HP 2520-24 Configuration Manual Download Page 70 | Manualshive

Page: 70 / 110

background image

3-2

IPv6 Management Security Features

Authorized IP Managers for IPv6

•

You configure authorized IPv4 manager addresses using the

ip autho-

rized-managers

command. For more information, refer to the “Using

Authorized IP Managers” chapter in the

Access Security Guide

.

•

You configure authorized IPv6 manager addresses using the

ipv6

authorized-managers

command. For more information, see “Configur-

ing Authorized IP Managers for Switch Access” on page 3-3.

■

You can block all IPv4-based or all IPv6-based management stations from
accessing the switch by entering the following commands:

•

To block access to all IPv4 manager addresses while allowing access
to IPv6 manager addresses, enter the

ip authorized-managers 0.0.0.0

command.

•

To block access to all IPv6 manager addresses while allowing access
to IPv4 manager addresses, enter the

ipv6 authorized-managers ::

com-

mand. (The double colon represents an IPv6 address that consists of
all zero’s:

0:0:0:0:0:0:0:0

.)

■

You configure each authorized manager address with Manager or Opera-
tor-level privilege to access the switch in a Telnet, SNMPv1, or SNMPv2c
session. (Access privilege for SSH, SNMPv3, and web browser sessions
are configured through the access application, not through the Authorized
IP Managers feature.)

•

Manager privilege allows full access to all web browser and console
interface screens for viewing, configuration, and all other operations
available in these interfaces.

•

Operator privilege allows read-only access from the web browser and
console interfaces.

■

When you configure station access to the switch using the Authorized IP
Managers feature, the settings take precedence over the access config-
ured with local passwords, servers, RADIUS-assigned settings,
port-based (802.1X) authentication, and port security settings.

As a result, the IPv6 address of a networked management device must be
configured with the Authorized IP Managers feature before the switch can
authenticate the device using the configured settings from other access
security features. If the Authorized IP Managers feature disallows access
to the device, then access is denied. Therefore, with authorized IP man-
agers configured, logging in with the correct passwords is not sufficient
to access a switch through the network unless the station requesting
access is also authorized in the switch’s Authorized IP Managers config-
uration.

«
...
68
69
70
71
72
...
»

Summary of Contents for 2520-24

Page 1: ...HP Switch Software HP 2520 8 PoE Switch HP 2520 24 PoE Switch Software version S 15 09 August 2012 IPv6 Configuration Guide ...

Page 2: ......

Page 3: ...HP Networking 2520 Switches IPv6 Configuration Guide August 2012 S 15 09 ...

Page 4: ...ge without notice HEWLETT PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE Hewlett Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing performance or use of this material The only warra...

Page 5: ...6 on a VLAN 1 12 Neighbor Discovery ND 1 12 Duplicate Address Detection DAD 1 14 DAD Operation 1 14 Configuring DAD 1 15 View the Current IPv6 Addressing Configuration 1 17 Router Access and Default Router Selection 1 23 Router Advertisements 1 23 Router Solicitations 1 24 Default IPv6 Router 1 24 Router Redirection 1 25 View IPv6 Gateway Route and Router Neighbors 1 25 Viewing Gateway and IPv6 Ro...

Page 6: ...mmands Supported 2 21 IP Preserve for IPv6 2 24 3 IPv6 Management Security Features Authorized IP Managers for IPv6 3 1 Usage Notes 3 1 Configuring Authorized IP Managers for Switch Access 3 3 Using a Mask to Configure Authorized Management Stations 3 3 Displaying an Authorized IP Managers Configuration 3 10 Additional Examples of Authorized IPv6 Managers Configuration 3 10 Secure Shell SSH for IP...

Page 7: ...mand 4 11 Configuring Debug Destinations 4 12 Configuring an IPv6 Syslog Server 4 12 For more information see Configuring Debug and Event Log Messaging on page 4 11 4 13 Logging Command 4 13 Displaying a Debug Syslog for Configuration 4 14 A IPv6 Terminology ...

Page 8: ......

Page 9: ...switch interfaces and introduces basic operations Management and Configuration Guide Describes how to configure manage and monitor basic switch operation Advanced Traffic Management Guide Explainshowtoconfiguretraffic management features such as VLANs MSTP QoS and Meshing Access Security Guide Explains how to configure access security fea tures and user authentication on the switch IPv6 Configurat...

Page 10: ...vancedTraffic Management Access Security Guide Basic Operation Guide 802 1Q VLAN Tagging X 802 1p Priority X 802 1X Authentication X AAA Authentication X Authorized IP Managers X Auto MDIX Configuration X BOOTP X Config File X Console Access X Copy Command X Debug X DHCP Configuration X DHCP Bootp Operation X Diagnostic Tools X Downloading Software X Eavesdrop Protection X Event Log X Factory Defa...

Page 11: ...X MAC Lockdown X MAC Lockout X MAC based Authentication X Monitoring and Analysis X Multicast Filtering X Network Management Applications LLDP SNMP X Passwords X Ping X Port Configuration X Port Security X Port Status X Port Trunking LACP X Port Based Access Control 802 1X X Feature Management and Configuration AdvancedTraffic Management Access Security Guide Basic Operation Guide ...

