Home
/
HP
/
6400cl
/
Management Manual

HP 6400cl, Management Manual, Page: 363 / 664

Share

Page: 363 / 664

HP 6400cl Management Manual Download Page 363

Access Control Lists (ACLs) for the Series 5300xl Switches

Planning an ACL Application

■

What traffic can you implicitly block by taking advantage of the
implicit

deny IP any

to deny traffic that you have not explicitly

permitted? This can reduce the number of entries needed in an ACL.

■

What traffic should you permit? In some cases you will need to
explicitly identify permitted traffic. In other cases, depending on your
policies, you can insert a

permit any

entry at the end of an ACL. This

means that all IP traffic not specifically matched by earlier entries in
the list will be permitted.

Security

ACLs can enhance security by blocking routed IP traffic carrying an unautho
rized source IP address (SA). This can include:

■

Blocking access to or from subnets in your network

■

Blocking access to or from the internet

■

Blocking access to sensitive data storage or restricted equipment

■

Preventing the use of specific TCP or UDP functions (such as Telnet,
SSH, web browser) for unauthorized access

You can also enhance switch management security by using ACLs to block
bridged IP traffic that has the switch itself as the destination address (DA).

C a u t i o n

ACLs can enhance network security by blocking selected IP traffic, and can
serve as one aspect of maintaining network security.

However, because ACLs

do not provide user or device authentication, or protection from malicious
manipulation of data carried in IP packet transmissions, they should not
be relied upon for a complete security solution

.

N o t e

ACLs in the Series 5300XL switches do not screen non-IP traffic such as
AppleTalk and IPX.

9-17

«
...
361
362
363
364
365
...
»

Summary of Contents for 6400cl

Page 1: ...HP ProCurve Series 6400cl Switches Series 5300xl Switches Series 3400cl Switches Advanced Traffic Management Guide www hp com go hpprocurve ...

Page 2: ......

Page 3: ...HP Procurve Series 6400cl Switches Series 5300xl Switches Series 3400cl Switches Advanced Traffic Management Guide January 2005 Rev B E 09 xx or Greater M 08 6x or Greater ...

Page 4: ... Disclaimer The information contained in this document is subject to change without notice HEWLETT PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE Hewlett Packard shall not be liable for errors contained herein or for incidental or consequential damages in connecti...

Page 5: ...Need Only a Quick Start 1 8 IP Addressing 1 8 To Set Up and Install the Switch in Your Network 1 8 2 Static Virtual LANs VLANs Contents 2 1 Overview 2 2 Introduction 2 3 General VLAN Operation 2 3 Types of Static VLANs Available in the Switch 2 4 Port Based VLANs 2 4 Protocol Based VLANs 2 4 Designated VLANs 2 4 Terminology 2 5 Static VLAN Operation 2 6 VLAN Environments 2 7 VLAN Operation 2 8 Rou...

Page 6: ...s 2 24 Adding or Changing a VLAN Port Assignment 2 25 CLI Configuring Port Based and Protocol Based VLAN Parameters 2 27 Web Viewing and Configuring VLAN Parameters 2 37 802 1Q VLAN Tagging 2 38 Special VLAN Types 2 43 VLAN Support and the Default VLAN 2 43 The Primary VLAN 2 43 The Secure Management VLAN 2 44 Preparation 2 46 Configuration 2 47 Deleting the Management VLAN 2 48 Operating Notes fo...

Page 7: ...ort Options for Handling GVRP Unknown VLANs 3 7 Per Port Options for Dynamic VLAN Advertising and Joining 3 9 GVRP and VLAN Access Control 3 11 Port Leave From a Dynamic VLAN 3 11 Planning for GVRP Operation 3 12 Configuring GVRP On a Switch 3 13 Menu Viewing and Configuring GVRP 3 13 CLI Viewing and Configuring GVRP 3 14 Web Viewing and Configuring GVRP 3 18 GVRP Operating Notes 3 18 4 Multimedia...

Page 8: ...served Multicast Addresses from IP Multicast Filtering 4 20 5 PIM DM Dense Mode on the 5300xl Switches Contents 5 1 Overview 5 2 Introduction 5 3 Feature Overview 5 4 PIM DM Operation 5 4 Multicast Flow Management 5 7 General Configuration Elements 5 9 Terminology 5 9 PIM DM Operating Rules 5 10 Configuring PIM DM on the Series 5300xl Switches 5 11 PIM Global Configuration Context 5 12 PIM VLAN In...

Page 9: ... 9 Transitioning from STP to RSTP 6 10 Configuring RSTP 6 11 Optimizing the RSTP Configuration 6 11 CLI Configuring RSTP 6 12 Menu Configuring RSTP 6 18 Web Enabling or Disabling RSTP 6 20 802 1D Spanning Tree Protocol STP 6 21 Menu Configuring 802 1D STP 6 21 CLI Configuring 802 1D STP 6 24 STP Fast Mode 6 28 Fast Uplink Spanning Tree Protocol STP 6 29 Terminology 6 31 Operating Rules for Fast Up...

Page 10: ...c Port Connectivity Parameters 6 61 Configuring MST Instance Parameters 6 63 Configuring MST Instance Per Port Parameters 6 66 Enabling or Disabling Spanning Tree Operation 6 69 Enabling an Entire MST Region at Once or Exchanging One Region Configuration for Another 6 69 Displaying MSTP Statistics and Configuration 6 71 Displaying MSTP Statistics 6 71 Displaying the MSTP Configuration 6 74 Operati...

Page 11: ...o Packets 3400cl and 6400cl Switches Only 7 24 Requirements and Restrictions 7 25 8 Quality of Service QoS Managing Bandwidth More Effectively Contents 8 1 Introduction 8 2 Terminology 8 5 Overview 8 6 Classifiers for Prioritizing Outbound Packets 8 9 5300xl Packet Classifiers and Evaluation Order 8 9 3400cl 6400cl Packet Classifiers and Evaluation Order 8 10 Preparation for Configuring QoS 8 13 P...

Page 12: ...the Basis of the ToS Precedence Bits 8 37 Assigning an 802 1p Priority to IPv4 Packets on the Basis of Incoming DSCP 8 38 Assigning a DSCP Policy on the Basis of the DSCP in IPv4 Packets Received from Upstream Devices 8 42 Details of QoS IP Type of Service 8 46 QoS Layer 3 Protocol Priority 5300xl Switches Only 8 49 Assigning a Priority Based on Layer 3 Protocol 8 49 QoS VLAN ID VID Priority 8 51 ...

Page 13: ...n ACL Application 9 16 Traffic Management and Improved Network Performance 9 16 Security 9 17 Guidelines for Planning the Structure of an ACL 9 18 ACL Configuration and Operating Rules 9 18 How an ACE Uses a Mask To Screen Packets for Matches 9 20 What Is the Difference Between Network or Subnet Masks and the Masks Used with ACLs 9 20 Rules for Defining a Match Between a Packet and an Access Contr...

Page 14: ...abling or Disabling ACL Filtering on a VLAN 9 46 Deleting an ACL from the Switch 9 47 Displaying ACL Data 9 48 Display an ACL Summary 9 48 Display the Content of All ACLs on the Switch 9 49 Display the ACL Assignments for a VLAN 9 50 Displaying the Content of a Specific ACL 9 51 Display All ACLs and Their Assignments in the Switch Startup Config File and Running Config File 9 53 Editing ACLs and C...

Page 15: ...anning an ACL Application on a Series 3400cl or Series 6400cl Switch 10 16 Switch Resource Usage 10 16 Prioritizing and Monitoring ACL IGMP QoS and Rate Limiting Feature Usage 10 17 ACL Resource Usage and Monitoring 10 17 Standard ACLs 10 18 Extended ACLs 10 18 Managing ACL Resource Consumption 10 20 Oversubscribing Available Resources 10 20 Troubleshooting a Shortage of Per Port Resources 10 21 E...

Page 16: ...lways Be a Match 10 41 A Configured ACL Has No Effect Until You Apply It to an Interface 10 41 Using the CLI To Create an ACL 10 41 General ACE Rules 10 41 Using CIDR Notation To Enter the ACL Mask 10 42 Configuring and Assigning a Numbered Standard ACL 10 43 Configuring and Assigning a Numbered Extended ACL 10 48 Configuring a Named ACL 10 54 Enabling or Disabling ACL Filtering on an Interface 10...

Page 17: ...P Routing Features Contents 11 1 Overview of IP Routing 11 3 IP Interfaces 11 4 IP Tables and Caches 11 4 ARP Cache Table 11 5 IP Route Table 11 5 IP Forwarding Cache 11 6 IP Route Exchange Protocols 11 7 IP Global Parameters for Routing Switches 11 7 IP Interface Parameters for Routing Switches 11 9 Configuring IP Parameters for Routing Switches 11 10 Configuring IP Addresses 11 10 Changing the R...

Page 18: ...ts 11 22 RIP Global Parameters 11 22 RIP Interface Parameters 11 22 Configuring RIP Parameters 11 23 Enabling RIP 11 23 Changing the RIP Type on a VLAN Interface 11 24 Changing the Cost of Routes Learned on a VLAN Interface 11 24 Configuring RIP Redistribution 11 25 Define RIP Redistribution Filters 11 25 Modify Default Metric for Redistribution 11 26 Enable RIP Route Redistribution 11 26 Changing...

Page 19: ...rameters 11 47 Virtual Link Parameter Descriptions 11 47 Defining Redistribution Filters 11 48 Modifying Default Metric for Redistribution 11 49 Enabling Route Redistribution 11 50 Modifying Redistribution Metric Type 11 50 Administrative Distance 11 50 Modifying OSPF Traps Generated 11 51 Modifying OSPF Standard Compliance Setting 11 52 Displaying OSPF Information 11 53 Displaying General OSPF Co...

Page 20: ...the Current DHCP Relay Configuration 11 75 Syntax show ip helper address vlan id 11 75 UDP Broadcast Forwarding on 5300xl Switches 11 76 Overview 11 76 Subnet Masking for UDP Forwarding Addresses 11 77 Configuring and Enabling UDP Broadcast Forwarding 11 78 Globally Enabling UDP Broadcast Forwarding 11 78 Configuring UDP Broadcast Forwarding on Individual VLANs 11 78 Displaying the Current IP Forw...

Page 21: ...15 Configuration Examples 12 16 Configuration for Figure 12 2 Single VLAN Example 12 16 Configuration for Figure 12 4 Multiple VLANs 12 17 Displaying XRRP Data 12 18 Comparison Between XRRP and VRRP 12 21 Messages Related to XRRP Operation 12 22 13 Stack Management for the Series 3400cl and 6400cl Switches Contents 13 1 Introduction to Stack Management on Series 3400cl and Series 6400cl Switches 1...

Page 22: ...ommander or Member to a Member of Another Stack 13 23 Monitoring Stack Status 13 24 Using the CLI To View Stack Status and Configure Stacking 13 28 Using the CLI To View Stack Status 13 30 Using the CLI To Configure a Commander Switch 13 32 Adding to a Stack or Moving Switches Between Stacks 13 34 Using the CLI To Remove a Member from a Stack 13 39 Using the CLI To Access Member Switches for Confi...

Page 23: ...ax Statements 1 2 Command Prompts 1 3 Screen Simulations 1 3 Keys 1 4 Related Publications 1 4 Getting Documentation From the Web 1 6 Sources for More Information 1 7 Need Only a Quick Start 1 8 IP Addressing 1 8 To Set Up and Install the Switch in Your Network 1 8 1 1 ...

Page 24: ... product documentation available for the above listed switches refer to Related Publications on page 1 4 Conventions This guide uses the following conventions for command syntax and displayed information Command Syntax Statements Syntax aaa port access authenticator port list control authorized auto unauthorized Vertical bars separate alternative mutually exclusive elements Square brackets indicat...

Page 25: ... Showing a Simulated Screen In some cases brief command output sequences appear without figure iden tification For example HPswitch config clear public key HPswitch config show ip client public key show_client_public_key cannot stat keyfile Port Numbering Conventions HPProCurvestackableswitchesdesignate individual ports with sequential numbers 1 2 3 etc HP ProCurve chassis switches designate indiv...

Page 26: ...Started Guide Use the Installation and Get ting Started Guide shipped with your switch to prepare for and perform the physical installation This guide also steps you through connecting the switch to your network and assigning IP addressing as well as describing the LED indications for correct operation and trouble analysis A PDF version of this guide is also provided on the Product Documentation C...

Page 27: ...tication SSH Secure Shell and SSL Secure Socket Layer operation 802 1X Port Based Access Control Port Security operation with MAC based control Authorized IP Manager security KMS Key Management System HP provides PDF versions of the switch documentation on the Product Documentation CD ROM shipped with the switch You can also download the latest version of any HP ProCurve switch manual PDF format f...

Page 28: ...the Web 1 Go to the HP Procurve website at http www hp com go hpprocurve 2 Click on technical support 3 Click on manuals 4 Click on the product for which you want to view or download a manual 2 3 4 Figure 1 2 Example of How To Locate Product Manuals on the HP ProCurve Website 1 6 ...

Page 29: ...fic command in the CLI type the command name followed by help For example Figure 1 4 Example of How To Display Help for a CLI Command If you need information on specific features in the HP Web Browser Interface hereafter referred to as the web browser interface use the online help available for the web browser interface For more information on web browser Help refer to Online Help for the HP Web B...

Page 30: ...elect 8 Run Setup For more on using the Switch Setup screen see the Installation and Getting Started Guide you received with the switch To Set Up and Install the Switch in Your Network I m p o r t a n t Use the HP Procurve Installation and Getting Started Guide shipped with the switch for the following Notes cautions and warnings related to installing and using the switch and its related modules I...

Page 31: ...ing VLANs 2 16 Multiple VLAN Considerations 2 17 Single Forwarding Database Operation 2 18 Example of an Unsupported Configuration and How To Correct It 2 19 Multiple Forwarding Database Operation 2 20 Configuring VLANs 2 21 802 1Q VLAN Tagging 2 38 Special VLAN Types 2 43 VLAN Support and the Default VLAN 2 43 The Primary VLAN 2 43 The Secure Management VLAN 2 44 Voice VLANs 2 49 Effect of VLANs ...

Page 32: ...s covered by this manual For general information on how to use the switch s built in interfaces refer to these chapters in the Management and Configuration Guide for your switch Chapter 3 Using the Menu Interface Chapter 4 Using the Command Line Interface CLI Chapter 5 Using the HP Web Browser Interface Chapter 6 Switch Memory and Configuration 2 2 ...

Page 33: ... General VLAN Operation A VLAN is comprised of multiple ports operating as members of the same subnet broadcast domain Ports on multiple devices can belong to the same VLAN and traffic moving between ports in the same VLAN is bridged or switched Traffic moving between different VLANs must be routed A static VLAN is an 802 1Q compliant VLAN configured with one or more ports that remain members rega...

Page 34: ...ide improved security and availability for management traffic The Default VLAN Thisport basedVLAN is always present inthe switch and in the default configuration includes all ports as members page 2 43 The Primary VLAN The switch uses this port based VLAN to run certain features and management functions including DHCP Bootp responses for switch management In the default configuration the Default V...

Page 35: ...or protocol based VLAN configured in switch memory See also Dynamic VLAN Tagged Packet A packet that carries an IEEE 802 1Q VLAN ID VID which is a two byte extension that precedes the source MAC address field of an ethernet frame A VLAN tag is layer 2 data and is transparent to higher layers Tagged VLAN A VLAN that complies with the 802 1Q standard including priority settings and allows a port to ...

Page 36: ...ation in the chapter on configuring IP addressing in the Basic Management and Configuration Guide for the switch You can also use multiple IP addresses to create multiple subnets within the same VLAN For more on this topic refer to the chapter on configuring IP addressing in the Basic Management and Configuration Guide for the switch Untagged A port can be a member of one untagged port A port can ...

Page 37: ...nd Series 6400cl switches do not support SNA and DEClat protocol VLANs Commands vlan VID tagged untagged e port list vlan VID protocol ipx ipv4 ipv6 arp for appletalk sna declat netbeui Configuring vlan VID tagged untagged e port list Static VLANs VLAN Environments You can configure different VLAN types in any combination Note that the default VLAN will always be present For more on the default VL...

Page 38: ...on the switch must go through the external router In this case VLANs W and X can exchange traffic through the external router but traffic in VLANs Y and Z is restricted to the respective VLANs Note that VLAN 1 the default VLAN is also present but not shown The default VLAN cannot be deleted from the switch However ports assigned to other VLANs can be removed from the default VLAN if desired If int...

Page 39: ...4 Yes Yes IPv6 Yes1 ARP Yes1 AppleTalk Yes1 SNA2 3 DEClat2 3 NETbeui2 1Requires an external router to route between VLANs 2Not a routable protocol type End stations intended to receive traffic in these protocols must be attached to the same physical network 3 Protocol VLAN type not supported on the Series 3400cl and 6400cl switches Overlapping Tagged VLANs A port can be a member of more than one V...

Page 40: ...lue Server ProCurve Switch Red VLAN Red VLAN Blue VLAN Blue VLAN Red VLAN The same link carries Red VLAN and Blue VLAN traffic Figure 2 4 Example of Connecting Multiple VLANs Through the Same Link Introducing Tagged VLAN Technology into Networks Running Legacy Untagged VLANs You can introduce 802 1Q compliant devices into net works that have built untagged VLANs based on earlier VLAN technology Th...

Page 41: ...on VLANs refer to Overview of Using VLANs page 2 43 Menu Configuring VLAN Parameters page 2 21 CLI Configuring VLAN Parameters page 2 21 Web Viewing and Configuring VLAN Parameters page 2 37 VLAN Tagging Information page 2 38 Effect of VLANs on Other Switch Features page 2 51 VLAN Restrictions page 2 53 Per Port Static VLAN Configuration Options The following figure and table show the options you ...

Page 42: ...ed VLAN instead of a tagged VLAN A port can be an untagged member of only one port based VLAN A port can also be an untagged member of only one protocol based VLAN for any given protocol type For example if the switch is configured with the default VLAN plus three protocol based VLANs that include IPX then port 1 can be an untagged member of the default VLAN and one of the protocol based VLANS No ...

Page 43: ...s only over static port based VLANs Multiple VLAN Types Configured on the Same Port A port can simultaneously belong to both port based and protocol based VLANs Protocol Capacity A protocol based VLAN can include up to three protocol types In protocol VLANs using the IPv4 protocol ARP must be one of these protocol types to support normal IP network operation Otherwise IP traffic on the VLAN is dis...

Page 44: ...ket s VID Untagged Packet Forwarding To enable an inbound port to forward an untagged packet the port must be an untagged member of either a protocol VLAN matching the packet s protocol or an untagged member of a port based VLAN That is when a port receives an incoming untagged packet it processes the packet according to the following ordered crite ria a If the port has no untagged VLAN membership...

Page 45: ...the packet on that protocol VLAN Is the port a member of an untagged port based VLAN No Drop the packet Yes Forward the packet on the port based VLAN Figure 2 7 Untagged VLAN Operation Tagged Packet Forwarding If a port is a tagged member of the same VLAN as an inbound tagged packet received on that port then the switch forwards the packet to an outbound port on that VLAN To enable the forwarding ...

Page 46: ...derations on page 2 17 General Steps for Using VLANs 1 Plan your VLAN strategy and create a map of the logical topology that will result from configuring VLANs Include consideration for the interaction between VLANs and other features such as Spanning Tree Protocol port trunking and IGMP Refer to Effect of VLANs on Other Switch Features on page 2 51 If you plan on using dynamic VLANs include the p...

Page 47: ...ress Thus connecting a Series 5300XL 3400cl or 6400cl multiple forwarding database switch to a single forwarding database switch where multiple VLANs exist imposes some cabling and port VLAN assignment restrictions Table 2 5 illustrates the functional difference between the two database types Table 2 5 Example of Forwarding Database Content Multiple Forwarding Database MAC Address Destination VLAN...

Page 48: ...he switch tries to send the packet to the port listed for that MAC address But if the destination port is in a different VLAN than the VLAN on which the packet was received the switch drops the packet This is not a problem for a switch with a multiple forwarding database refer to table 2 6 above because the switch allows multiple instances of a given MAC address one for each valid destination Howe...

Page 49: ...ion field Because the 8000M has not yet learned this MAC address it does not find the address in its address table and floods the packet out all ports including the VLAN 1 link port A1 to the 5300xl The 5300xl then routes the packet through the VLAN 2 link to the 8000M which forwards the packet on to PC B Because the 8000M received the packet from the 5300xl on VLAN 2 port B1 the 8000M s single fo...

Page 50: ...n port A1 and the 8000M will send traffic to either VLAN on the 5300xl To increase the network bandwidth of the connection between the devices you can use a trunk of multiple physical links rather than a single physical link Multiple Forwarding Database Operation If you want to connect a switch covered by this guide to another switch that has a multiple forwarding database you can use either or bo...

Page 51: ...ht VLANs You can reconfigure the switch to support up to 256 VLANs Also in the default configuration all ports on the switch belong to the default VLAN and are in the same broadcast multicast domain The default VLAN is also the default Primary VLAN refer to The Primary VLAN on page 2 43 In addition to the default VLAN you can configure additional static VLANs by adding new VLAN names and VIDs and ...

Page 52: ...e Primary VLAN field and use the space bar to select from the existing options Note that the Primary VLAN must be a static port based VLAN To enable or disable dynamic VLANs select the GVRP Enabled field and use the Space bar to toggle between options For GVRP informa tion refer to chapter 3 GVRP Not e For optimal switch memory utilization set the number of VLANs at the number you will likely be u...

Page 53: ...ting the Need To Reboot the Switch If you changed the VLAN Support option you must reboot the switch before the Maximum VLANs change can take effect You can go on to configure other VLAN parameters first but remember to reboot the switch when you are finished If you did not change the VLAN Support option a reboot is not necessary 4 Press 0 to return to the Main Menu 2 23 ...

Page 54: ... VLAN ID 1 Name _ 3 Type in a VID VLAN ID number This can be any number from 2 to 4094 that is not already being used by another VLAN The switch reserves 1 for the default VLAN Remember that a VLAN must have the same VID in every switch in which you configure that same VLAN GVRP dynamically extends VLANs with correct VID numbering to other switches Refer to chapter 3 GVRP 4 Press v to move the cur...

Page 55: ...r Changing a VLAN Port Assignment Adding or Changing a VLAN Port Assignment Use this procedure to add ports to a VLAN or to change the VLAN assign ment s for any port Ports not specifically assigned to a VLAN are automat ically in the default VLAN 1 From the Main Menu select 2 Switch Configuration 8 VLAN Menu 3 VLAN Port Assignment You will then see a VLAN Port Assignment screen similar to the fol...

Page 56: ...Space bar to make your assignment selection No Tagged Untagged or Forbid Not e For GVRP Operation If you enable GVRP on the switch No converts to Auto which allows the VLAN to dynamically join an advertised VLAN that has the same VID See Per Port Options for Dynamic VLAN Advertising and Joining on page 3 9 Untagged VLANs Only one untagged VLAN is allowed per port Also there must be at least one VL...

Page 57: ... Return to the Main menu CLI Configuring Port Based and Protocol Based VLAN Parameters In the factory default state all ports on the switch belong to the port based default VLAN DEFAULT_VLAN VID 1 and are in the same broadcast multicast domain The default VLAN is also the Primary VLAN For more on this topic refer to The Primary VLAN on page 2 43 You can configure up to 255 additional static VLANs ...

Page 58: ...y if the switch is running with GVRP enabled and one or more ports has dynamically joined an advertised VLAN In the default configuration GVRP is disabled Refer to chapter 3 GVRP Syntax show vlans Maximum VLANs to support Shows the number of VLANs the switch can currently support Default 8 Maximum 256 Primary VLAN Refer to The Primary VLAN on page 2 43 Management VLAN Refer to The Secure Managemen...

Page 59: ...ch For example When GVRP is disabled the default Dynamic VLANsdonotexistonthe switchanddonotappear in this listing Refer to chapter 3 GVRP Figure 2 18 Example of Show VLAN Listing GVRP Enabled Displaying the Configuration for a Particular VLAN This command uses the VID to identify and display the data for a specific static or dynamic VLAN Syntax show vlans vlan id 802 1Q VLAN ID The VLAN identific...

Page 60: ...umbo packets For more on jumbos refer to the chapter titled Port Traffic Controls in the Management and Configuration Guide for your switch Port Information Lists the ports configured as members of the VLAN DEFAULT Shows whether a port is a tagged or untagged member of the listed VLAN Unknown VLAN Shows whether the port can become a dynamic member of an unknown VLAN for which it receives an advert...

Page 61: ...VLANs on the switch As part of implementing a new setting you must execute a write memory command to save the new value to the startup config file and then reboot the switch Note If multiple VLANs exist on the switch you cannot reset the maximum number of VLANs to a value smaller than the current number of VLANs For example to reconfigure the switch to allow 10 VLANs Notethatyoucan execute these t...

Page 62: ...d static VLAN The switch will not reassign the Primary VLAN function to a protocol VLAN If you re assign the Primary VLAN to a non default VLAN you cannot later delete that VLAN from the switch until you again re assign the Primary VLAN to another port based static VLAN For example if you wanted to reassign the Primary VLAN to VLAN 22 and rename the VLAN with 22 Primary and display the result Rena...

Page 63: ... one or more ports belong only to this VLAN then the CLI prompts you to remove the ports from the VLAN before deleting it 5300xl Switches with Pre E 09 xx Software Same as for the 3400cl and 6400cl switches 5300xl Switches with E 09 xx or Greater Software If one or more ports belong only to the VLAN to be deleted the CLI notifies you that these ports will be moved to the default VLAN and prompts y...

Page 64: ...ating a new static VLAN specifies a non default VLAN name Also used to change the current name of an existing VLAN Avoid spaces and the following characters in the ascii name string entry and To include a blank space in a VLAN name enclose the name in single or double quotes or voice Designates a VLAN for VoIP use For more on this topic refer to Voice VLANs on page 2 49 For example to create a new...

Page 65: ...membership Allows port based VLANs only For this command vlan id refers to the VID of the dynamic VLAN membership Use showvlan to help identify the VID you need to use This command requires that GVRP is running on the switch and a port is currently a dynamic member of the selected VLAN After you convert a dynamic VLAN to static you must configure the switch s per port participation in the VLAN in ...

Page 66: ...t Available if GVRP is enabled on the switch Returns the per port settings for the specified VLAN to Auto operation Note that Auto is the default per port setting for a static VLAN if GVRP is running on the switch For information on dynamic VLAN and GVRP operation refer to the chapter titled GVRP in the Advanced Traffic Management Guide for your switch For example suppose you have a VLAN named VLA...

Page 67: ...N Parameters In the web browser interface you can do the following Add VLANs Rename VLANs Remove VLANs Configure VLAN tagging mode per port Configure GVRP mode Select a new Primary VLAN To configure other static VLAN port parameters you will need to use either the CLI or the menu interface available by Telnet from the web browser interface 1 Click on the Configuration tab 2 Click on Vlan Configura...

Page 68: ...LAN traffic that should be forwarded Even if the port belongs to only one VLAN it forwards inbound tagged traffic only if it is a tagged member of that VLAN If the only authorized inbound VLAN traffic on a port arrives untagged then the port must be an untagged member of that VLAN This is the case where the port is connected to a non 802 1Q compliant device or is assigned to only one VLAN For exam...

Page 69: ...traffic will go out only the Green ports and so on Devices connected to these ports do not have to be 802 1Q compliant However because both the Red VLAN and the Green VLAN are assigned to port X7 at least one of the VLANs must be tagged for this port In switch Y VLANs assigned to ports Y1 Y4 can all be untagged because there is only one VLAN assignment per port Devices connected to these ports do ...

Page 70: ...gged Any port with two or more VLANs of the same type can have one such VLAN assigned as Untagged All other VLANs of the same type must be configured as Tagged That is Port Based VLANs Protocol VLANs A port can be a member of one untagged port based VLAN All other port based VLAN assignments for that port must be tagged A port can be an untagged member of one protocol based VLAN of each protocol t...

Page 71: ...Untagged Packet Forwarding and figure 2 7 Tagged Packet Forwarding and figure 2 8 Example In the following network switches X and Y and servers S1 S2 and the AppleTalk server are 802 1Q compliant Server S3 could also be 802 1Q compliant but itmakes no difference for this example This network includes both protocol based AppleTalk VLANs and port based VLANs AppleTalk Server Switch X X1 X2 X3 X6 X5 ...

Page 72: ...AT 1 VLAN AT 2 VLAN Red VLAN Green VLAN Switch Y Port AT 1 VLAN AT 2 VLAN Red VLAN Green VLAN X1 Untagged Tagged No No X2 No No Untagged Tagged X3 No Untagged Untagged Tagged X4 No No No Untagged X5 No No Untagged No Y1 No No Untagged Tagged Y2 No No No Untagged Y3 No Untagged No No Y4 No No No Untagged Y5 No No Untagged No X6 Untagged No No No Y6 No Untagged Untagged Tagged No means the port is n...

Page 73: ...res and management functions run on only one VLAN in the switch and because DHCP and Bootp can run per VLAN there is a need for a dedicated VLAN to manage these features and ensure that multiple instances of DHCP or Bootp on different VLANs do not result in conflicting configurationvaluesfortheswitch ThePrimaryVLANistheVLANtheswitch uses to run and manage these features and data In the factory def...

Page 74: ...s of January 2005 the Secure Management VLAN feature is available on these HP ProCurve switches Switch 6108 Series 6400cl switches Series 5300xl switches Series 4100gl switches Series 3400cl switches Series 2800 switches Series 2600 switches If you configure a Secure Management VLAN access to the VLAN and to the switch s management functions Menu CLI and web browser interface is available only thr...

