HP L.11.09, Release Note

Page 1: ...te Downloading and booting software release L 10 20 or greater for the first time automatically enables SNMP access to the hpSwitchAuth MIB objects If this is not desirable for your network ProCurve recommends thatyou disable it after downloading and rebooting with the latest switch software For more information refer to Switch Management Access Security on page 8 and Using SNMP To View and Config...

Page 2: ... product includes cryptographic software written by Eric Young eay cryptsoft com This product includes software written by Tim Hudson tjh cryptsoft com Disclaimer HEWLETT PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE Hewlett Packard shall not be liable for errors...

Page 3: ...witch Management Access Security 8 Default Settings Affecting Security 8 Local Manager Password 9 Inbound Telnet Access and Web Browser Access 9 Secure File Transfers 9 SNMP Access Simple Network Management Protocol 10 Physical Access to the Switch 11 Other Provisions for Management Access Security 12 Network Access Security 13 Access Control Lists ACLs 13 Web and MAC Authentication 13 Secure Shel...

Page 4: ...9 Enhancements 33 DHCP Snooping Overview 33 Enabling DHCP Snooping 33 Enabling DHCP Snooping on VLANS 36 Configuring DHCP Snooping Trusted Ports 36 Configuring Authorized Server Addresses 37 Using DHCP Snooping with Option 82 38 The DHCP Binding Database 41 Release L 10 10 Enhancements 44 Release L 10 11 Enhancements 44 Release L 10 20 Enhancements 45 Spanning Tree Per Port BPDU Filtering 46 Spann...

Page 5: ...n Affects VLAN Operation 79 System Location and Contact String Size Increase 85 Show VLAN Ports CLI Command Enhancement 87 Configuring the Privilege Mode Option 91 Send SNMP v2c Informs 92 RADIUS Server Unavailable 94 Concurrent TACACS and SFTP 97 MSTP VLAN Configuration Enhancement 97 Rebooting and Reloading the Switch 103 Release L 11 09 Enhancements 105 Software Fixes in Release L 10 01 L 11 09...

Page 6: ...vi Release L 10 23 113 Release L 10 24 113 Release L 10 25 114 Release L 10 26 115 Release L 10 27 115 Release L 10 28 115 Release L 11 08 116 Release L 11 09 117 ...

Page 7: ...are Version 1 Go to the ProCurve Networking Web site at www procurve com 2 Click on Software updates in the sidebar 3 Under Latest software click on Switches To Download Product Documentation You will need the Adobe Acrobat Reader to view print and or copy the product documentation 1 Go to the ProCurve Networking Web site at www procurve com 2 Click on Technical support then Product manuals 3 Clic...

Page 8: ... an Xmodem transfer from a PC or Unix workstation do either of the following Select Download OS in the Main Menu of the switch s menu interface and select the Xmodem option Use the copy xmodem command in the switch s CLI page 4 Use the download utility in ProCurve Manager Plus Not e Downloading new software does not change the current switch configuration The switch configu ration is contained in ...

Page 9: ...server it displays the progress message shown in figure 1 When the CLI prompt re appears the switch is ready to reboot to activate the downloaded software Figure 1 Message Indicating the Switch Is Ready To Activate the Downloaded Software 3 Use the show flash command to verify that the new software version is in the expected flash area primary or secondary 4 Reboot the switch from the flash area t...

Page 10: ...r example to change the baud rate in the switch to 115200 execute this command ProCurve config console baud rate 115200 If you use this option be sure to set your terminal emulator to the same baud rate Changing the console baud rate requires saving to the Startup Config with the write memory command Alternatively you can logout of the switch and change your terminal emulator speed and allow the s...

Page 11: ...guration change you must save the running configuration to the startup config file Startup Config File Exists in flash non volatile memory and preserves the most recently saved configuration as the permanent configuration When the switch reboots for any reason an exact copy of the current startup config file becomes the new running config file in volatile memory When you use the CLI to make a conf...

Page 12: ...ies 5406zl 5406zl 48G 5412zl and 5412zl 96G and Switch 8212zl L Switch 4200vl Series 4204vl 4208vl 4202vl 72 and 4202vl 48G M Switch 3400cl Series 3400 24G and 3400 48G M 08 51 though M 08 97 or M 10 01 and greater Series 6400cl 6400cl 6XG CX4 and 6410cl 6XG X2 M 08 51 though M 08 95 or M 08 99 to M 08 100 and greater N Switch 2810 Series 2810 24G and 2810 48G PA PB Switch 1800 Series Switch 1800 ...

Page 13: ...are Version J8768A ProCurve Switch vl 24 port Gig T Module L 10 23 J9030A ProCurve Switch 4208vl 72GS 68 10 100 1000 4 SFP L 10 23 J9033A ProCurveSwitchvl20 portGig T 4 portSFPModule L 10 23 J9064A ProCurve Switch 4204vl 48GS 44 10 100 1000 4 SFP L 10 23 J8766A ProCurve Switch vl 10 GbE X2 Module L 11 08 Operating System Internet Explorer Java Windows NT 4 0 SP6a 5 00 5 01 5 01 SP1 6 0 SP1 Sun Jav...

Page 14: ...ccess security features and applications For information on specific features refer to the software manuals provided for your switch model Caution In its default configuration the switch is open to unauthorized access of various types ProCurve recommends that you review this section to help ensure that you recognize the potential for unauthorized switch and network access and are aware of the feat...

Page 15: ...ides Telnet like connections through encrypted and authenticated transactions SSLv3 TLSv1 provides remote web browser access to the switch via encrypted paths between the switch and management station clients capable of SSL TLS operation For information on SSH and SSL TLS refer to the chapters on these topics in the Advanced Traffic Management Guide for your switch Also access security on the swit...