Page 12: ...odem X Spanning Tree MSTP X SSH Secure Shell Encryption X SSL Secure Socket Layer X Stack Management Stacking X Syslog System Information X TACACS Authentication X Telnet Access X TFTP X Time Protocols TimeP SNTP X Troubleshooting X VLANs X Web based Authentication X Web UI X Feature Management and Configuration AdvancedTraffic Management Access Security Guide Basic Operation Guide ...

Page 13: ...P and ND for IPv6 are enabled with default values when IPv6 is first enabled and can either be left in their default settings or reconfigured as needed For more information on ICMP refer to View the Current IPv6 Addressing Configura tion on page 1 17 For more on ND refer to Neighbor Discovery ND on page 1 12 Note The switch is capable of operating in dual stack mode where IPv4 and IPv6 run concurr...

Page 14: ...ocal address A DHCPv6 server can provide other services such as the addresses of time servers For this reason you may want to enable DHCP even if you are using another method to configure IPv6 addressing on the VLAN 2 If IPv6 DHCP service is not enabled on the VLAN then either Enable IPv6 on the VLAN This automatically configures a link local address with an EUI 64 interface identifier Statically ...

Page 15: ... tentative until verified as unique by Duplicate Address Detection Refer to Duplicate Address Detec tion DAD on page 1 14 Enabling IPv6 with an Automatically Configured Link Local Address This command enables automatic configuration of a link local address Syntax no ipv6 enable If IPv6 has not already been enabled on a VLAN by another IPv6commandoptiondescribedinthischapter thiscommand enables IPv...

Page 16: ...nabling autoconfig or rebooting the switch with autoconfig enabled on a VLAN causes the switch to configure IPv6 addressing on the VLAN using router advertisements and an EUI 64 interface identifier page 1 12 A link local address always uses the prefix fe80 0 0 0 With IPv6 enabled the VLAN uses received router advertise ments to designate the default IPv6 router Refer to Default IPv6 Router on pag...

Page 17: ...ot received on the VLAN after autoconfig is enabled a link local address will be present but no global unicast addresses will be autoconfigured Notes If a link local address is already configured on the VLAN a later autoconfigured global unicast address uses the same device identifier as the link local address Autoconfigured and DHCPv6 assigned global unicast addresses with the same prefix are mut...

Page 18: ...enabled theVLANusesreceivedrouteradvertisementstodesignate thedefaultIPv6router Referto RouterAccessandDefaultRouterSelection on page 1 23 Enabling DHCPv6 Enabling the DHCPv6 option on a VLAN allows the switch to obtain a global unicast address and an NTP network time protocol server assignment for a Timep server If a DHCPv6 server is not needed to provide a global unicast address to a switch inte...

Page 19: ...ot been reached If a DHCPv6 server responds with an IPv6 address assign ment this address is assigned to the VLAN The DHCPv6 assigned address will be dropped if it has the same subnet as another address already assigned to the VLAN by an earlier autoconfig command After verification of uniqueness by DAD an IPv6 address assigned to the VLAN by an DHCPv6 server is set to the preferred and valid life...

Page 20: ...ed global unicast addresses are mutually exclusive on a given VLAN That is configuring DHCPv6 on a VLAN erases any static global unicast addresses previously configured on that VLAN and the reverse A statically configured link local address will not be affected by configuring DHCPv6 on the VLAN For the same subnet on the switch a DHCPv6 global unicast address assignment takes precedence over an au...

Page 21: ...lowed per VLAN interface device identifier The low order 64 bits in 16 bit blocks comprise this value in a link local address xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx Where a static link local address is already configured a new autoconfigured global unicast addresses assignment uses the same device identifier as the link local address Notes An existing link local address is replaced and is not dep...

Page 22: ...age 1 12 Refer also to Disabling IPv6 on a VLAN on page 1 12 Syntax no ipv6 address network prefix device id prefix length no ipv6 address network prefix prefix length eui 64 If IPv6 is not already enabled on a VLAN either of these command options do the following enable IPv6 on the VLAN configure a link local address using the EUI 64 format statically configure a global unicast address If IPv6 is...

Page 23: ...er must be transmitting router advertisements on the VLAN If an autoconfigured global unicast address already exists for the same subnetasanew staticallyconfiguredglobalunicastaddress thestatically configured address is denied In the reverse case you can add an auto config command to the VLAN configuration but it will not be imple mented unless the static address is removed from the configuration ...

Page 24: ...red on a VLAN IPv6 remains enabled on that VLAN In this case removing the only IPv6 enabling command fromtheconfigurationdisablesIPv6operationontheVLAN Thatis todisable IPv6 on a VLAN all of the following commands must be removed from the VLAN s configuration ipv6 enable ipv6 address dhcp full rapid commit ipv6 address autoconfig ipv6 address fe80 device identifier link local ipv6 address prefix d...

Page 25: ...icitation message containing a solicited node multicast address that corre sponds to the IPv6 address of the destination device on the VLAN When the destination device receives the neighbor solicitation it responds with a neighbor advertisement message identifying its link layer address When the initiating device receives this advertisement the two devices are ready to exchange traffic on the VLAN...

Page 26: ...ns DAD for this address by sending a neighbor solicitation to the All Nodes multicast address ff02 1 This operation discovers other devices on the VLAN and verifies whether the proposed unicast address assignment is unique on the VLAN During this time the address being checked for unique ness is held in a tentative state and cannot be used to receive traffic other than neighbor solicitations and n...