Page 75: ...ch C Management Workstations Switches A B and C are connected by ports belonging to the management VLAN Hub X is connected to a switch port that belongs to the management VLAN As a result the devices connectedtoHubXare included in the management VLAN Other devices connected to the switches through ports that are not in the managementVLANare excluded from management traffic Figure 2 27 Example of P...

Page 76: ...Y Shipping Dept VLAN VID 20 N Y N N N DEFAULT VLAN VID 1 Y Y Y Y N Y Y N N N N N N N N N Y Y N N N N N N Y Y Y Y Y Y Y Y Preparation 1 Determine a VID and VLAN name suitable for your Management VLAN You must manually configure the IP addressing for the Management VLAN The switch does not allow the Management VLAN to acquire an IP address through DHCP Bootp 2 Plan your Management VLAN topology to u...

Page 77: ...the switch Configuration Syntax no management vlan vlan id vlan name Configures an existing VLAN as the management VLAN The no form disables the management VLAN and returns the switch to its default management operation Default Disabled In this case the VLAN returns to standard VLAN operation For example suppose you have already configured a VLAN named My_VLAN with a VID of 100 Now you want to con...

Page 78: ...figure a different VID in the running config file the switch uses the running config version until you either use the write memory command or reboot the switch During a Telnet session to the switch if you configure the Management VLAN to a VID that excludes the port through which you are connected to the switch you will continue to have access only until you terminate the session by logging out or...

Page 79: ... traffic and shields your voice traffic from broadcast storms This section describes how to configure the switch for voice VLAN operation Operating Rules for Voice VLANs You must statically configure voice VLANs GVRP and dynamic VLANs do not support voice VLAN operation Configure all ports in a voice VLAN as tagged members of the VLAN This ensures retentionoftheQoS Qualityof Service priority inclu...

Page 80: ...en the switch forwards all traffic on that VLAN at normal priority If the ports in a voice VLAN are tagged members then the switch forwards all traffic on that VLAN at whatever priority the traffic has when received inbound on the switch Using the switch s QoS VLAN ID VID Priority option you can change the priority of voice VLAN traffic moving through the switch If all port member ships on the voi...

Page 81: ...eration with VLANs Depending on the spanning tree option configured on the switch the span ning treefeaturemayoperateasasingle instanceacrossallportsontheswitch regardless of VLAN assignments or multiple instance on a per VLAN basis For single instance operation this means that if redundant physical links exist between the switchand another 802 1Q device all but one link will be blocked regardless...

Page 82: ...ress ARP will resolve the IP address to this single MAC address In a topology where a switch covered by this guide has multiple VLANs and must be connected to a device having a single forwarding database such as the Switch 4000M some cabling restric tions apply For more on this topic refer to Multiple VLAN Considerations on page 2 17 Port Trunks When assigning a port trunk to a VLAN all ports in t...

Page 83: ...ed VLAN of each protocol type When assigning a port to multiple protocol based VLANs sharing the same type the port can be an untagged member of only one such VLAN With routing enabled on the switch the switch can route traffic between Multiple port based VLANs A port based VLAN and an IPv4 protocol based VLAN A port based VLAN and an IPv6 protocol based VLAN An IPv4 protocol based VLAN and an IPv...

Page 84: ...Static Virtual LANs VLANs VLAN Restrictions This page is intentionally unused 2 54 ...

Page 85: ...ptions for Dynamic VLAN Advertising and Joining 3 9 GVRP and VLAN Access Control 3 11 Port Leave From a Dynamic VLAN 3 11 Planning for GVRP Operation 3 12 Configuring GVRP On a Switch 3 13 Menu Viewing and Configuring GVRP 3 13 CLI Viewing and Configuring GVRP 3 14 Web Viewing and Configuring GVRP 3 18 GVRP Operating Notes 3 18 3 1 ...

Page 86: ...bed in chapter 2 Static Virtual LANs VLANs For general information on how to use the switch s built in interfaces refer to these chapters in the Management and Configuration Guide for your switch Chapter 3 Using the Menu Interface Chapter 4 Using the Command Line Interface CLI Chapter 5 Using the HP Web Browser Interface Chapter 6 Switch Memory and Configuration 3 2 ...

Page 87: ... understand and use GVRP you must have a working knowledge of 802 1Q VLAN tagging Refer to chapter 2 Static Virtual LANs VLANs GVRP uses GVRP Bridge Protocol Data Units GVRP BPDUs to adver tise static VLANs In this manual a GVRP BPDU is termed an advertisement Advertisements are sent outbound from ports on a switch to the devices directly connected to those ports While GVRP is enabled on the switc...

Page 88: ...advertised using BPDUs Bridge Protocol Data Units out all ports regardless of whether a port is up or assigned to any particular VLAN A GVRP aware port on another device that receives the advertisements over a link can dynamically join the advertised VLAN A dynamic VLAN that is a VLAN learned through GVRP is tagged on the port on which it was learned Also a GVRP enabled port can forward an adverti...

Page 89: ...dvertisement of VID 3 Port 2 is already statically configured for VID 3 9 Port 3 receives advertise ment of VID 3 AND becomes a member of VID 3 Still not a member of VIDs 1 2 10 Port 1 advertises VID 3 7 Port 5 receives advertise ment of VID 3 AND becomes a member of VID 3 Still not a member of VIDs 1 2 8 Port 4 advertises VID 3 6 Port 6 advertises VID 3 1 4 6 5 Switch 1 GVRP On 2 Switch 2 GVRP On...

Page 90: ...Ns must be disabled in GVRP unaware devices to allow tagged packets to pass through A GVRP aware port receiving advertisements has these options If there is not already a static VLAN with the advertised VID on the receiving port then dynamically create the VLAN and become a member If the switch already has a static VLAN assignment with the same VID as in the advertisement and the port is configure...

Page 91: ...same way that you would any other static manually created VLAN Per Port Options for Handling GVRP Unknown VLANs An unknown VLAN is a VLAN that the switch learns of by receiving an advertisement for that VLAN on a port that is not already a member of that VLAN If the port is configured to learn unknown VLANs then the VLAN is dynamically created and the port becomes a tagged member of the VLAN For e...

Page 92: ...rtfromjoininganynewdynamicVLANsforwhichitreceives an advertisement Allows the port to advertise other VLANs that have at least one other port as a member Disable Causes the port to ignore and drop all GVRP advertisements it receives and also prevents the port from sending any GVRP advertisements The CLI show gvrp command and the menu interface VLAN Support screen show a switch s current GVRP confi...

Page 93: ...epending on your topology Enabling a Port for Dynamic Joins You can configure a port to dynami cally join a static VLAN The join will then occur if that port subsequently receives an advertisement for the static VLAN This is done by using the Auto and Learn options described in table 3 2 on the next page Parameters for Controlling VLAN Propagation Behavior You can con figure an individual port to ...

Page 94: ...sements Will advertise dynamic VLANs that have at least one other port as a member The port Will become a member of specified VLAN if it receives advertisements for this VLAN Will advertise this VLAN Will not become a member of newdynamicVLANsforwhich it receives advertisements Will advertise dynamic VLANs that have at least one other port on the same switch as a member The port Will not become a ...

Page 95: ...r settings allow all of the switch s ports to transmit and receive dynamic VLAN adver tisements GVRP advertisements and to dynamically join VLANs The two preceding sections describe the per port features you can use to control and limit VLAN propagation To summarize you can Allow a port to advertise and or join dynamic VLANs Learn mode the default Allow a port to send VLAN advertisements but not r...

Page 96: ... manually create static VLANs in order to propagate VLANs throughout the segment 4 Determine security boundaries and how the individual ports in the seg ment will handle dynamic VLAN advertisements See table 3 1 on page 3 8 and table 3 2 on page 3 10 5 Enable GVRP on all devices you want to use with dynamic VLANs and configure the appropriate Unknown VLAN parameter Learn Block or Disable for each ...

Page 97: ...RPoperation referto Per PortStatic VLAN Configuration Options on page 2 11 Menu Viewing and Configuring GVRP 1 From the Main Menu select 2 Switch Configuration 8 VLAN Menu 1 VLAN Support Figure 3 4 The VLAN Support Screen Default Configuration 2 Do the following to enable GVRP and display the Unknown VLAN fields a Press E for Edit b Use v to move the cursor to the GVRP Enabled field c Press the Sp...

Page 98: ...ption for any ports you want to change 4 When you finish making configuration changes press Enter then S for Save to save your changes to the Startup Config file CLI Viewing and Configuring GVRP GVRP Commands Used in This Section drop all incoming advertisements and do not transmit any advertisements show gvrp below gvrp page 3 15 unknown vlans page 3 15 Displaying the Switch s Current GVRP Config...

Page 99: ...n the Switch This command enables GVRP on the switch Syntax gvrp This example enables GVRP HPswitch config gvrp This example disables GVRP operation on the switch HPswitch config no gvrp Enabling and Disabling GVRP On Individual Ports When GVRP is enabled on the switch use the unknown vlans command to change the Unknown VLAN field for one or more ports You can use this command at either the Manage...

Page 100: ...ng the Static and Dynamic VLANs Active on the Switch Syntax show vlans The show vlans command lists all VLANs present in the switch For example in the following illustration switch B has one static VLAN the default VLAN with GVRP enabled and port 1 configured to Learn for Unknown VLANs Switch A has GVRP enabled and has three static VLANs the default VLAN VLAN 222 and VLAN 333 In this scenario swit...

Page 101: ...hrough Port 1 Figure 3 9 Example of Listing Showing Dynamic VLANs Converting a Dynamic VLAN to a Static VLAN If a port on the switch has joined a dynamic VLAN you can use the following command to convert that dynamic VLAN to a static VLAN Syntax static dynamic vlan id Converts the a dynamic VLAN to a static VLAN For example to convert dynamic VLAN 333 from the previous example to a static VLAN HPs...

Page 102: ...ult state the switch supports eight VLANs Thus in a case where four static VLANs are configured on the switch the switch can accept up to four additional VLANs in any combination of static and dynamic Any additional VLANs advertised to the switch will not be added unless you first increase the Maximum VLANs setting In the Menu inter face click on 2 Switch Configuration 8 VLAN Menu 1 VLAN Support I...

Page 103: ...ly automat ically creates tagged VLANs on the links to the advertising devices Similarly the switch advertises its static VLANs to other GVRP aware devices as well as the dynamic VLANs the switch has learned A GVRP enabled switch does not advertise any GVRP learned VLANs out of the port s on which it originally learned of those VLANs While GVRP is enabled on the switch you cannot apply any ACLs to...

Page 104: ...GVRP GVRP Operating Notes This page intentionally unused 3 20 ...

Page 105: ...isabling IGMP 4 11 How IGMP Operates 4 11 Operation With or Without IP Addressing 4 13 Automatic Fast Leave IGMP 4 13 Forced Fast Leave IGMP 4 15 Configuration Options for Forced Fast Leave 4 15 Listing the Forced Fast Leave Configuration 4 16 Configuring Per Port Forced Fast Leave IGMP 4 18 Using the Switch as Querier 4 19 Excluding Well Known or Reserved Multicast Addresses from IP Multicast Fil...

Page 106: ...basis and how to config ure it with the switch s built in interfaces For general information on how to use the switch s built in interfaces refer to these chapters in the Management and Configuration Guide for your switch Chapter 3 Using the Menu Interface Chapter 4 Using the Command Line Interface CLI Chapter 5 Using the HP Web Browser Interface Chapter 6 Switch Memory and Configuration 4 2 ...

Page 107: ...t traffic it receives on a given VLAN through all ports on that VLAN except the port on which it received the traffic This can result in significant and unnecessary bandwidth usage in networks where IP multi cast traffic is a factor Enabling IGMP allows the ports to detect IGMP queries and report packets and manage IP multicast traffic through the switch IGMP is useful in multimedia applications s...

Page 108: ...ultipoint or multicast communication application Querier A required IGMP device that facilitates the IGMP protocol and traffic flow on a given LAN This device tracks which ports are connected to devices IGMP clients that belong to specific multicast groups and triggers updates of this information A querier uses data received from the queries to determine whether to forward or block multicast traff...

Page 109: ...s to any of the following states Auto the default Causes the switch to interpret IGMP packets and to filter IP multicast traffic based on the IGMP packet information for ports belonging to a multicast group This means that IGMP traffic will be forwarded on a specific port only if an IGMP host or multicast router is connected to the port Blocked Causes the switch to drop all IGMP transmissions rece...

Page 110: ...page 4 20 For more information refer to How IGMP Operates on page 4 11 CLI Configuring and Displaying IGMP IGMP Commands Used in This Section show ip igmp configuration ip igmp high priority forward auto ethernet port list blocked ethernet port list forward ethernet port list querier show ip igmp page 4 7 page 4 8 page 4 10 page 4 9 page 4 9 page 4 9 page 4 10 Refer to the section titled Internet ...

Page 111: ...witch including per port data For IGMP operating status refer to the section titled Internet Group Man agement Protocol IGMP Status in appendix B Monitoring and Analyzing Switch Operation of the Management and Configuration Guide for you switch For example suppose you have the following VLAN and IGMP configurations on the switch VLAN ID VLAN Name IGMP Enabled Forward with High Priority Querier 1 D...

Page 112: ...P Configuration for A Specific VLAN Enabling or Disabling IGMP on a VLAN You can enable IGMP on a VLAN along with the last saved or default IGMP configuration whichever was most recently set or you can disable IGMP on a selected VLAN Syntax no ip igmp Enables IGMP on a VLAN Note that this command must be executed in a VLAN context For example here are methods to enable and disable IGMP on the defa...

Page 113: ...bound multicast traffic carrying the same multicast address as is configured in the static filter Refer to the section titled Filter Types and Operation in the Port Traffic Controls chapter of the Management and Configuration Guide for your switch For example suppose you wanted to configure IGMP as follows for VLAN 1 on the 100 1000T ports on a module in slot 1 Ports A1 A2 auto Filter multicast tr...

Page 114: ...mp high priority forward Configures high priority for IGMP traffic on VLAN 1 HPswitch vlan 1 ip igmp high priority forward Same as above command but in the VLAN 1 context level HPswitch vlan 1 no ip igmp high priority forward Returns IGMP traffic to normal priority HPswitch show ip igmp config Show command to display results of above high priority commands Configuring the Querier Function Syntax n...

Page 115: ...et Protocol IP suite IP manages multicast traffic by using switches multicast routers and hosts that support IGMP In Hewlett Pack ard s implementation of IGMP a multicast router is not necessary as long as a switch is configured to support IGMP with the querier feature enabled A set of hosts routers and or switches that send or receive multicast data streams to or from the same source s is termed ...

Page 116: ...st traffic from a specific group it joins the group by sending an IGMP report join request to the network The multicast group specified in the join request is determined by the requesting application running on the IGMP client When a networking device with IGMP enabled receives the join request for a specific group it forwards any IP multicast traffic it receives for that group through the port on...

Page 117: ... ports in the VLAN to Auto Yes None the default Blocked or Forward ConfigureIGMPtrafficforwardingtonormalor Yes None high priority forwarding Age Out IGMP group addresses when the last IGMP client on a port in the VLAN leaves the group Support Fast Leave IGMP and Forced Fast Leave IGMP below Yes Yes Requires that another IGMP device in the VLAN has an IP address and can operate as Querier This can...

Page 118: ...client 3 The end node subsequently leaves the multicast group Then the switch does not need to wait for the Querier status update interval but instead immediately removes the IGMP client from its IGMP table and ceases transmitting IGMP traffic to the client If the switch detects multiple end nodes on the port automatic Fast Leave does not activate regardless of whether one or more of these end nod...

Page 119: ...tiple end nodes receives a Leave Group request from one end node for a given multicast group X Forced Fast Leave activates and waits a small amount of time to receive a join request from any other group X member on that port If the port does not receive a join request for that group within the forced leave interval the switch then blocks any further group X traffic to the port Configuration Option...

Page 120: ...Ports in the Switch Go to the switch s command prompt and use the walkmib command as shown below 1 From the Main Menu select 5 Diagnostics 4 Command Prompt 2 Do one of the following If VLANs are not enabled on the switch go to step 3 If VLANs are enabled on the switch i You will be prompted to select a VLAN For example ii Because you can list the Forced Fast Leave state for all ports on the switch...

Page 121: ... a Forced Fast Leave Listing where all Ports are Members of the Default VLAN To List the Forced Fast Leave State for a Single Port See the Note on VLAN Numbers on page 4 15 Use the switch s CLI and use the getmib command as shown below Syntax getmib hpSwitchIgmpPortForcedLeaveState vlan number port number OR getmib 1 3 6 1 4 1 11 2 14 11 5 1 7 1 15 3 1 5 vlan number port number For example the fol...

Page 122: ...ed Fast Leave disabled This procedure enables or disables Forced Fast Leave on ports in a given VLAN See the Note on VLAN Numbers on page 4 15 For example suppose that your switch has a six port gigabit module in slot A and port C1 is a member of the default VLAN In this case the port number is 53 In the MIB slot A ports 1 24 slot B ports 27 50 slot C ports 53 79 and so on To enable Forced Fast Le...

Page 123: ...le on the same VLAN If the switch becomes the Querier for a particular VLAN for example the DEFAULT_VLAN then subsequently detects queries transmitted from another device on the same VLAN the switch ceases to operate as the Querier for that VLAN If this occurs the switch Event Log lists a pair of messages similar to these I 01 15 01 09 01 13 igmp DEFAULT_VLAN Other Querier detected I 01 15 01 09 0...

Page 124: ... packets entered the VLAN The following table lists the 32 well known address groups 8192 total addresses that IGMP does not filter on the Series 5300XL switches as well as on the 1600M 2400M 2424M 2650M 4000M 4100GL 6108M 8000M and Series 2500 switches Table 4 2 IP Multicast Address Groups Excluded from IGMP Filtering Groups of Consecutive Groups of Consecutive Addresses in the Range of Addresses...

Page 125: ...the multicast destination address es for as long as the IGMP group is active If the IGMP group subsequently deacti vates the switch returns filtering control to the static filter Reserved Addresses Excluded from IP Multicast IGMP Filtering Traffic to IP multicast groups in the IP address range of 224 0 0 0 to 224 0 0 255 will always be flooded because addresses in this range are well known or rese...

Page 126: ...Multimedia Traffic Control with IP Multicast IGMP Excluding Well Known or Reserved Multicast Addresses from IP Multicast Filtering This page is intentionally unused 4 22 ...

Page 127: ...guring PIM DM on the Series 5300xl Switches 5 11 PIM Global Configuration Context 5 12 PIM VLAN Interface Configuration Context 5 15 Displaying PIM Data and Configuration Settings on the Series 5300xl Switches 5 22 Displaying PIM Route Data 5 23 Displaying PIM Status 5 27 Operating Notes 5 34 Troubleshooting 5 36 Messages Related to PIM Operation 5 37 Applicable RFCs 5 40 Exceptions to Support for...

Page 128: ...ng of multimedia traffic control with IP multicast IGMP which is described in chapter 4 Multimedia Traffic Control with IP Multicast IGMP For general information on how to use the switch s built in interfaces refer to these chapters in the Management and Configuration Guide for your switch Chapter 3 Using the Menu Interface Chapter 4 Using the Command Line Interface CLI Chapter 5 Using the HP Web ...

Page 129: ...n 3 enables and controls multicast traffic routing on the Switch Series 5300XL devices PIM DM is used in networks where at any given time multicast group mem bers exist in relatively large numbers and are present in most subnets PIM DM operates with any unicast IPv4 routing protocol available on the switch However note that PIM DM uses flooding to initially propagate a multicast group to a network...

Page 130: ...r determining multicast flows XRRP PIM DM is fully interoperable with XRRP to quickly transition multicast routes in the event of a failover MIB Support With some exceptions PIM DM supports the parts of the Multicast Routing MIB applicable to PIM DM operation Refer to Excep tions to Support for RFC 2932 Multicast Routing MIB on page 5 41 PIM Draft Specifications Compatible with PIM DM draft specif...

Page 131: ...ticast address remain in that group as long as they continue to issue periodic joins On the Switch Series 5300XL devices PIM DM interoperates with IGMP and the switch s routing protocols Note that PIM DM operates independently of the routing protocol you choose to run on your switches meaning you can use PIM DM with RIP OSPF or static routes configured PIM DM utilizes a unicast routing table to fi...

Page 132: ...wn above The routing switch maintains individual branches in the multicast tree as long as there is at least one host maintaining a membership in the multicast group When all of the hosts in a particular VLAN drop out of the group PIM DM prunes that VLAN from the multicast tree Similarly if the routing switch detects a join from a host in a pruned VLAN it adds that branch back into the tree Not e ...

Page 133: ...andwidth Conservation A 5300XL multi cast router if directly connected to a multicast source such as a video conferencing application periodically transmits state refresh packets to downstreammulticastrouters Onroutersthathaveprunedthemulticastflow the state refresh packets keep the pruned state alive On routers that have been added to the network after the initial flooding and pruning of a multic...

Page 134: ...roup these routers on the same multicast tree to avoid the additional flood prunecyclesontherouters that do support state refresh These HP 5300XL multicast routers supportthestaterefreshfeaturebut must handle periodic flood prune cycles for the downstream routers that lack this feature These HP 5300XL multicast routers support the state refresh feature and do not require periodic flood prune cycle...

Page 135: ...nging to the VLAN 5 Enable PIM DM at the global level on the routing switch and on the VLANs where you want to allow routed multicast traffic Not e When you initially enable PIM DM HP recommends that you leave the PIM DM configuration parameters at their default settings You can then assess performance and make configuration changes where a need appears Terminology Flow Multicast traffic moving be...

Page 136: ...ress of the server transmitting the multicast traffic and the multicast address to which the server is transmitting the traffic Source S In IP multicast traffic on the switch the source S is the unicast address of the server transmitting the multicast traffic A single S G pair consists of unicast source address and a multicast group address See also S G Pair PIM DM Operating Rules The routing swit...

Page 137: ... PIM Global Context Commands no ip multicast routing no router pim state refresh trap PIM Interface Context Commands no ip pim 5 12 5 12 5 13 5 13 5 15 all source ip address 5 15 hello interval hello delay graft retry interval max graft retries lan prune delay propagation delay override delay ttl threshold 5 15 5 16 5 16 5 17 5 17 5 18 5 18 5 19 5 11 ...

Page 138: ...where you want multicast routing to operate enable the same option 4 Enable the following in each VLAN context where you want multicast routing to operate IP RIP or IP OSPF IP PIM Any non default VLAN level IP PIM settings you want to apply PIM Global Configuration Context Note PIM DM operation requires a routing protocol enabled on the routing switch You can use RIP OSPF and or static routing The...

Page 139: ...trap when the hardware multicast routing table MRT is full 1023 active flows In this state any additional flows are handled by the software MRT which increases processing time for the affected flows Default Disabled software mrt full Enable Disable notification trap when the routing switch s software multicast routing table is full that is when routing resources for active flows are exhausted Defa...

Page 140: ...3 below Enables IP routing Enables multicast routing Enables PIM Enables RIP Configures a non default State Refresh timer Sets an SNMP trap to notify an SNMPmanagementstationifthe hardware multicast routing table fills with active flows Using show config displays the configuration changes resulting from the above commands Figure 5 3 Example of Configuring PIM DM on a Routing Switch at the Global L...

Page 141: ...ess to designate a single subnet in cases where multicast routers on the same multinetted VLAN are not configured with identical sets of subnet IP addresses Use all if the multinetted VLAN is configured with the same set of subnet addresses Default The Primary VLAN Syntax ip pim hello interval 5 30 vlan vid ip pim hello interval 5 30 Changes the frequency at which the routing switch transmits PIM ...

Page 142: ... with connections to multiple routers if all of the connected routers sent Hello packets at the same time then the receiving router could become momentarilyoverloaded This value randomizes the transmission delay to a time between 0 and the hello delay setting Using 0 means no delay After the routing switch sends the initial Hello Packet to a newly detected VLAN interface it sends subsequent Hello ...

Page 143: ... command Default 3 attempts Syntax ip pim lan prune delay vlan vid ip pim lan prune delay Enables the LAN Prune Delay option on the current VLAN With lan prune delay enabled the routing switch informs downstream neighbors how long it will wait before pruning a flow after receiving a prune request Other downstream routers on the same VLAN must send a Join to override the prune before the lan prune ...

Page 144: ...ream routing switch initially floods traffic from multicast group X to VLAN Y if one of the routing switches on VLAN Y does not want this traffic it issues a prune response to the upstream neighbor The upstream neighbor then goes into a prune pending state for group X on VLAN Y During this period the upstream neighbor continues to forward the traffic During the pending period another routing switc...

Page 145: ... of the TTL setting of incoming multicast packets A value that is too high can allow multicast traffic to go beyond your internal network A value that is too low may prevent some intended hosts from receiving the desired multicast traffic Default 0 forwards multicast traffic regardless of packet TTL setting Example of Configuring PIM DM Operation at the VLAN Level The network in figure 5 4 uses VL...

Page 146: ...the network are not multinetted on the routing switches and it is not necessary to configure a source address for multicast routing on these other VLANs In this example the multicast source transmits packets with a TTL time to live of 192 To prevent these packets from moving beyond routers 2 and 3 you would configure the TTL in the downstream routers below routers 2 and 3 at 190 It is not necessar...

Page 147: ...N 25 MulticastRoutingConfiguration for Global Level Enables IP routing required for multicast routing Indicates the source IP address formulticastpacketsforwardedon this VLAN Multicast Routing Configuration for VLAN 25 Multicast Routing Configurations for VLANs 27 and 29 Figure 5 6 The Configuration Supporting Multicast Routing on the 5300XL 1 Routing Switch Shown in Figure 5 4 Page 5 20 5 21 ...

Page 148: ...tches Displaying PIM Data and Configuration Settings on the Series 5300xl Switches Command Page show ip mroute 5 23 interface vid 5 24 multicast ip addr 5 25 source ip addr show ip pim 5 27 interface 5 28 5 29 vid mroute multicast group address multicast source address 5 30 5 31 neighbor ip address 5 33 5 34 5 22 ...

Page 149: ...terface VLAN from which the multicast traffic is coming A blank field for a given multicast group indicates that the multicast server is directly connected to the routing switch VLAN The interface on which the multicast traffic is moving For example the next figure displays the show ip route output on the 5300XL 2 routing switch in figure 5 4 on page 5 20 This case illustrates two multicast groups...

Page 150: ...s having a TTL lower than this value When a packet arrives the routing switch decrements it s TTL by 1 then compares the decremented packet TTL to the value set by this command A TTL Threshold setting of 0 the default means all multicast packets are forwarded regardless of the TTL value they carry A multicast packet must have a TTL greater than 1 when it arrives at the routing switch Other wise th...

Page 151: ...ectly connected to the routing switch VLAN Lists the VLAN ID VID on which the routing switch received the specified multicast flow Up Time Sec The elapsed time in seconds since the routing switch learned the information for the current instance of the indicated multicast flow Expiry Time Sec Indicates the remaining time in seconds before the routing switch ages out the current flow group membershi...

Page 152: ...orwarding datagrams in the current VLAN Up Time Sec Indicates the elapsed time in seconds since the routing switch learned the displayed information about the current multicast flow Expiry Time Shows the remaining time in seconds until the Next Hop routing switch ages out the current flow group membership on the indicated VLAN Includes the date calcu lated for the age out event This value decremen...

Page 153: ... rejoin a multicast network after the initial flood and prune This enables hosts on such routers to join a multicast group without having to wait for a flood and prune cycle PIM routers having the state refresh capability can eliminate all but an initial flood and prune cycle PIM routers without this capability periodically trigger a flood and prune cycle on the path between the PIM router and the...

Page 154: ...in Figure 5 4 on Page 5 20 Syntax show ip pim interface Lists the PIM interfaces VLANs currently configured in the routing switch VLAN Lists the VID of each VLAN configured on the switch to support PIM DM IP Address Lists the IP addresses of the PIM interfaces VLANs Mode Shows dense only Figure 5 11 Example Output for the 5304XL 1 Routing Switch in Figure 5 4 on Page 5 20 5 28 ...

Page 155: ... Command VLAN n a vlan vid ip pim IP n a vlan vid ip pim all ip addr Mode dense n a PIM Dense only Hello Interval sec 30 ip pim hello interval 5 30 Hello Hold Time 105 Theroutingswitchcomputesthisvaluefromthecurrent Hello Interval and includes it in the Hello packets the routing switch sends to neighbor routers Neighbor routers use this value to determine how long to wait for another Hello packet ...

Page 156: ...m the IP multicast routing table IP MRT When invoked without parameters lists all PIM entries currently in the routing switch s IP MRT Group Address Lists the multicast group addresses currently active on the routing switch Source Address Lists the multicast source address for each Group Address Metric Indicates the path cost upstream to the multicast source Used when multiple multicast routers co...

Page 157: ...the source address Metric Indicates the path cost upstream to the multicast source Used when multiple multicast routers contend to determine the best path to the multicast source The lower the value the better the path Metric Pref Used when multiple multicast routers contend to determine the path to the multicast source When this value differs between routers PIM selects the router with the lowest...

Page 158: ...t Another multicast router connected to the same VLAN has been elected to provide the path for the specified multicast group traffic Other Used where the VLAN is in the pruned state for any reason other than the above two reasons such as no neighbors exist and no directly con nected hosts have done joins This example displays the MRT data on the first of the two multicast groups shown in figure 5 ...

Page 159: ...fresh packet originating from the upstream multicast router The upstream multicast router issues state refresh packets for the current group as long as it either continues to receive traffic for the current flow or receives state refresh packets for the current flow from another upstream multicast router Reset by a new flow for the current multicast group on the VLAN The timer expires reaches 0 In...