Page 16: ...ccess or no access co existing with SNMPv1 and v2c if necessary For more on SNMPV3 refer to the next subsection and to the chapter titled Configuring for Network Management Applications in the Management and Configuration Guide for your switch SNMP Access to the Switch s Authentication Configuration MIB A management station running an SNMP networked device management application such as ProCurve M...

Page 17: ...in the Management and Configuration Guide for your switch Physical Access to the Switch Physical access to the switch allows the following use of the console serial port CLI and Menu interface for viewing and changing the current configuration and for reading status statistics and log messages use of the switch s Clear and Reset buttons for these actions clearing removing local password protection...

Page 18: ... your switch RADIUS Authentication For each authorizedclient RADIUS can be used to authenticate operator or manager access privileges on the switch via the serial port CLI and Menu interface Telnet SSH and Secure FTP Secure Copy SFTP SCP access methods Refer to the chapter titled RADIUS Authentication and Accounting in the Access Security Guide for your switch TACACS Authentication This applicatio...

Page 19: ...dvanced Traffic Management Guide for your switch model Web and MAC Authentication These options are designed for application on the edge of a network to provide port based security measures for protecting private networks and the switch itself from unauthorized access Because neither method requires clients to run any special supplicant software both are suitable for legacy systems and temporary a...

Page 20: ...ure alternative to TFTP for transferring sensitive switch information Refer to the chapter titled Configuring Secure Shell SSH in the Access Security Guide for your switch model For more on SC and SFTP refer to the section titled Using Secure Copy and SFTP in the File Transfers appendixoftheManagement and Configuration Guidefor your switch model Secure Socket Layer SSLv3 TLSv1 This feature include...

Page 21: ...t based or client based authentication through a RADIUS server to protect the switch from unauthorized access and to enable the use of RADIUS based user profiles to control client access to network services Included in the general features are the following client based access control supporting up to 32 authenticated clients per port port based access control allowing authentication by a single c...

Page 22: ...ic VLAN MAC lockout This feature enables blocking of a specific MAC address so that the switch drops all traffic to or from the specified address IP lockdown Available on Series 2600 and 2800 switches only this feature enables restric tion of incoming traffic on a port to a specific IP address subnet and denies all other traffic on that port Refer to the chapter titled Configuring and Monitoring P...

Page 23: ...r use on the network edge It is primarily focused on the class of worm like malicious code that tries to replicate itself by taking advantage of weaknesses in network applications behind unsecured ports In this case the malicious code tries to create a large number of outbound IP connections on a routed interface in a short time Connection Rate filtering detects hosts that are generating routed tr...

Page 24: ...tions have been added to CLI spanning tree legacy path cost Use 802 1D values for default path cost no spanning tree legacy path cost Use 802 1t values for default path cost The legacy path cost CLI command does not affect or replace functionality of the spanning tree force version command The spanning tree force version controls whether MSTP will send and process 802 1w RSTP or 802 1D STP BPDUs R...

Page 25: ...Management Guide for your switch When the routing switch is used as a DHCP relay agent with Option 82 enabled it inserts a relay agent information option into client originated DHCP packets being forwarded to a DHCP server The option automatically includes two suboptions Circuit ID the identity of the port through which the DHCP request entered the relay agent Remote ID the identity IP address of ...

Page 26: ...switch Requires that a Management VLAN is already configured on the switch If the Management VLAN is multinetted then the primary IP address configured for the Management VLAN is used for the remote ID ip Specifies the IP address of the VLAN on which the client DHCP packet enters the routing switch In the case of a multinetted VLAN the remote ID suboption uses the IP address of the subnet on which...

Page 27: ...via an snmp request Beginning with software release L 10 06 the 4200vl switches have added the following show sFlow commands that allow you to see sFlow status via the CLI Client Remote ID giaddr DHCP Server X 10 38 10 1 10 39 10 1 A only If a DHCP client is in the Management VLAN then its DHCP requests can go only to a DHCP server that is also in the Management VLAN Routing to other VLANs is not ...

Page 28: ...ation to present detailed Layer 2 to Layer 7 usage statistics Viewing SFlow Configuration The showsflowagent command displays read only switch agent information The version information shows the sFlow MIB support and software versions the agent address is typically the ip address of the first vlan configured on the switch Figure 3 Viewing sFlow Agent Information Syntax show sflow destination Displ...

Page 29: ... this can also be set by the management station The show sflow sampling polling command displays information about sFlow sampling and polling on the switch You can specify a list or range of ports for which to view sampling information Figure 5 Example of Viewing sFlow Sampling and Polling Information The show sflow all command combines the outputs of the preceding three show commands including sF...

Page 30: ...ted As a result each switch continues to send traffic on the ports connected to the failed link When UDLD is enabled on the trunk ports on each ProCurve switch the switches detect the failed link block the ports connected to the failed link and use the remaining ports in the trunk group to forward the traffic Similarly UDLD is effective for monitoring fiber optic links that use two uni direction f...

Page 31: ...unplugged disabled or fixed The port can also be unblocked by disabling UDLD on the port Configuration Considerations UDLD is configured on a per port basis and must be enabled at both ends of the link See the note below for a list of ProCurve switches that support UDLD To configure UDLD on a trunk group you must configure the feature on each port of the group individually Configuring UDLD on a tr...