Page 27: ...ling DAD bypasses checks for uniqueness on newly configured addresses If a reboot is performed while DAD is disabled the duplicate address check is not performed on any IPv6 addresses configured on the switch Default 3 enabled Range 0 600 0 disabled The no form of the command restores the default setting 3 Syntax ipv6 nd ns interval milliseconds Used on VLAN interfaces to reconfigure the neighbor ...

Page 28: ...che of neighboring switches to be updated If a previously configured unicast address is changed a neighbor adver tisement is sent on the VLAN to notify other devices and also for duplicate address detection If DAD is disabled when an address is configured the address is assumed to be unique and is assigned to the interface Syntax ipv6 nd reachable time milliseconds Used on VLAN interfaces to confi...

Page 29: ... not configured per VLAN ND DAD Indicates whether DAD is enabled the default or disabled Using ipv6 nd dad attempts 0 disables neighbor discovery Refer to Duplicate Address Detection DAD on page 1 14 DAD Attempts Indicates the number of neighbor solicitations the switch transmits per address for duplicate IPv6 address detection Implemented when a new address is configured or when an interface with...

Page 30: ...Lists each IPv6 address and prefix length configured on the indicated VLAN Address Status Tentative DAD has not yet confirmed the address as unique and is not usable for sending and receiving traffic Preferred The address has been confirmed as unique by DAD and usable for sending and receiving traffic The Expiry time shown for this address by the show ipv6 vlan vid command output is the preferred ...

Page 31: ...ateway 10 0 9 80 ND DAD Enabled DAD Attempts 3 Vlan Name DEFAULT_VLAN IPv6 Status Disabled Vlan Name VLAN10 IPv6 Status Enabled Address Address Origin IPv6 Address Prefix Length Status autoconfig 2620 0 a03 e102 127 64 preferred dhcp 2620 0 a03 e102 212 79ff fe88 a100 64 preferred manual fe80 127 64 preferred Syntax show ipv6 nd Displays the current IPv6 neighbor discovery settings on the configur...

Page 32: ...VLAN and the expiration data Expiry for each address IPv6 Routing This setting is always Disabled Refer to Router Access and Default Router Selection on page 1 23 Default Gateway Lists the IPv4 default gateway if any configured on the switch This is a globally configured router gateway address and is not configured per VLAN ND DAD Shows whether Neighbor Discovery ND is enabled The default setting ...

Page 33: ...ted VLAN indicates whether IPv6 is disabled the default or enabled Refer to Config uring IPv6 Addressing on page 1 3 IPv6 Address Prefix Length Lists each IPv6 address and prefix length configured on the indicated VLAN Expiry Lists the lifetime status of each IPv6 address listed for a VLAN Permanent The address will not time out and need renewal or replacement date time The date and time that the ...

Page 34: ...erred Syntax show run In addition to the other elements of the current configuration this command lists the statically configured global unicast IPv6 addressing and the current IPv6 configuration per VLAN The listing may include one or more of the following depending on what other IPv6 options are configured on the VLAN Any stateless address autoconfiguration SLAAC commands in the configuration ar...

Page 35: ...nk local addresses of IPv6 routers on the VLAN For devices other than routers the switch must use neighbor discovery to learn these addresses building a list of default reachable routers along with router lifetime and prefix lifetime data learning the prefixes and the valid and preferred lifetimes to use for stateless autoconfigured global unicast addresses This is required for autoconfiguration o...

Page 36: ... unless a new IPv6 setting is configured IPv6 on the VLAN is disabled then re enabled or the VLAN itself is disconnected then recon nected Default IPv6 Router If IPv6 is enabled on a VLAN where there is at least one accessible IPv6 router theswitchselectsadefaultIPv6router Referto EnablingAutoconfiguration of a Global Unicast Address and a Default Router Identity on a VLAN on page 1 4 If the switc...

Page 37: ...perVLAN Thisincludesinformationreceivedinrouter advertisements from IPv6 routers on VLANs enabled with IPv6 on the switch Viewing Gateway and IPv6 Route Information Syntax show ipv6 route ipv6 addr connected This command displays the routes in the switch s IPv6 routing table ipv6 addr Optional Limits the output to show the gateway to the specified IPv6 address connected Optional Limits the output ...

Page 38: ...nfigured on the Switch Link Local Address Configured on the Switch Link Local Address Assigned to the Loopback Address Syntax show ipv6 routers vlan vid This command lists the switch s IPv6 router table entries for all VLANs configured on the switch or for a single VLAN This output provides information about the IPv6 routers from which routing advertisements RAs have been received on the switch vl...

Page 39: ...time the address is available including the preferred lifetime and the additional time if any allowed for the address to exist in the deprecated state Refer to Address Lifetimes on page 1 28 Preferred Lifetime The length of time during which the address can be used freely as both a source and a destination address for traffic exchanges with other devices Refer to Address Lifetimes on page 1 28 On ...

Page 40: ... as a destination for existing communication exchanges but is not used for new exchanges or as a source for traffic sent from the interface A new preferred address and its deprecated counterpart will both appear in the show ipv6 vlan vid output as long as the deprecated address is within its valid lifetime Valid Lifetime This is the total time the address is available and is equal to or greater th...

