ProCurve Switch Best Practices

2008 Hewlett-Packard Development Company, L.P.The information contained herein is subject to change without notice.

HP ProCurve NetworkingAndy GallacherNov, 2009

Agenda

Physical Infrastructure (Cabling, 10 GbE)Link technologies (Auto MDIX, Negotiation)Design methodologies (Link aggregation,

VLANs, STP)Server TeamingRouter Redundancy (VRRP)

Product Overview & Whats New

ProCurve Manager

Technical Phone Support / Firmware Upgrades

Industry Standards

ProCurve Manager SW(Network Management Software shipped with each switch)

Lifetime Warranty(ALL hubs and switches/routing switches to 8200zl)

Price/Performance(ProCurve is often 20-30% less than the

competition)

HP ProCurve: Quick Facts

4ProCurve Positioned

in Gartners Leaders

Quadrant

Magic Quadrant for Enterprise LAN (Global), 2009, Mark Fabbi, Tim Zimmerman, 30 April 2009.

Magic Quadrant:Enterprise LAN (Global), 2009

The Gartner Magic Quadrant is copyrighted April 2009 by Gartner, Inc., and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartners analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the Leaders quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The Magic Quadrant graphic was published by Gartner, Inc., as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from HP ProCurve.

Why HP ProCurve Networking? Customer Value

Superior return on IT Price/performance leadershipEngineered for affordability

Secure solutionsTrusted partner

Security and Trust

Proactive networkingFocused on innovation and ease of use

Reduced complexity

Highly availableHP quality and industry-best warrantyReliability

Switches Wireless LAN WAN

Scalable core-to-edge switches based on open standards unify

the network & reduce complexity

802.11n wireless solutions provide networking access, management and security.

WAN solutions provide adaptable, unified edge-to-edge

network connectivity.

Data Center Network Management Network Security

DC solutions provide policy-based, automated provisioning of

network and server resources.

Device handling capabilities such as mapping, configuration and monitoring across the network.

Security features embedded throughout the network that detect

and respond to threats.

HP ProCurve product categories

Secure RouterAccess Point & Controller

Core & Edge Switches

DCM Controller

ProCurve Switching Portfolio

EnterpriseNetworks

Small BusinessNetworks

EstablishedTechnology

Simple,Cost

EffectiveConnectivity

Layer 2,Web managed,

Unmanaged

2810, 2510,1800, 1700,

1400

TraditionalEdge

BasicEnterprise

Edge

Layer 3 lite, Security,

Sflow

4200, 2800, 2610,2910

LAN Enterprise

High-Function

Edge (AEA)&

Core/Distribution

Full Layer 3

5400, 3500,WAN

DataCenter

Data CenterSpecific Design

Layers 2 & 3,Automatedprovisioning

6600, 6120DC Connection

Manager

Core/ Distribution

Core&

Distribution /Aggregation

8200,6200

Full Layer 3+, Layer 4, HA

Fu

n

c

t

i

o

n

a

l

i

t

y

Price/Performance

LAN Enterprise SwitchesPortfolio Overview

2520G-PoE2520-PoE

2810

2910al-PoE2910al

Lite Layer 3 Managed

Layer 2Managed

2610-PWR2610

1700 Layer 2Web Managed

2510G/2510: Managed layer 2 feature set 24 or 48 10/100 or Gigabit ports Two SFP ports for fiber connectivity Quiet operation for open space deployment

1810G/1700: Plug and play connectivity Basic network configuration capabilities Excellent migration from unmanaged switches Silent operation for open space deployment

2810: Managed Layer 2 feature set with 24 or 48 Gig ports sFlow, source port filtering, enhanced security Redundancy with RPS support Four SFP ports for fiber connectivity More robust/granular QoS

2610/2610-PWR: Access layer 10/100 switch Static IP routes enable routing between VLANs Robust and granular security and QoS policies Redundancy with RPS support

2910al/2910al-PoE: High performance gigabit access switch Four optional 10-Gigabit ports (CX4 and/or SFP+) IEEE 802.3af/802.3at functionality (PoE/PoE+) Layer 2 switching with static and RIP IP routing Lifetime Warranty, sFlow, ACLs and rate limiting

1810G

2510G2510

2520G/2520: Managed layer 2 PoE switch family 8 or 24 10/100 or Gigabit ports Ability to prioritize traffic using QoS for reliable VoIP deployments Quiet operation and small form-factor for open space deployment

GA Nov. 1 2009

EstablishedTechnology

TraditionalEdge

LAN Enterprise Switches(Same ASIC and features)

9

3500 10/100 Non-PoE

3500 10/100 PoE/PoE+

3500yl 1G PoE/PoE+

5406zl PoE/PoE+5412zl PoE/PoE+

8212zl 8206zl

Expanding The ProVisionFamilyExpanding The ProVisionFamily


Whats New

Introducing the ProCurve 2520/2520G Switch Series (Established Technology)

2520-8-PoE - 8 10/100-T ports + two shared 10/100/1000-T SFP ports for fiber connectivity

2520G-8-PoE - 8 10/100/1000-T ports + two shared 10/100/1000-T SFP ports for fiber connectivity

2520-24-PoE - 24 10/100-T ports +2 10/100/1000-T ports + two shared 10/100/1000-T or SFP ports for fiber connectivity

2520G-24-PoE - 22 10/100/1000-T ports + four shared 10/100/1000-T or SFP ports for fiber connectivity

HP ProCurve 2520G-24-PoE Switch (J9280A)

HP ProCurve 2520-8-PoE Switch (J9137A) HP ProCurve 2520-24-PoE Switch (J9138A)

HP ProCurve 2520G-8-PoE Switch (J9279A)

12

3500 10/100 Portfolio (LAN Enterprise)

J Number Official Product Description

J9470A HP ProCurve 3500-24 Switch

J9472A HP ProCurve 3500-48 Switch

J9471A HP ProCurve 3500-24-PoE Switch

J9473A HP ProCurve 3500-48-PoE Switch

These switches have no expansion slots for the ProCurve Switch yl Module, so they do not have the yl designation.

13

8206zl Base SystemJ9475A (LAN Enterprise/Core)

Includes:1x chassis1x management

module2x fabric modules 1x system support

module 1x fan tray6 interface/services

module slots

Mgmt Modules

Interface/Service Module Slots

Fabric Modules

Rear:Fan Tray, Power Supplies

6 RU

8206zl Front View

14

8206zl vs. 8212zl8206zl 8212zl

Target Market Moderate-port-count network deployments Higher port-count network deployments

Port Density Up to 144 10/100/1000Up to 24 10GbEUp to 288 10/100/1000

Up to 48 10GbE

Rack Units Occupied 6 RU 9 RU

Performance 322.8 Gbps 646 Gbps

Throughput 240.2 mpps 428 mpps

L2/L3 L3 services when running at L2; L3 routing with Premium LicenseL3 services when running at L2; L3

routing with Premium LicenseOptimized Port Environment GbE 10 GbE GbE 10 GbE

High Availability Dual/slotted mgmt/fabric; passive backplane; redundant powerDual/slotted mgmt/fabric; passive

backplane; redundant power

PoE/PoE+ Yes, standard Yes, standard

Interface/Services Modules 6 supported 12 supported

InternalPower Supplies

2 supported: up to 1800 watts PoE/PoE+ power

4 supported: up to 3600 watts PoE/PoE+ power

*The price reflects the new 8212zl base system, J8715B, which does not include the premium license.

15

Known zl Interface ModulesJ8702A: 24-Port 10/100/1000 PoE zl Module

J8705A: 20-Port 10/100/1000 PoE + 4-Port Mini-GBIC/SFP zlModuleLH-LC, LX-LC, SX-LC, BX, 1000Base-T Mini-GBIC/SFP support100-Meg xcvrs (100-FX) for SFP slots

J8706A: 24-Port Mini-GBIC zl ModuleLH-LC, LX-LC, SX-LC, BX, 1000Base-T Mini-GBIC support

J8707A: 4-Port 10GbE X2 zl ModuleCX4, SR, LR, J8707A - zl 4-Port LRM, or ER optics support

J8708A - 4-Port 10GbE CX4 zl ModuleCX4, SR, LR, J8707A - zl 4-Port LRM, or ER optics support

Used with both the 8200zl and 5400zl switches

16

HP ProCurve zl Power Supplies

New!

Used with both 8200zl and 5400zl

8212zl/5412zl: Up to 4 power supplies, 3600W PoE/PoE+

(5400 watts with Power Supply Shelf)

8206zl/5406zl: Up to 2 power supplies, 1800W PoE/PoE+

(3600W with Power Supply Shelf)

Chassis Power

PoEPower

PoE+ Power

875W Power Supply J8712A(110-127/200-240 VAC)

600W 273W

1500W Power Supply J8713A(220 VAC only)

600W 900W

1500W Power Supply J9306A(110-127/200-240 VAC)

600W 300W/900W300W/900W

Power Supply Shelf J8714A 0

Up to 1800W

Up to 1800W

875W zl Power Supply

1500W zl Power Supply

1500W PoE+zl Power Supply

(J8712A) (J8713A) (J9306A)

Input Voltage 110127 VAC 200240 VAC 200220 VAC 110127 VAC 200240 VAC

Input Current 11.5 A 5.7 A 10 A 13 A 10 A

PoE Power 273 W 273 W 900 W 300 W 900 W

Frequency 50/60 Hz 50/60 Hz 50/60 Hz 50/60 HZ 50/60 Hz

PoE/PoE+ PoE PoE PoE PoE+ PoE+

HP ProCurve zl Power Supply SpecsElectrical Characteristics

New!