Page 32: ...packet You can specify from 10 100 in 100 ms increments where 10 is 1 second 11 is 1 1 seconds and so on Default 50 5 seconds Syntax link keepalive retries num Determines the maximum number of retries to send UDLD control packets The num parameter specifies the maximum number of times the port will try the health check You can specify a value from 3 10 Default 5 Syntax no interface port list link ...

Page 33: ... ration level ProCurve config link keepalive retries 4 Configuring UDLD for Tagged Ports The default implementation of UDLD sends the UDLD control packets untagged even across tagged ports If an untagged UDLD packet is received by a non ProCurve switch that switch may reject the packet To avoid such an occurrence you can configure ports to send out UDLD control packets that are tagged with a speci...

Page 34: ... enabled ports on the switch Syntax clear link keepalive statistics Clears UDLD statistics This command clears the packets sent packets received and transitions counters in the show link keepalive statistics display Port 5 has been disabled by the System Administrator ProCurve config show link keepalive Total link keepalive enabled ports 4 Keepalive Retries 3 Keepalive Interval 1 sec Port Enabled ...

Page 35: ...Port 1 Current State up Neighbor MAC Addr 0000a1 b1c1d1 Udld Packets Sent 1000 Neighbor Port 5 Udld Packets Received 1000 State Transitions 2 Port Blocking no Link vlan 1 Port 2 Current State up Neighbor MAC Addr 000102 030405 Udld Packets Sent 500 Neighbor Port 6 Udld Packets Received 450 State Transitions 3 Port Blocking no Link vlan 200 Port 3 Current State off line Neighbor MAC Addr n a Udld P...

Page 36: ...port 7 belongs to VLAN 1 and 22 but the user tries to configure UDLD on port 7 to send tagged packets in VLAN 4 the configuration will be accepted The UDLD control packets will be sent tagged in VLAN 4 which may result in the port being blocked by UDLD if the user does not configure VLAN 4 on this port no vlan 22 tagged 20 Possible configuration problem detected on port 18 UDLD VLAN configuration ...

Page 37: ...e reception of incoming frames Prerequisite As documented in the IEEE 802 1X standard the disabling of incoming traffic and transmission of outgoing traffic on an 802 1X aware egress port in an unauthenticated state using the aaa port access controlled directions in command is supported only if The port is configured as an edge port in the network using the spanning tree edge port command The 802 ...

Page 38: ...raversing the network Operating Notes Using the aaa port access controlled directions in command you can enable the transmission of Wake on LAN traffic on unauthenticated egress ports that are configured for 802 1X Because a port can be configured for more than one type of authentication to protect the switch from unauthorized access the last setting you configure with the aaa port access controll...

Page 39: ...ommand Condition for Dropping a Packet Packet Types A packet from a DHCP server received on an untrusted port DHCPOFFER DHCPACK DHCPNACK If the switch is configured with a list of authorized DHCP server addresses and a packet is received from a DHCP server on a trusted port with a source IP address that is not in the list of authorized DHCP server addresses DHCPOFFER DHCPACK DHCPNACK Unless config...

Page 40: ...enter a URL in the format tftp ip addr ascii string The maximum number of characters for the URL is 63 option Add relay information option Option 82 to DHCP client packets that are being forwarded out trusted ports The default is yes add relay information trust Configure trusted ports Only server packets received on trusted ports are forwarded Default untrusted verify Enables DHCP packet validatio...

Page 41: ...tistics ProCurve config show dhcp snooping DHCP Snooping Information DHCP Snooping Yes Enabled Vlans Verify MAC Yes Option 82 untrusted policy drop Option 82 Insertion Yes Option 82 remote id mac Store lease database Not configured Port Trust B1 No B2 No B3 No ProCurve config show dhcp snooping stats Packet type Action Reason Count server forward from trusted port 8 client forward to trusted port ...

Page 42: ...g enabled on VLAN 4 Figure 12 Example of DCHP Snooping on a VLAN Configuring DHCP Snooping Trusted Ports By default all ports are untrusted To configure a port or range of ports as trusted enter this command ProCurve config dhcp snooping trust port list You can also use this command in the interface context in which case you are not able to enter a list of ports ProCurve config dhcp snooping vlan ...

Page 43: ...ource address in the authorized server list in order to be considered valid If no authorized servers are configured all servers are considered valid You can configure a maximum of 20 authorized servers To configure a DHCP authorized server address enter this command in the global configuration context ProCurve config dhcp snooping authorized server ip address ProCurve config dhcp snooping trust B1...

Page 44: ...lay Option 82 command are ignored when snooping is controlling Option 82 insertion Option 82 inserted in this manner allows the association of the client s lease with the correct port even when another device is acting as a DHCP relay or when the server is on the same subnet as the client Note DHCP snooping only overrides the Option 82 settings on a VLAN that has snooping enabled not on VLANS with...

Page 45: ... in the packet remote id Set the value used for the remote id field of the relay information option mac The switch mac address is used for the remote id This is the default subnet ip The IP address of the VLAN the packet was received on is used for the remote id If subnet ip is specified but the value is not set the MAC address is used mgmt ip The management VLAN IP address is used as the remote i...

Page 46: ...igure 15 Example of DHCP Snooping Option 82 using the VLAN IP Address Disabling the MAC Address Check DHCP snooping drops DHCP packets received on untrusted ports when the check address chaddr field in the DHCP header does not match the source MAC address of the packet default behavior To disable this checking use the no form of this command ProCurve config dhcp snooping verify mac ProCurve config...

Page 47: ... this location use this command Syntax no dhcp snooping database file tftp ip address ascii string delay 15 86400 timeout 0 86400 file Must be in Uniform Resource Locator URL format tftp ip address ascii string The maximum filename length is 63 characters delay Number of seconds to wait before writing to the database Default 300 seconds timeout Number of seconds to wait for the database file trans...