Page 41: ... used as a replacement for a deprecated address can be acquired from a manual DHCPv6 or autoconfiguration source Address Source Lifetime Criteria Link Local Permanent Statically Configured Unicast Permanent Autoconfigured Global Finite Preferred and Valid Lifetimes DHCPv6 Configured Finite Preferred and Valid Lifetimes ...

Page 42: ...1 30 IPv6 Addressing Configuration Address Lifetimes ...

Page 43: ...or solicita tion has been received at the source verifying that traffic has been received at the destination The switch maintains an IPv6 neighbor cache that is populated as a result of communication with other devices on the same VLAN You can view and clear the contents of the neighbor cache using the commands described in this section Viewing the Neighbor Cache Neighbor discovery occurs when the...

Page 44: ... only when VLAN is specified and indicates the length of time the entry has remained unused Port Identifies the switch port on which the entry was learned If this field is empty for a given address then the address is configured on the switch itself State A neighbor destination is reachable from a given source address if confirmation has been received at the source veri fying that traffic has been...

Page 45: ...d In such cases the fastest way to restore optimum traffic movement on a VLAN may be to statically clear the neighbor table instead of waiting for the unwanted entries to time out HP Switch config show ipv6 neighbor IPv6 ND Cache Entries IPv6 Address MAC Address State Type Port 2001 db8 260 212 101 0013c4 dd14b0 STALE dynamic 1 2001 db8 260 214 1 15 001279 88a100 REACH local fe80 1 1 001279 88a100...

Page 46: ...rom the neighbor cache Local IPv6 addresses that is IPv6 addresses configured on the VLAN interface for the switch on which the command is executed are not removed Removed addresses are listed in the command output HP Switch config clear ipv6 neighbors HP Switch config show ipv6 neighbors HP Switch show ipv6 neighbors IPv6 ND Cache Entries IPv6 Address MAC Address State Type Port fe80 213 c4ff fed...

Page 47: ...same VLAN requires the link local address and and interface scope link local addr Specifies the link local IPv6 address of the destination device vlan vid Suffix specifying the interface on which the destination device is located No spaces are allowed in the suffix TelnetforGlobalUnicastAddressesrequiresaglobalunicast address for the destination Also the switch must be receiving router advertiseme...

Page 48: ... switch for both IPv4 and IPv6 Command output includes the following Session The session number The switch allows one outbound session and up to five inbound sessions Privilege Manager or Operator From Console for outbound sessions or the source IP address of the inbound session To The destination of the outbound session if in use HP Switch show telnet Telnet Activity Session 1 Privilege Manager F...

Page 49: ...or this param eter are oobm inbound Telnet access is enabled only on the out of band management port data inbound Telnet access is enabled only on the data ports both inbound Telnet access is enabled on both the out of band management port and on the data ports This is the default value Refer to Appendix I Network Out of Band Management in the Management and Configuration Guide for more informa ti...

Page 50: ...peration Commands Affecting SNTP Function show sntp Display the current SNTP configuration timesync sntp timep Enable either SNTP or Timep as the time synchronization method on the switch without affecting the configuration of either no timesync Enable time synchronization Requires a timesync method to also be enabled The no version disable time synchronization without affecting the configuration ...

Page 51: ...ority of the server ad dressing being configured When the SNTP mode is set to uni cast and more than one server is configured this value determines the order in which the configured servers will be accessed for a time value The switch polls multiple servers in order until a response is received or all servers on the list have been tried without success Up to three server addresses IPv6 and or IPv4...

Page 52: ... by vlan followed immediately without spaces by the VLAN identifier Syntax show sntp Displays the current SNTP configuration including the following Time Sync Mode Indicates whether timesync is disabled or set to either SNTP or Timep Default timep SNTP Mode Indicates whether SNTP uses the broadcast or unicast method of contacting a time server The broadcast option does not require you to configure...

Page 53: ...Switch config show sntp SNTP Configuration Time Sync Mode Sntp SNTP Mode Broadcast Poll Interval sec 720 719 Priority SNTP Server Address Protocol Version 1 2001 db8 215 60ff fe79 8980 7 2 10 255 5 24 3 This example illustrates the command output when both IPv6 and IPv4 server addresses are configured Commands Affecting Timep Function show timep Display the current timep configuration timesync snt...

Page 54: ...his command at the global config level as shown below Switch config ip timep manual fe80 215 60ff fe7a adc0 vlan10 Syntax ip timep dhcp interval 1 9999 ip timep manual ipv6 addr ipv4 addr interval 1 9999 oobm Used at the global config level to configure a Timep server ad dress Note The switch allows one Timep server configuration timep dhcp Configures the switch to obtain the address of a Timep se...

Page 55: ... management command can also be used to display Timep server information Syntax show timep Displays the current Timep configuration including the following Time Sync Mode Indicates whether timesync is disabled or set to either SNTP or Timep Default Disabled Timep Mode Indicates whether Timep is configured to use a DHCP server to acquire a Timep server address or to use a statically configured Time...

Page 56: ...igure TFTP file transfers between the switch and a TFTP server or other host device on the network refer to the File Transfers appendix in the Management and Configuration Guide for your switch To upload and or download files to the switch using TFTP in an IPv6 network you must 1 Enable TFTP for IPv6 on the switch see Enabling TFTP for IPv6 on page 2 15 2 Enter a TFTP copy command with the IPv6 ad...

