ProCurve Switch Best Practices
Transcript of ProCurve Switch Best Practices
-
2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
HP ProCurve Networking
Andy Gallacher, Nov 2009
-
Agenda
Physical Infrastructure (Cabling, 10 GbE)
Link technologies (Auto MDIX, Negotiation)
Design methodologies (Link aggregation, VLANs, STP)
Server Teaming
Router Redundancy (VRRP)
Product Overview & What's New
ProCurve Manager
-
HP ProCurve: Quick Facts
Technical Phone Support / Firmware Upgrades
Industry Standards
ProCurve Manager SW (Network Management Software shipped with each switch)
Lifetime Warranty (ALL hubs and switches/routing switches to 8200zl)
Price/Performance (ProCurve is often 20-30% less than the competition)
-
ProCurve Positioned in Gartner's Leaders Quadrant
Magic Quadrant: Enterprise LAN (Global), 2009
Source: Magic Quadrant for Enterprise LAN (Global), 2009, Mark Fabbi, Tim Zimmerman, 30 April 2009.
The Gartner Magic Quadrant is copyrighted April 2009 by Gartner, Inc., and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the Leaders quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
The Magic Quadrant graphic was published by Gartner, Inc., as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from HP ProCurve.
-
Why HP ProCurve Networking? Customer Value
Superior return on IT: price/performance leadership; engineered for affordability
Security and Trust: secure solutions; trusted partner
Reduced complexity: proactive networking; focused on innovation and ease of use
Reliability: highly available; HP quality and industry-best warranty
-
HP ProCurve product categories
Switches (Core & Edge Switches): Scalable core-to-edge switches based on open standards unify the network & reduce complexity
Wireless LAN (Access Point & Controller): 802.11n wireless solutions provide networking access, management and security
WAN (Secure Router): WAN solutions provide adaptable, unified edge-to-edge network connectivity
Data Center (DCM Controller): DC solutions provide policy-based, automated provisioning of network and server resources
Network Management: Device handling capabilities such as mapping, configuration and monitoring across the network
Network Security: Security features embedded throughout the network that detect and respond to threats
-
ProCurve Switching Portfolio
(Chart: Functionality plotted against Price/Performance, spanning Small Business Networks to Enterprise Networks)
Established Technology: Simple, cost-effective connectivity; Layer 2, web managed, unmanaged; 2810, 2510, 1800, 1700, 1400
Traditional Edge: Basic enterprise edge; Layer 3 lite, security, sFlow; 4200, 2800, 2610, 2910
LAN Enterprise: High-function edge (AEA) & core/distribution; full Layer 3; 5400, 3500, WAN
Data Center: Data-center-specific design; Layers 2 & 3, automated provisioning; 6600, 6120, DC Connection Manager
Core/Distribution: Core & distribution/aggregation; full Layer 3+, Layer 4, HA; 8200, 6200
LAN Enterprise Switches Portfolio Overview
(Established Technology and Traditional Edge products, positioned by functionality against price/performance)
1810G/1700 (Layer 2, web managed): Plug and play connectivity; basic network configuration capabilities; excellent migration from unmanaged switches; silent operation for open space deployment
2510G/2510 (Layer 2, managed): Managed layer 2 feature set; 24 or 48 10/100 or Gigabit ports; two SFP ports for fiber connectivity; quiet operation for open space deployment
2520G-PoE/2520-PoE (Layer 2, managed; GA Nov. 1 2009): Managed layer 2 PoE switch family; 8 or 24 10/100 or Gigabit ports; ability to prioritize traffic using QoS for reliable VoIP deployments; quiet operation and small form-factor for open space deployment
2810 (Layer 2, managed): Managed Layer 2 feature set with 24 or 48 Gig ports; sFlow, source port filtering, enhanced security; redundancy with RPS support; four SFP ports for fiber connectivity; more robust/granular QoS
2610-PWR/2610 (lite Layer 3, managed): Access layer 10/100 switch; static IP routes enable routing between VLANs; robust and granular security and QoS policies; redundancy with RPS support
2910al-PoE/2910al (lite Layer 3, managed): High performance gigabit access switch; four optional 10-Gigabit ports (CX4 and/or SFP+); IEEE 802.3af/802.3at functionality (PoE/PoE+); Layer 2 switching with static and RIP IP routing; lifetime warranty, sFlow, ACLs and rate limiting
-
LAN Enterprise Switches (Same ASIC and features)
Expanding The ProVision Family
3500 10/100 Non-PoE
3500 10/100 PoE/PoE+
3500yl 1G PoE/PoE+
5406zl PoE/PoE+, 5412zl PoE/PoE+
8206zl, 8212zl
-
What's New
-
Introducing the ProCurve 2520/2520G Switch Series (Established Technology)
2520-8-PoE (J9137A): 8 10/100-T ports + two shared 10/100/1000-T or SFP ports for fiber connectivity
2520G-8-PoE (J9279A): 8 10/100/1000-T ports + two shared 10/100/1000-T or SFP ports for fiber connectivity
2520-24-PoE (J9138A): 24 10/100-T ports + 2 10/100/1000-T ports + two shared 10/100/1000-T or SFP ports for fiber connectivity
2520G-24-PoE (J9280A): 22 10/100/1000-T ports + four shared 10/100/1000-T or SFP ports for fiber connectivity
-
3500 10/100 Portfolio (LAN Enterprise)
J Number   Official Product Description
J9470A     HP ProCurve 3500-24 Switch
J9472A     HP ProCurve 3500-48 Switch
J9471A     HP ProCurve 3500-24-PoE Switch
J9473A     HP ProCurve 3500-48-PoE Switch
These switches have no expansion slots for the ProCurve Switch yl Module, so they do not have the yl designation.
-
8206zl Base System J9475A (LAN Enterprise/Core)
Includes: 1x chassis, 1x management module, 2x fabric modules, 1x system support module, 1x fan tray, 6 interface/services module slots
8206zl front view: management modules, interface/service module slots, fabric modules; rear: fan tray, power supplies
6 RU
-
8206zl vs. 8212zl
Target Market: 8206zl, moderate-port-count network deployments / 8212zl, higher port-count network deployments
Port Density: 8206zl, up to 144 10/100/1000 and up to 24 10GbE / 8212zl, up to 288 10/100/1000 and up to 48 10GbE
Rack Units Occupied: 8206zl, 6 RU / 8212zl, 9 RU
Performance: 8206zl, 322.8 Gbps / 8212zl, 646 Gbps
Throughput: 8206zl, 240.2 mpps / 8212zl, 428 mpps
L2/L3: both, L3 services when running at L2; L3 routing with Premium License
Optimized Port Environment: both, GbE and 10 GbE
High Availability: both, dual/slotted mgmt/fabric; passive backplane; redundant power
PoE/PoE+: both, yes, standard
Interface/Services Modules: 8206zl, 6 supported / 8212zl, 12 supported
Internal Power Supplies: 8206zl, 2 supported, up to 1800 watts PoE/PoE+ power / 8212zl, 4 supported, up to 3600 watts PoE/PoE+ power
*The price reflects the new 8212zl base system, J8715B, which does not include the premium license.
-
Known zl Interface Modules
J8702A: 24-Port 10/100/1000 PoE zl Module
J8705A: 20-Port 10/100/1000 PoE + 4-Port Mini-GBIC/SFP zl Module; LH-LC, LX-LC, SX-LC, BX, 1000Base-T Mini-GBIC/SFP support; 100-Meg xcvrs (100-FX) for SFP slots
J8706A: 24-Port Mini-GBIC zl Module; LH-LC, LX-LC, SX-LC, BX, 1000Base-T Mini-GBIC support
J8707A: 4-Port 10GbE X2 zl Module; CX4, SR, LR, LRM, or ER optics support
J8708A: 4-Port 10GbE CX4 zl Module
Used with both the 8200zl and 5400zl switches
-
HP ProCurve zl Power Supplies (New!)
Used with both 8200zl and 5400zl
8212zl/5412zl: Up to 4 power supplies, 3600W PoE/PoE+ (5400 watts with Power Supply Shelf)
8206zl/5406zl: Up to 2 power supplies, 1800W PoE/PoE+ (3600W with Power Supply Shelf)
Power supply                                      Chassis Power   PoE Power     PoE+ Power
875W Power Supply J8712A (110-127/200-240 VAC)    600W            273W          -
1500W Power Supply J8713A (220 VAC only)          600W            900W          -
1500W Power Supply J9306A (110-127/200-240 VAC)   600W            300W/900W     300W/900W
Power Supply Shelf J8714A                         0               Up to 1800W   Up to 1800W
-
HP ProCurve zl Power Supply Specs: Electrical Characteristics (New!)
                  875W zl Power Supply (J8712A)    1500W zl Power Supply (J8713A)   1500W PoE+ zl Power Supply (J9306A)
Input Voltage     110-127 VAC    200-240 VAC       200-220 VAC                      110-127 VAC    200-240 VAC
Input Current     11.5 A         5.7 A             10 A                             13 A           10 A
PoE Power         273 W          273 W             900 W                            300 W          900 W
Frequency         50/60 Hz       50/60 Hz          50/60 Hz                         50/60 Hz       50/60 Hz
PoE/PoE+          PoE            PoE               PoE                              PoE+           PoE+
-
HP ProCurve 6600 Switch Series (Data Center)
Product #   Description
J9263A      HP ProCurve 6600-24G Switch: (24) 1G ports
J9264A      HP ProCurve 6600-24G-4XG Switch: (24) 1G ports, (4) 10G ports
J9265A      HP ProCurve 6600-24XG Switch: (24) 10G ports
J9451A      HP ProCurve 6600-48G Switch: (48) 1G ports
J9452A      HP ProCurve 6600-48G-4XG Switch: (48) 1G ports and (4) 10G ports
-
ProCurve ONE Services zl Module
Positioning: Core, Data Center, Edge, Branch
SKU: J9289A
Intel T7500 Core 2 Duo, 4G main memory, 4G flash, 250GB 7200RPM SATA HDD
2 x 10G Ethernet connections to backplane
Warranty: industry-leading lifetime; HDD exception: five years*
Supported in zl series chassis: 5400zl for edge and branch (4U/7U); 8200 with high availability for core and distribution (9U)
-
ProCurve ONE Alliance Partners (1/26/09)
-
Services Modules
J9289A: HP ProCurve ONE Services zl Module
J9155A: HP ProCurve TMS zl Module
J9370A: HP ProCurve MSM765zl Mobility Controller
J9371A: HP ProCurve MSM760/765 40 AP License
-
HP ProCurve Manager 3.0 (HP PCM 3.0) Overview
HP PCM 3.0 Overview
HP PCM 3.0 Enhancements: New Architecture (10 Agents); Enhanced Custom Group Management; Granular User Profiles; Support for Cisco Devices
PCM 3.0 Licensing
Plug-in Applications for PCM 3.0
PCM 3.0 Use Models
Upgrade PCM 2.3 to PCM 3.0
Maintenance and Troubleshooting
-
c-Class BladeSystem Interconnect Types
Pass-thru module: for scenarios where one-to-one server-to-network connections are required; equivalent to a patch panel
Virtual Connect module: simplest and most flexible connectivity to a network; appears as a L2 bridge to the network
Ethernet switch: interconnect aggregation and cable reduction using a managed switch; provides the typical L2 switching feature set and may offer L3 routing capabilities
-
6120G/XG Hardware Overview: Front Panel
Module locator LED: Blue = selected
Module status LED: Green = normal, Amber = fault
2x 1GbE SFP ports: copper, and SX and LX optics
4x 10/100/1000 RJ-45 ports
1x 10GbE CX4 port: CX4 cable
2x 10GbE XFP ports: DAC, SR and LR optics
Console port: Type A mini-USB
Clear button
Reset button (recessed)
Midplane: 16x 1GbE internal ports for server/storage blade access; 1x 10GbE internal port for switch-to-switch access
For 10GbE & 1GbE ports: Link status LED Green = connected, Amber = fault; Link activity LED Green flashing = activity
Other port LEDs: Link status LED Green = connected, Amber = fault; Link activity LED Green flashing = 10/100 activity, Amber flashing = 1000 activity
-
6120XG Hardware Overview: Front Panel
Module locator LED: Blue = selected
Module status LED: Green = normal, Amber = fault
5x 10GbE SFP+ ports: DAC, and SR, LR, and LRM optics (dedicated ports 18, 19, 20, 21, 22)
1x 10GbE CX4 port (CX4 cable) -- or -- 1x 10GbE SFP+ port (DAC, and SR, LR, and LRM optics): shared port (17)
2x 10GbE SFP+ ports (DAC, and SR, LR, and LRM optics) -- or -- 2x 10GbE internal S2S ports: individually shared ports (23, 24)
Console port: Type A mini-USB
Clear button
Reset button
Midplane: 16x 10GbE internal ports for server/storage blade access; 2x 10GbE internal ports for switch-to-switch access
10GbE SFP+ ports also support use of 1GbE SFP (SX, LX, Gig-T) transceivers
-
Blade Switch Comparisons
ProCurve 6120G/XG
  Forwarding/Routing: L2, IPv6 host, 16K MAC, 256 VLANs
  External 10GbE ports: 1 CX4, 2 XFP
  External 1GbE ports: 2 SFP, 4 RJ-45
  Memory: 512 MB RAM, 256 MB flash
  Management: LLDP-MED, SNMPv3
  Access Security: 802.1X, Web, MAC auth
  IGMP Multicast: 256 groups
  Rate Limiting/QoS: Ingress, L3/L4 prioritization
  Stacking: No
  Warranty: Lifetime
ProCurve 6120XG
  Forwarding/Routing: L2, IPv6 host, 32K MAC, 256 VLANs
  External 10GbE ports: 1 SFP+/CX4, 5 SFP+, 2 SFP+/S2S
  External 1GbE ports: None (1)
  Memory: 512 MB RAM, 640 MB flash
HP 1:10Gb Ethernet BL-c
  Forwarding/Routing: L2, L3, VRRP, 16K MAC, 1K VLANs
  External 10GbE ports: 1 CX4, 2 XFP
  External 1GbE ports: 4 RJ-45
  Memory: 256 MB RAM, 64 MB flash
  Management: HTTPS, SNMPv3
  Access Security: ACLs, SSH, RADIUS & TACACS+ auth
  IGMP Multicast: 1K groups
  Rate Limiting/QoS: QoS and 802.1p
  Stacking: No
  Warranty: 1 year
Cisco 3020
  Forwarding/Routing: L2+, 8K MAC, 1K VLANs
  External 10GbE ports: None
  External 1GbE ports: 4 SFP/RJ-45, 4 RJ-45
  Memory: 128 MB RAM, 32 MB Flash
  Management: SNMPv3
  Access Security: ACLs, 802.1X, Web, MAC auth
  IGMP Multicast: 1K groups
  Rate Limiting/QoS: Extensive, highly granular with rate limiting & traffic shaping
  Stacking: No
  Warranty: 1 year
Cisco 3120G / Cisco 3120X
  Forwarding/Routing: L2 (upgradeable to L3 & IPv6), 8K MAC, 1K VLANs
  External 10GbE ports: 3120G, None / 3120X, 4 SFP or 2 X2
  External 1GbE ports: 3120G, 4 SFP/RJ-45, 4 RJ-45 / 3120X, 4 RJ-45
  Memory: 256 MB RAM, 64 MB flash
  Management: SNMPv3
  Access Security: ACLs, 802.1X, Web, MAC auth
  IGMP Multicast: 1K groups
  Rate Limiting/QoS: Extensive, highly granular with rate limiting & traffic shaping
  Stacking: Stackwise
  Warranty: 1 year
(1) 1GbE SFP optics (SX and LX) and Gig-T transceivers can be installed in any of the external 10GbE ports.
-
Software Features
General Networking Features: IEEE 802.1D MAC Bridges; IEEE 802.1p Priority; IEEE 802.1Q VLANs; IEEE 802.1v VLAN classification by Protocol and Port; QoS (CoS, ToS, DSCP); IEEE 802.1D RSTP (formerly 802.1w); IEEE 802.1Q MSTP (formerly 802.1s); BPDU Protection and STP root guard; IEEE 802.3ad LACP; IEEE 802.3x Flow Control; RFC 792 ICMP; Broadcast Throttling; RFC 951 BOOTP and RFC 1542 Extensions; RFC 2030 SNTP; RFC 2131 DHCP; DHCP Information Option with DHCP Protection; TFTP, SFTP, FTP; Uni-Directional Link Detection; IPv6 Host; ICMP Rate-limiting
IP Multicast: IGMPv1, v2 & v3 (Data Driven)
Device Management: CLI Access Using Console, Telnet, or SSH; HTTP and HTTPS Web Management Access; SSHv1/SSHv2 Management Access; HP Onboard Administrator Integration; OOBM (with DHCP client default); Authorized Managers List
Security: Concurrent Port-Based 802.1X, Web and MAC Authentication; RADIUS & TACACS+; Port Security; MAC Address Lockout
Monitor and Diagnostics: Port Mirroring; RMON v1/v2
Network Management: LLDP-MED; Syslog Protocol; SNMPv1/v2c/v3
-
Parts Information
Part No.      Description
Two blade switches (HP ISS parts):
498358-B21    HP ProCurve 6120G/XG Blade Switch
516733-B21    HP ProCurve 6120XG Blade Switch
HP ISS parts:
453154-B21    HP 1Gb RJ-45 SFP Option Kit
453151-B21    HP 1Gb SX SFP Option Kit
443756-B21    HP XFP 850nm SR Module
443757-B21    HP XFP 1310nm LR Module
455883-B21    HP SFP+ SR Transceiver
455886-B21    HP SFP+ LR Transceiver
455889-B21    HP SFP+ LRM Transceiver
487649-B21    HP 10GbE SFP+ .5m Direct Attach Cable
487652-B21    HP 10GbE SFP+ 1m Direct Attach Cable
487655-B21    HP 10GbE SFP+ 3m Direct Attach Cable
537963-B21    HP 10GbE SFP+ 5m Direct Attach Cable
487658-B21    HP 10GbE SFP+ 7m Direct Attach Cable
-
Parts Information (cont.)
Part No.      Description
J9150A        HP ProCurve SFP+ SR Transceiver
J9151A        HP ProCurve SFP+ LR Transceiver
J9152A        HP ProCurve SFP+ LRM Transceiver
J9281A/B      HP ProCurve 10-GbE SFP+ 1m Direct Attach Cable
J9283A/B      HP ProCurve 10-GbE SFP+ 3m Direct Attach Cable
J9285A/B      HP ProCurve 10-GbE SFP+ 7m Direct Attach Cable
J9300A        HP ProCurve 10-GbE XFP-SFP+ 1m Direct Attach Cable
J9301A        HP ProCurve 10-GbE XFP-SFP+ 3m Direct Attach Cable
J9302A        HP ProCurve 10-GbE XFP-SFP+ 5m Direct Attach Cable
Only version B DACs can be purchased going forward.
XFP-SFP+ cables have an XFP connector on one end and an SFP+ connector on the other; applicable to 6120G/XG.
-
Cable Infrastructure
-
Cable specifications for full-duplex Ethernet
Interface type      Cable supported                     Maximum distance
100/1000Base-T      Category 5e UTP                     100 meters
1000Base-SX         Multimode (62.5 micron)             275 meters
1000Base-SX         Multimode (50 micron)               500 meters
1000Base-LX         Single-mode (9 micron)              10 kilometers
1000Base-LX **      Multimode (62.5 or 50 micron)       550 meters
100-BX              Single-mode (9 micron)              10 kilometers
1000-BX             Single-mode (9 micron)              10 kilometers
-
Cable specifications for full-duplex Ethernet
Interface type      Cable supported                     Maximum distance
10G-CX4             4X Twinax (Infiniband-style)        15 meters
10GBASE-SR          Multimode (62.5 micron)             2-33 meters
10GBASE-SR          Multimode (50 micron/2000 MHz)      300 meters
10GBASE-LRM         Multimode (62.5 micron)             220 meters
10GBASE-LR          Single-mode (9 micron)              10 kilometers
10GBASE-ER          Single-mode (9 micron)              40 kilometers
http://www.hp.com/rnd/support/faqs/10-GbE-trans.htm
-
Connector Types
-
HP ProCurve Mini GBIC / Transceivers
J4858C   1000Base-SX         Connector: LC     Maximum distance: 220 meters
J4859C   1000Base-LX         Connector: LC     Maximum distance: 10 km
J4860C   1000Base-LH         Connector: LC     Maximum distance: 70 km
J8177B   1000BT SFP          Connector: RJ45   Maximum distance: 100 meters
J9054B   100FX SFP           Connector: RJ45   Maximum distance: 100 meters
J9142B   1000-BX-D SFP-LC    Connector: LC     Maximum distance: 10 km
J9143B   1000-BX-U SFP-LC    Connector: LC     Maximum distance: 10 km
J9099B   100-BX-D SFP-LC     Connector: LC     Maximum distance: 10 km
J9100B   100-BX-U SFP-LC     Connector: LC     Maximum distance: 10 km
-
Transceiver Packaging Comparison
Xenpak: 10Gig only (9300)
X2: 10Gig only (3400cl & 6400cl)
GBIC: Gigabit only (PNB doesn't support GBICs in any of our products)
mGBIC (or SFP+): Gigabit/10 GbE
-
SFP+ 10G Technology
Next gen technology enables lower cost per 10G port
Supports Direct Attach Cable (DAC) for very low cost over short ranges
Smaller form factor than X2 or XFP: provides higher port density; same form factor as Gig SFP
Provides thermal benefits leading to power savings: SFP+ consumes 1W per port, X2 consumes 4W per port
Supports 10G SR, LR, LRM
-
HP ProCurve Switch Accessories: 10G SFP+ Transceivers
SFP+: a new form-factor (size & shape) for 10-Gigabit modular transceivers
Same size & shape as a "mini-GBIC" (SFP)
Supports three existing 10-Gigabit technologies: SR, LRM, LR
Product #   Description                              US List
J9150A      ProCurve 10-GbE SFP+ SR Transceiver
J9151A      ProCurve 10-GbE SFP+ LR Transceiver
J9152A      ProCurve 10-GbE SFP+ LRM Transceiver
-
HP ProCurve Switch Accessories: 10G SFP+ Direct Attach Cables
What is a Direct Attach cable? A one-piece unit consisting of an SFP+ form-factor transceiver at each end with permanently-attached cabling between; delivers the 10-Gigabit signal from end to end
Initial length offerings: 1m, 3m, 7m
Product #   Description                                       US List
J9281B      ProCurve 10-GbE SFP+ 1m Direct Attach Cable
J9283B      ProCurve 10-GbE SFP+ 3m Direct Attach Cable
J9285B      ProCurve 10-GbE SFP+ 7m Direct Attach Cable
-
Power over Ethernet (PoE)
802.3af IEEE standard (48 volts, 15.4 watts)
Existing cable plant (Cat 3, 5, 5e, 6)
Either data pairs or non-data pairs (1/2 & 3/6) & (4/5 & 7/8)
15.4 watts maximum at end-span device
Phones draw from 3 watts and higher
PoE+ for PTZ cameras, 802.11n (future PC battery)
End-span refers to an Ethernet switch with embedded power
Mid-span devices are placed between legacy switches and the powered devices
Centralized power
-
Why Support PoE+?
Advantages of PoE+ over PoE: increases maximum power to PDs; dynamic and granular power negotiation
Enables support for additional devices: 802.11n access points, video IP phones, thin clients, pan-tilt-zoom cameras
Backwards compatible with PoE
-
PoE+ Specifications
PoE+ (IEEE 802.3at) sets new specifications for:
1. Wattage: maximum delivered to PD increased to 24W; maximum at switch port increased to 30W
2. Voltage levels: minimum increased to 50V
3. Current: maximum increased to 600mA
4. Cabling: supports only Cat5E and newer
-
Typical VoIP Infrastructure
(Diagram: PSTN connected to a Mitel 3300 IP PBX on the LAN)
-
Typical VoIP Infrastructure
Two port switch built into phone
Single UTP cable to phone
PC/Workstation connected to phone
Two VLANs to phone (VoIP tagged, Data untagged)
Voice VLAN tagged with 802.1p priority set
-
Tricks & Tips
The interface-connector-cable combination can have a significant impact on the performance of the network. Be careful and note that a particular type of connector does not ensure a particular type of cable.
An LC could be connecting either multimode or single mode. The mini-GBICs look the same. Read the label!
-
Auto MDIX
-
HP / IEEE Auto MDIX
Automatically adjusts for straight-through or crossover cables on all 10/100 and 10/100/1000 ports
(Diagram: 1000T link on a cross-over cable, 100T link on a straight-through cable)
-
Tricks & Tips
It may be necessary in some environments to disable auto MDIX.
Auto MDIX manual mode:
  interface <port-list> mdix-mode <automdix | mdi | mdix>
The options include auto-MDIX (the default), MDI, and MDI-X.
Benefits: avoids relying on the auto-MDIX capability when connecting switch-to-switch links.
-
Auto Negotiation
-
Ethernet Transmission modes
Half Duplex: Data transmission over an Ethernet link capable of transmitting in either direction, but not simultaneously. For Ethernet, the CSMA/CD method is a half duplex protocol. If it receives traffic while transmitting, it reports a collision.
Full Duplex: Data transmission over a circuit capable of transmitting in both directions simultaneously.
-
Auto Negotiation
The auto-negotiation mechanism allows the two interfaces on a link to select the best common mode automatically, the moment a cable is plugged in.
The problem is that it looks great on paper, but it doesn't always work as intended. Although the final Fast Ethernet standard did contain a section on auto-negotiating, that section was one of the last things put into the standard and many vendors had already implemented their own auto-sensing systems and deployed them before the standard was ratified.
If this wasn't bad enough, there is no standard for detecting modes at 10Mb.
-
Ethernet Errors
In a shared environment, collisions may result in:
  Giants, due to the concatenation of frames that were transmitted at the same time
  Runts, due to the fragmentation of frames that were transmitted at the same time
In a fully switched environment: collisions indicate a mode mismatch, i.e. half- vs. full-duplex
CRC errors: detected when the value in the appended 4-byte Frame Check Sequence does not match the CRC calculated by the receiving station; may be present in either a shared or a switched environment
-
Tricks & Tips
Set system-wide network resources to the maximum fixed speed and duplex mode.
Speed and duplex command:
  interface <port-list> speed-duplex 100-full
Benefits: avoids relying on the auto-negotiation capability when connecting switch-to-server links.
Interface status:
  show interface brief
-
Tricks & Tips
Speed and duplex command (negotiate, but cap the speed at 100):
  interface <port-list> speed-duplex auto-100
Benefits: limits the auto-negotiation capability when connecting switch-to-server links.
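The two tips above come down to one operational check: after fixing or capping speed-duplex, confirm from `show interface brief` that no live link ended up half-duplex or below the speed its port type supports, because in a switched network those are the symptoms of a negotiation mismatch. The following is an added example, not code from the original deck or from HP; it parses a constructed sample in the layout of the ProCurve `show interfaces brief` output (the port rows are invented for the example) and returns the ports a network engineer should look at.

```python
import re

# Constructed sample in the layout of the ProCurve 'show interfaces brief'
# output (not captured from a real switch; the port rows are invented).
SAMPLE_OUTPUT = """\
 Status and Counters - Port Status

  Port Type      | Intrusion                           MDI   Flow  Bcast
                 | Alert     Enabled Status Mode       Mode  Ctrl  Limit
  ---- --------- + --------- ------- ------ ---------- ----- ----- -----
  1    100/1000T | No        Yes     Up     1000FDx    MDIX  off   0
  2    100/1000T | No        Yes     Up     100HDx     MDI   off   0
  3    100/1000T | No        Yes     Up     100FDx     MDIX  off   0
  4    100/1000T | No        Yes     Down   1000FDx    Auto  off   0
  21   1000SX    | No        Yes     Up     1000FDx    NA    off   0
"""

# One data row: port, type, then the columns after the '|'.
ROW_RE = re.compile(
    r"^\s*(?P<port>[A-Za-z]?\d+)\s+(?P<type>\S+)\s*\|\s*"
    r"(?P<alert>\S+)\s+(?P<enabled>\S+)\s+(?P<status>\S+)\s+(?P<mode>\S+)\s+"
    r"(?P<mdi>\S+)\s+(?P<flow>\S+)\s+(?P<bcast>\S+)\s*$"
)
# Operating mode, e.g. 1000FDx = 1000 Mb/s full duplex, 100HDx = half duplex.
MODE_RE = re.compile(r"^(?P<speed>\d+)(?P<duplex>FDx|HDx)$")


def parse_brief(text):
    """Return the data rows of a 'show interfaces brief' dump as dicts."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def max_speed_mbps(port_type):
    """Highest speed a port type supports: '100/1000T' -> 1000, '1000SX' -> 1000."""
    speeds = [int(n) for n in re.findall(r"\d+", port_type)]
    return max(speeds) if speeds else None


def audit_ports(text):
    """Flag links that are up in a mode a switched network should not show."""
    findings = []
    for row in parse_brief(text):
        if row["status"] != "Up":
            continue  # a down port tells us nothing about negotiation
        m = MODE_RE.match(row["mode"])
        if not m:
            continue
        speed, duplex = int(m.group("speed")), m.group("duplex")
        if duplex == "HDx":
            # Half duplex on a switch port almost always means one end is
            # fixed while the other negotiated (or the reverse).
            findings.append((row["port"], "half-duplex: probable speed/duplex mismatch"))
        cap = max_speed_mbps(row["type"])
        if cap and speed < cap:
            findings.append((row["port"], f"running at {speed} Mb/s on a {row['type']} port"))
    return findings


if __name__ == "__main__":
    for port, problem in audit_ports(SAMPLE_OUTPUT):
        print(f"port {port}: {problem}")
```

On the sample, port 2 is reported twice (half duplex and 100 Mb/s on a gigabit-capable port) and port 3 once; a port that was deliberately capped with `speed-duplex auto-100` will also show up as "below port maximum", which is the intended reminder to document why that port is capped.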
-
Virtual LANs
-
Interconnecting IP networks (LAN)
Every host in an IP network has a unique IP address
In this example, hosts in the same wiring closet are in the same broadcast domain / IP network
Traffic between hosts in the same IP network is forwarded by switches using the destination Layer 2 (MAC) address
Traffic between hosts in different IP networks is forwarded by the router using the destination Layer 3 (IP) address
(Diagram: IP Network 1, IP Network 2, IP Network 3, one per wiring closet; Router: connection point for wiring closets)
-
Interconnecting networks (VLANs)
Every host in an IP network has a unique IP address
In this example, hosts in the same wiring closet are in different VLANs (broadcast domains / IP networks)
Traffic between hosts in the same VLAN is forwarded by switches using the destination Layer 2 (MAC) address
Traffic between hosts in different IP networks is forwarded by the switch using the destination Layer 3 (IP) address
(Diagram: all networks present in every wiring closet; a Layer 3 switch replaces the router as the connection point for wiring closets)
VLAN = broadcast domain = IP network address = IP subnet
-
VLAN ID assignments
Users should be arranged into VLANs (and thus IP address ranges) based on:
Internal departments: Engineering, Administration, Accounting
Resource requirements
End user customers for ISPs:
  Should have access to all of the hosts in the suite
  Should have access to the Internet, email hosting, and remote backup depending on whether they have subscribed to those services
  Should not have access to resources in other tenants' suites
-
VLAN ID assignments
A network should have a minimum of 3 VLANs:
A Server VLAN
Network Management VLAN
User/Data VLAN
-
Network Design Methodology
-
Steps for design and deployment
Regardless of the size of the project, the basic steps in the design process are:
Assess customer needs and requirements
Develop and propose a solution (logical, physical)
Implement and document the solution
-
Assessing customer needs
In assessing the needs of the network, plan for the following requirements:
Port types and quantities
Cabling to support specified ports
Amount and type of data anticipated
User resource needs
Anticipate growth in the enterprise and its network
Examine existing network infrastructure
Can the requirements be met within the customer's budget?
-
Plan for port types and quantities
To determine the number and type of switches, consider:
Number of edge ports: one user per port; often determined by existing cabling
Number of wiring closets: using modular edge switches can minimize the total number of switches (7 slots x 24 ports = 168 edge ports); stackable switches support up to 48 edge ports
Distribution and/or core switches: the number of edge switch uplinks may determine whether all edge switches will terminate at a common core switch or be aggregated at intermediate-level distribution switches
-
Plan for cabling to support specified bandwidth requirements
Use existing cabling whenever possible
Distances between edge ports and cubicles must be 100 meters or less for 100TX/1000T
Category 5 or better for 100Base-TX; Category 5e or better for 1000Base-T
For existing copper cabling with runs longer than 100 meters, the choices are:
  Statically configure the interface-level speed-duplex parameter to auto-10 to assure reliable connections
  Install new cabling (may be cost-prohibitive for some customers)
Use fiber for switch-to-switch distances greater than 100 meters: 1000Base-LX, 1000Base-SX, 1000Base-LH, 100Base-FX
-
Plan for amount and type of traffic
Determine characteristics of the traffic to be carried over links between switches:
Location of high traffic hosts and anticipated volume: servers; applications that generate high volume
Applications requiring prioritization: voice, video
Multicast support: distance learning, meetings
Traffic requirements can indicate a need for higher speed edge ports and/or higher capacity uplinks
-
Understand user resource requirements
Determine resources to be made available to users and whether availability of those resources is critical
Identify users with common resource requirements; this information may be used to define VLAN boundaries
Identify resources whose availability is critical; provide redundant links and/or redundant switches; balance high availability needs with the customer's budget constraints
-
Addressing and Protocols
Private address range versus Public (NAT)
Version: IPv4 versus IPv6
Protocols: IP, IPX, AppleTalk, SNA, DECnet; do protocols need to be routable?
Routing protocols: RIPv1, RIPv2, OSPF, BGP or proprietary
Define VLANs: by protocol, by security compartment, by physical location
-
Hierarchical Address Scheme
Network 10.0.0.0
Site (2nd Octet)           Network      VLAN (3rd Octet)   IPX Address
Wide Area Network (WAN)    10.0.0.0     10.0.0-254.0       0A00xx
District Office            10.10.0.0    10.10.0-254.0      0A0Axx
Campus 1                   10.20.0.0    10.20.0-254.0      0A14xx
Campus 2                   10.30.0.0    10.30.0-254.0      0A1Exx
Campus 3                   10.40.0.0    10.40.0-254.0      0A28xx
Campus 4                   10.50.0.0    10.50.0-254.0      0A32xx
Each 256 Host Subnet will be broken down into sub categories as follows:
Decimal Value Range   # of devices   Meaning/Usage
0                     0              Reserved
1                     1              VRRP Primary
2                     1              VRRP Secondary
3-6                   4              Router Interfaces
7                     1              Firewall
8-20                  13             Reserved for Networking Devices
21-50                 30             Static addresses for hosts and printers
51-220                170            Primary DHCP Range
221-255               35             Backup DHCP Range
This breakdown of the address space allows for a maximum of 170 DHCP addressable devices and 30 servers/printers per subnet or VLAN.
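The scheme above is mechanical enough to encode, which is also the easiest way to keep firewall rules, DHCP scopes and ACLs consistent with it. The following is an added example, not code from the original deck or from HP: it builds the 10.site.vlan.0/24 subnet and the matching IPX network number (the hex of the IP octets, as in the 0A32xx column), classifies any address by its host octet, and checks the role table tiles the whole octet. One caveat it makes explicit: in a /24 the host value 255 is the subnet broadcast, so the 221-255 backup scope yields 34 leasable addresses, not 35. The site names and role names are taken from the slide; everything else is the example's own.

```python
import ipaddress

# Site plan from the slide: site name -> second octet of 10.x.y.0
SITES = {
    "Wide Area Network (WAN)": 0,
    "District Office": 10,
    "Campus 1": 20,
    "Campus 2": 30,
    "Campus 3": 40,
    "Campus 4": 50,
}

# Host-octet breakdown from the slide: (role, first value, last value), inclusive.
HOST_PLAN = [
    ("Reserved", 0, 0),
    ("VRRP Primary", 1, 1),
    ("VRRP Secondary", 2, 2),
    ("Router Interfaces", 3, 6),
    ("Firewall", 7, 7),
    ("Reserved for Networking Devices", 8, 20),
    ("Static addresses for hosts and printers", 21, 50),
    ("Primary DHCP Range", 51, 220),
    ("Backup DHCP Range", 221, 255),
]


def vlan_subnet(site_octet, vlan_id):
    """The /24 for one VLAN at one site: 10.<site>.<vlan>.0/24."""
    if not (0 <= site_octet <= 254 and 0 <= vlan_id <= 254):
        raise ValueError("site and VLAN octets must be 0-254")
    return ipaddress.ip_network(f"10.{site_octet}.{vlan_id}.0/24")


def ipx_network(site_octet, vlan_id):
    """IPX network number derived from the IP octets in hex (10.50.20 -> 0A3214)."""
    return f"{10:02X}{site_octet:02X}{vlan_id:02X}"


def plan_is_contiguous(plan=HOST_PLAN):
    """True when the roles tile the host octet 0..255 with no gap or overlap."""
    expected = 0
    for _, lo, hi in plan:
        if lo != expected or hi < lo:
            return False
        expected = hi + 1
    return expected == 256


def role_sizes(plan=HOST_PLAN):
    """Number of host values in each role, as printed on the slide."""
    return {name: hi - lo + 1 for name, lo, hi in plan}


def leasable(net, role, plan=HOST_PLAN):
    """Addresses in a role that a DHCP scope could actually hand out:
    the /24's network (.0) and broadcast (.255) addresses are excluded."""
    lo, hi = next((lo, hi) for name, lo, hi in plan if name == role)
    hosts = set(net.hosts())
    base = int(net.network_address)
    return [ipaddress.ip_address(base + n) for n in range(lo, hi + 1)
            if ipaddress.ip_address(base + n) in hosts]


def role_of(addr, plan=HOST_PLAN):
    """Classify any address in the scheme by its host octet."""
    octet = int(ipaddress.ip_address(addr)) & 0xFF
    for name, lo, hi in plan:
        if lo <= octet <= hi:
            return name
    raise ValueError(f"{addr} is outside the plan")


if __name__ == "__main__":
    net = vlan_subnet(SITES["Campus 4"], 20)
    print(net, ipx_network(SITES["Campus 4"], 20))
    print(role_sizes())
    print(len(leasable(net, "Backup DHCP Range")), "leasable backup addresses")
```

`role_of` is the piece worth reusing: an ACL audit that sees 10.20.7.200 as a source can immediately tell that the address sits in the primary DHCP range of VLAN 7 at Campus 1, which is the kind of check the "Reserved for Networking Devices" block exists to make possible.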
-
Security
Physical Access
Network Access (802.1X)
Server Access
Network Management passwords
Firewalls, ACLs
Internet, DMZ
Wireless
-
Develop and propose a solution
Based on the information gathered during the assessment phase:
Diagram the physical connectivity: switches, including any modular accessories; port counts, types, and speeds
Produce a list of required equipment
-
Implement and document the solution
Based on the information you gathered in the assessment phase, create configurations:
Create passwords to prevent unauthorized access
Create VLANs specified in the design
Enable high availability features where specified by the design
Create any prioritization policies
Enable remote management if required
-
Create VLANs and port members
Create VLANs
Assign access ports as untagged members of the appropriate VLAN for hosts with non-Q-compliant network adapters
Define tagged VLAN membership for switch-to-switch links as necessary
-
Enable high-availability features
Enable high-availability features as specified by the design:
All versions of Spanning Tree interoperate with HP Switch Meshing
Router Redundancy (XRRP, VRRP, HSRP)
Server Teaming
Your design may require more than one high-availability feature
Be sure to include switch-to-switch links as tagged members of all VLANs whose traffic might be carried in the event of link failure
-
Enable prioritization
For hosts that require the edge switch to set and mark priority, define the policies or port-level priorities that will accomplish the goals of the design
For Q-compatible hosts that are capable of setting priorities on their own behalf: set policies that override illegitimate 802.1p priority settings; avoid setting user-defined policies that override legitimate 802.1p priority settings
Links that will carry prioritized traffic must be tagged members of relevant VLANs or the tags will be stripped, eliminating end-to-end prioritization
-
Hierarchical network design (three tiers below the Internet)
Core Layer (no end stations connect here; L2)
Distribution Layer (interconnects edge switches; L3)
Access Layer (edge switches; all end stations connect here; L2)
-
Hierarchical network design (two tiers below the Internet)
Core / Distribution Layer
Access Layer (edge switches; all end stations connect here)
-
Design Terminology
Access Layer: Sometimes referred to as the edge. It is the bottom layer of a hierarchical model; it provides users with network access. Usually layer 2 connectivity (non-routed).
Distribution Layer: Middle layer of a hierarchical model. The distribution layer interconnects the core and access layers. This is where routing is performed. Usually layer 3 with filtering.
Core Layer: The top layer of a hierarchical model. Traditionally passes packets to the distribution layer only. Usually layer 2 for performance.
-
3 Tier Architecture vs. 2 Tier Architecture
Layer 2 Problem Isolation
  3 Tier, advantage: Isolates L2 issues within each distribution layer
  2 Tier, disadvantage: L2 issues can affect the core
Network Complexity
  3 Tier, disadvantage: More complex; requires routing switches per distribution layer
  3 Tier, advantage: Better distributed traffic control
  2 Tier, disadvantage: Centralized control; traffic bottlenecks
  2 Tier, advantage: Less complex (single pair of routing switches)
Cost
  3 Tier, disadvantage: Requires additional layer 3 switches/routers
  3 Tier, advantage: More advanced feature sets
  2 Tier, disadvantage: Not suitable for a large number of distribution uplinks to the core
  2 Tier, advantage: Lowest cost per port
-
Spanning Tree Protocol (STP)
-
Spanning Tree Protocol
The Spanning Tree Protocol automatically detects loops in the network topology and blocks the links that lead to less desirable paths.
Three versions:
  IEEE 802.1d (original STP)
  IEEE 802.1w (Rapid STP)
  IEEE 802.1s (Multi-instance STP)
-
Spanning Tree Protocol Defaults
STP is NOT enabled by default.
Rapid STP is the default version when spanning tree is enabled with the spanning-tree command.
Multi-instance STP is the default version for newer ProCurve switches.
-
Spanning Tree Protocol
Spanning Tree is a standard method for enabling automatic network redundancy and high availability at layer 2. Used in multivendor environments.
-
STP Step 1: Block ports
The first step in defining a loop-free topology is to place all normal STP ports into Blocking state
This prevents user traffic from being forwarded until loops are resolved
Fast ports transition to Forwarding immediately (RSTP)
Diagram: Switch_A and Switch_B with all normal ports in the Blocking (B) state; only the ports configured for Fast mode are already Forwarding
-
STP Step 2: Generate BPDUs and elect Root switch
Every STP switch generates BPDUs and sends them through all ports
BPDUs are updated and forwarded by all switches through all ports
Within about 30 seconds, one of the switches becomes the Root of the Spanning Tree
Only the Root continues sending BPDUs; other switches continue to update and forward BPDUs
Diagram: the elected Root and the Fast-mode ports are Forwarding; all other ports remain Blocking (B)
-
STP Step 3: Calculate path costs to Root
In this network, each link has a cost of 5
As each switch updates the BPDUs, the result is a cumulative path cost to the root
This enables each switch to determine which of its ports leads to the lowest cost path to the root
Diagram: cumulative path costs to the Root of 5 and 10 labelled on the links from each switch
-
STP Step 4: Change some port states to Forwarding
Every port on the Root Bridge transitions to the Forwarding state
The root port on each switch transitions to the Forwarding state
For each backup link, the designated port transitions to the Forwarding state
The port on the other side of the backup link remains in the Blocking state
Diagram: root ports (F), designated ports (F) and the far ends of the backup links (B)
-
Spanning Tree Edge Ports
Enable admin-edge on ports connected to end nodes. During spanning tree establishment, ports with admin-edge enabled transition immediately to the forwarding state. Disable this feature on any switch port that is connected to another switch, bridge, or hub.
spanning-tree < port-list > admin-edge-port
-
Adapting to changes in port state
When a link fails, the continuous hello messages cause another port to become the root port
If the Root switch fails, all of the switches will block their ports until another switch is established as the Root and the appropriate ports transition to the Forwarding state
Diagram: Switch_A (Root) with Switch_B, Switch_C, Switch_D and Switch_E; after the failed link, a port that was Blocking becomes the new root port and transitions to Forwarding (F)
-
STP Root Bridge Selection
Not configuring the Root Bridge may not give you the desired effect: higher speed links can be blocked in favor of a lower path cost to the Root Bridge
In this network, each link has a cost of 5
Diagram: a Linksys WET54GS5 5-port switch (802.1d) and a Linksys WAP11 Instant Wireless access point attached alongside HP switches; MAC OUIs shown are 00045A and 000625 (The Linksys Group) and 000a57, 000d9d and 000e7f (Hewlett Packard); cumulative path costs of 10, 15 and 20 are labelled on the links
-
STP Root Bridge Selection
If Bridge Priority is not administratively-defined, which of these switches will become the Root Bridge?
All things being equal (the same bridge priority everywhere), the switch with the lowest MAC address becomes the Root Bridge.
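As an added example (not from the HP slides), this Python model walks through the four STP steps on the scenario above: with every bridge at the default priority the unmanaged Linksys switch (OUI 00045A) wins the Root election on its MAC address alone and an HP core link ends up Blocking; giving the HP core priority 0 moves the Root where the design wants it. The switch names, MAC addresses and the cost-5 links are constructed.

```python
import heapq

DEFAULT_PRIORITY = 32768  # 802.1D default bridge priority


def bridge_id(priority, mac):
    """Bridge ID ordering: priority first, then MAC; the lowest wins."""
    return (priority, int(mac.replace(":", ""), 16))


def elect_root(bridges):
    """Step 2: the bridge with the lowest Bridge ID becomes the Root."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def root_path_costs(root, links):
    """Step 3: cumulative lowest path cost from each bridge to the Root."""
    adj = {}
    for a, b, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for nxt, cost in adj[node]:
            if d + cost < dist.get(nxt, float("inf")):
                dist[nxt] = d + cost
                heapq.heappush(heap, (d + cost, nxt))
    return dist


def port_roles(bridges, links):
    """Step 4: role of each end of each link (one link per switch pair):
    'root' (root port), 'designated' or 'blocking'. Returns (root, roles)."""
    root = elect_root(bridges)
    dist = root_path_costs(root, links)
    # Root port: the neighbour giving the lowest cost to the Root; a tie goes
    # to the neighbour with the lower Bridge ID, as in 802.1D
    best = {}
    for a, b, cost in links:
        for me, peer in ((a, b), (b, a)):
            if me != root:
                cand = (dist[peer] + cost, bridge_id(*bridges[peer]), peer)
                if me not in best or cand < best[me]:
                    best[me] = cand
    roles = {}
    for a, b, cost in links:
        for me, peer in ((a, b), (b, a)):
            if me != root and best[me][2] == peer:
                roles[(me, peer)] = "root"
        # The end closer to the Root (tie: lower Bridge ID) is designated and
        # forwards; the far end of a backup link stays Blocking
        ka = (dist[a], bridge_id(*bridges[a]))
        kb = (dist[b], bridge_id(*bridges[b]))
        near, far = (a, b) if ka <= kb else (b, a)
        roles.setdefault((near, far), "designated")
        roles.setdefault((far, near), "blocking")
    return root, roles


# Constructed topology: an HP core with two HP edge switches and an unmanaged
# Linksys switch dual-homed to both edges. Every link costs 5, as on the slide.
LINKS = [
    ("HP_Core", "HP_Edge1", 5), ("HP_Core", "HP_Edge2", 5),
    ("HP_Edge1", "HP_Edge2", 5),
    ("HP_Edge1", "Linksys", 5), ("HP_Edge2", "Linksys", 5),
]


def scenario(core_priority=DEFAULT_PRIORITY):
    """Run the election with the HP core at the given bridge priority."""
    bridges = {  # constructed MACs using the OUIs shown on the slide
        "Linksys": (DEFAULT_PRIORITY, "00:04:5a:00:00:01"),  # lowest MAC
        "HP_Core": (core_priority, "00:0a:57:00:00:01"),
        "HP_Edge1": (DEFAULT_PRIORITY, "00:0d:9d:00:00:01"),
        "HP_Edge2": (DEFAULT_PRIORITY, "00:0e:7f:00:00:01"),
    }
    return port_roles(bridges, LINKS)


if __name__ == "__main__":
    for prio in (DEFAULT_PRIORITY, 0):
        root, roles = scenario(prio)
        blocked = sorted(k for k, v in roles.items() if v == "blocking")
        print(f"core priority {prio}: root={root}, blocking ports={blocked}")
```

With default priorities the core's link to HP_Edge2 is Blocking and core-to-Edge2 traffic detours through the Linksys; with priority 0 on the core both core links forward and only the Linksys and Edge2-Edge1 backup ports block.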
In this network, each link has a cost of 5
Diagram: the same Linksys and HP switches as on the previous slide, now with the elected Root and root ports marked and every port labelled F (forwarding) or B (blocking)
-
STP Root Bridge
Connecting devices in default mode with STP enabled can change network paths
The end-to-end path may not be the best path to the network resource
A misconfigured Root Bridge can cause network performance issues
Diagram: a User, a Server, the Root and a Linksys WAP11 Instant Wireless access point
-
STP Root Bridge
DEMO
-
Root Bridge: Rapid Spanning Tree demo topology
Diagram: HP 5406 #1 (IP 10.10.1.1) and HP 5406 #2 (IP 10.10.1.2) running VRRP, each with an address in VLANs 1 to 10 and VLAN 50 (10.10.<vlan>.1 on 5406 #1, 10.10.<vlan>.2 on 5406 #2); HP 2650 edge switch (IP 10.10.1.3); HP DL360 server with TLB server teaming (IP 10.10.50.10); HP nc6000 client on VLAN 5 (IP 10.10.5.100, default gateway 10.10.5.1). Port labels: 5406 ports A1 and B24, 2650 ports 49 and 50, server ports 1 and 2, client port F4. Link types: 1000LX (mode conditioning patch cord), 1000SX (multimode patch cord), 10 Gigabit.
-
STP and RSTP
IEEE 802.1D STP and IEEE 802.1w RSTP address loop protection for link redundancy in networks regardless of the use of VLANs
Links can be left unused since all VLANs must use the same physical topology
Diagram: a single root bridge; VLANs 1, 11 and 12 all follow the same tree, so the redundant link is blocked for every VLAN
Original STP: IEEE 802.1D-1998
Rapid STP (RSTP): IEEE 802.1w-2001
Change to link cost and bridge priority values: IEEE 802.1t-2001
IEEE 802.1D-2006
-
Multi-Instance Spanning Tree Protocol: MSTP (802.1s)
Multi-Instance Spanning Tree runs multiple instances of STP. Redundant links carry different VLANs. Used in multivendor environments.
Diagram: odd VLANs carried on one redundant link, even VLANs on the other
-
Cisco PVST+ and Rapid-PVST+
PVST supports a spanning tree instance for each configured VLAN, yielding a 1-to-1 mapping of VLANs to STP instances and therefore separate processes
VLAN-specific BPDUs are used for each VLAN
Uses ISL trunking and allows a VLAN trunk to be forwarding for some VLANs while blocking others
PVST+ provides the same functionality as PVST, but supports 802.1Q trunking
Rapid-PVST+ incorporates convergence time improvements similar in concept to RSTP
Diagram: three switches carrying VLANs 1, 11 and 12, with a different switch acting as root for VLAN 1, VLAN 11 and VLAN 12
-
Comparing PVST+ and MSTP
In response to a need to allow standards-compliant 802.1D/w/Q switches to have multiple logical paths for redundancy, IEEE 802.1s MSTP was developed
802.1s enhanced 802.1Q by allowing groups of VLANs to be assigned to different spanning trees
Instances may be chosen to match the number of possible logical paths through the layer 2 network
Often, only a few instances are required instead of the 1-to-1 ratio of VLANs to instances with PVST+
Diagram, PVST+: three switches, each the root for one of VLAN 1, VLAN 11 and VLAN 12
Diagram, MSTP: the same three switches with VLANs 1 and 12 grouped in one instance and VLAN 11 in another (MSTI 1 and MSTI 2), each instance with its own root
-
Cisco/ProCurve Scenario 1: Rapid-PVST+
Pro: Simple, and you can still use PVST+ or Rapid-PVST+ for the backbone
Con: There is no load balancing
Diagram: Cisco Switch_A (root for VLANs 1, 11, 12, 13) and Cisco Switch_B (backup root for VLANs 1, 11, 12, 13) in a Cisco environment running PVST+ or Rapid-PVST+; ProCurve Switch_C configured for STP, RSTP, or MSTP, with one of its two uplinks a blocked port
-
Cisco/ProCurve Scenario 2: MSTP (802.1s)
Pro: VLAN load balancing
Con: More configuration required
Diagram: Cisco Switch_A (root for VLANs 1, 11, 12, 13) and Cisco Switch_B (backup root for VLANs 1, 11, 12, 13) in a Cisco environment running MSTP (IEEE 802.1s); ProCurve Switch_C configured for MSTP
-
Spanning Tree Problems
Unstable Spanning-Tree operation can be caused by factors and conditions that include:
  Uni-directional links
  Rogue devices talking STP
  Continuous STP topology changes due to flapping ports or end-user ports not set to edge mode (portfast)
  Loops not detected by STP
Diagram: a rogue switch attached to the network causes a gigabit link toward the root bridge to be blocked
-
Spanning Tree Hardening Features
ProCurve / Cisco
  Loop Protection / Keepalive
  Root-Guard / Root-Guard
  Remote-Fault Notification (RFN) using Auto-negotiation / Remote-Fault Notification (RFN) using Auto-negotiation
  Uni-directional Link Detection (UDLD) / Uni-directional Link Detection (UDLD)
  BPDU Protection / BPDU-Guard
-
RFN Operation
RFN is optional but enabled by default on 1000BaseX ports on Cisco and ProCurve switches when auto-negotiation is used. Always use auto-negotiation on 1000BaseX ports.
RFN operates at Layer 1, between the MAC/RS sublayers of Switch_A and Switch_B
Diagram sequence for a fiber break on one strand between Switch_A and Switch_B:
  1. One side still transmits idle or frames; the other side sees loss of signal on its receiver while itself still transmitting idle or frames
  2. The side that lost signal transmits a remote fault indication instead of idle or frames
  3. The other side receives the remote fault indication
  4. That side stops sending frames (TX idle) and transmits remote fault in turn, so both ends see remote fault and know the link has failed
-
UDLD Operation
UDLD involves an exchange of protocol packets between neighboring devices. Both devices on the link must support UDLD and have it enabled on the respective ports
UDLD operates at Layer 2
Diagram: Cisco to Cisco exchange ("hello, I am switch A, port 1/1" / "acknowledge hello") and ProCurve to ProCurve exchange ("hello, I am switch A, port a1" / "acknowledge hello")
Between a Cisco and a ProCurve switch it does not work, since Cisco and ProCurve have different implementations
-
UDLD Configuration Comparison
UDLD performs tasks that auto-negotiation cannot perform, such as detecting the identities of neighbors and shutting down misconnected ports
Cisco UDLD
  Global for all fiber ports: Switch(config)# udld aggressive
  Or interface specific: Switch(config)# interface gig1/1
  Switch(config-if)# udld port aggressive
  Recovery configured globally: Switch(config)# errdisable recovery udld interval 300
ProCurve UDLD
  Interface specific: Switch(config)# interface a1
  Switch(eth-a1)# link-keepalive
  Recovery is done automatically
-
BPDU Protection (security enhancement)
Spanning Tree Protocol operation is not protected in any way from rogue STP devices or malicious attacks.
BPDU Protection is configurable on a per-port basis and allows the administrator to explicitly define the legal boundary of the STP domain.
BPDU Protection should be applied to the edge ports that are connected to end-user devices, which normally do not run STP.
-
BPDU Protection and BPDU-Guard Configuration Comparison
These respective features should be enabled on end-user ports
STP BPDUs should not be allowed to be received on those ports
If a BPDU is received, the port is put in an errdisable state (Cisco) or the port is disabled (ProCurve)
Cisco BPDU-Guard
  Global for all PortFast ports: Switch(config)# spanning-tree portfast bpduguard default
  Or interface specific: Switch(config)# interface gig1/1
  Switch(config-if)# spanning-tree bpduguard enable
  Recovery configured globally: Switch(config)# errdisable recovery bpduguard interval 300
ProCurve BPDU Protection
  Interface specific: Switch(config)# interface a1
  Switch(eth-a1)# spanning-tree bpdu-protection
  Recovery configured globally: Switch(config)# spanning-tree bpdu-protection-timeout 300
-
Loop Protection
Additional protection for networks from L2 forwarding loops.
An undetectable loop can be formed if an unmanaged device attached to the network consumes and does not forward Spanning Tree packets.
-
Tricks & Tips
Loop protection operates by periodically sending out a special multicast packet. If the switch receives its own packet back, a loop has been detected and the receiving port will be disabled.
loop-protect
-
Cisco Keepalive Operation
Diagram: two unmanaged devices, a ProCurve Switch 408 and a NetGear FS105, each attached to a Cisco switch and each forming a loop that sends the Cisco switch's frames back to it
Case 1: the unmanaged device loops all frames back, including BPDUs. The Cisco keepalive feature may detect this condition and put the port in errdisable state (enabled by default); if BPDU-Guard is configured, it will detect it
Case 2: the unmanaged device loops all frames back excluding BPDUs, even if STP is not supported on that switch. The Cisco keepalive feature may detect this condition and put the port in errdisable state (enabled by default), but BPDU-Guard is not able to detect it
-
ProCurve Loop Protect Operation
Diagram: two unmanaged devices, a ProCurve Switch 408 and a NetGear FS105, each attached to a ProCurve switch and each forming a loop that sends the ProCurve switch's frames back to it
Case 1: the unmanaged device loops all frames back, including BPDUs. ProCurve Spanning Tree will detect this condition and block the port if STP is enabled
Case 2: the unmanaged device loops all frames back excluding BPDUs, even if STP is not supported on that switch. If enabled, the ProCurve Loop Protect feature will detect this condition and disable the port
-
Spanning Tree Root Guard Configuration Comparison
Cisco Root Guard
  Interface specific: Switch(config)# interface gig1/1
  Switch(config-if)# spanning-tree guard root
  Recovery is done automatically
ProCurve Root Guard
  Interface specific: Switch(config)# spanning-tree a1 root-guard
  Recovery is done automatically
-
Tricks & Tips
A version of Spanning Tree needs to be enabled
  spanning-tree (Default ?)
A root bridge should be configured
  spanning-tree priority 1 or 0
Switch-to-switch links need to be configured for transitioning or learning (802.1w)
  no spanning-tree admin-edge-port
-
Tricks & Tips
Compatibility mode for 802.1d devices (Cisco)
  no spanning-tree < port-list > mcheck
Spanning tree status and information
  show spanning-tree
-
Edge-port Defaults
Switch family / Default / Command
6400 / Edge-port enabled / Disable edge-port on switch links: no spanning-tree edge-port
4200 / Edge-port enabled / Disable edge-port on switch links: no spanning-tree edge-port
6200 / Edge-port disabled / Enable edge-port on node ports: spanning-tree edge-port
5400 / Edge-port disabled / Enable edge-port on node ports: spanning-tree edge-port
5300 / Edge-port enabled / Disable edge-port on switch links: no spanning-tree edge-port
3500 / Edge-port disabled / Enable edge-port on node ports: spanning-tree edge-port
2900 / Edge-port disabled / Enable edge-port on node ports: spanning-tree edge-port
2810 / Edge-port disabled / Enable edge-port on node ports: spanning-tree edge-port
2800 / Edge-port enabled / Disable edge-port on switch links: no spanning-tree edge-port
2600 / Edge-port enabled / Disable edge-port on switch links: no spanning-tree edge-port
2510 / Edge-port disabled / Enable edge-port on node ports: spanning-tree edge-port
2500 / Edge-port enabled / Disable edge-port on switch links: no spanning-tree edge-port
-
Tricks & Tips
BPDU Protection should be enabled on ALL edge ports to determine the legal boundary of the STP domain.
  spanning-tree bpdu-protection
Spanning tree traps
  spanning-tree traps errant-bpdu
-
BPDU Filter
BPDU Filter passively prevents the switch from receiving and transmitting BPDU frames on a specific port. It locks the port into the STP forwarding state.
Used to interconnect STP domains
Example: LAN Extension service
-
Tricks & Tips
BPDU Filter should be enabled on edge ports to lock the port into the STP forwarding state.
  spanning-tree bpdu-filter
-
Spanning Tree: configuration summary
Configure root bridge: spanning-tree priority 0
Edge features (end device): admin-edge-port, loop-protect, bpdu-protection
Separate STP domains: bpdu-filter
Diagram: CORE-A and CORE-B, each carrying DATA & MGMT and VOIP VLANs, connected to the Internet
-
Spanning Tree Protocol Summary
Version mismatches (Cisco versus IEEE)
Root bridge
Requires planning, design and implementation
Define STP edge ports (admin-edge or auto-edge)
Define STP boundary (BPDU protection)
Identify ports for STP filtering (LAN extension)
Self-paced training: http://www.procurve.com/training/training/technical/npi/MSTP.htm
-
Link Aggregation or Trunking
-
Link aggregation
Increasing capacity between switches and servers
Load sharing
Static vs. dynamic
-
Challenge: Increasing switch link capacity
Diagram: two 2600 switches, each serving six 1000Base-T full-duplex servers ((6 x 1000 Mb) x 2), each connected to a 5304xl core switch by a full-duplex gigabit fiber link
The full-duplex gigabit link provisioned between each 2600 switch and the 5304xl core switch carries traffic to and from six full-duplex gigabit servers
To increase the capacity of the connection between the core and the 2600 switches, a second link may be aggregated with the existing link
-
Terminology (Trunking)
HP, Foundry, 3Com: Trunking = Link aggregation = LACP
Cisco: Trunking = VLAN trunking = VLAN tagging (ISL, 802.1q)
Nortel: Trunking = TDM voice trunking; Trunking = Split Multi-link trunking
-
Requirements for link aggregation
Link aggregation is also known as port trunking in HP ProCurve documentation
Requirements for port trunking: HP ProCurve 2500, 2600, 2800, and 4100gl series, and 6108 switches allow up to eight links to be aggregated
The links in a port trunk must:
  Be coterminous, i.e., they must begin together and end together
  Support the same mode and flow control options
-
Link Aggregation Methods
HP Port Trunking: Does not use a protocol to set up the trunk. Port trunking is compatible with other trunking methods because it is statically defined
Fast EtherChannel (FEC) ** No longer supported: FEC is a Cisco standard with widespread compatibility with other switches and multiple-adapter servers
Link Aggregation Control Protocol (LACP): LACP is defined by IEEE standard 802.3ad. Both sides may be statically defined; however, LACP also supports a dynamic method for recognizing aggregated links
All three methods use both source and destination addresses for load sharing
-
HP ProCurve Supported Trunks
Switch family / # of trunks / ports per trunk
6400 / 4 trunks / 4 ports per trunk
4200 / 36 trunks / 8 ports per trunk
6200 / 60 trunks / 8 ports per trunk
5400 / 60 trunks / 8 ports per trunk
5300 / 36 trunks / 8 ports per trunk
3500 / 60 trunks / 8 ports per trunk
2900 / 24 trunks / 8 ports per trunk
2810 / 24 trunks / 8 ports per trunk
2800 / 24 trunks / 8 ports per trunk
2600 / 6 trunks / 4 ports per trunk
2510 / 2 trunks / 4 ports per trunk
2500 / 1 trunk / 4 ports per trunk
-
Interoperability: FEC, LACP, and HP Trunk
ProCurve (LACP, HP Trunk) to ProCurve: LACP or HP Trunk
ProCurve to 3Com: LACP
ProCurve to Nortel: LACP
ProCurve to Cisco: LACP
ProCurve to Foundry: LACP
-
Tricks & Tips
Configure trunks before connecting cables:
  trunk 25-26 trk1
Unless dynamic LACP is utilized, disable LACP on all interfaces:
  interface < port-list > no lacp
Ensure server trunks (teaming) are coterminous and switch ports are configured correctly. Teaming terminology differs by vendor (Intel, Broadcom, AIX, HP)
-
Link Aggregation
DEMO
-
HP Switch Meshing
-
HP Switch Meshing
HP Switch Meshing is another option for providing Layer 2 redundancy. Switch meshing is a load-balancing technology that enhances reliability and performance
-
HP Switch Meshing
Switch Meshing is an HP proprietary method for enabling automatic network redundancy and high availability at layer 2. Used in HP ProCurve environments.
-
Terminology (Switch Meshing)
A group of meshed switch ports exchanging meshing protocol packets is called a switch mesh domain
A switch mesh domain can contain up to 12 switches. Each switch can have up to 24 meshed ports
An edge switch has some mesh ports and some non-meshed ports. Switches 1-5 in the diagram are edge switches
-
HP Switch Meshing
Switch meshing is a load-balancing technology that enhances reliability and performance in these ways:
Provides significantly better bandwidth utilization than either Spanning Tree Protocol (STP) or standard port trunking.
Uses redundant links that remain open to carry traffic, removing any single point of failure for disabling the network, and allowing quick responses to individual link failures. This also helps to maximize investments in ports and cabling.
Unlike trunked ports, the ports in a switch mesh can be of different types and speeds. For example, a 10Base-FL port and a 1 GB port can be included in the same switch mesh.
-
Switch Meshing compatibility with STP and RSTP
Diagram: meshed switches 1 to 4 with meshing and RSTP enabled on all switches, a Port Trunk to switch 5, and two non-meshing switches configured with STP, one of whose ports is in the Blocking state
To interoperate with non-meshing switches within the Layer 2 domain, enable STP or RSTP on the meshed switches
The mesh appears to non-meshing STP/RSTP switches as a single switch
-
Conversation-based load balancing
Determining the lowest cost path: when the mesh is fully initialized, each path through the mesh is assigned a cost based on link speed, outbound and inbound queue depths, and packet drop counts
Costs are recalculated every 30 seconds. At any given moment, one path is considered the lowest cost path
Forwarding decisions: frames that are part of a new conversation are forwarded over the current lowest cost path. Frames that are part of an established conversation are forwarded through the same port as the first frame in that conversation
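As an added example (not HP code), the following Python model reproduces the forwarding rule just described: path cost is recalculated every 30 seconds from link speed, queue depths and drop counts, a new conversation takes the current lowest-cost path, and an established conversation stays on the port of its first frame until that path fails. The cost formula, the conversation key (source, destination) and the port names are assumptions standing in for the switch's internal algorithm.

```python
RECALC_INTERVAL = 30  # seconds between cost recalculations (from the slide)


class MeshPath:
    """One path through the mesh, reachable via a local meshed port."""

    def __init__(self, port, speed_mbps):
        self.port = port
        self.speed_mbps = speed_mbps
        self.out_queue = 0   # outbound queue depth (frames)
        self.in_queue = 0    # inbound queue depth (frames)
        self.drops = 0       # packet drop count
        self.up = True

    def cost(self):
        """Assumed formula: slower links, deeper queues and drops cost more."""
        return (10000 // self.speed_mbps) + 2 * (self.out_queue + self.in_queue) + 5 * self.drops


class MeshSwitch:
    def __init__(self, paths):
        self.paths = {p.port: p for p in paths}
        self.conversations = {}   # (src, dst) -> port used by the first frame
        self.lowest = None        # port of the current lowest cost path
        self.last_recalc = None

    def _recalculate(self, now):
        up = [p for p in self.paths.values() if p.up]
        self.lowest = min(up, key=lambda p: p.cost()).port
        self.last_recalc = now

    def forward(self, now, src, dst):
        """Return the port a frame of conversation (src, dst) leaves on."""
        if self.last_recalc is None or now - self.last_recalc >= RECALC_INTERVAL:
            self._recalculate(now)
        key = (src, dst)
        port = self.conversations.get(key)
        if port is None or not self.paths[port].up:
            # New conversation, or its path has failed: use the lowest cost path
            port = self.lowest
            self.conversations[key] = port
        return port

    def link_down(self, port, now):
        """Individual link failure: re-evaluate immediately, not at the 30 s tick."""
        self.paths[port].up = False
        self._recalculate(now)


def demo():
    """Constructed run: a gigabit path and a 100 Mb path. The gigabit path
    congests, so later conversations move while the first one stays put."""
    gig, fast = MeshPath("A1", 1000), MeshPath("A2", 100)
    sw = MeshSwitch([gig, fast])
    first = sw.forward(0, "srv1", "user1")    # t=0: gigabit wins (cost 10 vs 100)
    gig.out_queue = 60                        # gigabit path now heavily queued
    still = sw.forward(10, "srv1", "user1")   # same conversation, same port
    second = sw.forward(31, "srv2", "user2")  # t=31: recalculated, 100 Mb path is cheaper
    pinned = sw.forward(40, "srv1", "user1")  # established conversation stays on A1
    sw.link_down("A1", 45)
    moved = sw.forward(46, "srv1", "user1")   # its path failed: re-homed to A2
    return first, still, second, pinned, moved


if __name__ == "__main__":
    print(demo())
```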
-
HP Switch Meshing design guidelines
A mesh consists of up to 12 HP ProCurve series switches
A switch can have up to 24 meshed ports using any combination of media types and link speeds
Meshing and IP routing cannot simultaneously be enabled on the same switch
Meshing is enabled per port; enable it only on ports that directly connect to other meshed ports
HP Switch Meshing supports full mesh and partial mesh topologies
-
Summary: HP Switch Meshing
HP Switch Meshing can be used to improve availability while increasing capacity within a Layer 2 switched network
HP Switch Meshing is similar to the Spanning Tree Protocol in that it allows designers to create topologies that contain redundant paths
HP Switch Meshing deals with redundant links in a more intelligent way than STP or RSTP: instead of placing redundant links in the Blocking state, switches using HP Switch Meshing can use all available links to forward traffic
The operation of HP Switch Meshing is transparent to non-meshing devices
-
Switch Meshing Supported Families
Switch families that support meshing: 8200, 6400, 6200, 5400, 5300, 3500, 3400
-
Tricks & Tips
When meshing is added to or removed from ports, switches must be rebooted
The mesh is automatically made a tagged member of all user-defined VLANs on the switch, immediately enabling the included links to carry traffic for all VLANs
A meshed switch cannot perform IP forwarding between VLANs: it cannot route and mesh simultaneously
-
Meshing
DEMO
-
Server Adapter Teaming
-
Server Adapter Teaming
Multiple adapters function as a single Virtual Adapter (VA)
Devices communicate with the VA and cannot tell that there are multiple physical adapters
IEEE compliant for L2 and L3 identities: other network devices must see a single MAC and protocol address (1 entry in the ARP cache)
When the team initializes, the driver reads the BIA (Burned In Address, or MAC) of each physical adapter and picks one MAC as the Primary Adapter's; the ARP replies the team provides for the server carry the Primary Adapter MAC
-
Team Failover and MAC/IP Management
Failover: the MAC of the Primary (PA) and one Non-Primary (NPA) are swapped, and the Non-Primary becomes Primary
Swapping MACs results in the team always being known by one MAC and one protocol (IP) address
When the team transmits: the PA transmits using the team's MAC and IP; Non-Primaries always transmit with their own MAC and the team's IP
NFT and TLB: the MAC address a Non-Primary uses to transmit is always different from the PA's
SLB: additional switch intelligence allows all teamed adapters to use the same team MAC
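As an added example (not HP code), this Python model shows the MAC/IP management above: the team answers ARP with the Primary Adapter's address, a failover swaps the Primary's MAC with a Non-Primary's so neighbours keep seeing the same MAC/IP pair, Non-Primaries in NFT/TLB transmit with their own MAC, and in SLB every adapter transmits with the team MAC. Adapter names, BIAs and the IP address are constructed.

```python
class Adapter:
    def __init__(self, name, bia):
        self.name = name
        self.bia = bia        # burned-in address, never changes
        self.mac = bia        # address currently in use (swapped on failover)
        self.up = True


class Team:
    def __init__(self, mode, ip, adapters):
        assert mode in ("NFT", "TLB", "SLB")
        self.mode = mode
        self.ip = ip
        self.adapters = list(adapters)
        self.primary = self.adapters[0]      # driver picks one adapter as Primary
        self.team_mac = self.primary.mac     # the one MAC the team is known by

    def arp_reply(self):
        """Other devices see a single MAC/IP pair: one ARP cache entry."""
        return (self.team_mac, self.ip)

    def source_mac(self, adapter):
        """MAC an adapter transmits with, per teaming mode."""
        if adapter is self.primary or self.mode == "SLB":
            return self.team_mac
        return adapter.mac      # NFT/TLB Non-Primary: its own MAC, team IP

    def receiver(self):
        """NFT/TLB: all traffic to the server arrives at the Primary."""
        return self.primary

    def fail(self, adapter):
        """Adapter failure; if it was the Primary, swap MACs and promote a standby."""
        adapter.up = False
        if adapter is not self.primary:
            return
        standby = next(a for a in self.adapters if a.up)
        adapter.mac, standby.mac = standby.mac, adapter.mac
        self.primary = standby


def demo():
    """Constructed TLB team: NIC1 fails, NIC2 takes over the team MAC."""
    team = Team("TLB", "10.10.50.10",
                [Adapter("NIC1", "00:11:22:33:44:01"),
                 Adapter("NIC2", "00:11:22:33:44:02")])
    nic1, nic2 = team.adapters
    before = team.arp_reply()
    nic2_tx_before = team.source_mac(nic2)     # own BIA while Non-Primary
    team.fail(nic1)
    after = team.arp_reply()                   # unchanged: same MAC, same IP
    return before, after, nic2_tx_before, team.primary.name, nic1.mac


if __name__ == "__main__":
    print(demo())
```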
-
Teaming Modes
Network Fault Tolerance (NFT)
Transmit Load Balancing (TLB)
Switch-assisted Load Balancing (SLB)
Distributed Trunking (K.14.xx)
-
Network Fault Tolerance (NFT)
Simple redundancy
Two to eight ports in a fault-tolerant team
One defined primary adapter (PA)
Any speed, any media
Team can be split across switches
Remaining adapters are standby (Non-Primary Adapters) and remain idle unless the PA fails
All adapters can transmit and receive heartbeats
-
Network Fault Tolerance (NFT)
Diagram: two Users and a Server with a Primary Adapter and a Backup Adapter
-
Network Fault Tolerance (NFT)
Diagram (logical view): NFT before failure, NIC 1 transmits and receives data while NIC 2 is not active; NFT after failure, NIC 1 is dead and NIC 2 transmits and receives data; each NIC connects to a switch
Team Members
  CAN be split across >1 switch for switch redundancy
  MUST be in the same broadcast domain (VLAN)
  Connect ALL team members to the same VLAN
If switch redundancy is required: HP recommends redundant links between switches with Spanning Tree enabled (STP fastmode or RSTP)
-
Transmit Load Balancing (TLB)
Two to eight ports in a team as 1 Virtual Adapter
A single common speed
Team can be split across switches
All NFT features plus TLB
TCP/IP protocol only
Previously called Adaptive Load Balancing (ALB)
Allows the server to load balance traffic transmitted from the server; received traffic is NOT load balanced
The Primary Adapter receives ALL traffic to the server, and also transmits
Non-Primaries only transmit frames
-
Transmit Load Balancing (TLB)
Diagram: two Users and a Server with a Primary Adapter and a Backup Adapter
-
Transmit Load Balancing (TLB)
Diagram (logical view): TLB before failure, NIC 1 transmits and receives data while NIC 2 and NIC 3 transmit data only; TLB after failure, one remaining NIC transmits and receives data while the other transmits only; each NIC connects to a switch
Team Members
  CAN be split across >1 switch for switch redundancy
  MUST be in the same broadcast domain (VLAN)
  Connect ALL team members to the same VLAN
If switch redundancy is required: HP recommends redundant links between switches with Spanning Tree enabled (STP fastmode or RSTP)
-
Switch Assisted Load Balancing (SLB)
All adapters transmit & receive at the same speed
All ports must be connected to the SAME switch, and the switch must be configured for the SAME mode (LACP)!!!
Incorporates all features of NFT and TLB, and adds load balancing of receive traffic
2-8 adapters act as a single virtual adapter
Load balances all traffic regardless of protocol
Compatible with: HP ProCurve Port Trunking; IEEE 802.3ad Link Aggregation Control Protocol (Static LACP); Cisco EtherChannel (Static Mode Only, No PAgP); Others (Extreme, Intel, Bay/Nortel, etc.)
SLB is NOT Server Load Balancing (it works with Server Load Balancing)
All adapters in an SLB team are equal
-
Server Teaming (SLB)
Diagram: two Users and a Server
-
Switch Assisted Load Balancing (SLB)
Team Members
  All adapters transmit & receive
  Adapters must support a common speed
  Must be used with an intelligent switch that supports this type of teaming
  All ports must be part of the same switch trunk (LACP)
Diagram (logical view): SLB before failure, NIC 1, NIC 2 and NIC 3 all transmit and receive data; SLB after failure, the two remaining NICs still transmit and receive data; all NICs connect to the same switch
-
Distributed Trunking (Server to Switch)
Diagram: two Users; a Server (LACP team) connected to two DT switches running K.14.xx
-
Distributed Trunking (Server to Switch)
Distributed Trunking is a link aggregation technique where two or more links across two switches are aggregated together to form a trunk.
This feature uses a new protocol, DTIP, to overcome the single-switch limitation of conventional link aggregation and support link aggregation for links spanning two switches. DT provides node-level L2 resiliency in an L2 network when one of the switches fails.
Distributed Trunking is included in switch software starting with version K.14. In this initial release, only Server-to-Switch Distributed Trunking is supported.
-
Distributed Trunking (Server to Switch): Limitations/Restrictions
Meshing and Distributed Trunking are mutually exclusive
Routing and Distributed Trunking are mutually exclusive
IGMP and DHCP snooping, arp-protect and STP are not supported on DT trunks
QinQ in mixed VLAN mode and DT are mutually exclusive
ISC ports will be part of all VLANs, i.e. the ISC port becomes a member of a VLAN as soon as that VLAN is configured
The ISC port can be an individual port or a manual LACP trunk, but a dynamic LACP trunk cannot be configured as the ISC port
A maximum of 8 links in a DT trunk across two switches is supported, with a maximum of 4 links per DT switch
The current limitation of 60 manual trunks in a switch now includes DT manual trunks too
Only one ISC (inter-switch connect) link is supported per switch, for a maximum of 60 DT trunks supported in the switch
Spanning Tree Protocol is disabled (PDUs are filtered) on DT ports
-
Supported team types summary
Operating system / NFT / TLB / SLB
Windows 2000 / yes / yes / yes
Windows 2003 / yes / yes / yes
Novell NetWare 4-6 / yes / yes / yes
Linux / yes / yes / yes
Caldera OpenUnix 8 / one of the three team types (the check mark's column is not recoverable from the transcript)
Caldera Open Server 5 / one of the three team types (the check mark's column is not recoverable from the transcript)
-
Tricks & Tips
Enable RSTP or STP with fastmode
Ensure SLB server trunks are coterminous and switch ports are configured correctly.
Mixing adapters with different hardware features in TLB and SLB teams gives the lowest common denominator of features: every team member must support a feature for it to be used
Using adapters with mixed speeds in TLB teams: higher speed adapters may be under-utilized
-
Tricks & Tips
Different Network Interface (NIC) manufacturers use different terms.
Diagram: table of teaming terms for Intel, Broadcom and AIX
-
Teaming with TLB: demo topology
Diagram (same topology as the Rapid Spanning Tree demo): HP 5406 #1 (IP 10.10.1.1) and HP 5406 #2 (IP 10.10.1.2) running VRRP, each with an address in VLANs 1 to 10 and VLAN 50 (10.10.<vlan>.1 on 5406 #1, 10.10.<vlan>.2 on 5406 #2); HP 2650 edge switch (IP 10.10.1.3); HP DL360 server with TLB server teaming (IP 10.10.50.10); HP nc6000 client on VLAN 5 (IP 10.10.5.100, default gateway 10.10.5.1). Port labels: 5406 ports A1 and B24, 2650 ports 49 and 50, server ports 1 and 2, client port F4. Link types: 1000LX (mode conditioning patch cord), 1000SX (multimode patch cord), 10 Gigabit. The slide shows front-panel artwork of the ProCurve Switch 5406zl (J8699A, with J8702A 24-port Gig-T zl modules and the J8726A management module) and the ProCurve Switch 2650-pwr (J8165A).
-
Server Teaming (TLB)
DEMO
-
Virtual Router Redundancy Protocol(VRRP)
-
Virtual Router Redundancy Protocol (VRRP)
VRRP (Virtual Router Redundancy Protocol) is the feature used by the HP ProCurve Series 3500yl, 5400zl, & 6200yl family of switches to provide router redundancy, or fail-over, to one or more backup routers in case one fails.
XRRP (XL Router Redundancy Protocol) is the feature used by the HP ProCurve Series 5300XL & 3400 family of switches to provide router redundancy, or fail-over, to a backup router in case one fails.
Allows you to configure one or more switches to behave as backup routers for each other.
-
Terminology (VRRP)
Virtual Router: A Virtual Router (VR) instance consists of one Owner router and one or more Backup routers belonging to the same network. Any VR instance exists within a specific VLAN, and all members of a given VR must belong to the same subnet. In a multinetted VLAN, multiple VRs can be configured. The Owner operates as the VR's Master unless it becomes unavailable, in which case the highest-priority Backup becomes the VR's Master.
Master: The physical router that is currently providing the virtual router interface to the host computers.
Advertisement Interval: The time interval at which the Master router sends out VRRP packets on each virtual router interface.
-
Virtual Router Redundancy Protocol (VRRP)
(Diagram: two user hosts and a server, each configured with a default gateway of 10.0.1.1 or 10.0.2.1; the pair of redundant routers is labelled "Protective Domain".)
-
VRRP Normal Operation
On a given VLAN, a VR includes two or more member routers configured with a virtual IP address that is also configured as a real IP address on one of the routers, plus a virtual router MAC address. The router that owns the IP address is configured to operate as the Owner of the VR for traffic-forwarding purposes, and by default has the highest VRRP priority in the VR. The other router(s) in the VR have a lower priority and are configured to operate as Backups in case the Owner router becomes unavailable.
The configuration is done for each VLAN.
-
VRRP Fail-Over Operation
The Owner normally operates as the Master for a VR. If it becomes unavailable, a failover to a Backup router belonging to the same VR occurs, and this Backup becomes the current Master. If the Owner recovers, a failback occurs, and Master status reverts to the Owner. (Using more than one Backup provides additional redundancy: if both the Owner and the highest-priority Backup fail, another, lower-priority Backup can take over as Master.)
The current Master router sends periodic advertisements to inform the other router(s) in the VR of its operational status. If the Backup(s) fail to receive a Master advertisement within the timeout interval, the current Master is assumed to be unavailable and a new Master is elected from the existing Backups. The timeout interval for a VR is three times the advertisement interval configured on the VR(s) in the network or subnet. In the default VRRP configuration, the advertisement interval is one second and the resulting timeout interval is three seconds.
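As an added example (not a slide from this deck and not HP's own sample configuration), this is the per-VLAN configuration that the two slides above describe, written out for VLAN 5 of the two 5406zl switches in the deck's topology in the 3500yl/5400zl/6200yl CLI. The addresses 10.10.5.1 (switch #1, which is also the clients' default gateway, so it must be the Owner) and 10.10.5.2 (switch #2) come from the deck's diagram; the VRID value 5, the Backup priority of 100, the /24 mask and the prompt names are assumptions, and the command syntax should be checked against your firmware's `?` help.

```text
; HP 5406 #1: Owner of VRID 5 on VLAN 5. The Owner's real VLAN address is the
; virtual address, and the switch gives an Owner priority 255 automatically.
ProCurve-1(config)# ip routing
ProCurve-1(config)# router vrrp
ProCurve-1(config)# vlan 5
ProCurve-1(vlan-5)# ip address 10.10.5.1 255.255.255.0
ProCurve-1(vlan-5)# vrrp vrid 5
ProCurve-1(vlan-5-vrid-5)# owner
ProCurve-1(vlan-5-vrid-5)# virtual-ip-address 10.10.5.1 255.255.255.0
ProCurve-1(vlan-5-vrid-5)# advertise-interval 1
ProCurve-1(vlan-5-vrid-5)# enable

; HP 5406 #2: Backup for the same VRID. Its own address is 10.10.5.2, but the
; virtual address it will answer for after a failover is the Owner's 10.10.5.1.
; Priority 100 is an assumed value; anything below 255 is a Backup.
ProCurve-2(config)# ip routing
ProCurve-2(config)# router vrrp
ProCurve-2(config)# vlan 5
ProCurve-2(vlan-5)# ip address 10.10.5.2 255.255.255.0
ProCurve-2(vlan-5)# vrrp vrid 5
ProCurve-2(vlan-5-vrid-5)# backup
ProCurve-2(vlan-5-vrid-5)# priority 100
ProCurve-2(vlan-5-vrid-5)# virtual-ip-address 10.10.5.1 255.255.255.0
ProCurve-2(vlan-5-vrid-5)# advertise-interval 1
ProCurve-2(vlan-5-vrid-5)# enable

; Checks, on either switch: state (Master/Backup) per VRID, the configured
; values, and advertisement counters that should be incrementing on the Master.
ProCurve-2(config)# show vrrp
ProCurve-2(config)# show vrrp config
ProCurve-2(config)# show vrrp statistics
```

With both switches up, `show vrrp` on #2 should report the VRID in Backup state. Taking VLAN 5 away from #1 (`no enable` under the VRID, or pulling its link) should move #2 to Master within about three advertisement intervals, and the nc6000 client should keep reaching 10.10.5.1 without an ARP change, because the virtual MAC 00-00-5E-00-01-05 moves with the Master. One caveat worth knowing: VRRP as specified in RFC 3768 carries no authentication, so any host on VLAN 5 that can send to 224.0.0.18 can advertise a higher priority and win the election; keep the VRRP VLANs off untrusted edge ports or filter VRRP (IP protocol 112) from them.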
-
Virtual Router Redundancy Protocol (VRRP)
(Diagram, repeated from the previous slide: two user hosts and a server, each configured with a default gateway of 10.0.1.1 or 10.0.2.1; the pair of redundant routers is labelled "Protective Domain".)
-
VRRP Supported Families
Switch Families supporting VRRP: 3500, 5400, 6200, 8200, 9300/9400
Switch Families supporting XRRP: 3400, 5300, 6400
-
XRRP Versus Cisco's HSRP
ProCurve XRRP: load balancing within a VLAN (both routers actively forward)
Cisco HSRP: single hot standby per VLAN; load balancing only across VLANs
-
Tricks & Tips
VRRP sends its advertisements from the virtual router MAC address 00-00-5E-00-01-<VRid> (the MAC that hosts learn for the virtual IP) to the IPv4 multicast group 224.0.0.18.
XRRP uses the following multicast MAC address for its protocol packets: 01-01-E7-94-06-40
Never set up a default or static route that points to the peer router as the path.
Routers must have identical connectivity. That is, they must have the same access to all remote subnets, and the route costs of that access must be the same.
-
Router Redundancy with VRRP
(Topology diagram, recoverable labels only: HP 5406 #1 IP 10.10.1.1 with VRRP addresses VLAN 1 = 10.10.1.1, VLAN 2 = 10.10.2.1, VLAN 3 = 10.10.3.1, VLAN 4 = 10.10.4.1, VLAN 5 = 10.10.5.1, VLAN 6 = 10.10.6.1, VLAN 7 = 10.10.7.1, VLAN 8 = 10.10.8.1, VLAN 9 = 10.10.9.1, VLAN 10 = 10.10.10.1, VLAN 50 = 10.10.50.1; HP 5406 #2 IP 10.10.1.2 with VRRP addresses VLAN 1 = 10.10.1.2, VLAN 2 = 10.10.2.2, VLAN 3 = 10.10.3.2, VLAN 4 = 10.10.4.2, VLAN 5 = 10.10.5.2, VLAN 6 = 10.10.6.2, VLAN 7 = 10.10.7.2, VLAN 8 = 10.10.8.2, VLAN 9 = 10.10.9.2, VLAN 10 = 10.10.10.2, VLAN 50 = 10.10.50.2; HP 2650 IP 10.10.1.3; HP DL360 with server teaming (TLB), IP 10.10.50.10; HP nc6000 client on VLAN 5, IP 10.10.5.100, default gateway 10.10.5.1; ports labelled B24, 49/50, A1/A1, 2/1, F4, 1; link types 1000LX (mode conditioning patch cord), 1000SX (multimode patch cord), 10 Gigabit. The remaining text was switch front-panel artwork of two 5406zl chassis and a 2650-pwr.)
Default Gateway 10.10.5.1
-
VRRP
DEMO
-
Connection Rate Filtering (Virus Throttling)
-
REMEMBER!
No other vendor has added capabilities like these to their switches.
First to the industry! Cutting-edge technology (developed at HP Labs) for mainstream customers at affordable prices. It's a free upgrade.
-
The Virus Problem
Most anti-virus software works by preventing infection. It works well but occasionally fails: the anti-virus software fails to recognize new viruses, or the client/server/security software is not up to date.
Worms can spread very rapidly and cause a lot of damage (SQL Slammer, Sasser). SQL Slammer, 25 January 2003: 05:29, 0 infected; 06:00, 74,855 infected.
-
Today's Limited Solutions
Signature-based detection (known malicious code): targeted at viruses that have been seen before; has to touch the client, since that is where the virus is actually detected; ineffective initially with unknown viruses; could lead to network paralysis with quick-spreading viruses.
Solving a different virus concern: assumes all clients entering the network are homogeneous; no acceptance for outside clients such as other vendors' sales reps, contract employees, etc.
This is the competition's only solution, and only a partial one. How do you manage the unknown, often the most destructive?
-
Virus Throttling: ProCurve targets the worm's behaviour (its rate of new connections) rather than its signature.
-
Advantages to the ProCurve Security Architecture: Virus Throttling
Works without knowing anything about the virus: handles unknown viruses and needs no signature updates.
Protects the network infrastructure: the network and switches stay up and running, even when under attack.
Notification: when a host is throttled, an SNMP trap and a log event are generated, so IT staff have time to react before the problem escalates to a crisis.
-
ProCurve's Security Advantages
Virus Throttling is unique: it monitors all ports simultaneously, is easy to configure, and needs no periodic updates.
Some competitors have similar behavioural detection, but it requires an external appliance or a special switch module, at extra cost.
-
The Solution: Virus Throttling
As the worm tries to spread, the switch detects the activity and automatically either:
throttles traffic from these nodes at the routed VLAN boundary, which greatly slows the worm's spread and allows time to react without taking the network down for the infected client,
or
blocks all traffic from the infected client from being routed to other parts of the network, which stops the spread but also prevents all traffic from the infected client from reaching the rest of the network.
-
Virus Throttling Caveats
Throttling automatically occurs only for traffic across routed VLANs: routing is required, and there is no automatic effect in a pure L2 environment. Other nodes on the VLAN with the infected client are still at risk, because traffic from the infected client continues to be forwarded within the L2 environment. BUT the network manager is notified of the virus activity and can use PCM+ to find and shut down the switch port where the virus is entering the network.
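As an added example (not a slide from this deck and not HP's own sample configuration), the connection-rate-filter commands that put the two slides above into effect on a 3500yl/5400zl/6200yl switch, laid out for the deck's topology with user ports on module A and server ports on module B. The port ranges, the sensitivity level and the client address 10.10.5.100 (taken from the deck's diagram) are assumptions; check `filter connection-rate ?` on your firmware.

```text
; Enable Virus Throttling globally and set how readily a host is flagged
; (low | medium | high | aggressive). medium is a sensible starting point;
; raise it only after watching the log for false positives.
ProCurve(config)# connection-rate-filter sensitivity medium

; Per-port action when a host behind that port trips the detector:
;   notify-only  log entry + SNMP trap, traffic unaffected
;   throttle     routed traffic from the host is dropped for a penalty
;                period, then forwarded again, re-throttled if it persists
;   block        routed traffic from the host is dropped until an operator
;                unblocks it
; User-facing ports: throttle. Server ports: notify-only, so a busy server
; (backup jobs, scanners) is never penalised automatically.
ProCurve(config)# filter connection-rate A1-A24 throttle
ProCurve(config)# filter connection-rate B1-B24 notify-only

; Checks: global state, per-port mode, and the hosts currently throttled
; or blocked. The same event also arrives as an SNMP trap at PCM+.
ProCurve(config)# show connection-rate-filter
ProCurve(config)# show log -r

; After the infected client (here the nc6000 at 10.10.5.100) has been
; cleaned, or if a host was flagged by mistake, release it by hand.
ProCurve(config)# connection-rate-filter unblock host 10.10.5.100
```

The caveat on the slide above applies unchanged: these actions only touch traffic that the switch routes between VLANs, so a host on VLAN 5 flagged on port A5 can still reach its VLAN 5 neighbours at L2 until the port itself is disabled. The trap and log entry are what make that follow-up possible, so make sure the switch has an SNMP trap receiver configured before relying on this feature.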
-
The Solution: Virus Throttling in an L2 Environment
If you are running PCM+ 1.6 or later, PCM+ receives the trap from the switch identifying the IP address of the infected client. The network manager can then use PCM+ to find the switch port associated with this IP address and shut down that port, preventing the virus from entering the network at L2 as well. The network manager now has to deal with just the client, not the rest of the network.
-
Virus Throttling in an L2 Environment
1. Switch detects virus activity
2. Switch alerts PCM+ with the IP and MAC address of the infected client
3. Network manager is alerted
4. Manager uses the Find Switch Port utility to locate the client's switch port
5. Manager shuts down that switch port (traffic from the client is blocked)
-
Virus Throttling Switch Families
3500, 5400, 6200, 8200, 5300 (L3)
-
Virus Throttling Enabled
-
HP ProCurve Manager and ProCurve Manager Plus
-
HP ProCurve Manager implements "Command from the Center"
Windows-based network management solution
Enables configuration and monitoring of network devices from a central location
Two versions available: Standard and PLUS
Provides the necessary tools to effectively manage your network, including:
Auto-