HP ProCurve 6600 Switch Series (Data Center)

Product # Description

J9263A HP ProCurve 6600-24G(24) 1G ports

J9264A HP ProCurve 6600-24G-4XG(24) 1G ports, (4) 10G ports

J9265A HP ProCurve 6600-24XG Switch(24) 10G ports

J9451A HP ProCurve 6600-48G Switch(48) 1G ports

J9452A HP ProCurve 6600-48G-4XG Switch(48) 1G ports and (4) 10G ports

ProCurve ONE Services zl Module

Striking a Balance19

Core

Data Center

Edge

Branch

SKU: J9289A Intel T7500 Core 2 Duo, 4G Main Memory, 4G

Flash, 250GB 7200RPM SATA HDD 2 x 10G Ethernet connections to backplane Warranty: Industry-Leading Lifetime, HDD

exception: Five years*

Supported in zl series chassis 5400zl for edge and branch (4U/7U) 8200 with high availability for core and

distribution (9U)

ProCurve ONE Alliance Partners (1/26/09)

Striking a Balance20

21

Services Modules

J9289A HP ProCurve ONE Services zl Module

J9155A- HP ProCurve TMS zl Module

J9370A - HP ProCurve MSM765zl Mobility Controller

J9371A - HP ProCurve MSM760/765 40 AP License

9 HP PCM 3.0 Overview HP PCM 3.0 Enhancements New Architecture (10 Agents) Enhanced Custom Group Management Granular User Profiles Support For Cisco Devices

PCM 3.0 Licensing Plug-in Applications for PCM 3.0

PCM 3.0 Use Models Upgrade PCM 2.3 to PCM 3.0 Maintenance and Troubleshooting

HP ProCurve Manager 3.0 (HP PCM 3.0) Overview

c-Class BladeSystem Interconnect Types Pass-thru module

For scenarios where one-to-one server to network connections are required

Equivalent to a patch panel Virtual Connect module

Simplest, and most flexible connectivity to a network

Appears as a L2 bridge to the network Ethernet switch

Interconnect aggregation and cable reduction using a managed switch

Provides typical L2 switching feature set and may offer L3 routing capabilities

6120G/XG Hardware Overview:Front Panel

Module locator LED Blueselected

Module status LED Greennormal,

Amberfault

2x 1GbE SFP ports Copper, and SX and

LX optics

Console port Type A

mini-USB

Clear button

4x 10/100/1000 RJ-45 ports

For 10GbE & 1GbE ports:Link status LED Greenconnected,

AmberfaultLink activity LED Green flashingactivity

Link status LED Greenconnected, AmberfaultLink activity LED Green flashing10/100 activity Amber flashing1000 activity

Midplane 16x 1GbE internal ports for server/storage blade access 1x 10GbE internal port for switch-to-switch access

1x 10GbE CX4 port CX4 cable

Resetbutton(recessed)

2x 10GbE XFP ports DAC, SR and LR optics

6120XG Hardware Overview:Front Panel

Module locator LED Blueselected

Module status LED Greennormal,

Amberfault

5x 10GbE SFP+ ports DAC, and SR, LR,

and LRM optics

1x 10GbE CX4 port CX4 cable

Midplane 16x 10GbE internal ports for server/storage blade access 2x 10GbE internal port for switch-to-switch access

2x 10GbE SFP+ ports DAC, and SR, LR,

and LRM optics

individually shared ports

(23, 24)

2x 10GbE internalS2S ports

shared port(17)

-- or --

Console port Type A

mini-USB

Clear button

1x 10GbE SFP+ port DAC, and SR, LR,

and LRM optics

-- or --

Resetbutton

dedicated ports (18, 19, 20, 21, 22)

10GbE SFP+ ports also support use of 1GbE SFP (SX, LX, Gig-T) transceivers

Blade Switch Comparisons

L2, IPv6 host, 32K MAC , 256 VLANs

L2 (upgradeable to L3 & IPv6), 8K MAC, 1K VLANs

L2+, 8K MAC, 1K VLANs

L2, L3, VRRP, 16K MAC , 1K VLANs

L2, IPv6 host, 16K MAC , 256 VLANs

Forwarding/ Routing

4 SFP or2 X2NoneNone

1 CX42 XFP

1 SFP+/CX45 SFP+2 SFP+/S2S

1 CX42 XFP

External 10GbE ports

512 MB RAM640 MB flash

None 1

ProCurve 6120XG

1 year

No

QoS and 802.1p

1K groups

ACLs, SSH, RADIUS & TACACS+ auth

HTTPSSNMPv3


4 RJ-45

HP 1:10Gb Ethernet BL-c

1 year

No

Extensive, highly granular with rate limiting & traffic shaping

1K groups

ACLs, 802.1X, Web, MAC auth

SNMPv3

128 MB RAM32 MB Flash

4 SFP/RJ-45 4 RJ-45

Cisco 3020

1 year

Stackwise

Extensive, highly granular with rate limiting & traffic shaping

1K groups

ACLs, 802.1X, Web, MAC auth

SNMPv3


4 SFP/RJ-45 4 RJ-45

Cisco 3120G

4 RJ-45

Cisco 3120X

Ingress, L3/L4 prioritizationRate Limiting/ QoS

NoStacking

Warranty

IGMP Multicast

Access Security

Management

Memory

External 1GbE ports

a

LLDP-MEDSNMPv3


ProCurve 6120G/XG

2 SFP4 RJ-45

802.1X, Web, MAC auth

256 groups

Lifetime

1 1GbE SFP optics (SX and LX) and Gig-T transceivers can be installed in any of the external 10GbE ports.

Software FeaturesGeneral Networking Features IEEE 802.1D MAC Bridges IEEE 802.1p Priority IEEE 802.1Q VLANs IEEE 802.1v VLAN classification by Protocol

and Port QOS (COS, TOS, DSCP) IEEE 802.1D RSTP (formerly 802.1w) IEEE 802.1Q MSTP (formerly 802.1s) BPDU Protection and STP root guard IEEE 802.3ad LACP IEEE 802.3x Flow Control RFC 792 ICMP Broadcast Throttling RFC 951 BOOTP and RFC 1542 Extensions RFC 2030 SNTP RFC 2131 DHCP Information Option with DHCP

Protection TFTP, SFTP, FTP Uni-Directional Link Detection IPv6 Host ICMP Rate-limiting

IP Multicast IGMPv1, v2 & v3 (Data Driven)

Device Management CLI Access Using Console, Telnet, or SSH HTTP and HTTPS Web Management Access SSHv1/SSHv2 Management Access HP Onboard Administrator Integration OOBM (with DHCP client default) Authorized Managers List

Security Concurrent Port-Based 802.1X, Web and MAC

Authentication RADIUS & TACACS+ Port Security MAC Address Lockout

Monitor and Diagnostics Port Mirroring RMON v1/v2

Network Management LLDP-MED Syslog Protocol SNMPv1/v2c/v3

453154-B21HP 1Gb RJ-45 SFP Option Kit443756-B21HP XFP 850nm SR Module

487649-B21 HP 10GbE SFP+ .5m Direct Attach Cable

537963-B21 HP 10GbE SFP+ 5m Direct Attach Cable

455886-B21 HP SFP+ LR Transceiver455889-B21 HP SFP+ LRM Transceiver


455883-B21 HP SFP+ SR Transceiver

453151-B21HP 1Gb SX SFP Option Kit

443757-B21HP XFP 1310nm LR Module


498358-B21HP ProCurve 6120G/XG Blade Switch


516733-B21HP ProCurve 6120XG Blade Switch

Description Part No.

Parts Information

Two blade switchesTwo blade switches

HP ISS partsHP ISS parts

Parts Information (cont.)

J9285A/BHP ProCurve 10-GbE SFP+ 7m Direct Attach CableJ9300AHP ProCurve 10-GbE XFP-SFP+ 1m Direct Attach CableJ9301AHP ProCurve 10-GbE XFP-SFP+ 3m Direct Attach CableJ9302AHP ProCurve 10-GbE XFP-SFP+ 5m Direct Attach Cable

J9151AHP ProCurve SFP+ LR TransceiverJ9152AHP ProCurve SFP+ LRM TransceiverJ9281A/BHP ProCurve 10-GbE SFP+ 1m Direct Attach Cable

J9150AHP ProCurve SFP+ SR Transceiver

J9283A/BHP ProCurve 10-GbE SFP+ 3m Direct Attach Cable

Description Part No.