Page 57: ...nd the Menu interface Download OS screen become unavailable The no tftp client server command does not affect auto TFTP operation For more information see Using Auto TFTP for IPv6 on page 2 19 Syntax no tftp client server listen oobm data both Enables TFTP for IPv4 and IPv6 client or server functionality so that the switch can Use TFTP client functionality to access IPv4 or IPv6 based TFTP servers...

Page 58: ...or example fe80 123 vlan10 If this is a global unicast address use this IPv6 format ipv6 addr For example 2001 db8 123 target is one of the following values autorun cert file Copies an autorun trusted certificate to the switch autorun key file Copies an autorun key file to the switch command file Copies a file stored on a remote host and executes the ACL command script on the switch Depending on t...

Page 59: ...tware image enter the reload or boot system flash command pub key file Copies a public key file to the switch startup config Copies a configuration file on a remote host to the startup configuration file on the switch oobm For switches that have a separate out of band manage ment port specifies that the transfer will be through the out of band management interface Default is transfer through the d...

Page 60: ...cause of a system crash You can copy crash information from an individual slot or from the master crash file on the switch crash log slot id master Copies the contents of the crash log to the specified file path on a remote host The crash log contains processor specific operational data that is used to determine the cause of a system crash You can copy the contents of the crash log from an individ...

Page 61: ...lash boot image set to primary flash the default enter the boot or the reload command or cycle the power to the switch To reset the boot image to primary flash use boot set default flash primary ipv6 addr If this is a link local address use this IPv6 address format fe80 device id vlan vid For example fe80 123 vlan10 If this is a global unicast address use this IPv6 format ipv6 addr For example 200...

Page 62: ..._14_01 swi must be different from the version number currently in the primary flash image The current TFTP client status enabled or disabled does not affect auto TFTP operation Refer to Enabling TFTP for IPv6 on page 2 15 Completion of the auto TFTP process may require several minutes while the switch executes the TFTP transfer to primary flash and then reboots again The no form of the command dis...

Page 63: ...ttings SNMP notifications including SNMP version 1 or SNMP version 2c traps SNMPv2c informs SNMPv3 notification process including traps Advanced RMON Remote Monitoring management E PCM or E PCM management applications Flow sampling using sFlow Standard MIBs such as the Bridge MIB RFC 1493 and the Ethernet MAU MIB RFC 1515 SNMP Configuration Commands Supported IPv6 addressing is supported in the fo...

Page 64: ...re 2 9 Executed at the global config level to configure an SNMP trap receiver to receive SNMPv1 and SNMPv2c traps SNMPv2c informs and optionally event log messages snmp server listen oobm data both For switches with a separate out of band management port specifies whether the switch listens for SNMP traps on the out of band management interface the data interface or both Syntax snmpv3 targetaddres...

Page 65: ...rver SNMP Communities Community Name MIB View Write Access public Manager Unrestricted marker Manager Unrestricted Trap Receivers Link Change Traps Enabled on Ports All All Traps Category Current Status SNMP Authentication Extended Password change Enabled Login failures Enabled Port Security Enabled Authorization Server Contact Enabled Address Community Events Type Retry Timeout 15 29 17 218 publi...

Page 66: ...at you do not invoke IP Preserve by entering a command from the CLI Figure 2 10 Example of How to Enter IP Preserve in a Configuration File HP Switch config show snmpv3 targetaddress snmpTargetAddrTable rfc2573 Target Name IP Address Parameter 1 10 29 17 218 1 2 10 29 17 219 2 PP 217 10 29 17 217 marker_p PP 218 2620 0 260 211 217 a4ff feff 1f70 marker_p An IPv6 address is displayed on two lines J...

Page 67: ...IP Preserve is suspended The IPv6 addressing specified in the downloaded configuration file is implemented when the switch copies the file and reboots If the downloaded file specifies DHCP Bootp as the source for the IPv6 address of VLAN 1 the switch uses the IPv6 address assigned by the DHCP Bootp server If the file specifies a dedicated IPv6 address and subnet mask for VLAN 1 and a Gateway IPv6 ...

Page 68: ...lt gateway 2001 db8 0 7 5 snmp server community public Unrestricted vlan 1 name DEFAULT_VLAN untagged 1 10 13 24 1 24 ip address 2001 db8 214 c2ff fe4c e480 exit spanning tree Trk1 priority 4 password manager Because the switch s IPv6 address and default gateway were statically configured not assigned by a DHCP server when the switch boots up with the IP Preserve startup configurationfile seeFigur...

Page 69: ...Telnet and other terminal emulation applications Web browser interface SNMP with a correct community name As with the configuration of IPv4 management stations the Authorized IP Managers for IPv6 feature allows you to specify the IPv6 based stations that can access the switch Usage Notes Up to ten authorized IPv4 and IPv6 manager addresses can be configured on a switch where each address applies t...

Page 70: ...Pv1 or SNMPv2c session Access privilege for SSH SNMPv3 and web browser sessions areconfiguredthroughtheaccessapplication notthroughtheAuthorized IP Managers feature Manager privilege allows full access to all web browser and console interface screens for viewing configuration and all other operations available in these interfaces Operator privilege allows read only access from the web browser and ...