Page 48: ... Logging To enable debug logging for DHCP snooping use this command Operational Notes DHCP is not configurable from the web management interface or menu interface If packets are received at too high a rate some may be dropped and need to be re transmitted ProCurve recommends running a time synchronization protocol such as SNTP in order to track lease times accurately A remote server must be used t...

Page 49: ...server packet is received from a server that is not configured as an authorized server Ceasing unauthorized server logs for duration More than one unauthorized server packet was dropped To avoid filling the log file with repeated attempts unauthorized server transmit attempts will not be logged for the specified duration Received untrusted relay information from client mac address on port port num...

Page 50: ...ot be added to it Write database to remote file failed errno error num An error occurred while writing the temporary file and sending it using tftp to the remote server DHCP packets being rate limited Too many DHCP packets are flowing through the switch and some are being dropped Snooping table is full The DHCP binding table is full and subsequent bindings are being dropped Release L 10 10 Enhance...

Page 51: ...osure enhancement See TCP UDP Port Closure on page 54 Enhancement PR_1000330743 Denial of Service logging enhancement with imple mentation of Instrumentation Monitor See Instrumentation Monitor on page 56 Enhancement PR_1000338847 Added support for the Advanced Encryption Standard AES privacy protocol for SNMPv3 See Adding SNMPv3 Users With AES on page 60 Enhancement PR_1000339546 Addition of the ...

Page 52: ...service attacks with spoofing spanning tree BPDUs by dropping incoming BPDU frames Note BPDU protection imposes a more secure mechanism that implements port shut down and a detection alert when an errant BPDU frame is received see page 49 for details BPDU protection will take precedence over BPDU filtering if both features have been enabled on the same port Configuring STP BPDU Filters The followi...

Page 53: ...rant BPUDUs received 65 MST Region Boundary Yes External Path Cost 200000 External Root Path Cost 420021 Administrative Hello Time Use Global Operational Hello Time 2 AdminEdgePort No OperEdgePort No AdminPointToPointMAC Force True OperPointToPointMAC Yes Aged BPDUs Count 0 Loop back BPDUs Count 0 TC ACK Flag Transmitted 0 TC ACK Flag Received 0 MST MST CFG CFG TCN TCN BPDUs Tx BPDUs Rx BPDUs Tx B...

Page 54: ...s filter state Figure 21 Example of BPDU Filter Status in Show Spanning Tree Configuration Command ProCurve show spanning tree Multiple Spanning Tree MST Information STP Enabled Yes Force Version MSTP operation IST Mapped VLANs 1 7 Protected Ports Filtered Ports A6 A7 Row showing ports with BPDU filters enabled ProCurve config show configuration spanning tree spanning tree A7 bpdu filter spanning ...

Page 55: ...minology BPDU Acronym for bridge protocol data unit BPDUs are data messages that are exchanged between the switches within an extended LAN that use a spanning tree protocol topology BPDU packets contain information on ports addresses priorities and costs and ensure that the data ends up where it was intended to go BPDU messages are exchanged across bridges to detect loops in a network topology The...

Page 56: ...nning Tree Protocol MSTP standard Under standard settings your MSTP configured switch interoperates effectively with both STP IEEE 802 1D and RSTP IEEE 802 1w spanning tree devices For more information refer to the chapter entitled Multiple Instance Spanning Tree Operation in the Advanced Traffic Management Guide for your switch Configuring BPDU Protection The following commands allow you to confi...

Page 57: ... release L 10 20 the 4200 switches allow by default manager only SNMP read write access to a subset of the authentication MIB objects for the following features ProCurve show spanning tree 1 10 Multiple Spanning Tree MST Information STP Enabled Yes Force Version MSTP operation IST Mapped VLANs 1 7 Protected Ports 3 7 9 Filtered Ports 10 Prio Designated Hello Port Type Cost rity State Bridge Time P...

Page 58: ...MIB are not returned via SNMP and the response to SNMP queries for such information is a null string However SNMP sets can be used to configure password and key MIB objects To help prevent unauthorized access to the switch s authentication MIB ProCurve recommends enhancing security according to the guidelines under Switch Management Access Security on page 8 If you do not want to use SNMP access t...

Page 59: ...vel SNMP read write access to the switch s authentica tion configuration hpSwitchAuth MIB Default included Syntax show snmp server The output for this command has been enhanced to display the current access status of the switch s authentication configuration MIB in the Excluded MIBs field ProCurve config snmp server mib hpswitchauthmib excluded ProCurve config show snmp server SNMP Communities Com...

Page 60: ...efer to the following command listings For details on each service refer to the latest version of the switch s software documentation available on the ProCurve Networking Web site Enabling Disabling TFTP The TFTP server and client can be enabled and or disabled independently Port Service 69 TFTP 161 SNMP 520 RIP 1507 Stacking SNMP Syntax no tftp client server ProCurve config show run Running confi...

Page 61: ...ing Disabling RIP To enable disable RIP use the following command Note The router rip command exists in previous software versions In this implementation however RIP must be enabled in order to open the port on the switch Enables or disables the TFTP client client Enables or disables the TFTP client Default disabled server Enables or disables the TFTP server Default disabled Note Both the tftpcomm...

Page 62: ...ed with a virus that is trying to spread itself ip address count The number of destination IP addresses learned in the IP forwarding table Some attacks fill the IP forwarding table causing legitimate traffic to be dropped system resource usage Denial of Service logging The percentage of system resources in use Some Denial of Service DoS attacks will cause excessive system resource usage resulting ...