Only version B DACs can be purchased going forward

Only version B DACs can be purchased going forward

XFP connector on one end, SFP+ connector on the otherApplicable to 6120G/XG

XFP connector on one end, SFP+ connector on the otherApplicable to 6120G/XG


Cable Infrastructure

Cable specifications for full-duplex Ethernet

Maximum distance

1000Base-SX Multimode (62.5 micron) 275 meters

1000Base-SX Multimode (50 micron) 500 meters

1000Base-LX

100/1000Base-T

Single-mode (9 micron)

Category 5e UTP

10 kilometers

100 meters

1000Base-LX ** Multimode (62.5 or 50 micron) 550 meters

Interface type Cable supported

100-BX 10 kilometersSingle-mode (9 micron)

1000-BX Single-mode (9 micron) 10 kilometers

Cable specifications for full-duplex Ethernet

Interface type Cable supported Maximum distance

10G-CX4 4X Twinax (Infiniband-style) 15 meters

10GBASE-ER 40 kilometersSingle-mode (9 micron)

10GBASE-LR 10 kilometersSingle-mode (9 micron)

10GBASE-SR 2-33 metersMultimode (62.5 micron)

10GBASE-LRM 220 metersMultimode (62.5 micron)

http://www.hp.com/rnd/support/faqs/10-GbE-trans.htm

10GBASE-SR 300 meters Multimode (50 micron/2000 Mhz)

Connector Types

HP ProCurve Mini GBIC / TransceiversJ4858C 1000Base-SX port Type 1000Base-SX Connector: LC maximum distance 220 meters

J4859C 1000Base-LX port Type 1000Base-LX Connector: LC maximum distance 10 km

J4860C 1000Base-LH port Type 1000Base-LH Connector: LC maximum distance 70 km

J8177B 1000BT SPF;Connector RJ45 100 meters

J9054B 100FX SPF;Connector RJ45 100 meters

J9142B 1000-BX-D SFP-LCConnector: LC maximum distance 10 km

J9143B 1000-BX-U SFP-LCConnector: LC maximum distance 10 km

J9099B 100-BX-D SFP-LCConnector: LC maximum distance 10 km

J9100B 100-BX-U SFP-LCConnector: LC maximum distance 10 km

Xenpak X2 GBIC mGBIC(or SFP+)

Transceiver Packaging Comparison

PNB doesnt support

GBICs in any of our

products

9300 3400cl & 6400cl

10Gig only 10Gig only Gigabit only Gigabit/10 GbE

SFP+ 10G Technology Next gen technology enables lower cost per

10G port Supports Direct Attach Cable (DAC) for very low cost

over short ranges

Smaller form factor than X2 or XFP Provides higher port density Same form factor as Gig SFP

Provides thermal benefits leading to power savings

SFP+ consumes 1W per port X2 consumes 4W per port

Supports 10G SR, LR, LRM

36

37

SFP+ A new form-factor (size & shape) for 10-Gigabit modular transceivers

Same size & shape as a "mini-GBIC" (SFP)

Supports three existing 10-Gigabit technologies: SR, LRM, LR

HP ProCurve Switch Accessories

10G SFP+ Transceivers

Product #

Description US List

J9150A ProCurve 10-GbE SFP+ SR Transceiver

J9151A ProCurve 10-GbE SFP+ LR Transceiver

J9152A ProCurve 10-GbE SFP+ LRM Transceiver

38

What is a Direct Attach cable? A one-piece unit consisting of an SFP+ form-factor transceiver at each

end with permanently-attached cabling between Delivers the 10-Gigabit signal from end to end Initial length offerings:

1m, 3m, 7m

HP ProCurve Switch Accessories

10G SFP+ Direct Attach Cables

Product #

Description US List

J9281B ProCurve 10-GbE SFP+ 1m Direct Attach Cable



9802.3af ieee standard (48 volts , 15.4 watts)9Existing cable plant (Cat 3,5,5e,6)9Either data pairs or non data pairs (1/2 & 3/6) & (4/5

& 7/8)915.4 watts maximum at end-span device9Phones draws from 3 watts and higher9PoE+ for PTZ cameras, 802.11n (Future PC battery)9End-span refers to an Ethernet switch with embedded

Power 9Mid-span devices are placed between legacy switches

and the powered devices. 9Centralized Power

Power over Ethernet (PoE)

Why Support PoE+? Advantages of PoE+ over PoE: Increases maximum power to PDs Dynamic and granular power negotiation

Enables support for additional devices: 802.11n access points Video IP phones Thin clients Pan-Tilt-Zoom cameras

Backwards compatible with PoE

PoE+ Specifications PoE+ (IEEE 802.3at) sets new specifications for: 1. Wattage

Maximum delivered to PD increased to 24W Maximum at switch port increased to 30W

2. Voltage levels Minimum increased to 50V

3. Current Maximum increased to 600mA

4. Cabling Supports only Cat5E and newer

Typical VoIP Infrastructure

PSTN

Mitel 3300IP PBX

Typical VoIP InfrastructureTwo port switch built into phone

Single UTP cable to phone

PC/Workstation connected to phone

Two VLANs to phone ( VoIP tagged, Data untagged)

Voice VLAN tagged with 802.1p priority set

The interface-connector-cable combination can have a significant impact on the performance of the network. Be careful and note that a particular type of connector does not ensure a particular type of cable.

An LC could be connecting either multimode or single mode. The mini-GBICs look the same. Read the label!

Tricks & Tips


Auto MDIX

HP / IEEE Auto MDIX Automatically adjusts for straight-through or

crossover cables on all 10/100 and 10/100/1000 ports

1000T (Cross-Over)

100T (Straight-Thru)

Tricks & Tips It may be necessary in some environments to disable auto MDIX.

Auto MDIX Manual Mode:

interface < port-list > mdix-mode < automdix | mdi | mdix>

The options include auto-MDIX (the default), MDI, and MDI-X. Benefits: Minimizes auto-MDIX

capability when connecting switch to switch links.


Auto Negotiation

Ethernet Transmission modesHalf Duplex: Data transmission over a Ethernet link capable of

transmitting in either direction, but not simultaneously. For Ethernet, the CSMA/CD method is a half duplex protocol. If it receives traffic while transmitting, it reports a collision

Full Duplex: Data transmission over a circuit capable of

transmitting in both directions simultaneously.

Auto Negotiation The auto-negotiation mechanism allows the two interfaces

on a link to select the best common mode automatically, the moment a cable is plugged in.

The problem is that it looks great on paper, but it doesn't always work as intended. Although the final Fast Ethernet standard did contain a section on auto-negotiating, that section was one of the last things put into the standard and many vendors had already implemented their own auto-sensing systems and deployed them before the standard was ratified.

If this wasn't bad enough, there is no standard for detecting modes at 10Mb.

Ethernet Errors In a shared environment, collisions may result in: Giants due to the concatenation of frames that were

transmitted at the same time Runts due to the fragmentation of frames that were

transmitted at the same time In a fully switched environment: Collisions indicate a mode mismatch, i.e. half- vs. full-

duplex CRC errors Detected when the value in the appended 4-byte Frame

Check Sequence does not match the CRC calculated by the receiving station

May be present in either shared or switched environment

Tricks & TipsSet system wide network resources to the maximum fix speed and duplex mode.

Speed and duplex command:

interface < port-list > speed-duplex 100-full

Benefits: Minimizes auto-negotiation

capability when connecting switch to servers links.

Interface Status

show interface brief

Tricks & Tips Speed and duplex command:interface < port-list > speed-duplex auto 100

Benefits: Minimizes auto-negotiation

capability when connecting switch to servers links.


Virtual LANs

Interconnecting IP networks (LAN)

Every host in an IP network has a unique IP address

In this example, hosts in the same wiring closet are in the same Broadcast domain IP network

Traffic between hosts in the same IP network is forwarded by switches using destination Layer 2 (MAC) address

Traffic between hosts in different IP networks is forwarded by the router using destination Layer 3 (IP) address

IP Network 1 IP Network 2 IP Network 3

Router: connection point for wiring closets

Interconnecting networks (VLANs)

Every host in an IP network has a unique IP address

In this example, hosts in the same wiring closet are in different VLANs Broadcast domain IP network

Traffic between hosts in the same IP VLAN is forwarded by switches using destination Layer 2 (MAC) address

Traffic between hosts in different IP networks is forwarded by the switch using destination Layer 3 (IP) address

All Networks All Networks All Networks

Router: connection point for wiring closets

Layer 3 Switch: connection point for wiring closets

VLAN = broadcast domain = IP network address = IP Subnet

VLAN ID assignments

Users should be arranged into VLANs (and thus IP address ranges) based on:

Internal Departments; Engineering, Administration Accounting Resource Requirements

Should have access to all of the hosts in the suite Should have access to the Internet, email hosting, and remote

backup depending on whether they have subscribed to those services

Should not have access to resources in other tenants suites End user customers for ISPs

VLAN ID assignmentsA network should have a minimum of 3 VLANs:

A Server VLANNetwork Management VLANUser/Data VLAN


Network Design Methodology

Steps for design and deploymentRegardless of the size of the project, the basic steps in the design process are:

Assess customer needs and requirementsDevelop and propose a solution

Logical Physical

Implement and document the solution

Assessing customer needsIn assessing the needs of the network, plan for the following requirements:Port types and quantitiesCabling to support specified ports Amount and type of data anticipatedUser resource needs

Anticipate growth in the enterprise and its networkExamine existing network infrastructureCan the requirements be met within customers budget?