Page 160: ... PIM Routers without State Refresh Messaging Capability A PIM router without a state refresh messaging capability learns of currently active flows in a multicast network through periodic flood and prune cycles on the path back to the source The Switch Series 5300XL devices sense downstream multicast routers that do not have the state refresh capability and will period ically flood active multicast...

Page 161: ... memory resources If the routing switch regularly exceeds the hardware limit of 1022 flows and begins routing flows in software you may want to move some hosts that create multicast demand to another routing switch or reduce the number of VLANs on the routing switch by moving some VLANs to another routing switch Note that the routing switch generates a log message if it either routes a flow in sof...

Page 162: ...ged out if they are unused for a period of time Heavy Memory Usage Heavy use of PIM many S G flows over many VLANs combined with other memory intensive features can oversubscribe memory resources and impact overall performance If available memory is exceeded the switch drops any new multicast flows and generates appropri ate Event Log messages Corrective actions can include reducing the number of ...

Page 163: ...Note that this is not the IP TTL Failed alloc of HW alpha str for flow There are more than 1022 active flows The switch routes multicast address source address the excess through software which processes traffic at a slower rate If this will be an ongoing or chronic condition dup msg cnt transfer some of the flows to another router Failed to alloc a PIM data type pkt The router was unable to alloc...

Page 164: ...androuter counter ports Multicast Hardware Failed to Indicates a hardware failure that halts hardware Initialize counter processing of PIM traffic The software will continue to process PIM traffic at a slower rate Contact your HP customer care center No IP address configured on VID PIM has detected a VLAN without an IP address Configure vlan id dup msg cnt an IP address on the indicated VLAN Pkt d...

Page 165: ...D on which the packet was sent Unable to alloc text str table The router was not able to create some tables PIM DM counter uses Indicates thattherouterislow onmemoryresources Remedies include one or more of the following Reduce the number of configured VLANs by moving some VLANs to another router Free up system resources by disabling another feature such as one of the spanning tree protocols or ei...

Page 166: ...uting protocol Unless you are using static routes you will need to retain a minimum of one unicast routing protocol Another option that may help is to reduce the number of configured QoS filters Move some hosts that create multicast demand to another router Applicable RFCs PIM on the Switch Series 5300XL devices is compatible with these RFCs RFC 3376 Internet Group Management Protocol Version 3 RF...

Page 167: ...castOctets ipMRouteInterfaceOutMcastOctets ipMRouteInterfaceHCInMcastOctets ipMRouteInterfaceHCOutMcastOctets ipMRouteBoundaryTable ipMRouteBoundaryEntry ipMRouteBoundaryIfIndex ipMRouteBoundaryAddress ipMRouteBoundaryAddressMask ipMRouteBoundaryStatus OBJECT TYPE ipMRouteScopeNameTable ipMRouteScopeNameEntry ipMRouteScopeNameAddress ipMRouteScopeNameAddressMask ipMRouteScopeNameLanguage ipMRouteS...

Page 168: ...PIM DM Dense Mode on the 5300xl Switches Exceptions to Support for RFC 2932 Multicast Routing MIB This page is intentionally unused 5 42 ...

Page 169: ... 6 45 How MSTP Operates 6 47 Terminology 6 50 Operating Rules 6 52 Transitioning from STP or RSTP to MSTP 6 53 Tips for Planning an MSTP Application 6 54 Steps for Configuring MSTP 6 55 Configuring MSTP Operation Mode and Global Parameters 6 57 Configuring Basic Port Connectivity Parameters 6 61 Configuring MST Instance Parameters 6 63 Configuring MST Instance Per Port Parameters 6 66 Enabling or ...

Page 170: ... Disable RSTP STP RSTP is selected as the default protocol Reconfiguring Whole Switch Values Reconfiguring Per Port Values priority 128 mode norm Default n a Disabled Protocol Version RSTP Force Version RSTP operation Switch Priority 8 Hello Time 2 s Max Age 20 s Forward Delay 15 s Path Cost Depends on port type Priority 8 Edge Port Yes Point to point Force true MCheck Yes page 6 21 page 6 12 page...

Page 171: ...an bring down the network Single Instance spanning tree operation 802 1D STP and 802 1w RSTP ensures that only one active path at a time exists between any two nodes in a physical network In networks where there is more than one physical active path between any two nodes enabling single instance spanning tree ensures one active path between such nodes by blocking all redundant paths Multiple Insta...

Page 172: ...11 12 Switch A Root for Instance 1 VLANs 10 11 12 Switch B Instance 1 VLANs 10 11 12 Switch C Instance 2 VLANs 20 21 22 Switch A Instance 2 VLANs 20 21 22 Switch B Root for Instance 2 VLANs 20 21 22 Switch C Switch A Root for Instance 1 Switch B Root for Instance 2 Path blocked for VLANs in instance 1 Path blocked for VLANs in instance 2 Region A Logical Topology Path blocked for VLANs in instance...

Page 173: ...inguish between VLANs when identifying redundant physical links In this case if VLANs are configured on the switch see STP Operation with 802 1Q VLANs on page RSTP and STP Operation with 802 1Q VLANs on page 6 7 The RSTP 802 1w and STP 802 1D Spanning Tree Options C a u t i o n Spanning tree interprets a switch mesh as a single link Because the switch automatically gives faster links a higher prio...

Page 174: ...1w has been introduced If your network currently uses 802 1D STP and you are not yet ready to implement RSTP you can apply STP to the switch until such time as you are ready to move ahead with RSTP STP on the switches covered by this guide offers the full range of STP features found in earlier product releases including STP Fast Mode for Overcoming Server Access Failures If an end node is configur...

Page 175: ...node B 1 3 Backup redundant path from node A to node B 4 2 3 2 path cost 100 Figure 6 2 General Example of Redundant Paths Between Two Nodes In the factory default configuration spanning tree operation is off If a redun dant link loop exists between nodes in your network you should enable the spanning tree operation of your choice Not e Spanning tree retains its current parameter settings when dis...

Page 176: ...ocking any links or losing any bandwidth Problem STP enabled with 2 separate non trunked links blocks a VLAN link Solution STP enabled with one trunked link Nodes 1 and 2 cannot communicate because STP is blocking the link Nodes 1 and 2 can communicate because STP seesthe trunk as a single link and 802 1Q tagged VLANs enable the use of one trunked link for both VLANs Figure 6 3 Example of Using a ...

Page 177: ... operation 8 2 s 20 s 15 s depends on port type 8 Yes Force true Yes reconfiguring per port values As indicated in the manual the spanning tree protocol is used to ensure that only one active path ata time exists between any two end nodes in the network in which your switch is installed Multiple paths cause a loop in the network over which broadcast and multicast messages are repeated continuously...

Page 178: ...nce times though there are some changes that you should make to the RSTP default configuration See Opti mizing the RSTP Configuration below for more information on these changes Not e Under some circumstances it is possible for the rapid state transitions employed by RSTP to result in an increase in the rates of frame duplication and misordering in the switched LAN In order to allow RSTP switches ...

Page 179: ...he point to point mac value to false on all ports that are connected to shared LAN segments that is to connections to hubs CLI spanning tree ethernet port list point to point mac force false Menu Main Menu 2 Switch Configuration 4 Spanning Tree Operation for each appropriate port select Point to Point Force False 3 Set the edge port value to false for all ports connected to other switches bridges ...

Page 180: ...page 6 16 page 6 16 page 6 16 page 6 16 page 6 16 page 6 16 Refer to 802 1D Spanning Tree Protocol STP on page 6 21 This command lists additional RSTP STP MSTP monitoring data that is not covered in this section Refer to the section titled Spanning Tree Protocol Information in the Monitoring and Analyzing Switch Operation appendix of the Management and Configuration Guide for your switch Viewing t...

Page 181: ...iation no span This command enables spanning tree with the current parameter settings or disables spanning tree using the no option without losing the most recently configured parameter settings Enabling STP Instead of RSTP If you decide for whatever reason that you would prefer to run the IEEE 802 1D STP version of spanning tree then issue the following command Syntax spanning tree protocol versi...

Page 182: ... the spanning tree is the root The lower the priority value the higher the priority The value you enter has changed from the STP value The range is 0 61440 but for RSTP the value is entered as a multiple a step of 4096 You enter a value in the range 0 15 The default value of 32768 is derived by the default setting of 8 Displaying the RSTP configuration show spanning tree config shows 8 but display...

Page 183: ...ch Using this facility you can completely configure spanning tree the way you want and then enable it This method minimizes the impact on the network operation Syntax spanning tree protocol version rstp stp force version rstp operation stp compatible priority 0 15 maximum age 6 40 seconds hello time 1 10 seconds forward delay 4 30 seconds Defaults See the table on the previous page Abbreviations s...

Page 184: ...available only with RSTP or MSTP operation path cost 10 Mbps 2 000 000 Assigns an individual port cost that the switch uses to determine which ports 100 Mbps 200 000 are the forwarding ports The range is 1 to 200 000 000 or auto 1 Gbps 20 000 Bydefault thisparameterisautomaticallydeterminedbytheporttype asshown by thedifferentdefaultvalues Ifyou havepreviouslyconfigureda specificvalue for this par...

Page 185: ...costs and new default path cost values to account for higher network speeds These values are different than the values defined by 802 1D STP as shown below Port Type 802 1D STP Path Cost RSTP and MSTP Path Cost 10 Mbps 100 2 000 000 100 Mbps 10 200 000 1 Gbps 5 20 000 Because the maximum value for the path cost allowed by 802 1D STP is 65535 devices running that version of spanning tree cannot be ...

Page 186: ...er field 4 Press the Space bar to select the version of spanning tree you wish to run RSTP or STP Note Ifyouchangetheprotocolversion youwillhavetorebootthe switch for the change to take effect See step 9 and step 10 5 Press the Tab or down arrow key to go to the STP Enabled field Note that when you do this the remaining fields on the screen will then be appro priate for the version of spanning tre...

Page 187: ... line then press H for Help to display the online help 8 Repeat step 6 for each additional parameter you want to change Please see Optimizing the RSTP Configuration on page 6 11 for recom mendations on configuring RSTP to make it operate the most efficiently 9 When you are finished editing parameters press Enter to return to the Actions line and press S to save the currently displayed spanning tre...

Page 188: ...elected protocol version enabling spanning tree through the web browser interface will enable RSTP with its current configuration To configure the other span ning tree features telnet to the switch console and use the CLI or menu To enable or disable spanning tree using the web browser interface 1 Click on the Configuration tab 2 Click on Device Features 3 Enable or disable spanning tree 4 Click o...

Page 189: ...P Figure 6 6 The Default Spanning Tree Operation Screen 2 Press E for Edit to highlight the Protocol Version field In the default configuration this field is set to RSTP 3 Press the Space bar once to change the field to STP This changes the Protocol Version selection to the 802 1D Spanning Tree Protocol 4 Press v to highlight the STP Enabled field 5 Press the Space bar to select Yes Yes in this fi...

Page 190: ...u need information on STP parameters press Enter to select the Actions line then press H to get help 8 Repeat step 7 for each additional parameter you want to change Note For information on the Mode parameter see STP Fast Mode on page 6 28 9 When you are finished editing parameters press Enter to return to the Actions line 10 Press S to save the currently displayed STP parameter settings You will ...

Page 191: ...cating a Reboot Is Needed to Implement a Configuration Change 11 Press 0 to return to the Main menu Figure 6 9 The Main Menu Indicating a Reboot Is Needed To Implement a Configuration Change 12 Press 6 to reboot the switch This implements the Protocol Version change steps 2 and 3 on page 6 21 6 23 ...

Page 192: ...6 page 6 26 page 6 27 page 6 27 page 6 27 page 6 27 Viewing the Current STP Configuration Syntax show spanning tree config Regardless of whether STP is disabled the default this command lists the switch s full STP configuration including general settings and port settings When the switch is configured for 802 1D STP this command displays infor mation similar to the following Command Listing when S...

Page 193: ...ation on the switch use the spanning tree command again to enable STP operation Syntax spanning tree protocol version stp write memory boot For example Figure 6 11 Steps for Changing Spanning Tree Operation to the 802 1D Protocol Enabling or Disabling Spanning Tree Operation on the Switch Syntax no spanning tree This command enables or disables spanning tree operation for either spanning tree vers...

Page 194: ...n adversely affect network performance HP recommends that you use the default STP parameter settings You should not change these settings unless you have a strong understanding of how STP operates For more on STP see the IEEE 802 1D standard Reconfiguring General STP Operation on the Switch You can config ure one or more of the following parameters Table 6 3 General STP Operating Parameters Name D...

Page 195: ...tree port list path cost 1 65535 priority 0 255 mode norm fast Enables STP if not already enabled and configures the per port parameters listed in table 6 4 Table 6 4 Per Port STP Parameters Name Default Range Function path cost Ethernet 100 1 65535 Assignsanindividualportcostthattheswitchuses 10 100Tx 10 100 Fx 10 Gigabit 5 to determine which ports are the forwarding ports priority 128 0 255 Used...

Page 196: ...re configured to automatically try to access a network server when ever the end node detects a network connection Typical server access includes to Novell servers DHCP servers and X terminal servers If the server access is attempted during the time that the switch port is negotiating its STP state the server access will fail To provide support for this end node behavior the switches covered by thi...

Page 197: ... 802 1D STP to improve the recovery convergence time in wiring closet switches with redundant uplinks Specifically a switch having redundant links toward the root device can decrease the convergence time or failover to a new uplink STP root port to as little as ten seconds To realize this performance the switch must be Used as a wiring closet switch also termed an edge switch or a leaf switch Conf...

Page 198: ...er 1999 Not e When properly implemented fast uplink STP offers a method for achieving faster failover times than standard STP and is intended for this purpose for instances where 802 1D STP has been chosen over 802 1w RSTP To use fast uplink STP configure fast uplink Mode Uplink only on the switch s upstream ports that is two or more ports forming a group of redundant links in the direction of the...

Page 199: ...witch For more information see Spanning Tree Protocol STP in chapter 9 Configuring Advanced Features in the Management and Configuration Guide for your switch tree uplink port upstream port A switch port linked to a port on another switch that is sequentially closer to the STP root device For example ports A and B in figure 6 12 on page 6 30 are uplink ports wiring closet switch Another term for a...

Page 200: ... seconds Scenario 2 If Switch 1 fails then Switch 2 becomes the root switch The link between Switch 3 and Switch 2 begins forwarding The link between Switch 2 and the LAN begins forwarding Operating Rules for Fast Uplink A switch with ports configured for fast uplink must be an edge switch and not either an interior switch or the STP root switch Configure fast uplink on only the edge switch ports ...

Page 201: ...plink should not be configured on both ends of a point to point link but only on the uplink port of an edge switch Ensure that the switch you intend as a backup root device will in fact become the root if the primary root fails and that no ports on the backup root device are configured for fast uplink operation For example if the STP Priority is the same on all switches default 32768 then the swit...

Page 202: ...peration 2 In the default STP configuration RSTP is the selected protocol version If this is the case on your switch you must change the Protocol Version to STP in order to use Fast Uplink STP If the Protocol Version is set to RSTP the default as shown in this example go to step 3 IftheProtocolVersionissettoSTP therestofthescreenwillappear as shown in figure 6 17 In this case go to step 4 on page ...

Page 203: ...panning Tree Operation screen you will then see a screen with the following The asterisk indicates thatyoumustrebootthe switchtoimplementthe configuration change from RSTP to STP Figure 6 16 Changing from RSTP to STP Requires a System Reboot e Press 0 zero to return to the Main Menu then 6 to reboot the switch f After you reboot the switch enter the menu command at the CLI to return to the Main Me...

Page 204: ...ration Screen 4 On the ports and or trunks you want to use for redundant fast uplink connections change the mode to Uplink In this example port A1 and Trk1 using ports A2 and A3 provide the redundant uplinks for STP a Press E for Edit then enable STP on the switch by using the Space bar to select Yes in the Spanning Tree Enabled field b Use Tab to move to the Mode field for port A1 c Use the Space...

Page 205: ...nks Configured for Fast Uplink STP 5 Press S forSave tosavetheconfigurationchangestoflash non volatile memory To View Fast Uplink STP Status Continuing from figures 6 17 and 6 18 in the preceding procedure this task uses the same screen that you would use to view STP status for other operating modes 1 From the Main Menu select 1 Status and Counters 7 Spanning Tree Information 6 37 ...

Page 206: ... be the STP root device Figure 6 19 Example of STP Status with Trk1 Trunk 1 as the Path to the STP Root Device 2 Press S for Show ports to display the status of individual ports Links to PC or Workstation End Nodes Redundant STP Link in Fast Uplink Mode Redundant STP Link in Fast Uplink Mode Figure 6 20 Example of STP Port Status with Two Redundant STP Links 6 38 ...

Page 207: ...nk STP You can view fast uplink STP using the same show commands that you would use for standard STP opera tion Syntax show spanning tree Lists STP status Syntax show spanning tree config Lists STP configuration for the switch and for individual ports For example figures 6 21 and 6 22 illustrate a possible topology STP status listing and STP configuration for a switch with STP enabled and the swit...

Page 208: ...o the STP root device RedundantSTPlinkintheBlocking state Links to PC or Workstation End Nodes Redundant STP link in the Forwarding state See the Root Port field above This is the currently active path to the STP root device Figure 6 22 Example of a Show Spanning Tree Listing for the Topology Shown in Figure 6 21 6 40 ...

Page 209: ...sestheCLI to configure the switch for the fast uplink operation shown in figures 6 21 6 22 and 6 23 The example assumes that ports A2 and A3 are already config ured as members of the port trunk Trk1 and all other STP parameters are left in their default state Note that the default STP Protocol Version is RSTP Rapid STP or 802 1w Thus if the switch is set to the STP default you must change it to th...

Page 210: ...tion When configured fast uplink STP operates on the designated ports in a running switch How ever if the switch experiences a reboot the fast uplink ports Mode Uplink use the longer forwarding delay used by ports on standard 802 1D STP non fast uplink This prevents temporary loops that could otherwise result while the switch is determining the STP status for all ports That is on ports configured ...

Page 211: ...the trunk are set to fast uplink Mode Uplink You must still specifically configure the trunk Mode setting to Uplink Similarly if you eliminate a trunk the Mode setting on the individual ports in the trunk will return to their previous settings For Troubleshooting Information on Fast Uplink Refer to the section titled Spanning Tree Protocol STP and Fast Uplink Problems in appendix C Troubleshooting...

Page 212: ...a port belongs to multiple VLANs it may be dynamically blocked in one spanning tree instance but forwarding in another instance This achieves load balancing across the network while keeping the switch s CPU load at a moderate level by aggre gating multiple VLANs in a single spanning tree instance Like RSTP MSTP provides fault tolerance through rapid automatic reconfiguration if there is a failure ...

Page 213: ...witch Running STP Switch Running STP Switch Running RSTP Switch Running RSTP Switch Running RSTP Common Spanning Tree CST MST Region MST Region Common and Internal Spanning Tree CIST Figure 6 25 Example of MSTP Network with Legacy STP and RSTP Devices Connected Common and Internal Spanning Tree CIST The CIST identifies the regions in a network and administers the CIST root bridge for the network t...

Page 214: ...rk An STP or RSTP network operates as a single instance network A region can include two types of STP instances Internal Spanning Tree Instance IST Instance This is the default spanning tree instance in any MST region It provides the root switch for the region and comprises all VLANs configured on the switches in the region that are not specifically assigned to Multiple Spanning Tree Instances MST...

Page 215: ...feature that enables you to exchange MSTP config urations with a single command Refer to Enabling an Entire MST Region at Once or Exchanging One Region Configuration for Another on page 6 69 Not e The switch automatically senses port identity and type and automatically defines spanning tree parameters for each type as well as parameters that apply across the switch Although these parameters can be...

Page 216: ...ce Figure 6 26 Active Topologies Built by Three Independent MST Instances While allowing only one active path through a given instance MSTP retains any redundant physical paths in the instance to serve as backups blocked paths in case the existing active path fails Thus if an active path in an instance fails MSTP automatically activates unblocks an available backup to serve as the new active path ...

Page 217: ...Spanning Tree instance MSTI in a region the regional root may be a different switch that is not necessarily connected to another region The MSTP switches block redundant links within each LAN segment across all instances and between regions to prevent any traffic loops As a result each individual instance spanning tree within a region deter mines its regional root bridge designated bridges and des...

Page 218: ...ink and 802 1Q tagged VLANs enable the use of one trunked link for both VLANs Figure 6 27 Example of Using a Trunked Link To Support Multiple VLAN Connectivity within the Same MST Instance Not e All switches in a region should be configured with the VLANs used in that region and all ports linking MSTP switches together should be members of all VLANs in the region Otherwise the path to the root for...

Page 219: ... Spanning Tree Protocol A network supporting MSTP allows multiple spanning tree instances within configured regions and a single spanning tree among regions STP bridges and RSTP bridges MSTP BPDU MSTP Bridge Protocol Data Unit These BPDUs carry region specific information such as the region identifier region name and revision number If a switch receives an MSTP BPDU with a region identifier that d...

Page 220: ...ive physical communication path between any two regions or between an MST region and an STP or RSTP switch MSTP blocks any other physical paths as long as the currently active path remains in service Within a network an MST region appears as a virtual RSTP bridge to other spanning tree entities other MST regions and any switches running 802 1D or 802 1w spanning tree protocols Within an MSTI there...

Page 221: ...as appropriate Because MSTP is so efficient at establishing the network path HP highly recommends that you update all of your 5300xl switches to support 802 1s MSTP All 3400cl 6400cl switch software versions support 802 1s Also for switches that do not support 802 1s MSTP HP recommends that you update to RSTP to benefit from the convergence times of less than one second under optimal circumstances...

Page 222: ...STP switches in a given region supporting the same set of VLANs Within each region determine the VLAN membership for each spanning tree instance Eachinstancerepresentsa singleforwardingpathforallVLANs in that instance There is one logical spanning tree path through the following Any inter regional links Any IST or MST instance within a region Any legacy 802 1D or 802 1w switch or group of switches...

Page 223: ...The switch supports MSTP configuration through the CLI After you specify MSTP and reboot the switch as described above the switch removes the Spanning Tree option from the Menu interface If you later reconfigure the switch to use STP or RSTP the switch returns the Spanning Tree option to the Menu interface This section assumes that you have already 1 Configured the MSTP operation mode This specifi...

Page 224: ...u must include a minimum of one VID You can add more VIDs later if desired spanning tree instance 1 16 vlan vid To move a VLAN from one instance to another first use no spanning tree instance n vlan vid to unmap the VLAN from the current instance then add the VLAN to the other instance While the VLAN is unmapped from an MSTI it is associated with the region s IST instance Configure the priority fo...

Page 225: ...n mstp 6 58 spanning tree config name ascii string 6 58 spanning tree config revision revision number 6 59 spanning tree max hops hop count 6 59 spanning tree force version 6 60 stp compatible rstp operation mstp operation spanning tree hello time 1 10 6 60 The commands in this section apply on the switch level and do not affect individual port configurations 6 57 ...

Page 226: ...on at Once or Exchanging One Region Configuration for Another on page 6 69 Not e The following commands are available only when the switch is configured for MSTP protocol operation Syntax no spanning tree config name ascii string This command resets the configuration name of the MST region in which the switch resides This name can include up to 32 nonblank characters and is case sensitive On all s...

Page 227: ...want to maintain the same region name Using the pending option to maintain two different configuration options for the same physical region Note that this setting must be the same for all MSTP switches in the same MST region Range 0 65535 Default 0 Note This option is available only when the switch is configured for MSTP operation Syntax spanning tree max hops hop count This command resets the num...

Page 228: ... protocols is not required This command is available when the protocol version is set to mstp see protocol version later Note that even when mstp operation is selected if the switch detects an 802 1D BPDU or an 802 1w BPDU on a port it communicates with the device linked to that port using STP or RSTP BPDU packets Also if errors are encountered as described in the Note on MSTP Rapid State Transiti...

Page 229: ...ort Enable edge port on ports connected to end nodes During spanning tree establishment ports with edge port enabled transition immediately to the forwarding state Disable this feature on any switch port that is connected to another switch bridge or hub Default No disabled The no spanning tree port list edge port command disables edge port operation on the specified ports mcheck Forces a port to s...

Page 230: ...CIST root then the upstream CIST root s port hello time setting overrides the hello time setting configured on switch X Default Per Port setting Use Global Default Global Hello Time 2 path cost auto 1 200000000 Assigns an individual port cost that the switch uses to determine which ports are forwarding ports in a given spanning tree In the default configuration auto the switch determines a port s ...

Page 231: ...id vid vid 6 61 no spanning tree instance 1 16 spanning tree instance 1 16 priority 0 15 6 63 spanning tree priority 0 15 6 64 Syntax spanning tree instance 1 16 vlan vid vid vid no spanning tree instance 1 16 Configuring MSTP on the switch automatically configures the IST instance and places all statically configured VLANs on the switch into the IST instance This command creates a new MST instanc...

Page 232: ...f the same VLAN s Traffic in VLANs assigned to a numbered STP instance in a given region moves to other regions through the root switch for that instance The priority range for an MSTP switch is 0 61440 However this command specifies the instance priority as a multiplier 0 15 of 4096 That is when you specify an instance pri ority value of 0 15 the actual priority assigned to the switch for the spe...

Page 233: ...nnected regions for the traffic in VLANs assigned to the region s IST instance Traffic in VLANs assigned to a numbered STP instance in a given region moves to other regions through the root switch for that instance The priority range for an MSTP switch is 0 61440 However this command specifies the priority as a multiplier 0 15 of 4096 That is when you specify a priority value of 0 15 the actual pr...

Page 234: ...200000000 This command assigns an individual port cost for the specified MST instance For a given port the path cost setting can be different for different MST instances to which the port may belong The switch uses the path cost to determine which ports are the forwarding ports in the instance that is which links to use for the active topology of the instance and which ports to block The settings ...

Page 235: ...h is priority multiplier x 16 For example if you configure 2 as the priority multiplier on a given port in an MST instance then the actualPriority setting is 32 Thus after you specify the port priority multiplier in an instance the switch displays the actual port priority and not the multiplier in the show spanning tree instance 1 16 or show spanning tree port list instance 1 16 displays You can v...

Page 236: ...rity as a multiplier 0 15 of 16 That is when you specify a priority multiplier of 0 15 the actual priority assigned to the switch is priority multiplier x 16 For example configuring 5 as the priority multiplier on a given port in the IST instance for a region creates an actual Priority setting of 80 Thus after you specify the port priority multiplier for the IST instance the switch displays the ac...

Page 237: ...nning tree pending apply config name config revision instance reset 6 70 This operation exchanges the currently active MSTP configuration with the currently pending MSTP configuration It enables you to implement a new MSTP configuration with minimal network disruption or to exchange MSTP configurations for testing or troubleshooting purposes When you configure or reconfigure MSTP the switch re cal...

Page 238: ...u want to configure 7 Use the show spanning tree pending command to review your pending configuration page 6 77 8 Use the spanning tree pending apply command to exchange the currently active MSTP configuration with the pending MSTP configuration Syntax spanning tree pending apply config name config revision instance reset apply Exchanges the currently active MSTP configuration with the pending MST...

Page 239: ...he Common Spanning Tree This command displays the MSTP statistics for the connections between MST regions in a network Syntax show spanning tree This command displays the switch s global and regional spanning tree status plus the per port spanning tree operation at the regional level Note that values for the following parameters appear only for ports connected to active devices Designated Bridge H...

Page 240: ...iondisabled indicates the port is configured for connecting to a LAN segment that includes a bridge or switch Yes indicates the port is configured for a host end node link Refer to the edge port description under Configuring Basic Port Connectivity Parameters on page 6 61 Yes means the switch is operating the port as if it is connected to switch bridge or end node but not a hub Identifies the over...

Page 241: ...Statistics for a Specific MST Instance Syntax show spanning tree instance ist 1 16 This command displays the MSTP statistics for either the IST instance or a numbered MST instance running on the switch Figure 6 29 Example of MSTP Statistics for a Specific Instance on an MSTP Switch 6 73 ...

Page 242: ...ommand For information on these parameters refer to Configuring Basic Port Connectivity Parameters on page 6 61 Syntax show spanning tree port list config This command shows the same data as the above command but lists the spanning tree port parameter settings for only the specified port s and or trunk s You can list data for a series of ports and port trunks by specifying the first and last port ...

Page 243: ...for the specified instance Syntax show spanning tree port list config instance ist 1 16 This command shows the same data as the above command but lists the spanning tree port parameter settings for only the specified port s and or trunk s You can list data for a series of ports and port trunks by specifying the first and last port or trunk of any consecutive series of ports and trunks For example ...

Page 244: ...figuration Digest from the VID to MSTI configuration mappings on the switch itself As required by the 802 1s standard all MSTP switches within the same region must have the same VID to MSTI assignments and any given VID can be assigned to either the IST or one of the MSTIs within the region Thus the MSTP Configuration Digest must be identical for all MSTP switches intended to belong to the same re...

Page 245: ... Enabling an Entire MST Region at Once or Exchanging One Region Configuration for Another on page 6 69 Syntax show spanning tree pending instance mst config instance 1 16 ist Lists region instance I D and VLAN information for the specified pending instance mst config Lists region IST instance VLAN s numbered instances and assigned VLAN information for the pending MSTP configuration Figure 6 33 Exa...

Page 246: ...cation of VLANs to MSTIs may not be identical among all switches in a region A Switch Intended To Operate Within a Region Does Not Receive Traffic from Other Switches in the Region An MSTP switch intended for a particular region may not have the same configuration name or region revisionnumberasthe otherswitchesintendedforthesame region TheMSTP Configuration Name and MSTP Configuration Revision nu...