Page 71: ...in a different manner Configuring Single Station Access To authorize only one IPv6 based station for access to the switch enter the IPv6 address of the station and set the mask to FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF Syntax no ipv6authorized managers ipv6 addr ipv6 mask access operator manager Configures one or more authorized IPv6 addresses to access the switch where ipv6 mask specifies the ma...

Page 72: ... FFFF FFFF FFFF FFFF FFFF FFFF FFFF only a station having an IPv6 address of FE80 202 B3FF FE1E 8329 has management access to the switch Figure 3 1 Mask for Configuring a Single Authorized IPv6 Manager Station Configuring Multiple Station Access To authorize multiple stations to access the switch without having to re enter the ipv6 authorized managers command for each station carefully select the ...

Page 73: ...s not have to match the setting of the same bit in the specified IPv6 address Figure 3 2 shows the binary expressions represented by individual hexadeci mal values in an ipv6 mask parameter Figure 3 2 Hexadecimal Mask Values and Binary Equivalents Hexadecimal Value in an IPv6 Mask Binary Equivalent 0 0000 1 0001 2 0010 3 0011 4 0100 5 0101 6 0110 7 0111 8 1000 9 1001 A 1010 B 1011 C 1100 D 1101 E ...

Page 74: ...first corresponding 126 bits in an authorized IPv6 address to be the same as in the specified IPv6 address 2001 DB8 0000 0000 244 17FF FEB6 D37C However the last two bits are set 1st Block 2nd Block 3rd Block 4th Block 5th Block 6th Block 7th Block 8th Block Manager or Operator Level Access IPv6 Mask FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFC The F value in the first 124 bits of the mask specifies th...

Page 75: ... equivalent of FFF8 that is used to specify valid subnet IDs in the IPv6 addresses of authorized stations is 1111 1111 1111 1000 The three off bits 1000 in the last part of the this block FFF8 of the mask allow for eight possible authorized IPv6 stations 2001 DB8 0000 0000 244 17FF FEB6 D37D 2001 DB8 0000 0001 244 17FF FEB6 D37D 2001 DB8 0000 0002 244 17FF FEB6 D37D 2001 DB8 0000 0003 244 17FF FEB...

Page 76: ...ock 5th Block 6th Block 7th Block 8th Block Manager or Operator Level Access IPv6 Mask FFFF FFFF FFFF FFF8 FFFF FFFF FFFF FFFF Inthisexample theIPv6maskallowsup to four stations in different subnets to access the switch This authorized IP manager configuration is useful if only management stations are specified by the authorized IPv6 addresses Refer to Figure 3 4 for how the bitmap of the IPv6 mas...

Page 77: ...he fourth block of the IPv6 address Conversely bits 0 2 are variable and in an authorized IPv6 address may be either on 1 or off 0 As a result assuming that the seventh and eighth bytes fourth hexadecimal block of an IPv6 address are used as the subnet ID only the following binary expressionsandhexadecimalsubnetIDsaresupportedinthisauthorizedIPv6 manager configuration Figure 3 8 Binary Equivalents...

Page 78: ...ddress with the ipv6 authorized managers command you must also enter a VLAN ID in the format vlan vlan id HP Switch show ipv6 authorized managers IPv6 Authorized Managers Address 2001 db8 0 7 5 Mask ffff ffff ffff ffff ffff ffff ffff ffff Access Manager Address 2001 db8 a 1c e3 3 Mask ffff ffff ffff ffff ffff ffff ffff fffe Access Manager Address 2001 db8 214 c2ff fe4c e480 Mask ffff ffff ffff fff...

Page 79: ...y two stations in the subnets defined by 0x0006 and 0x0007 in the fourth block of an authorized IPv6 address Switch config ipv6 authorized managers 2001 db8 0000 0007 231 17ff fec5 c967 ffff ffff ffff fffe ffff ffff ffff ffe0 access operator The following ipv6authorized managerscommand authorizes a single automat ically generated EUI 64 IPv6 address with manager level access privilege Switch confi...

Page 80: ...F FFFF FFFF FFFF FFFF and manager the default values Note that it is not necessary to enter either of these parameters Switch config ipv6 authorized managers 2001 db8 a05b 17ff fec5 3f61 Deleting an Authorized IP Manager Entry Enter only the IPv6 address of the configured authorized IP manager station that you want to delete with the no form of the command for example Switch config no ipv6 authori...

Page 81: ...he switch or on a RADIUS or TACACS server Secure Copy SCP and Secure FTP SFTP client applications You can use either one SCP session or one SFTP session at a given time to perform secure file transfers to and from the switch Configuring SSH for IPv6 By default SSH is automatically enabled for IPv4 and IPv6 connections on a switch You can use the ip ssh command options to reconfigure the default SS...

Page 82: ...bles SSH on the switch to connect to an SCP or SFTP client application to transfer files to and from the switch over IPv4 or IPv6 Default Disabled Note Enabling filetransfer automatically disables TFTP client and TFTP server functionality For more information refer to Secure Copy and Secure FTP for IPv6 on page 3 17 mac MAC type Allows configuration of the set of MACs that can be selected Valid ty...

Page 83: ...RSA or DSA public key The text string for the public key must be a single quoted token If the keystring contains double quotes it can be quoted with single quotes keystring The following restrictions for a keystring apply A keystring cannot contain both single and double quotes A keystring cannot have extra characters such as a blank space or a new line To improve readabil ity you can add a backla...