Plan for port types and quantitiesTo determine the number and type of switches, consider:Number of edge ports

One user per port Often determined by existing cabling

Number of wiring closets Using modular edge switches can minimize the total number of

switches (7 slots x 24 ports = 168 edge ports) Stackable switches support up to 48 edge ports

Distribution and/or core switches Number of edge switch uplinks may determine whether all edge

switches will terminate at a common core switch or be aggregatedat intermediate level distribution switches

Plan for cabling to support specified bandwidth requirementsUse existing cabling whenever possible Distances between edge ports and cubicles must be 100 meters or

less for 100TX/1000T Category 5 or better for 100Base-TX Category 5e or better for 1000Base-T

For existing copper cabling with runs longer than 100 meters, the choices are: Statically configure interface level speed-duplex parameter to auto-10 to

assure reliable connections Install new cabling (may be cost-prohibitive for some customers)

Use fiber for switch-to-switch distances greater than 100 meters 1000Base-LX, 1000Base-SX, 1000Base-LH 100Base-FX

Plan for amount and type of traffic Determine characteristics of the traffic to be carried over links between switches: Location of high traffic hosts and anticipated volume

Servers Applications that generate high volume

Applications requiring prioritization Voice Video

Multicast support Distance learning Meetings

Traffic requirements can indicate a need for higher speed edge ports and/or higher capacity uplinks

Understand user resource requirementsDetermine resources to be made available to users and whether availability of those resources is critical

Identify users with common resource requirements This information may be used to defined VLAN boundaries

Identify resources whose availability is critical Provide redundant links and/or redundant switches Balance high availability needs with customers budget constraints

Addressing and ProtocolsPrivate address range versus Public (NAT)Version IP4 versus IP6Protocols IP, IPX, Appletalk, SNA, DecnetDo protocols need to be routableRouting protocols RIPv1, RIPv2, OSPF, BGP or

proprietary Define VLAN's

By Protocol By security compartment Physical location

Hierarchical Address Scheme

10.50.0-254.0

10.40.0-254.0

10.30.0-254.0

10.20.0-254.0

10.10.0-254.0

10.0.0-254.0

VLAN (3rd Octet)

0A32xx

0A28xx

0A1Exx

0A14xx

0A0Axx

0A00xx

IPX Address

10.50.0.0

10.40.0.0

10.30.0.0

10.20.0.0

10.10.0.0

10.0.0.0

Site (2nd Octet)

Campus 4

Campus 3

Campus 2

Campus 1

District Office

Wide Area Network (WAN)

Network 10.0.0.0

13Reserved for Networking Devices

8-20

170Primary DHCP Range51-220

30Static addresses for hosts and printers

21-50

35Backup DHCP Range221-255

Firewall

Router Interfaces

VRRP Secondary

VRRP Primary

Reserved

Meaning/Usage

1

4

1

1

0

# of devices

7

3-6

2

1

0

Decimal Value Range

Each 256 Host Subnet will be broken down into sub categories as follows:

This breakdown of the address space allows for a maximum of 170 DHCP addressable devices and 30 servers/printers per subnet or VLAN.

Security Physical Access Network Access (802.1x) Server Access Network Management passwords Firewalls, ACLs Internet, DMZ Wireless

Develop and propose a solutionBased on the information gathered during the assessment phase:Diagram the physical connectivity

Switches, including any modular accessories Port counts, types, and speeds

Produce a list of required equipment

Implement and document the solutionBased on the information you gathered in the assessment phase, create configurations

Create passwords to prevent unauthorized accessCreate VLANs specified in the design Enable high availability features where specified by the

design Create any prioritization policiesEnable remote management if required

Create VLANs and port membersCreate VLANsAssign access ports as untagged members of the

appropriate VLAN for hosts with non-Q-compliant network adapters

Define tagged VLAN membership for switch-to-switch links as necessary

Enable high-availability featuresEnable high-availability features as specified by the

designAll versions of Spanning Tree interoperate

with HP Switch MeshingRouter Redundancy (XRRP,VRRP, HSRP)Server Teaming

Your design may require more than onehigh-availability feature

Be sure to include switch-to-switch links as tagged members of all VLANs whose traffic might be carried in the event of link failure

Enable prioritizationFor hosts that require the edge switch to set and mark

priority, define the policies or port level priorities that willaccomplish the goals of the design

For Q-compatible hosts that are capable of setting priorities on their own behalf: Set policies that override illegitimate 802.1p priority settings Avoid setting user-defined policies that override legitimate 802.1p

priority settings

Links that will carry prioritized traffic must be tagged members of relevant VLANs or the tags will be stripped, eliminating end-to-end prioritization

Hierarchical network designthe Internet

Core Layer(no end stations connect here L2)

Distribution Layer

(interconnects edge switches L3)

Access Layer(edge switches -all end stations

connect here L2)

Hierarchical network designthe Internet

Core / Distribution Layer

Access Layer(edge switches -all end stations connect here)

Design Terminology

Access Layer: Sometimes referred to as the edge. It is the bottom layer of a

hierarchical model, it provides users with network access. Usually layer 2 connectivity (non routed)

Distribution Layer: Middle layer of a hierarchical model. The distribution layer interconnects

the core and access layers. This is where routing is performed.Usually layer 3 with filtering.

Core Layer: The top layer of a hierarchical model. Traditionally passes packets to

the distribution layer only. Usually layer 2 for performance.

Requires addtional layer 3 switches/routers

More advanced feature sets

Not suitable for large number of distribution uplinks to core.

Lowest cost per port

Cost

More complex. Requires routing switches per distribution layer

Better distributed traffic control via.

Centralized control. Traffic bottlenecks

Less Complex (Single pair of routing switches)

Network Complexity

Isolates L2 issues within the each distribution layer

L2 issues can affect the core

Layer 2 Problem Isolation

DisadvantageAdvantageDisadvantageAdvantage

3 Tier Architecture2 Tier Architecture


Spanning Tree Protocol (STP)

Spanning Tree Protocol

The Spanning Tree Protocol automatically detects loops in the network topology and blocks the links that lead to less desirable paths.

Three Versions IEEE 802.1d (Original STP) IEEE 802.1w (Rapid STP) IEEE 802.1s (Multi instance STP)

Spanning Tree Protocol Defaults

STP is NOT enabled by default.

Rapid STP is the default version when enabled spanning-tree

Multi-instance STP is the default version for newer ProCurve switches.

Spanning Tree Protocol

Spanning Tree is a standard method for enabling automatic network redundancy and high availability at layer 2. Used in multivendorenvironments

STP Step 1: Block ports

The first step in defining a loop-free topology is to place all normal STP ports into Blocking state

This prevents user traffic from being forwarded until loops are resolved

Fast ports transition to Forwarding immediately (RSTP)

BB

BB B B

BBB

B

BBBB

Switch_A Switch_B

Forwarding due to Fast mode



Every STP switch generates BPDUs and sends them through all ports BPDUs are updated and forwarded by all switches through all ports

Within about 30 seconds, one of the switches becomes the Root of the Spanning Tree

Only the Root continues sending BPDUs Other switches continue to update and forward BPDUs

STP Step 2: Generate BPDUsand elect Root switch

BB

BB B B

BBB

B

BBBB

Forwarding

Root

Forwarding Forwarding

STP Step 3: Calculate path costs to Root

In this network, each link has a cost of 5

As each switch updates the BPDUs, the result is a cumulative path cost to the root

This enables each switch to determine which of its ports leads to the lowest cost path to the root

10

Forwarding

Root


1055 5

510

10 10

10

Every port on the Root Bridge transitions to the Forwarding state The root port on each switch transitions to the Forwarding state For each backup link, the designated port transitions to

the Forwarding state The port on the other side of the backup link remains in the Blocking

state

STP Step 4: Change some port statesto Forwarding


Forwarding

Root

Root port

Root port

BB FFF B

FF F F

F

FFFRoot port

Root port

Designated ports

Spanning Tree Edge Ports Enable admin-edge on ports connected to end

nodes. During spanning tree establishment, ports with admin-edge enabled transition immediately to the forwarding state. Disable this feature on any switch port that is connected to another switch, bridge, or hub.

spanning-tree < port-list > admin-edge-port

Adapting to changes in port state

When a link fails, the constant nature of the hello messages causes another port to become the root port

If the Root switch fails, all of the switches will block their ports until another switch is established as the Root and the appropriate ports transition to Forwarding state


Forwarding

Failed linkB F

F B

FF F F

F

FFRoot port

Root port

Root portF

Root port

Switch_B

Switch_ESwitch_D

Switch_C

Switch_ARoot

Not configuring the Root bridge may not give you the desired effect Higher speed links can be blocked in favor of a lower path cost to the Root Bridge

STP Root Bridge Selection



Forwarding

Linksys (WET54GS5)5 port switch (802.1d)

00045A The Linksys Group

000625 The Linksys Group

000a57 Hewlett Packard

000d9d Hewlett Packard

000e7f Hewlett Packard

Mode l WAP11

Instant Wireless SeriesNetwork Access Point

Power

LI NKACTInstant WirelessT M

1515 15 15 10

10

2020

10 2015 15

20 10

STP Root Bridge Selection

If Bridge Priority is not administratively-defined, which of these switches will become the Root Bridge?

All things being equal the switch with the lowest MAC address becomes the Root Bridge.



Forwarding

Linksys (WET54GS5)5 port switch (802.1d)

00045A The Linksys Group

000625 The Linksys Group

000a57 Hewlett Packard

000d9d Hewlett Packard

000e7f Hewlett Packard

Model WAP11


Power

LI NKACTInstant WirelessTM

FB F B F

F

FF

F FB F

F F

Root

Root port

Connecting devices in default mode with STP enabled can change network paths

End to end connect path may not be best path to the network resource Mis-configure Root Bridge can cause network performance issue

STP Root Bridge

User

Server

Root

Model WAP11


Power

LI NKACTInstant WirelessTM

STP Root Bridge

DEMO

Root Bridge

Rapid Spanning Tree

HP 5406_#1IP= 10.10.1.1

HP DL360Server Teaming

(TLB)IP= 10.10.50.10

HP 5406_#2IP= 10.10.1.2

HP 2650IP= 10.10.1.3

VRRPVLAN 1= 10.10.1.1VLAN 2 = 10.10.2.1VLAN 3 =10.10.3.1VLAN 4 =10.10.4.1VLAN 5 =10.10.5.1VLAN 6 =10.10.6.1VLAN 7 =10.10.7.1VLAN 8 =10.10.8.1VLAN 9 =10.10.9.1VLAN 10=10.10.10.1VLAN 50=10.10.50.1


Port B24

HP nc6000VLAN 5

IP= 10.10.5.100DG= 10.10.5.1

Port 49 Port 50

Port A1 Port A1

Port 2 Port 1

F4

Port 1

Port B24

1000LX (Mode conditioning patch cord)

1000SX (Multimode patch cord)

10 Gigabit

STP and RSTP IEEE 802.1D STP and IEEE

802.1w RSTP address loop protection for link redundancy in networks regardless of the use of VLANs

Links can be left unused since all VLANs must use the same physical topology

STP and RSTP

rootbridge

VLAN 1VLAN 11

VLAN 12

Original STP:IEEE 802.1D-1998

Rapid STP (RSTP): IEEE 802.1w-2001

Change to link cost and bridge priority values:IEEE 802.1t-2001

IEEE 802.1D-2006

VLAN 1VLAN 11

VLAN 12

VLAN 1VLAN 11

VLAN 12

3

Multi-Instance Spanning Tree ProtocolMSTP (802.1s)

Multi-Instance Spanning Tree is an multiple instances of STP. Redundant links carry different VLANs. Used in multivendorenvironments

Odd VLANs

Even VLANs

PVST supports a spanning tree instance for each configured VLAN Yields a 1-to-1 mapping of VLANs

to STP instances and therefore separate processes

VLAN-specific BPDUs are used for each VLAN

Uses ISL trunking and allows a VLAN trunk to be forwarding for some VLANs while blocking others

PVST+ provides the same functionality as PVST, but supports 802.1Q trunking

Rapid-PVST+ incorporates convergence time improvements similar in concept to RSTP

Cisco PVST+ and Rapid-PVST+

root forVLAN 1

VLAN 1VLAN 11

VLAN 12

VLAN 1VLAN 11

VLAN 12

VLAN 1VLAN 11

VLAN 12

root forVLAN 11

root forVLAN 12

6

Comparing PVST+ and MSTP In response to a need to allow

standards compliant 802.1D/w/Q switches to have multiple logical paths for redundancy, IEEE 802.1s MSTP was developed

802.1s enhanced 802.1Q by allowing groups of VLANs to be assigned to different spanning trees Instances may be chosen to match

number of possible logical paths through the layer 2 network

Often, only a few instances are required instead of 1-to-1 ratio of VLANs to instances with PVST+

PVST+

root forVLAN 1

VLAN 1VLAN 11

VLAN 12

VLAN 1VLAN 11

VLAN 12

VLAN 1VLAN 11

VLAN 12

root forVLAN 11

root forVLAN 12

MSTPVLANs

1,12

VLAN11

root MSTI 2

root MSTI 1

VLANs 1,12

VLAN11

VLANs 1,12 VLAN

11

7

CiscoProCurve Scenario 1: Rapid-PVST+

Pro: Simple and you can still use PVST+ or Rapid-PVST+ for the backbone

Con: There is no load balancing

blocked port

Configured for STP, RSTP, or MSTP

root for VLANs 1, 11, 12, 13

backup root forVLANs 1, 11, 12, 13

Cisco environment running PVST+ or Rapid-PVST+

CiscoSwitch_A

CiscoSwitch_B

ProCurveSwitch_C

10

CiscoProCurve Scenario 2: MSTP (802.1s)

Pro: VLAN load balancing Con: More configuration required

Configured for MSTP

root for VLANs 1, 11, 12, 13

backup root forVLANs 1, 11, 12, 13

Cisco environment running MSTP (IEEE 802.1s)

CiscoSwitch_A

CiscoSwitch_B

ProCurveSwitch_C

10

Spanning Tree Problems Unstable Spanning-Tree operation can be caused by factors and

conditions that include: Uni-directional links Rogue devices talking STP Continuous STP topology changes due to flapping ports or end-user

ports not set to edge mode (portfast) Loops not detected by STP

70

Blocked gigabit link

root bridgeRogue switch

Spanning Tree Hardening Features

KeepaliveLoop Protection

Root-GuardRoot-Guard

Remote-Fault Notification (RFN) using Auto-negotiation

Remote-Fault Notification (RFN) using Auto-negotiation

Uni-directional Link Detection (UDLD)

Uni-directional Link Detection (UDLD)

BPDU Protection

ProCurve

BPDU-Guard

Cisco

72

RFN Operation

74

RFN is optional but enabled by default on 1000BaseX ports on Cisco and ProCurve switches when auto-negotiation is used. Always use auto-negotiation on 1000BaseX ports.

RFN operates

at Layer 1

RFN operates

at Layer 1

Switch_AMAC/RS

Switch_BMAC/RS

fiber break

TX idle or frames loss of signal

RX idle or frames TX idle or frames

Switch_AMAC/RS

Switch_BMAC/RS

fiber break


RX idle or frames TX remote fault

Switch_AMAC/RS

Switch_BMAC/RS

fiber break


RX remote fault

Switch_AMAC/RS

Switch_BMAC/RS

fiber break

TX idle loss of signal

TX remote fault

RX remote fault TX remote fault

UDLD Operation UDLD involves an exchange of protocol packets

between neighboring devicesBoth devices on the link must support UDLD and have it

enabled on the respective portshello I am switch A, port 1/1

Does not work since Cisco and ProCurve have different implementations

acknowledge hello

hello I am switch A, port a1

acknowledge hello

Cisco

ProCurve

ProCurve

76

UDLD operates

at Layer 2

UDLD operates

at Layer 2

Cisco

Cisco

ProCurve

UDLD Configuration Comparison UDLD performs tasks that auto-negotiation cannot perform,

such as detecting the identities of neighbors and shutting down misconnected ports

78

Global for all fiber portsSwitch(config)# udld aggressiveOr interface specificSwitch(config)# interface gig1/1Switch(config-if)# udld port aggressive

Interface specific:Switch(config)# interface a1 Switch(eth-a1)# link-keepalive

Recovery is done automatically

ProCurveUDLD

Recovery configured globally:Switch(config)# errdisable recovery udld interval 300

CiscoUDLD

BPDU Protection (security enhancement ) Spanning Tree Protocol operation is not protected

in any way from rogue STP devices or malicious attacks.

BPDU Protection is configurable on a per port basis and allows explicitly determine the legal boundary of STP domain.

BPDU Protection should be applied to the edge ports that are connected to the end user devices., which normally do not run STP.

BPDU Protection and BPDU-Guard Configuration Comparison These respective features should be enabled on end-user ports

STP BPDUs should not be allowed to be received on those ports If a BPDU is received, the port is put in an errdisable state (Cisco) or the port is

disabled (ProCurve)

79

Global for all fiber portsSwitch(config)# spanning-tree portfast bpduguard defaultOr interface specificSwitch(config)# interface gig1/1Switch(config-if)# spanning-tree bpduguard enable

Interface specific:Switch(config)# interface a1 Switch(eth-a1)# spanning-tree bpdu-protectionRecovery configured globally:Switch(config)# spanning-tree bpdu-protection-timeout 300

ProCurveBPDU Protection

Recovery configured globally:Switch(config)# errdisable recovery bpduguard interval 300

CiscoBPDU-Guard

Loop Protection Additional protection for networks from L2

forwarding loops.

An undetectable loop can be formed if an unmanaged device attached to the network consumes and does not forward Spanning Tree packets.

Tricks & Tips Loop protection operates by periodically sending out a special multicast packet. If the switch receives its own packet back then a loop has been detected and the receiving port will be disabled.

loop-protect

Cisco Keepalive Operation

ProCurveSwitch 408

Ciscoswitch

80

Will cause all frames including BPDUs to be looped back


Will cause all frames excluding BPDUs to be looped back even if STP is not supported on the switch


Cisco keepalive feature maydetect this condition and put the port in errdisable state (enabled by default)But, if BPDU-Guard is configured, it will detect it

Cisco keepalive feature maydetect this condition and put the port in errdisable state (enabled by default)But, if BPDU-Guard is configured, it will detect it

Cisco keepalive feature maydetect this condition and put the port in errdisable state (enabled by default)But, BPDU-Guard is not able to detect it

Cisco keepalive feature maydetect this condition and put the port in errdisable state (enabled by default)But, BPDU-Guard is not able to detect it

NetGear FS105

ProCurve Loop Protect Operation

ProCurveSwitch 408

ProCurveswitch

82





ProCurve Spanning Tree willdetect this condition and block the port if STP is enabled

ProCurve Spanning Tree willdetect this condition and block the port if STP is enabled

If enabled, the ProCurve Loop Protect feature will detect this condition and disable the port

If enabled, the ProCurve Loop Protect feature will detect this condition and disable the port

NetGear FS105

Spanning Tree Root Guard Configuration Comparison

85

Interface specific:Switch(config)# interface gig1/1Switch(config-if)# spanning-tree guard root

Interface specific:Switch(config)# spanning-tree a1 root-guard


ProCurveRoot Guard


CiscoRoot Guard

Tricks & TipsVersion of Spanning Tree needs to be enabled

spanning-tree (Default ?)