Page 63: ...tion is reported 4 times persists for more than 15 minutes then alerts cease for 15 minutes If after 15 minutes the condition still exists the alerts cease for 30 minutes then for 1 hour 2 hours 4 hours 8 hours and after that the persisting condition is reported once a day Note that ProCurve switches also have the ability to send event log entries to a syslog server mac moves min The average numbe...

Page 64: ...efault threshold setting when enabled 1000 med learn discards The number of MAC address learn events per minute discarded to help free CPU resources when busy Default threshold setting when enabled 100 med login failures The count of failed CLI login attempts or SNMP management authen tication failures per hour Default threshold setting when enabled 10 med mac address count The number of MAC addre...

Page 65: ...st the alert threshold for the MAC address count to a specific value ProCurve config instrumentation monitor mac address count 767 To enable monitoring of learn discards with the default medium threshold value ProCurve config instrumentation monitor learn discards To disable monitoring of learn discards ProCurve config no instrumentation monitor learn discards To enable or disable SNMP trap genera...

Page 66: ...your switch for details on adding SNMPv3 users C a u t i o n If you add an SNMPv3 user without authentication and or privacy to a group that requires either feature the user will not be able to access the switch Ensure that you add a user with the appropriate security level to an existing security group To configure an SNMPv3 user you must first add the user name to the list of known users with th...

Page 67: ...s send disable configured it shuts down the port from which the packet was sent You can configure the disable timer parameter for the amount of time you want the port to remain disabled 0 to 604800 seconds If you configure a value of zero the port will not be re enabled Syntax no snmpv3 user user_name Adds or deletes a user entry for SNMPv3 Authorization and privacy are optional but to use privacy...

Page 68: ...s taken If send disable is configured the port that transmitted the packet is disabled If no disable is configured the port is not disabled Default send disable trap loop detected Allows you to configure loop protection traps The loop detected trap indicates that a loop was detected on a port disable timer 0 604800 How long in seconds a port is disabled when a loop has been detected A value of zer...

Page 69: ...J9030A ProCurve Switch 4208vl 72GS 68 10 100 1000 4 SFP J9033A ProCurve Switch vl 20 port Gig T 4 port SFP Module J9064A ProCurve Switch 4204vl 48GS 44 10 100 1000 4 SFP ProCurve config show loop protect 1 4 Status and Counters Loop Protection Information Transmit Interval sec 5 Port Disable Timer sec 5 Loop Detected Trap Enabled Loop Loop Loop Time Rx Port Port Protection Detected Count Since Las...

Page 70: ... the request It is sometimes desirable for security reasons to send SNMP replies from the same IP address as the one on which the corresponding SNMP request was received You can configure this capability with the snmp serverresponse source and snmp servertrap source commands For example to use the destination IP address as the source IP address enter this command ProCurve config snmp server respon...

Page 71: ...s type of service diff services is also configured Release L 10 26 Enhancements Software fixes only no new enhancements never released Release L 10 27 Enhancements Software fixes only no new enhancements Syntax no snmp server trap source IP ADDR loopback 0 7 Allows you to specify the source IP address for the trap pdu The no form of the command resets the switch to the default behavior compliant w...

Page 72: ...a result the attacker can intercept traffic for other hosts in a classic man in the middle attack The attacker gains access to any traffic sent to the poisoned address and can capture passwords e mail and VoIP calls or even modify traffic before resending it Another way in which the ARP cache of known IP addresses and associated MAC addresses can be poisonedisthroughunsolicitedARPresponses Forexam...

Page 73: ...e the ARP cache Dynamic ARP protection is implemented in the following ways on a switch You can configure dynamic ARP protection only from the CLI you cannot configure this feature from the web or menu interfaces Line rate Dynamic ARP protection copies ARP packets to the switch CPU evaluates the packets and then re forwards them through the switch software During this process if ARP packets are re...

Page 74: ...n the other hand if Switch A does not support dynamic ARP protection and you configure the port on Switch B connected to Switch A as trusted Switch B opens itself to possible ARP poisoning from hosts attached to Switch A Figure 2 Configuring Trusted Ports for Dynamic ARP Protection Take into account the following configuration guidelines when you use dynamic ARP protection in your network You shou...

Page 75: ...c IP to MAC addressbindingsin the DHCP binding database The switch uses manually configured static bindings for DHCP snooping and dynamic ARP protection To add the static configuration of an IP to MAC binding for a port to the database enter the ip source binding command at the global configuration level Syntax no arp protect trust port list port list Specifies a port number or a range of port num...

Page 76: ...evel You can configure one or more of the validation checks The following example of the arp protect validate command shows how to configure the validation checks for source MAC address and destination AMC address ProCurve config arp protect validate src mac dst mac Syntax no arp protect validate src mac dst mac ip src mac Optional Drops any ARP request or response packet in which the source MAC a...

Page 77: ...failure and IP validation failures enter the show arp protect statistics command Figure 4 Show arp protect statistics Command ARP Protection Information Enabled Vlans 1 4094 Validate dst mac src mac Port Trust B1 Yes B2 Yes B3 No B4 No B5 No ProCurve config show arp protect ProCurve config show arp protect statistics Status and Counters ARP Protection Counters for VLAN 1 Forwarded pkts 10 Bad sour...

Page 78: ...nt Support has been added for the ProCurve Switch 4200vl Series single port 10 GbE module J8766A See Operating Rules for 4200vl Series 10 GbE Port Trunks on page 73 Enhancement PR_1000415155 The ARP age timer was enhanced from the previous limit of 240 minutes to allow for configuration of values up to 1440 minutes 24 hours or infinite 99 999 999 seconds or 3 2 years See ARP Age Timer Increase on ...