Page 247: ... Meshing 7 11 CLI To View and Configure Switch Meshing 7 14 Viewing Switch Mesh Status 7 14 CLI Configuring Switch Meshing 7 17 Operating Notes for Switch Meshing 7 18 Flooded Traffic 7 18 Unicast Packets with Unknown Destinations 7 19 Spanning Tree Operation with Switch Meshing 7 20 Filtering Security in Meshed Switches 7 22 IP Multicast IGMP in Meshed Switches 7 22 Static VLANs 7 23 Dynamic VLAN...

Page 248: ...twork and allowing quick responses to individual link failures This also helps to maximize invest ments in ports and cabling Unlike trunked ports the ports in a switch mesh can be of different types and speeds 10 and 100 Mbps gigabit and 10 gigabit For example a 10Base FL port and a 1GB port can be included in the same switch mesh Switch 1 Meshed Switch 4 Meshed Switch 3 Meshed Switch 2 Meshed W W...

Page 249: ...th between these nodes may be through switch 3 if network conditions have changed significantly Not e Themac age time parameterdetermineshowlonganinactive pathassignment remains in memory Refer to System Information in the chapter titled Interface Access System Information and Friendly Port Names in the Management and Configuration Guide for your switch Because Redundant Paths Are Active Meshing A...

Page 250: ...orts can have multiple redundant links without creating broadcast storms Switch 2 Switch Non Mesh Switch Non Mesh Switch 3 Switch 4 Hub Hub Hub Switch 1 W W W W W W Switch Mesh Domain Edge Switches 1 2 4 Figure 7 2 Example of a Switch Mesh Domain in a Network Edge Switch This is a switch that has some ports in the switch meshing domain and some ports outside of the domain See figure 7 2 above 7 4 ...

Page 251: ...ths of five hops or fewer through the same mesh will continue to operate Hub links between meshed switch links are not allowed If the switch has multiple static VLANs and you configure a port for meshing the port becomes a tagged member of all such VLANs If you remove a port from meshing it becomes an untagged member of only the default VLAN A port configured as a member of a static trunk LACP FEC...

Page 252: ... in the same mesh domain with Series 5300xl 3400cl or 6400cl switches then GVRP must be disabled on all switches in the mesh If a switch in the mesh has a particular static vlan configured then all switches in the mesh must have that static vlan configured If a switch in the mesh has IGMP enabled then all switches in the mesh must have IGMP enabled If a switch in the mesh has CDP enabled then all ...

Page 253: ...figured in the switch For more on GVRP refer to chapter 3 GVRP GVR P Note HP Procurve 1600M 2400M 2424M 4000M 8000M switches do not offer the GVRP feature If any of these switches are in your switch mesh then GVRP must be disabled on any 3400cl 6400cl or 5300xl switches in the mesh Not e A switch mesh domain figure 7 1 on page 7 2 cannot include either a switch that is not configured for meshing o...

Page 254: ...sh backward compat command Using a Heterogeneous Switch Mesh You can use 3400cl 6400cl and 5300xl switches together with any of the older HP Procurve Switch 1600M 2400M 2424M 4000M 8000M models These restrictions also apply All 3400cl 6400cl and 5300xl switches in the mesh must be placed in backward compatible mode This is done with the mesh backward compat command The older models cannot be used ...

Page 255: ... Switch Figure 7 5 Example of an Unsupported Heterogeneous Topology Where Duplicate MAC Addresses Come Through Different Switches Regardless of the VLANs Used Host Both links use the same MAC address 5300xl 6400cl or3400cl Switch Switch 4000M LAN Tagged VLAN 20 Creating the mesh with only one Series 5300xl 3400cl or 6400cl switch connected to the host and using tagged VLANs for multiple connection...

Page 256: ...Thus in a mesh domain populated with all three types of switches ABC must be disabled which is the default setting on all of the 8000M 4000M 2424M 2400M 1600M switches in the domain Bringing Up a Switch Mesh Domain When a meshed port detects a non meshed port on the opposite end of a point to point connection the link will be blocked Thus as you bring up switch meshing on various switches you may ...

Page 257: ... IGMP and STP To avoid unnecessary system disruption plan the mesh bring up to mini mize temporary port blocking Refer to Bringing Up a Switch Mesh Domain on page 7 10 To view the current switch mesh status on the switch use the CLI show mesh command page 7 14 Menu To Configure Switch Meshing 1 From the Main Menu select 2 Switch Configuration 2 Port Trunk Settings 2 Press E for Edit to access the ...

Page 258: ...to your mesh domain the screen would appear similar to figure 7 9 PortsA1andA2configured for meshing Figure 7 9 Example of Mesh Group Assignments for Several Ports 6 Repeat step 5 for all ports you want in the mesh domain Not e s For meshed ports leave the Type setting blank Meshed ports do not accept a Type setting All meshed ports in the switch automatically belong to the same mesh domain See fi...

Page 259: ...e Switch 8 Press 0 to return to the Main menu 9 To activate the mesh assignment s from the Main menu reboot the switch by pressing the following keys a 6 for Reboot Switch b Space bar to select Yes c 13 to start the reboot process The switch cannot dynamically reconfigure ports to enable or disable mesh ing so it is always necessary to reboot the switch after adding or deleting a port in the switc...

Page 260: ...d the MAC address of the port on the opposite end of the link Peer Port Reading the Show Mesh Output For each port configured for meshing the State column indicates whether the port has an active link to the mesh or is experiencing a problem The status of the backwards compatibility option is also displayed For more details on the backwards compatibility option see CLI Configuring Switch Meshing o...

Page 261: ...hub Topology Error Two meshed switches are connected via a hub and traffic from other non meshed devices is flowing into the hub The show mesh listing includes the MAC addresses of the adjacent switch and direct connection port on the adjacent switch Topology Example with Show Mesh Supposethatyouhavethe following topology Series 5300XL Switch A1 B1 C1 D1 Switch Port Not Configured for Meshing Swit...

Page 262: ...on another non adjacent device that is also connected to the non meshed switch or hub However meshing will not operate properly through this connection B1 Yes Not connected to another device C1 Yes Connected to a meshed port on the same adjacent switch as D1 with meshing operating properly D1 Yes Connected to a meshed port on the same adjacent switch as C1 with meshing operating properly Figure 7 ...

Page 263: ...0cl or 5300xl switches This command does not require a reboot to take effect All meshed ports on a switch belong to the same mesh domain Thus to configure multiple meshed ports on a switch you need to 1 Specify the ports you want to operate in the mesh domain 2 Use write memory to save the configuration to the startup config file 3 Reboot the switch For example to configure meshing on ports A1 A4 ...

Page 264: ...ssign traffic paths between devices that are newly active on the mesh This means that after an assigned path between two devices has timed out new traffic between the same two devices may take a different path than previously used To display information on the operating states of meshed ports and the identities of adjacent meshed ports and switches see Viewing Switch Mesh Status on page 7 14 Flood...

Page 265: ...does not flood the packet onto the mesh Instead the switch sends a query on the mesh to learn the location of the unicast destination The meshed switches then send 802 2 test packets through their non meshed ports After the unicast destination is found and learned by the mesh subsequent packets having the same destination address will be forwarded By increasing the MAC Age Time you can cause the s...

Page 266: ...hed Switch Server Meshed Switch Server Meshed Switch Meshed Switch Switch Switch STP RSTP or MSTP Blocking a Redundant Link Figure 7 17 Example Using STP Without and With Switch Meshing If you enable STP RSTP or MSTP on any meshed switch you should enable the same spanning tree protocol on all switches in the mesh That is if you are going to use spanning tree in a switch mesh all switches in the m...

Page 267: ...nfiguration on page 6 11 STP or RSTP should be configured on non mesh devices that use redundant links to interconnect with other devices or with multiple switch mesh domains For example Non Mesh Switch STP Block STP Block Mesh Domain Mesh Domain Non Mesh Switch Figure 7 19 Interconnecting Switch Mesh Domains with Redundant Links In the above case of multiple switch meshes linked with redundant tr...

Page 268: ...P or MSTPoperation Because a packet crossing a mesh may traverse several links within the mesh using smaller than default settings for the RSTP Hello Time and Forward Delay timers can cause unnecessary topology changes and end node connectivity prob lems For more on spanning tree refer to the chapter titled Spanning Tree Opera tion in this manual Also you may want to examine the IEEE 802 1d 802 1w...

Page 269: ...etween the mesh andnon meshed devices belong to specific VLANs and do not allow packets originating in a specific VLAN to enter non meshed devices that do not belong to that same VLAN It is necessary to use a router to communicate between VLANs For example in the following illustration traffic from host A entering the switch mesh can only exit the mesh at the port for hosts B and E Traffic from ho...

Page 270: ...comes a member of every VLAN configured on the switch If a port in a meshed domain does not belong to any VLANs configured to support jumbo traffic then the port drops any jumbo packets it receives from other devices In this regard if a mesh domain includes any HP ProCurve Series 5300xl switches and or HP ProCurve 1600M 2400M 2424M 4000M 8000M switches along with Series 3400cl and 6400cl switches ...

Page 271: ...s five switches Figure 7 22 shows a fully interconnected mesh SW 1 SW 2 SW 3 SW 7 SW 5 Server Farm Server Farm Switches SW 1 through SW 12 form the maximum size switch mesh domain SW 9 SW 11 SW 4 SW 8 SW 6 SW 10 SW 12 Note that more than one link is allowed between any two switches in the domain As shown here meshing allowsmultipleredundant linksbetweenswitchesin the domain Note also that a switch...

Page 272: ...switches do not offer this feature Thus in a switch mesh comprised of 3400cl 6400cl and or 5300xl switches and any of the 1600M 2400M 2424M 4000M 8000M switches ABC must be disabled which is the default setting on the 1600M 2400M 2424M 4000M 8000M switches Network Monitor Port If a network monitor port is configured broad cast packets may be duplicated on this port if more than one port is being m...

Page 273: ...e switch mesh Rate Limiting Not Recommended on Meshed Ports Rate Limiting can reduce the efficiency of paths through a mesh domain See also Operating Rules on page 7 5 For additional information on troubleshooting meshing problems refer to Using a Heterogeneous Switch Mesh on page 7 8 and Mesh Related Prob lems in appendix C Troubleshooting of the Management and Configuration Guide for your switch...

Page 274: ...Switch Meshing Operating Notes for Switch Meshing This page is intentionally unused 7 28 ...

Page 275: ...e for Outbound Traffic 8 22 Viewing the QoS Configuration 8 22 QoS UDP TCP Priority 8 24 QoS IP Device Priority 8 30 QoS IP Type of Service ToS Policy and Priority 8 36 QoS Layer 3 Protocol Priority 5300xl Switches Only 8 49 QoS VLAN ID VID Priority 8 51 QoS Source Port Priority 8 57 Differentiated Services Codepoint DSCP Mapping 8 62 Note On Changing a Priority Setting 8 65 IP Multicast IGMP Inte...

Page 276: ...is not always feasible and does not completely eliminate the potential for network congestion There will alwaysbepointsinthenetworkwheremultipletrafficstreamsmergeorwhere network links will change speed and capacity The impactand numberofthese congestion points will increase over time as more applications and devices are added to the network When not if network congestion occurs it is important to...

Page 277: ... type s Forward with 802 1p priority Downstream Switch Tagged VLANs on at least some inbound ports Traffic arrives with the priority set in the VLAN tag Carry priority downstream on tagged VLANs Downstream Switch Tagged VLANs on inbound and outbound ports Traffic arrives with priority set by edge switch Forward with 802 1p priority Set Priority Honor Priority Change Priority Figure 8 1 Example of ...

Page 278: ...or lower priority regardless of current network bandwidth or the relative priority setting of the traffic when it is received on the switch Change upgrade or downgrade the priority of outbound traffic Override illegal packetprioritiessetbyupstreamdevicesorapplications that use 802 1Q VLAN tagging with 802 1p priority tags Avoid or delay the need to add higher cost NICs network interface cards to i...

Page 279: ...es some codepoints are configured with default 802 1p priority settings for Assured Forwarding and Expedited Forwarding In the default QoS configuration for the 3400cl 6400cl switches one codepoint 101110 is set for Expedited Forwarding All other codepoints are unused and listed with No override for a priority DSCP policy A DSCP configured with a specific 802 1p priority 0 7 Default No override Us...

Page 280: ...and a five bit low order Type of Service field Later implementations may use this byte as a six bit high order Differentiated Services field and a two bit low order reserved field See also IP precedence bits and DSCP elsewhere in this table A device linked directly or indirectly to an inbound switch port That is the switch receives traffic from upstream devices Overview QoS settings operate on two...

Page 281: ...l can carry an 802 1p priority that can be usedbydownstreamdeviceshavingmoreorlessthanthefourpriority levels in the switches covered by this guide Also if the packet enters the switch with an 802 1p priority setting QoS can override this setting if configured with an 802 1p priority rule to do so Not e s If your network uses only one VLAN and therefore does not require VLAN tagged ports you can st...

Page 282: ...if the packet is in a VLAN tagged environment then the above setting is also added to the packet as an 802 1p priority for use by downstream devices and applications shown in table 8 3 In either case an IP packet can also carry a priority policy to downstream devices by using DSCP marking in the ToS byte Table 8 3 Mapping Series 5300XL and 3400cl 6400cl QoS Priority Settings to Device Queues Prior...

Page 283: ...stination or source IP address 3 IP Type of Service ToS field IP packets only 4 Protocol Priority IP IPX ARP DEC LAT AppleTalk SNA and NetBeui 5 VLAN Priority 6 Incoming source port on the switch 7 lowest Incoming 802 1p Priority present in tagged VLAN environments Where multiple classifier types are configured a 5300xl switch uses the highest to lowest search order shown in table 8 4 to identify ...

Page 284: ...ach one in turn to the packet and concludes with the QoS policy for the highest precedence classi fier Note that if the highest precedence classifier is configured to apply a DSCP policy then both the DSCP in the packet and the 802 1p priority applied to the packet can be changed However if the highest precedence classifier is configured to apply an 802 1p priority rule only the 802 1p priority in...

Page 285: ... QoS configuration this packet takes precedence over another packet that has the matching IP address as a source address This can occur for example on an outbound port in a switch mesh environment Also if the source and destination IP addresses SA and DA in the same packet match for different QoS policies the DA takes precedence Default state No IP address prioritization If a packet does not meet ...

Page 286: ... that is the port on which the packet entered the switch If a packet does not meet the criteria for source port priority then precedence defaults to Incoming 802 1p criteria below 7 Incoming Where a VLAN tagged packet enters the switch through a port that is a tagged member of that 802 1p VLAN if QoS is not configured to override the packet s priority setting the switch uses the Priority packet s ...

Page 287: ...ion Also to use a service policy in this manner the downstream devices must be configured to interpret and use the DSCP carried in the IP packets 2 This priority corresponds to the 802 1p priority scheme and is used to determine the packet s port queue priority When used in a VLAN tagged environment this priority is also assigned as the 802 1p priority carried outbound in packets having an 802 1Q ...

Page 288: ...iorities Prioritize traffic by sending specific packet types determined by QoS classifier to different outbound port queues on the switch Propagate a service policy by reconfiguring the DSCP in outbound IP packets according to packet type The packet is placed in an outbound port queue according to the 802 1p priority configured for that DSCP policy The policy assumes that downstream devices can be...

Page 289: ...at some point the switch would not support further QoS ACL and or Rate Limiting configuration This section describes resource planning for QoS features on a 3400cl or 6400cl switch For ACL planning refer to chapter 10 AccessControlLists ACLs fortheSeries3400clandSeries6400clSwitches For information on Rate Limiting refer to the Rate Limiting section in the chapter titled Port Traffic Controls of t...

Page 290: ...er port ACL mask on all ports Table 8 10 describes rule resource use for each QoS classifier type Table 8 10 QoS Rule Resource Usage QoS Classifier Port Application Rules Used TCP and UDP All Ports in the Switch 2 per TCP or UDP Application Device Priority 2 per IP Address ToS IP Precedence 8 ToS Diff Services 1 per Codepoint1 VLAN All Ports in the VLAN 1 per VLAN Source Port Specified Port s 1 pe...

Page 291: ...lticast protocol can either fully subscribe the 120 rules available on a given port or leave an insufficient number of rules available for configuring another QoS policy on the switch If there are not enough rules on the port to support another QoS policy you cannot configure an additional policy on that port Because most QoS features are applied to all ports having one or more ports with insuffic...

Page 292: ... the port If the port has insufficient rule resources to add the VLAN s QoS configuration The port is added to the VLAN The QoS classifiers configured on the VLAN are not added to the port which means that the port does not honor the QoS policies configured for the VLAN The switch generates this message in the Event Log cos Vlan 1 QoS not configured on all new ports Some QoS resources exceeded Tro...

Page 293: ...some policies to other devices Another alternative is to inspect the switch s existing QoS ACL and Rate Limiting configurations for unnecessary entries or inefficient applications that could be removed or revised to achieve the desired policies with less resource usage Tables 8 9 and 8 10 on page 8 16 or the information displayed by the qos resources help command can help you to determine the reso...

Page 294: ... use only ten rules for implementing the five device priority QoS instances Figure 8 4 Example of QoS Resource Usage with Device Priority and VLAN QoS Implemented Table 8 11 Per P ort Resource Usage in Figure 8 4 Port Five QoS Device Priorities VLAN 111 VLAN 222 Rules Usage Yes Yes Yes 2 rules per device priority QoS instance 10 rules 1 rule 1 rule 1 rule per VLAN QoS instance Yes Yes Yes 2 rules ...

Page 295: ...ap and in this case uses three rules one for each codepoint invoked in the switch s current DSCP configuration 101110 the default 001111 and 001010 Adding another Diff Services assignment such as assign ing inbound packets with a codepoint of 000111 to the Expedited Forwarding policy 101110 would use one more rule on all ports Figure 8 5 Example of Rule Resources in the Default Configuration Assig...

Page 296: ...abled page 8 57 Not e In addition to the information in this section on the various QoS classifiers refer to QoS Operating Notes and Restrictions on page 8 70 Viewing the QoS Configuration All of these commands are available on the 5300xl switches All except the protocol priority command are available on the 3400cl 6400cl switches Exam ples of the show qos output are included with the example for ...

Page 297: ...LAN ID and source port show outputs automatically list No override for priority options that have not been config ured This means that if you do not configure a priority for a specific option QoS does not prioritize packets to which that option applies resulting in the No override state In this case IP packets received through a VLAN tagged port receive whatever 802 1p priority they carry in the 8...

Page 298: ...resupportedonlyforIPv4packetsonly Formore information on packet type restrictions refer to Details of Packet Criteria and Restrictions for QoS Support on page 8 70 Options for Assigning Priority Priority control options for TCP or UDP packets carrying a specified TCP or UDP port number include 802 1p priority DSCP policy Assigning a new DSCP and an associated 802 1p priority inbound packets must b...

Page 299: ...d port it carries the 802 1p priority with it to the next downstream device Default Disabled Note On 3400cl 6400cl switches this feature is not supported for IPv4 packets with IP options For more information on packet type restrictions refer to table 8 15 on page 8 70 no qos udp port tcp port tcp udp port number Deletes the specified UDP or TCP port number as a QoS classifier show qos tcp udp port...

Page 300: ...r UDP Port Number Not e The Series 5300xl switches do not support DSCP policies on IPv4 packets with IP options The 3400cl 6400cl switches do not support TCP UDP QoS policies on packets with IP options For more information on packet type restrictions refer to Details of Packet Criteria and Restrictions for QoS Support on page 8 70 This option assigns a previously configured DSCP policy codepoint a...

Page 301: ...for assigning a DSCP policy 2 Determine the DSCP policy for packets carrying the selected TCP or UDP port number a Determine the DSCP you want to assign to the selected packets This codepoint will be used to overwrite re mark the DSCP carried in packets received from upstream devices b Determine the 802 1p priority you want to assign to the DSCP 3 Configure the DSCP policy by using qos dscp map to...

Page 302: ... Default No override for most codepoints See table 8 14 on page 8 63 Syntax qos udp port tcp port tcp or udp port number dscp codepoint Assigns a DSCP policy to outbound packets having the specified TCP or UDP application port number and overwrites the DSCP in these packets with the assigned codepoint value This policy includes an 802 1p pri ority and determines the packet s queue in the out bound...

Page 303: ...914 TCP 000010 1 1001 UDP 000010 1 1 Determine whether the DSCPs already have priority assignments which could indicate use by existing applications Also a DSCP must have a priority configured before you can assign any QoS classifiers to use it The DSCPs for this example have not yet been assigned an 802 1p priority level Figure 8 9 Display the Current DSCP Map Configuration 2 Configure the DSCP p...

Page 304: ...e selected packets with the new DSCPs specified in the above policies Assign the 802 1p priorities in the above policies to the selected packets QoS IP Device Priority QoS Classifier Precedence 2 The IP device option which applies only to IPv4 packets enables you to use up to the following IP address limits source or destination as QoS classifiers 5300xl Switches 256 IP addresses 3400cl 6400cl Swi...

Page 305: ... to Classifiers for Prioritizing Outbound Packets on page 8 9 For a given IP address you can use only one of the above options at a time However for different IP addresses you can use different options Assigning a Priority Based on IP Address This option assigns an 802 1p priority to all IPv4 packets having the specified IP address as either a source or destination If both match the priority for t...

Page 306: ...ot be applied to IPv4 packets having IP options For more information on packet criteria and restrictions refer to table 8 15 on page 8 70 This option assigns a previously configured DSCP policy codepoint and 802 1p priority to outbound IP packets having the specified IP address either source or destination That is the switch 1 Selects an incoming IPv4 packet on the basis of the source or destinati...

Page 307: ... Services Codepoint DSCP Mapping on page 8 62 Not e s A codepoint must have an 802 1p priority assignment 0 7 before you can configure a policy for prioritizing packets by IP address If a codepoint you want to use shows No override in the Priority column of the DSCP map show qos dscp map then you must assign a 0 7 priority before proceeding On 5300xl switches DSCP policies cannot be applied to IPv...

Page 308: ... show qos device priority Displays a listing of all QoS Device Priority classifiers currently in the running config file Forexample supposeyouwantedtoassigntheseDSCPpoliciestothepackets identified by the indicated IP addresses IP Address DSCP Policies DSCP Priority 10 28 31 1 000111 7 10 28 31 130 000101 5 10 28 31 100 000010 1 10 28 31 101 000010 1 1 Determine whether the DSCPs already have prior...

Page 309: ... DSCP policies to the selected device IP addresses and display the result Figure 8 15 The Completed Device Priority Codepoint Configuration The switch will now apply the DSCP policies in figure 8 14 to IPv4 packets received on the switch with the specified IP addresses source or destination This means the switch will Overwrite the original DSCPs in the selected packets with the new DSCPs specified...

Page 310: ...is of its codepoint and assigns a new codepoint and corresponding 802 1p priority Use the qos dscp map command to specify a priority for any codepoint page 8 62 Assign an 802 1p Priority This option reads the DSCP of an incoming IPv4 packet and without changing this codepoint assigns the 802 1p priority to the packet as configured in the DSCP Policy Table page 8 62 This means that a priority value...

Page 311: ...ity determines the packet s queue in the outbound port to which it is sent If the packet leaves the switch on a tagged port it carries the 802 1p priority with it to the next downstream device ToS IP Precedence Default Disabled no qos type of service Disables all ToS classifier operation including prioritiza tion using the precedence bits show qos type of service When ip precedence is enabled or i...

Page 312: ...ks all packets received on port A5 with a particular DSCP you can configure a downstream interior switch B to handle such packets with the desired priority regardless of whether 802 1Q tagged VLANs are in use LAN A5 Edge Switch A LAN Interior Switch B Work Group Work Group Marked Traffic from port A5 on Edge Switch A Other Traffic Figure 8 17 Interior Switch B Honors the Policy Established in Edge...

Page 313: ...oints configured with No override are not used The codepoint is not configured for a new DSCP policy assignment Thus the switch does not allow the same incoming codepoint DSCP to be used simultaneously for directly assigning an 802 1p priority and also assign ing a DSCP policy For a given incoming codepoint if you configure one option and then the other the second overwrites the first To use this ...

Page 314: ...st disable or redirect the other diffserv codepoint s DSCP policy before you can disable or change the codepoint For example in figure 8 18 you cannot change the priority for the 000000 codepoint until you redirect the DSCP policy for 000001 away from using 000000 as a policy Refer to Note On Changing a Priority Setting on page 8 65 Refer also to Differentiated Services Codepoint DSCP Mapping on p...

Page 315: ...g an 802 1p priority without changing the packet s DSCP Note All codepoints without a DSCP Policy entry are availablefordirect802 1ppriority assignment Figure 8 18 Example Showing Codepoints Available for Direct 802 1p Priority Assignments Notice that codepoints 000000 and 001001 are named as DSCP policies by other codepoints 000001 and 000110 respectively This meansthey arenotavailableforchanging...

Page 316: ...rom an upstream or edge switch 2 Create a new policy by using qos dscp map codepoint priority 0 7 to configure an 802 1p priority for the codepoint you will use to overwrite the DSCP the packet carries from upstream For more on this topic refer to Differentiated Services Codepoint DSCP Mapping on page 8 62 3 Use qos type of service diff services incoming DSCP dscp outgoing DSCP to change the polic...

Page 317: ...s the DSCP policy assigned to the codepoint and returns the codepoint to the 802 1p priority setting it had before the DSCP policy was assigned This will be either a value from 0 7 or No override Syntax show qos type of service Displays a listing of codepoints with any corresponding DSCP policy re assignments for outbound packets Also lists the 802 1p priority for each codepoint that does not have...

Page 318: ...lity of Service for Outbound Traffic The DSCPs for this example have not yet been assigned an 802 1p priority level Figure 8 20 Display the Current DSCP Map Configuration 2 Configure the policies in the DSCP table Figure 8 21 Example of Policies Configured with Optional Names in the DSCP Table 8 44 ...

Page 319: ...cies to the codepoints in the selected packet types The specified DSCP policies overwrite the original DSCPs on the selected packets and use the 802 1p priorities previously configured in the DSCP policies in step 2 Figure 8 22 Example of Policy Assignment to Outbound Packets on the Basis of the DSCP in the Packets Received from Upstream Devices 8 45 ...

Page 320: ...can configure the switch to assign a new codepoint to an IPv4 packet along with a corresponding 802 1p priority 0 7 To use this option in the simplest case you would a Configure a specific DSCP with a specific priority in an edge switch b Configure the switch to mark a specific type of inbound traffic with that DSCP and thus create a policy for that traffic type c Configure the internal switches i...

Page 321: ...d illustrates the diffserv bits and precedence bits in the ToS byte Note that the Precedence bits are a subset of the Differentiated Services bits Field Destination MAC Address Source MAC Address 802 1Q Field Type Version ToS Byte Packet FF FF FF FF FF FF 08 00 09 00 00 16 08 00 45 E 0 Differentiated Services Codepoint Rsvd Precedence Bits 1 1 E 0 0 0 0 0 0 1 Figure 8 23 The ToS Codepoint and Prec...

Page 322: ...epending on the 802 1p priority used the packet will leave the switch through one of the following queues 1 2 low priority 0 3 normal priority 4 5 high priority 6 7 high priority If No override the default has been configured for a specified codepoint then the packet is not prioritized by ToS and by default is sent to the normal priority queue IPPacketSentOut Same as above plus the IP Prece Same a...

Page 323: ...he switch receives traffic carrying that protocol then this traffic is assigned the priority configured for this classifier For operation when other QoS classifiers apply to the same traffic refer to Classifiers for Prioritizing Outbound Packets on page 8 9 Syntax qos protocol ip ipx arp dec_lat appletalk sna netbeui priority 0 7 Configures an 802 1p priority for outbound packets having the specif...

Page 324: ...on 2 Disable the QoS IP protocol classifier downgrade the ARP priority to 4 and again display the QoS protocol configuration Figure 8 24 shows the command sequence and displays for the above steps Configures IP Appletalk and ARP as QoS classifiers Displays the result of the above commands Removes IP as a QoS classifier Changes the priority of the ARP QoS classifier Displays the result of these cha...

Page 325: ...carry ing a specified VLAN ID include 802 1p priority DSCP policy Assigning a new DSCP and an associated 802 1p priority inbound packets must be IPv4 For operation when other QoS classifiers apply to the same traffic refer to Classifiers for Prioritizing Outbound Packets on page 8 9 Not e QoS with VID priority applies to static VLANs only and applying QoS to dynamic VLANs created by GVRP operation...

Page 326: ...it to the next downstream device You can configure one QoS classifier for each VLAN ID Default No override Syntax no vlan vid qos Removes the specified VLAN ID as a QoS classifier and resets the priority for that VLAN to No override Syntax show qos vlan priority Displays a listing of the QoS VLAN ID classifiers currently in the running config file with their priority data 1 For example suppose tha...

Page 327: ...Returning a QoS Prioritized VLAN to No override Status Assigning a DSCP Policy Based on VLAN ID VID This option assigns a previously configured DSCP policy codepoint and 802 1p priority to outbound IP packets having the specified VLAN ID VID That is the switch 1 Selects an incoming IP packet on the basis of the VLAN ID it carries 2 Overwrites the packet s DSCP with the DSCP configured in the switc...

Page 328: ... in this section and to Differentiated Services Codepoint DSCP Mapping on page 8 62 Not e A codepoint must have an 802 1p priority 0 7 before you can configure the codepoint for use in prioritizing packets by VLAN ID If a codepoint you want to use shows No override in the Priority column of the DSCP Policy table show qos dscp map then assign a priority before proceeding 4 Configure the switch to a...

Page 329: ...r the specified VLAN Syntax show qos device priority Displays a listing of all QoS VLAN ID classifiers cur rently in the running config file For example suppose you wanted to assign this set of priorities VLAN ID DSCP Priority 40 000111 7 30 000101 5 20 000010 1 1 000010 1 1 Determine whether the DSCPs already have priority assignments which could indicate use by existing applications This is not ...