Page 84: ...tch The listen parameter is available only on switches that have a separate out of band management port Values for this parameter are oobm inbound SSH access is enabled only on the out of band management port data inbound SSH access is enabled only on the data ports both inbound SSH access is enabled on both the out of band management port and on the data ports This is the default value Refer to A...

Page 85: ...ssion allowing you to use a secure SSH tunnel to Transfer files and update Switch software images Distributenewsoftwareimageswithautomatedscriptsthatmakeiteasier to upgrade multiple switches simultaneously and securely HP Switch show ip ssh SSH Enabled Yes Secure Copy Enabled No TCP Port Number 22 Timeout sec 120 Host Key Type RSA Host Key Size 2048 Ciphers aes128 cbc 3des cbc aes192 cbc aes256 cb...

Page 86: ...ransfer com mands and software utilities to use Notes Enabling SSH file transfer disables TFTP and Auto TFTP operation The switch supports one SFTP session or one SCP session at a time All files on the switch have read write permission However several SFTP commands such as create or remove are not supported and return an error message For more information on how to configure SCP or SFTP in an SSH ...

Page 87: ...te Limiting ICMP rate limiting controls the rate at which ICMPv6 generates error and informational messages for features such as neighbor solicitations neighbor advertisements path MTU discovery PMTU duplicate address discovery DAD neighbor unreachability detection NUD router discovery neighbor discovery NDP ICMPv6 error message generation is enabled by default The rate of message generation can b...

Page 88: ... 10 tokens are allowed in the token bucket If the token bucket is full a new token cannot be added until an existing token is used to enable sending an ICMP message You can increase or decrease both the frequency with which used tokens can be replaced and optionally the number of tokens allowed to exist error interval Specifies the time interval in milliseconds between successive token adds Increa...

Page 89: ... device by sending IP packets ICMP Echo Requests To use a ping6 command with an IPv6 host name or fully qualified domain names refer to DNS Resolver for IPv6 on page 4 8 Youcanissuesingleormultiplepingtestswithvaryingrepetitionsandtimeout periods to wait for a ping reply Replies to each ping test are displayed on the console screen To stop a ping test before it finishes press Ctrl C For more infor...

Page 90: ...v6 DNS server switch number Number of an IPv6 based switch that is a member of a switch stack IPv6 subnet Valid values 1 16 oobm For switches that have a separate out of band management OOBM port oobm specifies that the traffic originates from the out of band management port repetitions 1 10000 Number of times that IPv6 ping packets are sent to the destination IPv6 host Default 1 timeout 1 60 Numb...

Page 91: ...peration before it finishes press Ctrl C For more information about how to configure and use a traceroute operation refer to the Troubleshooting appendix in the Management and Configura tion Guide HP Switch ping6 fe80 2 1 vlan10 fe80 0000 0000 0000 0000 0000 0002 0001 is alive time 975 ms Switch ping6 2001 db8 a 1c e3 3 repetitions 3 2001 0db8 0000 0000 000a 001c 00e3 0003 is alive iteration 1 tim...

Page 92: ...local address where vlan vlan id specifies the VLAN ID number hostname Host name of an IPv6 host device configured on an IPv6 DNS server oobm For switches that have a separate out of band management OOBM port oobm specifies that the traffic originates from the out of band management port minttl Minimum number of hops allowed for each probe packet sent along the route Default 1 Range 1 255 If the m...

Page 93: ...t 3 Range 1 5 source ipv6 addr vid The source IPv6 address or VLAN of the traceroute device or the VLAN ID on which the traceroute packet is being sent dstport 1 34000 Destination port srcport 1 34000 Source port HP Switch traceroute6 2001 db8 10 traceroute to 2001 db8 10 1 hop min 30 hops max 5 sec timeout 3 probes 1 2001 db8 a 1c e3 3 0 ms 0 ms 0 ms 2 2001 db8 0 7 5 7 ms 3 ms 0 ms 3 2001 db8 214...

Page 94: ...ing in the current Management and Configuration Guide for your switch Syntax no ip dns server address priority 1 3 ip addr oobm Used at the global config level to configure the address and priority of a DNS server Allows for configuring up to three servers providing DNS service The servers must all be acces sible to the switch The command allows both IPv4 and IPv6 servers in any combination and an...

Page 95: ... at the global config level to configure the domain suffix that is automatically appended to the host name entered with a command supporting DNS operation Configuring the domain suffix is optional if you plan to use fully qualified domain names in all cases instead of just entering host names You can configure up to three addresses for DNS servers in the same or different domains However you can c...

Page 96: ...r to DNS Resolver in appendix C Troubleshooting in the current Management and Configuration Guide for your switch Viewing the Current Configuration Use the show ip dns command to view the current DNS server configuration Use the show run command to view both the current DNS server addresses and the current DNS domain name in the active configuration Operating Notes In software release S 15 XX DNS ...

Page 97: ...overy events LLDP events Use the logging severity severity level system module system module command to select a subset of Event Log messages to send to an external device for debugging purposes according to Severity level System module Debug Command Syntax no debug ipv6 debug type Configures the types of IPv6 messages that are sent to Syslog servers or other configured debug destinations where de...