Page 79: ...cation method to be used when the RADIUS server is unavailable for the primary port access method See RADIUS Server Unavailable on page 94 Enhancement PR_1000443349 This enhancement is to allow the concurrent use of SFTP with TACACS authentication for SSH connections See Concurrent TACACS and SFTP on page 97 Enhancement PR_1000457691 This enhancement allows the mapping of all theoret ically availa...

Page 80: ...type LACP or Trunk All LACP ports in the same trunk group must be either all static LACP or all dynamic LACP A trunk appears as a single port labeled Dyn1 for an LACP dynamic trunk or Trk1 for a static trunk of type LACP Trunk on various menu and CLI screens For spanning tree or VLAN operation configuration for all ports in a trunk is done at the trunk level You cannot separately configure individ...

Page 81: ...set from 1 to 1440 minutes 24 hours If the option infinite is configured the internal ARP age timeout is set to 99 999 999 seconds approximately 3 2 years An arp age value of 0 zero is stored in the configuration file to indicate that infinite has been configured This value also displays with the show commands and in the menu display Menu Switch Configuration IP Config Default 20 minutes ProCurve ...

Page 82: ...ow running config Running configuration J9091A Configuration Editor Created on release K 12 XX hostname 8200LP module 2 type J8702A module 3 type J8702A module 4 type J8702A ip default gateway 15 255 120 1 ip arp age 1000 snmp server community public Unrestricted snmp server host 16 180 1 240 public vlan 1 name DEFAULT_VLAN untagged B1 B24 C1 C24 D1 D24 ip address 15 255 120 85 255 255 248 0 exit ...

Page 83: ...ys denied Security Notes The local usernames and passwords configured in the hpSwitchAuth MIB are not returned via SNMP and the response to SNMP queries for such information is a null string However SNMP sets can be used to configure local username and password MIB objects To help prevent unauthorized access to the switch s local username and password authentication MIB objects ProCurve recommends...

Page 84: ...on hpSwitchAuth MIB objects excluded Disables manager level SNMP write access to the switch s local username and password authentication configuration hpSwitchAuth MIB objects Default included Syntax show snmp server The command output now includes the current access status of the switch s local username and password authentication configuration MIB objects in the Excluded MIBs field ProCurve conf...

Page 85: ...nt based authentication andeither Web or MAC authentication at the same time on a port with a maximum of 32 clients allowed on the port The default is one client Web authentication and MAC authentication are mutually exclusive on the same port Also you must disable LACP on ports configured for any of these authentication methods For more information refer to the Configuring Port Based Access Contr...

Page 86: ... a VLAN by a RADIUS server or an authorized client VLAN configuration is an untagged member of the VLAN for the duration of the authenticated session This applies even ifthe port is also configuredin the switch as a tagged member of the same VLAN The following restrictions apply If the port is assigned as a member of an untagged static VLAN the VLAN must already be configured on the switch If the ...

Page 87: ...ort for the authentication session is advertised as an existing VLAN If this temporary VLAN assignment causes the switch to disable a different untagged static or dynamic VLAN configured on the port the disabled VLAN assignment is not advertised When the authentication session ends the switch Removes the temporary untagged VLAN assignment and stops advertising it Re activates and resumes advertisi...

Page 88: ...he Menu Interface View In Figure 3 if RADIUS authorizes an 802 1X client on port 2 with the requirement that the client use VLAN 22 then VLAN 22 becomes available as Untagged on port 2 for the duration of the session VLAN 33 becomes unavailable to port 2 for the duration of the session because there can be only one untagged VLAN on any port To view the temporary VLAN assignment as a change in the ...

Page 89: ...ut port 2 is temporarily configured as untagged on VLAN 22 for an 802 1X session This temporary configuration change is necessary to accommodate an 802 1X client s access authenticated by a RADIUS server in which the server included an instruction to assign the client session to VLAN 22 Note In the current VLAN configuration port 2 is only listed as a member of VLAN 22 in show vlan 22 output when ...

Page 90: ...earned through GVRP in the temporary untagged VLAN assigned by a RADIUS server on an authenticated port in an 802 1X MAC or Web authentication session Enter the no form of this command to disable the use of GVRP learned VLANs in an authentication session For information on how to enable a switch to dynamically create 802 1Q compliant VLANs refer to the GVRP chapter in the Access Security Guide Not...

Page 91: ...re information refer to the GVRP chapter in the Advanced Traffic Management Guide 3 If you disable the use of dynamic VLANs in an authentication session using the no aaa port access gvrp vlans command client sessions that were authenticated with a dynamic VLAN continue and are not deauthenticated This behavior differs form how static VLAN assignment is handled in an authentication session If you r...

Page 92: ...see the complete text The menu interface is shown in Figure 8 ProCurve Switch 5406zl config show system information Status and Counters General System Information System Name Blue Switch System Contact George_Johnson System Location North Data Room MAC Age Time sec 300 Time Zone 0 Daylight Time Rule None Software revision K 12 06 Base MAC Addr 001279 898c00 ROM Version K 11 03 Serial Number SG344P...

Page 93: ... be displayed if assigned along with tagged or untagged membership modes Displaying the VLAN Membership of One or More Ports MENU ProCurve Switch 5406zl 24 Oct 2006 12 41 47 TELNET MANAGER MODE Switch Configuration System Information System Name Blue Switch System Contact Bill_Smith System Location characters of the location are missing It s too long Inactivity Timeout min 0 0 MAC Age Time sec 300...