Page 330: ...d DSCPs 3 Assign the DSCP policies to the selected VIDs and display the result Figure 8 30 The Completed VID DSCP Priority Configuration The switch will now apply the DSCP policies in figure 8 30 to packets received on the switch with the specified VLAN IDs This means the switch will Overwrite the original DSCPs in the selected packets with the new DSCPs specified in the above policies Assign the ...

Page 331: ...US Server You can use a RADIUS server to impose a QoS source port priority during an 802 1X port access authentication session Refer to the RADIUS chapter in the Access Security Guide for your switch January 2005 or later Assigning a Priority Based on Source Port This option assigns a priority to all outbound packets having the specified source port You can configure this option by either specifyi...

Page 332: ...ity for the specified source port s to No override Syntax show qos port priority Lists the QoS port priority classifiers with their priority data For example suppose that you want to prioritize inbound traffic on the following source ports Source Port Priority A1 A3 2 A4 3 B1 B4 5 C1 C3 6 You would then execute the following commands to prioritize traffic received on the above ports Figure 8 31 Co...

Page 333: ... DSCP configured in the switch for such packets 3 Assigns the 802 1p priority configured in the switch for the new DSCP Refer to Differentiated Services Codepoint DSCP Mapping on page 8 62 4 Forwards the packet through the appropriate outbound port queue 3400cl 6400cl Switch Restriction On the 3400cl 6400cl switches mix ing ToS DSCP policies and 802 1p priorities is not recommended Refer to the No...

Page 334: ...rt Syntax qos dscp map codepoint priority 0 7 This command is optional if a priority has already been assigned to the codepoint The command creates a DSCP policy by assigning an 802 1p priority to a specific DSCP When the switch applies this priority to a packet the priority determines the packet s queue in the outbound port to which it is sent If the packet leaves the switch on a tagged port it c...

Page 335: ...ions This is not a problem as long as the configured priorities are acceptable for all applications using the same DSCP Refer to the Note On Changing a Priority Setting on page 8 65 Also a DSCP must have a priority configured before you can assign any QoS classifiers to use it The DSCPs for this example have not yet been assigned an 802 1p priority level Figure 8 33 Display the Current Configurati...

Page 336: ...on Refer to the RADIUS chapter in the Access Security Guide for your switch January 2005 or later Differentiated Services Codepoint DSCP Mapping The DSCP Policy Table associates an 802 1p priority with a specific ToS byte codepoint in an IPv4 packet This enables you to set a LAN policy that operates independently of 802 1Q VLAN tagging In the default state most of the 64 codepoints do not assign a...

Page 337: ...ide No override No override No override No override No override 1 No override 1 No override 2 No override No override No override 0 No override 0 No override 010110 010111 011000 011001 011010 011011 011100 011101 011110 011111 100000 100001 100010 100011 100100 100101 100110 100111 101000 101001 101010 3 No override No override No override 4 No override 4 No override 5 No override No override No ...

Page 338: ...ype of Service to be in diff services mode Quickly Listing Non Default Codepoint Settings Table 8 14 lists the switch s default codepoint priority settings If you change the priority of any codepoint setting to a non default value and then execute write memory the switch will list the non default setting in the show config display For example in the default configuration the following codepoint se...

Page 339: ...a VLAN None Note On Changing a Priority Setting If a QoS classifier is using a policy codepoint and associated priority in the DSCP Policy table you must delete or change this usage before you can change the priority setting on the codepoint Otherwise the switch blocks the change and displays this message Cannot modify DSCP Policy codepoint in use by other qos rules In this case use show qos class...

Page 340: ... codepoint policy or leave them as they were after step 2 above Example of Changing the Priority Setting on a Policy When One or More Classifiers Are Currently Using the Policy Suppose that codepoint 000001 is in use by one or more classifiers If you try to change its priority you see a result similar to the following Figure 8 37 Example of Trying To Change the Priority on a Policy In Use by a Cla...

Page 341: ...sifiers To Configure Quality of Service for Outbound Traffic Threeclassifiersuse the codepoint that is to be changed Two classifiers do not usethecodepointthat is to be changed Figure 8 38 Example of a Search to Identify Classifiers Using a Codepoint You Want To Change 8 67 ...

Page 342: ...nt for the device priority classifier That is assign it to No override b Create a new DSCP policy to use for re assigning the remaining classifiers c Assign the port priority classifier to the new DSCP policy d Assign the udp port 1260 classifier to an 802 1p priority 3 Reconfigure the desired priority for the 000001 codepoint HPswitch config qos dscp map 000001 priority 4 4 You could now re assig...

Page 343: ... packet is serviced by the high priority queue when leaving the switch IGMP High Priority QoSConfiguration Affects Packet Switch Port Output Queue Outbound 802 1p Setting Requires Tagged VLAN Not Enabled Yes Determined by QoS Determined by QoS Enabled See above para High As determined by QoS if QoS is graph active QoS Messages in the CLI Message Meaning DSCP Policy decimal codepoint not You have a...

Page 344: ... is an optional extra field in the header of an IP packet If a 3400cl or 6400cl switch is configured with a UDP TCPclassifierandapacketwithanIPoptionisreceived theswitchusesthenext highestclassifierthatisconfigured and applicable to actually match and classify the packet 2All Switches For explicit QoS support of IPv6 packets force IPv6 traffic into its own set of VLANs and then configure VLAN base...

Page 345: ...tries EachTCP UDPportQoSconfiguration uses four entries All other classifier configurations use one entry each Series3400cl and Series 6400cl All 120 Configuring device IP address or TCP UDP QoS entries reduces this maximum See the Notes column Attempting to exceed the above limits generates the following message in the CLI Unable to add this QoS rule Maximum number entry already reached 5300xl On...

Page 346: ...es Not Supported Useofaninbound802 1ppacketpriority as a classifier for remapping a packet s outbound priority to different 802 1p priority For example where inbound packets carry an 802 1p priority of 1 QoS cannot be configured use this priority as a classifier for changing the outbound priority to 0 8 72 ...

Page 347: ...lanning an ACL Application 9 16 Traffic Management and Improved Network Performance 9 16 Security 9 17 Guidelines for Planning the Structure of an ACL 9 18 ACL Configuration and Operating Rules 9 18 How an ACE Uses a Mask To Screen Packets for Matches 9 20 What Is the Difference Between Network or Subnet Masks and the Masks Used with ACLs 9 20 Rules for Defining a Match Between a Packet and an Acc...

Page 348: ... and Assigning a Numbered Extended ACL 9 38 Configuring a Named ACL 9 44 Enabling or Disabling ACL Filtering on a VLAN 9 46 Deleting an ACL from the Switch 9 47 Displaying ACL Data 9 48 Display an ACL Summary 9 48 Display the Content of All ACLs on the Switch 9 49 Display the ACL Assignments for a VLAN 9 50 Displaying the Content of a Specific ACL 9 51 Display All ACLs and Their Assignments in the...

Page 349: ...tain TCP or UDP applications such as Telnet SSH web browser and SNMP for transactions between specific source and destination IP addresses Application Access Security Eliminates unwanted IP TCP or UDP traffic in a path by filtering packets where they enter or leave the switch on specific VLAN interfaces ACLs on the 5300xl switches can filter traffic to or from a host a group of hosts or entire sub...

Page 350: ...address mask 1 operator src port tcp udp id any host dest ip addr dest ip address mask 1 operator dest port tcp udp id log 2 Configuring Standard HPswitch config no ip access list standard name str 1 99 9 4 Named ACLs 4 HPswitch config std nacl deny permit any host src ip addr src ip address mask 1 log 2 Configuring Extended HPswitch config no ip access list extended name str 100 199 Named ACLs HP...

Page 351: ...a include Source IP address and mask standard and extended ACLs Destination IP address and mask extended ACLs only TCP or UDP application port numbers optional extended ACLs only Access Control List ACL A list or set consisting of one or more explicitly configured Access Control Entries ACEs and terminating with an implicit deny default which drops any packets that do not have a match with any exp...

Page 352: ...pe of Access Control List uses layer 3 IP criteria composed of source and destination IP addresses and optionally TCP or UDP port criteria to determine whether there is a match with an IP packet You can apply extended ACLs to either inbound or outbound routed traffic and to any inbound switched or routed traffic with a DA belonging to the switch itself Extended ACLs require an identification numbe...

Page 353: ... port on the same VLAN subnet that is traffic arriving on and leaving the switch on the same VLAN Refer also to ACL Inbound and Outbound Application Points on page 9 8 Permit An ACE configured with this action allows the switch to forward a routed packet for which there is a match within an applicable ACL SA The acronym for Source IP Address In an IP packet this is the source IP address carried in...

Page 354: ...f the following criteria Source and destination IP addresses TCP application criteria UDP application criteria Connection Rate ACL An optional feature used with Connection Rate fil tering based on virus throttling technology and available in 5300xl switches running software release E 09 xx or greater For more information refer to the chapter titled Virus Throttling in the Access Security Guide for...

Page 355: ...nters and leaves the switch in the same VLAN VLAN A 18 28 10 1 One Subnet VLAN C 18 28 40 1 18 28 30 1 Multiple Subnets VLAN B 18 28 20 1 One Subnet 5300XL Switch with IP Routing Enabled 18 28 10 5 18 28 20 99 18 28 30 33 18 28 40 17 Because of multinetting traffic routed from 18 28 40 17 to 18 28 30 33 remains in VLAN C This allowsyoutoapplyeither an inbound or an outboundACLtofilterthe same traf...

Page 356: ... has more entries than you can easily enter or edit using the CLI alone Refer to Editing ACLs and Creating an ACL Offline on page 9 53 General Steps for Planning and Configuring ACLs 1 Identify the traffic type to filter Options include Any routed IP traffic Routed TCP traffic only Routed UDP traffic only 2 The SA and or the DA of routed traffic you want to permit or deny 3 Determine the best poin...

Page 357: ...ound traffic assign the ACL to the statically configured VLAN on which the traffic exits from the switch The only excep tion to these rules is for an ACL configured to screen inbound traffic with a destination IP address on the switch In this case an ACL assigned to a VLAN screens traffic addressed to an IP address on the switch regardless of whether IP routing is also enabled ACLs do not screen o...

Page 358: ...y one inbound ACL and one outbound ACL to each static VLAN configured on the switch The complete range of options per VLAN includes No ACL assigned to a static VLAN In this case all traffic entering or leaving the switch on the VLAN does so without any ACL filtering which is the default One ACL assigned to filter either the inbound or the outbound traffic entering or leaving the switch on a static...

Page 359: ...CE and so on When a match is found the switch invokes the configured action for that entry permit or drop the packet and no further comparisons of the packet are made with the remaining ACEs in the ACL This means that when the switch finds an ACE whose criteria matches a packet it invokes the action configured for that ACE and any remaining ACEs in the ACL are ignored Because of this sequential pr...

Page 360: ...CE Is there a match No Yes End Perform action permit or deny 1 If a match is not found with the first ACE in an ACL the switchproceedstothenext ACE and so on 2 If a match with an explicit ACE is subsequently found the packet is either permit ted forwarded or denied dropped depending on the action specified in the matching ACE In this case the switch ignores all sub sequent ACEs in the ACL 3 If a m...

Page 361: ...t matching this criterion are compared to the next entry in the list 1 Permits IP traffic routed from source address 11 11 11 42 Packets matching this criterion are permitted and will not be compared to any later ACE in the list Packets not matching this criterion will be compared to the next entry in the list 4 Permits Telnet traffic routed from source address 11 11 11 33 Packets matching this cr...

Page 362: ...tries Planning an ACL Application Before creating and implementing ACLs you need to define the policies you want your ACLs to enforce and understand how your ACLs will impact your network users Traffic Management and Improved Network Performance You can use ACLs to block unnecessary traffic caused by individual hosts workgroups or subnets and to block user access to subnets devices and services An...

Page 363: ...ddress SA This can include Blocking access to or from subnets in your network Blocking access to or from the internet Blocking access to sensitive data storage or restricted equipment Preventing the use of specific TCP or UDP functions such as Telnet SSH web browser for unauthorized access You can also enhance switch management security by using ACLs to block bridged IP traffic that has the switch...

Page 364: ... an ACE allowing a small group of workstations to use a specialized printer should occur earlier in an ACL than an entry used to block widespread access to the same printer ACL Configuration and Operating Rules Routing Except for any IP traffic with a DA on the switch itself ACLs filter only routed traffic Thus if routing is not enabled on the switch there is no routed traffic for ACLs to filter T...

Page 365: ...cket filtering on an interface replaces any other ACL previously configured for the same purpose For example if you configured ACL 100 to filter inbound traffic on VLAN 20 but later you configured ACL 112 to filter inbound traffic on this same VLAN ACL 112 replaces ACL 100 as the ACL to use for filtering inbound traffic on VLAN 20 ACLs Operate On Static VLANs You can assign an ACL to any VLAN that...

Page 366: ... 252 195 255 255 255 0 first three octets The fourth octet 18 38 252 195 255 255 248 0 first two octets and the left The right most three bits of the most five bits of the third octet third octet and all bits in the fourth octet Thus the bits set to 1 in a network mask define the part of an IP address to use for the network number and the bits set to 0 in the mask define the part of the address to...

Page 367: ...of all zeros means the only match is an IP address identical to the host IP address specified in the ACL Depending on your network a single ACE that allows a match with more than one source or destination IP address may allow a match with multiple subnets For example in a network with a prefix of 31 30 240 and a subnet mask of 255 255 240 0 the left most 20 bits applying an ACL mask of 0 0 31 255 ...

Page 368: ...5 produces this policy in an ACL listing IP Address Mask 18 28 100 15 0 0 0 0 This policy states that every bit in every octet of a packet s SA must be the same as the corresponding bit in the SA defined in the ACE A group of IP addresses fits the matching criteria In this case you provide both the IP address and the mask For example access list 1 permit 18 28 32 1 0 0 0 31 IP Address Mask 18 28 3...

Page 369: ...l four octets of an IP address Example of Allowing Only One IP Address Host Option Sup pose for example that you have configured the ACL in figure 9 5 to filter inbound packets on VLAN 20 Because the mask is all zeros the ACE policy dictates that a match occurs only when the source IP address on such packets is identical to the IP address configured in the ACE ip access list standard Fileserver pe...

Page 370: ...ourbitsofthe second octet 18 32 47 0 255 0 255 In the second octet the rightmost four bits are wildcard bits See row D in table 9 4 below Table 9 4 Mask Effect on Selected Octets of the IP Addresses in Table 9 3 IP Octet Mask Octet 128 64 32 16 8 4 2 Addr Range A 0 all bits 252 1 1 1 1 1 1 0 0 B 7 last 3 bits 248 255 1 1 1 1 1 0 or 1 0 or 1 0 or 1 C 0 all bits 195 1 1 0 0 0 0 1 1 D 15 last 4 bits ...

Page 371: ...es and stores the ACL s in the switch configuration 2 Assign an ACL This applies the ACL to either the inbound or outbound traffic on a designated VLAN 3 Enable IP routing Except for instances where the switch is the destina tion assigned ACLs screen IP traffic only when routing is enabled on the switch Caution Regarding Source routing is enabled by default on the switch and can be used to overrid...

Page 372: ...age 9 16 ACL Configuration Structure After you enter an ACL command you may want to inspect the resulting configuration This is especially true where you are entering multiple ACEs into an ACL Also it will be helpful to understand the configuration structure when using later sections in this chapter The basic ACL structure includes three elements 1 List type and name This identifies the ACL as sta...

Page 373: ... IP addressing and an optional log command available with deny statements ip access list type id string permit host source ip address deny source ip address acl mask log permit any exit Figure 9 6 Example of the General Structure for a Standard ACL For example figure 9 7 shows how to interpret the entries in a standard ACL ACL List Heading with List Type and ID String Name or Number Mask ACE Actio...

Page 374: ...ation IP addressing Optional ACL log command ip access list type id string permit deny ip source ip address source acl mask destination ip address destination acl mask log permit deny tcp source ip address source acl mask operator port id destination ip address destination acl mask operator port id log permit deny udp source ip address source acl mask operator port id destination ip address destin...

Page 375: ...cifies all destination IP addresses Denies TCP Port 80 traffic to any destination from any source Figure 9 9 Example of a Displayed Extended ACL Configuration ACL Configuration Factors The Sequence of Entries in an ACL Is Significant When the switch uses an ACL to determine whether to permit or deny a packet on a particular VLAN it compares the packet to the criteria specified in the individual Ac...

Page 376: ...uted and packets from that device will not be compared against any later entries in the list 4 A packet from TCP source address 18 28 18 100 with a destination address of 18 28 237 1 will be permitted forwarded Since no earlier lines in the list have filtered TCP packets from 18 28 18 100 and destined for 18 28 237 1 the switch will use this line to evaluate such packets Any packets that meet this...

Page 377: ... You Can Assign an ACL Name or Number to a VLAN Even if the ACL Does Not Yet Exist in the Switch s Configuration In this case if you subsequently create an ACL with that name or number the switch automatically applies each ACE as soon as you enter it in the running config file Similarly if you modify an existing ACE in an ACL you already applied to a VLAN the switch automatically implements the ne...

Page 378: ...ect on filtering because the first instance preempts any subsequent duplicates For more information refer to Editing ACLs and Creating an ACL Offline on page 9 53 Using CIDR Notation To Enter the ACL Mask You can use CIDR Classless Inter Domain Routing notation to enter ACL masks The switch interprets the bits specified with CIDR notation as the IP address bits in an ACL and the corresponding IP a...

Page 379: ...ng to degrade network performance This gives you an opportunity to troubleshoot without sacrificing performance for users outside of the problem area You can configure up to 255 standard ACL assignments depending on how many extended ACL assignments are already configured The switch allows a maximum of 255 unique ACL identities standard and extended combined You can identify each standard ACL with...

Page 380: ...L on page 9 44 deny permit Specifies whether to deny drop or permit forward a packet that matches the ACE criteria any host src ip addr ip addr mask length any Performs the specified action on any IP packet Use this criterion to designate packets from any IP address host host ip address Performs the specified action on any IP packet having the host ip address as the source Use this criterion to de...

Page 381: ...is enabled on the switch Refer to Enable ACL Deny Logging on page 9 59 Use the debug command to direct ACL logging output to the current console session and or to a Syslog server Note that you must also use the logging ip addr command to specify the IP addresses of Syslog servers to which you want log messages sent See also Enable ACL Deny Logging on page 9 59 Syntax vlan vid ip access group ASCII...

Page 382: ... with an ACL assigned to a VLAN such as the one shown in this example IP routing must be enabled on the switch Otherwise no ACL filtering occurs ACL 50 is listed in the switch configuration ACL 50 is assigned to filter inbound traffic on VLAN 10 Show config lists any ACLs and ACL assignments configured in the startup config Figure 9 11 Example of Configuring a Standard ACL To Permit Only Traffic f...

Page 383: ...nd dropped The deny any with which the switch implicitly concludes all ACLs is preempted by this line Note To enable traffic filtering with an ACL assigned to a VLAN such as the one shown in this example IP routing must be enabled on the switch Otherwise no ACL filtering will occur ACL 60 is listed in the switch configuration ACL 60 is assigned to filter inbound traffic on VLAN 20 Show config list...

Page 384: ... UDP port if the IP protocol is TCP or UDP Destination TCP or UDP port if the IP protocol is TCP or UDP TCP or UDP comparison operator if the IP protocol is TCP or UDP You can configure up to 100 extended ACLs with a numeric name in the range of 100 199 You can also configure extended ACLs with alphanumeric names Refer to Configuring a Named ACL on page 9 44 The switch allows a maximum of 255 ACLs...

Page 385: ... ACL already exists this command adds a new explicit ACE to the end of the ACL For a match to occur the packet must have the source and destination IP addressing criteria specified by this command as well as any protocol specific TCP or UDP port number criteria specified by the command To create a named ACL refer to Configuring a Named ACL on page 9 44 100 199 Specifies the ACL ID number The switc...

Page 386: ... can be in either dotted decimal format or CIDR format with the number of significant bits Refer to Using CIDR Notation To Enter the ACL Mask on page 9 32 The mask is applied to the IP address in the ACL to define which bits in a packet s source IP address must exactly match the IP address configured in the ACL and which bits need not match Note that specifying a group of contiguous IP addresses m...

Page 387: ...e range start port nbr end port nbr Port Number or Well Known Port Name Use the TCP or UDP port number required by your application The switch also accepts these well known TCP or UDP port names as an alternative to their corresponding port numbers TCP bgp dns ftp http imap4 ldap nntp pop2 pop3 smtp ssl telnet UDP bootpc dns ntp radius radius old rip snmp snmp trap tftp To list the above names pre...

Page 388: ...med ACL on page 9 44 Example of an Extended ACL Suppose that you want to implement these policies on a Series 5300XL switch configured for IP routing and membership in VLANs 10 20 and 30 A Permit Telnet traffic from 10 10 10 44 to 10 10 20 78 deny all other IP traffic from network 10 10 10 0 VLAN 10 to 10 10 20 0 VLAN 20 and permit all other IP traffic from any source to any destination See A in f...

Page 389: ...ng an ACL A Refer to figure 9 13 above B Refer to figure 9 13 above Enabling ip routing activates ACL operation on routed traffic Executing write memory saves the configuration changes to the startup config file Figure 9 14 Example of Configuration Commands for an Extended ACL 9 43 ...

Page 390: ...dr ip addr mask length oper dest port tcp udp id log These commands create an ACE in the named ACL list and Indicate the action deny or permit to take on a packet if there is a match between a packet and the criteria in the complete ACE Specify the packet protocol type IP TCP or UDP and if TCP or UDP the comparison operator Specify the source and destination addressing options required for a match...

Page 391: ... ACLs For explanations of the individual parameters in the preceding syntax statements refer to the syntax descriptions under Configuring and Assigning a Numbered Standard ACL on page 9 33 or Configuring and Assigning a Numbered Extended ACL on page 9 38 For example figure 9 15 shows the commands for creating an ACL in the Named ACL context with these parameters ACL Name Action Protocol SourceIP A...

Page 392: ...erating rules refer to ACL Configuration and Operating Rules on page 9 18 Syntax no vlan vid ip access group ascii string in out where ascii string either a ACL name or an ACL ID number Assigns an ACL to a VLAN You can use either the global configuration level or the VLAN context level to assign an ACL to a VLAN or remove an ACL from a VLAN Note The switch allows you to assign a nonexistent ACL na...

Page 393: ... VLAN Context Figure 9 16 Methods for Enabling and Disabling ACLs Deleting an ACL from the Switch Syntax no ip access list standard name str 1 99 no ip access list extended name str 100 199 Removes the specified ACL from the switch s running config file Note Deleting an ACL does not delete any assignment of that ACL to a specific VLAN If you need to delete an ACL assignment refer to Enabling or Di...

Page 394: ...show running includes configured ACLs and assignments existing in the running config file Display an ACL Summary This command lists the configured ACLs regardless of whether they are assigned to any VLANs Syntax show access list List a summary table of the name type and application status of all ACLs configured on the switch For example In this switch ACLs 105 and Red VLAN Inbound exist in the con...

Page 395: ...d syntax for all ACLs currently configured on the switch Note Notice that you can use the output from this command for input to an offline text file in which you can edit add or delete ACL commands Refer to Editing ACLs and Creating an ACL Offline on page 9 53 Thisinformationalsoappearsintheshowrunningdisplay Ifyouexecutedwrite memory after configuring an ACL it appears in the show config display ...

Page 396: ...ACLs assigned to a VLAN in the running config file Note Thisinformationalsoappearsintheshowrunningdisplay Ifyouexecutedwrite memory after configuring an ACL it appears in the show config display For example if you assigned a standard ACL with an ACL ID of 1 to filter inbound traffic on VLAN 10 you could quickly verify this assignment as follows Indicates that A standard ACL with the ID of 1 is ass...

Page 397: ...g display Syntax show access list acl id Display detailed information on the content of a specific ACL configured in the running config file For example suppose you configured the following two ACLs in the switch ACL ID ACL Type Desired Action 1 Standard Deny IP traffic from 18 28 236 77 and 18 29 140 107 Permit IP traffic from all other sources 105 Extended Permit any TCP traffic from 18 30 133 2...

Page 398: ...he Access Control Entry ACE in the specified ACL action Permit forward or deny drop a packet when it is compared to the criteria in the applicable ACE and found to match IP In Standard ACLs The source IP address to which the configured mask is applied to determine whether there is a match with a packet In Extended ACLs The source and destination IP addresses to which the corresponding configured m...

Page 399: ...n ACL offline then use a TFTP server to upload the ACL as a command file The offline method page 9 56 provides a useful alternative to using the CLI for creating or editing large ACLs Using the CLI To Edit ACLs The switch applies individual ACEs in the order in which they occur in an ACL You can use the CLI to delete individual ACEs from anywhere in an ACL and to append new ACEs to the end of an A...

Page 400: ... a new ACL the switch inserts it as the last ACL in the startup config file Executing write memory saves the running config file to the startup config file Deleting Any ACE from an ACL You can delete an ACE from an ACL by repeating the ACE s entry command preceded by the no statement Syntax no access list acl id permit deny any host ip addr mask length Deletes an ACE from a standard ACL All variab...

Page 401: ...tes an ACE in ACL 22 Removes the same ACE fromACL22 regardlessof the ACE s position in the ACL Figure 9 21 Example of Deleting an ACE from a Standard ACL Figure 9 22 shows an example of deleting an ACE from an extended ACL Use no access list to remove this line from ACL 103 ACL 103 Before Removing the Second deny ACE ACL 103 After Removing the Second deny ACE Figure 9 22 Example of Deleting an ACE...

Page 402: ...download the file as a list of commands to the switch Creating an ACL Offline Use a text editor that allows you to create an ASCII text file txt If you are replacing an ACL on the switch with a new ACL that uses the same number or name syntax begin the command file with a no command to remove the earlier version of the ACL from the switch s running config file Otherwise the switch will append the ...

Page 403: ... 10 10 20 40 Allow any access to the server from all other addresses on VLAN 20 Permit internet access to these two IP address on VLAN 20 but deny access to all other addresses on VLAN 20 without ACL logging 10 10 20 98 10 10 20 21 Deny all other traffic from VLAN 20 to VLAN 10 Deny all traffic from VLAN 30 10 10 30 0 to the server at 10 10 10 100 on VLAN 10 without ACL logging but allow any other...

Page 404: ... Commentsarenot saved in the switch configuration Blank lines in the file cause breaks in the displayed line numberingsequence when you copy the command file to the switch Thisisnormal operation See figure 9 25 Figure 9 24 Example of a txt File Designed for Creating an ACL 2 After you copy the above txt file to a TFTP server the switch can access you would then execute the following command Figure...

Page 405: ...explicit deny action You can use ACL logging to help Test your network to ensure that your ACL configuration is detecting and denying the traffic you do not want forwarded Receive notification when the switch detects attempts to transmit traffic you have designed your ACLs to reject The switch sends ACL messages to Syslog and optionally to the current console Telnet or SSH session You can configur...

Page 406: ...cludes the information illustrated in figure 9 26 Mar 1 10 04 45 18 28 227 101 ACL ACL 03 01 03 10 04 45 denied tcp 13 28 227 3 1025 VLAN 227 10 10 20 2 23 1 packets Indicates the VLAN on which the ACL is assigned the packet s destination IP address the destination TCP or UDP port number 0 if the protocol is IP or you do not specify a port Begins the actual message generated by the ACL itself and ...

Page 407: ... from IP address 18 38 100 127 on VLAN 100 Configure the switch to send an ACL log message to the console and to a Syslog server at IP address 18 38 110 54 on VLAN 110 if the switch detects a match denying Telnet access from 18 38 100 127 This example assumes that IP routing is already configured on the switch VLAN 110 18 38 110 1 Subnet 110 18 38 110 54 VLAN 100 18 38 100 1 18 38 100 127 Subnet 1...

Page 408: ...bles you to selectively test specific devices or groups However excessive logging can affect switch performance For this reason HP recommends that you remove the logging option from ACEs for which you do not have a present need Also avoid config uring logging where it does not serve an immediate purpose Note that ACL logging is not designed to function as an accounting method See also Apparent Fai...

Page 409: ... Adding To an Active ACL Policy If you assign an ACL to a VLAN and subsequently add or replace ACEs in that ACL each new ACE becomes active when you enter it Note When an ACEbecomesactive itscreensthepacketsresulting fromnewtraffic connections It does not screen packets resulting from currently open traffic connections If you invoke a new ACE to screen packets in a currently open traffic connectio...

Page 410: ...Access Control Lists ACLs for the Series 5300xl Switches General ACL Operating Notes This page is intentionally unused 9 64 ...

Page 411: ...tizing and Monitoring ACL IGMP QoS and Rate Limiting Feature Usage 10 17 ACL Resource Usage and Monitoring 10 17 Standard ACLs 10 18 Extended ACLs 10 18 Managing ACL Resource Consumption 10 20 Oversubscribing Available Resources 10 20 Troubleshooting a Shortage of Per Port Resources 10 21 Example of ACL Resource Usage 10 23 Viewing the Current Per Port Rule and Mask Usage 10 23 Traffic Management ...

Page 412: ...nabling or Disabling ACL Filtering on an Interface 10 57 Deleting an ACL from the Switch 10 58 Displaying ACL Data 10 58 Display an ACL Summary 10 59 Display the Content of All ACLs on the Switch 10 59 Display the ACL Assignments for an Interface 10 60 Displaying the Content of a Specific ACL 10 61 Displaying the Current Per Port ACL Resources 10 63 Display All ACLs and Their Assignments in the Sw...

Page 413: ... ACLsatthe edgeofthe networkorsubnetremovesunwanted traffic as soon as possible and thus helps to improve system performance ACLs on the 3400cl 6400cl switches filter inbound traffic only and can rapidly consumeswitchresources Also ACLs QoS andRate Limitingsharethesame per port mask resources on these switches For these reasons the best places to apply ACLs on the 3400cl 6400cl switches are in edg...

Page 414: ...0cl and Series 6400cl switches and how to monitor the results of ACL actions Notes Unlike the HP ProCurve Series 5300xl switches it is not necessary to enable routing on 3400cl 6400cl switches to support ACL operation ACLs can enhance network security by blocking selected IP traffic and can serve as one aspect of maintaining network security However because ACLs do not provide user or device authe...

Page 415: ... host src ip addr src ip address mask 1 log 2 Configuring Extended HPswitch config no ip access list extended name str 100 199 10 54 Named ACLs HPswitch config std nacl deny permit ip 10 54 any host src ip addr src ip address mask 1 any host dest ip addr dest ip address mask 1 log 2 HPswitch config std nacl deny permit tcp udp 10 54 any host src ip addr src ip address mask 1 eq tcp udp port well k...

Page 416: ...a packet if it meets the criteria The elements composing the criteria include Source IP address and mask standard and extended ACLs Destination IP address and mask extended ACLs only TCP or UDP application port numbers optional extended ACLs only Access Control List ACL A list or set consisting of one or more explicitly configured Access Control Entries ACEs and terminating with an implicit deny d...

Page 417: ...ACE See also SA Deny An ACE configured with this action causes the switch to drop an inbound packet for which there is a match within an applicable ACL As an option you can configure the switch to generate a logging output to a Syslog server and a console session Extended ACL This type of Access Control List uses layer 3 IP criteria composed of source and destination IP addresses and optionally TC...

Page 418: ...utbound traffic or internally where routed traffic moves between VLANs That is ACL operation is not affected by enabling or disabling routing on the switch Refer also to ACL Inbound Application Points on page 10 9 Permit An ACE configured with this action allows a port or trunk to permit an inbound packet for which there is a match within an applicable ACL Per Port Mask An internally applied templ...

Page 419: ...ly control a performance problem by limiting traffic from a subnet group of devices or a single device This can block all inbound IP traffic from the configured source but does not block traffic from other sources within the network This ACL type uses a numeric ID of 1 through 99 or an alphanumeric ID string You can specify a single host a finite group of hosts or any host Extended ACL Use extende...

Page 420: ...st configured on port 3 The subnet mask for this example is 255 255 255 0 Port 1 Port 2 Figure 10 2 Example of Filter Applications Features Common to All ACLs On any port or static trunk you can apply one ACL to inbound traffic Any ACL can have multiple entries ACEs You can apply any one ACL to multiple ports and trunks A source or destination IP address and a mask together can define a single hos...

Page 421: ...re you are using explicit deny ACEs you can optionally use the ACL logging feature to help verify that the switch is denying unwanted packets where intended Remember that excessive ACL logging activity can degrade the switch s performance Refer to Enable ACL Deny Logging on page 10 71 5 Create the ACLs in the selected switches 6 Assign the ACLs to filter the inbound traffic on ports and or static ...

Page 422: ...age 10 9 Switched or routed traffic entering the switch and having an IP address on the switch as the destination You can apply one inbound ACL to each port and static trunk configured on the switch The complete range of options per interface includes No ACL assigned In this case all traffic entering the switch on the interface does so without any ACL filtering which is the default One ACL assigne...

Page 423: ...t If there is not a match it tries the second ACE and so on When a match is found the switch invokes the configured action for that entry permit or drop the packet and no further comparisons of the packet are made with the remaining ACEs in the ACL This means that when the switch finds an ACE whose criteria matches a packet it invokes the action configured for that ACE and any remaining ACEs in th...

Page 424: ...th ACE Is there a match No Yes End Perform action permit or deny 1 If a match is not found with the first ACE in an ACL the switchproceedstothenext ACE and so on 2 If a match with an explicit ACE is subsequently found the packet is either permit ted forwarded or denied dropped depending on the action specified in the matching ACE In this case the switch ignores all sub sequent ACEs in the ACL 3 If...

Page 425: ...kets not matching this criterion are compared to the next entry in the list 1 Permits IP traffic inbound from source address 11 11 11 42 Packets matching this criterion are permitted and will not be compared to any later ACE in the list Packets not matching this criterion will be compared to the next entry in the list 4 Permits Telnet traffic from source address 11 11 11 33 Packets matching this c...

Page 426: ...any any Planning an ACL Application on a Series 3400cl or Series 6400cl Switch Before creating and implementing ACLs you should understand the Series 3400cl and Series 6400cl switch resources available per port to support ACL operation define the policies you want your ACLs to enforce and understand how your ACLs will impact your network users Switch Resource Usage ACLs IGMP QoS and Rate Limiting ...

Page 427: ...VLAN This means that in most cases a QoS config uration applies to multiple ports while an ACL configuration applies only to specifically designated ports Adding ACLs consumes per port ACL mask resources rapidly If ACLs are more important on particular 3400cl or 6400cl switch ports than IGMP then you should plan and configure your ACL resource usage first for those ports then give attention to con...

Page 428: ...ort masks This method of ordering ACEs unnecessarily consumes port masks and reduces the capacity of an ACL to accept ACEs requiring different port masks 15 28 247 1 24 10 0 8 0 32 15 28 253 1 24 10 0 8 105 32 15 28 247 1 255 255 255 0 10 0 8 0 0 0 0 0 15 28 253 1 255 255 255 0 10 0 8 0 0 0 0 0 An ACL with no ACEs except a permit any or a deny any uses only one rule and one mask because the IP add...

Page 429: ... Different protocol IP as opposed to TCP UDP specified in either the SA or DA3 1 1 Closing an ACL with a deny ip any any or permit ip any any ACE preceded by an IP ACE with the same SA and DA ACL masks 0 0 Closing an ACL with a deny ip any any or permit ip any any ACE preceded by an IP ACE with different SA and or DA ACL masks 1 1 1In a given standard ACL consecutive ACEs must have identical ACL m...

Page 430: ...DP applications among consecutive ACEs in an assigned ACL can rapidly consume per port mask resources Also in almost all cases adding a new ACE to an ACL consumes one per port rule An extensive ACL configuration can fully subscribe the 120 rule resources available on one or more ports espe cially when QoS and Rate Limiting are also configured on the switch Config uring IGMP uses one per port ACL m...

Page 431: ...ation of QoS policies have depleted the rule resources on ports 4 and 5 to the point where there are not enough rules remaining for applying an ACL and only enough rules on port 3 for a minimal ACL At a minimum the policies previously configured on ports 4 and 5 must be reduced to free up enough rule resources to allow you to apply an ACL to these ports Depending on the ACL you want to apply to po...

Page 432: ...en if IGMP is configured then the remedy is to reduce mask consumption by a Ensuring that the ACEs in the list are in a sequence that takes optimum advantage of the switch s ability to re use a mask on con secutive ACEs in a list Refer to table 10 2 on page 10 18 b Removing enough ACEs from the ACL to reduce mask consumption to no more than the available maximum If an ACL requires more rule resour...

Page 433: ...t rules and masks In the default configuration there are 120 rules and 8 per port ACL masks available on each port These masks arereservedforACLsand IGMP use Figure 10 7 Example of Available Per Port Rules and ACL Masks Standard ACL Using a Subset of the Switch s Ports Suppose that ports 1 4 on a 3400cl or 6400cl switch belong to the following VLANs VLAN 1 10 10 10 1 VLAN 2 10 10 11 1 VLAN 3 10 10...

Page 434: ...0 in the fourth octet it is necessary to use and ACE that specifies the rightmost five bits of the octet The overlap1 can be illustrated as shown here Bit Values in the Fourth Octet 128 64 32 16 8 4 2 1 Bits Needed To Deny Hosts 31 255 4th Octet Mask 0 0 0 224 Bits Needed To Permit Hosts 1 30 4th Octet Mask 0 0 0 31 1 Formoreonthistopic referto RulesforDefiningaMatchBetweenaPacket andanAccessContr...

Page 435: ...e per port rule It does not consume a per port mask because both entries use the same ACL mask 0 0 0 255 ACE 3consumesoneper portruleandone per portmask Theadditionalper portmask is used because the ACL mask for ACE 3 is different from the ACL mask used in the immediately preceding ACE 0 0 0 0 as opposed to 0 0 0 255 ACE 4consumesoneper portruleandone per portmask Theadditionalper portmask is used...

Page 436: ... number of ACEs in a given ACL or a large number of ACLs which increases the complexity of your solution and rapidly consumes the per port rule and mask resources What traffic can you implicitly block by taking advantage of the implicitdenyanytodeny traffic thatyouhave notexplicitly permitted This can reduce the number of entries needed in an ACL and make more economical use of switch resources Wh...

Page 437: ...idual ACEs in the ACL to filter traffic Some applications require high usage of the per port resources the switch uses to support ACLs as well as the rules used by QoS and Rate Limiting applications In these cases it is important to order the individual ACEs in a list to avoid unnecessarily using resources For more on this topic refer to Planning an ACL Application on a Series 3400cl or Series 640...

Page 438: ...l be permitted and will not encounter the deny ip any ACE the switch automatically includes at the end of the ACL For an example refer to figure 10 5 on page 10 15 Explicitly Permitting Any IP Traffic Entering a permit any or a permit ip any any ACE in an ACL permits all IP traffic not previously permitted or denied by that ACL Any ACEs listed after that point do not have any effect and unnecessar...

Page 439: ...ween VLANs within the switch between subnets in a multinetted VLAN or at the interface where the traffic exits from the switch See figure 10 2 on page 10 10 Before Modifying an Applied ACL You Must First Remove It from All Assigned Interfaces An ACL cannot be changed while it is assigned to an interface Before Deleting an Applied ACL You Must First Remove It from All Interfaces to Which It Is Assi...

Page 440: ... Address Host Address 18 38 252 195 255 255 255 0 first three octets The fourth octet 18 38 252 195 255 255 248 0 first two octets and the left The right most three bits of the most five bits of the third octet third octet and all bits in the fourth octet Thus the bits set to 1 in a network mask define the part of an IP address to use for the network number and the bits set to 0 in the mask define...

Page 441: ...s is a match Conversely a mask of all zeros means the only match is an IP address identical to the host IP address specified in the ACL Depending on your network a single ACE that allows a match with more than one source or destination IP address may allow a match with multiple subnets For example in a network with a prefix of 31 30 240 and a subnet mask of 255 255 240 0 the leftmost 20 bits apply...

Page 442: ...list 1 permit host 18 28 100 15 produces this policy in an ACL listing IP Address Mask 18 28 100 15 0 0 0 0 This policy states that every bit in every octet of a packet s SA must be the same as the corresponding bit in the SA defined in the ACE A group of IP addresses fits the matching criteria In this case you provide both the IP address and the mask For example access list 1 permit 18 28 32 1 0 ...

Page 443: ...E applies this method to all four octets of an IP address Example of Allowing Only One IP Address Host Option Sup pose for example that you have configured the ACL in figure 10 8 to filter inbound packets on port 20 Because the mask is all zeros the ACE policy dictates that a match occurs only when the source IP address on such packets is identical to the IP address configured in the ACE ip access...

Page 444: ...the first octet andtheleftmostfourbitsofthe second octet 10 32 47 0 255 0 255 In the second octet the rightmost four bits are wildcard bits See row D in table 10 6 below Table 10 6 Mask Effect on Selected Octets of the IP Addresses in Table 10 5 IP Octet Mask Octet 128 64 32 16 8 4 2 Addr Range A 3 0 all bits 252 1 1 1 1 1 1 0 0 B 3 7 last 3 bits 248 255 1 1 1 1 1 0 or 1 0 or 1 0 or 1 C 4 0 all bi...

Page 445: ...ing is enabled by default on the switch and can be used to override the Use of Source ACLs For this reason if you are using ACLs to enhance network security the Routing recommended action is to disable source routing on the switch To do so execute no ip source route Types of ACLs Standard ACL Uses only a packet s source IP address as a criterion forpermittingordenyingthepacket ForastandardACLID us...

Page 446: ... identifies the ACL as standard or extended and shows the ACL name 2 One or more deny permit list entries ACEs One entry per line Element Stnd Ext Notes ID Range 1 99 100 199 You can also use an alphanumeric name of up to 64 characters including spaces Minimum ACEs per ACL 1 Maximum ACEs Per ACL 120 Maximum ACEs per 1024 Insomecases ruleusagebyACLs IGMP Switch QoS and Rate Limiting and mask usage ...

Page 447: ...e General Structure for a Standard ACL For example figure 10 10 shows how to interpret the entries in a standard ACL ACL List Heading with List Type and ID String Name or Number Mask ACE Action permit or deny End of List Marker Source IP Address Optional Logging Command Figure 10 10 Example of a Displayed Standard ACL Configuration with Two ACEs Extended ACL Configuration Structure Individual ACEs...

Page 448: ...ure 10 11 General Structure for an Extended ACL For example figure 10 12 shows how to interpret the entries in an extended ACL Optional Source UDP or TCP Operator and Port Number In this case the ACL specifies UDP port 69 packetscomingfromthe source IP address Protocol Types End of List Marker Source IP Addresses and Masks Upper entry denies certain UDP packets from a single host Lowerentrydeniesa...

Page 449: ...ch is found the switch applies the indicated action permit or deny to the packet This is significant because once a match is found for a packet subsequent ACEs in the same ACL will not be used for that packet regardless of whether they match the packet For example suppose that you have applied the ACL shown in figure 10 10 to inbound traffic on port 10 ip access list extended 101 deny ip 10 28 235...

Page 450: ... destination address will be denied dropped Since in this example the intent is to block TCP traffic from 10 28 18 100 to any destination except the destination stated in line 4 this line must follow line 4 If their relative positions were exchanged all TCP traffic from 10 28 18 100 would be dropped including the traffic for the 10 28 18 1 destination 6 Any packet from any IP source address to any...

Page 451: ...tchstoresACLsintheconfigurationfile Thus untilyouactuallyassign an ACL to an interface it is present in the configuration but not used Using the CLI To Create an ACL Command Page access list standard ACLs 10 43 access list extended ACLs 10 48 ip access list named ACLs 10 54 You can use either the switch CLI or an offline text editor to create an ACL This section describes the CLI method which is r...

Page 452: ...L masks The switch interprets the bits specified with CIDR notation as the IP address bits in an ACL and the corresponding IP address bits in a packet The switch then converts the mask to inverse notation for ACL use Table 10 8 Examples of CIDR Notation for Masks IPAddressUsedInanACL with CIDR Notation Resulting ACL Mask Meaning 18 38 240 125 15 0 1 255 255 The leftmost 15 bits must match the rema...

Page 453: ...m a specific address a group of addresses or a subnet This allows you to isolate traffic problems generated by a specific device group of contiguous devices or a subnet threatening to degrade network performance This gives you an opportunity to troubleshoot without sacrificing performance for users outside of the problem area You can identify each standard ACL with a number in the range of 1 99 or...

Page 454: ...ACL on page 10 54 deny permit Specifies whether to deny drop or permit forward a packet that matches the ACE criteria any host src ip addr ip addr mask length any Performs the specified action on any IP packet Use this criterion to designate packets from any IP address host host ip address Performs the specified action on any IP packet having the host ip address as the source Use this criterion to...

Page 455: ...r to Enable ACL Deny Logging on page 10 71 Use the debug command to direct ACL logging output to the current console session and or to a Syslog server Note that you must also use the logging ip addr command to specify the IP addresses of Syslog servers to which you want log messages sent See also Enable ACL Deny Logging on page 10 71 Syntax interface port list trunk access group ASCII STR in Assig...

Page 456: ...n the above three commands show access list resources shows the per port rule and ACL mask usage on port 10 and all other ports on the switch ACL 50 islistedasassignedtofilterinbound traffic on port 10 Show config lists any ACLs and ACL assignments configured in the startup config Figure 10 15 Example of Configuring a Standard ACL To Permit Only Traffic from Specific IP Addresses In a situation op...

Page 457: ...e Denies IP traffic from the indicatedIPaddress Since for this example ACL 60 is a new list this command also creates the ACL Denies IP traffic from the indicated IP address Permits IP traffic from all sources Traffic from the IP sources in the first two lines is already filtered and dropped The deny any with which the switch implicitly concludes all ACLs is preempted by this ACE but is still pres...

Page 458: ... ACE criteria This enables you to more closely define your IP packet filtering criteria These criteria include Source and destination IP addresses required in one of the following options Specific host IP Subnet or group of IP addresses Any IP address IP protocol IP TCP or UDP Source TCP or UDP port if the IP protocol is TCP or UDP Destination TCP or UDP port if the IP protocol is TCP or UDP TCP o...

Page 459: ...If the ACL already exists this command adds a new explicit ACE to the end of the ACL For a match to occur the packet must have the source and destination IP addressing criteria specified by this command as well as any protocol specific TCP or UDP port number criteria specified by the command To create a named ACL refer to Configuring a Named ACL on p age 10 54 100 199 Specifies the ACL ID num ber ...

Page 460: ...P addresses The mask can be in either dotted decimal format or CIDR format with the number of significant bits Refer to Using CIDR Notation To Enter the ACL Mask on page 10 42 The mask is applied to the IP addressin the ACL to define which bits in a packet s source IP address must exactly match the IP address configured in the ACL and which bits need not match Note that specifying a group of conti...

Page 461: ... any host dest ip addr ip addr mask length In an extended ACL this parameter defines the destination IP address DA that a packet must carry in order to have a match with the ACE The options are the same as shown for src ip addr dest port tcp udp id In an extended ACL this parameter defines the TCP or UDP destination port number a packet must carry in order to have a match with the extended ACE The...

Page 462: ...traffic from network 10 10 10 0 VLAN 10 to 10 10 20 0 VLAN 20 and permit all other IP traffic from any source to any destination See A in figure 10 17 below B Permit FTP traffic from IP address 10 10 20 100 on port 2 to 10 10 30 55 Deny FTP traffic from other hosts on network10 10 20 0 to any destina tion but permit all other traffic VLAN 10 10 10 10 1 VLAN 20 10 10 20 1 VLAN 30 10 10 30 1 1 3 2 3...

Page 463: ...7 above write memory writes the configuration changes to the startup config file ACL110 appliedtoport1 consumestwoper port rules and three ACL masks ACL 120 applied to port 2 also consumes two per port rules and three ACL masks Access List configuration in the switch s startup config file Figure 10 18 Example of Configuration Commands for an Extended ACL 10 53 ...

Page 464: ...est ip addr ip addr mask length oper dest port tcp udp id log These commands create an ACE in the named ACL list and Indicate the action deny or permit to take on a packet if there is a match between a packet and the criteria in the complete ACE Specify the packet protocol type IP TCP or UDP and if TCP or UDP the comparison operator Specify the source and destination addressing options required fo...

Page 465: ...nded 100 199 ACLs For explanations of the individual parameters in the preceding syntax statements refer to the syntax descriptions under Configuring and Assigning a Numbered St andard ACL on pa ge 10 43 or Configuring and Assigning a Numbered Extended ACL on page 10 48 For example figure 10 19 shows the commands for creating an ACL in the Named ACL context with these parameters ACL Name Action Pr...

Page 466: ... Configuring and Assigning an ACL Configured Source IP Address and Mask Configured Destination IP Address and Mask Command Entry for Source IP Address and Mask Command Entry for Destination IP Address and Mask Figure 10 19 Using the Named ACL Context To Configure an ACL 10 56 ...

Page 467: ...n where ascii string either a ACL name or an ACL ID number Assigns an ACL to a physical interface which can be any combination of ports and or trunks that d o notalready have an ACL assignment You can use either the global configuration level or the interface context level to assign an ACL to an interface or remove an ACL from an interface Enablingan ACL from the Global Configuration Level Enablin...

Page 468: ...n page 10 57 Displaying ACL Data ACL Commands Function Page show access list show access list config show access list ports all interface show access list acl name string show access list resources show config show running View a brief listing of all ACLs on the switch 10 59 Display the ACL lists configured in the switch 10 59 List the name and type of ACLs assigned to all 10 60 ports on the switc...

Page 469: ...packet filtering Figure 10 21 Example of a Summary Table of Access lists Term Meaning Type Shows whether the listed ACL is std Standard source address only or ext Extended protocol source and destination data Appl Shows whether the listed ACL has been applied to an interface yes no Name Shows the name or ID number assigned to each ACL configured in the switch Display the Content of All ACLs on the...

Page 470: ...Ls configured in the switch you will see results similar to the following Figure 10 22 Example of an ACL Configured Syntax Listing Display the ACL Assignments for an Interface This command briefly lists the identification and type s of ACLs currently assigned to a particular interface one or more ports and or trunks in the running config file The switch allows up to one inbound ACL assignment per ...

Page 471: ...on port 3 and that another standard ACL with an ID of 2 is assigned to filter inbound traffic on port 7 and Trk1 trunk 1 Figure 10 23 Example of Listing the ACL Assignment for an Interface Displaying the Content of a Specific ACL This command displays a specific ACL configured in the running config file in an easy to read tabular format Note Thisinformationalsoappearsintheshowrunningdisplay Ifyoue...

Page 472: ...traffic from 18 30 133 27 to any destination Deny any other IP traffic from 18 30 133 1 255 Permit all other IP traffic from any source to any destination Inspect the ACLs as follows Listing for a Standard ACL Listing for an Extended ACL IndicateswhethertheACL isassignedtoaninterface Indicates whether the ACL is assigned to an interface Indicates source and destination entries in the ACL Indicates...

Page 473: ...g IP address in the ACE to determine whether a packet matches the filtering criteria proto Used only in extended ACLs to specify the packet protocol type to filter Must be either IP TCP or UDP oper Used only in extended ACLs where a TCP or UDP port type and number have been entered Specifies how to compare the corresponding TCP or UDP port number in a packet to the port number in the ACE port s Us...

Page 474: ...he same resource table This table indicatesthecombinedresourceuse of both features plus Rate Limiting and IGMP if configured Refer to page 10 17 Figure 10 25 Example of a Show Access List Resources Command Output Display All ACLs and Their Assignments in the Switch Startup Config File and Running Config File The show config and show running commands include in their listings any configured ACLs an...

Page 475: ...ew ACEs to the end of an ACL However the CLI method does not allow you to insert a new ACE between two existing ACEs Note Before editing an assigned ACL you must use the no interface interface access group acl in command to remove the ACL from all interfaces to which it is assigned Using the CLI To Edit a Short ACL To insert a new ACE between exist ing ACEs in a short ACL you may want to delete th...

Page 476: ...he no statement Syntax noaccess list interface permit deny any host ip addr mask length Deletes an ACE from a standard ACL All variable parame ters in the command must be an exact match with their counterparts in the ACE you want to delete no access list interface permit deny ip tcp udp src addr any host ip addr mask length operator src port num dest addr any host ip addr mask length operator dest...

Page 477: ...apply an ACL to multiple interfaces and one of those interfaces does not have sufficient resources to support the ACL the command will fail for all specified interfaces For more on per port ACL resources refer to Planning an ACL Application on a Series 3400cl or Series 6400cl Switch on page 10 16 For longer ACLs that would be difficult or time consuming to accurately create or edit in the CLI you ...

Page 478: ...se the switch will append the new ACEs in the ACL you download to the existing ACL For example if you plan to use the Copy command to replace ACL 103 you would place this command at the beginning of the edited file no ip access list extended 103 no ip access list extended 103 ip access list extended 103 deny tcp 0 0 0 0 255 255 255 255 10 10 10 2 0 0 0 0 eq 23 log permit ip 0 0 0 0 255 255 255 255...

Page 479: ...erver at 10 10 10 100 without ACL logging but allow any other traffic from port 5 1 To create an ACL offline for the above requirements you would create a txt file with the content shown in figure 10 29 Youcanusethe charactertodenoteacomment The file stored on your TFTP server retains comments and they appear when you use copy to downloadtheACLcommandfile Commentsarenot saved in the switch configu...

Page 480: ...mmand and the ACL is not configured 3 Next assign the new ACL to the intended interface which in this example is for port 2 HPswitch config interface 2 access group 160 in 4 Inspect the effect of the ACL on the switch s per port resources ACL 160 used six per port rules and 5 ACL masks on port 2 This means that ACL 160 could be replaced with a larger ACL that uses up to three more masks The switch...

Page 481: ...transmit traffic you have designed your ACLs to reject The switch sends ACL messages to Syslog and optionally to the current console Telnet or SSH session You can configure up to six Syslog server destinations Requirements for Using ACL Logging The switch configuration must include an ACL 1 assigned to an interface and 2 containing an ACE configured with the deny action and the log option To scree...

Page 482: ...s assigned Begins the actual message generated by the ACL itself and indicates message type ACL date and time of generation Note To fit this illustration on the page the portion of the message generated by the Syslog server itself is shown in the line above the portion of the message generated by the switch Depending on the terminal emulator you use you may see information similar to this which in...

Page 483: ... to send an ACL log message to the console and to a Syslog server at IP address 10 38 110 54 on port 11 if the switch detects a match denying Telnet access from 10 38 100 127 10 38 110 54 10 38 100 127 Syslog Server Configure extended ACL 143 here to deny Telnet access to inbound Telnet traffic from IP address 10 38 100 127 Block Telnet access to the network from this host 3400cl or 6400cl Switch ...

Page 484: ... Logging enables you to selectively test specific devices or groups However excessive logging can affect switch performance For this reason HP recommends that you remove the logging option from ACEs for which you do not have a present need Also avoid config uring logging where it does not serve an immediate purpose Note that ACL logging is not designed to function as an accounting method See also ...

Page 485: ...Adding To an Active ACL Policy If you assign an ACL to an interface and subsequently want to add or replace ACEs in that ACL you must first remove the ACL from all assigned interfaces Note When an ACEbecomesactive itscreensthepacketsresulting fromnewtraffic connections It does not screen packets resulting from currently open traffic connections If you invoke a new ACE to screen packets in a curren...

Page 486: ...indicated ACL cannot be applied to an interface because an ACL is already assigned to the interface The command fails for all included interfaces including any that do not already have an ACL assigned Duplicate access control entry The switch detects an attempt to create a duplicate ACE in the same ACL 10 76 ...

Page 487: ...g ARP Parameters 11 11 Configuring Forwarding Parameters 11 13 Configuring ICMP 11 15 Configuring Static IP Routes 11 17 Static Route Types 11 17 Static IP Route Parameters 11 18 Static Route States Follow Port States 11 18 Configuring a Static IP Route 11 19 Configuring the Default Route 11 19 Configuring a Null Route 11 19 Configuring RIP 11 21 Overview of RIP 11 21 RIP Parameters and Defaults 1...

Page 488: ...DP Broadcast Forwarding on 5300xl Switches 11 76 Overview 11 76 Subnet Masking for UDP Forwarding Addresses 11 77 Configuring and Enabling UDP Broadcast Forwarding 11 78 Displaying the Current IP Forward Protocol Configuration 11 80 Operating Notes for UDP Broadcast Forwarding 11 81 Messages Related to UDP Broadcast Forwarding 11 81 Configuring Static Network Address Translation NAT for Intranet A...

Page 489: ...r IP routing support the number of hosts indicated below Switch Model Downstream Network Subnet Hosts Addresses 5300xl Chassis Total 192 000 n a 5300xl Chassis Per Module 128 000 n a 3400cland6400clStackables 8 000 1 000 Throughout this chapter the 5300xl 3400cl and 6400cl switches are referred to as routing switches When IP routing is enabled on your switch it behaves just like any other IP route...

Page 490: ...tyoucannotconfigure192 168 1 1 24and192 168 1 2 24onthesame routing switch You can configure multiple IP addresses on the same VLAN ThenumberofIPaddressesyoucanconfigureonanindividualVLANinterface is 8 You can use any of the IP addresses you configure on the routing switch for Telnet Web management or SNMP access as well as for routing Not e All HP Procurve devices support configuration and displa...

Page 491: ...RP reply from the device The software can learn an entry when the switch or routing switch receives an ARP request from another IP forwarding device or an ARP reply Here is an example of a dynamic entry IP Address MAC Address Type Port 1 207 95 6 102 0800 5afc ea21 Dynamic 6 Each entry contains the destination device s IP address and MAC address To configure other ARP parameters see Configuring AR...

Page 492: ... the IP route table received the route Toconfigure astaticIP route see Configuringa StaticIP Route onpage 11 19 IP Forwarding Cache The IP forwarding cache provides a fast path mechanism for forwarding IP packets The cache contains entries for IP destinations When an HP ProCurve routing switch has completed processing and addressing for a packet and is ready to forward the packet the device checks...

Page 493: ...that routers use to identify themselves to other routers when exchanging route information OSPF uses the router ID toidentify routers RIP does not use the router ID The lowest numbered IP address configured on the lowest numbered routing interface 11 10 Address Resolution Protocol ARP A standard IP mechanism that routers use to learn the Media Access Control MAC address of a device on the network ...

Page 494: ...1 2 on page 11 9 Disabled 11 14 ICMPRouter Discovery Protocol IRDP An IP protocol that a router can use to advertise the IP addresses of its router interfaces to directly attached hosts You can enable or disable the protocol at the Global CLI Config level You also can enable or disable IRDP and configure the following protocol parameters on an individual VLAN interface basis at the VLAN Interface ...

Page 495: ... A numeric cost the router adds to RIP routes learned on the interface RIP routes 1 one 11 23 ICMP Router Discovery Protocol IRDP Locally overrides the global IRDP settings See table 11 1 on page 11 7 for global IRDP information Disabled 11 71 IP helper address The IP address of a UDP application server such as a BootP or DHCP server or a directed broadcast address IP helper addresses allow the ro...

Page 496: ...nd Configuration Guide for your switch Changing the Router ID In most configurations a routing switch has multiple IP addresses usually configuredondifferentVLAN interfaces Asa result a routingswitch s identity to other devices varies depending on the interface to which the other device is attached Some routing protocols including Open Shortest Path First OSPF identify a routing switch by just one...

Page 497: ...tch The device can be the packet s final destination or the next hop router toward the destination The routing switch encapsulates IP packets in Layer 2 packets regardless of whether the ultimate destination is locally attached or is multiple router hops away Since the routing switch s IP route table and IP forwarding cache contain IP address information but not MAC address information the routing...

Page 498: ... does not contain an entry for the destination IP address the routing switch broadcasts an ARP request out all its IP interfaces The ARP request contains the IP address of the destination If the device with the IP address is directly attached to the routing switch the device sends an ARP response containing its MAC address The response is a unicast packet addressed directly to the routing switch T...

Page 499: ...et if the sub nets are on different network cables and thus is not answered An ARP request from one sub net can reach another sub net when both sub nets are on the same physical segment Ethernet cable since MAC layer broadcasts reach all the devices on the segment Proxy ARP is disabled by default on HP routing switches To enable Proxy ARP enter the following commands from the VLAN context level in...

Page 500: ... IP multicasting instead of all sub net broadcasting Forwarding for all types of IP directed broadcasts is disabled by default You can enable forwarding for all types if needed You cannot enable forwarding for specific broadcast types To enable forwarding of IP directed broadcasts enter the following CLI command HPswitch config ip directed broadcast Syntax no ip directed broadcast HP software make...

Page 501: ...annot deliver to its destination the routing switch discards the packet and sends a message back to the device that sent the packet to the routing switch The message informs the device that the destination cannot be reached by the routing switch Address Mask replies You can enable or disable ICMP address mask replies Disabling Replies to Broadcast Ping Requests By default HP devices are enabled to...

Page 502: ...d in the destination IP address of the packet Port The destination host does not have the destination TCP or UDP port specified in the packet In this case the host sends the ICMP Port Unreachable message to the HP device which in turn sends the message to the host that sent the packet Protocol The TCP or UDP protocol on the destination host is not running This message is different from the Port Un...

Page 503: ...strative distance than any other routes from different sources to the same destination the routing switch places the route in the IP route table OSPF See RIP but substitute OSPF for RIP Statically configured route You can add routes directly to the route table When you add a route to the IP route table you are creating a static IP route This section describes how to add static routes to the IP rou...

Page 504: ...ble The fixed metric for static IP routes is 1 The route s administrative distance Thevaluethattheroutingswitch uses to compare this route with routes from other route sources to the same destination before placing a route in the IP route table This param eter does not apply to routes that are already in the IP route table The fixed administrative distance for static IP routes is 1 The fixed metri...

Page 505: ...te to the IP route table Configuring a Static IP Route To configure an IP static route with a destination address of 192 0 0 0 255 0 0 0 and a next hop router IP address of 195 1 1 1 enter the following commands HPswitch config ip route 192 0 0 0 255 0 0 0 195 1 1 1 Syntax ip route dest ip addr mask bits next hop ip addr The dest ip addr is the route s destination The dest mask is the network mask...

Page 506: ...uting switch will drop packets that contain this address in the destination field instead of forwarding them The ip mask parameter specifies the network mask Ones are significant bits and zeros allow any value For example the mask 255 255 255 0 matches on all hosts within the Class C sub net address specified by ip addr Alter natively you can specify the number of bits in the network mask For exam...

Page 507: ...ng switch s route table the routing switch replaces the older route with the newer one The routing switch then includes the new path in the updates it sends to other RIP routers including HP routing switches RIP routers including HP routing switches also can modify a route s cost generally by adding to it to bias the selection of a route for a given destination In this case the actual number of ro...

Page 508: ...P can redistribute static and connected routes RIP Disabled redistributes connected routes by default when RIP is enabled RIP Interface Parameters 11 4 lists the VLAN interface RIP parameters and their default values Not e RIP interface configuration is performed on VLAN interfaces in the switches covered by this manual Table 11 4 RIP Interface Parameters Parameter Description Default RIP version ...

Page 509: ...e or unreachable toaroutebefore advertising it on the same interface as the one on which the routing switch learned the route receive Define the RIP version for incoming packets V2 only send Define the RIP version for outgoing packets V2 only Configuring RIP Parameters Use the following procedures to configure RIP parameters on a system wide and individual VLAN interface basis Enabling RIP RIP is ...

Page 510: ...p v1 only v1 compatible v2 v2 only Changing the Cost of Routes Learned on a VLAN Interface By default the switch interface increases the cost of a RIP route that is learned on the interface The switch increases the cost by adding one to the route s metric before storing the route You can change the amount that an individual VLAN interface adds to the metric of RIP routes learned on the interface N...

Page 511: ... routes and directly connected routes only Redistribu tion of any other routing protocol into RIP is not currently supported When you configure redistribution for RIP you can specify that static or connected routes are imported into RIP routes Likewise OSPF redistribution supports the import of static or connected routes into OSPF routes To configure for redistribution define the redistribution ta...

Page 512: ...metric of 4 to all routes imported into RIP enter the following commands HPswitch config router rip HPswitch rip default metric 4 Syntax default metric value The value can be from 1 15 The default is 1 Enable RIP Route Redistribution Not e Do not enable redistribution until you have configured the redistribution filters Otherwise the network might get overloaded with routes that you did not intend...

Page 513: ... s maximum valid route cost of 15 Poison reverse is enabled by default Disabling poison reverse causes the routing switch to revert to Split horizon Poison reverse is an extension of Split horizon To disable Poison reverse on an interface and thereby enable Split horizon enter the following HPswitch config vlan 1 HPswitch vlan 1 no ip rip poison reverse Syntax no ip rip poison reverse Entering the...

Page 514: ...ol on the router RIP must be enabled here and on the VLAN interface for RIP to be active The default is disabled Auto summary Status of Auto summary for all interfaces running RIP If auto summary is enabled then subnets will be summarized to a class network when advertising outside of the given network Default Metric Sets the default metric for imported routes This is the metric that will be adver...

Page 515: ... RIP 2 or RIP 2 version 1 compatible update messages Metric The path cost a measurement used to determine the best RIP route path 1 is the best 15 is the worse 16 is unreachable Auth RIP messages can be required to include an authentication key if enabled on the interface RIP Peer Information RIP Peers are neighboring routers from which the routing switch has received RIP updates IP Address IP add...

Page 516: ...rface Output See RIP Interface Information on the previous page for definitions of these fields You can also display the information for a single RIP VLAN interface by specifying the VLAN ID for the interface or specifying the IP address for the interface Displaying RIP interface information by VLAN ID For example to show the RIP interface information for VLAN 1000 use the showip ripinterface vlan...

Page 517: ...r any reason Sent updates The number of RIP routing updates that have been sent on this interface Displaying RIP interface information by IP Address For example to show the RIP interface information for the interface with IP address 100 2 0 1 enter the show ip rip interface command as shown below Figure 11 4 Example of Show IP RIP Interface Output by IP Address The information shown in this displa...

Page 518: ...icks How many seconds have passed since the routing switch received an update from this peer neighbor Displaying RIP information for a specific peer For example to show the RIP peer information for the peer with IP address 100 1 0 100 enter show ip rip peer 100 1 0 100 HPswitch show ip rip peer 100 0 1 100 RIP peer information for 100 0 1 100 IP Address 100 1 0 100 Bad routes 0 Last update timetic...

Page 519: ... described on page 11 25 configures the routing switch to cause RIP to advertise connected routes that are not running RIP and static routes The display shows whether RIP redistribution is enabled or disabled for connected and static routes Displaying RIP Redistribution Filter restrict Information TodisplayRIPrestrictfilterinformation entertheshowipriprestrictcommand at any context level HPswitch ...

Page 520: ...r link Network link Summary link Autonomous system AS summary link AS external link OSPF is built upon a hierarchy of network components The highest level of the hierarchy is the Autonomous System AS An autonomous system is defined as a number of networks all of which share the same routing and administration characteristics An AS can be divided into multiple areas Each area represents a collectio...

Page 521: ...cts one router to serve as the designated router DR and another router on the segment to act as the backup designated router BDR This arrangement minimizes the amount of repetitive information that is forwarded on the network by forwarding all messages to the designated router and backup designated routers responsible for forwarding the updates throughout the network Designated Router Election In ...

Page 522: ...ant with the RFC 1583 OSPF V2 specification These switches can also be config ured to operate with the latest OSPF standard RFC 2328 Not e For details on how to configure the system to operate with the RFC 2328 see Configuring OSPF on page 11 38 Reduction of Equivalent AS External LSAs An OSPF ASBR uses AS External link advertisements AS External LSAs to originate advertisements of a route to anot...

Page 523: ...xternal LSA Reduction The AS External LSA reduc tion feature behavior changes under the following conditions There is one ASBR advertising originating a route to the external desti nation but one of the following happens A second ASBR comes on line AsecondASBRthatisalreadyon linebeginsadvertisinganequivalent route to the same destination In either case above the HP switch with the higher router ID...

Page 524: ...nk changes to address ranges changes to global values for redistribution addition of new virtual links The only configuration change that requires you to disable and then re enable OSPF operation is reconfiguring the Router ID Configuring OSPF To begin using OSPF on the switch perform the steps outlined below 1 Enable routing on the routing switch 1 Enable OSPF on the routing switch 2 Assign the a...

Page 525: ...SPF Parameters You can modify or set the following global and interface OSPF parameters Global Parameters Modify OSPF standard compliance setting Assign an area Define an area range Define the area virtual link Set global default metric for OSPF Define redistribution metric type Enable redistribution Define redistribution restrict filters Modify OSPF Traps generated Interface Parameters Assign int...

Page 526: ...or the disabled protocol in flash memory If you subsequently restart OSPF that previous configuration will be applied Assigning OSPF Areas Once OSPF is enabled on the system you can assign areas Assign an IP address or number as the area ID for each area The area ID is representative of only the primary IP address To include secondary addresses you must enable OSPF on them separately or use the al...

Page 527: ...t is provided by the Area Border Router ABR The no summary parameter applies only to stub areas and disables summary LSAs from being sent into the area See Disabling Summary LSAs below Disabling Summary LSAs By default the switch sends summary LSAs LSA type 3 into stub areas You can further reduce the number of LSAs sent into a stub area by configuring the switch to stop sending summary LSAs into ...

Page 528: ...ave up to 8 range addresses Example To define an area range for sub nets on 193 45 5 1 and 193 45 6 2 enter the following commands HPswitch config router ospf HPswitch ospf area 192 45 5 1 range 193 45 0 0 255 255 0 0 HPswitch ospf area 193 45 6 2 range 193 45 0 0 255 255 0 0 Syntax area ospf area id backbone range ip addr mask length no advertise The ospf area id parameter specifies the area numb...

Page 529: ... For simplicity each of these parameters has a default value No change to these default values is required except as needed for specific network configurations VLAN default values can be modified using the following CLI commands at the VLAN interface level of the CLI ip ospf area ip addr ip ospf authentication key password ip ospf md5 auth key chain chain name str ip ospf cost num ip ospf dead int...

Page 530: ... the name of the key chain that you have previously configured by using the KMS commands Cost Indicates the overhead required to send a packet across an interface You can modify the cost to differentiate between 100 Mbps and 1000 Mbps 1 Gbps links The default cost is always 1 Dead interval Indicates the number of seconds that a neighbor router waits for a hello packet from the current switch befor...

Page 531: ...ection to the backbone Two parameters must be defined for all virtual links transit area ID and neighbor router The transit area ID represents the shared area of the two ABRs and serves as the connection point between the two routers This number should match the area ID value The neighbor router field is the router ID IP address of the router that is physically connected to the backbone when assig...

Page 532: ...e backbone area Area 0 To provide backbone access to Routing Switch A you can add a virtual link between Routing Switch A and Routing Switch C using Area 1 as a transit area To configure the virtual link you define the link on the router that is at each end of the link No configuration for the virtual link is required on the routers in the transit area To configure the virtual link on Routing Swit...

Page 533: ...l links it is calculated by route calcula tion You can modify default values for virtual links using the following CLI command at the OSPF router level of the CLI as shown in the following syntax Syntax area num ip addr virtual link ip addr authentication key string md5 auth key chain chain name str dead interval num hello interval num retransmit interval num transmit delay num The parameters are ...

Page 534: ...transmit Interval The interval between the re transmission of link state advertisements to router adjacencies for this interface The range is 0 3600 seconds The default is 5 seconds Transmit Delay The period of time it takes to transmit Link State Update packets on the interface The range is 0 3600 seconds The default is 1 second Dead Interval The number of seconds that a neighbor routerwaits for ...

Page 535: ...permitted for all routes by default Syntax restrict ip addr ip mask ip addr prefix length This command prevents any routes with a destination address that is included in the range specified by the address mask pair from being redistributed by OSPF Modifying Default Metric for Redistribution The default metric is a global parameter that specifies the cost applied to all OSPF routes by default The d...

Page 536: ...ics are the same units as internal OSPF metrics and can be compared directly Type 2 metrics are not directly comparable and are treated as larger than the largest internal OSPF metric The default value is type 2 To modify the default value to type 1 enter the following command HPswitch config ospf router metric type type1 Syntax metric type type1 type2 The default is type2 Administrative Distance ...

Page 537: ...pported on switches covered in this guide and their associated MIB objects from RFC 1850 Table 11 5 OSPF Traps and Associated MIB Objects OSPF Trap Name MIB Object interface state change trap virtual interface state change trap neighbor state change trap virtual neighbor state change trap interface config error trap virtual interface config error trap interface authentication failure trap virtual ...

Page 538: ...tate change trap Syntax no snmp server trap ospf ospf trap Modifying OSPF Standard Compliance Setting Not e All routes in an AS should be configured with the same compliance setting If any routers in a domain support only RFC 1583 then all routers must be configured with 1583 compatibility If all the routers support RFC 2178 or RFC 2328 you should disable RFC 1583 compatibility on all the routers ...

Page 539: ... 11 56 11 57 11 60 11 62 11 68 11 65 11 66 Displaying General OSPF Configuration Information To display general OSPF configuration information enter show ip ospf general at any CLI level HPswitch show ip ospf general OSPF General Status OSPF protocol enabled Router ID 10 0 8 36 RFC 1583 compatibility compatible Default import metric 1 Default import metric type external type 2 Area Border yes AS B...

Page 540: ...ic type indicates the metric type type 1 or type 2 that will be used for any routes redistributed into OSPF by this routing switch Area Border indicates whether this routing switch is currently acting as an area border router AS Border indicates whether this routing switch is currently acting as an autonomous system border router redistributing routes External LSA Count indicates the total number ...

Page 541: ...information Table 11 7 CLI Display of OSPF Area Information This Field Displays Area ID The identifier for this area Type The area type which can be either normal or stub Cost The metric for the default route that the routing switch will inject into a stub area if the routing switch is an ABR for the area This value only applies to stub areas SPFR The number of times the routing switch has run the...

Page 542: ...e Output Syntax show ip ospf external link state The OSPF external link state display shows the following information Table 11 8 CLI Display of OSPF External Link State Information This Field Displays Link State ID LSA ID for this LSA Normally the destination of the external route but may have some host bits set Router ID Router ID of the router that originated this external LSA Age Current age in...

Page 543: ... 000302050a0309000a00082580000005c3b30024ffffff008000000a0000000000000000 000302050a030a000a00082580000005b8bd0024ffffff008000000a0000000000000000 000002050a0321000a000824800009cdb9dd0024ffffff00800000010000000000000000 Figure 11 13 Example of the Output for Show IP OSPF External Link State Advertise Displaying OSPF Interface Information To display OSPF interface information enter show ip ospf int...

Page 544: ...os from other routers on this interface before we run designated router election DR this switch is the designated router for this interface BDR this switch is the backup designated router for this interface DROTHER this router is not the designated router or backup designated router for this interface Auth type none or simple will be none if no authentication key is config ured simple if an authen...

Page 545: ...p ospf interface vlan vlan id ip addr The OSPF interface display for a specific VLAN or IP address has the same information as the non specific show ip ospf interface command for the IP Address Area ID Status State Auth type Cost and Priority fields See the information for the general command above for definitions of these fields The show ip ospf interface command for a specific VLAN or IP address...

Page 546: ...u enter this command the switch displays an output similar to the following OSPF Link State Database for Area 0 0 0 0 Advertising LSA Type Link State ID Router ID Age Sequence Checksum Router 10 0 8 32 10 0 8 32 65 0x80000281 0x0000a7b6 Router 10 0 8 33 10 0 8 33 1638 0x80000005 0x0000a7c8 Network 10 3 2 37 10 0 8 37 1695 0x80000006 0x00000443 Summary 10 3 16 0 10 0 8 33 1638 0x80000007 0x0000c242...

Page 547: ...umber of the current instance of this LSA Chksum Hex LSA checksum value Other options for this command The status keyword is optional and can be omitted The output can be filtered to show a subset of the total output by specifying the area id link state id router id LSA type or sequence number options The advertise keyword displays the hexadecimal data in the specified LSA packet the actual conten...

Page 548: ...80000004c12a001c0000000000000002 OSPF Link State Database for Area 10 3 16 0 Advertisements 000202010a0008210a0008218000027fd33d0054050000050a031900ffffff0003000001 000102010a0008220a00082280000284dc500060000000060a031500ffffff0003000001 000102020a0311220a0008228000027bf9080020ffffff000a0008220a000821 Figure 11 17 Example of the Output for Show IP OSPF Link State Advertise Displaying OSPF Neighbor...

Page 549: ...ignated Router are selected from the set of neighbors in the 2Way state or greater EXSTART The firststep increatingan adjacencybetweenthetwoneighboringrouters The goal of this step is to decide which router is the master and to decide upon the initial Database Description DD sequence number Neighbor conversations in this state or greater are called adjacencies EXCHANGE The switch is describing its...

Page 550: ... type Status connected enabled static enabled Figure 11 19 Example of Output for Show IP OSPF Redistribute The display shows whether redistribution of each of the route types connected and static is enabled Displaying OSFPF Redistribution Filter restrict Information As described under Defining Redistribution Filters on page 11 48 you can configure the redistribution filters on the routing switch t...

Page 551: ...Display of OSPF Virtual Neighbor Information Field Description Router ID The router ID of this virtual neighbor configured Area ID The area ID of the transit area for the virtual link to this neighbor configured State The state of the adjacency with this virtual neighbor The possible values are the same as the OSPF neighbor states See the State parameter definition in table 11 12 on page 11 63 Not...

Page 552: ...g information Table 11 14 CLI Display of OSPF Virtual Link Information Field Description Transit Area ID Area ID of transit area for the virtual link Neighbor Router Router ID of the virtual neighbor Authentication none or simple same as for normal interface Interface State The state of the virtual link to the virtual neighbor The possible values are DOWN the routing switch has not yet found a rou...

Page 553: ...F Virtual Link ip addr In this display these fields show the same type of information as described for the general OSPF virtual link display Transit Area ID Neighbor Router Authentication and Interface State This display shows the following additional information Table 11 15 CLI Display of OSPF Virtual Link Information Specific IP Address Field Description Events The number of times the virtual li...

Page 554: ...k Mask Advertise 10 3 16 0 Summary 10 3 16 0 255 255 255 0 yes OSPF interface configuration Admin Authen IP Address Area ID Status Type Type Cost Pri 10 3 2 35 backbone enabled BCAST none 1 1 10 3 3 35 backbone enabled BCAST none 1 1 10 3 16 35 10 3 16 0 enabled BCAST none 1 1 10 3 32 35 10 3 32 0 enabled BCAST none 1 1 OSPF configured interface timers Transit Retransmit Hello Dead IP Address Dela...

Page 555: ...e area This value only applies to stub areas Stub Summary LSA send or don t send indicates the state of the no summary option for the stub area Thevalueindicatesiftheareais totallystubby nosummariessentfromotherareas or just stub summaries sent Only applies to stub areas and only takes effect if the routing switch is the ABR for the area Stub Metric Type This value is always ospf metric Currently ...

Page 556: ...he following parameters If you enable IRDP on individual VLAN interfaces you can configure these parameters on an individual VLAN inter face basis Packet type The routing switch can send Router Advertisement messages as IP broadcasts or as IP multicasts addressed to IP multicast group 224 0 0 1 The default packet type is IP broadcast Hold time Each Router Advertisement message contains a hold time...

Page 557: ...an individual VLAN interface and configure IRDP param eters enter commands such as the following HP config vlan 1 HP vlan 1 ip irdp maxadvertinterval 400 This example shows how to enable IRDP on a specific interface VLAN 1 and change the maximum advertisement interval for Router Advertisement messages to 400 seconds Syntax no ip irdp broadcast multicast holdtime seconds maxadvertinterval seconds m...

Page 558: ...ange the maxadvertinterval parameter the software auto matically adjusts the minadvertinterval parameter to be three fourths the new value of the maxadvertinterval parameter If you want to override the automatically configured value you can specify an interval from 1 to the current value of the maxadvertinterval parameter preference number This parameter specifies the IRDP preference level of this...

Page 559: ...nts The DHCP relay agent transfers the DHCP messages from DHCP clients located on a subnet without DHCP server to other subnets It also relays answers from DHCP servers to DHCP clients DHCP Packet Forwarding The DHCP relay agent on the routing switch forwards DHCP client packets to all DHCP servers that are configured in the table administrated for each VLAN Unicast Forwarding The packets are forw...

Page 560: ...ring this command HPswitch config dhcp relay To disable the DHCP Relay function enter the command HPswitch config no dhcp relay Configuring a Helper Address At the VLAN configuration CLI context level enter the commands to add the DHCP server s IP address to the VLANs list For example to configure a helper address for VLAN 1 enter these commands HPswitch conf vlan 1 HPswitch vlan 1 ip helper addre...

Page 561: ...in the default configuration itdoes notappear in these listings unless it is disabled Non Default DHCP Relay Setting Figure 11 26 Example of Startup Config Listing with DHCP Relay Disabled Listing the Currently Configured DHCP Helper Addresses Syntax show ip helper address vlan id This command shows the currently configured IP Helper addresses regardless of whether DHCP Relay is enabled For exampl...

Page 562: ...d on the VLAN then the switch routes the packet to the appropriate subnet Each entry can designate either a single device or a single subnet The switch ignores any entry that designates multiple subnets Not e The number of UDP broadcast forwarding entries supported is affected by the number of IP helper addresses configurted to support DHCP Relay Refer to Operating Notes for UDP Broadcast Forwardi...

Page 563: ... address configured in VLAN 1 must be on this VLAN Also the destination VLAN for UDP 1812 from clients on VLAN 1 VLAN 3 15 75 12 1 255 255 255 0 None N A Destination VLAN for UDP 1813 broadcasts from clients on VLAN 1 Not e If an IP server or subnet entry is invalid a switch will not try to forward UDP packets to the configured device or subnet address Subnet Masking for UDP Forwarding Addresses T...

Page 564: ...mands configured in VLANs on the switch Default Disabled Configuring UDP Broadcast Forwarding on Individual VLANs This command routes an inbound UDP broadcast packet received from a client on the VLAN to the unicast or broadcast address configured for the UDP port type Syntax no ip forward protocol udp ip address port number port name Used in a VLAN context to configure or remove a server or broad...

Page 565: ...et at the specified broadcast address For more information on UDP port numbers refer to TCP UDP Port Number Ranges on page 11 81 port name Allows use of common names for certain well known UDP port numbers You can type in the specific name instead of having to recall the corresponding number dns Domain Name Service 53 ntp Network Time Protocol 123 netbios ns NetBIOS Name Service 137 netbios dgm Ne...

Page 566: ...in the switch or on a specific VLAN Global Display Showing UDP Broadcast ForwardingStatus and Configured Forwarding Addresses for Inbound UDP Broadcast Traffic for All VLANs Configured on the Router Figure 11 28 Displaying Global IP Forward Protocol Status and Configuration Display Showing UDP Broadcast Forwarding Status and the Configured Forwarding Addresses for inbound UDP Broadcast Traffic on ...

Page 567: ...ana org Then click on Protocol Number Assignment Services P Under Directory of General Assigned Numbers heading Port Numbers Messages Related to UDP Broadcast Forwarding Message Meaning udp bcast forward IP Routing support must be enabled first Appears in the CLI if an attempt to enable UDP broadcast forwarding has been made without IP routing being enabled first Enable IP routing then enable UDP ...

Page 568: ...ppear to logically reside in the public region of your network instead of in a hidden region This is done by mapping a virtual public IP address to the actual private IP address of the device you want to make accessible to clients in the public region For example A B C Static NAT Table Client Name IPSeeninCorporate Public Region Configured Private IP A 15 33 235 10 10 10 10 11 B 15 33 235 32 10 10...

Page 569: ...m general network users private ip This is the IP address of a device in a region of your network that you want to remain hidden from general network users This address is the actual IP address configured on the device public ip This is the virtual IP address you want to use to access from the public region of the network a specific device residing in the hidden portion of the network With NAT con...

Page 570: ... public region A 15 33 235 10 B 15 33 235 32 C 15 33 235 38 To configure the static NAT mapping between the actual IP addresses config ured on the devices and the corresponding virtual IP addresses HPswitch config ip nat static 10 10 10 11 15 33 235 10 HPswitch config ip nat static 10 10 10 12 15 33 235 32 HPswitch config ip nat static 10 10 10 13 15 33 235 38 The above commands create the virtual...

Page 571: ...5300xl switches is a method for accessing a private region within an intranet It is not the dynamic NAT often used for IP address translation from private IP addresses to registered global IP addresses on the internet and is not supported for Internet NAT applica tions Non NAT hosts in the same subnet VLAN as NAT hosts will be routed normally That is the IP addresses of hosts without a static NAT ...

Page 572: ...IP Routing Features Configuring Static Network Address Translation NAT for Intranet Applications on the 5300xl Switches This page is intentionally unused 11 86 ...

Page 573: ...ple VLAN Operation 12 6 XRRP Operating Notes 12 9 Configuring XRRP 12 11 Customizing the XRRP Configuration 12 12 Enabling and Disabling XRRP 12 15 Configuration Rules 12 15 Configuration Examples 12 16 Configuration for Figure 12 2 Single VLAN Example 12 16 Configuration for Figure 12 4 Multiple VLANs 12 17 Displaying XRRP Data 12 18 Comparison Between XRRP and VRRP 12 21 Messages Related to XRRP...

Page 574: ... are configured to provide fail over protection for each other Virtual Router A virtual routing device that provides a router interface to host computers that are accessing it Each physical router in the Protection Domain can own a virtual router On fail over one physical router may own all the virtual routers in the Protection Domain Move ment of the virtual router responsibility as part of the X...

Page 575: ...to the host computers that are using the routers Not e To accomplish this transfer both routers in the Protection Domain must have identical network access so that each can get to all the same subnets and the same end nodes without going through each other Figure 12 1 shows an example of a Protection Domain being used to provide redundant connectivity between some clients and the network servers t...

Page 576: ... VLANs are down each physical router behaves as the Master of all of its XRRP virtual router interfaces The Master and Owner of each interface is the same In the example shown in figure 12 2 the XRRP configuration is done in VLAN 5 For Domain 2 Router 1 is given the IP address of 10 1 1 1 and Router 2 is given the address 10 1 1 2 XRRP assigns MAC addresses MAC A to Router 1 and MAC B to Router 2 ...

Page 577: ...nd the MAC address of the failed router Single VLAN Operation Infigure 12 3 thelinkbetweenthelayer 2switchandRouter 2fails Asaresult Router 2 no longer hears any link signals on VLAN 5 and the communication between Router 2 and Router 1 is disabled Router 1 after not hearing XRRP packets from Router 2 will take over the IP addresses from Router 2 for the VLAN 5 interfaces and it will take over the...

Page 578: ...ual router in the Protection Domain Even if one or more VLANs are still operating correctly when one VLAN fails a link signal is no longer detected by the router from any device in the VLAN the router with the failed VLAN will stop its operation as the Master of its owned virtual router interfaces The fail over is a total router fail over The router with the failed VLAN stops routing on all of its...

Page 579: ...ver all of its virtual router resources This function is referred to as fast fail over Because it occurs as soon as link signal is lost the fail over can take as little as one second to complete Figure 12 4 Fast Fail Over with Partial VLAN Failure When Router 2 makes the fast fail over request if Router 1 has no failed VLANs then it will take control of Router 2 s virtual interfaces If Router 1 al...

Page 580: ...ersfrom Router 2 Figure 12 5 Standard XRRP Fail Over with Total VLAN Failure If the cause of the total VLAN access failure as shown in figure 17 5 is because of a complete router failure due to building power loss for example the routerthat remainsactive will waitforthethree XRRPadvertisement intervals and will then take control of the failed router s IP and MAC addresses If both routers are still...

Page 581: ...st MAC address for its protocol packets 0101 E794 0640 Use of Proxy ARP on non XRRP VLANs Although it is not disallowed you should not configure Proxy ARP on non XRRP VLANs on a router running XRRP To do so will potentially cause loss connectivity on those non XRRP VLANs should the router fail over to the other router in the Protection Domain Thenon XRRP VLANs willnot fail over howeverthe XRRP ass...

Page 582: ...n Alternately you can ensure that the SNMP requests are made on the management VLAN or other non XRRP interface Multiple VLAN Considerations When using multiple VLANs some consideration must be given to whether the router interfaces are connected to devices that have a multiple forwarding database a MAC address table for each VLAN If the switch at the other end of a router interface connection has...

Page 583: ...Single Forwarding to Multiple Forwarding Database Devices in a Multiple VLAN Environment As of this printing the HP Procurve switches that do not have a multiple forwarding database include 1600M 2400M 2424M 4000M and 8000M switches Series 2500 switches Some older HPAdvanceStack switches For more information refer to Multiple VLAN Considerations on page 2 17 Configuring XRRP Configuring XRRP is pe...

Page 584: ...e router is in The router can be in only one domain The default value is 1 This value cannot be changed if there is at least one virtual router instance running on the router To change the value after XRRP is operating you must first disable XRRP use the no xrrp command xrrp router 1 2 This command sets the unique number for the router within a given Protection Domain No two routers in the same Pr...

Page 585: ...irtual router instance ID virtual router owner number and VLAN ID of the virtual router that detected the error To enable all the traps use the command xrrp trap all To disable the traps use the no form of the command with the trap name to disable a specific trap or with all to disable all the traps By default all the traps are disabled no xrrp instance owner router number vlan id This command con...

Page 586: ...xample to remove the virtual interface in the above example from the fail over protection provided by Router 1 you would enter the following command no xrrp instance 2 5 ip 10 1 1 2 24 You cannot remove an individual IP address if it is the only IP address associated with the backup router Variable Parameters In addition the following variable parameters can be specified by the xrrp instance comma...

Page 587: ...cannot be used XRRP cannot be configured on the management VLAN or on any VLAN that gets its IP address through DHCP or Bootp XRRP must be disabled before the Protection Domain number or the router number configuration can be changed Use the no xrrp command to disable XRRP Dynamic reconfiguration You should be aware that although XRRP can be reconfigured while it is running dynamic configurations ...

Page 588: ...2 24 HPswitch config xrrp HPswitch config write memory Configures the IP address of the router interface in VLAN 5 Sets the identity of the Protection Domain Sets the XRRP router number Creates the XRRP virtual router interface Identifies the virtual router interface on Router 2 for which Router 1 is providing fail over protection Enables XRRP operation on Router 1 Saves this configuration to star...

Page 589: ...in Sets the XRRP router number Creates the XRRP virtual router interface in VLAN 5 Identifies the virtual router interface on Router 2 for which Router 1 is providing fail over protection in VLAN 5 Creates the XRRP virtual router interface in VLAN 6 Identifies the virtual router interface on Router 2 for which Router 1 is providing fail over protection in VLAN 6 Enables XRRP operation on Router 1 ...

Page 590: ...e En abled ma ster transition Di sabled au thentication failure Disabled Figure 12 8 Example of Output for Show XRRP Traps Syntax show xrrp config global instance owner router num vlan id This command displays XRRP configuration information Invoked without parameters it shows global and virtual routers configuration on the switch If the global keyword is specified then the generic configuration in...

Page 591: ... A uthentication Type Simple Text Password A uthentication Key password A dvertise Interval 5 I P Address Subnet Mask 1 0 1 1 1 2 55 255 248 0 1 0 2 1 1 2 55 255 248 0 Figure 12 10 Example of Output for Show XRRP Config Instance owner router number vlan id Syntax show xrrp statistics global instance owner router num vlan id router router num This command displays XRRP status and statistics informa...

Page 592: ...tion Owne r Router Number 1 VLAN ID 5 Oper ational State Master Up T ime 64 mins Pkts Rx 0 Pkts Tx 780 Zero Priority Rx 0 Zero Priority Tx 0 Bad Version Pkts 0 Mismatched Pswd Pkts 0 Mism atched IP Pkts 0 Mismatched Interval Pkts 0 Figure 12 12 Example of Output for Show XRRP Statistics Instance owner router number vlan id The keyword router can be used to display statistics information for the sp...

Page 593: ...s in the fail over domain and up to 16 domains connected to a given VLAN VRRP uses a flat space with up to 255 virtual routers in a level 2 switch fabric However these 255 virtual routers can be used over on every VLAN with VRRP XRRP will warn you of mismatched configurations between the routers but will attempt to use the current master configuration whenever possible when these mismatches occur ...

Page 594: ...en XRRP is disabled on one router but not disabled on its peer Indicates that some other device on the network currently has the IP address configured and XRRP wanted to take control of this secondary address XRRPwillnot takeovertheaddressuntilthissituation has been corrected so as to avoid the creation of a duplicate IP address on the network It will however checkatthefailoverperiod 3timestheadve...

Page 595: ...XRRP received an XRRP packet that contained a checksum error Indicates that XRRP received an XRRP packet that contained an illegal domain number domain must be between 1 and 16 This indicates that XRRP received an XRRP packet that contained an illegal router number router must be between 1 and 2 Indicates that XRRP received an XRRP packet that contained a the local routers router number This indic...

Page 596: ...r will not force the remote miss configuration flag to be set so fail over can still occur Indicates a configuration error This indicates that XRRP received a packet with an authentication error This error will not force the remote miss configuration flag to be set so fail over can still occur Indicates a configuration error Indicates that XRRP received a packet with a mismatchedadvertisementinter...

Page 597: ...etected If a local miss configuration been corrected then the message willstartwithLocal Iftheremoterouterconfiguration has been corrected then the message will start with Remote All miss configuration errors must be corrected Local or Remote for this message to occur Note DetectionofRemotemiss configurations will time out if the remote router stops sending XRRP packets Indicates that an XRRP rout...

Page 598: ...Router Redundancy Using XRRP Messages Related to XRRP Operation This page is intentionally unused 12 26 ...

Page 599: ...e Stacking 13 12 Using the Commander To Manage The Stack 13 16 Monitoring Stack Status 13 24 Using the CLI To View Stack Status and Configure Stacking 13 28 Using the CLI To View Stack Status 13 30 Using the CLI To Configure a Commander Switch 13 32 Adding to a Stack or Moving Switches Between Stacks 13 34 Using the CLI To Remove a Member from a Stack 13 39 Using the CLI To Access Member Switches ...

Page 600: ... switches to your network without having to first perform IP addressing tasks Stacking Support on HP ProCurve Switches As of October 2004 the following HP ProCurve switches include stacking HP ProCurve Switch 6108 HP ProCurve Series 6400cl HP ProCurve Series 4100gl HP ProCurve Series 3400cl HP ProCurve Series 2600 HP ProCurve Series 2800 HP ProCurve Series 2500 HP ProCurve Switch 8000M1 HP ProCurv...

Page 601: ...enable disable candidate Auto Join enabled Yes page13 14 page13 36 push a candidate into a stack n a page13 14 page13 36 configure a switch to be a commander n a page13 12 page13 32 push a member into another stack n a page13 23 page13 38 remove a member from a stack n a page13 20 page13 39 or page13 40 pull a candidate into a stack n a page13 16 page13 35 pull a member from another stack n a page...

Page 602: ... Stack named Engineering consists of Commander and Switch C Switch B is a Candidate eligible to join the stack Commander Switch A Member Switch C Member Switch B After Switch B joins the stack thus changing from a Candidate to a Member of the stack Stack Stack Name Engineering Stack Name Engineering Figure 13 1 Illustration of a Switch Moving from Candidate to Member General Stacking Operation Aft...

Page 603: ... Manager Password leader UsetheCommander sconsoleorweb browser interface to access the user interface on any Member switch in the same stack Network Backbone Figure 13 2 Example of Stacking with One Commander Controlling Access to Wiring Closet Switches Interface Options You can configure stacking through the switch s menu interface CLI or the web browser interface For information on how to use th...

Page 604: ...switches numbered 0 15 including the Commander always numbered 0 There is no limit on the number of stacks in the same IP subnet broadcast domain however a switch can belong to only one stack If multiple VLANs are configured stacking uses only the primary VLAN on any switch In the factory default configuration the DEFAULT_VLAN is the primary VLAN See Stacking Operation with Multiple VLANs Configur...

Page 605: ... stack member In the factory default configu ration the switch auto matically acquires an IP address if your networkincludesDHCP service Ifacandidatehasapassword it cannot be automatically added to a stack In this case if you want the Candidate in a stack you must manually add it to the stack Stack Name N A Member IP Addr Optional Configuring an IP address allows access via Telnet or web browser i...

Page 606: ...Configuring Stack Management Overview of Configuring and Bringing Up a Stack This process assumes that All switches you want to include in a stack are connected to the same subnet broadcast domain IfVLANsare enabledonthe switchesyouwanttoinclude inthe stack then the ports linking the stacked switches must be on the primary VLAN in each switch which in the default configuration is the default VLAN ...

Page 607: ...to Join Passwords Automatically add Candidate to Stack Causes the first 15 eligible discovered switches in the subnet to automatically join a stack Yes Yes default No default Manually add Candidate to Stack Prevent automatic joining of switches you don t want in the stack No default Yes default Optional Yes No Optional Yes Yes default or No Configured Prevent a switch from being a Candidate N A Di...

Page 608: ...ocesses see pages 13 12 through 13 35 for the menu interface and pages 13 28 through 13 40 for the CLI 1 Determine the naming conventions for the stack You will need a stack name Also to help distinguish one switch from another in the stack you can configure a unique system name for each switch Otherwise the system name for a switch appearing in the Stacking Status screen appears as the stack name...

Page 609: ... the Commander to assign IP addressing or make other configuration changes 4 Make a record of any Manager passwords assigned to the switches intended for your stack that are not currently members You will use these passwords to enable the protected switches to join the stack 5 If you are using VLANs in the stacking environment you must use the default VLAN for stacking links For more information s...

Page 610: ...igure a Commander Switch 1 Configure an IP address and subnet mask on the Commander switch Refer to the Management and Configuration Guide for your switch 2 Display the Stacking Menu by selecting Stacking in the Main Menu Figure 13 5 The Default Stacking Menu 3 Display the Stack Configuration menu by pressing 3 to select Stack Configuration Figure 13 6 The Default Stack Configuration Screen 13 12 ...

Page 611: ...Grab setting then press the downarrow key No the default prevents automatic joining of Candidates that have their Auto Join set to Yes Yes enables the Commander to automatically take a Candidate into the stack as a Member if the Candidate has Auto Join set to Yes the default Candidate setting and does not have a previously configured password 8 Accept or change the transmission interval default 60...

Page 612: ... following table lists the Candidate s configuration options Table 13 4 Candidate Configuration Options in the Menu Interface Parameter Default Setting Other Settings Stack State Candidate Commander Member or Disabled Auto Join Yes No Transmission 60 Seconds Range 1 to 300 seconds Interval Using the Menu To Push a Switch Into a Stack Modify the Switch s Configuration or Disable Stacking on the Swi...

Page 613: ...to a specific Commander s stack i Use the space bar to select Member ii Press Tab once to display the Commander MAC Address param eter then enter the MAC address of the desired Commander To change Auto Join or Transmission Interval use Tab to select the desired parameter and To change Auto Join use the Space bar To change Transmission Interval type in the new value in the range of 1 to 300 seconds...

Page 614: ...ually Add a Candidate to a Stack In the default configuration you must manually add stack Members from the Candidate pool Reasons for a switch remaining a Candidate instead of becoming a Member include any of the following Auto Grab in the Commander is set to No the default Auto Join in the Candidate is set to No Note When a switch leaves a stack and returns to Candidate status its Auto Join param...

Page 615: ...cally selects an available switch number SN You have the optionofassigninganyotheravailablenumber Candidate List Figure 13 10 Example of Candidate List in Stack Management Screen 3 Either accept the displayed switch number or enter another available number The range is 0 15 with 0 reserved for the Commander 4 Use the downarrow key to move the cursor to the MAC Address field then type the MAC addre...

Page 616: ...4 New Member added in step 6 Figure 13 11 Example of Stack Management Screen After New Member Added Using the Commander s Menu To Move a Member From One Stack to Another Where two or more stacks exist in the same subnet broadcast domain you can easily move a Member of one stack to another stack if the destination stack is not full If you are using VLANs in your stack environ ment see Stacking Oper...

Page 617: ... that you want to move and note its MAC address then press B for Back to return to the Stacking Menu 4 Display the Commander s Stack Management screen by selecting 4 Stack Management For an example of this screen see figure 13 9 on page 13 17 5 Press A for Add to add the Member You will then see a screen listing any available candidates See figure 13 10 on page 13 17 Note that you will not see the...

Page 618: ...to the Member s interface and entering the MAC address of the destination stack Commander in the Member s Commander MAC Address field Using this method moves the Member to another stack without a need for knowing the Manager password in that stack but also blocks access to the Member from the original Commander Using the Commander s Menu To Remove a Stack Member These rules affect removals from a ...

Page 619: ...scriptions see the table on page 13 44 Stack Member List Figure 13 13 Example of Stack Management Screen with Stack Members Listed 2 Use the downarrow key to select the Member you want to remove from the stack Figure 13 14 Example of Selecting a Member for Removal from the Stack 3 Type D for Delete to remove the selected Member from the stack You will then see the following prompt Figure 13 15 The...

Page 620: ...ack s Commander to access the Member s console interface for the same configu ration and monitoring that you would do through a Telnet or direct connect access 1 From the Main Menu select 9 Stacking 5 Stack Access You will then see the Stack Access screen For status descriptions see the table on page 13 44 Figure 13 16 Example of the Stack Access Screen Use the downarrow key to select the stack Me...

Page 621: ...nder s Stack Access screen a Return to the Member s Main Menu b Press 0 for Logout then Y for Yes c Press Return You should now see the Commander s Stack Access screen For an example see figure 13 16 on page 13 22 Converting a Commander or Member to a Member of Another Stack When moving a commander the following procedure returns the stack mem bers to Candidate status with Auto Join set to No and ...

Page 622: ...r stack environment see Stacking Operation with a Tagged VLAN on page 13 43 This can help you in such ways as determining the stacking configuration for individual switches identifying stack Members and Candidates and determining the status of individual switches in a stack See table 13 5 on page 13 24 Table 13 5 Stack Status Environments Screen Name Commander Member Candidate Stack Status This Sw...

Page 623: ...ured for stacking and select 9 Stacking 2 Stacking Status All You will then see a Stacking Status screen similar to the following For status descriptions see the table on page 13 44 Figure 13 18 Example of Stacking Status for All Detected Switches Configured for Stacking Viewing Commander Status This procedure displays the Commander and stack configuration plus information identifying each stack m...

Page 624: ...us the Commander s status IP address and MAC address To display the status for a Member 1 Go to the console Main Menu of the Commander switch and select 9 Stacking 5 Stack Access 2 Use the downarrow key to select the Member switch whose status you want to view then press X for eXecute You will then see the Main Menu for the selected Member switch 3 In the Member s Main Menu screen select 9 Stackin...

Page 625: ...date s stacking configuration To display the status for a Candidate 1 Use Telnet if the Candidate has a valid IP address for your network or a direct serial port connection to access the menu interface Main Menu for the Candidate switch and select 9 Stacking 1 Stacking Status This Switch You will then see the Candidate s Stacking Status screen Figure 13 21 Example of a Candidate s Stacking Screen ...

Page 626: ...idual status all Lists all stack Commanders Members and Candidates with their individual status no stack Any Stacking Capable Switch Enables or disables stacking on the switch Default Stacking Enabled no stack commander stack name Candidate or Commander Converts a Candidate to a Commander or changes the stack name of an existing commander No form eliminates named stack and returns Commander and st...

Page 627: ...tack member To view the list of SN assignments for a stack execute the show stack command in the Commander s CLI no stack join mac addr Candidate Causes the Candidate to join the stack whose Commander has the indicatedMAC address No form isusedin a Member to remove it from the stack of the Commander having the specified address Member Pushes the member to another stack whose Commander has the indi...

Page 628: ...s how to use the CLI in a to display the stack status for that switch In this case the switch is in the default stacking configuration Syntax show stack Figure 13 22 Example of Using the Show Stack Command To List the Stacking Configuration for an Individual Switch Viewing the Status of Candidates the Commander Has Detected This example illustrates how to list stack candidates the Commander has di...

Page 629: ...ack all command was executed is a candidate it is included in the Others category Syntax show stack all Figure 13 24 Result of Using the Show Stack All Command To List Discovered Switches in the IP Subnet Viewing the Status of the Commander and Current Members of the Commander s Stack The next example lists all switches in the stack of the selected switch Syntax show stack view Figure 13 25 Exampl...

Page 630: ...st have an IP address in order for stacking to operate properly For more on the primary VLAN see The Primary VLAN on page 2 43 2 Configure a Manager password on the switch intended for commander The Commander s Manager password controls access to stack Mem bers For more on passwords see the local manager and operator pass word information in the Access Security Guide for your switch Configure the ...

Page 631: ...onvert the Member to the Commander of a New Stack This procedure requires that you first remove the Member from its current stack then create the new stack If you do not know the MAC address for the Commander of the current stack use show stack to list it Syntax no stack stack commander stack name Suppose for example that an HP switch named Bering Sea is a Member of a stack named Big_Waters To use...

Page 632: ...rom other stacks that may exist in the same subnet You cannot add a Candidate that the Commander has not discovered In its default configuration the Commander s Auto Grab parameter is set to No to give you manual control over which switches join the stack and when they join This prevents the Commander from automatically trying to add every Candidate it finds that has Auto Join set to Yes the defau...

Page 633: ...der automatically adds a new Member it assigns an SN from the available pool of unused SNs In this stack the only SNs in use are 0 and 1 so youcan useanySNnumberfrom 2through 15 for new Members The SN of 0 is always reserved for the stack Commander Figure 13 28 Example of How To Determine Available Switch Numbers SNs To display all discovered Candidates with their MAC addresses execute show stack ...

Page 634: ...ng a New Member Using Auto Join on a Candidate In the default configuration a Candi date s Auto Join parameter is set to Yes meaning that it will automatically join a stack if the stack s Commander detects the Candidate and the Com mander s Auto Grab parameter is set to Yes You can disable Auto Join on a Candidate if you want to prevent automatic joining in this case There is also the instance whe...

Page 635: ...se that a Candidate named North Sea with Auto Join off and a valid IP address of 10 28 227 104 is running on a network You could Telnet to the Candidate use show stack all to determine the Commander s MAC address and then push the Candidate into the desired stack 1 Telnet to the Candidate named North Sea 2 Use show stack all to display the Commander s MAC address 3 Set the Candidate CLI to Config ...

Page 636: ...ng command to pull the desired switch into the new stack HPswitch config stack member 1 mac address 0060b0 df1a00 Where 1 is an unused switch number SN Since a password is not set on the Candidate a password is not needed in this example You could then use show stack all again to verify that the move took place Using a Member CLI To Push the Member into Another Stack You can use the Member s CLI t...

Page 637: ...Candidate HelpsyoutoidentifytheMACaddressofthe Commander for the Big_Waters stack Adds the former Test Commander to the Big_Waters stack Figure 13 33 Example of Command Sequence for Converting a Commander to a Member Using the CLI To Remove a Member from a Stack You can remove a Member from a stack using the CLI of either the Commander or the Member Not e When you remove a Member from a stack the ...

Page 638: ...tch from the stack HPswitch config no stack member 3 mac address 0030c1 7fc700 where 3 is the North Sea Member s switch number SN 0030c1 7fc700 is the North Sea Member s MAC address Using the Member s CLI To Remove the Member from a Stack Syntax no stack join mac addr To use this method you need the Commander s MAC address which is available using the show stack command in the Member s CLI For exa...

Page 639: ...ch number SN assigned by the Com mander to each member range 1 15 To find the switch number for the Member you want to access execute the show stack view command in the Commander s CLI For example suppose that you wanted to configure a port trunk on the switch named North Sea in the stack named Big_Waters Do do so you would go to the CLI for the Big_Waters Commander and execute show stack view to ...

Page 640: ...ember it stillbelongstothepublicSNMPcommunitybecause it has IP addressing of its own But with the loss of stack Membership Switch 1 loses membership in the blue and red communities because they are not specifically configured in the switch If Member Switch 2 ceases to be a stack Member it loses membership in all SNMP communities If Member Switch 3 ceases to be a stack Member it loses membership in...

Page 641: ...enable stacking on the switch before it can become a Candidate Member or Commander Disabling a Member Removes the Member from the stack and changes it to a stand alone nonstacking switch You must re enable stacking on the switch before it can become a Candidate Member or Commander Disabling a Candidate Changes the Candidate to a stand alone non stacking switch Syntax no stack Disables stacking on ...

Page 642: ...er has lost connectivity to its Commander Down Commander Up The Member has stacking connectivity with the Commander Mismatch This maybe a temporary conditionwhile aCandi dateistryingtojoinastack IftheCandidatedoes not join then stack configuration is inconsistent Member Down A Memberhasbecome detachedfrom the stack A possible cause is an interruption to the link between the Member and the Commande...

Page 643: ...guous ACEs differences 10 18 contiguous ACEs mask use 10 18 contiguous ACEs resource use 10 18 copy operation appends 10 68 create CLI method 10 41 DA defined 10 7 10 8 definitions 10 6 deny any implicit 10 10 10 12 10 13 10 16 10 26 10 27 10 28 10 36 10 39 10 41 deny any implicit supersede 10 36 deny any implicit switched packets 10 14 deny any rule use 10 18 deny defined 10 7 editing 10 41 end 1...

Page 644: ...e also ACL 5300xl sequence ACEs 10 41 source routing caution 10 11 10 35 standard ACL resource use 10 19 standard defined 10 9 10 35 standard example 10 45 standard resource use 10 18 standard structure 10 37 standard use 10 9 10 43 static VLAN requirement 10 11 10 28 10 29 supernetting 10 31 supersede implicit deny any 10 39 switched packets 10 14 syntax See command syntax Syslog See ACL 3400cl 6...

Page 645: ...IP address 9 23 match always 9 31 match criteria 9 22 match example 9 23 match ignored 9 18 maximum allowed 9 18 9 33 name or number assignment 9 31 name string maximum characters 9 26 9 33 nonexistent i d assign 9 31 number of entries 9 9 offline creation 9 56 operation with PIM 5 35 operator comparison 9 40 outbound traffic defined 9 7 performance degraded 9 10 permit defined 9 7 planning 9 10 9...

Page 646: ...f QoS 8 1 bandwidth loss spanning tree 6 49 blocked link from STP operation 6 8 6 50 blocked port from IGMP operation 4 5 from STP operation 6 7 6 48 Bootp gateway ignored 2 44 BPDU 3 3 6 5 bridge protocol data unit 3 3 broadcast domain 2 3 broadcast storm 6 3 6 9 7 4 broadcast traffic 7 18 effect of ACL 9 63 enabling forwarding of directed 11 14 broadcast traffic 3400cl 6400cl effect of ACL 10 75...

Page 647: ...nnecting 7 26 downstream device QoS definition 8 5 effect of priority settings 8 8 DR designated router OSPF 11 35 election 11 35 DSCP Policy Table 8 63 policy defined 8 5 See also priority E enabling XRRP CLI 12 15 enabling OSPF 11 40 enabling RIP 11 23 enabling RSTP CLI 6 13 menu interface 6 18 web browser interface 6 20 enabling STP CLI 6 13 event log See log examples XRRP configuration 12 16 E...

Page 648: ...witch 3 11 recommended tagging 3 11 standard 3 3 tagged dynamic VLAN 3 4 unknown VLAN 3 11 unknown VLAN options 3 7 VLAN behavior 2 11 VLAN dynamic adds 2 25 VLAN maximum 3 18 with QoS 8 51 H helper address for DHCP Relay 11 74 hop count mesh switch See also mesh I IANA 9 41 10 51 11 81 ICMP configuring 11 15 disabling messages 11 15 IEEE 802 1 standard 7 22 IGMP benefits 4 3 configuration 4 11 co...

Page 649: ...ting table 11 68 enabling 11 40 enabling redistribution 11 50 general information 11 53 overview 11 34 redistribution information 11 64 overview 11 3 parameter configuring 11 10 Proxy ARP enabling 11 13 required for ACLs 9 3 9 4 RIP configuration 11 21 displaying configuration and status 11 27 enabling 11 23 general information 11 28 interface information 11 30 overview 11 21 parameters and defaul...

Page 650: ...defined 7 4 dynamic vlan 7 24 edge switch 7 4 7 18 filtering 7 22 GVRP 7 24 GVRP requirement 7 6 hop count 7 5 7 25 See mesh hop count hub not allowed 7 5 7 7 IGMP requirement 7 6 increase STP cost 7 21 IP routing not allowed 7 6 jumbo packets 7 24 LACP dynamic trunk effect 7 5 link blocked 7 21 link to non mesh switch 7 20 links multiple 7 26 management VLAN 2 48 maximum domain size 7 25 multicas...

Page 651: ...42 ASBR 11 35 authentication description 11 44 MD5 11 44 11 48 simple password 11 44 11 48 autonomous system 11 34 configuration rules 11 39 configuring 11 34 displaying information 11 53 area 11 55 external LSA 11 56 interface 11 57 11 59 LSA 11 60 neighbor 11 62 redistribution 11 64 route 11 68 virtual link 11 66 virtual neighbor 11 65 DR designated router 11 35 election 11 35 enabling 11 40 glo...

Page 652: ...ware 5 10 5 13 flow multicast limit 5 10 5 37 flow software 5 10 5 13 flow VLAN limit 5 4 forwarding state 5 7 general application 5 3 general operation 5 4 graft packets 5 16 5 17 group entry age out 5 25 hello hold time 5 15 5 29 hello interval effect 5 15 host 5 9 IGMP required per VLAN 5 9 IGMP requirement 5 3 5 35 IGMP version 1 5 4 IGMP version 2 5 4 IGMP version 3 5 4 IGMP per VLAN 5 5 IP a...

Page 653: ...6 42 port based access control no mesh 7 5 precedence bits QoS definition 8 5 primary VLAN See VLAN priority 4 5 802 1p priority defined 8 5 codepoint defined 8 5 downstream device defined 8 5 DSCP policy defined 8 5 DSCP defined 8 5 inbound port defined 8 5 outbound port defined 8 5 upstream device defined 8 6 priority QoS criteria for prioritizing packets 8 9 protocol priority 8 49 type of servi...

Page 654: ...ee IGMP restrict redistribution OSPF configuring 11 48 displaying 11 64 RIP displaying 11 33 revision number 6 51 RFC 2178 11 36 RFC 2178 compliance enabling for OSPF 11 52 RFC 2932 5 4 RFC 2932 MIB exceptions 5 41 RFCs PIM applicable 5 40 RIP changing RIP type 11 24 changing route loop prevention 11 27 changing the RIP metric 11 24 configuring 11 21 11 23 displaying information 11 27 11 28 displa...

Page 655: ...distribution information 11 33 restrict filter information 11 33 source routing 3400cl 6400cl caution 10 11 source routing 5300xl caution 9 11 9 25 source routing caution 10 35 static route types 11 17 routing UDP broadcast forward See UDP broadcast forwarding RSTP configuring 6 11 configuring per port parameters 6 16 configuring whole switch parameters 6 14 configuring with the CLI 6 12 configuri...

Page 656: ...2 1D connection requirement 6 61 802 1Q VLANs 6 49 802 1s standard compliant 6 44 802 1w as a region 6 51 activation 6 58 active path 6 48 active paths 6 52 bandwidth loss 6 49 benefit 6 44 blocked traffic 6 49 boundary port region 6 51 6 52 boundary port VLAN membership 6 49 BPDU 6 49 6 55 6 59 6 60 6 61 BPDU requirement 6 51 BPDU function 6 51 bridge 6 51 bridge designated for region 6 51 cautio...

Page 657: ...ns 6 53 6 55 redundant links 6 49 region 6 3 6 45 6 46 region name 6 51 6 58 region root switch 6 46 region configuration name 6 78 region Configuration Revision number 6 78 region defined 6 51 region enabling 6 69 region root bridge 6 50 region RSTP bridge 6 52 region switch configuration 6 52 region switch excluded 6 78 region view configuration 6 76 region VLAN assignments 6 51 regional boundar...

Page 658: ...icit deny any 3400cl 6400cl 10 36 supersede implicit deny any 5300xl 9 27 switch meshing See mesh Syslog See ACL 3400cl6400cl logging See ACL 5300xl logging T tables ARP cache 11 5 IP 11 4 IP route 11 5 terminology XRRP 12 2 ToS See Class of Service transit area OSPF 11 45 trap OSPF 11 51 XRRP 12 18 trunk spanning tree example 6 50 Type of Service using to prioritize IP traffic 8 36 Type of Servic...

Page 659: ...19 multiple VLANs on port 2 40 non routable 2 48 number allowed including dynamic 2 25 per port configuration options 2 12 port assignment 2 25 port configuration 2 42 port monitoring 2 52 port restriction 2 53 port trunk 2 52 port based 2 4 primary 2 32 2 43 13 8 13 32 13 44 primary CLI command 2 28 2 31 primary select in menu 2 22 primary web configure 2 37 primary with DHCP 2 13 prioritizing tr...

Page 660: ...atic 802 1s spanning tree 6 46 voice VLAN See VLAN VoIP See VLAN voice W warranty 1 ii web browser interface enabling RSTP 6 20 web browser interface for configuring IGMP 4 11 STP 6 43 wildcard ACL 3400cl 6400cl defined 10 9 wildcard 3400cl 6400cl See ACL 3400cl 6400cl wildcard 5300xl See ACL 5300xl wildcard 5300xl ACL defined 9 7 write memory 3 18 X XRRP advertisement interval 12 2 configuring 12...

Page 661: ...operation 12 3 owner 12 2 peer router connectivity requirements 12 10 Protection Domain 12 2 show statistics 12 19 show traps 12 18 terminology 12 2 virtual router 12 2 xrrp command domain parameter 12 12 failback parameter 12 13 instance parameter 12 13 router parameter 12 12 syntax 12 12 trap parameter 12 13 Index 19 ...

Page 662: ... This page is intentionally unused 20 Index ...

Page 663: ......

Page 664: ...ange without notice Copyright 2000 2005 Hewlett Packard Development Company L P Reproduction adaptation or translation without prior written permission is prohibited except as allowed under the copyright laws January 2005 Rev B Manual Part Number 5990 6051 ...

Reviews:

No comments