]

The legacy (non-802.1Q compliant) switch requires a separate link for each VLAN.
[Figure: Red Server and Blue Server on the Red VLAN and Blue VLAN, connected through a non-802.1Q switch and ProCurve switches. Callout: VLAN tagging enables the link to carry Red VLAN and Blue VLAN traffic...]

[Figure 2-6 panels: Example of Per-Port VLAN Configuration with GVRP Disabled (the default); Example of Per-Port VLAN Configuration with GVRP Enabled. Enabling GVRP causes “No” to display as “Auto”.]
Figure 2-6. Comparing Per-Port VLAN Options With and Without GVRP
Table 2-4.
VLAN Operating Rules
■ DHCP/Bootp: If you are using DHCP/Bootp to acquire the switch’s configuration, packet time-to-live, and TimeP information, you must designate the VLAN on which DHCP is configured for this purpose as the Primary VLAN.

■ Adding or Deleting VLANs: Changing the number of VLANs supported on the switch requires a reboot. (From the CLI, you must perform a write memory command before rebooting.) Other VLAN configuration changes are dynamic.

[Flowchart: Port “X” receives an inbound, untagged packet. Is the port an untagged member of any VLANs? If not, drop the packet. Does the packet’s protocol match the protocol of an untagged protocol VLAN? If so, forward the packet on that protocol VLAN.]

General Steps for Using VLANs
... tagged member must have the same VID as that carried by the inbound, tagged packets generated on that VLAN.)
[Flowchart: Port “X” receives an inbound, tagged packet from VLAN “A”. Is port “X” ... ? If not, drop the ...]

... MAC entry, it just adds a new instance of that MAC to the table. | ... it replaces the existing MAC instance with a new instance showing the new destination.
Table 2-6 lists the database structure of current HP ProCurve switch models.
Multiple VLAN Considerations
Example of an Unsupported Configuration and How To Correct It
The Problem. In figure 2-9, the MAC address table for Switch 8000M will sometimes record the 5300xl, 3400cl, or 6400cl as accessed on port A1 (VLAN 1), and other times as accessed on port B1 (VLAN 2):
[Figure 2-9: Switch 8000M, VLAN 1...]

... tion on the location of the 5300xl changes over time. For this reason, the 8000M discards some packets directed through it for the 5300xl, resulting in poor performance and the appearance of an intermittent or broken link.
The Solution.

[Figure 2-11: 4108gl Switch and 5300xl, 3400cl, or 6400cl Switch connected on VLAN 1 and VLAN 2. Both switches have multiple forwarding databases.]
Figure 2-11. Example of a Valid Topology for Devices Having Multiple Forwarding Databases in a Multiple VLAN Environment

Configuring VLANs
Menu: Configuring Port-Based VLAN Parameters
The Menu interface enables you to configure and view port-based VLANs.
■ Changing the Primary VLAN selection (See “Changing the Primary VLAN” on page 2-31.)
■ Enabling or disabling dynamic VLANs (Refer to chapter 3, “GVRP”.)
From the Main Menu select: 2. Switch Configuration ... 8. ...

An asterisk indicates you must reboot the switch to implement the new Maximum VLANs setting.
Figure 2-13. VLAN Menu Screen Indicating the Need To Reboot the Switch
• If you changed the VLAN Support option, you must reboot the switch before the Maximum VLANs change can take effect.

Adding or Editing VLAN Names
Use this procedure to add a new VLAN or to edit the name of an existing VLAN. From the Main Menu select: 2. Switch Configuration ... 8. VLAN Menu … 2. ...

[Figure 2-15 callout: Example of a New VLAN and ID]
Figure 2-15. Example of VLAN Names Screen with a New VLAN Added
Repeat steps 2 through 5 to add more VLANs. Remember that you can add VLANs until you reach the number specified in the Maximum VLANs to support field on the VLAN Support screen (see figure 2-12 on page 2-22).

Default: In this example, the “VLAN-22” has been defined, but no ports have yet been assigned to it. (“No” means the port is not assigned to that VLAN.)
Using GVRP? If you plan on using GVRP, any ports you don’t want to join should be changed to “Forbid”.

Ports A4 and A5 are assigned to both VLANs. Ports A6 and A7 are assigned only to VLAN-22. All other ports are assigned only to the Default VLAN.
Figure 2-17. Example of Port-Based VLAN Assignments for Specific Ports
For information on VLAN tags (“Untagged”...
Status:
Port-Based: Port-Based, static VLAN
Protocol: Protocol-Based, static VLAN
Dynamic: Port-Based, temporary VLAN learned through GVRP (Refer to chapter 3, “GVRP”.)
Voice: Indicates whether a (port-based) VLAN is configured as a voice VLAN. Refer to “Voice VLANs” on page 2-49.
Jumbo: Indicates whether a VLAN is configured for Jumbo packets.

Status:
Port-Based: Port-Based, static VLAN
Protocol: Protocol-Based, static VLAN
Dynamic: Port-Based, temporary VLAN learned through GVRP (Refer to the chapter titled “GVRP” in the Advanced Traffic Management Guide for your switch.)
Voice: Indicates whether a (port-based) VLAN is configured as a voice VLAN.

Show VLAN lists this data when GVRP is enabled and at least one port on the switch has dynamically joined the designated VLAN.
Figure 2-20. Example of “Show VLAN” for a Specific Dynamic VLAN
Changing the Number of VLANs Allowed on the Switch.

... more on the Primary VLAN, refer to “The Primary VLAN” on page 2-43.) To identify the current Primary VLAN and list the available VLANs and their respective VIDs, use show vlans.
Syntax: primary-vlan < vid | ascii-name-string >...
Creating a New Static VLAN (Port-Based or Protocol-Based)
Changing the VLAN Context Level. The vlan < vid > command operates in the global configuration context to either configure a static VLAN and/or take the CLI to the specified VLAN’s context.
Syntax: vlan <...

Note: If you create an IPv4 protocol VLAN, you must also assign the ARP protocol option to the VLAN to provide IP address resolution. Otherwise, IP packets are not deliverable. A “Caution”...

The following ports will be moved to the default VLAN: B6-B10
Do you want to continue? [y/n] y
HP ProCurve Switch 5304XL(config)#
Converting a Dynamic VLAN to a Static VLAN. Use this feature if you want to convert a dynamic, port-based VLAN membership to a static, port-based VLAN membership.

Syntax: [no] vlan < vid > tagged < port-list >
Configures the indicated port(s) as Tagged for the specified VLAN. The “no” version sets the port(s) to either No or (if GVRP is enabled) to Auto.
untagged <...

At the global config level, use:
HPswitch(config)# no vlan 100 tagged a1-a5
- or -
At the VLAN 100 context level, use:
HPswitch(vlan-100)# no tagged a1-a5
Note: You cannot use these commands with dynamic VLANs. Attempting to do so results in the message “VLAN already exists.”...
802.1Q VLAN Tagging
General Applications:
■ The switch requires VLAN tagging on a given port if more than one VLAN of the same type uses the port. When a port belongs to two or more VLANs of the same type, they remain as separate broadcast domains and cannot receive traffic from each other without routing.

[Figure: Switches “X” and “Y” connecting the White, Blue, Green and Red VLANs and their servers. Red VLAN: Untagged; Green VLAN: Tagged. Port callouts: Ports 1 - 4: Untagged; Ports 1 - 6: Untagged; Port 5: Red VLAN Untagged; Port 7: Red VLAN Untagged, Green VLAN Tagged...]

Note: Each 802.1Q-compliant VLAN must have its own unique VID number, and that VLAN must be given the same VID in every device in which it is configured. That is, if the Red VLAN has a VID of 10 in switch X, then 10 must also be used for the Red VID in switch Y.

■ If all end nodes on a port comply with the 802.1Q standard and are configured to use the correct VID, then you can configure all VLAN assignments on a port as “Tagged” if doing so either makes it easier to manage your VLAN assignments, or if the authorized, inbound traffic for all VLANs on the port will be tagged.

■ The VLANs assigned to ports X4 - X6, Y2 - Y5 can all be untagged because there is only one VLAN assigned per port.
■ Port X1 has two AppleTalk VLANs assigned, which means that one VLAN assigned to this port can be untagged and the other must be tagged.
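The following is an added example (not HP’s code) that models the rules from the inbound-packet flowcharts and this tagging section: how a port classifies an untagged versus 802.1Q-tagged inbound packet by its per-VLAN membership, the rule that only one VLAN of a given type may be untagged on a port, and the rule that a VLAN must carry the same VID on every switch. The Vlan/Port/Packet data model, the sample VLANs and ports, and the choice to check a matching untagged protocol VLAN before the untagged port-based VLAN are assumptions of this example, not statements from the guide.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Per-port, per-VLAN settings as shown in the VLAN Port Assignment screens.
UNTAGGED, TAGGED, NO = "Untagged", "Tagged", "No"


@dataclass(frozen=True)
class Vlan:                       # assumed model, not an HP data structure
    vid: int
    name: str
    protocol: Optional[str] = None   # None = port-based VLAN; otherwise e.g. "IPv4", "AppleTalk"


@dataclass
class Port:                       # assumed model
    name: str
    membership: Dict[int, str] = field(default_factory=dict)   # vid -> UNTAGGED | TAGGED | NO


@dataclass(frozen=True)
class Packet:                     # assumed model
    protocol: str
    vid: Optional[int] = None        # 802.1Q tag VID, or None for an untagged frame


def classify_inbound(port: Port, vlans: Dict[int, Vlan], pkt: Packet) -> Optional[int]:
    """Return the VID the inbound packet is forwarded on, or None if it is dropped.

    Tagged packet: forwarded only if the port is a Tagged member of the VID in the tag.
    Untagged packet: dropped unless the port is an Untagged member of some VLAN; an
    Untagged protocol VLAN matching the packet's protocol is preferred over the Untagged
    port-based VLAN (ordering is an assumption of this example).
    """
    if pkt.vid is not None:
        return pkt.vid if port.membership.get(pkt.vid) == TAGGED else None
    untagged = [vlans[vid] for vid, m in port.membership.items() if m == UNTAGGED]
    if not untagged:
        return None
    for v in untagged:
        if v.protocol is not None and v.protocol == pkt.protocol:
            return v.vid
    for v in untagged:
        if v.protocol is None:
            return v.vid
    return None   # only protocol VLANs are untagged here and none matches this protocol


def check_port_assignments(port: Port, vlans: Dict[int, Vlan]) -> List[str]:
    """Same-type tagging rule: when more than one VLAN of the same type (port-based, or
    the same protocol) is assigned to a port, at most one may be Untagged."""
    untagged_by_type: Dict[str, List[int]] = {}
    for vid, m in port.membership.items():
        if m == UNTAGGED:
            kind = vlans[vid].protocol or "port-based"
            untagged_by_type.setdefault(kind, []).append(vid)
    return [f"{port.name}: {len(vids)} Untagged {kind} VLANs {sorted(vids)}; all but one must be Tagged"
            for kind, vids in untagged_by_type.items() if len(vids) > 1]


def check_vid_consistency(switches: Dict[str, List[Vlan]]) -> List[str]:
    """Each 802.1Q VLAN must use the same VID on every switch on which it is configured."""
    seen: Dict[str, Dict[int, List[str]]] = {}
    for sw, vlist in switches.items():
        for v in vlist:
            seen.setdefault(v.name, {}).setdefault(v.vid, []).append(sw)
    return [f"VLAN {name!r} has different VIDs across switches: {by_vid}"
            for name, by_vid in seen.items() if len(by_vid) > 1]


# Constructed sample configuration (not from the guide).
VLANS = {v.vid: v for v in (Vlan(1, "DEFAULT_VLAN"), Vlan(20, "IP_VLAN", "IPv4"),
                            Vlan(33, "VLAN-33"), Vlan(40, "AT_1", "AppleTalk"),
                            Vlan(41, "AT_2", "AppleTalk"))}
PORT_A1 = Port("A1", {1: UNTAGGED, 20: UNTAGGED, 33: TAGGED})
PORT_X1 = Port("X1", {40: UNTAGGED, 41: TAGGED})      # two AppleTalk VLANs: one untagged, one tagged
PORT_BAD = Port("B2", {40: UNTAGGED, 41: UNTAGGED})   # two untagged VLANs of the same type

if __name__ == "__main__":
    print(classify_inbound(PORT_A1, VLANS, Packet("IPv4")))          # untagged IPv4 -> 20
    print(classify_inbound(PORT_A1, VLANS, Packet("IPX")))           # untagged IPX  -> 1
    print(classify_inbound(PORT_A1, VLANS, Packet("IPv4", vid=33)))  # tagged member -> 33
    print(check_port_assignments(PORT_BAD, VLANS))
    print(check_vid_consistency({"X": [Vlan(10, "Red")], "Y": [Vlan(11, "Red")]}))
```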
Special VLAN Types
VLAN Support and the Default VLAN
In the factory default configuration, VLAN support is enabled and all ports on the switch belong to the port-based, default VLAN (named DEFAULT_VLAN). This places all ports in the switch into one physical broadcast domain. In the factory-default state, the default VLAN is also the Primary VLAN.

... VLAN” on page 2-31.
The Secure Management VLAN
Configuring a secure Management VLAN creates an isolated network for managing the HP ProCurve switches that support this feature. (As of January, 2005, the Secure Management VLAN feature is available on these HP ProCurve switches: ■...

Note: The Secure Management VLAN must be a static, port-based VLAN with a manually configured IP address and subnet mask. (The switch does not allow the Management VLAN to acquire IP addressing through DHCP/Bootp.)
•...
... (such as Port A7 in figure 2-28.)
• Ports on one switch that you will use to extend the Management VLAN to ports on other HP ProCurve switches (such as ports A1 and B2 or B4 and C2 in figure 2-28 on page 2-46).

... 802.1Q tagged VLAN capability.)
■ Use port A2 to extend the Management VLAN to port B1 (which is already configured as a tagged member of My_VLAN) on an adjacent HP ProCurve switch that supports the Management VLAN feature.
[Figure: Switch “A” ...]

... Management VLAN and other VLANs is not allowed.
■ If there are more than 25 VLANs configured on the switch, reboot the switch after configuring the management VLAN. (HP Series 5300XL switches only.)
■ If you implement a Management VLAN in a switch mesh environment, all meshed ports on the switch will be members of the Management VLAN.

[Figure: Switch mesh domain includes three VLANs (VLAN 10, VLAN 30, VLAN 40); the meshed ports also have membership in VLAN 20 (Management VLAN). Even though the ports on the Management VLAN link do not belong to any of the VLANs in the mesh, the link will be blocked if...]

Components of Voice VLAN Operation
■ Voice VLAN(s): Configure one or more voice VLANs on the switch. Some reasons for having multiple voice VLANs include:
• Employing telephones with different VLAN requirements
• Better control of bandwidth usage
•...

Refer to chapter 6, “Spanning-Tree Operation”. Note that Spanning Tree operates differently in different devices. For example, in the (obsolete, non-802.1Q) HP Switch 2000 and the HP Switch 800T, Spanning Tree operates on a per-VLAN basis, allowing redundant physical links as long as they are in separate VLANs.

Effect of VLANs on Other Switch Features
IP Interfaces
There is a one-to-one relationship between a VLAN and an IP network interface. Since the VLAN is defined by a group of ports, the state (up/down) of those ports determines the state of the IP network interface associated with that VLAN.

VLAN Restrictions
Jumbo Packet Support on the Series 3400cl and Series 6400cl Switches
Jumbo packet support for the 3400cl and 6400cl switches is enabled per-VLAN and applies to all ports belonging to the VLAN. For more information, refer to the chapter titled “Port Traffic Controls”...
GVRP
General Operation
... having to set up VLANs across your network. After the switch creates a dynamic VLAN, you can optionally use the CLI static <vlan-id> command to convert it to a static VLAN or allow it to continue as a dynamic VLAN for as long as needed.

Operating Note: When a GVRP-aware port on a switch learns a VID through GVRP from another device, the switch begins advertising that VID out all of its ports except the port on which the VID was learned.
[Figure: Core switch with static ... Port 1 receives advertise...]

[Figure: Switch “A” (GVRP On) with Tagged VLAN 22 and Tagged VLAN 33. Switch “C” (GVRP On): Port 5 dynamically joins VLAN 22; Ports 11 and 12 belong to Tagged VLAN 33. Switches “B”, “D” and “E” (GVRP On)...]

Per-Port Options for Handling GVRP “Unknown VLANs”
■ Send VLAN advertisements, and also receive advertisements for VLANs on other ports and dynamically join those VLANs.
■ Send VLAN advertisements, but ignore advertisements received from other ports.
■ Avoid GVRP participation by not sending advertisements and dropping ...

Table 3-1. Options for Handling “Unknown VLAN” Advertisements:
UnknownVLAN Mode | Operation
Learn (the Default) | Enables the port to become a member of any unknown VLAN for which it receives an advertisement. Allows the port to advertise other VLANs that have at least one other port on the same switch as a member.

Per-Port Options for Dynamic VLAN Advertising and Joining
Initiating Advertisements. As described in the preceding section, to enable dynamic joins, GVRP must be enabled and a port must be configured to Learn (the default). However, to send advertisements in your network, one or more static (Tagged, Untagged, or Auto) VLANs must be configured on one or more switches (with GVRP enabled), depending on your topology.
Table 3-2. Controlling VLAN Behavior on Ports with Static VLANs
Per-Port “Unknown VLAN” (GVRP) | Per-Port Static VLAN Options—Per VLAN Specified on Each Port: Port Activity: Tagged or Untagged (Per VLAN) | Port Activity: Auto (Per VLAN) | Port Activity: Forbid (Per VLAN)

Because dynamic VLANs operate as Tagged VLANs, and because a tagged port on one device cannot communicate with an untagged port on another device, HP recommends that you use Tagged VLANs for the static VLANs you will use to generate advertisements.

The time-to-live for dynamic VLANs is 10 seconds. That is, if a port has not received an advertisement for an existing dynamic VLAN during the last 10 seconds, the port removes itself from that dynamic VLAN.
Planning for GVRP Operation
These steps outline the procedure for setting up dynamic VLANs for a seg...

Configuring GVRP On a Switch
The procedures in this section describe how to:
■ View the GVRP configuration on a switch
■ Enable and disable GVRP on a switch
■ Specify how individual ports will handle advertisements
To view or configure static VLANs for GVRP operation, refer to “Per-Port Static VLAN Configuration Options”...

The Unknown VLAN fields enable you to configure each port to:
– Learn - Dynamically join any advertised VLAN and advertise all VLANs learned through other ports.
– Block - Do not dynamically join any VLAN, but still advertise all VLANs learned through other...

Figure 3-6. Example of “Show GVRP” Listing with GVRP Disabled
This example includes non-default settings for the Unknown VLAN field for some ports.
Figure 3-7. Example of Show GVRP Listing with GVRP Enabled
Enabling and Disabling GVRP on the Switch. This command enables GVRP on the switch.

Syntax: interface < port-list > unknown-vlans < learn | block | disable >
Changes the Unknown VLAN field setting for the specified port(s). For example, to change and view the configuration for ports A1-A2 to Block:
Figure 3-8.

[Figure: Switch “A”: GVRP enabled; 3 Static VLANs: DEFAULT_VLAN, VLAN-222, VLAN-333. Switch “B”: GVRP enabled; 1 Static VLAN: DEFAULT_VLAN; Port 1: Set to “Learn” Mode.]
The show vlans command lists the dynamic (and static) VLANs in switch “B” after it has learned and joined VLAN-222 and VLAN-333.

GVRP Operating Notes
Web: Viewing and Configuring GVRP
To view, enable, disable, or reconfigure GVRP:
Click on the Configuration tab.
Click on [VLAN Configuration] and do the following:
• To enable or disable GVRP, click on GVRP Enabled.
• To change the Unknown VLAN field for any port: Click on … and make the desired changes.

■ Rebooting a switch on which a dynamic VLAN exists deletes that VLAN. However, the dynamic VLAN re-appears after the reboot if GVRP is enabled and the switch again receives advertisements for that VLAN through a port configured to add dynamic VLANs.
■...
Multimedia Traffic Control with IP Multicast (IGMP)
IGMP General Operation and Features
IGMP Features (table fragment): view igmp configuration — page 4-6 —; show igmp status for multicast groups used by the selected VLAN — —; enabling or disabling IGMP: default disabled...

Querier. When enabled (the default state), the switch’s querier function eliminates the need for a multicast router. In most cases, HP recommends that you leave this parameter in the default “enabled”...

IGMP Operating Features
Basic Operation
In the factory default configuration, IGMP is disabled. To enable IGMP ... If multiple VLANs are not configured, you configure IGMP on the default ■...

CLI: Configuring and Displaying IGMP
Notes: Whenever IGMP is enabled, the switch generates an Event Log message indicating whether querier functionality is enabled. IP multicast traffic groups are identified by IP addresses in the range of 224.0.0.0 to 239.255.255.255.
Viewing the Current IGMP Configuration. This command lists the IGMP configuration for all VLANs configured on the switch or for a specific VLAN.
Syntax: show ip igmp config
Displays IGMP configuration for all VLANs on the switch.

The following version of the show ip igmp command includes the VLAN ID (vid) designation, and combines the above data with the IGMP per-port configuration:
[Figure callouts: IGMP Configuration for the Selected VLAN; IGMP Configuration On the Individual...]

Note: If you disable IGMP on a VLAN and then later re-enable IGMP on that VLAN, the switch restores the last-saved IGMP configuration for that VLAN. For more on how switch memory operates, refer to the chapter titled “Switch Memory and Configuration”...

The following command displays the VLAN and per-port configuration resulting from the above commands.
HPswitch> show igmp vlan 1 config
Configuring IGMP Traffic Priority.
Syntax: vlan < vid > ip igmp high-priority-forward
This command assigns “high”...

Web: Enabling or Disabling IGMP
In the web browser interface you can enable or disable IGMP on a per-VLAN basis. To configure other IGMP features, telnet to the switch console and use the CLI.
How IGMP Operates
■ Report (Join): A message sent by a host to the querier to indicate that the host wants to be or is a member of a given group indicated in the report message.

[Table fragment, two columns:]
... IGMP client on a port in the VLAN leaves the group. | ... cast router or another switch configured for IGMP operation. (HP recommends that the VLAN also include a device operating as a backup Querier in case the device operating as the primary Querier fails for any reason.)
Support Fast-Leave IGMP and Forced Fast-...

... group members exist on the same port. This delayed leave operation means that the switch continues to transmit unnecessary multicast traffic through the port until the Querier renews multicast group status.
Fast-Leave IGMP Reduces Leave Delays.

... IGMP client) on that port.
Note on VLAN Numbers: In the HP ProCurve Series 5300XL switch, the walkmib and setmib commands use an internal VLAN number (and not the VLAN ID, or VID) to display or change many per-vlan features, such as the Forced Fast-Leave state.

For the IGMP MIB commands that are described on the next few pages, the HP ProCurve Switch 5300xl uses 26 ports for each slot. This is true regardless of the type of modules that you have installed in the slots. The following port numbering is used: ■...
… at the end of a port listing shows that Forced Fast-Leave is disabled on the corresponding port. … at the end of a port listing shows that Forced Fast-Leave is enabled on the corresponding port.

Configuring Per-Port Forced Fast-Leave IGMP
In the factory-default configuration, Forced Fast-Leave is disabled for all ports on the switch. To enable (or disable) this feature on individual ports, use the switch’s … command, as shown below.

Using the Switch as Querier
The function of the IGMP Querier is to poll other IGMP-enabled devices in an IGMP-enabled VLAN to elicit group membership information. The switch performs this function if there is no other device in the VLAN, such as a multicast router, to act as Querier.

Excluding Well-Known or Reserved Multicast Addresses from IP Multicast Filtering
Each multicast host group is identified by a single IP address in the range of 224.0.0.0 through 239.255.255.255.

Notes: IP Multicast Filters. This operation applies to the HP ProCurve Series 5300XL switches, as well as to the 1600M, 2400M, 2424M, 4000M, and 8000M, but not to the Series 2500, 2650, Series 4100GL or 6108 switches (which do not have static traffic/security filters).
Overview
This chapter describes protocol-independent multicast routing operation on the HP ProCurve Series 5300xl switches and how to configure it with the switch’s built-in interfaces. It assumes an understanding of multimedia traffic control with IP multicast (IGMP), which is described in chapter 4, “Multimedia Traffic Control with IP Multicast (IGMP)”.
PIM-DM (Dense Mode) on the 5300xl Switches
Introduction
This feature operates only on the Series 5300xl switches.
■ Configure PIM Global: page 5-12
■ Configure PIM VLAN Interface: page 5-15
■ Display PIM Route Data (default: Disabled): page 5-23
...
Feature Overview
PIM-DM on the Switch Series 5300XL devices includes:
■ Routing Protocol Support: PIM uses whichever unicast routing protocol is running on the routing switch. These can include: ...
PIM-DM Operation
... multicast group address (destination), but may reach many hosts in different subnets, depending on which hosts have issued joins for the same multicast group. PIM routes the multicast traffic for a particular S/G pair on paths between the source unicast address and the VLANs where it is requested (by joins from hosts connected to those VLANs).
[Figure 5-1. Example of Multicast “Tree” for a Given Flow: a video server feeding a PIM routing switch, two downstream routing switches running PIM and IGMP, IGMP switches, and hosts.]
When the routing switch detects a new multicast flow, it initially floods the traffic throughout the PIM-DM domain, and then prunes the traffic on the branches (network paths) where joins have not been received from individual...
Multicast Flow Management
This section provides details on how the routing switch manages forwarding and pruned flows. This information is useful when planning topologies to include multicast support and when viewing and interpreting the “show” command output for PIM-DM features.
[Figure callouts: These HP 5300XL multicast routers support the state refresh feature but must handle periodic flood-prune cycles for the downstream routers that lack this feature. These multicast routers (other video ...) do not have the state refresh...]
Note: When you initially enable PIM-DM, HP recommends that you leave the PIM-DM configuration parameters at their default settings. You can then assess performance and make configuration changes where a need appears.
PIM-DM Operating Rules
Multicast Address: In IP multicast traffic on the switch, this is a single IP address that can be used by a group of related or unrelated clients wanting the same data. A single S/G pair consists of a unicast source address and a multicast group address.
Configuring PIM-DM on the Series 5300xl Switches
Command | Page
PIM Global Context Commands
[no] ip multicast-routing | 5-12
[no] router pim | 5-12
state-refresh | 5-13
trap | 5-13
PIM Interface Context Commands
[no] ip pim | 5-15
[<...
PIM-DM requires configuration on both the global level and on the VLAN (interface) level. The recommended configuration order is:
1. Enable IGMP on all VLANs where hosts may join a multicast group.
2. Enable the following at the global level on the Switch Series 5300XL device.
Syntax: router pim [state-refresh < 10 - 300 >]
Sets the interval in seconds between successive State Refresh messages originated by the routing switch. Note that only the routing switch connected directly to the unicast source initiates state-refresh packets.
To configure global-level PIM operation for the “5308XL #1” routing switch, you would use the commands shown in figure 5-3, below.
[Figure 5-3 callouts: Enables IP routing. Enables multicast routing. Enables PIM.]
After configuring the global-level PIM operation on a routing switch, go to the device’s VLAN context level for each VLAN you want to include in your multicast routing domain.
For example, if multiple routers are connected to the same VLAN and the routing switch requests multicast traffic, all routers on the VLAN receive that traffic. (Those which have pruned the traffic will drop it when they receive it.) If the upstream router loses contact with the routing switch receiving the multicast traffic (that is, fails to receive a Hello...
Syntax: ip pim [ max-graft-retries < 1 - 10 > ]
vlan < vid > ip pim [ max-graft-retries < 1 - 10 > ]
Changes the number of times the routing switch will retry sending the same graft packet to join a flow.
Syntax: ip pim [ propagation-delay < 250 - 2000 > ]
vlan < vid > ip pim [ propagation-delay < 250 - 2000 > ]
ip pim [ override-interval < 500 - 6000 > ]
vlan <...
Syntax: ip pim [ ttl-threshold < 0 - 255 > ]
vlan < vid > ip pim [ ttl-threshold < 0 - 255 > ]
Sets the multicast datagram time-to-live (router hop-count) threshold for the VLAN. Any IP multicast datagrams or state refresh packets with a TTL less than this threshold will not be forwarded out the interface.
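The configuration order above (IGMP on the host VLANs, then the global commands, then PIM on each VLAN) and the per-parameter ranges in the syntax entries are easy to get wrong by hand. The following added example, which is not HP's code or output, renders that sequence from a small description and refuses any value outside the range its syntax entry documents. The command names and ranges are the page's; it assumes that "ip routing" is the command behind the "Enables IP routing" callout and that "ip igmp" is the VLAN-context IGMP command from chapter 4, neither of which is spelled out in this excerpt. The VLAN numbers and values in the sample are constructed.

```python
# Ranges taken from the syntax entries on the page.
GLOBAL_RANGES = {"state-refresh": (10, 300)}          # router pim context, seconds
VLAN_RANGES = {                                        # vlan <vid> ip pim ...
    "ttl-threshold": (0, 255),
    "max-graft-retries": (1, 10),
    "propagation-delay": (250, 2000),
    "override-interval": (500, 6000),
}


def in_range(name, value, ranges=VLAN_RANGES):
    """True when the parameter is known and the value lies inside its documented range."""
    if name not in ranges:
        return False
    lo, hi = ranges[name]
    return lo <= value <= hi


def render_pim_dm(vlans, state_refresh=None):
    """vlans: {vid: {"igmp": bool, "pim": {param: value} or None}} -> list of CLI lines."""
    lines = []
    # 1. Enable IGMP on every VLAN where hosts may join a multicast group.
    #    ("ip igmp" is assumed from chapter 4; it is not shown in this excerpt.)
    for vid, cfg in sorted(vlans.items()):
        if cfg.get("igmp"):
            lines += [f"vlan {vid}", "   ip igmp", "   exit"]
    # 2. Global level: IP routing ("ip routing" assumed), multicast routing, PIM.
    lines += ["ip routing", "ip multicast-routing", "router pim"]
    if state_refresh is not None:
        if not in_range("state-refresh", state_refresh, GLOBAL_RANGES):
            raise ValueError(f"state-refresh {state_refresh} is outside 10-300 seconds")
        lines.append(f"   state-refresh {state_refresh}")
    lines.append("   exit")
    # 3. VLAN level: enable PIM and apply any per-interface tuning.
    for vid, cfg in sorted(vlans.items()):
        pim = cfg.get("pim")
        if pim is None:
            continue                      # VLAN carries hosts only, not part of the routing domain
        lines += [f"vlan {vid}", "   ip pim"]
        for name, value in pim.items():
            if not in_range(name, value):
                raise ValueError(f"ip pim {name} {value}: unknown parameter or out of range")
            lines.append(f"   ip pim {name} {value}")
        lines.append("   exit")
    return lines


# Constructed sample: a source VLAN limited to 3 router hops and a host VLAN.
SAMPLE = render_pim_dm(
    {25: {"igmp": True, "pim": {"ttl-threshold": 3}}, 30: {"igmp": True, "pim": {}}},
    state_refresh=60,
)

if __name__ == "__main__":
    print("\n".join(SAMPLE))
```

Keeping the ranges in one table next to the renderer means a typo such as a 300-hop TTL threshold fails before it reaches the switch, rather than being silently rejected or truncated at the console.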
On the three routing switches, VLAN 25 is multinetted with subnets that match in only one instance. Since subnet 25.38.10.x exists on VLAN 25 in all routing switches, it serves as the source...
[Figure labels: 5308XL #1, Video Server, VLAN 25, 25.38.10.1]
[Figure callouts: Enables IP routing; required for multicast routing. Multinetting and IGMP enabled in VLAN 25. Multicast Routing Configuration for Global Level. Indicates the source-IP-address for multicast packets forwarded on this VLAN.]
Displaying PIM Data and Configuration Settings on the Series 5300xl Switches
Command | Page
show ip mroute | 5-23
[ interface < vid >] | 5-24
[<...
Displaying PIM Route Data
Syntax: show ip mroute
Without parameters, lists all VLANs actively forwarding routed multicast traffic.
Group Address: The multicast address of the specific multicast group (flow).
Syntax: show ip mroute [ interface < vid >]
Lists these settings:
VLAN: The VID specified in the command.
Protocol Identity: PIM-DM only.
TTL: The time-to-live threshold for packets forwarded through this VLAN.
Syntax: show ip mroute [< multicast-ip-addr > < source-ip-addr >]
Lists the following data for the specified flow (multicast group):
Group Address: The multicast group IP address for the current group.
Multicast Routing Protocol: Identifies the multicast routing protocol through which the current flow was learned.
Unicast Routing Protocol: Identifies the routing protocol through which the routing switch learned the upstream interface for the current multicast flow.
A blank Neighbor field indicates that the multicast server is directly connected to the routing switch.
Figure 5-9. Example Output for “5300XL #1” Routing Switch in Figure 5-4 on Page 5-20
Displaying PIM Status
Syntax: show ip pim...
Figure 5-10. Example Output for the “5304XL #1” Routing Switch in Figure 5-4 on Page 5-20
Syntax: show ip pim [interface]
Lists the PIM interfaces (VLANs) currently configured in the routing switch.
Syntax: show ip pim [interface [< vid >]]
Displays the current configuration for the specified VLAN (PIM interface). Refer to table 5-1, below.
Figure 5-12.
Table 5-1 (continued)
Field | Default | Control Command
Max Graft Retries | | vlan < vid > ip pim graft-retries < 1 - 10 >
Override Interval | 2500 | vlan <...
This output shows the routing switch is receiving two multicast groups from an upstream device at 27.27.30.2. The metric shows that the routing switch is directly connected to “...
DownStream Interfaces:
– VLAN: Lists the VID of the destination VLAN on the next-hop multicast router.
– Prune Reason: Identifies the reason for pruning the flow to the ...
Syntax: show ip pim [neighbor]
Lists PIM neighbor information for all PIM neighbors connected to the routing switch:
IP Address: Lists the IP address of a neighbor multicast router.
VLAN: Lists the VLAN through which the routing switch connects to the indicated neighbor.
This periodic flooding is not necessary if all of the downstream multicast routers are HP ProCurve 5300XL devices. (The HP ProCurve Routing Switch Series 9300 and the routers offered by some other vendors do not offer the state refresh capability.)
Operating Notes
Flow Capacity. The routing switch provides an ample multicast environment, supporting 1022 multicast flows in hardware across a maximum of 64 VLANs. (A flow comprises a unicast source address and a multicast group address, regardless of the number of active hosts belonging to the multicast group at any given time.) While the typical multicast environment should not normally exceed 1022 flows, the routing switch can support up to 978 addi...
Troubleshooting
Symptom: Noticeable slowdown in some multicast traffic. This occurs if the switch is supporting more than 1022 active flows, which generates the message “Unable to learn HW IP multicast groups, table FULL” in the Event Log because there is no room in the hardware Multicast Routing Table to add another Multicast Group.
Message | Meaning
Failed to initialize < text-str > as a call back routine (<counter>) | Indicates an internal error. Report the incident to your HP customer care center and re-install the router software.
I/F configured with IP <...
Multicast Hardware Failed to Initialize (<counter>) | ... processing of PIM traffic. The software will continue to process PIM traffic at a slower rate. Contact your HP customer care center.
No IP address configured on VID | PIM has detected a VLAN without an IP address. Configure an IP address on the indicated VLAN.
Messages Related to PIM Operation
Message | Meaning
Rcvd pkt from rtr < ip-address >, unkwn pkt type < value > | A packet received from the router at < ip-address > is an unknown PIM packet type. (The < value > variable is the pkt type <...
Unable to alloc a msg buffer for < text-message > (<counter>) | Multicast routing is unable to acquire memory for a flow. Router memory is oversubscribed. Reduce the number of VLANs or the number of features in use.
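The Event Log messages in the Troubleshooting and Messages sections above are the signals an operator watches for: a repeated table-FULL message means the 1022-flow hardware table has been exceeded, and an unknown packet type or a VLAN without an address points at a neighbor or configuration problem. The following added example (not HP's code) turns the message texts on the page into a small classifier that pulls out the variable fields and counts message types over a log excerpt. The message texts and their meanings are the page's; the timestamp prefix on the sample lines, the counter values and the VLAN number are constructed and not captured from a switch.

```python
import re

# (type, pattern built from the page's message text, meaning from the page)
PIM_MESSAGES = [
    ("hw_table_full",
     r"Unable to learn HW IP multicast groups, table FULL",
     "no room in the hardware Multicast Routing Table; more than 1022 active flows"),
    ("callback_init_failed",
     r"Failed to initialize (?P<text>.+?) as a call back routine \((?P<counter>\d+)\)",
     "internal error; report to HP customer care and re-install the router software"),
    ("hw_init_failed",
     r"Multicast Hardware Failed to Initialize \((?P<counter>\d+)\)",
     "PIM traffic continues in software at a slower rate; contact HP customer care"),
    ("vlan_without_ip",
     r"No IP address configured on VID\s*(?P<vid>\d+)",   # VID value assumed to follow
     "PIM found a VLAN without an IP address; configure one on the indicated VLAN"),
    ("unknown_pkt_type",
     r"Rcvd pkt from rtr (?P<ip>\d+\.\d+\.\d+\.\d+), unkwn pkt type (?P<value>\d+)",
     "unknown PIM packet type received from the router at <ip>"),
    ("msg_buffer_alloc",
     r"Unable to alloc a msg buffer for (?P<text>.+?) \((?P<counter>\d+)\)",
     "router memory oversubscribed; reduce the number of VLANs or features in use"),
]
_COMPILED = [(name, re.compile(pat), meaning) for name, pat, meaning in PIM_MESSAGES]


def classify_event(line):
    """Return {"type", "meaning", <captured fields>} for a known PIM message, else None."""
    for name, rx, meaning in _COMPILED:
        m = rx.search(line)
        if m:
            return {"type": name, "meaning": meaning, **m.groupdict()}
    return None


def summarize(lines):
    """Count known message types; repeated hw_table_full hits indicate flow overload."""
    counts = {}
    for line in lines:
        hit = classify_event(line)
        if hit:
            counts[hit["type"]] = counts.get(hit["type"], 0) + 1
    return counts


# Constructed sample log excerpt; the "I mm/dd/yy hh:mm:ss" prefix is assumed, not from the page.
SAMPLE_LOG = [
    "I 01/05/05 09:12:01 Unable to learn HW IP multicast groups, table FULL",
    "I 01/05/05 09:12:31 Unable to learn HW IP multicast groups, table FULL",
    "I 01/05/05 09:13:02 No IP address configured on VID 40",
    "I 01/05/05 09:13:40 Rcvd pkt from rtr 27.27.30.2, unkwn pkt type 9",
    "I 01/05/05 09:14:05 Unable to alloc a msg buffer for PIM hello (3)",
    "I 01/05/05 09:14:06 ports A1-A4 link up",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify_event(entry))
    print(summarize(SAMPLE_LOG))
```

The regular expressions anchor on the fixed words of each message, so a change in the surrounding timestamp format does not break them; only the VID placement after "VID" is an assumption and is marked as such in the table.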
Exceptions to Support for RFC 2932 - Multicast Routing MIB
These MIB objects are not supported in the 5300XL routing switch:
ipMRouteInterfaceRateLimit
ipMRouteInterfaceInMcastOctets
ipMRouteInterfaceOutMcastOctets
ipMRouteInterfaceHCInMcastOctets
ipMRouteInterfaceHCOutMcastOctets
...
Spanning-Tree Operation
Overview
STP Features
802.1D Spanning Tree Protocol | Default | Menu | CLI | Web
Viewing the STP Configuration | | page 6-21 | page 6-12 | —
Enable/Disable STP | Disabled | page 6-21 | page 6-25 | page 6-43
Reconfiguring General Operation | priority: 32768; max age: 20 s; hello time: 2 s; fwd. ... | page 6-21 | page 6-26 | —
802.1s Spanning Tree Protocol | Default | Menu | CLI | Web
Viewing the MSTP Status and Configuration | | — | page 6-71 | —
Enable/Disable MSTP and Configure Global Parameters | Disabled | — | page 6-57 | —
Configuring Basic Port Connectivity Parameters | edge-port: No; mcheck: Yes; hello-time: 2... | — | page 6-61 | —
... configured with VLANs grouped into two instances, as follows:
Instance 1: VLANs 10, 11, 12
Instance 2: VLANs 20, 21, 22
The logical and physical topologies resulting from these VLAN/Instance groupings result in blocking on different links for different VLANs:
[Figure: Region “A”: Logical Topology; path blocked for VLANs in instance 2.]
You should enable spanning tree operation in any switch that is part of a redundant physical link (loop topology). (HP recommends that you do so on all switches belonging to a loop topology.) This topic is covered in more detail...
RSTP is designed to be compatible with IEEE 802.1D STP, and HP recommends that you employ it in your network. For more information, refer to “Transitioning from STP to RSTP”...
The RSTP (802.1w) and STP (802.1D) Spanning Tree Options
How STP and RSTP Operate
The switch automatically senses port identity and type, and automatically defines spanning-tree parameters for each type, as well as parameters that apply across the switch. You can use the default values for these parameters, or adjust them as needed.
...dant links by using a port trunk. The following example shows how you can use a port trunk with 802.1Q (tagged) VLANs and spanning tree without unnecessarily blocking any links or losing any bandwidth.
[Figure: Problem / Solution: STP enabled with 2...]
Configuring Rapid Reconfiguration Spanning Tree (RSTP)
Transitioning from STP to RSTP
IEEE 802.1w RSTP is designed to be compatible with IEEE 802.1D STP. Even if all the other devices in your network are using STP, you can enable RSTP on your switch, and even using the default configuration values, your switch will interoperate effectively with the STP devices.
Configuring RSTP
The default switch configuration has spanning tree disabled with RSTP as the selected protocol. That is, when spanning tree is enabled, RSTP is the version of spanning tree that is enabled, by default.
Optimizing the RSTP Configuration
To optimize the RSTP configuration on your switch, follow these steps (note that for the Menu method, all of these steps can be performed at the same...
CLI: Configuring RSTP
Spanning Tree Commands in This Section | STP | RSTP | Page for RSTP Use
show spanning-tree config | | | Below on this page
spanning-tree | | | 6-13
protocol-version <rstp | stp> | | | page 6-14
force-version <rstp-operation | stp-compatible> | | | page 6-14
...
Figure 6-4. Example of the Spanning Tree Configuration Display (HP Series 3400cl Switch)
Enabling or Disabling RSTP. Issuing the command to enable spanning tree on the switch implements, by default, the RSTP version of spanning tree for all physical ports on the switch.
Reconfiguring Whole-Switch Spanning Tree Values. You can configure one or more of the following parameters, which affect the spanning tree operation of the whole switch:
Table 6-1. Whole-Switch RSTP Parameters
Parameter | Default | Description
protocol-version | RSTP | Identifies which of the spanning tree protocols will be used when spanning tree...
Note: Executing the spanning-tree command alone enables spanning tree. Executing the command with one or more of the whole-switch RSTP parameters shown in the table on the previous page, or with any of the per-port RSTP parameters shown in the table on page 6-16, does not enable spanning tree.
Forwarding state. In this way, the ports operate very similarly to ports that are configured in “fast mode” under the STP implementation in previous HP switch software. Disable this feature on all switch ports that are connected to another switch, or bridge, or hub.
Menu: Configuring RSTP
1. From the console CLI prompt, enter the menu command.
HP Procurve Switch # menu
From the switch console Main Menu, select 2. Switch Configuration … 4. Spanning Tree Operation, then press [E] (for Edit) to highlight the Protocol Version parameter field.
Figure 6-5. Example of the RSTP Configuration Screen
7. Press the [Tab] key or use the arrow keys to go to the next parameter you want to change, then type in the new value or press the Space bar to select a value. ... to select the Actions –>...
Web: Enabling or Disabling RSTP
In the web browser interface, you can enable or disable spanning tree on the switch. If the default configuration is in effect such that RSTP is the selected protocol version, enabling spanning tree through the web browser interface will enable RSTP with its current configuration.
802.1D Spanning-Tree Protocol (STP)
Menu: Configuring 802.1D STP
1. From the Main Menu, select: 2. Switch Configuration … 4. Spanning Tree Operation
[Figure 6-6. The Default “Spanning Tree Operation” Screen; callout: Use this field to select the 802.1D version of STP.]
2. Press [E] (for Edit) to highlight the Protocol Version field.
[Figure 6-7. Enabling Spanning-Tree Operation; callouts: Use this field to enable spanning tree. Read-Only Fields.]
6. If the remaining STP parameter settings are adequate for your network, go to step 10.
7. Use [Tab] or the arrow keys to select the next parameter you want to change, then type in the new value or press the Space Bar to select a value.
Figure 6-8. The Configuration Menu Indicating a Reboot Is Needed to Implement a Configuration Change
11. Press to return to the Main menu.
Figure 6-9. The Main Menu Indicating a Reboot Is Needed To Implement a Configuration Change
12. Press to reboot the switch.
Configuring the Switch To Use the 802.1D Spanning Tree Protocol (STP). In the default configuration, the switch is set to RSTP (that is, 802.1w Rapid Spanning Tree), and spanning tree operation is disabled. To reconfigure the switch to 802.1D spanning tree, you must:
1. Change the spanning tree protocol version to stp.
Caution: Because incorrect STP settings can adversely affect network performance, HP recommends that you use the default STP parameter settings. You should not change these settings unless you have a strong understanding of how STP operates.
Note: Executing spanning-tree alone enables STP. Executing spanning-tree with one or more of the above “STP Operating Parameters” does not enable STP. It only configures the STP parameters, regardless of whether STP is actually running (enabled) on the switch.
(Forwarding or Blocking, as determined by the STP negotiation). This sequence takes two times the forward delay value configured for the switch. The default is 15 seconds on HP switches, per the IEEE 802.1D standard recommendation, resulting in a total STP negotiation time of 30 seconds. Each switch port goes through this start-up sequence whenever the network con...
To Enable or Disable Fast Mode for a Switch Port: You can use either the CLI or the menu interface to toggle between STP Fast mode and STP Normal mode. (To use the menu interface, see “Menu: Configuring 802.1D STP”...
STP. However, because fast uplink should be configured only on the switch’s uplink ports, the device(s) on the other end of the links can be either HP devices or another vendor’s devices, regardless of whether they support fast uplink. For example: Port A is the STP root port.
Terminology
Term | Definition
downlink port (downstream port) | A switch port that is linked to a port on another switch (or to an end node) that is sequentially further away from the STP root device. For example, port “C” in figure 6-12, above, is a downlink port.
In figure 6-13, STP is enabled and in its default configuration on all switches, unless otherwise indicated in table 6-5, below:
Table 6-5. STP Parameter Settings for Figure 6-13
STP Parameter | Switch “1” | Switch “2” | Switch “3”...
■ Edge switches cannot be directly linked together using fast-uplink ports. For example, the connection between switches 4 and 5 in figure 6-14 is not allowed for fast-uplink operation.
[Figure 6-14 labels: Switch ... The ports that make up this link...]
To View and/or Configure Fast-Uplink STP. This procedure uses the Spanning Tree Operation screen to enable STP and to set the Mode for fast-uplink STP operation. From the Main Menu select: 2. Switch Configuration … 4.
3. If the Protocol Version is set to RSTP (as shown in figure 6-15), do the following:
a. Press [E] (for Edit) to move the cursor to the Protocol Version field.
b. Press the Space bar once to change the Protocol Version field to STP.
c. Press [Enter] to return to the command line.
In this example, ports 2 and 3 have already been configured as a port trunk (Trk1), which appears at the end of the port listing. All ports (and the trunk) are in their default STP configuration.
Note: In the actual menu screen, you must scroll the cursor down the port list to view the trunk configuration...
[Figure 6-18 callouts: STP is enabled. Port A1 and Trk1 are now configured for fast-uplink STP.]
Figure 6-18. Example of STP Enabled with Two Redundant Links Configured for Fast-Uplink STP
5. Press [S] (for Save) to save the configuration changes to flash (non-volatile) memory.
[Figure 6-19 callouts: Indicates which uplink is the active path to the STP root device. Note: A switch using fast-uplink STP must never be the STP root device.]
Figure 6-19. Example of STP Status with Trk1 (Trunk 1) as the Path to the STP Root Device
Press (for...
In figure 6-20:
• Port A1 and Trk1 (trunk 1; formed from ports 2 and 3) are redundant fast-uplink STP links, with trunk 1 forwarding (the active link) and port A1 blocking (the backup link). (To view the configuration for port A1 and Trk1, see figure 6-18 on page 6-37.)
•...
[Figure callouts: Indicates that Trk1 (Trunk 1) provides the currently active path to the STP root device. Redundant STP link in the Blocking state. Links to PC or Workstation End Nodes. Redundant STP link in the Forwarding state.]
[Figure 6-23 callouts: STP Enabled on the Switch. Fast-Uplink Configured on Port 1 and Trunk 1 (Trk1).]
Figure 6-23. Example of a Configuration Supporting the STP Topology Shown in Figure 6-21
Using the CLI To Configure Fast-Uplink STP. This example uses the CLI to configure the switch for the fast-uplink operation shown in figures 6-21, 6-22, and 6-23.
[Figure 6-24 callouts: Lists STP configuration. Shows the default STP protocol. 1. Changes the Spanning-Tree protocol to STP (required for Fast-Uplink). 2. Saves the change to the startup-configuration. 3. Reboots the switch (required for this configuration change).]
Figure 6-24.
Web: Enabling or Disabling STP
Note: When you add a port to a trunk, the port takes on the STP mode configured for the trunk, regardless of which STP mode was configured on the port before it was added to the trunk.
802.1s Multiple Spanning Tree Protocol (MSTP)
The 802.1D and 802.1w spanning tree protocols operate without regard to a network’s VLAN configuration, and maintain one common spanning tree throughout a bridged network. Thus, these protocols map one loop-free, logical topology on a given physical topology.
MSTP Structure
MSTP maps active, separate paths through separate spanning tree instances and between MST regions. Each MST region comprises one or more MSTP switches. Note that MSTP recognizes an STP or RSTP LAN as a distinct spanning-tree region.
MST Region: An MST region comprises the VLANs configured on physically connected MSTP switches. All switches in a given region must be configured with the same VLANs and Multiple Spanning Tree Instances (MSTIs).
Internal Spanning Tree (IST): The IST administers the topology within a given MST region.
The switch automatically senses port identity and type, and automatically defines spanning-tree parameters for each type, as well as parameters that apply across the switch. Although these parameters can be adjusted, HP strongly recommends leaving these settings in their default configurations unless the proposed changes have been supplied by an experienced network administrator who has a strong understanding of the IEEE 802.1D/w/s...
How Separate Instances Affect MSTP Operation. Assigning different groups of VLANs to different instances ensures that those VLAN groups use independent forwarding paths. For example, in figure 6-26 each instance has a different forwarding path.
[Figure 6-26 labels: Path through IST Instance to Other Regions; Region “X”...]
Within a region, traffic routed between VLANs in separate instances can take only one physical path. To ensure that traffic in all VLANs within a region can travel between regions, all of the boundary ports for each region should belong to all VLANs configured in the region.
... an instance by using a port trunk. The following example shows how you can use a port trunk with 802.1Q (tagged) VLANs and MSTP without unnecessarily blocking any links or losing any bandwidth.
[Figure: Problem / Solution: An MST instance with two...]
... and designated port for each region. The CIST includes the Common Spanning Tree (CST), the Internal Spanning Tree (IST) within each region, and any multiple spanning-tree instances (MSTIs) in a region.
Common Spanning Tree (CST): Refers to the single forwarding path the switch calculates for STP (802.1D) and RSTP (802.1w) topologies, and for inter-regional paths in MSTP (802.1s) topologies.
Operating Rules
■ All switches in a region must be configured with the same set of VLANs, as well as the same MST configuration name and MST configuration number.
■ Within a region, a VLAN can be allocated to either a single MSTI or to the region’s IST instance.
802.1D or 802.1w STP BPDU packets, as appropriate. Because MSTP is so efficient at establishing the network path, HP highly recommends that you update all of your 5300xl switches to support 802.1s/MSTP.
... incompatibility between devices running the older 802.1D STP and your switch running MSTP or RSTP. Please see the “Note on Path Cost” on page 6-17 for more information on adjusting to this incompatibility.
Tips for Planning an MSTP Application
■ ...
– Region Revision Number: spanning-tree config revision
• Optional MSTP parameter changes for region settings: HP recommends that you leave these parameters at their default settings for most networks. Refer to the “Caution” on page 6-47.
– The maximum number of hops before the MSTP BPDU is dis...
– Force-Version operation: spanning-tree force-version
– Forward Delay: spanning-tree forward-delay
– Hello Time (used if the switch operates as the root device): spanning-tree hello-time
– Maximum age to allow for STP packets before discarding: spanning-tree max-age
– ...
HP recommends that you not activate spanning tree operation until you have finished configuring all devices in your network. Refer to “Enabling an Entire MST Region at Once or Exchanging One Region Configuration for Another”...
Syntax: spanning-tree config-revision < revision-number >
This command configures the revision number you designate for the MST region in which you want the switch to reside. This setting must be the same for all switches residing in the same region.
Syntax: spanning-tree force-version < stp-compatible | rstp-operation | mstp-operation >
Sets the spanning-tree compatibility mode. When the switch is configured with MSTP mode, this command forces the switch to emulate behavior of earlier versions of spanning tree protocol or return to MSTP behavior.
The basic port connectivity parameters affect spanning-tree links at the global level. In most cases, HP recommends that you use the default settings for these parameters and apply changes on a per-port basis only where a nondefault setting is clearly indicated by the circumstances of individual links.
Syntax: spanning-tree < port-list > < hello-time | path-cost | point-to-point-mac | priority >
[ hello-time < global | 1 - 10 > ]
When the switch is the CIST root, this parameter specifies the interval (in seconds) between periodic BPDU transmissions by the designated ports.
priority < 0..15 >
MSTP uses this parameter to determine the port(s) to use for forwarding. The port with the lowest priority number has the highest priority. The range is 0 to 240, and is configured by specifying a multiplier in the range of 0 - 15.
Page 232
Spanning-Tree Operation 802.1s Multiple Spanning Tree Protocol (MSTP) Syntax: spanning-tree instance < 1..16 > priority < 0 .. 15 > This command sets the switch (bridge) priority for the desig nated instance. This priority is compared with the priorities of other switches in the same instance to determine the root switch for the instance.
Page 233
Spanning-Tree Operation 802.1s Multiple Spanning Tree Protocol (MSTP) Syntax: spanning-tree priority < 0 .. 15 > This command sets the switch (bridge) priority for the designated region in which the switch resides. The switch compares this priority with the priorities of other switches in the same region to determine the root switch for the region.
Page 235
Spanning-Tree Operation 802.1s Multiple Spanning Tree Protocol (MSTP) Syntax: spanning-tree instance < 1..16 > [e] < port-list > priority <priority-multiplier> This command sets the priority for the specified port(s) in the specified MST instance. (For a given port, the priority setting can be different for different MST instances to which the port may belong.) The priority range for a port in a given MST instance is 0-255.
Page 236
Spanning-Tree Operation 802.1s Multiple Spanning Tree Protocol (MSTP) Syntax: spanning-tree [e] < port-list > priority < priority-multiplier > This command sets the priority for the specified port(s) for the IST (that is, Instance 0) of the region in which the switch resides.
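The following worked example is added here and is not HP ProCurve code. It shows how the priority multipliers set with spanning-tree priority, spanning-tree instance < n > priority and spanning-tree < port-list > priority become the identifiers MSTP actually compares when it elects a root switch for an instance and chooses a forwarding port. Taken from IEEE 802.1s/802.1D rather than stated on this page: bridge priority is the multiplier times 4096, the 12-bit system ID extension of the bridge identifier carries the MST instance number, and port priority is the multiplier times 16 (hence the 0 to 240 range quoted above). The switch names and MAC addresses are constructed sample data.

```python
"""Added worked example (not HP ProCurve code): MSTP priority multipliers
turned into the bridge and port identifiers that decide the root switch of
an MST instance and the preferred forwarding port.

Assumed from IEEE 802.1s/802.1D, not stated on this page: bridge priority =
multiplier * 4096; the 12-bit system ID extension holds the MST instance
number; port priority = multiplier * 16 (the 0..240 range quoted above).
Switch names and MAC addresses below are constructed sample data.
"""
from __future__ import annotations


def bridge_priority(multiplier: int) -> int:
    """16-bit priority field for a bridge: the 4-bit multiplier shifted left by 12."""
    if not 0 <= multiplier <= 15:
        raise ValueError("bridge priority multiplier must be 0..15")
    return multiplier << 12          # 8 (the default) -> 32768


def port_priority(multiplier: int) -> int:
    """8-bit port priority: the 4-bit multiplier shifted left by 4, so 0..240 in steps of 16."""
    if not 0 <= multiplier <= 15:
        raise ValueError("port priority multiplier must be 0..15")
    return multiplier << 4           # 8 (the default) -> 128


def bridge_id(multiplier: int, instance: int, mac: str) -> int:
    """64-bit MSTP bridge identifier: priority (4 bits) | MSTID (12 bits) | MAC (48 bits).

    MSTP compares these as plain integers, so the settable priority is the
    most significant tie-breaker and the MAC address is the last one.
    """
    if not 0 <= instance <= 4095:
        raise ValueError("MST instance id must fit in 12 bits")
    mac_int = int(mac.replace(":", "").replace("-", ""), 16)
    if mac_int >> 48:
        raise ValueError("MAC address must be 48 bits")
    return ((bridge_priority(multiplier) | instance) << 48) | mac_int


def elect_root(instance: int, switches: dict[str, tuple[int, str]]) -> str:
    """Name of the switch whose bridge ID is lowest for this instance.

    switches maps switch name -> (priority multiplier configured for this
    instance, base MAC address).  Equal priorities fall through to the MAC.
    """
    return min(switches, key=lambda n: bridge_id(switches[n][0], instance, switches[n][1]))


def pick_port(ports: dict[int, int]) -> int:
    """Among ports that are otherwise equal (same root path cost, same
    designated bridge), MSTP prefers the lowest port priority and then the
    lowest port number.  ports maps port number -> priority multiplier."""
    return min(ports, key=lambda p: (port_priority(ports[p]), p))


if __name__ == "__main__":
    # Constructed region: three switches at the default multiplier 8, except
    # switch B, configured with "spanning-tree instance 1 priority 4".
    region = {
        "A": (8, "00:10:83:00:00:10"),
        "B": (4, "00:10:83:00:00:20"),
        "C": (8, "00:10:83:00:00:05"),
    }
    print("root of MSTI 1:", elect_root(1, region))          # B: lowest priority field
    # With every switch at the default, the lowest MAC address wins, which is
    # why a root left to chance is usually not the switch you would choose.
    print("root at defaults:", elect_root(1, {n: (8, m) for n, (_, m) in region.items()}))  # C
    print("forwarding port:", pick_port({3: 8, 5: 2, 7: 2}))  # 5: priority 32, lower port number than 7
```

The second election in the demo is the practical reason for setting a bridge priority explicitly: with all switches at the default multiplier of 8, the root role goes to whichever switch happens to carry the lowest MAC address.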
Enabling or Disabling Spanning Tree Operation
This command enables or disables spanning tree operation for any spanning tree protocol enabled on the switch. Before using this command to enable spanning tree, ensure that the version you want to use is active on the switch.
Syntax: [no] spanning-tree
Enabling spanning tree with MSTP configured implements MSTP for all physical ports on the switch, according to the...
1. Configure the VLANs you want included in any instances in the new region. When you create the pending region, all VLANs configured on the switch will be assigned to the pending IST instance unless assigned to other, pending MST instances.
9. To view the current pending MSTP configuration, use the show spanning-tree pending command (page 6-77).
Displaying MSTP Statistics and Configuration
Command / Page:
MSTP Statistics: show spanning-tree [< port-list >] (below); show spanning-tree instance <...
Switch’s Spanning Tree Configuration and Identity of VLANs Configured in the Switch for the IST Instance. Identifies the overall spanning-tree root for the network. Lists the switch’s MSTP root data for connectivity with other regions and STP or RSTP devices.
Displaying Switch Statistics for a Specific MST Instance.
Syntax: show spanning-tree instance < ist | 1..16 >
This command displays the MSTP statistics for either the IST instance or a numbered MST instance running on the switch. Figure 6-29.
Displaying the MSTP Configuration
Displaying the Global MSTP Configuration. This command displays the switch’s basic and MST region spanning-tree configuration, including basic port connectivity settings.
Syntax: show spanning-tree config
The upper part of this output shows the switch’s global spanning-tree configuration that applies to the MST region.
Displaying Per-Instance MSTP Configurations. This command displays the per-instance port configuration and current state, along with instance identifiers and regional root data.
Syntax: show spanning-tree config instance < ist | 1..16 >
The upper part of this output shows the instance data for the specified instance.
Displaying the Region-Level Configuration in Brief. This command output is useful for quickly verifying the allocation of VLANs in the switch’s MSTP configuration and for viewing the configured region identifiers.
Syntax: show spanning-tree mst-config
This command displays the switch’s regional configuration.
Displaying the Pending MSTP Configuration. This command displays the MSTP configuration the switch will implement if you execute the spanning-tree pending apply command. (Refer to “Enabling an Entire MST Region at Once or Exchanging One Region Configuration for Another” on page 6-69.)
Syntax: show spanning-tree pending <...
Operating Notes
SNMP MIB Support for MSTP. MSTP is a superset of the STP/802.1D and RSTP/802.1w protocols and uses the MIB objects defined for these two protocols. Also, as of December 2003, there has been no formal MIB definition published for 802.1s MSTP managed objects.
Switch Meshing
Introduction
Switch meshing is a load-balancing technology that enhances reliability and performance in these ways:
■ Provides significantly better bandwidth utilization than either Spanning Tree Protocol (STP) or standard port trunking.
■ Uses redundant links that remain open to carry traffic, removing any...
Finding the Fastest Path. Using multiple switches redundantly linked together to form a meshed switch domain, switch meshing dynamically distributes traffic across load-balanced switch paths by seeking the fastest paths for new traffic between nodes. In actual operation, the switch mesh periodically determines the best (lowest latency) paths, then assigns these paths as the need arises.
Switch Meshing Fundamentals
Terminology
Switch Mesh Domain. This is a group of meshed switch ports exchanging meshing protocol packets. Paths between these ports can have multiple redundant links without creating broadcast storms.
Figure: a switch mesh domain of Switch 1, Switch 2, Switch 3...
For example, if you update the software version on one Series 5300xl switch, then you must update the software version on any other Series 5300xl in the mesh. HP recommends that you always use the most recent software version available for the switches in...
■ If meshing is configured on the switch, the routing features (IP routing, RIP, and OSPF) must be disabled. That is, the switch’s meshing and routing features cannot be enabled at the same time.
■ The spanning-tree configuration must be the same for all switches in the mesh (enabled or disabled).
3, “GVRP”.)
GVRP Note: HP Procurve 1600M/2400M/2424M/4000M/8000M switches do not offer the GVRP feature. If any of these switches are in your switch mesh, then GVRP must be disabled on any 3400cl, 6400cl, or 5300xl switches in the mesh.
Linking a non-mesh device or port into the mesh causes the meshed switch port(s) connected to that device to shut down.
Backward Compatibility Note: The HP ProCurve 3400cl, 6400cl, and 5300xl switches can interoperate with older devices in a switch mesh only after being placed in backwards compat...
Scenario 1: In a heterogeneous mesh, creating the mesh with only one 5300xl, 3400cl, or 6400cl switch. The Switch 4000M is not supported in topologies allowing the same MAC address on multiple switches. (Figure: Untagged VLAN 1, Switch.)
This is because Mesh Domain "B" includes a Switch 1600M, 2400M, 2424M, 4000M, or 8000M.
Figure 7-7. Example of Topology Where Adjacent Switch Meshes Cannot Be Merged Into a Single Mesh
■ Automatic Broadcast Control (ABC) on HP Procurve 8000M/4000M/...
Configuring Switch Meshing
Preparation
Before configuring switch meshing:
■ Review the Operating Rules (page 7-5), and particularly the restrictions and requirements for using switch meshing in environments that include static trunks, multiple static VLANs, GVRP, IGMP, and STP. To avoid unnecessary system disruption, plan the mesh bring-up to mini...
3. In the Group column, move the cursor to the port you want to assign to the switch mesh. Press [M] to choose Mesh for the selected port.
5. Use the up-arrow or down-arrow key to select the next port you want to include in your mesh domain, then press again.
The asterisk indicates that you must reboot the switch to cause the Mesh configuration change to take effect.
Figure 7-10. After Saving a Mesh Configuration Change, Reboot the Switch
Press [0] to return to the Main menu.
9. To activate the mesh assignment(s) from the Main menu, reboot the switch by pressing the following keys: [6] (for Reboot Switch)
CLI: To View and Configure Switch Meshing
Port Status and Configuration Features:
viewing switch mesh status (below)
configuring switch meshing (Default: Disabled)
Viewing Switch Mesh Status
Syntax: show mesh
Lists the switch ports configured for meshing, along with the State of each mesh-configured connection, the MAC address of the switch on the opposite end of the link (Adjacent Switch), and the MAC address of the port on the opposite end of the...
Table 7-1. State Descriptions for Show Mesh Output
State: Established. Meaning: The port is linked to a meshed port on another switch and meshing traffic is flowing across the link. The show mesh listing includes the MAC addresses of the adjacent switch and direct connection port on the adjacent switch.
Table 7-2. Operating Details for Figure 7-12
Port / Meshing? / Connection:
Connected to a port that may not be configured for meshing.
Connected to a switch port on a device that is not configured for meshing (another switch, or a hub).
CLI: Configuring Switch Meshing
Syntax: [no] mesh [e] < port-list >
Enables or disables meshing operation on the specified ports.
[no] mesh backward-compat
Enables or disables the switch for backward compatible mode. This allows the 3400cl, 6400cl, and 5300xl switches to interoperate with the 8000M/4000M/2424M/2400M/1600M switches in the same switch mesh.
Operating Notes for Switch Meshing
In a switch mesh domain, traffic is distributed across the available paths with an effort to keep latency the same from path to path. The path selected at any time for a connection between a source node and a destination node is based on these latency and throughput cost factors: Outbound queue depth, or the current outbound load factor for any given...
Also, in an IP environment, HP recommends that you configure IP addresses on meshed switches. This makes the discovery mechanism more robust, which contributes to decreased latency.
Spanning Tree Operation with Switch Meshing
Using STP or RSTP with several switches and no switch meshing configured can result in unnecessarily blocking links and reducing available bandwidth. For example:
Problem: STP enabled and creating traffic bottlenecks. Solution: Enabling meshing on links between switch ports removes STP blocks.
= Non-mesh Switch Ports
Figure 7-18. Connecting a Switch Mesh Domain to Non-Meshed Devices
Note on the Edge-Port Mode in RSTP and MSTP: When using RSTP or MSTP and interconnecting 3400cl, 6400cl, or 5300xl in a mesh with switches that are not in the mesh, all the non-mesh switch ports (as indicated in the figure above) should have the edge-port parameter dis...
this condition occurs, the meshed switch that has a blocked link will automatically increase the cost on the external (non-meshed) link to the point where STP or RSTP will block the external link and unblock the meshed link. This process typically resolves itself in approximately 30 seconds.
Static VLANs
In a network having a switch mesh domain and multiple static VLANs configured, all static VLANs must be configured on each meshed switch, even if no ports on the switch are assigned to any VLAN. (The switch mesh is a member of all static VLANs configured on the switches in the mesh.) When static VLANs are configured, the mesh is seen as a single entity by each VLAN.
VLANs configured to support jumbo traffic, then the port drops any jumbo packets it receives from other devices. In this regard, if a mesh domain includes any HP ProCurve Series 5300xl switches and/or HP ProCurve 1600M/2400M/2424M/4000M/8000M switches along with Series 3400cl and 6400cl switches configured to support jumbo traffic, only the 3400cl and 6400cl switches can transmit and receive jumbo packets.
Requirements and Restrictions
■ Supported Mesh Domain Size:
• In a partially interconnected mesh domain, where there is not a direct connection from every meshed switch to every other meshed switch, the recommended maximum is 12 switches. Figure 7-21 shows a meshed backbone with the maximum supported switch count in a partially interconnected mesh domain.
■ Mesh Support Within the Domain: All switches in the mesh domain, including edge switches, must support the HP switch meshing protocol.
■ Switch Hop Count in the Mesh Domain: A maximum of five (meshed)...
switches detects a duplicate MAC address entering the mesh through separate switches, the 1600M/2400M/2424M/4000M/8000M switch will not be allowed into the switch mesh.
■ Rate-Limiting Not Recommended on Meshed Ports: Rate-Limiting can reduce the efficiency of paths through a mesh domain. (See also “Operating Rules”...
Quality of Service (QoS): Managing Bandwidth More Effectively
Introduction
QoS Feature / Default / Menu / CLI:
UDP/TCP Priority: Disabled — page 8-24 (Refer to the Online Help.)
IP-Device Priority: Disabled — page 8-30
IP Type-of-Service Priority: Disabled — page 8-36
LAN Protocol Priority: Disabled —...
Quality of Service is a general term for classifying and prioritizing traffic throughout a network. That is, QoS enables you to establish an end-to-end traffic priority policy to improve control and throughput of important data. You can manage available bandwidth so that the most important traffic goes first.
QoS is implemented in the form of rules or policies that are configured on the switch. While you can use QoS to prioritize only the outbound traffic while it is moving through the switch, you derive the maximum benefit by using QoS in an 802.1Q VLAN environment (with 802.1p priority tags) or in an untagged VLAN environment (with DSCP policies) where QoS can set priorities that downstream devices can support without re-classifying the traffic.
Terminology
Term: 802.1p priority. Use in This Document: A traffic priority setting carried by a VLAN-tagged packet moving from one device to another through ports that are tagged members of the VLAN to which the packet belongs. This setting can be from 0 - 7.
Term: outbound port queue. Use in This Document: For any port, a buffer that holds outbound traffic until it can leave the switch through that port. There are four outbound queues for each port in the switch: high, medium, normal, and low. Traffic in a port’s high priority queue leaves the switch before any traffic in the port’s medium priority queue, and so on.
■ Configuring a priority for outbound packets and a service (priority) policy for use by downstream devices:
• DSCP Policy: This feature enables you to set a priority policy in outbound IP packets.
You can configure a QoS priority of 0 through 7 for an outbound packet. When the packet is then sent to a port, the QoS priority determines which outbound queue the packet uses: Table 8-2.
5300xl switches.
Note On Using Multiple Classifiers: HP recommends that you configure a minimum number of the available QoS classifiers for prioritizing any given packet type.
3400cl/6400cl Packet Classifiers and Evaluation Order
The 3400cl/6400cl switches provide six QoS classifiers (packet criteria) you can use to configure QoS priority.
Table 8-5. 3400cl/6400cl Classifier Search Order and Precedence
Search Order / Precedence / QoS Classifier:
6 (lowest): Incoming 802.1p Priority (present in tagged VLAN environments); Incoming source-port on the switch...
In general, the precedence of QoS classifiers should be considered when configuring QoS policies. For example, suppose that a system administrator has used an 802.1p priority rule to assign a high priority for packets received on VLAN 100, but has also used another 802.1p priority rule to assign a normal priority for TCP port 80 packets received on the switch.
Precedence Criteria Overview
Layer 3 Protocol Priority. Note: This classifier is available in the 5300xl switches, but not in the 3400cl/6400cl switches. To prioritize traffic in a 3400cl or 6400cl switch according to protocol type, configure the switch to place traffic of the desired protocol type in a specific VLAN, and then apply the VLAN classifier.
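The following worked example is added here and is not HP ProCurve code. It models the precedence rule the text above describes: when a packet matches more than one QoS classifier, the classifier with the lower precedence number decides the 802.1p priority, and that priority selects one of the four outbound queues. The precedence numbers for ToS (3), Layer 3 protocol (4), VLAN-ID (5) and incoming 802.1p (6, the lowest) are the ones this chapter quotes; precedence 1 for the UDP/TCP port classifier, precedence 2 for the IP-device classifier, and the priority-to-queue table are assumptions (the queue table follows the IEEE 802.1p four-queue recommendation, not a table on this page). The packets and rules are constructed sample data.

```python
"""Added worked example (not HP ProCurve code): resolving which QoS classifier
wins when a packet matches several rules, then mapping the resulting 802.1p
priority onto an outbound queue.

Precedence 3 (ToS), 4 (Layer 3 protocol), 5 (VLAN-ID) and 6 (802.1p, lowest)
are quoted in this chapter.  Assumptions: UDP/TCP port = 1, IP-device = 2,
and the priority-to-queue table (IEEE 802.1p four-queue recommendation).
Packets and rules below are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass, field

PRECEDENCE = {
    "udp_tcp_port": 1,     # assumption
    "ip_device": 2,        # assumption
    "tos": 3,              # stated in this chapter
    "layer3_protocol": 4,  # stated in this chapter (5300xl only)
    "vlan_id": 5,          # stated in this chapter
    "dot1p": 6,            # stated in this chapter: lowest precedence
}

# Assumption: which 802.1p priority value feeds which of the four queues.
QUEUE_FOR_PRIORITY = {1: "low", 2: "low", 0: "normal", 3: "normal",
                      4: "medium", 5: "medium", 6: "high", 7: "high"}


@dataclass
class Packet:
    vlan: int
    dot1p: int | None = None     # incoming 802.1p tag; None when untagged
    ip_src: str | None = None
    ip_dst: str | None = None
    dscp: int | None = None      # 6-bit codepoint from the ToS byte
    l4_port: int | None = None   # TCP/UDP port the rule is keyed on
    protocol: str = "ip"         # "ip", "arp", "appletalk", ...


@dataclass
class QosRules:
    """One dict per classifier: match value -> 802.1p priority (0-7)."""
    udp_tcp: dict[int, int] = field(default_factory=dict)
    device: dict[str, int] = field(default_factory=dict)
    tos_dscp: dict[int, int] = field(default_factory=dict)
    protocol: dict[str, int] = field(default_factory=dict)
    vlan: dict[int, int] = field(default_factory=dict)


def matching_rules(pkt: Packet, rules: QosRules) -> list[tuple[int, str, int]]:
    """Every rule the packet hits, as (precedence, classifier, priority)."""
    hits: list[tuple[int, str, int]] = []
    if pkt.l4_port in rules.udp_tcp:
        hits.append((PRECEDENCE["udp_tcp_port"], "udp_tcp_port", rules.udp_tcp[pkt.l4_port]))
    for ip in (pkt.ip_src, pkt.ip_dst):
        if ip in rules.device:
            hits.append((PRECEDENCE["ip_device"], "ip_device", rules.device[ip]))
    if pkt.dscp in rules.tos_dscp:
        hits.append((PRECEDENCE["tos"], "tos", rules.tos_dscp[pkt.dscp]))
    if pkt.protocol in rules.protocol:
        hits.append((PRECEDENCE["layer3_protocol"], "layer3_protocol", rules.protocol[pkt.protocol]))
    if pkt.vlan in rules.vlan:
        hits.append((PRECEDENCE["vlan_id"], "vlan_id", rules.vlan[pkt.vlan]))
    if pkt.dot1p is not None:
        hits.append((PRECEDENCE["dot1p"], "dot1p", pkt.dot1p))
    return hits


def resolve_priority(pkt: Packet, rules: QosRules) -> tuple[int, str]:
    """(802.1p priority, winning classifier).  A packet that matches no rule
    and carries no tag gets priority 0, which goes to the normal queue."""
    hits = matching_rules(pkt, rules)
    if not hits:
        return 0, "none"
    _, classifier, priority = min(hits)   # lowest precedence number wins
    return priority, classifier


def outbound_queue(priority: int) -> str:
    return QUEUE_FOR_PRIORITY[priority]


if __name__ == "__main__":
    # The scenario from the text: VLAN 100 rule says high (7), TCP port 80 rule says normal (0).
    rules = QosRules(vlan={100: 7}, udp_tcp={80: 0})
    for pkt in (Packet(vlan=100, l4_port=80), Packet(vlan=100, l4_port=22), Packet(vlan=200, dot1p=3)):
        prio, who = resolve_priority(pkt, rules)
        print(f"{pkt} -> priority {prio} from {who}, queue {outbound_queue(prio)}")
```

In the scenario from the text, HTTP traffic on VLAN 100 matches both rules; because the UDP/TCP port classifier has the lower precedence number it wins, so the packet leaves through the normal queue rather than the high queue the VLAN rule asked for. That is exactly the surprise the Note On Using Multiple Classifiers warns about, and the reason to keep the number of active classifiers small.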
Preparation for Configuring QoS
QoS operates in VLAN-tagged and VLAN-untagged environments. If your network does not use multiple VLANs, you can still implement the 802.1Q VLAN capability for packets to carry their 802.1p priority to the next downstream device.
For more on how QoS operates with the preceding traffic types, see “Precedence Criteria for QoS Classifiers” on page 8-11.
2. Select the QoS option you want to use. Table 8-8 lists the traffic types (QoS classifiers) and the QoS options you can use for prioritizing or setting a policy on these traffic types: Table 8-8.
DSCPs in IP packets from the switch, configure them to do so by enabling ToS Differentiated Service mode and making sure the same DSCP policies are configured.
5. If you are planning a QoS configuration on a 3400cl or 6400cl switch, refer to the next section, “Planning QoS for the Series 3400cl/6400cl Switches”.
QoS Resource Usage and Monitoring on 3400cl/6400cl Switches
QoS, ACLs, multicast protocols, and Rate-Limiting configurations on the 3400cl/6400cl switches use rule resources on a per-port basis. Per-port rule usage is reserved as shown below: Table 8-9.
The following two CLI commands are unique to the 3400cl/6400cl switches and are useful for planning and monitoring rule usage in a QoS configuration.
Syntax: qos resources help
Provides a quick reference on how QoS and ACLs use rule resources for each configuration option.
Configuring a Policy When There Are Not Enough Rules Available On a Target Port. Attempting to configure a QoS policy on the switch, on a VLAN, or on selected ports when there are not enough rules available on one or more ports that are subject to the command results in the following: ■...
At a minimum, the policies configured on port 5 must be reduced to free up enough rule resources to add a new QoS policy. Depending on the QoS policy you want to add, existing policies on ports 3 and 4 may have to be reduced.
All ports are configured for five QoS device priorities. VLANs 111 and 222 are configured for QoS priority. Ports 1 and 2 use 12 rules; 10 for implementing the 5 device priority QoS instances and one each for implementing the 2 VLAN QoS instances (111 and 222).
Demonstrating How the Switch Uses Resources in DSCP Configurations. In the default configuration, the DSCP map is configured with one DSCP policy (Expedited Forwarding; 101110 with a “7” priority) but, because no ToS Diff-Services options are configured, no rules are used.
Using QoS Classifiers To Configure Quality of Service for Outbound Traffic
QoS Feature / Default / Menu / CLI:
UDP/TCP Priority: Disabled — page 8-24 (Refer to Online Help.)
IP-Device Priority: Disabled —...
type-of-service: Displays the current type-of-service priority configuration. The display output differs according to the ToS option used:
■ IP Precedence: Refer to figure 8-16 on page 8-37.
Note: As mentioned in table 8-6, the 3400cl/6400cl switches do not include the layer 3 protocol classifier. However, you can still apply a QoS priority to non-IP Layer 3 protocol traffic by grouping such traffic into separate VLANs, as desired, and then assigning a priority based on VLAN membership.
Assigning an 802.1p Priority Based on TCP or UDP Port Number
This option assigns an 802.1p priority to (IPv4) TCP or UDP packets as described below.
Figure callouts: Values in these two columns define the QoS classifiers. Indicates 802.1p priority assignments are in use for packets with 23 or 80 as a... Shows the 802.1p priority assignment for packets with the indicated QoS...
3. Assigns the 802.1p priority configured in the switch for the new DSCP. (Refer to “Differentiated Services Codepoint (DSCP) Mapping” on page 8-62.) Forwards the packet through the appropriate outbound port queue.
Syntax: qos dscp-map < codepoint > priority < 0 - 7 >
This command is optional if a priority has already been assigned to the <...
For example, suppose you wanted to assign these DSCP policies to the packets identified by the indicated UDP and TCP port applications: Port Applications / DSCP Policies / DSCP...
3. Assign the DSCP policies to the selected UDP/TCP port applications and display the result.
DSCP Policy Classifier
Figure 8-11. The Completed DSCP Policy Configuration for the Specified UDP/TCP Port Applications
The switch will now apply the DSCP policies in figure 8-11 to IPv4 packets received in the switch with the specified UDP/TCP port applications.
Note: The switch does not allow a QoS IP-device priority for the Management VLAN IP address, if configured. If there is no Management VLAN configured, then the switch does not allow configuring a QoS IP-device priority for the Default VLAN IP address.
For example, configure and list the 802.1p priority for packets carrying the following IP addresses (IP Address / 802.1p Priority): 10.28.31.1, 10.28.31.130, 10.28.31.100, 10.28.31.101. Figure 8-12.
3400cl/6400cl Switch Restriction. On the 3400cl/6400cl switches, “mixing” ToS DSCP policies and 802.1p priorities is not recommended. Refer to the Note on page 8-10.
Syntax: qos device-priority < ip-address > dscp < codepoint >
Assigns a DSCP policy to packets carrying the specified IP address, and overwrites the DSCP in these packets with the <...
Configure the priorities for the DSCPs you want to use. DSCP Policies Configured in this step.
Figure 8-14. Assigning 802.1p Priorities to the Selected DSCPs
Assign the DSCP policies to the selected device IP addresses and display the result.
QoS IP Type-of-Service (ToS) Policy and Priority
QoS Classifier Precedence: 3
This feature applies only to IPv4 traffic and performs either of the following:
■ ToS IP-Precedence Mode: All IP packets generated by upstream devices...
Assigning an 802.1p Priority to IPv4 Packets on the Basis of the ToS Precedence Bits
If a device or application upstream of the switch sets the precedence bits in the ToS byte of IPv4 packets, you can use this feature to apply that setting for prioritizing packets for outbound port queues.
To replace this option with the ToS diff-services option, just configure diff-services as described below, which automatically disables IP-Precedence. To disable IP-Precedence without enabling the diff-services option, use this command: HPswitch(config)# no qos type-of-service...
Operating Notes
Different applications may use the same DSCP in their IP packets. Also, the same application may use multiple DSCPs if the application originates on different clients, servers, or other devices.
Syntax: qos type-of-service diff-services < codepoint >
Causes the switch to read the < codepoint > (DSCP) of an incoming IPv4 packet and, when a match occurs, assign a corresponding 802.1p priority, as configured in the switch’s DSCP table (page 8-63).
configure an 802.1p priority of 7 for packets received with a DSCP of 000110, and then enable diff-services: Executing this command displays the current ToS configuration and shows that the selected DSCP is not currently in use.
Assigning a DSCP Policy on the Basis of the DSCP in IPv4 Packets Received from Upstream Devices
The preceding section describes how to forward a policy set by an edge (or upstream) switch.
Syntax: qos type-of-service diff-services < current-codepoint > dscp < new-codepoint >
Configures the switch to select an incoming IP packet carrying the < current-codepoint >...
The DSCPs for this example have not yet been assigned an 802.1p priority level.
Figure 8-20. Display the Current DSCP-Map Configuration
Configure the policies in the DSCP table: Figure 8-21.
Assign the policies to the codepoints in the selected packet types. The specified DSCP policies overwrite the original DSCPs on the selected packets, and use the 802.1p priorities previously configured in the DSCP policies in step 2.
Details of QoS IP Type-of-Service
IP packets include a Type of Service (ToS) byte. The ToS byte includes:
■ A Differentiated Services Codepoint (DSCP): This element is comprised of the upper six bits of the ToS byte.
Figure 8-23 shows an example of the ToS byte in the header for an IPv4 packet, and illustrates the diffserv bits and precedence bits in the ToS byte. (Note that the Precedence bits are a subset of the Differentiated Services bits.) Field: Destination...
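The following worked example is added here and is not HP ProCurve code. It carries out the ToS byte arithmetic described above (DSCP in the upper six bits, IP Precedence in the upper three) and models the two diff-services behaviours this section configures: qos type-of-service diff-services < codepoint >, which honours an incoming DSCP by assigning the 802.1p priority from the DSCP map, and qos type-of-service diff-services < current-codepoint > dscp < new-codepoint >, which rewrites the DSCP and then uses the priority configured for the new codepoint. The TosConfig structure, the check that a codepoint must already have a priority in the DSCP map before it is used, and the sample codepoints are this example's own constructions.

```python
"""Added worked example (not HP ProCurve code): ToS byte arithmetic and the
two diff-services behaviours described in this section.

The TosConfig model, its "priority must already be in the DSCP map" check
and the sample codepoints are constructed for this example.
"""
from __future__ import annotations
from dataclasses import dataclass, field

EF = 0b101110   # Expedited Forwarding, the one policy in the default DSCP map


def dscp_of(tos: int) -> int:
    """The DSCP is the upper six bits of the ToS byte."""
    return (tos >> 2) & 0x3F


def precedence_of(tos: int) -> int:
    """IP Precedence is the upper three bits, i.e. the top half of the DSCP."""
    return (tos >> 5) & 0x7


def tos_from_dscp(dscp: int, low_bits: int = 0) -> int:
    """Rebuild a ToS byte from a 6-bit codepoint; the two low bits are kept as given."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be a 6-bit value")
    return (dscp << 2) | (low_bits & 0x3)


@dataclass
class TosConfig:
    dscp_map: dict[int, int] = field(default_factory=lambda: {EF: 7})  # codepoint -> 802.1p priority
    diff_services: set[int] = field(default_factory=set)                # codepoints honoured as-is
    policies: dict[int, int] = field(default_factory=dict)              # current -> new codepoint

    def _require_mapped(self, codepoint: int) -> None:
        # Mirrors the order used in this section: qos dscp-map first, then diff-services.
        if codepoint not in self.dscp_map:
            raise ValueError(f"codepoint {codepoint:06b} has no priority in the DSCP map")

    def enable(self, codepoint: int) -> None:
        """qos type-of-service diff-services <codepoint>"""
        self._require_mapped(codepoint)
        self.diff_services.add(codepoint)

    def add_policy(self, current: int, new: int) -> None:
        """qos type-of-service diff-services <current> dscp <new>"""
        self._require_mapped(new)
        self.policies[current] = new


def apply_diff_services(tos: int, cfg: TosConfig) -> tuple[int, int | None]:
    """Return (ToS byte as forwarded, 802.1p priority) for one incoming IPv4 packet.

    A rewrite policy for a codepoint takes priority over a plain diff-services
    entry for the same codepoint.  Packets matching neither are forwarded
    unchanged and get no QoS priority (None).
    """
    cp = dscp_of(tos)
    if cp in cfg.policies:
        new_cp = cfg.policies[cp]
        return tos_from_dscp(new_cp, tos & 0x3), cfg.dscp_map[new_cp]
    if cp in cfg.diff_services:
        return tos, cfg.dscp_map[cp]
    return tos, None


if __name__ == "__main__":
    cfg = TosConfig()
    cfg.dscp_map[0b000110] = 7            # qos dscp-map 000110 priority 7
    cfg.enable(0b000110)                  # honour 000110 as received
    print(apply_diff_services(tos_from_dscp(0b000110), cfg))       # (24, 7)
    cfg.add_policy(0b000110, EF)          # rewrite 000110 -> 101110 instead
    print(apply_diff_services(tos_from_dscp(0b000110), cfg))       # (184, 7)
    print(dscp_of(0xB8), precedence_of(0xB8))                       # 46 5
```

Running the demo shows why the precedence bits are a subset of the DSCP: the EF codepoint 101110 (0xB8 as a ToS byte) reads as IP Precedence 5, so a switch configured for IP-Precedence mode and one configured for diff-services mode can classify the same packet differently. It also shows the operating note above in practice: a device upstream that sets 000110 on two unrelated applications gets both rewritten to EF, because the switch matches on the codepoint alone.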
Page 322
Quality of Service (QoS): Managing Bandwidth More Effectively Using QoS Classifiers To Configure Quality of Service for Outbound Traffic Table 8-12. How the Switch Uses the ToS Configuration ToS Option: Outbound Port IP Precedence Differentiated Services (Value = 0 - 7) IP Packet Sent Out Depending on the value of the IP For a given packet carrying a ToS codepoint that the switch has...
Quality of Service (QoS): Managing Bandwidth More Effectively Using QoS Classifiers To Configure Quality of Service for Outbound Traffic QoS Layer-3 Protocol Priority (5300xl Switches Only) (This feature is available only on the Series 5300xl switches.) QoS Classifier Precedence: 4 The QoS protocol option enables you to use these protocols as QoS classifiers: ■...
For example:
1. Configure QoS protocol classifiers with IP at 0 (normal), ARP at 5 (medium), and AppleTalk at 7 (high) and display the QoS protocol configuration.

QoS VLAN-ID (VID) Priority
QoS Classifier Precedence: 5
The QoS VLAN-ID option enables you to use the VLAN-ID quantities listed below as QoS classifiers.
■...
Syntax: vlan < vid > qos priority < 0 - 7 >
Configures an 802.1p priority for outbound packets belonging to the specified VLAN. This priority determines the packet's queue in the outbound port to which it is sent.
2. You would then execute the following commands to prioritize the VLANs by VID:
Figure 8-26. Configuring and Displaying QoS Priorities on VLANs
If you then decided to remove VLAN_20 from QoS prioritization: In this instance, No-override indicates that VLAN 20 is not...
3400cl/6400cl Switch Restriction. On the 3400cl and 6400cl switches, "mixing" ToS DSCP policies and 802.1p priorities is not recommended. Refer to the Note on page 8-10. For more on DSCP, refer to "Terminology"...
Syntax: vlan < vid > qos dscp < codepoint >
Assigns a DSCP policy to outbound packets belonging to the specified VLAN, and overwrites the DSCP codepoint in these packets with the assigned <...
Configure the priorities for the DSCPs you want to use.
Priorities configured in this step.
Figure 8-29. Assign Priorities to the Selected DSCPs
Assign the DSCP policies to the selected VIDs and display the result.

QoS Source-Port Priority
QoS Classifier Precedence: 6
The QoS source-port option enables you to use a packet's source-port on the switch as a QoS classifier. Where a particular source-port classifier has the highest precedence in the switch for traffic entering through that port, then traffic received from the port is marked with the source-port classifier's configured priority level.
Syntax: no interface < port-list > qos
Disables use of the specified source-port(s) for QoS classifier(s) and resets the priority for the specified source-port(s) to No-override.
Syntax: show qos port-priority
Lists the QoS port-priority classifiers with their priority...
If you then decided to remove port A1 from QoS prioritization: In this instance, No-override indicates that port A1 is not prioritized by QoS.
Figure 8-32.
a. Determine the DSCP you want to assign to the selected packets. (This codepoint will be used to overwrite the DSCP carried in packets received through the source-port from upstream devices.)
b.
For example, suppose you wanted to assign this set of priorities:
Source-Port | DSCP | Priority
000111 B1-B3 000101 B4, C2 000010
1. Determine whether the DSCPs already have priority assignments, which could indicate use by existing applications.
3. Assign the DSCP policies to the selected source-ports and display the result.
Figure 8-35. The Completed Source-Port DSCP-Priority Configuration
RADIUS Override Field. During a client session authenticated by a RADIUS server, the server can impose a port priority that applies only to that client session.
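The ToS-byte split from "Details of QoS IP Type-of-Service" and the three-step source-port DSCP procedure above, modelled in Python as an added example. This is not HP code and does not talk to a switch: it shows how the classifier reads the upper six bits as the DSCP (and the upper three as precedence), how a DSCP policy overwrites those bits, and the step-1 check that a codepoint you are about to re-prioritize is not already in use. The codepoints, priorities and port lists are constructed for the example, and the `interface < port-list > qos dscp < codepoint >` form emitted for step 3 is assumed by analogy with the `vlan < vid > qos dscp` syntax shown in this chapter.

```python
"""Model of the IPv4 ToS byte and of the DSCP-policy workflow (added example, not HP code)."""

NO_OVERRIDE = None  # the switch's "No-override" setting for a codepoint


def parse_tos(tos_byte: int) -> dict:
    """Split a ToS byte into the fields the QoS classifier looks at."""
    if not 0 <= tos_byte <= 0xFF:
        raise ValueError("ToS byte must be 0..255")
    dscp = tos_byte >> 2  # upper six bits
    return {
        "dscp": dscp,
        "codepoint": format(dscp, "06b"),  # six-digit form used on the CLI, e.g. 000111
        "precedence": tos_byte >> 5,       # upper three bits, a subset of the DSCP bits
        "low_bits": tos_byte & 0x3,        # lower two bits (ECN), not part of the DSCP
    }


def remark_dscp(tos_byte: int, codepoint: str) -> int:
    """Apply a DSCP policy: overwrite the six DSCP bits, leave the two low bits alone."""
    if len(codepoint) != 6 or set(codepoint) - {"0", "1"}:
        raise ValueError("codepoint must be six binary digits, e.g. 000111")
    return (int(codepoint, 2) << 2) | (tos_byte & 0x3)


class DscpMap:
    """The DSCP policy table: 64 codepoints, each an 802.1p priority or No-override.
    (A real switch preloads a few AF/EF defaults; this model starts empty.)"""

    def __init__(self):
        self.table = {format(i, "06b"): NO_OVERRIDE for i in range(64)}
        self.names = {}

    def set_priority(self, codepoint: str, priority: int, name: str = None):
        # qos dscp-map <codepoint> priority <0-7> [name <ascii-string>]
        if codepoint not in self.table:
            raise ValueError(f"bad codepoint {codepoint!r}")
        if not 0 <= priority <= 7:
            raise ValueError("802.1p priority must be 0..7")
        self.table[codepoint] = priority
        if name:
            self.names[codepoint] = name

    def clear(self, codepoint: str):
        # Back to No-override: QoS is effectively disabled for that codepoint.
        self.table[codepoint] = NO_OVERRIDE
        self.names.pop(codepoint, None)

    def priority_of(self, codepoint: str):
        return self.table[codepoint]


def plan_source_port_policies(dscp_map: DscpMap, wanted: dict):
    """wanted: {codepoint: (priority, [port-list, ...])}.
    Step 1: a codepoint that already carries a different priority may belong to
    an existing application, so report it instead of silently changing it.
    Steps 2 and 3: emit the CLI in the order the switch needs (priority first,
    then the policy assignment). Returns (conflicts, commands)."""
    conflicts = {}
    for cp, (prio, _ports) in wanted.items():
        current = dscp_map.priority_of(cp)
        if current is not NO_OVERRIDE and current != prio:
            conflicts[cp] = current
    if conflicts:
        return conflicts, []
    commands = [f"qos dscp-map {cp} priority {prio}" for cp, (prio, _) in wanted.items()]
    for cp, (_prio, ports) in wanted.items():
        # Assumed form, by analogy with "vlan <vid> qos dscp <codepoint>".
        commands.append(f"interface {','.join(ports)} qos dscp {cp}")
    return conflicts, commands


if __name__ == "__main__":
    print(parse_tos(0xB8))                       # EF: dscp 46, codepoint 101110, precedence 5
    print(hex(remark_dscp(0xB9, "000111")))      # DSCP rewritten, low bits kept
    dmap = DscpMap()
    # Constructed plan: priorities chosen for the example, not taken from the guide.
    print(plan_source_port_policies(dmap, {"000111": (7, ["B1-B3"]), "000101": (5, ["B4", "C2"])}))
```

The conflict check is the part worth keeping: `show qos dscp-map` on the switch tells you whether a codepoint already has a priority, and re-prioritizing one that another application relies on changes that application's queueing without any error from the CLI.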
Syntax: show qos dscp-map
Displays the DSCP Policy Table.
qos dscp-map < codepoint > priority < 0 - 7 > [name < ascii-string >]
Configures an 802.1p priority for the specified codepoint and, optionally, an identifying (policy) name.
Default Priority Settings for Selected Codepoints
In a few cases, such as 001010 and 001100, a default policy (implied by the DSCP standards for Assured-Forwarding and Expedited-Forwarding) is used.
Figure 8-36. Example of Show Config Listing with Non-Default Priority Settings in the DSCP Table
Effect of "No-override". In the QoS Type-of-Service differentiated services mode, a No-override assignment for the codepoint of an outbound packet means that QoS is effectively disabled for such packets.
2. Change the classifier configurations by assigning them to a different DSCP policy, or to an 802.1p priority, or to No-override.
Reconfigure the desired priority for the 000001 codepoint.
Three classifiers use the codepoint that is to be changed.
Two classifiers do not use the codepoint that is to be changed.
Figure 8-38.
2. Change the classifier configurations by assigning them to a different DSCP policy, or to an 802.1p priority, or to No-override. For example:
a. Delete the policy assignment for the device-priority classifier.

IP Multicast (IGMP) Interaction with QoS
IGMP high-priority-forward causes the switch to service the subscribed IP multicast group traffic at high priority, even if QoS on the switch has relegated the traffic to a lower priority.
On IPv4 packets with IP options, the 5300xl switches support QoS for 802.1p priority policies, but do not do any DSCP re-marking for DSCP policies.
■ All Switches: For explicit QoS support of IP subnets, HP recommends forcing IP subnets onto separate VLANs and then configuring VLAN-based classifiers for those VLANs.
QoS Operating Notes and Restrictions
■ 3400cl and 6400cl Switches Only—SAP-Encapsulated Packet Restriction: Except for source-port QoS and VLAN QoS, the 3400cl/6400cl switches do not support QoS (or ACL) operation for SAP-Encapsulated packets.
■ All Switches—Not Supported: Use of an inbound 802.1p packet priority as a classifier for remapping a packet's outbound priority to a different 802.1p priority. For example, where inbound packets carry an 802.1p priority of 1, QoS cannot be configured to use this priority as a classifier for changing the outbound priority to 0.
Access Control Lists (ACLs) for the Series 5300xl Switches
Introduction
ACLs on the 5300xl switches can filter traffic to or from a host, a group of hosts, or entire subnets. This chapter describes how to configure, apply, and edit ACLs in a network populated with HP Series 5300xl switches (with IP routing support enabled) and how to monitor the results of ACL actions.
Notes
ACLs can enhance network security by blocking selected IP traffic, and can serve as part of your network security program.
For ACL filtering to take effect, configure an ACL and then assign it to either the inbound or outbound traffic on a statically configured VLAN on the switch. (Except for ACEs that screen traffic to an IP address on the switch itself, ACLs assigned to VLANs can operate only while IP routing is enabled.)
Action | Command | Page
Deleting an ACL from the Switch | HPswitch(config)# no ip access-list < standard | extended > < name-str | 1-99 | 100-199 > < in | out >
Displaying ACL Data | HPswitch(config)# show access-list; HPswitch(config)# show access-list config...

Terminology
ACL Mask: Follows any IP address (source or destination) listed in an ACE. Defines which bits in a packet's corresponding IP addressing must exactly match the IP addressing in the ACE, and which bits need not match (wildcards).
– The packet's DA is for an IP address configured on the switch itself. (This increases your options for protecting the switch from unauthorized management access.)
Because ACLs are assigned to VLANs, an ACL that filters inbound traffic on a particular VLAN examines packets meeting the above criteria that have entered the switch through any port on that VLAN.

Overview
Types of IP ACLs
Standard ACL: Use a standard ACL when you need to permit or deny traffic based on source IP address only. Standard ACLs are also useful when you need to quickly control a performance problem by limiting traffic from a subnet, group of devices, or a single device.
■ You would assign either an inbound ACL on VLAN "A" or an outbound ACL on VLAN "B" to filter a packet routed between subnets; that is, from the workstation 18.28.10.5 on VLAN "A" to the server at 18.28.20.99 on VLAN "B".
■ You can apply any one ACL to multiple VLANs.
■ A source or destination IP address and a mask, together, can define a single host, a range of hosts, or all hosts.
■...
6. Assign the ACLs to filter the inbound and/or outbound traffic on static VLAN interfaces configured on the switch.
7. Enable IP routing on the switch. (Except for an ACL configured to filter traffic having the switch itself as the destination IP address, IP routing must be enabled before ACLs will operate.)
8. Test for desired results.

ACL Operation
Introduction
An ACL is a list of one or more Access Control Entries (ACEs), where each ACE consists of matching criteria and an action (permit or deny). An ACL applies only to the switch in which it is configured.
The Packet-Filtering Process
Sequential Comparison and Action. When the switch uses an ACL to filter a packet, it sequentially compares each ACE's filtering criteria to the corresponding data in the packet until it finds a match. For a packet with a source IP address of 18.28.156.3, the switch:
1.
Note on Implicit Deny: For ACLs configured to filter inbound packets on a VLAN, remember that Implicit Deny filters routed packets and any bridged packets with a DA specifying the switch itself.
Note: The order in which an ACE occurs in an ACL is significant. For example, if an ACL contains six ACEs, but the first ACE is a "permit IP any", then the ACL permits all IP traffic, and the remaining ACEs in the list do not apply, even if they specify criteria that would make a match with any of the traffic permitted by the first ACE.

Planning an ACL Application
It is important to remember that this ACL (and all ACLs) includes an implicit "deny IP any". That is, routed IP packets (and switched packets having the switch as the destination IP address) that the ACL does not explicitly permit or deny will be implicitly denied, and therefore dropped instead of forwarded on the VLAN.
■ What traffic can you implicitly block by taking advantage of the implicit deny IP any to deny traffic that you have not explicitly permitted? This can reduce the number of entries needed in an ACL.
■ What traffic should you permit? In some cases you will need to...
Guidelines for Planning the Structure of an ACL
The first step in planning a specific ACL is to determine where you will apply it. (Refer to "ACL Inbound and Outbound Application Points" on page 9-8.) You must then determine the order in which you want the individual ACEs in the ACL to filter traffic.
permit any packets that you have not expressly denied, you must enter a permit any or permit ip any any as the last ACE in an ACL. Because, for a given packet, the switch sequentially applies the ACEs in an ACL until it finds a match, any packet that reaches the permit any or permit ip any any entry will be permitted, and will not encounter the "deny ip...
How an ACE Uses a Mask To Screen Packets for Matches
When the switch applies an ACL to inbound or outbound traffic in a VLAN, each ACE in the ACL uses an IP address and ACL mask to enforce a selection policy on the packets being screened.
Rules for Defining a Match Between a Packet and an Access Control Entry (ACE)
■ For a given ACE, when the switch compares an IP address and corresponding mask in the ACE to an IP address carried in a packet:
•...
■ Every IP address and mask pair (source or destination) used in an ACE creates one of the following policies:
• Any IP address fits the matching criteria. In this case, the switch automatically enters the IP address and mask in the ACE.
Example of How the Mask Bit Settings Define a Match. Assume an ACE where the second octet of the mask for an SA is 7 (the rightmost three bits are "on", or "1") and the second octet of the corresponding SA in the ACE is 31 (the rightmost five bits are "1").
Examples Allowing Multiple IP Addresses. Table 9-3 provides examples of how to apply masks to meet various filtering requirements.
Table 9-3. Example of Using an IP Address and Mask in an Access Control Entry
IP Address in the ACE | Mask | Policy for a Match Between a...

Configuring and Assigning an ACL
ACL Feature | Page
Configuring and Assigning a Numbered, Standard ACL | 9-33
Configuring and Assigning a Numbered, Extended ACL | 9-38
Configuring a Named ACL | 9-44
Enabling or Disabling ACL Filtering | 9-46...
Types of ACLs
■ Standard ACL: Uses only a packet's source IP address as a criterion for permitting or denying the packet. For a standard ACL ID, use either a unique numeric string in the range of 1-99 or a unique name string of up to 64 alphanumeric characters.
always functions when the switch uses an ACL to filter packets. (You cannot delete the implicit "deny any", but you can supersede it with a "permit any" statement.)
Standard ACL Structure
Individual ACEs in a standard ACL include only a permit/deny "type"...
Extended ACL Configuration Structure
Individual ACEs in an extended ACL include:
■ A permit/deny "type" statement
■ Source IP addressing
■ Optional TCP or UDP port type with optional source port ID and operator and/or optional destination port ID and operator
■ Destination IP addressing
■...
For example, figure 9-9 shows how to interpret the entries in an extended ACL.
Figure 9-9 callouts: ACL list heading with list type and ID string; "Specifies all destination IP addresses."
ip access-list extended "101"
deny ip 18.28.235.10 0.0.0.0 0.0.0.0 255.255.255.255
deny ip 18.28.245.89 0.0.0.0 0.0.0.0 255.255.255.255
Figure 9-10 callouts: Source; Destination; Source and Destination IP Addresses for the ACE in line 4 of the ACL.
In Any ACL, There Will Always Be a Match
As indicated in figure 9-10, the switch automatically uses an implicit "deny IP any" (Standard ACL) or "deny IP any any" (Extended ACL) as the last ACE in any ACL.
You can use either the switch CLI or an offline text editor to create an ACL. This section describes the CLI method, which is recommended for creating short ACLs.
Configuring and Assigning a Numbered, Standard ACL
This section describes how to configure numbered, standard ACLs.
■ To configure named ACLs, refer to "Configuring a Named ACL" on...
Syntax: [no] access-list
Creates an ACE in the specified (1-99) access list and indicates the action (deny or permit) to take on a packet if there is a match between the packet and the criterion in the entry.
The mask is applied to the IP address in the ACL to define which bits in a packet's source IP address must exactly match the IP address configured in the ACL and which bits need not match.
• Permits IP traffic from the indicated IP address. Since, for this example, ACL 50 is a new list, this command also creates the ACL.
• Permits IP traffic from the indicated IP address.
• Denies IP traffic from the indicated IP address. Since, for this example, ACL 60 is a new list, this command also creates the ACL.
• Denies IP traffic from the indicated IP address.
Configuring and Assigning a Numbered, Extended ACL
This section describes how to configure numbered, extended ACLs.
■ To configure named ACLs, refer to "Configuring a Named ACL" on...
Syntax: [no] access-list
Creates an ACE in the specified (100-199) access list and:
• Indicates the action (deny or permit) to take on a packet if there is a match between the packet and the criteria in the complete ACE.
< any | host < src-ip-addr > | ip-addr/mask-length >
In an extended ACL, this parameter defines the source IP address (SA) that a packet must carry in order to have a match with the ACE.
Comparison Operators:
• eq < tcp/udp-port-nbr > — "Equal To"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be equal to <...
[log]
Optional; generates an ACL log message if:
• The action is deny. (This option is not configurable for Permit.)
• There is a match.
• ACL logging is enabled on the switch. (Refer to "Enabling ACL Logging on the Switch"...
(Refer to figure 9-13, above.)
Enabling ip routing activates ACL operation on routed traffic. Executing write memory saves the configuration changes to the startup-config file.
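The matching rules described in this chapter (the ACL mask bits in "How an ACE Uses a Mask To Screen Packets for Matches", the second-octet mask example, sequential first-match comparison with the implicit deny, the significance of ACE order, and the extended-ACE source/destination and eq port criteria) as an added Python model. This is example code written for this page, not HP firmware and not the switch CLI; it lets you dry-run an ACL against sample packets before loading it. The addresses, packets and helper names are constructed for illustration, and only the eq port operator shown in the text is modelled.

```python
"""Software model of the 5300xl ACL matching rules (added example, not HP code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _as_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def addr_matches(packet_ip: str, ace_ip: str, mask: str) -> bool:
    """ACL mask semantics: a 0 bit must match exactly, a 1 bit is a wildcard.
    'host x' is x with mask 0.0.0.0; 'any' is 0.0.0.0 with mask 255.255.255.255."""
    m = _as_int(mask)
    return (_as_int(packet_ip) | m) == (_as_int(ace_ip) | m)


def prefix_to_mask(mask_length: int) -> str:
    """The ip-addr/mask-length form of the extended-ACL syntax, e.g. /24 -> 0.0.0.255."""
    if not 0 <= mask_length <= 32:
        raise ValueError("mask length must be 0..32")
    return str(ipaddress.IPv4Address((1 << (32 - mask_length)) - 1))


@dataclass
class ACE:
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0"             # default address/mask pair means "any"
    src_mask: str = "255.255.255.255"
    proto: str = "ip"                # "ip", "tcp" or "udp" (extended ACLs only)
    dst: str = "0.0.0.0"             # standard ACLs never set a destination
    dst_mask: str = "255.255.255.255"
    src_port: Optional[int] = None   # eq operator on the TCP/UDP source port
    dst_port: Optional[int] = None   # eq operator on the TCP/UDP destination port
    log: bool = False                # only meaningful with action == "deny"

    def matches(self, pkt: dict) -> bool:
        if not addr_matches(pkt["src"], self.src, self.src_mask):
            return False
        if not addr_matches(pkt["dst"], self.dst, self.dst_mask):
            return False
        if self.proto == "ip":       # "ip" covers every IP packet, TCP/UDP included
            return True
        if pkt.get("proto") != self.proto:
            return False
        if self.src_port is not None and pkt.get("sport") != self.src_port:
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return True


def evaluate(acl: list, pkt: dict):
    """First match wins. Returns (action, index); index None means the packet
    fell through every ACE to the implicit deny at the end of the list."""
    for i, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, i
    return "deny", None


def unreachable_aces(acl: list, sample_packets: list) -> list:
    """Indexes of ACEs that never select any sample packet. Run this with the
    traffic each ACE was written for: an entry that never fires is either
    shadowed by a broader earlier ACE (the 'permit ip any first' mistake) or
    carries a wrong mask."""
    hit = set()
    for pkt in sample_packets:
        _action, idx = evaluate(acl, pkt)
        if idx is not None:
            hit.add(idx)
    return [i for i in range(len(acl)) if i not in hit]


if __name__ == "__main__":
    # Constructed packets: Telnet and HTTP from the same workstation to one server.
    telnet = {"src": "10.10.20.17", "dst": "10.10.10.100", "proto": "tcp", "sport": 40000, "dport": 23}
    web = dict(telnet, dport=80)
    # deny tcp host 10.10.20.17 host 10.10.10.100 eq 23 log, then permit ip any any
    acl = [ACE("deny", "10.10.20.17", "0.0.0.0", "tcp", "10.10.10.100", "0.0.0.0", dst_port=23, log=True),
           ACE("permit")]
    print(evaluate(acl, telnet), evaluate(acl, web))
    print("shadowed:", unreachable_aces([ACE("permit"), acl[0]], [telnet, web]))
```

The mask example in the text (second octet of the mask 7, second octet of the ACE address 31) comes out as `addr_matches("10.24.0.1", "10.31.0.0", "0.7.255.255")` being true for any second octet from 24 through 31 and false outside that range, which is the quickest way to convince yourself that the 1 bits are the wildcards, not the match bits.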
Configuring a Named ACL
You can use the "Named ACL" context to configure a standard or extended ACL with an alphanumeric name instead of a number. Note that the command structure for configuring a named ACL differs from that for a numbered ACL.
< name-str | 1-99 | 100-199 >
Consists of an alphanumeric string of up to 64 case-sensitive characters. If you include a space in the string, you must also enclose the string with quotes.
Figure 9-15 callouts: Command Entry for Source IP Address and Mask; Command Entry for Destination IP Address and Mask; Configured Source IP Address and Mask; Configured Destination IP Address and Mask.
Deleting an ACL from the Switch
Enabling an ACL from the Global Configuration Level
Enabling an ACL from a VLAN Context
Disabling an ACL from the Global Configuration Level
Disabling an ACL from a VLAN Context

Displaying ACL Data
ACL Commands | Function | Page
show access-list | View a brief listing of all ACLs on the switch. | 9-48
show access-list config | Display the CLI commands for generating the ACLs configured in the switch. | 9-49
Display the Content of All ACLs on the Switch
This command lists the configuration details for every ACL configured in the running-config file, regardless of whether you have assigned any to filter traffic on VLANs configured on the switch.
Display the ACL Assignments for a VLAN
This command briefly lists the identification and type(s) of ACLs currently assigned to a particular VLAN in the running-config file. (The switch allows up to two ACL assignments per VLAN;...
Displaying the Content of a Specific ACL
This command displays a specific ACL configured in the running-config file in an easy-to-read tabular format.
Note: This information also appears in the show running display. If you executed write memory after configuring an ACL, it appears in the show config display.
Figure callouts, listing for a Standard ACL: "Indicates whether the ACL is assigned to a VLAN."
Figure callouts, listing for an Extended ACL: "Indicates that the source TCP port can be any value." "Indicates whether the ACL is assigned to a VLAN."
Display All ACLs and Their Assignments in the Switch Startup-Config File and Running-Config File
The show config and show running commands include in their listings any configured ACLs and any ACL assignments to VLANs.

Editing ACLs and Creating an ACL Offline
General Editing Rules
■ You can delete any ACE from an ACL by repeating the ACE's entry command, preceded by the "no" statement.
■ When you enter a new ACE, the switch inserts it as the last entry of the specified ACL.
For example, the first of the following two commands creates an ACE in ACL 22 and the second deletes the same ACE:
(Creates an ACE in ACL 22.)
(Removes the same ACE from ACL 22, regardless of the ACE's position in the...
Working Offline To Create or Edit an ACL
For longer ACLs that would be difficult or time-consuming to accurately create or edit in the CLI, you can use the offline method:
Begin by doing one of the following:
• To edit one or more existing ACLs, use copy command-output tftp to...
For example, suppose that you wanted to create an extended ACL to fulfill the following requirements (assume a subnet mask of 255.255.255.0):
■ ID: "Controls for VLAN 20"
■ Deny Telnet access to a server at 10.10.10.100 on VLAN 10 from these...
You can use the “ “ character to denote a comment. The file stored on your TFTP server retains comments, and they appear when you use copy to download the ACL command file.
Note: If a transport error occurs, the switch does not execute the command and the ACL is not configured.
Next, assign the new ACL to the intended VLAN which, in this example, is for inbound traffic on VLAN 20.

Enable ACL "Deny" Logging
Debug must be enabled for ACLs and one or both of the following:
• logging (for sending messages to Syslog)
• session (for sending messages to the current console interface)
ACL Logging Operation
When the switch detects a packet match with an ACE and the ACE includes both the deny action and the optional log parameter, an ACL log message is...
b. If you are using a Syslog server, use the logging command to configure the server's IP address. (You can configure up to six Syslog servers.) Ensure that the switch can access any Syslog servers you specify.
Configure one or more ACLs with the deny action and the log option.
■ However, excessive logging can affect switch performance. For this reason, HP recommends that you remove the logging option from ACEs for which you do not have a present need. Also, avoid configuring logging where it does not serve an immediate purpose. (Note that ACL logging is not designed to function as an accounting method.) See also "Apparent Failure To Log All "Deny"...

General ACL Operating Notes
When the ACL configuration includes TCP or UDP options, the switch operates in "strict" TCP and UDP mode for increased control. The switch compares all TCP and UDP packets against the ACLs. (In the HP Series 9300 Routing Switches, the Strict TCP and Strict UDP modes are optional and must be specifically invoked.)
Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches
Contents
Introduction 10-3
Terminology ...
Configuring and Assigning an ACL 10-35
Overview ...

Introduction
Feature | Default | Menu | ...
Numbered ACLs: Standard ACLs | None | — | 10-43 | —
Numbered ACLs: Extended ACLs | None | — | 10-48 | —
Named ACLs | — | 10-54 | —
Enable or Disable an ACL | —...
TCP, or UDP traffic by filtering packets where they enter the switch on specific physical ports or trunks. This chapter describes how to configure, apply, and edit ACLs in HP ProCurve Series 3400cl and Series 6400cl switches and how to monitor the results of ACL actions.
Table 10-1. Comprehensive Command Summary
Action | Command | Page
Configuring Standard (Numbered) ACLs | HPswitch(config)# [no] access-list < 1-99 > < deny | permit > < any | host <src-ip-addr > | src-ip-address/mask > [log] | 10-43
Configuring Extended (Numbered) ACLs | HPswitch(config)# [no] access-list <100-199>...
HPswitch(config)# show config
HPswitch(config)# show running

Terminology
3400cl/6400cl Switches: An all-inclusive reference to the HP ProCurve 3400cl and 6400cl switches.
Access Control Entry (ACE): An ACE is a policy consisting of criteria and an action to take (permit or deny) on a packet if it meets the criteria. The elements composing the criteria include:
•...
ACL Mask: Follows an IP address (source or destination) listed in an ACE to specify either a subnet or a group of devices. Defines which bits in a packet's corresponding IP addressing must exactly match the IP address...
Inbound Traffic: For the purpose of defining where the switch applies ACLs to filter traffic, inbound traffic is any IP packet that:
• Enters the switch through a physical port.
•...

Overview
Standard ACL: This type of Access Control List uses the layer-3 IP criterion of source IP address to determine whether there is a match with an inbound IP packet. You can apply a standard ACL to inbound traffic on a port or trunk, including any inbound traffic with a DA belonging to the switch itself.
The switch can apply ACL filtering to traffic entering the switch on ports and/or trunks configured to apply ACL filters. For example, in figure 10-2 you would assign an inbound ACL on port 1 to filter a packet from the workstation 10.28.10.5 to the server at 10.28.20.99.
You can configure ACLs using either the CLI or a text editor. The text-editor method is recommended when you plan to create or modify an ACL that has more entries than you can easily enter or edit using the CLI alone.

ACL Operation
Introduction
An ACL is a list of one or more Access Control Entries (ACEs), where each ACE consists of matching criteria and an action (permit or deny). An ACL applies only to the switch in which it is configured.
The Packet-Filtering Process
Sequential Comparison and Action. When the switch uses an ACL to filter a packet, it sequentially compares each ACE's filtering criteria to the corresponding data in the packet until it finds a match.
Note on Implicit Deny: For ACLs configured to filter inbound packets, note that Implicit Deny filters any packets, including those with a DA specifying the switch itself.

Note: The order in which an ACE occurs in an ACL is significant. For example, if an ACL contains six ACEs, but the first ACE is a “permit IP any”, then the ACL permits all IP traffic, and the remaining ACEs in the list do not apply, even if they specify criteria that would make a match with any of the traffic permitted by the first ACE.

Planning an ACL Application on a Series 3400cl or Series 6400cl Switch

It is important to remember that this ACL (and all ACLs) includes an implicit deny any. That is, inbound IP packets (including switched packets having the switch as the destination IP address) that the ACL does not explicitly permit or deny will be implicitly denied, and therefore dropped.

Prioritizing and Monitoring ACL, IGMP, QoS, and Rate Limiting Feature Usage

If you want to configure ACLs and either QoS or Rate-Limiting (or both) on the same 3400cl or 6400cl port(s), plan and implement your per-port configu...

Standard ACLs:
■ Each ACE, including the implicit deny any ACE in a standard ACL, uses one port rule.
■...

and subnet mask are duplicates of the IP address and subnet mask used for the implicit deny ip any any ACE that the switch automatically includes at the end of every ACL.

The following two CLI commands are unique to the 3400cl/6400cl switches and are useful for planning and monitoring rule and mask usage in an ACL configuration.

Troubleshooting a Shortage of Per-Port Resources

As noted above, a lack of available per-port rules can be caused by a combination of ACL, IGMP, QoS, and Rate-Limiting applications.

the switch’s existing configuration for unnecessary QoS and rate-limiting entries or inefficient applications that could be removed or revised to achieve the desired policies with less resource usage.
Example of ACL Resource Usage

This example illustrates how to check for current per-port rule and mask availability, then how to create and assign an ACL, and then how to verify its effect on per-port rule and mask resources.

■ Permit inbound VLAN 3 traffic on all ports.

Because all ports in the example have the same inbound traffic requirements for ACL filtering, the system administrator needs to create only one ACL for application to all four ports.

Every standard ACL has at least two ACEs: the first ACE that you configure, and the implicit deny any ACE that follows all other configured ACEs in the ACL.

Traffic Management and Improved Network Performance

You can use ACLs to block unnecessary traffic caused by individual hosts, workgroups, or subnets, and to block user access to subnets, devices, and services.

You can also enhance switch management security by using ACLs to block inbound IP traffic that has the switch itself as the destination address (DA).

Caution: ACLs can enhance network security by blocking selected IP traffic, and can serve as one aspect of maintaining network security.

ACL Configuration and Operating Rules

■ Per-Interface ACL Limits. At a minimum an ACL must have one, ...

■ ACLs Operate On Ports and Static Trunk Interfaces: You can assign an ACL to any port and/or any statically configured trunk on the switch.
How an ACE Uses a Mask To Screen Packets for Matches

When the switch applies an ACL to inbound traffic on an interface, each ACE in the ACL uses an IP address and ACL mask to enforce a selection policy on the packets being screened.

Rules for Defining a Match Between a Packet and an Access Control Entry (ACE)

■ For a given ACE, when the switch compares an IP address and ...

■ Every IP address and mask pair (source or destination) used in an ACE creates one of the following policies: •...

Example of How the Mask Bit Settings Define a Match. Assume an ACE where the second octet of the mask for an SA is 7 (the rightmost three bits are “on”, or “1”) and the second octet of the corresponding SA in the ACE is 31 (the rightmost five bits).

Examples Allowing Multiple IP Addresses. Table 10-5 provides examples of how to apply masks to meet various filtering requirements. Table 10-5.
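The following model, added here as a worked example and not code from the HP manual, ties together the sequential comparison, the implicit deny and the mask-bit rules above: it evaluates a packet against an ACL exactly in ACE order and reproduces the "mask octet 7, SA octet 31" case. It assumes the ACL mask is wildcard-style (a '1' bit means "need not match"), that the two networks in the extended-ACL policy on this page are /24 (mask 0.0.0.255), and uses Telnet's TCP port 23; the ACE, Packet and ACL classes are constructed for the example.

```python
"""Added example, not code from the HP manual: a model of how a 3400cl/6400cl
ACL screens an inbound IP packet under the rules the chapter describes.
ACEs are compared in order and the first match decides; an implicit
"deny any" (standard) or "deny any any" (extended) ends every ACL.
Assumption: the ACL mask is wildcard-style, so a '1' bit marks a packet bit
that need not match and a '0' bit marks one that must match the configured
address exactly (this reproduces the page's "mask 7, SA octet 31" example)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Set, Tuple

ANY_MASK = "255.255.255.255"   # every bit "don't care": matches any address
HOST_MASK = "0.0.0.0"          # every bit must match: a single host


def addr_matches(configured: str, acl_mask: str, packet_addr: str) -> bool:
    """True if packet_addr equals configured in every bit the mask sets to 0."""
    care = ~int(IPv4Address(acl_mask)) & 0xFFFFFFFF
    return (int(IPv4Address(configured)) & care) == (int(IPv4Address(packet_addr)) & care)


def octet_match_set(ace_octet: int, mask_octet: int) -> Set[int]:
    """All packet octet values that match one ACE octet under one mask octet.
    Page example: ACE octet 31 with mask octet 7: the leftmost five bits (00011)
    must match and the rightmost three are ignored, so 24..31 all match."""
    care = ~mask_octet & 0xFF
    return {v for v in range(256) if (v & care) == (ace_octet & care)}


@dataclass
class ACE:
    action: str                       # "permit" or "deny"
    src: str = "0.0.0.0"
    src_mask: str = ANY_MASK
    dst: str = "0.0.0.0"              # ignored by a standard ACL
    dst_mask: str = ANY_MASK
    proto: str = "ip"                 # "ip" matches any IP protocol
    dst_port: Optional[int] = None    # "eq <port>"; TCP/UDP only
    log: bool = False                 # optional log parameter (deny ACEs only)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dst_port: Optional[int] = None


@dataclass
class ACL:
    acl_id: str
    extended: bool
    aces: List[ACE] = field(default_factory=list)

    def ace_matches(self, ace: ACE, pkt: Packet) -> bool:
        if not addr_matches(ace.src, ace.src_mask, pkt.src):
            return False
        if not self.extended:
            return True               # a standard ACL tests the source address only
        if not addr_matches(ace.dst, ace.dst_mask, pkt.dst):
            return False
        if ace.proto != "ip":
            if ace.proto != pkt.proto:
                return False
            if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
                return False
        return True

    def evaluate(self, pkt: Packet) -> Tuple[str, str, bool]:
        """Sequential comparison: (action, which ACE matched, log message?)."""
        for n, ace in enumerate(self.aces, 1):
            if self.ace_matches(ace, pkt):
                return ace.action, f"ACE {n}", ace.action == "deny" and ace.log
        kind = "deny any any" if self.extended else "deny any"
        return "deny", f"implicit {kind}", False


# Policy A from the page (port 1): permit Telnet from 10.10.10.44 to 10.10.20.78,
# deny all other IP traffic 10.10.10.0/24 -> 10.10.20.0/24, permit everything else.
ACL_101 = ACL("101", extended=True, aces=[
    ACE("permit", "10.10.10.44", HOST_MASK, "10.10.20.78", HOST_MASK, "tcp", 23),
    ACE("deny", "10.10.10.0", "0.0.0.255", "10.10.20.0", "0.0.0.255", "ip", log=True),
    ACE("permit"),                    # permit ip any any
])

# A standard ACL with a single permit: every other source, including packets
# whose DA is the switch itself, falls through to the implicit deny any.
ACL_50 = ACL("50", extended=False, aces=[ACE("permit", "10.28.10.5", HOST_MASK)])

if __name__ == "__main__":
    for p in (Packet("10.10.10.44", "10.10.20.78", "tcp", 23),
              Packet("10.10.10.44", "10.10.20.78", "tcp", 80),
              Packet("10.10.10.5", "10.10.30.9", "udp", 53)):
        print(ACL_101.acl_id, p, ACL_101.evaluate(p))
    print(sorted(octet_match_set(31, 7)))
```

Reordering the ACEs in ACL_101 (for example moving the final permit first) shows why the page calls ACE order significant: every packet then matches the first entry and the deny never applies.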
Configuring and Assigning an ACL

ACL Feature: Page
Configuring and Assigning a Numbered, Standard ACL: 10-43
Configuring and Assigning a Numbered, Extended ACL: 10-48
Configuring a Named ACL: 10-54
...

You should carefully plan your ACL application before configuring specific ACLs. For more on this topic, refer to “Planning an ACL Application on a Series 3400cl or Series 6400cl Switch”...

Standard ACL Structure

Individual ACEs in a standard ACL include only a permit/deny “type” statement, the source IP addressing, and an optional log command (available with “deny”...

■ Optional ACL log command (available for “Deny” ACLs only)
ip access-list < type > “< id-string >” < permit | deny > ip
Note: The optional log <...

ACL Configuration Factors

ACL Resource Consumption

Consumption of per-port rules and masks can be a significant factor in switches using extensive ACL applications. In this case, resource usage takes precedence over other factors when planning and configuring ACLs.

Table 10-7. Effect of the ACL in Figure 10-13 on Inbound Traffic on the Assigned Port
Line # – Action
Shows list type (extended) and ID (101).
A packet from IP source address 10.28.235.10 will be denied (dropped).

In Any ACL, There Will Always Be a Match

As indicated in figure 10-13, the switch automatically uses an implicit “deny IP any” (Standard ACL) or “deny IP any any” (Extended ACL) as the last ACE in any ACL.

■ Duplicate ACEs are allowed in an ACL. However, multiple instances of an ACE have no effect on filtering because the first instance preempts any subsequent duplicates.
Configuring and Assigning a Numbered, Standard ACL

Configuring Named ACLs: “Configuring a Named ACL” on page 10-54
Configuring Extended, Numbered ACLs: “Configuring and Assigning a Numbered, Extended ACL” on page 10-48

To configure named ACLs, refer to “Configuring a Named ACL”...

Syntax: [no] access-list
Creates an ACE in the specified (1-99) access list and indicates the action (deny or permit) to take on a packet if there is a match between the packet and the criterion in the entry.

The mask is applied to the IP address in the ACL to define which bits in a packet’s source IP address must exactly match the IP address configured in the ACL and which bits need not match.

• Permits IP traffic from the indicated IP address. Since, for this example, ACL 50 is a new list, this command also creates the ACL.

Denies IP traffic from the indicated IP address. Since, for this example, ACL 60 is a new list, this command also creates the ACL.
Denies IP traffic from the indicated IP address.
Configuring and Assigning a Numbered, Extended ACL

This section describes how to configure numbered, extended ACLs. To configure other ACL types, refer to the following table.

To Configure: Refer To:
Standard, numbered ACLs: “Configuring and Assigning a Numbered, Standard ACL”...

Syntax: [no] access-list
Creates an ACE in the specified (100-199) access list and:
• Indicates the action (deny or permit) to take on a packet if there is a match between the packet and the criteria in the complete ACE.

< any | host < src-ip-addr > | ip-addr/mask-length >
In an extended ACL, this parameter defines the source IP address (SA) that a packet must carry in order to have a match with the ACE.

Comparison Operator:
• eq < tcp/udp-port-nbr > — “Equal To”; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be equal to <...

Example of an Extended ACL. Suppose that you want to implement these policies on ports 1, 2, and 3:
A. Permit Telnet traffic from 10.10.10.44 inbound on port 1 to 10.10.20.78, deny all other inbound IP traffic from network 10.10.10.0 (VLAN 10) to 10.10.20.0 (VLAN 20), and permit all other IP traffic from any source to any destination.

(Refer to figure 10-17, above.)
write memory writes the configuration changes to the startup-config file.
Access-List configuration in the switch’s startup-config file.
Configuring a Named ACL

You can use the “Named ACL” context to configure a standard or extended ACL with an alphanumeric name instead of a number. Note that the command structure for configuring a named ACL differs from that for a numbered ACL.

< name-str | 1-99 | 100-199 >
Consists of an alphanumeric string of up to 64 case-sensitive characters. If you include a space in the string, you must also enclose the string with quotes.

Figure 10-19. (Figure callouts: Command Entry for Source IP Address and Mask; Command Entry for Destination IP Address and Mask; Configured Source IP Address and Mask; Configured Destination IP Address and Mask.)

Enabling or Disabling ACL Filtering on an Interface

You can configure one ACL to filter inbound traffic on multiple interfaces. For limits and operating rules, refer to “ACL Configuration and Operating Rules” on page 10-28.

Deleting an ACL from the Switch

Syntax: no ip access-list standard < name-str | 1-99 >
no ip access-list extended < name-str | 100-199 >
Removes the specified ACL from the switch’s running config file.

Displaying ACL Data

Display an ACL Summary

This command lists the configured ACLs, regardless of whether they are assigned to any interfaces.

Syntax: show access-list
Lists a summary table of the name, type, and application status of all ACLs configured on the switch.

Note: You can use the output from this command as input to an offline text file in which you can edit, add, or delete ACL commands. Refer to “Editing ACLs and Creating an ACL Offline”...

For example, if you assigned a standard ACL with an ACL-ID of “1” to filter inbound traffic on port 10, you could quickly verify this assignment as follows: Indicates that a standard ACL with the ID of “2”...

For example, suppose you configured the following two ACLs in the switch:
ACL ID – ACL Type – Desired Action
Standard – • Deny IP traffic from 18.28.236.77 and 18.29.140.107. •...

Table 10-9. Descriptions of Data Types Included in Show Access-List < interface > Output
Field – Description
Name – The ACL identifier. Can be a number from 1 to 199, or a name.
Type – Standard or Extended.

Indicates that one rule and two masks have been used. All other ports show the default quantity of rules and masks, which means that there are no ACLs or QoS assigned to these other ports on the switch.
Editing ACLs and Creating an ACL Offline

Earlier sections of this chapter describe how to use the CLI to create an ACL. The text beginning with “Using the CLI To Edit ACLs”, below, describes how to use the CLI to edit existing ACLs.

■ Deleting the last ACE from a numeric ACL removes the ACL from the configuration. Deleting the last ACE from a named ACL leaves the ACL in memory.

ACL 103 Before Removing the Second “deny” ACE.
Use no access-list to remove this line from ACL 103.
ACL 103 After Removing the Second “deny”...

HPswitch# copy command-output 'show access-list config' tftp 10.28.227.2 acl02.txt pc

• To create a new ACL, just open a text file in the appropriate directory on a TFTP server accessible to the switch.

■ Allow any inbound access from all other addresses on port 2:
■ Permit internet access to the following two IP addresses through port 24, but deny access to all other addresses through this port (without ACL logging).

2. After you copy the above .txt file to a TFTP server the switch can access, you would then execute the following command to download the file to the switch’s startup-config file:
Figure 10-30.

HPswitch(config)# show running

6. If the configuration appears satisfactory, save it to the startup-config file:
HPswitch(config)# write memory

Enable ACL “Deny” Logging

ACL logging enables the switch to generate a message when IP traffic meets the criteria for a match with an ACE that results in an explicit “deny”...

ACL Logging Operation

When the switch detects a packet match with an ACE and the ACE includes both the deny action and the optional log parameter, an ACL log message is sent to the designated debug destination.

For example, suppose that you want to do the following:
■ On port 10, configure an extended ACL with an ACL-ID of 143 to deny ...

■ However, excessive logging can affect switch performance. For this reason, HP recommends that you remove the logging option from ACEs for which you do not have a present need. Also, avoid configuring logging where it does not serve an immediate purpose. (Note that ACL logging is not designed to function as an accounting method.) See also "Apparent Failure To Log All "Deny"...
When the ACL configuration includes TCP or UDP options, the switch operates in “strict” TCP and UDP mode for increased control. The switch compares all TCP and UDP packets against the ACLs. (In the HP Series 9300 Routing Switches, the Strict TCP and Strict UDP modes are optional and must be specifically invoked.)
General ACL Operating Notes

The indicated ACL cannot be applied to an interface because an ACL is already assigned to the interface. The command fails for all included interfaces, including any that do not already have an ACL assigned.
IP Routing Features

Overview of IP Routing

The HP Procurve Series 5300xl, 3400cl, and 6400cl switches offer the following IP routing features:
■ IP Static Routes – up to 256 static routes
■ RIP (Routing Information Protocol) – supports RIP Version 1, Version 1 compatible with Version 2 (default), and Version 2
■ OSPF (Open Shortest Path First) –...

Telnet, Web management, or SNMP access, as well as for routing.

Note: All HP Procurve devices support configuration and display of IP addresses in classical subnet format (example: 192.168.1.1 255.255.255.0) and Classless Interdomain Routing (CIDR) format (example: 192.168.1.1/24). You can use either format when configuring IP address information.

ARP Cache Table

The ARP cache contains entries that map IP addresses to MAC addresses. Generally, the entries are for devices that are directly attached to the routing switch. An exception is an ARP entry for an interface-based static IP route that goes to a destination that is one or more router hops away.

IP Forwarding Cache

The IP forwarding cache provides a fast-path mechanism for forwarding IP packets. The cache contains entries for IP destinations. When an HP ProCurve routing switch has completed processing and addressing for a packet and is ready to forward the packet, the device checks the IP forwarding cache for an entry to the packet’s destination.

IP Route Exchange Protocols

The switch supports the following IP route exchange protocols:
■ Routing Information Protocol (RIP)
■ Open Shortest Path First (OSPF)
These protocols provide routes to the IP route table. You can use one or more of these protocols, in any combination.

Table 11-1 row (IP parameters for routing switches):
Time to Live (TTL) – The maximum number of routers (hops) through which a packet can pass before being discarded. Each router decreases a packet’s TTL by 1 before forwarding the packet. Default: 64 hops. See page: Refer to the chapter titled “Configuring IP...

IP Interface Parameters for Routing Switches

Table 11-2 lists the interface-level IP parameters for routing switches.

Table 11-2. IP Interface Parameters – Routing Switches
IP address – A Layer 3 network interface address; separate IP addresses on individual VLAN interfaces. Default: None configured. See page: chapter 7

Note: Routing Information Protocol (RIP) does not use the router ID. By default, the router ID on an HP routing switch is the lowest numbered IP interface configured on the device. If you prefer, you can explicitly set the router ID to any valid IP address. The IP address cannot be in use on another device in the network.

The < ip-addr > can be any valid, unique IP address.

Note: You can specify an IP address used for an interface on the HP routing switch, but do not specify an IP address in use by another device.
A MAC broadcast is not routed to other networks. However, some routers, including HP routing switches, can be configured to reply to ARP requests from one network on behalf of devices on another network. See “Enabling Proxy ARP”...

(Ethernet cable), since MAC-layer broadcasts reach all the devices on the segment. Proxy ARP is disabled by default on HP routing switches. To enable Proxy ARP, enter the following commands from the VLAN context level in the CLI:...

HPswitch(config)# ip directed-broadcast

Syntax: [no] ip directed-broadcast
HP software makes the forwarding decision based on the routing switch's knowledge of the destination network prefix. Routers cannot determine whether a message is unicast or directed broadcast apart from the destination network prefix.

■ Reply Limit – You can enable or disable ICMP reply rate limiting.

Disabling ICMP Messages

HP devices are enabled to reply to ICMP echo messages and send ICMP Destination Unreachable messages by default. You can selectively disable the following types of Internet Control Message Protocol (ICMP) messages: ■...

Configuring IP Parameters for Routing Switches

Disabling ICMP Destination Unreachable Messages

By default, when an HP device receives an IP packet that the device cannot deliver, the device sends an ICMP Unreachable message back to the host that sent the packet. The following types of ICMP Unreachable messages are generated: ■...

Disabling ICMP Redirects

You can disable ICMP redirects on the HP routing switch only on a global basis, for all the routing switch interfaces. To disable ICMP redirects globally, enter the following command at the global CONFIG level of the CLI:...

Configuring Static IP Routes

■ Null (reject) – the static route consists of the destination network address and network mask, and the reject parameter. Typically, the null route is configured as a backup route for discarding traffic if the primary route is unavailable.

The following command configures a static route to 207.95.7.0, using 207.95.6.157 as the next-hop gateway.
HPswitch(config)# ip route 207.95.7.0/24 207.95.6.157
When you configure a static IP route, you specify the destination address for the route and the next-hop gateway or routing switch interface through which the routing switch can reach the route.

To configure a null static route to drop packets destined for network 209.157.22.x, enter the following commands:
HPswitch(config)# ip route 209.157.22.0 255.255.255.0 reject
HPswitch(config)# write memory

Syntax: ip route < ip-addr > < ip-mask > reject
ip route <...
(a number representing distance) to measure the cost of a given route. The cost is a distance vector because the cost often is equivalent to the number of router hops between the HP routing switch and the destination network.

Configuring RIP

RIP Parameters and Defaults

The following tables list the RIP parameters, their default values, and where to find configuration information.

RIP Global Parameters

Table 11-3 lists the global RIP parameters and their default values.

Table 11-3. RIP Global Parameters
Parameter – Description – Default
...

IP address – The routes that a routing switch learns or advertises can be controlled. Default: The routing switch learns and advertises all RIP routes on all RIP interfaces.
loop prevention – The method the routing switch uses to prevent routing loops caused by advertising a route on the same interface as the one on which the routing switch... Default: Poison reverse.

Note: IP routing must be enabled prior to enabling RIP. The first command in the preceding sequence enables IP routing.

Changing the RIP Type on a VLAN Interface

When you enable RIP on a VLAN interface, RIPv2-only is enabled by default. You can change the RIP type to one of the following on an individual VLAN interface basis: Version 1 only...

These commands configure vlan-1 to add 5 to the cost of each route learned on the interface.
Syntax: ip rip metric < 1-16 >

Configuring RIP Redistribution

You can configure the routing switch to redistribute connected and static routes into RIP.

Syntax: restrict < ip-addr > < ip-mask > | < ip-addr >/< prefix-length >
This command prevents any routes with a destination address that is included in the range specified by the address/mask pair from being redistributed by RIP.

Changing the Route Loop Prevention Method

RIP can use the following methods to prevent routing loops:
■ Split horizon - the routing switch does not advertise a route on the same interface as the one on which the routing switch learned the route.
■ Poison reverse - the routing switch assigns a cost of 16 (“infinity”...
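The two loop-prevention methods, and the per-interface metric from "ip rip metric" above, as an added worked example (not code from the HP manual): it builds the update a router sends out of one interface under split horizon, poison reverse or neither, then shows whether a neighbour that has just lost a route would learn it back. The route table, interface names and router names are constructed for the example; the metric arithmetic follows RIP's hop-count rules with 16 as infinity.

```python
"""Added example, not code from the HP manual: how a RIP router's update out of
one interface differs under the loop-prevention methods the page names, and
how a receiver applies the page's per-interface 'ip rip metric' cost.
Split horizon: a route is omitted from the update sent out of the interface it
was learned on. Poison reverse: it is included there with metric 16, RIP's
"infinity". The route table below is a constructed sample."""
from dataclasses import dataclass
from typing import Dict, List, Optional

RIP_INFINITY = 16                     # the cost the page cites for poison reverse


@dataclass(frozen=True)
class Route:
    prefix: str                       # e.g. "10.2.0.0/16"
    metric: int                       # hop count held in the local route table
    learned_on: Optional[str]         # interface the route came from; None if connected


def build_update(routes: List[Route], out_iface: str, method: str) -> Dict[str, int]:
    """{prefix: advertised metric} for the update sent out of out_iface.
    method is "split-horizon", "poison-reverse" or "none" (no loop prevention)."""
    if method not in ("split-horizon", "poison-reverse", "none"):
        raise ValueError(f"unknown loop prevention method: {method}")
    update: Dict[str, int] = {}
    for r in routes:
        advertised = r.metric
        if r.learned_on == out_iface:           # route came in on this interface
            if method == "split-horizon":
                continue                        # leave it out of the update
            if method == "poison-reverse":
                advertised = RIP_INFINITY       # advertise it as unreachable
        update[r.prefix] = advertised
    return update


def learn_update(table: Dict[str, Route], in_iface: str, update: Dict[str, int],
                 iface_metric: int = 1) -> Dict[str, Route]:
    """Apply an update received on in_iface and return the new route table.
    iface_metric is the page's 'ip rip metric' value added to each learned route."""
    new = dict(table)
    for prefix, metric in update.items():
        cost = min(metric + iface_metric, RIP_INFINITY)
        current = new.get(prefix)
        if current is None:
            if cost < RIP_INFINITY:             # never install an unreachable route
                new[prefix] = Route(prefix, cost, in_iface)
        elif current.learned_on == in_iface or cost < current.metric:
            # the current next hop may always update its own route (a poisoned
            # metric withdraws it); another neighbour replaces it only if better
            new[prefix] = Route(prefix, cost, in_iface)
    return new


# Constructed sample: router B is directly on 10.1.0.0/16, learned 10.2.0.0/16
# from router A over vlan1 and 10.3.0.0/16 from another router over vlan2.
B_ROUTES = [
    Route("10.1.0.0/16", 1, None),
    Route("10.2.0.0/16", 2, "vlan1"),
    Route("10.3.0.0/16", 3, "vlan2"),
]


def a_relearns_lost_route(method: str) -> bool:
    """If A has just lost 10.2.0.0/16, does B's update over vlan1 hand it back
    (the routing loop the two methods exist to prevent)?"""
    a_table: Dict[str, Route] = {}           # A's table after losing the route
    a_table = learn_update(a_table, "vlan1", build_update(B_ROUTES, "vlan1", method))
    return "10.2.0.0/16" in a_table


if __name__ == "__main__":
    for m in ("none", "split-horizon", "poison-reverse"):
        print(m, build_update(B_ROUTES, "vlan1", m), a_relearns_lost_route(m))
```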
Displaying General RIP Information

To display general RIP information, enter show ip rip at any context level. The resulting display will appear similar to the following:
Figure 11-1. Example of General RIP Information Listing
The display is a summary of Global RIP information, information about interfaces with RIP enabled, and information about RIP peers.

■ Queries – The number of RIP queries that have been received by the routing switch.
■ RIP Interface Information – RIP information on the VLAN interfaces on which RIP is enabled.
• IP Address – IP address of the VLAN interface running RIP.
•...

Displaying RIP Interface Information

To display RIP interface information, enter the show ip rip interface command at any context level. The resulting display will appear similar to the following:
Figure 11-2. Example of Show IP RIP Interface Output
See “RIP Interface Information”...

The information in this display includes the following fields, which are defined under “RIP Interface Information” on page 11-29: IP Address, Status, Send mode, Recv mode, Metric, and Auth. The information also includes the following fields: ■...

The resulting display will appear similar to the following:

    HPswitch# show ip rip peer

     RIP peer information

      IP Address       Bad routes   Last update timeticks
      ---------------  -----------  ---------------------
      100.1.0.100
      100.2.0.100
      100.3.0.100
      100.10.0.100

Figure 11-5. Example of Show IP RIP Peer Output
This display lists all neighboring routers from which the routing switch has received RIP updates.

Displaying RIP Redistribution Information

To display RIP redistribution information, enter the show ip rip redistribute command at any context level:

    HPswitch# show ip rip redistribute

     RIP redistributing

      Route type  Status
      ----------  --------
      connected   enabled
      static      enabled

Figure 11-7.
IP Routing Features Configuring OSPF
Configuring OSPF. This section describes how to configure OSPF using the CLI interface. To display OSPF configuration information and statistics, see “Displaying OSPF Information” on page 11-53. Overview of OSPF: OSPF is a link-state routing protocol. The protocol uses link-state advertisements (LSA) to update neighboring routers regarding its interfaces and infor...
An OSPF router can be a member of multiple areas. Routers with membership in multiple areas are known as Area Border Routers (ABRs). Each ABR maintains a separate topological database for each area the router is in. Each topological database contains all of the LSA databases for each router within a given area.
When multiple HP switches on the same network are declaring themselves as DRs, both priority and router ID are used to select the designated router and backup designated router. When only one router on the network claims the DR role despite neighboring routers with higher priorities or router IDs, this router remains the DR.
A second ASBR that is already on-line begins advertising an equivalent route to the same destination. In either case above, the HP switch with the higher router ID floods the AS External LSAs and the other HP switch flushes its equivalent AS External LSAs.
Dynamic OSPF Activation and Configuration. OSPF is automatically activated when you enable it. The protocol does not require a software reload. Without ever having to reset the switch, you can change and save all the OSPF configuration options, including the following: ■...
Configuration Rules ■ If the switch is to operate as an ASBR, you must enable redistribution. When you do that, ASBR capability is automatically enabled. ■ All VLAN interfaces on which you wish to run OSPF must be assigned to one of the defined areas.
Note: When using the CLI, you set global level parameters at the OSPF CONFIG level of the CLI. To reach that level, make sure routing is enabled and then enter the command router ospf at the global CONFIG level. Interface parameters for OSPF are set at the VLAN CONFIG level using the CLI command ip ospf.
Example: Here is an example of the commands to set up several OSPF areas.
HPswitch(ospf)# area 192.5.1.0
HPswitch(ospf)# area 200.5.0.0
HPswitch(ospf)# area 0.0.0.0
HPswitch(ospf)# write memory
Syntax: area < num > | < ip-addr > [normal | stub < cost > [no-summary]] The <...
Note: This feature applies only when the switch is configured as an Area Border Router (ABR) for the area. To completely prevent summary LSAs from being sent to the area, disable the summary LSAs on each OSPF router that is an ABR for the area.
Assigning VLANs to an Area. Once you define OSPF areas, you can assign VLANs to the areas. All VLANs in the switch must be assigned to one of the defined areas on an OSPF router. When a VLAN is assigned to an area, the primary IP address is automatically included in the assignment.
Authentication-key: OSPF supports two methods of authentication for each VLAN: simple password and MD5. In addition, the value can be set to none, meaning no authentication is performed. Only one method of authentication can be active on a subnet at a time. The default authentication value is none. The two authentication methods are configured by different commands: Simple password –...
Assigning Virtual Links. It is highly recommended that all ABRs (area border routers) have either a direct or indirect link to the OSPF backbone area (0.0.0.0 or 0). If an ABR does not have a physical link to the area backbone, the ABR can configure a virtual link to another router within the same area that has a physical connection to the area backbone.
[Figure 11-9. Defining OSPF virtual links within a network. Shown: OSPF Area 0; HP 5308xl “C”, Router ID 209.157.22.1; OSPF Area 1; OSPF Area 2 “transit area”; HP 5308xl “A”, Router ID 10.0.0.1.]
Example. Figure 11-9 shows an OSPF area border router, Routing Switch-A, that is cut off from the backbone area (Area 0).
To configure the virtual link on Routing Switch-C, enter the following commands:
HPswitch(ospf)# area 1 virtual-link 10.0.0.1
HPswitch(ospf)# write memory
Syntax: area <ip-addr> | <num> virtual-link <router-id> The area < ip-addr > | < num > parameter specifies the transit area. The <router-id>...
■ Simple password – Use the area <num> | <ip-addr> virtual-link <ip-addr> authentication-key <password> command. The simple password method of authentication requires you to configure an alphanumeric password on an interface. The simple password setting takes effect immediately. All OSPF packets transmitted on the interface contain this password.
Note: Do not enable redistribution until you have configured the redistribution filters. Otherwise, the network might get overloaded with routes that you did not intend to redistribute. Example: To configure the switch acting as an ASBR to filter out redistribution of static or connected routes on network 10.0.0.0, enter the following commands: HPswitchASBR(config)# router ospf...
Enabling Route Redistribution. Note: Do not enable redistribution until you have configured the redistribution “restrict” filters. Otherwise, the network might get overloaded with routes that you did not intend to redistribute. To enable redistribution of connected and static IP routes into OSPF, enter the following commands.
Modifying OSPF Traps Generated. OSPF traps as defined by RFC 1850 are supported on the switches covered in this guide. OSPF trap generation is enabled by default. When using the CLI, you can disable all or specific OSPF trap generation by entering the following CLI command: HPswitch(ospf)# no snmp-server trap ospf To later re-enable the trap feature, enter the command:...
OSPF Trap Name / MIB Object:
originate-lsa-trap / ospfOriginateLsa
originate-maxage-lsa-trap / ospfMaxAgeLsa
link-state-database-overflow-trap / ospfLsdbOverflow
link-state-database-approaching-overflow-trap / ospfLsdbApproachingOverflow
Examples: 1. To stop an OSPF trap from being collected, use the following CLI command: HPswitch(ospf)# no trap < ospf-trap > 2. To disable reporting of the neighbor-state-change-trap, enter the following command: HPswitch(ospf)# no trap neighbor-state-change-trap 3. To reinstate the trap, enter the following command:...
Displaying OSPF Information. You can use CLI commands to display the following OSPF information (OSPF Information Type / Page): General Information 11-53; Area information 11-55; External link state information 11-56; Interface information 11-57; Link state information 11-60; Neighbor information 11-62...
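The two authentication methods described above (simple password and MD5, for VLAN interfaces and for virtual links) put the key on the wire very differently. The following Python script is an added example written for this page; it is not HP code and not part of the ProCurve CLI. It builds an OSPF Hello header the way RFC 2328 Appendix D specifies for each method and shows that the simple password is carried verbatim in the 64-bit Authentication field of every packet, while MD5 authentication carries only a key ID and a sequence number in the header and appends a keyed digest that the receiver recomputes. The router ID, area ID, key ID, keys and Hello body are constructed sample values.

```python
"""Added example (not HP code): what the two OSPF authentication methods
put on the wire, following RFC 2328 Appendix D."""
import hashlib
import hmac
import struct

AUTH_NONE, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2
# version, type, length, router id, area id, checksum, AuType, Authentication (64 bits)
HDR = struct.Struct("!BBHIIHH8s")
HELLO = 1
# Constructed Hello body: mask, hello interval, options, priority, dead interval, DR, BDR
HELLO_BODY = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def simple_password_packet(password: bytes, router_id: int, area_id: int,
                           body: bytes = HELLO_BODY) -> bytes:
    """Simple password: the key itself, zero padded to 8 bytes, is the Authentication field."""
    auth = password[:8].ljust(8, b"\x00")
    pkt = HDR.pack(2, HELLO, HDR.size + len(body), router_id, area_id, 0,
                   AUTH_SIMPLE, auth) + body
    # The checksum covers the whole packet except the 64-bit Authentication field (bytes 16-23).
    ck = ip_checksum(pkt[:16] + pkt[24:])
    return pkt[:12] + struct.pack("!H", ck) + pkt[14:]


def md5_packet(key: bytes, key_id: int, seq: int, router_id: int, area_id: int,
               body: bytes = HELLO_BODY) -> bytes:
    """Cryptographic authentication: the Authentication field carries 0, Key ID, digest
    length (16) and a sequence number; the checksum stays zero; MD5 over
    (packet || 16-byte key) is appended, so the key itself never appears on the wire."""
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = HDR.pack(2, HELLO, HDR.size + len(body), router_id, area_id, 0,
                   AUTH_MD5, auth) + body
    return pkt + hashlib.md5(pkt + key[:16].ljust(16, b"\x00")).digest()


def password_on_wire(pkt: bytes) -> bytes:
    """What a capture of a simple-password packet shows straight in the header."""
    *_, autype, auth = HDR.unpack_from(pkt)
    return auth.rstrip(b"\x00") if autype == AUTH_SIMPLE else b""


def verify_md5(pkt: bytes, keys: dict, last_seq: int) -> bool:
    """Receiver side: select the key by Key ID, recompute the digest, compare in constant
    time, and reject packets whose sequence number went backwards (replayed packets)."""
    if len(pkt) < HDR.size:
        return False
    _, _, length, _, _, _, autype, auth = HDR.unpack_from(pkt)
    if autype != AUTH_MD5 or len(pkt) != length + 16:
        return False
    _, key_id, digest_len, seq = struct.unpack("!HBBI", auth)
    if digest_len != 16 or key_id not in keys or seq < last_seq:
        return False
    expected = hashlib.md5(pkt[:length] + keys[key_id][:16].ljust(16, b"\x00")).digest()
    return hmac.compare_digest(expected, pkt[length:])
```

The check a practitioner should take from this: a simple password protects only against accidental adjacency with a misconfigured neighbor, because every Hello carries it in clear text; MD5 authentication with a per-neighbor sequence number is the setting to use wherever a segment is shared with untrusted hosts.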
Syntax: show ip ospf general
The following fields are shown in the OSPF general status display (Table 11-6. CLI Display of OSPF General Information; This Field... / Displays...): OSPF protocol: indicates whether OSPF is currently enabled. Router ID: the Router ID that this routing switch is currently using to identify itself...
Displaying OSPF Area Information. To display OSPF area information, enter show ip ospf area at any CLI level:
HPswitch> show ip ospf area
OSPF Area Information
Area ID Type Cost SPFR ASBR LSA Checksum
--------------- ------ ----- ------ ---- ---- ----- ----------
0.0.0.0 normal 0 0x0000781f...
Displaying OSPF External Link State Information. To display external link state information, enter show ip ospf external-link-state at any CLI level. When you enter this command, an output similar to the following is displayed:
HPswitch# show ip ospf external-link-state
Link State ID Router ID Sequence #...
The advertise keyword displays the hexadecimal data in the specified LSA packet, that is, the actual contents of the LSAs. This can also be filtered as above by including the link-state-id, router-id, or sequence-number options.
HPswitch# show ip ospf external-link-state advertise
OSPF External LSAs Advertisements
------------------------------------------------------------------------...
Syntax: show ip ospf interface [vlan < vlan-id > | < ip-addr >]
The OSPF interface display shows the following information (Table 11-9. CLI Display of OSPF Interface Information; This Field... / Displays...): IP Address: the local IP address for this interface. Status: enabled or disabled, whether OSPF is currently enabled on this interface.
Displaying OSPF Interface Information for a Specific VLAN or IP Address. To display OSPF interface information for a specific VLAN or IP address, enter show ip ospf interface < ip-addr > at any CLI level. For example:
HPswitch# show ip ospf interface 10.3.18.36
OSPF Interface Status for 10.3.18.36
IP Address...
This Field... / Displays...: Hello Interval: configured hello interval for this interface. Rtr Dead Interval: configured router dead interval for this interface. Designated Router: IP address of the router that has been elected designated router on this interface. Backup Desig.
Syntax: show ip ospf link-state
The OSPF link state display shows the contents of the LSA database, one table for each area. The following information is shown (Table 11-11. CLI Display of OSPF Link State Information): This Field...
An example of the show ip ospf link-state advertise output is:
OSPF Link State Database for Area 0.0.0.0
Advertisements
------------------------------------------------------------------------
000202010a0008200a00082080000281a7b60054000000050a030e00ffffff0003000001...
000202010a0008210a00082180000006a5c90024010000010a0008230a03112104000002
000102010a0008230a00082380000015755d006c010000070a030600ffffff0003000001...
000202020a0302250a0008258000000702440024ffffff000a0008250a0008230a000820
000202030a0310000a00082180000008c043001cffffff0000000002
000102030a0310000a00082380000009a859001cffffff0000000001
000002030a0310000a00082480000009ac53001cffffff0000000002
000202040a0008240a000821800000032abb001c000000000000000b
000102040a0008240a00082380000004c12a001c0000000000000002
OSPF Link State Database for Area 10.3.16.0
Advertisements
------------------------------------------------------------------------
000202010a0008210a0008218000027fd33d0054050000050a031900ffffff0003000001...
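Each hexadecimal line in the display above is a raw LSA that starts with the 20-byte LSA header of RFC 2328 Appendix A.4.1 (LS age, options, LS type, Link State ID, Advertising Router, LS sequence number, LS checksum, length). The following Python parser is an added example, not part of the guide or of HP's software: it decodes those header fields from the lines shown above, decodes the body of a summary LSA, and recomputes the Fletcher checksum that OSPF uses to protect link-state database contents, so a complete LSA copied from the display can be checked for corruption. Lines the display truncates (ending in "...") are handled as partial LSAs whose checksum cannot be verified. The sample lines are copied from the display above; the tampered variant used in the test is constructed.

```python
"""Added example: decode LSAs from `show ip ospf link-state advertise` output."""
import ipaddress
import struct

# LS age, options, LS type, Link State ID, Advertising Router, LS seq, LS checksum, length
LSA_HDR = struct.Struct("!HBBIIIHH")
LSA_TYPES = {1: "router", 2: "network", 3: "summary-net",
             4: "summary-asbr", 5: "as-external"}

# Complete summary LSAs (28 bytes each) copied from the display above
SAMPLE_LSAS = [
    "000202030a0310000a00082180000008c043001cffffff0000000002",
    "000102030a0310000a00082380000009a859001cffffff0000000001",
]
# A router LSA the display truncates (only the first 36 bytes are shown)
TRUNCATED_LSA = "000202010a0008200a00082080000281a7b60054000000050a030e00ffffff0003000001..."


def fletcher_ok(lsa: bytes) -> bool:
    """RFC 2328 12.1.7: ISO 8473 Fletcher checksum over the LSA, excluding the
    16-bit LS age field. For an intact LSA both running sums end at zero."""
    c0 = c1 = 0
    for b in lsa[2:]:
        c0 = (c0 + b) % 255
        c1 = (c1 + c0) % 255
    return c0 == 0 and c1 == 0


def parse_lsa(hexline: str) -> dict:
    """Decode one display line. A trailing '...' marks a line the CLI cut short."""
    truncated = hexline.endswith("...")
    h = hexline.rstrip(".")
    if len(h) % 2:          # drop a dangling half byte from a cut line
        h = h[:-1]
    data = bytes.fromhex(h)
    if len(data) < LSA_HDR.size:
        raise ValueError("shorter than an LSA header")
    age, options, ls_type, ls_id, adv, seq, cksum, length = LSA_HDR.unpack_from(data)
    lsa = {
        "age": age,
        "options": options,
        "type": LSA_TYPES.get(ls_type, "unknown(%d)" % ls_type),
        "ls_id": str(ipaddress.IPv4Address(ls_id)),
        "adv_router": str(ipaddress.IPv4Address(adv)),
        "seq": seq,
        "checksum": cksum,
        "length": length,
        "complete": not truncated and len(data) == length,
    }
    # The checksum can only be recomputed when the whole LSA is present.
    lsa["checksum_ok"] = fletcher_ok(data[:length]) if lsa["complete"] else None
    if ls_type == 3 and lsa["complete"] and length >= 28:
        # Summary LSA body: network mask, then TOS (8 bits) and metric (24 bits)
        mask, tos_metric = struct.unpack_from("!II", data, LSA_HDR.size)
        lsa["network_mask"] = str(ipaddress.IPv4Address(mask))
        lsa["metric"] = tos_metric & 0x00FFFFFF
    return lsa


def parse_display(lines) -> list:
    """Parse every LSA line of a display, skipping headings and separators."""
    out = []
    for line in lines:
        s = line.strip()
        if s and all(c in "0123456789abcdefABCDEF." for c in s) and not s.startswith("-"):
            out.append(parse_lsa(s))
    return out


if __name__ == "__main__":
    for entry in parse_display(SAMPLE_LSAS + [TRUNCATED_LSA]):
        print(entry)
```

Running it on the two complete summary LSAs above reports both as intact (the checksum recomputes to zero), with Link State ID 10.3.16.0 advertised by 10.0.8.33 and 10.0.8.35 at metrics 2 and 1; flipping any byte of one of them makes the check fail, which is the property an operator relies on when the display's LSA Checksum column is compared across routers.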
This display shows the following information (Table 11-12. CLI Display of OSPF Neighbor Information; Field / Description): Router ID: the router ID of the neighbor. Priority: the OSPF priority of the neighbor. The priority is used during election of the Designated Router (DR) and Backup Designated Router (BDR).
Displaying OSPF Redistribution Information. As described under “Enabling Route Redistribution” on page 11-50, you can configure the routing switch to redistribute connected and static routes into OSPF. When you redistribute a route into OSPF, the routing switch can use OSPF to advertise the route to its OSPF neighbors.
This display shows the configured restrict entries. Displaying OSPF Virtual Neighbor Information. To display OSPF virtual neighbor information, enter show ip ospf virtual-neighbor at any CLI level.
OSPF Virtual Interface Neighbor Information
Router ID Area ID State IP Address...
Displaying OSPF Virtual Link Information. To display OSPF virtual link information, enter show ip ospf virtual-link at any CLI level.
HPswitch# show ip ospf virtual-link
OSPF Virtual Interface Status
Transit AreaID Neighbor Router Authentication Interface State
--------------- --------------- --------------- ---------------
10.3.16.0 10.0.8.33...
Example: To get OSPF virtual link information for IP address 10.0.8.33, enter show ip ospf virtual-link 10.0.8.33. A display similar to the following is shown.
HPswitch# show ip ospf virtual-link 10.0.8.33
OSPF Virtual Interface Status for interface 10.0.8.33
Transit AreaID : 10.3.16.0
Neighbor Router : 10.0.8.33...
Displaying OSPF Route Information. To display OSPF route and other OSPF configuration information, enter show ip ospf at any CLI level:
HPswitch# show ip ospf
OSPF Configuration Information
OSPF protocol : enabled
Router ID : 10.0.8.35
Currently defined areas: Stub Stub...
Syntax: show ip ospf
This screen has a lot of information, most of it already covered in other show commands. The following table shows definitions for the fields (Table 11-16. CLI Display of OSPF Route and Status Information; Field / Description): OSPF protocol...
Some types of hosts use the Router Solicitation messages to discover their default gateway. When IRDP is enabled on the HP routing switch, the routing switch responds to the Router Solicitation messages. Some clients interpret this response to mean that the routing switch is the default gateway. If another router is actually the default gateway for these clients, leave IRDP disabled on the HP routing switch.
To enable IRDP on an individual VLAN interface and configure IRDP parameters, enter commands such as the following:
HP(config)# vlan 1
HP(vlan-1)# ip irdp maxadvertinterval 400
This example shows how to enable IRDP on a specific interface (VLAN 1) and change the maximum advertisement interval for Router Advertisement messages to 400 seconds.
IP Routing Features Configuring IRDP
for the routing switch to the hold time specified in the new advertisement. If the hold time of an advertisement expires, the host discards the advertisement, concluding that the router interface that sent the advertisement is no longer available.
IP Routing Features Configuring DHCP Relay
Configuring DHCP Relay. Overview: The Dynamic Host Configuration Protocol (DHCP) is used for configuring hosts with an IP address and other configuration parameters without human intervention. The protocol is composed of three components: the DHCP client, the DHCP server, and the DHCP relay agent.
Minimum Requirements for DHCP Relay Operation. For the DHCP Relay agent to work, the following steps must be completed: 1. DHCP Relay is enabled on the routing switch (the default setting). 2. A DHCP server is servicing the routing switch. 3. IP Routing is enabled on the routing switch. 4. There is a route from the DHCP server to the routing switch and back. 5. An IP Helper address is configured on the routing switch, set to the IP...
Viewing the Current DHCP Relay Configuration. Determining the DHCP Relay Setting: Use show config (or show running for the running-config file) to list the current DHCP Relay setting. Note that because DHCP Relay is enabled in the default configuration, it does not appear in these listings unless it is disabled.
IP Routing Features UDP Broadcast Forwarding on 5300xl Switches
UDP Broadcast Forwarding on 5300xl Switches. This feature applies only to the 5300xl switches. Overview: Some applications rely on client requests sent as limited IP broadcasts addressed to a UDP application port. If a server for the application receives such a broadcast, the server can reply to the client.
For example, VLAN 1 (15.75.10.1) is configured to forward inbound UDP packets as shown in table 11-17 (Table 11-17. Example of a UDP Packet-Forwarding Environment; columns: Interface, Address, Subnet Mask, Forwarding Address, Port, Notes): VLAN 1...
Configuring and Enabling UDP Broadcast Forwarding. To configure and enable UDP broadcast forwarding on the switch: 1. Enable routing. 2. Globally enable UDP broadcast forwarding. 3. On a per-VLAN basis, configure a forwarding address and UDP port type for each type of incoming UDP broadcast you want routed to other VLANs.
< ip-address >: This can be either of the following: • The unicast address of a destination server on another subnet. For example: 15.75.10.43. • The broadcast address of the subnet on which a destination server operates.
Displaying the Current IP Forward-Protocol Configuration. Syntax: show ip forward-protocol [ vlan < vid >] Displays the current status of UDP broadcast forwarding and lists the UDP forwarding address(es) configured on all static VLANs in the switch or on a specific VLAN.
Operating Notes for UDP Broadcast Forwarding. Maximum Number of Entries: The number of UDP broadcast entries and IP helper addresses combined can be up to 16 per VLAN, with an overall maximum of 256 on the switch.
Translation (NAT) for Intranet Applications on the 5300xl Switches This section applies only to the HP ProCurve Series 5300xl switches. Static NAT is useful in applications where you want to conceal a “private”, or hidden region of your network from the general population of users in the “public”...
IP Routing Features Configuring Static Network Address Translation (NAT) for Intranet Applications on the 5300xl Switches
table the switch maintains when NAT is configured. Note also that static NAT operates at layer 3. IP addresses embedded in layers 4 - 7, as is the case with some applications, are not translated by static NAT.
Example. This example uses the topology in figure 11-30 on page 11-82: ■ The switch is connected to the corporate intranet through VLAN 100 (IP address: 15.33.235.1).
Displaying Static NAT Statistics and Configuration. Syntax: show ip nat Displays the current IP NAT static configuration in the running-config file and the current IP NAT counters. Total Translations: Displays a 32-bit counter showing the number of packets in which IP NAT has translated the source or destination IP address from a private address to a public...
Router Redundancy Using XRRP. Contents: Introduction to XRRP (12-2); Terminology ...
Introduction to XRRP. XRRP (XL Router Redundancy Protocol) provides router redundancy, or failover, to a backup router in case one fails. XRRP is similar to the industry standard VRRP (Virtual Router Redundancy Protocol), although the details of the operation are different.
Protection Domain. In figure 1, it is Domain 2. See “Configuring XRRP” on page 12-11 for information on how to configure XRRP. Figure 12-1. XRRP Protection Domain. The clients are connected to the routers through a Layer 2 switch (in this case an HP Procurve Switch 4108gl).
Router Redundancy Using XRRP Overview of XRRP Operation
XRRP During Normal Router Operation. For each router, XRRP defines a virtual router, using the IP address that you have configured on the router interface, and for which XRRP assigns a virtual MAC address based on the Protection Domain ID and the XRRP router number of the router that owns the interface.
XRRP Fail-Over Operation. If all access to a VLAN from one of the routers in the Protection Domain fails, the routing function of that router is automatically transferred to the other router in the Protection Domain. The master of the virtual router in the Protection Domain sends out multicast advertisements at the XRRP advertise...
Note: Figure 12-3 shows a single interface on VLAN 5, but multiple interfaces could exist. For the fail-over to occur, Router-2 must have lost communication on all the VLAN 5 interfaces. When the fail-over occurs, Router-1 would take over as the Master of the IP address for Router-2 on VLAN 5.
Fast Fail-Over. As shown in figure 12-4, if the same link goes down as was shown in figure 12-3, the standard fail-over does not occur. As soon as Router-2 detects the loss of link signal from any device in VLAN 5, it immediately requests, through VLAN 6, that Router-1 take over all of its virtual router resources.
Standard Fail-Over. In the multiple-VLAN situation in which all communication between the routers in the Protection Domain is lost, the standard XRRP fail-over occurs. As shown in figure 6, Router-2 has lost communications on all of its XRRP virtual router interfaces.
If Communication is Maintained Through Non-XRRP Interfaces. In some cases, it may be possible that all connectivity is lost between the routers on all their XRRP virtual router interfaces, in which case XRRP operates and both routers try to take control of all the virtual routers in the Protection Domain. If connectivity still exists on non-XRRP VLANs, however, a situation could occur in which both routers allow and use the same MAC addresses on the...
[Figure 12-6. Example of a Valid Topology for Devices Having Multiple Forwarding Databases in a Multiple VLAN Environment (Switch, Routing Enabled).] As of this printing, the HP Procurve switches having a multiple forwarding database include: ■ Series 5300XL ■...
[Figure 12-7. Example of a Solution for Single-Forwarding to Multiple-Forwarding Database Devices in a Multiple VLAN Environment (Switch, Routing Enabled).] As of this printing, the HP Procurve switches that do not have a multiple forwarding database include: ■ 1600M, 2400M, 2424M, ■...
Router Redundancy Using XRRP Configuring XRRP
Customizing the XRRP Configuration. To customize the XRRP configuration, use any of the following XRRP command options at the CLI global configuration level: Syntax: xrrp domain < 1-16 > no xrrp xrrp [ router < 1-2 >] xrrp failback <...
xrrp failback < 10-999 > This command sets the XRRP fail back time in seconds. The fail back time is the delay that a router will wait before trying to take back control of all the XRRP virtual routers it owns after its VLANs come back up.
• To specifically identify the virtual router interfaces on the other router in the Protection Domain, you would enter an xrrp instance command with the ip parameter. For example, on Router-1 in VLAN 5, to identify the virtual router interface on Router-2 that has the IP address 10.1.1.2 and mask length 24, you would enter the following command: xrrp instance 2 5 ip 10.1.1.2/24...
Note: For every VLAN on which you wish to run XRRP, you must first configure the VLAN with an IP address. Enabling and Disabling XRRP. Syntax: [no] xrrp Once you have completed the XRRP customization, as described in the previous section, use the xrrp command by itself to enable XRRP opera...
Configuration Examples. The following configuration examples create the XRRP setups in the single VLAN and multiple VLAN environments shown in the figures earlier in this chapter. Configuration for Figure 12-2 – Single VLAN Example. See the figure on page 12-4.
Configuration for Figure 12-4 – Multiple VLANs. See the figure on page 12-7. Router-1 Configuration / Explanation:
HPswitch (vlan-5)# ip address 10.1.1.1/24 – Configures the IP address of the router interface in VLAN 5.
HPswitch (vlan-6)# ip address 10.2.1.1/24 – Configures the IP address of the router interface in VLAN 6.
Router Redundancy Using XRRP Displaying XRRP Data
To verify the XRRP configuration and to display XRRP status and statistics, use the following CLI show xrrp commands at either the Manager level or the global configuration level: Syntax: show xrrp traps This command displays the information on the configured XRRP traps.
The keyword instance can be used to display configuration information for the virtual router instance(s). If no parameters are specified after this keyword, the information for all virtual routers is displayed; otherwise, the information for a particular virtual router is displayed by specifying the owner-router-number and the vlan-id in the command.
The keyword instance can be used to display statistics information for the virtual router instance(s) on the switch. If no parameters are specified after this keyword, the information for all virtual routers is displayed; otherwise, the information for a particular virtual router is displayed by specifying the owner-router-number and the vlan-id in the command.
Router Redundancy Using XRRP Comparison Between XRRP and VRRP
The following information compares the characteristics of XRRP and the industry standard VRRP. ■ XRRP will allow a router to respond to SNMP requests on the virtual router IP address even if it is not the owner.
Router Redundancy Using XRRP Messages Related to XRRP Operation
These messages appear in the Event Log and, if Syslog Debug is configured, in the designated Debug destinations. (Message / Meaning)
Unable to alloc a msg buffer from routine <... / Indicates that a message buffer could not be...
Failed to alloc a pkt buf for an XRRP pkt from < routine-name > / Indicates that XRRP was not able to allocate a packet for transmission. This indicates that the system is critically low on resources.
No local IP addr < IP-address-in-hex > from rtr < router-num >, on < vid-num >. / Indicates that XRRP received a packet with an IP address that doesn't match any of the configured IP addresses on the associated virtual router.
Remote rtr < router-num > domain < domain-num > is miss-configured / Indicates that the remote router is misconfigured relative to the local router. This condition will prevent fail-over except when complete router failure has occurred.
Introduction to Stack Management on Series 3400cl and Series 6400cl Switches HP ProCurve Stack Management (stacking) enables you to use a single IP address and standard network cabling to manage a group of up to 16 total switches in the same IP subnet (broadcast domain). Using stacking, you can: ■...
Stack Management for the Series 3400cl and 6400cl Switches Introduction to Stack Management on Series 3400cl and Series 6400cl Switches
Summary of Stacking Features (table columns: Feature, Default, Menu, CLI, Web): view stack status, page 13-25; view status of a single switch, page 13-30; refer to pages 13-27 thru ... Online...
Components of HP ProCurve Stack Management (Table 13-1. Stacking Definitions): Stack: Consists of a Commander switch and any Member switches belonging to that Commander’s stack.
[Figure residue: Wiring Closet "A"; Member Switch 1, IP Address: None Assigned; Candidate Switch, IP Address: None Assigned.] Use the Commander’s console or web browser interface to access the user interface on any Member switch in...
Operating Rules for Stacking. General Rules ■ Stacking is an optional feature (enabled in the default configuration) and can easily be disabled. Stacking has no effect on the normal operation of the switch in your network.
Specific Rules (Table 13-2. Specific Rules for Commander, Candidate, and Member Switch; columns: IP Addressing and Stack Name, Number Allowed Per Stack, Passwords, SNMP Communities): Commander: IP Addr: Requires an...
(if more than one stack Commander is configured in a subnet or broadcast domain). If you plan to install more than one stack in a subnet, HP recommends that you leave Auto Grab disabled on all Commander switches and manually add Members to their stacks.
Stack Management for the Series 3400cl and 6400cl Switches Configuring Stack Management
Options for Configuring a Commander and Candidates. Depending on how Commander and Candidate switches are configured, Candidates can join a stack either automatically or by a Commander manually adding (“pulling”) them into the stack.
■ Default stacking configuration (Stack State set to Candidate, and Auto Join set to Yes) ■ Same subnet (broadcast domain) and default VLAN as the Commander (If VLANs are used in the stack environment, see "Stacking Operation with a Tagged VLAN"...
2. Configure the Commander switch. Doing this first helps to establish consistency in your stack configuration, which can help prevent startup problems. • A stack requires one Commander switch. If you plan to implement more than one stack in a subnet (broadcast domain), the easiest way to avoid unintentionally adding a Candidate to the wrong stack is to manually control the joining process by leaving the...
Using the Menu Interface To View Stack Status and Configure Stacking. Using the Menu Interface To View and Configure a Commander Switch: 1. Configure an IP address and subnet mask on the Commander switch. (Refer to the Management and Configuration Guide for your switch.) 2. Display the Stacking Menu by selecting Stacking in the Main Menu.
4. Move the cursor to the Stack State field by pressing (for Edit). Then use the Space bar to select the Commander option. 5. Press the downarrow key to display the Commander configuration fields in the Stack Configuration screen.
Using the Menu To Manage a Candidate Switch. Using the menu interface, you can perform these actions on a Candidate switch: ■ Add (“push”) the Candidate into an existing stack ■...
1 to 300 seconds. Note: All switches in the stack must be set to the same transmission interval to help ensure proper stacking operation. HP recommends that you leave this parameter set to the default 60 seconds.
6. Press (for Save) to save your configuration changes and return to the Stacking menu. Using the Commander To Manage The Stack. The Commander normally operates as your stack manager and point of entry into other switches in the stack.
Page 615
Stack Management for the Series 3400cl and 6400cl Switches Configuring Stack Management For status descriptions, see the table on page 13-44. Figure 13-9. Example of the Stack Management Screen (for Add) to add a Candidate. You will then see this screen listing 2. Press the available Candidates: The Commander automatically selects an...
Page 616
• If the desired Candidate has a Manager password, press the down-arrow key to move the cursor to the Candidate Password field, then type the password.
• If the desired Candidate does not have a password, go to step 6.
6. Return to the Actions line, then press the Save key to...
2. Stacking Status (All)
You will then see the Stacking Status (All) screen:
For status descriptions, see the table on page 13-44.
[Figure callouts: "This column lists the MAC Addresses for switches discovered (in the local ..." and "Using the MAC addresses for these Members, you can move them between ..."]
Do one of the following:
• If the stack containing the Member you are moving has a Manager password, press the down-arrow key to select the Candidate Password field, then type the password.
• ...
To remove a Member from a stack, use the Stack Management screen. From the Main Menu, select:
9. Stacking...
4. Stack Management
You will then see the Stack Management screen:
For status descriptions, see the table on page 13-44.
4. To continue deleting the selected Member, press the Space bar once to select Yes for the prompt, then press [Enter] to complete the deletion. The Stack Management screen updates to show the new stack Member list.

Using the Commander To Access Member Switches for Configuration Changes and Monitoring Traffic

After a Candidate becomes a stack Member, you can use that stack's...
[Figure callout: Main Menu for stack Member named "Coral Sea" (SN = 1 from figure 13-16)]
Figure 13-17. The eXecute Command Displays the Console Main Menu for the Selected Stack Member
2. You can now make configuration changes and/or view status data for the selected Member in the same way that you would if you were directly connected or telnetted into the switch.
Press the Back key to return to the Stacking Menu.
To display the Stack Configuration menu for the switch you are moving, select:
3. Stack Configuration
Press the Edit key to select the Stack State parameter.
6. Use the Space bar to select Member, then press [v] to move to the Com...
Using Any Stacked Switch To View the Status for All Switches with Stacking Enabled. This procedure displays the general status of all switches in the IP subnet (broadcast domain) that have stacking enabled.
1. Go to the console Main Menu for any switch configured for stacking and select:
9.
You will then see the Commander's Stacking Status screen:
Figure 13-19. Example of the Commander's Stacking Status Screen

Viewing Member Status. This procedure displays the Member's stacking information plus the Commander's status, IP address, and MAC address. To display the status for a Member:
Go to the console Main Menu of the Commander switch and select:
9.
Figure 13-20. Example of a Member's Stacking Status Screen

Viewing Candidate Status. This procedure displays the Candidate's stacking configuration. To display the status for a Candidate:
1. Use Telnet (if the Candidate has a valid IP address for your network) or a direct serial port connection to access the menu interface Main Menu for the Candidate switch and select:
9.
Using the CLI To View Stack Status and Configure Stacking

The CLI enables you to do all of the stacking tasks available through the menu interface.

Table 13-6. CLI Commands for Configuring Stacking on a Switch
CLI Command | Operation
show stack ... |
CLI Command | Operation
[no] stack member <switch-num> ... | Commander: Adds a Candidate to stack membership. "No" form removes a Member from stack membership. To easily determine the MAC address of a ...
Using the CLI To View Stack Status

You can list the stack status for an individual switch and for other switches that have been discovered in the same subnet.
Syntax: show stack [candidates | view | all]

Viewing the Status of an Individual Switch.
Viewing the Status of all Stack-Enabled Switches Discovered in the IP Subnet. The next example lists all the stack-configured switches discovered in the IP subnet. Because the switch on which the show stack all command was executed is a candidate, it is included in the "Others"...
Using the CLI To Configure a Commander Switch

You can configure any stacking-enabled switch to be a Commander as long as the intended stack name does not already exist on the broadcast domain. (When you configure a Commander, you automatically create a corresponding stack.) Before you begin configuring stacking parameters:...
Syntax: no stack
        stack commander <stack name>
Suppose, for example, that an HP switch named "Bering Sea" is a Member of a stack named "Big_Waters". To use the switch's CLI to convert it from a stack Member to the Commander of a new stack named "Lakes", you would use the...
[Figure callouts: "The output from this command tells you the MAC address of the current stack Commander." "Removes the Member from the "Big_Waters" stack." "Converts the former Member to the Commander of the new "Lakes"..."]
Using the Commander's CLI To Manually Add a Candidate to the Stack. To manually add a candidate, you will use:
■ A switch number (SN) to assign to the new member. Member SNs range from 1 to 15.
For example, if the 3400cl-48 in the above listing did not have a Manager password and you wanted to make it a stack Member with an SN of 2, you would execute the following command:
HPswitch(config)# stack member 2 mac-address 0060b0-df1a00...
■ The Candidate's Auto Join is set to Yes (and you do not want to enable Auto Grab on the Commander) or the Candidate's Auto Join is set to No.
■ ...
Syntax: stack member <switch-number> mac-address <mac-addr> [password <password-str>]
In the destination Commander, use show stack all to find the MAC address of the Member you want to pull into the destination stack.
Syntax: no stack name <stack name>
        stack join <mac-address>
If you don't know the MAC address of the destination Commander, you can use show stack all to identify it. For example, suppose you have a switch operating as the Commander for a temporary stack named "Test".
Use show stack view to list the stack Members. For example, suppose that you wanted to use the Commander to remove the "North Sea" Member from the following stack:
[Figure callout: "Remove this Member from the stack."]
You would then execute this command in the "North Sea" switch's CLI to remove the switch from the stack:
North Sea(config)# no stack join 0030c1-7fec40

Using the CLI To Access Member Switches for Configuration Changes and Traffic Monitoring

After a Candidate becomes a Member, you can use the telnet command from the Commander to access the Member's CLI or console interface for the same...
SNMP Community Operation in a Stack

Community Membership

In the default stacking configuration, when a Candidate joins a stack, it automatically becomes a Member of any SNMP community to which the Commander belongs, even though any community names configured in the Commander are not propagated to the Member's SNMP Communities listing.
(Enables stacking on the switch.)
Transmission Interval: All switches in the stack must be set to the same transmission interval to help ensure proper stacking operation. HP recommends that you leave this parameter set to the default 60 seconds.
Syntax: stack transmission-interval <...
■ Stacking uses only the primary VLAN on each switch in a stack.
■ The primary VLAN can be tagged or untagged as needed in the stacking path from switch to switch.
■ ...
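As an added example that is not part of the HP guide, the following Python models the stacking rules described above (Auto Join on a Candidate versus Auto Grab on the Commander, the Manager password a manual add must supply, the `stack member` syntax, the shared transmission interval, and the SNMP community membership a new Member inherits) so that a constructed set of switch settings can be checked before stacking is enabled. The `Switch` class, its field names and the MAC addresses other than the two the guide prints are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_INTERVAL = 60  # seconds; the guide recommends leaving this at the default

@dataclass
class Switch:  # field names are assumptions mirroring the guide's menu fields
    name: str
    role: str                        # "Commander", "Member" or "Candidate"
    mac: str                         # ProCurve notation, e.g. "0060b0-df1a00"
    auto_join: bool = False          # Candidate: Auto Join
    auto_grab: bool = False          # Commander: Auto Grab
    manager_password: bool = False   # a Manager password is configured
    transmission_interval: int = DEFAULT_INTERVAL

def join_method(commander: Switch, candidate: Switch) -> str:
    """Per the guide: a Candidate joins by itself only when its Auto Join and the
    Commander's Auto Grab are both on; otherwise an operator adds it manually,
    supplying the Candidate's Manager password if one is set."""
    if candidate.auto_join and commander.auto_grab:
        return "automatic"
    return "manual+password" if candidate.manager_password else "manual"

def add_member_command(sn: int, candidate: Switch,
                       password: Optional[str] = None) -> str:
    """Build the Commander command from the guide's syntax:
    stack member <switch-number> mac-address <mac-addr> [password <password-str>]"""
    if not 1 <= sn <= 15:
        raise ValueError("Member SNs range from 1 to 15")
    if candidate.manager_password and password is None:
        raise ValueError(f"{candidate.name} has a Manager password; supply it")
    cmd = f"stack member {sn} mac-address {candidate.mac}"
    return cmd + (f" password {password}" if password else "")

def audit(switches: List[Switch]) -> List[Tuple[str, str]]:
    """Findings to review before enabling stacking: Candidates without a Manager
    password, a Commander that grabs Candidates (they then inherit its SNMP
    community membership), and transmission intervals that do not match."""
    findings = []
    for s in switches:
        if s.role == "Candidate" and not s.manager_password:
            findings.append((s.name, "Candidate has no Manager password"))
        if s.role == "Commander" and s.auto_grab:
            findings.append((s.name, "Commander Auto Grab is enabled"))
        if s.transmission_interval != DEFAULT_INTERVAL:
            findings.append((s.name, "transmission interval is not the default 60 s"))
    if len({s.transmission_interval for s in switches}) > 1:
        findings.append(("stack", "transmission intervals differ between switches"))
    return findings
```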