Page 94: ...ded below Port name The user specified port name if one has been assigned VLAN ID The VLAN identification number or VID Name The default or specified name assigned to the VLAN For a static VLAN the default name consists of VLAN x where x matches the VID assigned to that VLAN For a dynamic VLAN the name consists of GVRP_x where x matches the applicable VID Status Port Based Port Based static VLAN P...

Page 95: ...ow VLAN Ports Cumulative Listing ProCurve show vlan ports a1 a33 Status and Counters VLAN Information for ports A1 A33 VLAN ID Name Status Voice Jumbo 1 DEFAULT_VLAN Port based No No 10 VLAN_10 Port based Yes No 20 VLAN_20 Protocol No No 33 GVRP_33 Dynamic No No ProCurve ...

Page 96: ...ort based Yes No Tagged Status and Counters VLAN Information for ports A2 Port name Uplink_Port VLAN ID Name Status Voice Jumbo Mode 1 DEFAULT_VLAN Port based No No Untagged 20 VLAN_20 Protocol No No Tagged 33 GVRP_33 Dynamic No No Tagged Status and Counters VLAN Information for ports A3 VLAN ID Name Status Voice Jumbo Mode 1 DEFAULT_VLAN Port based No No Untagged Status and Counters VLAN Informat...

Page 97: ...at if the primary method fails authen tication is denied The command also reconfigures the number of access attempts to allow in a session if the first attempt uses an incorrect username password pair Using the Privilege Mode Option for Login When using TACACS to control user access to the switch you must first login with your username at the Operator privilege level using the password for Operato...

Page 98: ...that destination Informs requests can be sent several times until a response is received from the SNMP manager or the configured retry limits are reached The request may also timeout To enable SNMP informs enter this command To configure SNMP informs request options use the following commands To specify the manager that receives the informs request use the snmp server host command Syntax no snmp s...

Page 99: ...ork management stations Note In all cases the switch sends any threshold trap s or informs to the network management station s that explicitly set the threshold s traps informs Select whether SNMP traps or informs are sent to this management station For more information on SNMP informs see Enabling and Configuring SNMP Informs on page 92 version 1 2c 3 Select the version of SNMP being used Note SN...

Page 100: ...hable Configuring RADIUS Authentication You can configure the switch for RADIUS authentication through the following access methods Console Either direct serial port connection or modem connection Telnet Inbound Telnet must be enabled the default SSH To use RADIUS for SSH access first configure the switch for SSH operation ProCurve config show snmp server SNMP Communities Community Name MIB View W...

Page 101: ...ntax aaa authentication console telnet ssh web enable login radius Configures RADIUS as the primary password authentication method for console Telnet SSH and the web browser interface The default primary enable login authentica tion is local local none authorized Provides options for secondary authentication default none Syntax aaa authentication port access chap radius eap radius local Configures...

Page 102: ...ercase Specifies the MAC address format to be used in the RADIUS request message This format must match the format used to store the MAC addresses in the RADIUS server Default no delimiter no delimiter specifies an aabbccddeeff format single dash specifies an aabbcc ddeeff format multi dash specifies an aa bb cc dd ee ff format multi colon specifies an aa bb cc dd ee ff format no delimiter upperca...

Page 103: ...to this version and you have configured MSTI entries instances mapped to VLANs they will be removed from the configuration file when booting to the prior version of software You must do one of the following if you want to install or reload a prior version of the software 1 Remove all MSTP mappings from the config file and then reconfigure the instance mapping after you are running the desired soft...

Page 104: ... identifiers region name and revision number Flexibility By preconfiguring identical VLAN ID to MSTI mappings on all switches in an MST region you can combine switches that support different maximum numbers of VLANs Network stability You can reduce the interruptions in network connectivity caused by the regeneration of spanning trees in the entire network each time a configuration change in VLAN t...

Page 105: ... as the Configuration Digest for the Series 3500 5400 6200 switches running this enhancement See Figure 5 and Figure 6 Syntax no spanning tree instance 1 16 vlan vid vid vid no spanning tree instance 1 16 Configuring MSTP on the switch automatically configures the IST instance and places all statically and dynamically configured VLANs on the switch into the IST instance This command creates a new ...

Page 106: ...on Switches other than ProCurve Series 3500 5400 6200 Operating Notes Configuring MSTP on the switch automatically configures the Internal Spanning Tree IST instance and places all statically and dynamically configured VLANs on the switch into the IST instance The spanning tree instance vlan command creates a new MST instance and moves the VLANs you specify from the IST to the MSTI ProCurve config...

Page 107: ...nfigured static and dynamic VLANs in the IST instance and requiring you to manually assign individual static VLANs to an MSTI The valid VLAN IDs that you can map to a specified MSTI are from 1 to 4094 The VLAN ID to MSTI mapping does not require a VLAN to be already configured on the switch The MSTP VLAN enhancement allows you to preconfigure MSTP topologies before the VLAN IDs associated with eac...

Page 108: ...e K 12 51 Enter the show flash command to see the results The switch is now running the software version K 12 51 Figure 9 Show Flash Command after Upgrading the Switch to a New Version of the Software K 12 51 5 If you want to run the prior software version K 12 43 in this example enter this command ProCurve config boot system flash secondary config configK1243 cfg ProCurve config show config files...

Page 109: ...s the switch supports you must reboot the switch in order to implement the change Reload automatically saves your configuration changes and reboots the switch from the same software image you have been using Scheduled Reload Beginning withsoftwarereleaseK 11 34 additionalparametershavebeenadded to the reload command to allow for a scheduled reboot of the switch via the CLI Syntax reload after dd h...