A root bridge should be configured

spanning-tree priority 1 or 0

Switch to switch links need to be configured for transitioning or learning (802.1w)

no spanning-tree admin-edge-port

Tricks & TipsCompatibility mode for 802.1d devices (Cisco)

no spanning-tree < port-list > mcheck

Spanning tree status and information

show spanning-tree

Edge-port Defaults

Disable edge-port on switch links no spanning-tree edge-port

Default6400


Default4200

CommandEdge-port disabled

Edge-port enabled

Switch

Enable edge-port on node ports spanning-tree edge-port

Default6200


Default5400


Default5300


Default3500


Default2900


Default2810


Default2800


Default2600


Default2510


Default2500

Tricks & Tips BPDU Protection should be enabled on ALL edge ports to determine the legal boundary of STP domain.

spanning-tree bpdu-protection

Spanning tree traps

spanning-tree traps errant-bpdu

BPDU Filter BPDU Filter Passively preventing the switch from

receiving and transmitting BPDU frames on a specific port. Locks the port into STP forwarding state

Used to interconnect STP domains

Example: LAN Extension service

Tricks & Tips BPDU Filter should be enabled on edge ports to lock the port into STP forwarding state.

spanning-tree bpdu-filter

Spanning Tree Configure root bridgeSpanning-tree priority 0

Edge Features (End Device)Admin-edge-port Loop-protectBpdu-protection

Separate STP DomainsBpdu-filter

CORE-A CORE-B

DATA & MGMT VOIP

DATA & MGMT VOIP

Internet

Spanning Tree Protocol Summary

Version mismatches (Cisco versus ieee)

Root bridge

Requires Planning, Design and Implementation

Define STP edge ports (admin-edge or auto-edge)

Define STP boundary (BPDU protection)

Identify ports for STP filtering (LAN extension) Self Pace Training

http://www.procurve.com/training/training/technical/npi/MSTP.htm


Link Aggregation or Trunking

Link aggregation Link aggregation

Increasing capacity between switches and Servers

Load sharing Static vs. dynamic

Challenge: Increasing switch link capacity

Six 1000Base-T full-duplex servers((6 x 1000Mb) x 2)

Six 1000Base-T full-duplex servers((6 x 1000Mb) x 2)

full-duplex gigabit fiber links

The full-duplex gigabit link provisioned between each 2600 switch and the5304xl core switch carries traffic to and from six full-duplex gigabit servers

To increase the capacity of the connection between the core and the 2600 switches, a second link may be aggregated with the existing link

Terminology (Trunking) HP, Foundry, 3ComTrunking = Link aggregation= LACP

CiscoTrunking = Vlan trunking = VLAN tagging (ISL,802.1q)

NortelTrunking = TDM voiceTrunking = Split Multi-link trunking

Requirements for link aggregationLink aggregation is also known as port trunkingin HP ProCurve documentation Requirements for port trunking:HP ProCurve 2500, 2600, 2800, and 4100gl series, and

6108 switches allow up to eight links to be aggregatedThe links in a port trunk must:

Be coterminous, i.e., they must begin togetherand end together

Support the same mode and flow control options

Link Aggregation MethodsHP Port Trunking Does not use a protocol to set up the trunk Port trunking is compatible with other trunking methods because it is

statically defined

Fast EtherChannel (FEC) ** No longer Supported FEC is a Cisco standard with widespread compatibility with other

switches and multiple-adapter servers

Link Aggregation Control Protocol (LACP) LACP is defined by IEEE standard 802.3ad Both sides may be statically defined; however, LACP also supports a

dynamic method for recognizing aggregated links

All three methods use both source and destination addresses for load sharing

HP ProCurve Supported Trucks

4 trunks4 ports per trunk6400


# of trunksSwitch Families








6 trunks 4 ports per trunk2600

2 trunks4 port trunk2510

1 trunk4 port trunk2500

Interoperability FEC, LACP, and HP Trunk

LACP

Foundry

LACPLACPLACPLACP or HP Trunk

ProCurve(LACP,HP Trunk)

ProCurve 3comNortelCisco

Tricks & Tips

Configure trunks before connecting cables:

trunk 25-26 trk1

Unless dynamic LACP is utilized, disabled LACP on all interfaces:

interface < port-list > no lacp

Ensure server trunks (teaming) are coterminous and switch ports are configured correctly. Intel BroadcomAIXHP

Link Aggregation

DEMO


HP Switch Meshing

HP Switch Meshing

HP Switch Meshing is another option for providing Layer 2 redundancy. Switch meshing is a load-balancing technology that enhances reliability and performance

HP Switch Meshing

Switch Meshing is an HP proprietary method for enabling automatic network redundancy and high availability at layer 2. Used in HPProCurve environments

Terminology (Switch Meshing) A group of meshed switch ports exchanging

meshing protocol packets is called a switch mesh domain

A switch mesh domain can contain up to 12 switches. Each switch can have up to 24 meshed ports

An edge switch has some mesh ports and some non-meshed ports. Switches 1-5 are edge switches

HP Switch Meshing Switch meshing is a load-balancing technology that enhances reliability and

performance in these ways:

Provides significantly better bandwidth utilization than either Spanning Tree Protocol (STP) or standard port trunking.

Uses redundant links that remain open to carry traffic, removing any single point of failure for disabling the network, and allowing quick responses to individual link failures. This also helps to maximize investments in ports and cabling.

Unlike trunked ports, the ports in a switch mesh can be of different types and speeds. For example, a 10Base-FL port and a 1GB port can be

included in the same switch mesh.

Non-meshing switchconfigured with STP

Non-meshing switchconfigured with STP

Blocking State

6

Switch Meshing compatibility with STP and RSTP

1

4

2

3

To interoperate with non-meshing switches within the Layer 2 domain, enable STP or RSTP on meshed switches

The mesh appears to non-meshing switches STP/RSTP switches as a single switch

Port Trunk 5

Meshing and RSTP enabled on all switches

Conversation-based load balancingDetermining lowest cost pathWhen the mesh is fully initialized, each path through the

mesh is assigned a cost based on link speed, outbound and inbound queue depths, and packet drop counts

Costs are recalculated every 30 seconds At any given moment, one path is considered the lowest cost path

Forwarding decisionsFrames that are part of a new conversation are forwarded

over the current lowest cost path Frames that are part of an established conversation are

forwarded through the same port as the first frame in that conversation

HP Switch Meshing design guidelinesA mesh consists of up to 12 HP ProCurve series switches

A switch can have up to 24 meshed ports using any combination of media types and link speeds

Meshing and IP routing cannot simultaneously be enabled on the same switch

Meshing is enabled per port Enable only on ports that directly connect to other meshed ports

HP Switch Meshing supports full mesh and partial mesh topologies

Summary: HP Switch MeshingHP Switch Meshing can be used to improve availability

while increasing capacity within a Layer 2 switched network

HP Switch Meshing is similar to the Spanning Tree Protocol in that it allows designers to create topologies that contain redundant paths HP Switch Meshing deals with redundant links in a more intelligent

way than STP or RSTP Instead of placing redundant links in the Blocking state, switches

using HP Switch Meshing can use all available links to forward traffic

The operation of HP Switch Meshing is transparentto non-meshing devices

Switch Meshing Supported Families

62005400

35005300

6400

MeshingSwitch Families

8200

3400

Tricks & Tips When meshing is added to or removed from ports, switches must be rebooted

The Mesh is automatically made a tagged member of all user-defined VLANs on the switch, immediately enabling the included links to carry traffic for all VLANs

A meshed switch cannot perform IP forwarding between VLANs. Can not route and mesh simultaneously

Meshing

DEMO


Server Adapter Teaming

Server Adapter Teaming Multiple Adapters function as single Virtual Adapter (VA) Devices communicate with VA: can not tell multiple

physical adapters IEEE compliant for L2 and L3 identities Other network devices Must see single MAC and Protocol

(1 entry in ARP cache) When Team initializes Driver reads BIA (Burned In

Address or MAC) for each physical adapterPick one MAC as Primary AdapterARP replies Team provides for server is Primary Adapter MAC

Team Failover and MAC/IP Management

Failover: MAC of Primary (PA) and one Non-Primary (NPA)

swapped, Non-Primary becomes Primary Swap MACs: Results in Team always known by one

MAC/one Protocol (IP) When Team Transmits: PA transmits using teams MAC and

IP Non-Primaries: always transmit own MAC and Teams IP NFT and TLB: MAC address used to transmit always

different than PA SLB: Additional switch intelligence allows all Teamed

adapters use same Team MAC

Teaming Modes

Network Fault Tolerance (NFT)

Transmit Load Balancing (TLB)

Switch-assisted Load Balancing (SLB)

Distributed Distributed TrunkingTrunking (K.14.xx)(K.14.xx)

Network Fault Tolerance (NFT) Simple redundancy Two to eight ports in a fault-tolerant team One defined primary adapter (PA) Any speed, any media Team can be split across switches

Remaining adapters are Standby: Non-Primary Adapters

Remain idle unless PA failsAll adapters can transmit and receive heartbeats


User User

ServerPrimary Adapter

Backup Adapter


logical viewlogical view

NFT before failure

NFT after failure

s

w

i

t

c

h

s

w

i

t

c

h

NIC 1

NIC 2 not active / dead

NIC 1

NIC 2

not active / dead

transmit / receive data


Team Members

CAN be split across >1 switch for switch redundancy

MUST be in same broadcast domain (VLAN)

Connect ALL team members to the same VLAN

If Switch Redundancy Required: HP recommends redundant links

between Switches with Spanning Tree enabled

STP fastmode or RSTP

Transmit Load Balancing (TLB) Two to eight ports in a team as 1 Virtual Adapter A single common speed Team can be split across switches All NFT features plus TLB TCP/IP protocol only Previously called Adaptive Load Balancing (ALB)

Allows server to load balance transmitted traffic from serverReceived traffic NOT load balanced

Primary Adapter receives ALL traffic to server, also transmits

Non-Primary only transmit frames


User User

ServerPrimary Adapter

Backup Adapter


s

w

i

t

c

h

s

w

i

t

c

h

TLB before failure

TLB after failure

NIC 1

NIC 2

NIC 3


transmit data, onlytransmit data, only





NIC 1

NIC 2

NIC 3

Team Members

CAN be split across >1 switch for switch redundancy

MUST be in same broadcast domain (VLAN)

Connect ALL team members to the same VLAN

If Switch Redundancy Required: HP recommends redundant links

between Switches with Spanning Tree enabled

STP fastmode or RSTP

Switch Assisted Load Balancing (SLB)

All adapters transmit & receive at same speed

All ports must be connected to the SAME switchSwitch must be configured for SAME mode (LACP)!!!

Incorporates all features of NFT and TLB Adds load Balancing Receive Traffic 2-8 adapters act as single virtual adapter Load balances all traffic regardless of protocol

Compatible with HP ProCurve Port Trunking IEEE 802.3ad Link Aggregation Control Protocol (Static LACP) Cisco EtherChannel (Static Mode Only, No PAgP) Others (Extreme, Intel, Bay/Nortel, etc.)

SLB is NOT Server Load Balancing (works with Server Load Balancing)

All adapters in SLB Team equal

Server Teaming (SLB)

User User

Server

Switch Assisted Load Balancing (SLB)

Team Members

All adapters transmit & receive Adapters must support a

common speed Must be used with an intelligent

switch that supports this type of teaming

All ports must be part of the same switch trunk (LACP)

s

w

i

t

c

h

s

w

i

t

c

h

SLB before failure

SLB after failure

NIC 1

NIC 2

NIC 3




NIC 1

NIC 2

NIC 3




Distributed Trunking (Server to Switch)

User User

Server (LACP team)

DT Switch

K.14.xx

DT Switch

K.14.xx

Distributed Trunking (Server to Switch) Distributed Trunking is a link aggregation technique,

where two or more links across two switches are aggregated together to form a trunk.

This feature uses a new protocol DTIP to overcome this limitation and support link aggregation for the links spanning across the switches. DT provides node-level L2 resiliency in an L2 network, when one of the switches fails.

Distributed Trunking is included in switch software starting with version K.14. In this initial release, only Server-to-Switch Distributed Trunking is supported.

Distributed Trunking (Server to Switch)Limitations/Restrictions Meshing and Distributed trunking features are mutually exclusive Routing and Distributed trunking feature are mutually exclusive. IGMP and DHCP snooping, arp-protect, STP are not supported on DT trunks. QinQ in mixed VLAN mode and DT are mutually exclusive. ISC ports will be part of all VLANs i.e. it will become member of a VLAN once

that VLAN configured. ISC Port can be an individual port or manual LACP trunk but dynamic LACP

trunk cant be configured as ISC port. Maximum of 8 links in a DT trunk across two switches is supported with max of

4 links per DT switch. The current limitation of 60 manual trunks in a switch, will now include DT

manual trunks too Only one ISC (inter-switch connect) link is supported per switch for max of 60 DT

trunks supported in the switch Spanning Tree Protocol is disabled (PDUs are filtered) on DT ports.

Supported team types summary

3Caldera Open Server 5

3Caldera OpenUnix 8

333Linux333Novell NetWare 4-6333Windows 2003333Windows 2000

SLBTLBNFTOperating

system

Tricks & TipsEnable RSTP or STP with fastmode

Ensure SLB server trunks are coterminous and switch ports are configured correctly.

Mixing adapters with different hardware features in TLB and SLB teams lowest common

denominator of features every team member must

support the feature for it to be used

Using adapters with mixed speeds in TLB teams higher speed adapters may

be under utilized

Tricks & Tips Different Network Interfaces (NICs) manufactures use different terms.

IntelBroadcomAIX

HP 5406_#1IP= 10.10.1.1


(TLB)IP= 10.10.50.10

HP 5406_#2IP= 10.10.1.2

HP 2650IP= 10.10.1.3



Port B24

HP nc6000VLAN 5

IP= 10.10.5.100DG= 10.10.5.1

Port 49 Port 50

Port A1 Port A1

Port 2 Port 1

F4

Port 1

Port B24

P o we r

F a u lt

L o c a to r

E F

C D

A

ProCurve NetworkingHP Innovation

zlP roC urve24p G ig-Tzl M odule J8702A

P o E -In teg rated 10/100/1000B ase-T P o rts (1-24) - P o rts are IE E E A u to MD I/MD I-X

1 5

62

3

4

7 1 1

1 28

9

1 0

1 3 1 7

1 81 4

1 5

1 6

1 9 2 3

2 42 0

2 1

2 2 zlP roC urve24p G ig-Tzl M odule J8702A


1 5

62

3

4

7 1 1

1 28

9

1 0

1 3 1 7

1 81 4

1 5

1 6

1 9 2 3

2 42 0

2 1

2 2

C o n s o leR eset C lear

A u xiliary P o rt

P ro C u rv e S witc h 5 4 0 0 zlMa n a g e me n t Mo d u le

J 8 7 2 6 A

In tern alP o wer

P o EP wr

2

1

2

4

1

3

P oE

Temp

Fan

Flash

D IMM

Mgmt

C hasTestLE D ModeMo d u les

S tatu sA ct

FD x

S pd U sr

P oE

H

J

LK

I

G

F

D

B

E

C

A

P ro C u rv e

S w itc h 5 4 0 6 z lJ 8 6 9 9 A

P o EU s e

z l Mo d u le so n ly

B

P o we r

F a u lt

h p P r o C u r v e

Sw itc h 2 6 5 0 -p w rJ 8 1 6 5 A

U se only one (T or M) for Gigabit port

G ig -TP o rts

1 0 /1 0 0 B a se -T X P o rts a re H P A u to -MD I-X , Gig -T p o rts a re IE E E A u to MD I/MD I-X

P oE

P oE -R eady 10/100B ase-T X Ports (1-48)

M in i-G B IC

P o rts

MTMT

17

28

39

41 0

51 1

61 2

1 31 9

1 42 0

1 52 1

1 62 2

1 72 3

1 82 4

off = 10Mbps flash = 100Mbps on = 1000MbpsSpd Mode

S tatus

LE DMode

R eset

Fan

Test

R P S

E P S

A ct

FD xS pd

C lear

P oE

2 53 1

2 63 2

2 73 3

2 83 4

2 93 5

3 03 6

3 74 3

3 84 4

3 94 5

4 04 6

4 14 7

4 24 8

5 04 9

P o w e r

F a u lt

L o c a to r

E F

C D

A




1 5

62

3

4

7 1 1

1 28

9

1 0

1 3 1 7

1 81 4

1 5

1 6

1 9 2 3

2 42 0

2 1



1 5

62

3

4

7 1 1

1 28

9

1 0

1 3 1 7

1 81 4

1 5

1 6

1 9 2 3

2 42 0

2 1

2 2


A u xiliary P o rt


J 8 7 2 6 A

In tern alP o wer

P o EP wr

2

1

2

4

1

3

P oE

Temp

Fan

Flash

D IMM

Mgmt


S tatu sA ct

FD x

S pd U sr

P oE

H

J

LK

I

G

F

D

B

E

C

A

P ro C u rv e

S w itc h 5 4 0 6 z lJ 8 6 9 9 A

P o EU s e


B



10 Gigabit

Teaming with TLB

Server Teaming (TLB)

DEMO


Virtual Router Redundancy Protocol(VRRP)

Virtual Router Redundancy Protocol (VRRP)

VRRP (Virtual Router Redundancy Protocol) is the feature used by the HP ProCurve Series 3500yl, 5400zl, & 6200yl family of switches to provide router redundancy, or fail-over, to one or more backup routers in case one fails.

XRRP (XL Router Redundancy Protocol) is the feature used by the HP ProCurve Series 5300XL & 3400 family of switches to provide router redundancy, or fail-over, to a backup router in case one fails.

Allows you to configure one or more switches to behave as backup routers for each other.

Terminology (VRRP) Virtual Router A Virtual Router (VR) instance consists

of one Owner router and one or more Backup routers belonging to the same network. Any VR instance exists within a specific VLAN, and all members of a given VR must belong to the same subnet. In a multinetted VLAN, multiple VRs can be configured. The Owner operates as the VRs Master unless it becomes unavailable, in which case the highest-priority backup becomes the VRs Master.

Master The physical router that is currently providing the virtual router interface to the host computers.

Advertisement Interval The time interval at which the Master router sends out VRRP packets on each virtual router interface.

Virtual Router Redundancy Protocol (VRRP)

User User

ServerDefault Gateway10.0.1.1

10.0.2.1

Default Gateway

10.0.1.1

Default Gateway

10.0.2.1

Protective Domain

VRRP Normal Operation On a given VLAN, a VR includes two or more

member routers configured with a virtual IP address that is also configured as a real IP address on one of the routers, plus a virtual router MAC address. The router that owns the IP address is configured to operate as the Owner of the VR for traffic-forwarding purposes, and by default has the highest VRRP priority in the VR. The other router(s) in the VR have a lower priority and are configured to operate as Backups in case the Owner router becomes unavailable.

The configuration is done for each VLAN

VRRP Fail-Over Operation The Owner normally operates as the Master for a VR. But if it becomes

unavailable, then a failover to a Backup router belonging to the same VR occurs, and this Backup becomes the current Master. If the Owner recovers, a failback occurs, and Master status reverts to the Owner. (Note that using more than one Backup provides additional redundancy, meaning that if both the Owner and the highest-priority Backup fail, then another, lower-priority Backup can take over as Master.

The current Master router sends periodic advertisements to inform the other router(s) in the VR of its operational status. If the backup VR(s) fail to receive a Master advertisement within the timeout interval, the current Master is assumed to be unavailable and a new Master is elected from the existing Backups. The timeout interval for a VR is three times the advertisement interval configured on the VR(s) in the network or subnet. In the default VRRP configuration, the advertisement interval is one second and the resulting timeout interval is three seconds.

Router Redundancy Protocol (VRRP)

User User

ServerDefault Gateway10.0.1.1

10.0.2.1

Default Gateway

10.0.1.1

Default Gateway

10.0.2.1

Protective Domain

VRRP Supported Families

54008200

62003500

VRRPXRRPSwitch Families

9300/9400

640034005300

XRRP Versus Ciscos HSRP

Load Balancing within VLAN

Single Hot Standby

Load Balancing across VLANs

ProCurve XRRP

Cisco HSRP

Tricks & TipsVRRP uses the following multicast MAC address for its protocol packets: 00-00-5E-00-01-< VRid >

XRRP uses the following multicast MAC address for its protocol packets: 0101-E794-0640

Never set up a default or static route that points to the peer router as the path.

Routers must have identical connectivity. That is, they must have the same access to all remote subnets, and the route costs of the access must be the same.

HP 5406_#1IP= 10.10.1.1


(TLB)IP= 10.10.50.10

HP 5406_#2IP= 10.10.1.2

HP 2650IP= 10.10.1.3



Port B24

HP nc6000VLAN 5

IP= 10.10.5.100DG= 10.10.5.1

Port 49 Port 50

Port A1 Port A1

Port 2 Port 1

F4

Port 1

Port B24

P o we r

F a u lt

L o c a to r

E F

C D

A




1 5

62

3

4

7 1 1

1 28

9

1 0

1 3 1 7

1 81 4

1 5

1 6

1 9 2 3

2 42 0

2 1



1 5

62

3

4

7 1 1

1 28

9

1 0

1 3 1 7

1 81 4

1 5

1 6

1 9 2 3

2 42 0

2 1

2 2


A u xiliary P o rt


J 8 7 2 6 A

In tern alP o wer

P o EP wr

2

1

2

4

1

3

P oE

Temp

Fan

Flash

D IMM

Mgmt


S tatu sA ct

FD x

S pd U sr

P oE

H

J

LK

I

G

F

D

B

E

C

A

P ro C u rv e

S w itc h 5 4 0 6 z lJ 8 6 9 9 A

P o EU s e


B

P o we r

F a u lt

h p P r o C u r v e

Sw itc h 2 6 5 0 -p w rJ 8 1 6 5 A

U se only one (T or M) for Gigabit port

G ig -TP o rts

1 0 /1 0 0 B a se -T X P o rts a re H P A u to -MD I-X , Gig -T p o rts a re IE E E A u to MD I/MD I-X

P oE

P oE -R eady 10/100B ase-T X Ports (1-48)

M in i-G B IC

P o rts

MTMT

17

28

39

41 0

51 1

61 2

1 31 9

1 42 0

1 52 1

1 62 2

1 72 3

1 82 4

off = 10Mbps flash = 100Mbps on = 1000MbpsSpd Mode

S tatus

LE DMode

R eset

Fan

Test

R P S

E P S

A ct

FD xS pd

C lear

P oE

2 53 1

2 63 2

2 73 3

2 83 4

2 93 5

3 03 6

3 74 3

3 84 4

3 94 5

4 04 6

4 14 7

4 24 8

5 04 9

P o w e r

F a u lt

L o c a to r

E F

C D

A




1 5

62

3

4

7 1 1

1 28

9

1 0

1 3 1 7

1 81 4

1 5

1 6

1 9 2 3

2 42 0

2 1



1 5

62

3

4

7 1 1

1 28

9

1 0

1 3 1 7

1 81 4

1 5

1 6

1 9 2 3

2 42 0

2 1

2 2


A u xiliary P o rt


J 8 7 2 6 A

In tern alP o wer

P o EP wr

2

1

2

4

1

3

P oE

Temp

Fan

Flash

D IMM

Mgmt


S tatu sA ct

FD x

S pd U sr

P oE

H

J

LK

I

G

F

D

B

E

C

A

P ro C u rv e

S w itc h 5 4 0 6 z lJ 8 6 9 9 A

P o EU s e


B



10 Gigabit

Router Redundancy with VRRP

Default Gateway10.10.5.1

VRRP

DEMO


Connection Rate Filtering (Virus Throttling)

REMEMBER!

No other vendor has added capabilities like these to their switches

First to the industry!Cutting edge technology (developed at HP Labs) for mainstream customers at affordable pricesIts a free upgrade

The Virus Problem Most anti-virus software

works by preventing infection

Works well but occasionally fails Anti-virus software fails to

recognize new viruses Client/server/security

software not up-to-date Worms can spread very

rapidly and cause lots of damage SQLSlammer Sasser

05:29 Jan 25 0 infected

06:00 Jan 25 74855 infected

Todays Limited Solutions

Signature-based detection (known malicious code)Targeted at viruses that have been seen beforeHave to touch the client since that is where the virus is

actually detected Ineffective initially with unknown viruses

Could lead to network paralysis with quick spreading viruses

Solving a different virus concernAssumes all clients entering the networking are

homogeneous No acceptance for outside clients like other vendors sales reps,

contract employees, etc.

Competitions only solution Only a partial solution

How do you manage the unknown, often the most destructive?

For Virus Throttling ProCurve targets the virus (worm) behavior

Advantages to ProCurve Security ArchitectureVirus Throttling

Works without knowing anything about the virusHandles unknown virusesNeeds no signature updates

Protects network infrastructureNetwork and switches will stay up and running, even

when under attack

NotificationWhen a host is throttled, a SNMP trap and log event is

generated IT staff have time to react, before the problem escalates

to a crisis

ProCurves Security Advantages Virus Throttling is uniqueMonitors all ports simultaneouslyEasy to configureNo periodic updates needed

Some competitors have behavioural detection that is similar but Requires an external appliance or special switch module

Extra cost

The Solution: Virus Throttling

As the worm virus tries to spread: the switch detects the activity and automatically either:

throttles traffic from these nodes at the routed VLAN boundary greatly slows the virus spread allows time to react without bringing the network down for the

infected client

or

prevents all traffic from infected client from being routed to other parts of the network stops virus spread

but also prevents all traffic from infected client to be routed to the rest of the network

Virus Throttling Caveats Throttling automatically occurs only for traffic

across routed VLANsRouting is required, no automatic affect in pure L2

environmentsOther nodes on the VLAN with the infected client are still

at risk Traffic from infected clients continues to be forwarded in the L2

environment BUT

The network manager is notified of virus activity and can take steps through PCM+ to find and shut down the switch port where the virus is entering the network.

The Solution: Virus ThrottlingIn an L2 Environment

If you are running PCM+ 1.6 or laterPCM+ gets the trap from the switch identifying the IP

address of the infected clientNet Mgr can then:

Use PCM+ to find the switch port associated with this IP address Shut down the switch port preventing the virus from entering the

network at L2 as well. Net Mgr can now deal with just the client, not the rest of the

network

Virus Throttling in an L2 Environment

1. Switch detects virus activity

2. Alerts PCM+ with IP addr and MAC addr of infected client

X

Traffic blocked

3. Net Manager alerted

4. Manager uses Find Switch Port utility to locate client switch port

5. Manager shuts down that switch port

Virus

PCM+

Virus Throttling

6200

8200

5400

3500

Virus ThrottlingSwitch Families

5300 (L3)

Virus Throttling Enabled


HP ProCurve Manager and ProCurve Manager Plus

HP ProCurve Manager implementsCommand from the Center

Windows-based network management solution

Enables configuration and monitoring of network devices from a central location

Two versions available: Standard and PLUS

Provides necessary tools to effectively manage your network, including:

Auto-

ProCurve Switch Best Practices

Documents

Transcript of ProCurve Switch Best Practices