Configuration

HP ExpertOne Web-based Training: Getting Started with HP Switching & Routing, Rev. 13.31. Course ID: 00731204. Track: HP ATP - FlexNetwork Solutions V1 certification.


Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. This is an HP copyrighted work that may not be reproduced without the written permission of HP. You may not use these materials to deliver training to any person outside of your organization without the written permission of HP.


Module 1: HP Switch Overview

    Objectives

    After completing this module, you should be able to:

Describe the following types of switches and explain how they are used in today's networks:

Core, distribution, and access layer switches
Layer 2 and Layer 3 switches
Modular and fixed-port switches
Managed, smart-managed, and unmanaged switches

Explain how HP switches help organizations meet today's business and technical challenges

Explain how the HP ProVision command line interface (CLI) and the Comware CLI are separated into different privilege levels and identify tasks that can be completed at each level


    Lesson 1: Introduction

    In this lesson, you will review what small, medium, and large companies require from their network to meet their current business goals.

    You will then learn how HP helps IT organizations meet these requirements, allowing companies to move beyond the limitations of aging, traditional networks.



    Current networking challenges

Introduction

To understand the challenges companies are facing today, you should consider three areas: data center, campus LAN, and branch office.

Data center

Companies, seeking to improve efficiency and save money, are consolidating resources in centralized data centers, which are rapidly evolving and generating dramatic changes:

Server virtualization, which allows a single physical system to host multiple virtual machines, increases the demand for bandwidth at the data center edge. The portability of virtual servers also means that the network edge must constantly adjust to new services.

Traditional client-server application models drove traffic from the workstation to the server (north-south). In the data center, cloud computing and federated applications now drive more traffic between servers (east-west).

Administrators also want to converge LAN and Storage Area Network (SAN) traffic.

To accommodate all of these services, the network must deliver high performance, high flexibility, high scalability, high availability, and low latency. To keep up, you also need a single-pane-of-glass management tool through which you can manage all components.


Campus LAN

Companies are moving resources out of the LAN and into the data center and private or public clouds, driving more traffic across WAN connections. At the same time, documents and applications, such as Unified Communications and Collaboration (UC&C) solutions, are becoming more media rich, increasing the need for more bandwidth and less latency. If the network cannot deliver, the user experience suffers. Users are also relying more heavily on mobile devices, increasingly as their preferred method of access, and wireless LANs (WLANs) are being deployed in hospitals, campuses, warehouses, and other spaces. Campus networks must transform to support the delivery of applications and services to wired and mobile workers alike. Unfortunately, existing WLAN deployments often deliver a substandard user experience.

Branch office

Rather than deploy services at each branch office, companies are consolidating services at centralized data centers. Resource consolidation increases the demand for bandwidth and low latency on WAN links. Companies are also reducing the number of IT staff at branch offices or even eliminating them. While these changes may save money and increase efficiency, they introduce new challenges for branch office solutions. Customers need fast, reliable WAN connections and solutions that can survive locally when a WAN outage occurs.


    Customer requirements

Companies of all sizes, small, medium, and large, now find themselves with networks that hinder rather than drive the delivery of high-quality network services.

Companies have | But they need
---|---
An infrastructure that supports connectivity but does not add intelligence in a coherent fashion | An infrastructure that responds to diverse users and applications appropriately and consistently
A complicated system of management solutions for different segments of the network | A single-pane-of-glass solution that manages the entire infrastructure
Separate silos of servers that experience differing traffic loads | All of their resources to work efficiently all of the time


    Converged networks with HP FlexNetwork

Introduction

To help companies evolve their network to meet these needs, HP provides the FlexNetwork architecture.

HP FlexFabric

HP FlexFabric creates a low-latency, highly resilient infrastructure, uniquely tuned for adapting to a virtualized environment, on which compute and storage traffic converges.

HP FlexCampus

HP FlexCampus converges wired and wireless networks to deliver secure identity-based access to employees and guests.

HP FlexBranch

HP FlexBranch simplifies the deployment and management of standardized, secure, responsive, and resilient end-to-end solutions across many branches.

HP FlexManagement

HP FlexManagement converges management of all network components into a single solution, helping to orchestrate network management according to business needs.


HP FlexNetwork

HP FlexNetwork is based on open standards. It is scalable, secure, and agile. Although divided into different components, the HP FlexNetwork offers a consistent set of services and a unified management solution.


    HP FlexFabric LAN/SAN convergence

Introduction

Another issue facing companies is having to manage LANs and Storage Area Networks (SANs) as separate infrastructures. Companies want to simplify and save money by converging data and storage traffic onto a single network. However, traditional Ethernet does not meet storage's need for high-speed, lossless delivery. HP provides servers with Converged Network Adapters (CNAs) as well as Fibre Channel over Ethernet (FCoE) switches, enabling companies to benefit from the first phase of LAN/SAN convergence.

1) In a traditional network, the LAN and SAN are completely separate physical networks, one devoted to data traffic and the other to storage. Servers require two sets of NICs, and different groups manage each network, increasing costs and creating logistical problems.


    HP FlexFabric LAN/SAN convergence (cont.)

2) HP servers and switches provide an interim step toward LAN/SAN convergence. In this step, the SAN still hosts the storage components. However, the server connects only to the LAN, using its Converged Network Adapters to handle both data and storage traffic. This phase allows customers to save money on server components without requiring a forklift upgrade for storage.


    HP FlexFabric LAN/SAN convergence (cont.)

    3) With full convergence, LAN and SAN traffic traverse the same network infrastructure and both are managed through a single pane of glass.


    Open standards

HP is also committed to supporting industry open standards. Open standards give companies the freedom to implement multivendor solutions and ensure continuing support for a converged network, no matter what applications are later deployed.

HP AllianceOne

For example, HP AllianceOne, an extensive system of partnerships, tests a wide variety of solutions across the server, storage, and network components of the HP FlexNetwork.

Thus, HP products:

Make it easy to integrate new applications into core business practices

Increase application flexibility

Help reduce costs


    HP warranty

    For many switches, HP provides a lifetime warranty, which includes:

    Fans and power supplies

    Advanced replacement at no cost

    Next-day business delivery

    Software maintenance

    Technical assistance

    Some restrictions apply. For complete warranty information, visit:

    http://www.hp.com/networking/warranty



    Green business technology

In addition, HP is committed to developing energy-efficient products. Some of HP's green technologies include options such as low-power idle mode and the ability to power down unused Ethernet ports on switches. Most energy-efficient functions are easily monitored and managed. Several of HP's switches have earned the Miercom Certified Green Standard for networking devices.



    Lesson 1: Summary

    In this lesson, you learned how HP is helping companies transform their network, providing an infrastructure that responds to diverse users and applications appropriately and consistently.

    You also learned that this highly scalable network architecture is built on the FlexFabric architecture.

Because the FlexNetwork is built on open standards, you are not locked into proprietary applications or services. You can choose solutions that best meet your company's needs.



    Lesson 2: Introduction

    In this lesson, you will begin to learn about switch technology. Specifically, you will learn how switches can be categorized based on the following criteria:

    Deployment in the network architecture

    Open Systems Interconnection (OSI) layer

    Manageability

    Form factor

    Support for stacking technologies



    Deployment options: three-tier networks

    Switches can be categorized by where they are deployed in the network environment. Traditional networks are organized into three tiers:

    Core switches establish the backbone of the network.

    Distribution switches are consolidation points for LAN access or server access switches and connect to the core switches.

    LAN or server access switches support workstations and servers.



    Deployment options: two-tier networks

    HP also supports two-tier networks:

    The distribution layer is eliminated; the LAN and server access switches connect directly to the core switches.

    Traffic flows directly from the edge to the core, reducing latency.



    Layer 2 and Layer 3 switches

Introduction

Switches are also categorized based on their ability to forward traffic at the Data Link Layer or the Network Layer of the Open Systems Interconnection (OSI) model.

Layer 1: The Physical Layer controls the physical medium, defining the electrical and mechanical specifications for the network connection.

Layer 2: The Data Link Layer describes the procedures (called protocols) that control data transfer across the physical infrastructure.

Layer 3: The Network Layer is primarily responsible for logical addressing and the routing of traffic across internetworks.

Layer 4: The Transport Layer ensures the reliable transfer of data between hosts. It provides flow control, error checking, and data recovery.

Layer 5: The Session Layer defines the process of establishing and maintaining a session (a two-way communication) between two applications.

Layer 6: The Presentation Layer translates the data from the lower layers to a format that can be used by the Application Layer.

Layer 7: The Application Layer defines how applications access network services.

Ethernet

Ethernet is a Layer 1 and Layer 2 protocol. It defines the electrical and mechanical specifications of the physical media that the network uses and also controls data transfer across the physical infrastructure.

Layer 2 switch

A Layer 2 switch forwards traffic based on the frame's Data Link Layer information, specifically the hardware address, which is called the Media Access Control (MAC) address. (You will learn more about Layer 2 forwarding later in this course.)

Layer 3 switch

A Layer 3 switch can route traffic based on Network Layer information. To route traffic, a Layer 3 switch must have an appropriate IP route. Layer 3 switches support static routes and routes learned through routing protocols. Some switches support only static routes and are called Light Layer 3 switches. (You will learn more about Layer 3 routing later in this course.)


    Switch manageability

Introduction

Switches are also categorized based on their level of manageability: managed, smart web-managed, or unmanaged.

Managed

Managed switches support Simple Network Management Protocol (SNMP) and allow you to configure each port's communication parameters and many other aspects of the switch through a command line interface (CLI). Many managed switches also provide a graphical user interface, such as a Web browser interface. All of HP's enterprise switches are managed.

Smart web-managed

Smart web-managed switches, as the name suggests, can be managed through a Web browser interface. The Web browser interface is designed to be intuitive, making it easy to configure and manage switch features. In addition, these switches support SNMP, so you can manage them through a centralized SNMP console.

Unmanaged

Unmanaged switches provide basic Layer 2 switching and are not configurable. These switches are commonly referred to as plug-and-play switches and are designed for small to medium businesses (SMBs) that need basic switch functionality.


    Form factor

Introduction

Another way switches are categorized is by their form factor or physical frame: fixed-port, modular, or flex-chassis. (Regardless of their form factor, all types of switches support high-speed links, either through traditional copper cabling or fiber optic cabling.)

Fixed-port switches

Fixed-port switches have a predefined number of ports. Typically, the switch is one rack unit (RU). An RU refers to the amount of vertical space the hardware will take up in an equipment rack in the wiring closet, server room, or data center. For example, most server racks have 42U, meaning that they can accommodate 42 1U devices.

Modular switches

Modular switches do not have a defined number of ports. Instead, port type and density in a modular switch are defined by the type and number of modules that are installed in the chassis.

Flex-chassis switches

Flex-chassis switches contain a number of fixed ports as well as room to accommodate a limited number of modules, which allow you to add extra high-speed ports or advanced features or services.


    Meshed stacking and IRF

Introduction

Switches may also be categorized based on their support for stacking. Traditional stacking enables you to connect several switches and manage them through a single IP address. HP also offers two more advanced stacking technologies: meshed stacking and Intelligent Resilient Framework (IRF).

Meshed stacking

Available on the HP 3800 Switch Series, meshed stacking allows you to aggregate up to five switches to form a fully meshed stack for resiliency and management via a single interface. Direct links run to and from each switch in the stack, forming a single logical switch.


    Meshed stacking and IRF (cont.)

IRF

IRF allows you to combine multiple switches, creating a single resilient virtual switch. To other devices on the network, each IRF system appears to be one device, which has one MAC address and one bridge ID. Routing updates originate from this one device. The IRF system draws on each switch's capabilities during normal operation. As a result, the IRF system provides high performance while greatly simplifying the design and operations of data center and campus networks. In addition, the IRF system provides both device-level and link-level redundancy. If a switch (or a switch component) fails or becomes unavailable, the IRF system can quickly and seamlessly fail over, preventing service interruption and maintaining continuity for business-critical applications. IRF runs on many HP switches, including the HP 5120, 5500, 5800, 5820, 5830, 7500, 9500, 10500, and 12500 Switch Series.

Benefits

IRF and meshed stacking offer many benefits over traditional stacking:

Unified management: You can manage the stack through a single master switch.

High availability: IRF and meshed stacking provide N:1 failover and redundant links.

Increased performance: All available links remain active and provide load balancing, which increases efficiency in switching and routing.

Scalability: You can increase network bandwidth and processing capabilities by adding switches to the meshed stack or IRF system.

Flattened architecture: By enabling access layer switches to share highly available links to the core, meshed stacking and IRF help customers create low-latency, two-tier architectures in both the campus LAN and data center.


    Lesson 2: Summary

    In this lesson, you learned how switches can be categorized based on criteria such as the network tier where they are deployed, Layer 2 or 3 functionality, manageability, form factor, and stacking capability.



    Lesson 3: Introduction

    In this lesson, you will begin to apply what you have learned about switches. You will take a look at a few HP switches, considering features such as their form factor, manageability, forwarding and switching capabilities, and stacking capabilities.

    You will also learn how to access and begin managing HP switches.



    HP switch portfolio

Introduction

You will now be introduced to several switches in each part of the FlexNetwork architecture. And because small businesses have specific technical, management, and budget requirements, you will also examine switches ideally suited for those environments.

FlexFabric switches

This table provides basic information about some of the switches that can be used to implement FlexFabric. To view information about other switches that play a role in FlexFabric, go to http://www.hp.com/go/networking.

Featured Switch Series | Form Factor | Switches | Manageability | Forwarding & Routing | Power over Ethernet (PoE) | Stacking/IRF
---|---|---|---|---|---|---
5800 Switch Series | Flex-chassis | 5800-24G, 5800-24G-PoE+, 5800-24G-SFP; 5800-48G, 5800-48G-PoE, 5800-48G with 2 slots; 5800AF-48G | Managed | Layer 3/4 | Yes | IRF with up to 9 switches
5820 Switch Series | Flex-chassis | 5820-14XG-SFP+ with 2 slots; 5820-24XG-SFP+; 5820AF-24XG | Managed | Layer 3/4 | No | IRF with up to 9 switches
5830 Switch Series | Fixed-port | 5830AF-48G with 1 interface slot; 5830AF-96G | Managed | Layer 3/4 | No | IRF with up to 4 switches
5920 Switch Series | Fixed-port | 5920AF-24XG | Managed | Layer 3/4 | No | IRF with up to 4 switches
12500 Switch Series | Modular | 12504 (4 slots); 12508 (8 slots); 12518 (18 slots) | Managed | Layer 3/4 | Yes | IRF with up to 4 switches


    HP switch portfolio (cont.)

FlexCampus switches

This table provides basic information about some of the switches that can be used to implement FlexCampus. To view information about other switches that play a role in FlexCampus, go to http://www.hp.com/go/networking. (Keep in mind that some FlexCampus switches, such as the 2530 Switch Series, can be deployed in FlexBranch as well.)

Featured Switch Series | Form Factor | Switches | Manageability | Forwarding & Routing | PoE | Stacking
---|---|---|---|---|---|---
2530 Switch Series | Fixed-port | 2530-24G, 2530-48G, 2530-24G-PoE+, 2530-48G-PoE+ | Managed | Layer 2 | Yes (designated switches) | Yes, up to 16 switches
3800 Switch Series | Fixed-port | 3800-24G-2SFP+, 3800-24G-2XG, 3800-24G-PoE+-2XG, 3800-24G-PoE+-2SFP+, 3800-48G-PoE+-4SFP+, 3800-48G-4SFP+, 3800-48G-4XG, 3800-48G-PoE+-4XG, 3800-24SFP-2SFP+ | Managed | Layer 3/4 | Yes (designated switches) | Meshed stacking
8200 zl Switch Series | Modular | 8206 zl, 8212 zl | Managed | Layer 3/4 | Yes (designated modules) | No
10500 Switch Series | Modular | 10504, 10508 & 10508-V*, 10512 | Managed | Layer 3/4 | Yes | IRF with up to 4 switches


    HP switch portfolio (cont.)

FlexBranch switches

This table provides basic information about some of the switches that can be used to implement FlexBranch. To view information about other switches that play a role in FlexBranch, go to http://www.hp.com/go/networking. (Keep in mind that some switches, such as the 2620, 2910 al, 2920, and 5400 zl, can be deployed in FlexCampus as well.)

Featured Switch Series | Form Factor | Switches | Manageability | Forwarding & Routing | PoE | Stacking/IRF
---|---|---|---|---|---|---
2620 Switch Series | Fixed-port | 2620-24, 2620-24-PPoE+, 2620-24-PoE+; 2620-48, 2620-48-PoE+ | Managed | Layer 3/4 | Yes (designated switches) | Up to 16 switches
2910 al Switch Series | Fixed-port | 2910-24G al, 2910-48G al, 2910-24G-PoE+ al, 2910-48G-PoE+ al | Managed | Layer 3/4 | Yes (designated switches) | Up to 16 switches
2920 Switch Series | Fixed-port | 2920-24G, 2920-24G-PoE+, 2920-48G, 2920-48G-PoE+ | Managed | Layer 3/4 | Yes (designated switches) | Up to 4 switches
5400 zl Switch Series | Modular | 5406 zl, 5412 zl | Managed | Layer 3/4 | Yes (designated modules) | No
5500 HI Switch Series | Fixed-port | 5500-24G-4SFP HI Switch with 2 Interface Slots; 5500-48G-4SFP HI Switch with 2 Interface Slots | Managed | Layer 3/4 | No | IRF with up to 9 switches


    HP switch portfolio (cont.)

Small business switches

Small businesses need to provide competitive services but do not have the budgets and IT staff of larger companies. They need switches that are easy to deploy and manage. To see a complete list of switches for small businesses, visit http://www.hp.com/go/networking.

Featured Switch Series | Form Factor | Switches | Manageability | Forwarding & Routing | PoE | Stacking
---|---|---|---|---|---|---
1410 Switch Series | Fixed-port | 1410-8G, 1410-16G, 1410-24G, 1410-8, 1410-16, 1410-24, 1410-24-2G | Unmanaged | Layer 2 | No | No
1810 Switch Series | Fixed-port | 1810-8G v2, 1810-24G v2, 1810-48G, 1810-8 v2, 1810-24 v2 | Web browser interface; SNMP v1 & v2 | Layer 2 | No | No
1910 Switch Series | Modular | 1910-48G, 1910-24G-PoE, 1910-24G, 1910-16G, 1910-8G, 1910-8G-PoE+ | Web browser interface; SNMP v1, v2, & v3 | Light Layer 3 (32 static routes) | Yes (designated switches) | No


    Switch software

HP managed switches run one of the following:

ProVision software (for example, the 8200 zl Switch Series runs the ProVision software)

Comware software (for example, the 10500 Switch Series runs the Comware software)

Both ProVision software and Comware software provide many of the same features. There are some differences, of course, but a detailed comparison is beyond the scope of this course. For now, you simply need to understand that the software determines the structure of the command line interface (CLI) and the commands you enter. (For more in-depth information, attend Building SMB Networks with HP Technologies, which is an instructor-led training course.)

You will now learn more about ProVision and Comware switches.


    Switch management interfaces

Introduction

Both ProVision and Comware switches are managed primarily through their CLI. ProVision switches offer two additional management interfaces: the menu interface and the Web browser interface. Some Comware switches also provide a Web browser interface. Keep in mind that the CLI is the primary interface for both ProVision and Comware switches, and this course will focus on that interface.

ProVision CLI

The example above shows the ProVision CLI. You will learn more about how to access the CLI and navigate in it in the next slides.

ProVision menu interface

The example above shows the ProVision menu interface, which you initially access through the CLI by entering the menu command. As mentioned earlier, this course will not cover the menu interface, focusing instead on the CLI.

ProVision Web browser interface

The example above shows the ProVision Web browser interface. As mentioned earlier, this course will not cover the Web browser interface, focusing instead on the CLI.

Comware CLI

The example above shows the Comware CLI. You will learn more about how to access the CLI and navigate in it in the next slides.

Comware Web browser interface

The example above shows the Comware Web browser interface. As mentioned earlier, this course will not cover the Web browser interface, focusing instead on the CLI.


    In-band and out-of-band management

    Introduction

    You can access a switch's CLI in two ways.

    What is out-of-band management?

    With out-of-band management, you connect your management station to the switch's console port with a serial cable and access the CLI with terminal emulation software. This is called out-of-band management because you are not connecting to the switch through a network port. Some Comware switches also permit you to connect to an AUX port through a modem connection.

    What is in-band management?

    With in-band management, your management communications run over network connections. You require IP connectivity to the switch through a direct or indirect Ethernet connection. To open a management session, you must use terminal emulation software that supports either Telnet or Secure Shell (SSH). With the Telnet protocol, data is transmitted in clear text and is vulnerable to snooping. With the SSH protocol, data is encrypted. You will learn more about SSH in Module 2: Security.

    What application do you need to access the CLI?

    There are many options, but one commonly used terminal emulation application is Tera Term, which is shareware that you can download and use for free.


    HP ProVision switches: management users

    You can access the CLI of an HP ProVision switch as operator or manager:

    Operator provides read-only access. You can view only statistics and configuration information.

    Manager provides read-write access. You can make configuration changes and view information.

    You can protect access to the switch by configuring a password for each user. At factory default settings, there are no passwords for either user.



    HP ProVision switches: CLI structure

    View                    Switch prompt        Tasks

    Operator                Switch>              View statistics and configuration information.

    Manager                 Switch#              Begin configuring the switch (such as updating system software).

    Global configuration    Switch(config)#      Make configuration changes to the switch features.

    Context configuration   Switch(<context>)#   Make configuration changes within a specific context, such as to a VLAN, one or more ports, or routing protocols. Examples: Switch(vlan-1)#, Switch(rip)#

    Introduction

    The HP ProVision switch CLI is organized into different levels, or contexts. You can tell the context by the switch prompt.

    Operator context

    The > symbol in the switch prompt indicates you are at the operator level. At this level you can view statistics and configuration information. To move to the manager level, enter enable. If a manager password has been configured on the switch, you will be prompted to enter that password.

    Manager context

    The # symbol in the switch prompt appears at the manager level. From this context, you can view additional information and begin managing the switch. For example, you can update the switch software. To move to the global configuration context, enter configure terminal (or a command shortcut such as config).

    Global configuration context

    The word config in the switch prompt indicates you are at the global configuration context. At this context, you can make configuration changes to the system's software features.

    Context configuration

    From the global configuration context, you can enter commands to move to other contexts, from which you configure particular settings. For example, you might move to a physical interface context or a VLAN context to configure settings specific to that interface or VLAN. You can also access contexts for protocols such as Routing Information Protocol (RIP) or Open Shortest Path First (OSPF). The prompt changes to indicate the context, as shown in these examples: Switch(vlan-1)# and Switch(rip)#


    HP Comware switches: User interfaces

    Introduction

    On Comware switches, you access the CLI through user interfaces.

    In-band management

    In-band access, which allows multiple users to access the switch through the IP network, uses virtual interfaces VTY0, VTY1, VTY2, and so on. At a switch's default settings, you are required to enter a password for these interfaces, but to eliminate a potential security weakness, the switch does not have a default password. You must configure a unique password for your particular company. To access a Comware switch for the first time, you must use out-of-band management. You can then configure a password for in-band management or change the authentication method to any of the three methods described for out-of-band management.

    Out-of-band management

    Out-of-band connections use the AUX0 interface and require no password at default settings, enabling initial access to the switch. You can leave this default authentication method (none) for out-of-band management, or you can configure the AUX0 interface to require users to log in with a password or with a username and password. If you require a username and password (an authentication method called scheme authentication), the switch checks the credentials against a local list of users or an external authentication server, as dictated by its Authentication, Authorization, and Accounting (AAA) domain settings.


    HP Comware switches: CLI command levels

    On Comware switches, each CLI command is associated with one of four command levels. The command level for each command is configurable, but most network managers leave the commands at the default settings.

    The figure below shows the four command levels and the types of commands that are available at each level.

    CLI command levels (from the figure, highest to lowest):

    3  Manager: System (file and user) management commands (read-write)

    2  System: Services configuration commands (read-write)

    1  Monitor: Basic read-only commands

    0  Visitor: Diagnosis commands such as ping and traceroute


    HP Comware switches: Privilege levels

    The types of commands that you can enter depend on your privilege level, which the Comware switch assigns you when you log in. Privilege levels equate to the CLI command levels.

    You may enter any command that is available to your current privilege level and lower.

    User privilege levels and the CLI command levels they unlock (from the figure):

    super 3  Manager  (command level 3)

    super 2  System  (command level 2)

    super 1  Monitor  (command level 1)

    super 0  Visitor  (command level 0)

    To move between levels, simply enter super followed by the level number.

    To move to a higher level, enter the super password for that level. For example, to move to the manager level, enter super 3.

    You can always move to a lower level than your current level, although this action is not necessary because you have access to those commands at the higher level.
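    As an added illustration that is not part of the course, the following Python script audits a text copy of a Comware switch's configuration for the login weaknesses described above: VTY lines left at authentication-mode none, Telnet in place of SSH, manager level handed out at login without per-user authentication, and a console line at its factory default of no password. Command names follow Comware 5 syntax as the author understands it; both configurations are constructed samples and the cipher values are placeholders.

```python
"""Audit the login settings in a Comware switch configuration.

Added example, not course material: scans a text copy of ``display
current-configuration`` for the weaknesses the course describes (VTY lines
at authentication-mode none, Telnet instead of SSH, a console line left at
the factory default of no password). Command names follow Comware 5 syntax
as the author understands it; both configurations are constructed samples.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, location, message)

# Constructed sample of the configuration the course warns against.
WEAK_CONFIG = """\
#
 telnet server enable
#
user-interface aux 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode none
 user privilege level 3
#
"""

# Constructed sample of the same switch hardened: SSH only, per-user (scheme)
# login on the VTY lines and a console password. Cipher values are placeholders.
HARDENED_CONFIG = """\
#
 ssh server enable
#
local-user admin
 password cipher PLACEHOLDER-CIPHERTEXT
 service-type ssh
 authorization-attribute level 3
#
user-interface aux 0
 authentication-mode password
 set authentication password cipher PLACEHOLDER-CIPHERTEXT
user-interface vty 0 4
 authentication-mode scheme
#
"""


def split_sections(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (global commands, {view-entry command: [commands inside it]}).

    Comware prints a view-entry command such as ``user-interface vty 0 4``
    flush left, the commands issued inside that view indented by one space,
    and a lone ``#`` between sections.
    """
    global_lines: List[str] = []
    views: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
        elif not raw.startswith(" "):
            current = line
            views.setdefault(current, [])
        elif current is None:
            global_lines.append(line)
        else:
            views[current].append(line)
    return global_lines, views


def audit_login_settings(config: str) -> List[Finding]:
    """Apply the course's checks; an empty list means nothing was flagged."""
    global_lines, views = split_sections(config)
    findings: List[Finding] = []
    if "telnet server enable" in global_lines:
        findings.append(("medium", "global", "Telnet server enabled: management "
                         "sessions cross the network in clear text; use SSH"))
    for name, body in views.items():
        if not name.startswith("user-interface "):
            continue
        kind = name.split()[1]  # "aux" or "vty"
        mode = next((l.split()[-1] for l in body
                     if l.startswith("authentication-mode ")), None)
        level = next((l.split()[-1] for l in body
                      if l.startswith("user privilege level ")), None)
        if kind == "vty":
            if mode == "none":
                findings.append(("high", name, "in-band login requires no "
                                 "credentials (authentication-mode none)"))
            if level == "3" and mode != "scheme":
                findings.append(("medium", name, "manager level (3) granted at "
                                 "login without per-user (scheme) authentication"))
        elif kind == "aux" and mode in (None, "none"):
            findings.append(("medium", name, "console logs in with no password "
                             "(factory default); set one unless the switch is "
                             "physically secured"))
    return findings
```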


    HP Comware switches: CLI structure

    Introduction

    The Comware CLI is divided into views, each of which contains a set of related commands. In addition to having the privilege to enter a particular command, you must be in the correct view. As the table shows, the switch prompt indicates the current view.

    User view

    The user view is indicated by angle brackets (< >). In this view, you can view settings, troubleshoot system problems, and manage files. You can move to the system view by entering the command system-view.

    System view

    The system view is indicated by square brackets ([ ]). In this view, you can make configuration changes to the switch's software. You can also access other command views. You can return to the user view by entering quit.

    Other command views

    Other command views give you access to configure interfaces, both physical and virtual, including the user interfaces. Many other features can be configured within their specific view mode. To exit a specific view and return to the system view, enter quit.
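    Added example, not course code: a small Python helper that recognizes the ProVision contexts (Switch>, Switch#, Switch(config)#, Switch(vlan-1)#) and the Comware views (<Switch>, [Switch] and sub-views) from the prompt text, which an automation script should check before it sends configuration commands. The Comware sub-view prompt [Switch-Vlan-interface1] is an assumed illustration.

```python
"""Classify an HP switch CLI prompt into platform, level and context.

Added example, not course code: useful when an automation script must know
where it is before sending commands. Prompt shapes follow the course tables:
  ProVision  Switch>  Switch#  Switch(config)#  Switch(vlan-1)#  Switch(rip)#
  Comware    <Switch>  [Switch]  [Switch-<view>]
The Comware sub-view name "Vlan-interface1" used below is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Optional

PROVISION_RE = re.compile(
    r"^(?P<host>[^\s()<>\[\]#]+)(?:\((?P<ctx>[^()]+)\))?(?P<sym>[>#])$")
COMWARE_RE = re.compile(r"^(?P<open>[<\[])(?P<body>[^<>\[\]\s]+)(?P<close>[>\]])$")


@dataclass(frozen=True)
class PromptInfo:
    platform: str           # "ProVision" or "Comware"
    level: str              # operator/manager/global-config/context-config,
                            # or user-view/system-view/other-view
    context: Optional[str]  # ProVision context or Comware sub-view, else None
    can_configure: bool     # True where configuration commands are accepted


def _comware_view(body: str, hostname: Optional[str]) -> Optional[str]:
    """Remove the hostname from a Comware prompt body; the rest is the sub-view."""
    if hostname is None:
        hostname = body.split("-", 1)[0]   # assumes the hostname has no '-'
    if body == hostname:
        return None
    if body.startswith(hostname + "-"):
        return body[len(hostname) + 1:]
    raise ValueError(f"prompt body {body!r} does not start with {hostname!r}")


def parse_prompt(prompt: str, hostname: Optional[str] = None) -> PromptInfo:
    """Pass hostname when it contains '-' so Comware prompts split correctly."""
    p = prompt.strip()
    m = COMWARE_RE.match(p)
    if m:
        if {"<": ">", "[": "]"}[m["open"]] != m["close"]:
            raise ValueError(f"mismatched brackets in {p!r}")
        view = _comware_view(m["body"], hostname)
        if m["open"] == "<":                      # user view: <Switch>
            if view is not None:
                raise ValueError("user view carries no sub-view")
            return PromptInfo("Comware", "user-view", None, False)
        if view is None:                          # system view: [Switch]
            return PromptInfo("Comware", "system-view", None, True)
        return PromptInfo("Comware", "other-view", view, True)  # [Switch-Vlan-interface1]
    m = PROVISION_RE.match(p)
    if not m:
        raise ValueError(f"unrecognized prompt {p!r}")
    if m["sym"] == ">":                           # operator: Switch>
        if m["ctx"]:
            raise ValueError("operator level has no context")
        return PromptInfo("ProVision", "operator", None, False)
    if m["ctx"] is None:                          # manager: Switch# (config is
        return PromptInfo("ProVision", "manager", None, False)  # entered from here)
    if m["ctx"] == "config":                      # global configuration: Switch(config)#
        return PromptInfo("ProVision", "global-config", None, True)
    return PromptInfo("ProVision", "context-config", m["ctx"], True)  # Switch(vlan-1)#
```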


    HP CLI help

    Both HP ProVision and Comware CLIs offer help features to assist you in navigating the interface. The table shows the common help commands for both.

    You want to: View a brief description for all available commands at your context or view
    HP ProVision: help [Enter], ?, or [Tab]
    HP Comware: ?

    You want to: View commands that start with certain letters
    HP ProVision: <letters>? or <letters>[Tab]
    HP Comware: <letters>?

    You want to: Auto-complete a command
    HP ProVision and HP Comware: Type as many characters as necessary to identify the command uniquely and press [Tab]

    You want to: View the options for a command
    HP ProVision: <command> ?
    HP Comware: <command> ?

    You want to: View hotkeys
    HP ProVision: No help option
    HP Comware: display hotkey

    Note that you do not have to type the complete command. You just need to enter enough characters to identify it uniquely, and the switch completes the command.


    ProVision switches: CLI compatibility

    display commands

    Frequently used commands

    Fundamental commands

    Introduction

    Because many companies have both ProVision and Comware switches, HP has been focusing on providing CLI compatibility within the ProVision software. Specifically, HP has been adding support for certain Comware commands within the ProVision CLI. This effort is designed to help network administrators who are familiar with Comware commands to use the ProVision CLI more easily. The following switches provide this CLI compatibility:

    HP 8200 zl Switch Series

    HP 6600 Switch Series

    HP 6200 yl Switch Series

    HP 5400 zl Switch Series

    HP 3500 Switch Series

    HP 3800 Switch Series

    HP 2910al Switch Series

    HP 2915 Switch Series

    HP 2615 Switch Series

    HP 2620 Switch Series

    Note that this course outlines the CLI compatibility support available at the time the course was published. Check your ProVision switch documentation to learn more about the switches and the software versions that support this feature and to determine the exact Comware commands that are supported.

    display commands

    Many HP switches that run the ProVision software support more than 200 Comware display commands, which allow you to view information about the switch and its configuration. (Natively, ProVision switches support show commands, which provide similar functionality to display commands.)

    Frequently used commands

    To help network administrators who are familiar with Comware switches to easily manage ProVision switches, HP has also added support for common Comware commands that allow you to move within the CLI hierarchy, reverse (or undo) a command, and save a configuration (as shown in the examples provided).

    Fundamental commands

    To help network administrators who are familiar with Comware switches manage ProVision switches more easily, HP has also added support for fundamental Comware configuration commands, such as the file management commands shown here.

    Extended help

    HP has also added extended help messages to the ProVision help feature. These messages will help network administrators who are familiar with Comware identify the equivalent command on the ProVision switch. When this feature is enabled, these network administrators can simply type the first part of the Comware configuration command and press the [Tab] key. The help feature then will provide a reference to the correct ProVision command. It may also provide guidance on the next action for those configuration items that may not be intuitive due to naming or concept differences between Comware and ProVision software. Of course, not all Comware configuration commands require the new help feature: some configuration commands are identical, or very similar, to ProVision commands. Using these commands is self-explanatory.


    Summary

    In this module you have learned about:

    The benefits of HP switches

    The different ways in which switches are categorized

    In-band and out-of-band management access

    CLI structure of HP ProVision and Comware switches



  • Rev. 13.31 2 1

    Security Module 2

    Module 2: Security

    Objectives

    This module introduces you to the basics of network security. You will learn about todays security landscape and evolving threats. You will also learn the basics of securing HP networking infrastructure devices from improper access.

    After completing this module, you should be able to:

    Describe ways in which attackers gain unauthorized access to a network

    Explain factors that make a network vulnerable to unauthorized access

    Take the proper measures to physically secure infrastructure devices against unauthorized access



    Introduction

    As soon as you connect a switch or router to a network, it becomes part of the network's security environment. It can be either a secure or a weak link in the network's defenses.

    To ensure that you deploy a switch securely, you must understand the types of threats that travel through the network infrastructure or even target the network infrastructure itself.



    Overview of attacks

    First, consider the source of threats and attacks.

    Originally, security solutions were designed to protect a trusted network from external threats. Although external threats still exist, attacks often originate within the network.

    Some authorized users might intentionally launch attacks. Malicious employees, former employees, contractors, or guests could access data inappropriately, misuse resources, or launch attacks.

    Authorized users can also unintentionally introduce threats: connecting insecure or infected devices to the network, opening infected files, downloading applications with hidden malware, using weak passwords, or leaking passwords.



    Common attacks

    Unauthorized access

    Denial of Service (DoS)

    Impersonation

    Reconnaissance

    Malware

    Viruses and Worms

    Introduction

    You should be aware of several broad categories of threats, which might originate externally or internally.

    Unauthorized Access

    Unauthorized access occurs when an unauthorized user accesses your network either by guessing, stealing, or cracking a password or by finding insecure network access points. Hackers might be able to crack passwords by trying many different dictionary words or by wiretapping and eavesdropping on communications. Hackers can also trick users into revealing passwords or find passwords that are stored insecurely.

    Denial of Service (DoS)

    DoS attacks occur when hackers are able to overwhelm a network's resources. For example, hackers might generate enough traffic to consume available bandwidth or send a server or infrastructure device so much traffic that the device's processor is continually at 100 percent utilization. By tying up these resources, hackers prevent valid users from accessing network services. Hackers also use Distributed DoS (DDoS) attacks, transforming many computers into zombies that launch the attack and magnify the power of the attack while concealing the source. In a variation, called a reflective DDoS attack, the zombie computers send spoofed requests to Internet reflectors (Web servers and so forth). The reflectors then flood the spoofed address, which is the target of the attack.

    Impersonation

    Impersonation attacks occur when attackers masquerade as legitimate resource providers to steal private information or install malware on a workstation. Two common types of impersonation attacks are man-in-the-middle (MITM) attacks and phishing attacks:

    In an MITM attack, hackers intercept communications between two endpoints that believe they are communicating with each other and replace the contents of the communication.

    In a phishing attack, the hacker poses as a trusted server and tricks users into sending passwords or other sensitive data.

    Reconnaissance

    Reconnaissance attacks are used to gather information about a network and to discover potential vulnerabilities a hacker can exploit. Hackers often use tools that can be legitimately used as troubleshooting tools, such as:

    Port scanners, to find open TCP or UDP ports

    Network mapping software, which discovers information about all available endpoints and applications on a network

    Malware

    Malware describes any software designed to use network resources or infiltrate network devices without the knowledge or consent of the device owner. Types of malware include:

    Adware, which displays unwanted pop-up ads on infected systems

    Spyware, which records Web sites visited, keystrokes, and other personal information, which can be used for identity theft or unauthorized network access

    Rootkits, which allow a hacker to hijack the system, using it as a backdoor to access other resources or turning it into a zombie to launch attacks

    Trojan horses, which are programs that users intentionally install without knowing the program contains malware

    Viruses and worms, which are malicious bits of code. (Viruses and worms are covered as their own topic in this section.)

    Viruses and Worms

    Viruses and worms are small, malicious bits of code that self-replicate and propagate. The terms virus and worm are often used interchangeably, but there is a difference between the two. Viruses spread through files, which users must open, while worms propagate using network connections. Viruses and worms are often polymorphic/metamorphic. They use self-encryption and self-alteration to disguise themselves and avoid detection by anti-virus software. Unchecked, viruses and worms can spread rampantly through an unprotected network and cause enormous amounts of damage to vital files and network resources.


    Need for physical security

    Introduction

    As you have learned, internal users can unwittingly allow their endpoints to become compromised, and hackers can then use the endpoints to launch harmful attacks. Consider what can happen if hackers compromise a network infrastructure device, which supports hundreds or even thousands of users' traffic. Protecting your infrastructure begins by controlling who has physical access to these devices.

    Modules or the switch

    With physical access to the switch, malicious users can remove modules from modular switches or steal the entire switch.

    Console port

    If a hacker has physical access to the switch and no one has restricted access to the console port, the hacker can easily establish a terminal session to the command-line interface (CLI) of the switch through that console port. Hackers that gain management access can hijack the switch and gain unauthorized access, perform network reconnaissance attacks, initiate DoS attacks, and disable security features. By default, neither HP Comware nor ProVision switches are configured with a password for console port access.

    Reset and Clear buttons

    ProVision switches have Reset and Clear buttons. Some Comware switches have Reset buttons. These buttons are provided to help troubleshoot problems and allow you to reboot the switch, reset the switch to factory default settings, and clear management passwords. However, an unauthorized user could use these functions to disable a switch or gain management access to it.

    Ports

    Users with physical access to a switch can disconnect or move Ethernet cables, causing a DoS attack for users or other services connected through that link.

    Power cord

    Users with physical access to a switch can unplug the power, causing a DoS for users or other services connected through the switch.


    Defense in depth

    To confront these threats, organizations require Defense in Depth. This layered approach to security employs multiple solutions to guard against the same threat. For example:

    A switch is locked away from unauthorized access, and a password also protects its management interfaces.

    Switches enforce authentication to prevent most users who would maliciously release a virus from ever connecting. An Intrusion Prevention System (IPS) blocks viruses introduced by devices owned by legitimate users who do not know their devices are infected.



    HP Security and Risk Management Principles

    Build it in

    Make it intelligent

    Protect what matters

    Introduction

    Managing multiple layers of security can be challenging, particularly as valuable data proliferates and becomes dispersed in Bring Your Own Device (BYOD) and cloud solutions. HP Security and Risk Management solutions help companies integrate security across the enterprise.

    Build it in

    Rather than bolt on security as an afterthought, HP solutions build security into every component and also ensure that each component participates in the integrated, business-level strategy.

    Make it intelligent

    HP security solutions collect information from end to end. By combining and correlating information from many areas, including endpoints, applications, and network infrastructure devices, security solutions can make intelligent choices that protect the company and prove regulatory compliance without interfering with productivity.

    Protect what matters

    HP helps to maximize the value of security solutions by ensuring that these solutions protect the data that is most valuable to the business.


    Security and Risk Management Areas

    The HP Security and Risk Management portfolio includes solutions in six areas.

    Security governance, risk, and compliance

    Operations security

    Application security

    Endpoint security

    Network security

    Data center security

    Security governance, risk, and compliance

    The HP Information Security Management (ISM) service replaces disparate security processes with an integrated service that governs security for the entire enterprise from endpoint to network to application to the cloud.

    Operations security

    HP operations security solutions integrate security solutions and processes with overarching business orchestration solutions and processes.

    Application security

    From the earliest stages of application architecture, whether for in-house applications or cloud services, HP helps you to design the appropriate security measures and build them into the application.

    Endpoint security

    HP provides a wide portfolio of solutions for securing servers, desktops, laptops, printers, and other endpoints, as well as solutions for ensuring proper access control and data protection for BYOD.

    Network security

    Each component of the network infrastructure supports secure data transmission with built-in protections against exploits and unauthorized network traffic. In addition, HP provides industry-leading network security solutions such as next-generation firewalls and HP TippingPoint IPSs.

    Data center security

    Several HP services help you to design a complete, integrated security solution for all components of your data center or private cloud, including both physical and virtual components of servers and the network infrastructure.


    Security built into the network infrastructure

    Introduction

    Although this course does not cover specific security services and solutions, HP network infrastructure devices do play a role in an overall security solution. The HP network infrastructure provides a solid foundation for secure communications.

    Secure device management

    HP switches enable you to implement best practices for managing them securely. You will delve into the details later in this module.

    Built-in protection against DHCP attacks

    Used on most networks today, Dynamic Host Configuration Protocol (DHCP) is vulnerable to attacks such as address spoofing and address exhaustion. With address spoofing, a rogue DHCP server assigns invalid addresses to network devices so these devices cannot operate on the network. With address exhaustion, an attacker requests IP addresses from a legitimate DHCP server until the DHCP server's supply of available IP addresses (pool) is exhausted. When a DHCP server's IP pool is exhausted, valid network hosts cannot receive an IP address and cannot access the network. HP switches can provide protection against these attacks by setting trusted ports for particular DHCP messages.

    Built-in protection against STP attacks

    Spanning Tree Protocol (STP), which you will learn more about in Module 6: Redundancy, enables redundant network links. Devices running STP exchange Bridge Protocol Data Units (BPDUs) to determine active network links; other links are disabled. In an STP attack, a rogue device sends spoofed BPDUs, joins the spanning tree, and affects link selection, which wreaks havoc on the network. HP switches offer BPDU protection and guard features, which ensure that untrusted BPDUs are dropped. Some switches have additional features for ignoring unauthorized STP messages.

    Built-in protection against ARP attacks

    Switches and other devices use Address Resolution Protocol (ARP) to resolve IP addresses to MAC addresses. Switches maintain a table of known IP addresses and the associated MAC addresses. Rogue devices use ARP attacks to poison these tables, so that network IP addresses are associated with the MAC addresses of rogue devices. When traffic is sent to these rogue devices, attackers can gather confidential information. HP switches can protect against ARP poisoning. They use DHCP snooping to build tables that specify the expected ports for particular MAC addresses and, based on those expectations, reject suspicious ARP messages.
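    To make the DHCP-snooping and ARP-protection logic above concrete, here is an added Python model (not HP switch code) of a switch that accepts DHCP server messages only on trusted ports, records the IP-to-MAC-to-port binding a completed lease creates, and drops ARP messages on untrusted ports whose sender contradicts those bindings. The ports, addresses and message sequence are constructed sample data.

```python
"""Model of DHCP snooping and ARP protection on an access switch.

Added example, not HP switch code: the switch accepts DHCP server messages
(offer, ack) only on trusted ports, records the IP/MAC/port binding that a
successful lease creates, and drops ARP messages on untrusted ports whose
sender does not match a binding. Ports and addresses are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SERVER_KINDS = {"offer", "ack"}      # messages only a DHCP server sends


@dataclass(frozen=True)
class DhcpMsg:
    port: str
    kind: str            # "discover", "request", "offer" or "ack"
    client_mac: str
    yiaddr: str = ""     # address being assigned (offer/ack only)


@dataclass(frozen=True)
class ArpMsg:
    port: str
    sender_mac: str
    sender_ip: str


class SnoopingSwitch:
    def __init__(self, trusted_ports: Set[str]) -> None:
        self.trusted = set(trusted_ports)
        self.pending: Dict[str, str] = {}                # client MAC -> port it asked from
        self.bindings: Dict[str, Tuple[str, str]] = {}   # IP -> (MAC, port)
        self.log: List[str] = []

    def handle_dhcp(self, m: DhcpMsg) -> bool:
        """Return True if the message is forwarded, False if dropped."""
        if m.kind in SERVER_KINDS and m.port not in self.trusted:
            self.log.append(f"drop DHCP {m.kind} on untrusted {m.port}: rogue server")
            return False
        if m.kind in ("discover", "request"):
            self.pending[m.client_mac] = m.port
        elif m.kind == "ack" and m.client_mac in self.pending:
            port = self.pending.pop(m.client_mac)
            self.bindings[m.yiaddr] = (m.client_mac, port)
            self.log.append(f"bind {m.yiaddr} -> {m.client_mac} on {port}")
        return True

    def handle_arp(self, a: ArpMsg) -> bool:
        """Forward ARP from trusted ports; elsewhere require a matching binding."""
        if a.port in self.trusted:
            return True
        expected: Optional[Tuple[str, str]] = self.bindings.get(a.sender_ip)
        if expected != (a.sender_mac, a.port):
            self.log.append(f"drop ARP on {a.port}: {a.sender_ip} claimed by "
                            f"{a.sender_mac}, binding is {expected}")
            return False
        return True


def run_scenario() -> Dict[str, bool]:
    """Constructed sequence: a legitimate lease, then a rogue host's attempts."""
    sw = SnoopingSwitch(trusted_ports={"1/0/24"})     # uplink toward the real DHCP server
    client, rogue = "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    return {
        "discover": sw.handle_dhcp(DhcpMsg("1/0/1", "discover", client)),
        "ack": sw.handle_dhcp(DhcpMsg("1/0/24", "ack", client, "192.0.2.10")),
        "rogue_offer": sw.handle_dhcp(DhcpMsg("1/0/7", "offer", client, "192.0.2.99")),
        "client_arp": sw.handle_arp(ArpMsg("1/0/1", client, "192.0.2.10")),
        "spoofed_arp": sw.handle_arp(ArpMsg("1/0/7", rogue, "192.0.2.10")),
        "gateway_claim": sw.handle_arp(ArpMsg("1/0/7", rogue, "192.0.2.1")),
    }
```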


    Intelligent decisions supported by the network infrastructure

    Introduction The HP network infrastructure devices also help to collect information and enforce intelligent security decisions. Basic access control Basic access control ensures that only authorized users, as defined by business policies, are allowed to connect to the network and use network resources. Basic access control ensures that a stranger cannot connect a laptop to an open network port in your office and join the company network without first passing an authentication test. Basic access control also protects wireless LANs (WLANs), checking the credentials of wireless users and devices as they initially connect and roam across the campus. This access control also manages the rights of authorized users after they connect to the network, according to business policies. Endpoint integrity Endpoint integrity forms a key element of a BYOD solution. Authorized users may still endanger the network if they use insecure devices. An insecure device is not properly protected: It might not have a firewall or anti-virus software, or its anti-virus software might be out of date. It might be running unauthorized software or be infected by malware. Endpoint integrity isolates such devices until they are brought into compliance.

  • Getting Started with HP Switching and Routing

    2 16 Rev. 13.31

    For example, an authorized user connects to the network with a device that has outdated anti-virus software. Endpoint integrity ensures that the device is quarantined and the user is notified of the problem. The device is not allowed out of quarantine and allowed normal access to the network until the user updates the anti-virus software.

    Security policy enforcement

    HP switches can take a number of actions to support policies configured centrally, including blocking all traffic, applying VLAN assignments, and so on. In addition, a number of HP switches support OpenFlow, an emerging network virtualization technology. As one of the mechanisms delivering Software-Defined Networking (SDN), OpenFlow forms the foundation for complete abstraction and centralization of the network control plane, promising to extend network virtualization in many innovative ways. OpenFlow works by replacing a network infrastructure device's own processing and forwarding decisions with decisions programmed on an ongoing basis by centralized controllers. In addition, switches that support OpenFlow will be able to collect information and enforce decisions for a security solution that interfaces with the SDN controller.

    Integration with centralized logging and management solutions

    HP switches can send logs and SNMP traps to centralized solutions that archive and manage logs and events across the enterprise.


    Ensuring physical security

    Introduction

    While implementing a complete security solution might lie beyond your realm of responsibility, you can do your part by ensuring that you deploy infrastructure devices securely. Earlier you learned about vulnerabilities that can arise when a switch lacks physical security.

    Modules or the switch

    Whenever possible, you should store switches in a secure, locked, and preferably camera-monitored room. If this is not possible, you should bolt the switch in place.

    Console port

    To protect management access to the switch's console port, you should store the switch in a secure, locked, and preferably camera-monitored room. If you cannot secure the switch physically, you should disable the console port. You should consider setting a secure password for console access even on physically secure switches.


    Reset and Clear buttons

    You should do one of the following:

    Store the switch in a secure, locked, and preferably camera-monitored room so that only authorized staff can use the buttons.

    Configure the switch to disable the buttons. (The Building SMB Networks with HP Technologies course will teach you how.)

    Ports

    The only way to protect against a user disconnecting cables is to store the switch in a secure, locked, and preferably camera-monitored room.

    Power cord

    The only way to protect against a user removing the switch power is to store the switch in a secure, locked, and preferably camera-monitored room.


    Authenticating management users

    You will now focus on securing your network infrastructure devices by authenticating management users. Specifically, you will learn how to:

    Ensure that only authorized users have access to a switch

    Distinguish between the levels of access provided to management users

    You should generally set up authentication for all forms of management access:

    Console port (might not be necessary if the device is physically secure)

    Telnet

    Secure Shell (SSH)

    HTTP and HTTP over Secure Sockets Layer (HTTPS)


    Authentication on Comware switches

    Introduction

    As you learned previously, Comware switches have several user interfaces, which control various forms of management access. For each interface, you can select one of the following authentication methods:

    None: No authentication is required (not recommended).

    Password: All users who log in through the same interface use the same password and receive the same level of access.

    Authentication, Authorization, and Accounting (AAA): Users authenticate to either a local list or to an external server (usually a RADIUS server). They are authorized for the level of management access associated with their account.

    The figure shows the AAA authentication process.

    Step 1

    When a user attempts to establish a management session, the switch prompts the user for his or her credentials.

    Step 2

    The user supplies the credentials: a user name and password.


    Step 3

    The switch forwards the login credentials to a RADIUS or TACACS server for validation. (Alternatively, the switch could have a local record of user accounts and validate the credentials itself.)

    Step 4

    The server validates the login credentials and notifies the switch whether or not to grant the user access. If the user is granted access, the server also tells the switch what level of access the user receives. The switch enforces the decision.


    Authentication on ProVision switches

    Introduction

    HP ProVision switches also support multiple authentication methods. You can select a primary and backup method for each access method: Telnet, SSH, console, or Web.

    None: No authentication is required (not recommended).

    Local authentication: All operators log in with a single operator account, and all managers log in with a single manager account.

    Remote RADIUS or TACACS+ authentication: The switch sends a request to an authentication server (usually a RADIUS server). Each management user has a unique user account, and when a user logs in successfully, the authentication server assigns each user an attribute for either operator or manager access.

    The figure illustrates the steps in the local authentication process.

    Step 1

    When a user attempts to open a management session, the switch prompts the user for a password.

    Step 2

    The user submits a password. If the password matches the manager or operator password, the user receives manager or operator privilege, respectively. If the user does not enter valid credentials, he or she cannot access the switch.


    Secure management protocols

    When you manage a switch, you send vital information over the connection. For out-of-band management, such as with a connection to the console port of the switch, you can be certain that no one can intercept the data.

    The out-of-band console connection does not provide encryption but is free from snooping.

    With in-band management, however, the vital data crosses the shared network. Hackers might be able to intercept and read data sent in clear-text and then use that data to obtain unauthorized access to your switches or to impersonate network servers.

    You must protect the data's privacy by using secure management protocols that support encryption.

    Access the CLI with SSHv2 to encrypt in-band management traffic.

    Access the Web interface with HTTPS to encrypt in-band management traffic.



    SSHv2

    Introduction

    SSHv2 ensures the privacy and integrity of management traffic by:

    Securing authentication

    Encrypting management traffic

    SSH establishes a secure tunnel between your management station and the switch. The figure shows the process of establishing the tunnel and logging the user in.

    Step 1

    The management station establishes a secure tunnel on the SSHv2 Transport Layer. The station and the switch agree on shared encryption and hash keys using the secure Diffie-Hellman exchange. Using these keys, the station and switch can transform data so that hackers cannot tamper with it (hash keys) or read it (encryption keys). When establishing the tunnel, the switch also uses a public-private key pair to prove its identity, which ensures that the management station does not send credentials to an imposter. For more information about hashing and the Diffie-Hellman exchange, refer to the HP Network Infrastructure Security Technologies WBT.


    Step 2

    The switch requests the management user's credentials. The credentials are passed to the switch through the secure tunnel. The switch can then authenticate the user locally or to a remote server, as previously discussed.

    Step 3

    The management station and switch establish communication channels to transmit the management session data within the secure tunnel.


    HTTPS

    Introduction

    HTTPS uses the Secure Sockets Layer (SSL) protocol. Like SSHv2, SSL creates a secure tunnel using encryption and hashing keys generated in a Diffie-Hellman exchange. The figure illustrates the process.

    Step 1

    Your management station and the switch establish a secure tunnel using the SSL protocol. When establishing the tunnel, the switch authenticates itself using a digital certificate.

    Step 2

    All further communications run securely over the encrypted SSL connection. These communications include your authentication credentials and all management traffic after you log in successfully.


    SSH and HTTP requirements

    How do I set up HTTPS on HP Comware switches?

    How do I set up HTTPS on HP ProVision switches?

    How do I set up SSH on HP Comware switches?

    How do I set up SSH on HP ProVision switches?

    Introduction

    Read the following questions to learn how to use the secure management protocols.

    How do I set up HTTPS on HP Comware switches?

    On Comware switches, you need to generate and export a certificate request, which you then have signed by a certificate authority (CA). A CA is a trusted third-party company that certifies identities. You must then install the signed certificate and enable the HTTPS server on the switch. If you have software version 5.20 F2218P01-US or later, you can simply enable HTTPS, which automatically generates a self-signed certificate. In addition, the Comware switches require user accounts for HTTPS access, so you must configure at least one VTY user interface that uses AAA (scheme) authentication, either to the local list or to a RADIUS server. The user's account must specify a service type of web.

    How do I set up HTTPS on HP ProVision switches?

    On ProVision switches, you need to generate and export a certificate request, which you then have signed by a certificate authority (CA). A CA is a trusted third-party company that certifies identities. You must then install the signed certificate and enable HTTPS on the switch.


    You can alternatively generate a self-signed certificate and enable HTTPS. You can choose any option that you learned about earlier for authenticating operators and managers.

    How do I set up SSH on HP Comware switches?

    On Comware switches, you must generate a public/private key pair for SSH. You can install the public key on management stations' SSH clients manually or trust the key the first time you connect. You must also enable the SSH server, which is disabled by default. The Comware switches require user accounts for SSH access, so you must configure at least one VTY user interface that uses AAA (scheme) authentication, either to the local list or to a RADIUS server. You must create an SSH user on the switch for each local or RADIUS user who is allowed SSH access. The SSH user settings indicate whether this user authenticates with a password or uses public-key authentication. Password authentication allows SSH users to log in with the password in their accounts. If you select public-key authentication, you must generate a public/private key pair on each authorized manager's SSH client and install the public keys on the switch.

    How do I set up SSH on HP ProVision switches?

    On ProVision switches, you must generate a public/private key pair for SSH. You can install the public key on management stations' SSH clients manually or trust the key the first time you connect. You can also use SSH keys to authorize managers. Generate a public/private key pair on each authorized manager's SSH client. Then install those keys on the switch as authorized client keys. Alternatively, operators and managers can just authenticate with usernames and passwords, using the options that you learned about earlier.
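    An added example, not part of the HP course or its switch software: the host-key check that a management station's SSH client performs with the switch's public key, covering both options named above (the key installed manually in advance, or trusted the first time you connect) and the mismatch that signals an imposter. The key lines are built from toy moduli, and the addresses and names are made up.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH 'mpint': minimal big-endian bytes, with a leading 0x00 when the
    top bit is set so the number is not read as negative."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_key_line(e: int, n: int, comment: str) -> str:
    """Produce an OpenSSH-style 'ssh-rsa <base64 blob> <comment>' line."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def fingerprint(key_line: str) -> str:
    """SHA256 fingerprint in the form OpenSSH prints ('SHA256:...'), which
    is what you compare with the fingerprint displayed on the switch."""
    _key_type, b64, *_comment = key_line.split()
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class KnownHosts:
    """Minimal known_hosts: switch address -> fingerprint on record."""

    def __init__(self):
        self._known = {}

    def install(self, address: str, key_line: str) -> None:
        """Manual installation of the switch key, the first option above."""
        self._known[address] = fingerprint(key_line)

    def verify(self, address, presented_key_line, trust_on_first_use=False):
        """Return 'verified', 'trusted-first-use', 'unknown-host' or
        'KEY MISMATCH'. Only the first two should lead to a login."""
        fp = fingerprint(presented_key_line)
        known = self._known.get(address)
        if known is None:
            if trust_on_first_use:          # second option: trust, then remember
                self._known[address] = fp
                return "trusted-first-use"
            return "unknown-host"           # no key on record: do not log in
        # A different key than the one on record is how an imposter shows up.
        return "verified" if known == fp else "KEY MISMATCH"


# Constructed keys: toy moduli, not usable for real SSH.
SWITCH_KEY = build_rsa_key_line(0x10001, 0xC0FFEE1234567890ABCDEF, "switch-1")
IMPOSTER_KEY = build_rsa_key_line(0x10001, 0xDEADBEEF0BADF00D1234, "imposter")


def run_sample():
    """Walk through the cases an administrator's client can hit."""
    store = KnownHosts()
    store.install("10.1.0.1", SWITCH_KEY)
    return [
        store.verify("10.1.0.1", SWITCH_KEY),                    # genuine
        store.verify("10.1.0.1", IMPOSTER_KEY),                  # imposter
        store.verify("10.1.0.2", SWITCH_KEY),                    # nothing on record
        store.verify("10.1.0.2", SWITCH_KEY, trust_on_first_use=True),
        store.verify("10.1.0.2", SWITCH_KEY),                    # remembered now
    ]
```

    Trusting on first use only protects later sessions, so the first connection should still be made from a secure location, or its fingerprint compared with the one the switch displays after you generate its key pair.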


    Summary

    In this module, you learned about network threats and the measures you can take to protect against these threats. Specifically, you learned about:

    Threats originating from inside and outside a company's network

    HP's defense strategy that helps protect against threats, no matter where they originate

    Methods for securing your infrastructure, both from physical tampering and unauthorized access



    VLANs Module 3

    Module 3: VLANS

    Objectives

    This module explains one of the most fundamental aspects of managing today's networks, virtual LANs (VLANs).

    After completing this module, you should be able to:

    Describe how VLANs are used in today's networks

    Explain how the 802.1Q standard enables network infrastructure devices to transmit and receive traffic from multiple network segments

    Explain how to configure VLANs on HP Comware and ProVision switches

    Explain the terms tagged, untagged, access port, trunk port, and hybrid port as they relate to VLANs


    Definition of a VLAN

    A LAN is typically defined as a group of connected devices in close physical proximity. A virtual LAN (VLAN), on the other hand, is not defined by physical proximity. A VLAN is a logical group of devices that has been assigned to a particular subnet.

    VLANs can span multiple switches and can be used to segment the otherwise flat structure of a LAN.

    This course focuses on port-based VLANs, which are defined on switch ports. In this example network, some switch ports have been assigned to VLAN 10, some to VLAN 20, and others to VLAN 30.


    IP addressing for VLANs

    Each VLAN is associated with an IP subnet. In the example network, VLAN 10 is associated with 10.1.10.0/24, VLAN 20 with 10.1.20.0/24, and VLAN 30 with 10.1.30.0/24.

    All VLANs are located within the larger 10.1.0.0/16 subnet.

    NOTE: In this course, Classless Inter-Domain Routing (CIDR) is used to express network IP addresses. In place of the subnet mask, CIDR uses a prefix length, which indicates how many bits are in the network portion of the address. For more information about CIDR, see Request for Comments (RFC) 1519 (http://www.ietf.org/rfc/rfc1519.txt).


    Need for VLANs on today's network

    Introduction

    Now that you have a basic understanding of what VLANs are, you should consider why companies use them.

    Security

    Today's networks provide services for different groups of users, such as employees, partners, and visitors. If all of these users are on the same subnet, it is easier for users to compromise security. For example, visitors might be able to view employees' data as that data is transmitted across the network. They might try to access data center servers when they should only access the Internet. You can (and should) implement security to prevent unauthorized users from accessing these servers. However, users might still be able to launch scans, use a protocol analyzer to view traffic on the wire, or launch attacks. Companies can use VLANs to isolate traffic and help to ensure users only have access to the resources to which they should be granted access, increasing security.

    Broadcast domain

    An Ethernet network is, by definition, a broadcast domain. Devices on Ethernet networks send broadcasts to discover other devices or to provide information about themselves.


    Broadcasts are forwarded to all devices in the broadcast domain, which defines the portion of the network to which devices can send traffic at the Data Link layer. A routing switch or router is required to route data between broadcast domains. In a large broadcast domain, broadcasts can negatively affect the endpoints that must process them and consume bandwidth. VLANs improve network performance. They break large broadcast domains into smaller broadcast domains, ensuring that every device's broadcasts do not flood the entire network infrastructure.


    Example of network segmentation with VLANs

    Introduction

    Now you will look at an example of how a network designer might use VLANs to segment a company network. In this example, the company is using subnet 10.1.0.0/16. The network designer must plan the VLANs and IP addresses in tandem. Each VLAN will be associated with a unique IP subnet, and each department will be assigned to one or more VLANs.

    Phase 1: Design

    For the IP addressing scheme, each subnet will have a subnet mask of 255.255.255.0 (/24), which means that the network address uses the first three octets:

    The first octet for all subnets is 10 because the company is using private addresses in the 10.0.0.0/8 block.

    The second octet is being used as a site identifier. In the scenario above, 1 has been assigned to identify this building. For other buildings, the company uses different values in the second octet.

    The third octet includes the VLAN ID. Each department or type of user will be assigned a different VLAN ID.

    The fourth octet is the host portion of the IP address. Certain addresses are reserved; 1 to 30 are used for servers, printers, and other shared network devices.


    Users' workstations can receive IP addresses in the 30 to 180 range. The remaining host numbers are reserved for future expansion.

    Phase 2: Guests

    The network designer knows that guests will need to access the network, primarily so that they can connect to the Internet while they are on-site. The network designer assigns VLAN 10 and subnet 10.1.10.0/24 to guests.

    Phase 3: IT

    The network designer assigns the IT group VLANs 1 and 5. VLAN 1 is