Page 110: ...sh Boot Attempts from an Empty Flash Location In this case the switch aborts the attempt and displays Image does not exist Operation aborted Interaction of Primary and Secondary Flash Images with the Current Configuration The switch has one startup config file which it always uses for reboots regardless of whether the reboot is from primary or secondary flash Also for rebooting purposes it is not ...

Page 111: ...ved across reboots If the switch is rebooted before a scheduled reload command is executed the command is effectively cancelled When entering a reload at or reload after command a prompt will appear to confirm the command before it can be processed by the switch For the reload at command if mm dd yy are left blank the current day is assumed Release L 11 09 Enhancements Software fixes only no new e...

Page 112: ...sh Stacking PR_1000297510 When using Web User Interface and the switch is commander for stacking the switch may crash with a message similar to PPC Bus Error exception vector 0x300 Stack frame 0x01731de8 HW Addr 0x02800007 IP 0x0022dc30 Task tHttpd Task ID 0x1731fb0 fp 0x0167d180 sp 0x01731ea8 lr 0x IGMP PR_1000301557 Data driven IGMP requires an IP address on a VLAN to work properly IP Forwarding...

Page 113: ...AN however it cannot communicate with other ports on the Unauthorized VLAN Web Stacking PR_1000308933 Added Web User Interface stacking support for the new Series 3500yl switches providing a 3500yl back of box display when the 4200vl is stack commander and a 3500yl is a stack member Release L 10 03 Problems Resolved in Release L 10 03 Not a general release Crash PR_1000282359 The switch may crash ...

Page 114: ...R_1000327132 The Switch may crash with a message similar to Software exception in ISR at btmDmaApi c 304 DHCP Enhancement PR_1000311957 Added option to configure the switch to use the management VLAN IP address in the Option 82 field See DHCP Option 82 Using the Management VLAN IP Address for the Remote ID on page 19 for details Enhancement PR_1000290489 Enhancement to display Port Name along with...

Page 115: ...not display data correctly in the status field CLI PR_1000334412 Operator level can save Manager privilege level changes to the configuration sFlow Enhancement PR_1000337714 Added new show sflow commands to the CLI See Show sFlow Commands on page 21 for details Web UI PR_1000331431 The QoS Configuration Tab is not working correctly when using the Web User Interface Release L 10 07 Problems Resolve...

Page 116: ..._1000342461 When a trunk is configured on an uplink port the command show lldp info remote port number reports incorrect information for the remote manage ment address Enhancement PR_1000355089 This enhancement increases the maximum number of 802 1X users per port to 8 Enhancement PR_1000355877 802 1X Controlled Directions enhancement with this change administrators can use Wake on LAN with comput...

Page 117: ...ech transceiver CLI command output now contains the HP part number and revision information for all transceivers on the switch Source Port Filtering PR_1000352851 SourcePortFilteringontrunksdoesnotwork when both the source and destination are trunk ports even though the switch accepts the configuration Trunking PR_1000364354 When a switch with 30 or more trunks is rebooted the switch may crash wit...

Page 118: ...RADIUS configuration Enhancement PR 1000292455 Implemented rate display for ports on CLI New command show interface port utilization Not available on Menu or Web Interface Enhancement PR_1000311510 Ping conformance as defined in RFC 2925 Enhancement PR_1000331027 TCP UDP port closure enhancement Enhancement PR_1000330743 Denial of Service logging enhancement Enhancement PR_1000338847 Added support...

Page 119: ...I PR_1000240838 If an invalid time is entered using clock set command the switch responds with an invalid date error CLI PR_1000199785 The tab help function command completion for IP RIP authen tication is inaccurate The help selection lists OCTET STR Set authentication key when it should be ASCII STR Set RIP auhentication key maximum 16 characters CLI PR_1000373443 The CLI update command help tex...

Page 120: ...BPDU Protection PR_1000395569 BPDU protection fails after module hot swap CLI Counters PR_1000379222 Jumbo sized frames received decrement Total Rx Errors counters 32 bit counter rolls from 0 backwards to 4 294 967 295 and continues to decrement with each received Jumbo frame CLI PR_1000380660 The show tech transceivers CLI command displays the wrong message when inserting an A version transceiver...

Page 121: ... PCM from collecting sampling data Crash PR_1000421322 When issuing config related CLI commands such as show run or show tech or when PCM attempts to retrieve the configuration file via TFTP from a switch having a large configuration file the switch may crash with a message similar to Software exception at exception c 373 in tTftpDmn task ID 0x11cfaa8 Memory system error at 0x1175550 memPartFree W...

Page 122: ...plays logical trunk information SCP PR_1000740259 SCP Secure Copy of configuration crashes the switch Web UI PR_1000744332 Help pages are not available from the Web interface Reboot PR_1000743918 When it is under stress the switch may unexpectedly reboot without leaving a crash log CLI PR_1000399532 The loop protect is unable to process disable timer and transmit interval Enhancement Support has b...

Page 123: ...w for configuration of values up to 1440 minutes 24 hours or infinite 99 999 999 seconds or 3 2 years Enhancement PR_1000457691 This enhancement allows the mapping of all theoret ically available VLAN IDs 1 4094 to an MSTP instance even if some of the VLANs are not currently configured on the switch Enhancement PR_1000408960 RADIUS assigned GVRP VLANs are now supported Release L 11 09 Problems Res...

Page 124: ... 2006 2008 Hewlett Packard Development Company LP The information contained herein is subject to change without notice February 2008 Manual Part Number 5991 4696 ...