Page 98: ... buffer in switch memory Use the logging syslog ipv6 addr command to configure the Syslog server at the specified IPv6 destination address Configuring an IPv6 Syslog Server Syslog for IPv6 is a client server logging tool that allows a client switch to send event notification messages to n IPv6 networked device operating with Syslog server software Messages sent to a Syslog server can be stored to ...

Page 99: ... message types are configured they are also sent to the Syslog server no logging removes all currently configured Syslog logging destinations from the running configuration no logging syslog ipv4 address removes only the specified Syslog logging destination from the running configuration Note The no logging command does not delete the Syslog server addresses stored in the startup configuration To ...

Page 100: ...ystem Module and Severity Levels on an IPv6 Syslog Server HP Switch config show debug Debug Logging Destination None Enabled debug types None are enabled HP Switch config logging fe80 215 60ff fe7a adc0 HP Switch config write memory HP Switch config show debug Debug Logging Destination Logging fe80 215 60ff fe7a adc0 Facility user Severity debug System module all pass Enabled debug types event Dis...

Page 101: ...ess by using the CLI to manually enter a static address Referred to as Static Address Configuration in this guide See Static Address Configuration below MTU Maximum Transmission Unit The largest frame size allowed on a given path or device RA Router Advertisement Refer to Router Access and Default Router Selection on page 1 23 SLAAC Stateless Address Autoconfiguration Static Address A permanently ...

Page 102: ...A 2 IPv6 Terminology ...

Page 103: ...t of static address 1 11 autoconfigured unicast address DHCPv6 precedence 1 8 autorun TFTP download of key file 2 16 TFTP download of trusted certificate 2 16 auto TFTP disabled 2 19 downloading software images 2 19 for IPv6 2 19 B binary expressions of IPv6 address 3 5 3 9 C clear neighbor cache 2 1 2 3 command file TFTP download and running command script 2 16 command output TFTP upload on remot...

Page 104: ...ng debug configuration 4 14 DNS configuration 4 8 domain name 4 9 view configuration 4 10 documentation feature matrix 6 latest versions 5 release notes 5 E EUI in IPv6 address autoconfiguration 1 5 1 11 used in IPv6 address autoconfiguration 1 3 event log compared to debug Syslog operation 4 10 debugging by severity level 4 11 debugging by system module 4 11 Event Log Message Reference Guide 5 TF...

Page 105: ...tion 1 22 global unicast address autoconfiguration 1 5 global unicast address manual configuration 1 10 IP Preserve 2 24 link local address autoconfiguration 1 3 link local address manual configuration 1 9 link local suffix 2 5 2 9 2 12 neighbor cache clear 2 3 neighbor cache view 2 2 neighbor discovery 1 12 2 1 routing between different VLANs 1 23 selecting default router on a VLAN 1 24 SNMP supp...

Page 106: ...eroute 4 6 with ping 4 4 outbound Telnet6 2 4 P ping6 4 3 preferred address 1 18 preferred lifetime 1 18 of global unicast address 1 5 1 7 1 9 use of IPv6 address as source or destination 1 28 priority public key file TFTP download 2 17 R router advertisements used in IPv6 1 23 routing DHCPv6 server asigned address 1 7 displaying IPv6 routing table 1 25 1 26 IPv6 global unicast address autoconfigu...

Page 107: ...ery 1 13 SSH filetransfer 2 20 overview 3 12 SSHv2 restriction 3 16 version 1 3 16 startup config TFTP download 2 17 TFTP upload on remote device 2 18 static address configuration 1 9 effect of autoconfig 1 11 suffix link local address 2 5 2 9 2 12 Syslog compared to event log 4 10 configuring IPv6 server address 4 12 configuring IPv6 Syslog servers 4 12 displaying Syslog configuration 4 14 event ...

Page 108: ...ported in IPv6 2 21 troubleshooting configuring Syslog servers 4 12 using CLI session 4 12 using Syslog servers 4 10 V valid lifetime of global unicast address 1 5 1 7 use of deprecated IPv6 address as source or destination 1 28 VLAN DHCPv6 server assigned address 1 7 displaying IPv6 configuration 1 20 1 22 displaying IPv6 routing table 1 26 global unicast address autoconfiguration 1 5 global unic...

Page 109: ......

Page 110: ...s subject to change without notice The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services Nothing herein should be construed as constituting an additional warranty HP will not be liable for technical or editorial errors or omissions contained herein August 2012 Manual Part Number 5998 3621 ...

Reviews:

No comments

Related manuals for 2520-24

Brand: IOGear Pages: 10

EdgeSwitch 10 XP

Brand: Ubiquiti Pages: 13

AW-FGT-100C-120

Brand: Vivotek Pages: 2

Brand: Sarowin Pages: 9

SEHI SEHI100TX-

Brand: Cabletron Systems Pages: 75

Brand: Comtech EF Data Pages: 70

Brand: Versitron Pages: 46

Brand: Stahl Pages: 28

Brand: Novy Pages: 12

Brand: Black Box Pages: 132

Champion KD-4X4XC

Brand: Key Digital Pages: 8

Brand: Cooper Crouse-Hinds Pages: 24

Brand: C4i Pages: 22

Brand: StarTech.com Pages: 2

Brand: N-Tron Pages: 2

ATLONA AT-HDR-SW-51

Brand: Panduit Pages: 58

Brand: F&F Pages: 15

Brand: AETEK Pages: 2

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands