User manual / service manual for the HP (Hewlett-Packard) 2300
Release Notes: Version F.05.70 Software for the ProCurve Series 2300 and 2500 Switches These release notes include information on the following: ■ Downloading switch software and Documentation from the Web (Page 1) ■ Enhancements in Release F.
ii © Copyright 2001-2009 Hewlett-Packard Development Company, LP. The information contained herein is subject to change without notice. Publication Number 5990-3102 March, 2009 Applicable Products .
iii Disclaimer The information contained in this document is subject to change without notice. HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
iii Contents: Software Management. Download Switch Documentation and Software from the Web (page 1). View or Download the Software Manual Set
iv Configuring Port Isolation on the Switch (page 24). Steps for Configuring Port Isolation
v Show Commands for Port-Access Supplicant (page 66). How RADIUS/802.1X Authentication Affects VLAN Operation (page 67). Messages Related to 802.
vi Messages Related to Prioritization (page 135). Troubleshooting Prioritization
vii Operating Notes (page 185). Troubleshooting TACACS+ Operation
viii Port Security: Changes to Retaining Learned Static Addresses Across a Reboot (page 217). Recommended Port Security Procedures (page 217). Retention of Static Addresses
ix Release F.02.13 (page 236). Release F.04.01 (Beta Release Only)
x Release F.05.37 (Not a General Release) (page 253). Release F.05.38 (Never Released) (page 253). Release F.
1 Software Management Caution: Archive Pre-F.05.17 Configuration Files A configuration file saved while using release F.05.17 or later software is not backward-compatible with earlier software versions.
2 ■ Use the download utility in ProCurve Manager Plus. Note Downloading new software does not change the current switch configuration. The switch configuration is contained in a separate file that can also be transferred, for example, for archive purposes or to be used in another switch of the same model.
3 Xmodem Download From a PC or Unix Workstation This procedure assumes that: ■ The switch is connected via the Console RS-232 port on a PC operating as a terminal. (Refer to the Installation Guide you received with the switch for information on connecting a PC as a terminal and running the switch console interface.
4 Saving Configurations While Using the CLI The switch operates with two configuration files: ■ Running-Config File: Exists in volatile memory and controls switch operation. Rebooting the switch erases the current running-config file and replaces it with an exact copy of the current startup-config file.
5 ProCurve Switch, Routing Switch, and Router Software Keys. Software Letter: ProCurve Networking Products. C: 1600M, 2400M, 2424M, 4000M, and 8000M. CY: Switch 8100fl Series (8108fl and.
6 Enhancements in Release F.05.05 through F.05.70 Enhancements in Release F.05.61 through F.05.70 No new enhancements, software fixes only. Enhancements in Release F.
7 Enhancements in Release F.05.05 through F.05.60 Implementation of LLDP For network device discovery solutions, software version F.
8 MIB (Management Information Base): An internal database the switch maintains for configuration and performance information. Neighbor: See “LLDP Neighbor”.
9 Table 1. Viewable Data Available for LLDP Advertisements Note Selected LLDP information (such as system name, port description, port type, chassis type) received by a Series 2500 switch from a remote neighbor is not viewable.
10 LLDP Operating Rules Port Trunking. LLDP manages trunked ports individually. That is, trunked ports are configured individually for LLDP operation, in the same manner as non-trunked ports.
11 LLDP Operation and Commands In the default configuration, LLDP is enabled to transmit on all active ports.
12 Viewing LLDP-detected Devices Note Selected LLDP information (such as system name, port description, port type, chassis type) received by a Series 2500 switch from a remote neighbor is not viewable.
13 Additional information from the remote device can be displayed by specifying the local port number in the command. For example, show lldp info remote-device 1 produces the following display: Figure 3.
14 Configuring Per-Port LLDP Transmit/Receive This command controls LLDP transmit/receive traffic on active ports.
15 New Console Option Starting with Release F.05.23, a new console option removes terminal escape sequences, which allows scripts to better interact with the Command Line Interface.
16 Syslog Overview The switch’s Event Log records switch-level progress, status, and warning messages. The System-Logging (Syslog) feature provides a means for recording these messages on a remote server.
17 no logging < syslog-ip-address > removes only the specified Syslog logging destination from the switch.
18 Note As of March 2004, the logging facility < facility-name > option also is available on these switch models: ■ Switch Series 5300XL (software release E.
19 Viewing the Syslog Configuration Configuring Syslog Logging 1.
20 See Figure 6 below for an example of adding an additional Syslog server. Figure 6. Configuring multiple Syslog Servers Operating Notes for Syslog ■ Rebooting the switch or pressing the Reset button resets the Debug Configuration.
21 The Isolated Port Groups feature originally included in release F.04.08 has been enhanced in release F.05.xx with the inclusion of two new port isolation groups (group1 and group2).
22 Table 2. Communication Allowed Between Port-Isolation Types within a Switch Figure 7.
23 Operating Rules for Port Isolation ■ Port Isolation is intended only for networks that do not use VLAN tagging. (The switch must be in the default VLAN configuration before you configure port-isolation.
24 Configuring Port Isolation on the Switch Steps for Configuring Port Isolation 1. Remove all non-default VLANs from the switch and ensure that all ports are untagged members of the default VLAN (VID = 1).
25 Configuring and Viewing Port-Isolation Note The no port-isolation command erases all port-isolation mode settings from memory.
26 For example, suppose that the switch is in its default configuration (no multiple VLANs; GVRP disable.
27 Figure 8. Example of Isolating Ports on a Series 2500 Switch Assuming a switch in the factory-default.
28 Figure 9. Example of Port-Isolation Configuration Messages Related to Port-Isolation Operation Message Meaning Port Isolation is disabled. It must be enabled first.
29 Troubleshooting Port-Isolation Operation Configuring Port-Based Access Control (802.
30 General Features 802.1X on the Series 2500 switches includes the following: ■ Switch operation as .
31 Authenticating One Switch to Another. 802.1X authentication also enables the switch to operate as a supplicant when connected to a port on another switch running 802.
32 iv. If the client is successfully authenticated and authorized to connect to the network, then the server notifies the switch to allow access to the client.
33 2. The RADIUS server then responds with an MD5 access challenge that switch “B” forwards to port 1 on switch “A”. 3. Port 1 replies with an MD5 hash response based on its username and password or other unique credentials.
34 EAP (Extensible Authentication Protocol): EAP enables network access that supports multiple authentication methods. EAPOL: Extensible Authentication Protocol Over LAN, as defined in the 802.
35 General Operating Rules and Notes ■ When a port on the switch is configured as either an authenticator or supplicant and is connected to another device, rebooting the switch causes a re-authentication of the link.
36 General Setup Procedure for Port-Based Access Control (802.1X) Do These Steps Before You Configure 802.1X Operation 1. Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels.
37 3. Configure the 802.1X authentication type. Options include: • Local Operator username and password (the default). This option allows a client to use the switch’s local username and password as valid 802.
38 Configuring Switch Ports as 802.1X Authenticators 802.
39 1. Enable 802.1X Authentication on Selected Ports This task configures the individual ports you want to operate as 802.1X authenticators for point-to-point links to 802.
40 Syntax: aaa port-access authenticator < port-list > (Syntax Continued) [quiet-period < 0 - 65535 >] Sets the period during which the port does not try to acquire a supplicant.
41 Syntax: aaa port-access authenticator < port-list > (Syntax Continued) [reauth-period < 1 - 9999999 >] Sets the period of time after which clients connected must be re-authenticated.
42 3. Configure the 802.1X Authentication Method This task specifies how the switch will authenticate the credentials provided by a supplicant connected to a switch port configured as an 802.
43 4. Enter the RADIUS Host IP Address(es) If you selected either eap-radius or chap-radius for the authentication method, configure the switch to use 1 to 3 RADIUS servers for authentication.
44 802.1X Open VLAN Mode This section describes how to use the 802.1X Open VLAN mode to configure unauthorized-client and authorized-client VLANs on ports configured as 802.
45 ■ 3rd Priority: If the port does not have an Authorized-Client VLAN configured, but does have a static, untagged VLAN membership in its configuration, then the switch assigns the port to this VLAN.
46 Table 4. 802.1X Open VLAN Mode Options 802.1X Per-Port Configuration Port Response No Open VLAN mode: The port automatically blocks a client that cannot initiate an authentication session.
47 Open VLAN Mode with Only an Unauthorized-Client VLAN Configured: • When the port detects a client, it automatically becomes an untagged member of this VLAN.
48 Operating Rules for Authorized-Client and Unauthorized-Client VLANs Condition Rule Static VLANs used as Authorized-Client or Unauthorized-Client VLANs These must be configured on the switch before you configure an 802.
49 Note: If you use the same VLAN as the Unauthorized-Client VLAN for all authenticator ports, unauthenticated clients on different ports can communicate with each other.
50 Setting Up and Configuring 802.1X Open VLAN Mode Preparation. This section assumes use of both the Unauthorized-Client and Authorized-Client VLANs. Refer to Table 4 on page 46 for other options.
51 Note that as an alternative, you can configure the switch to use local password authentication instead of RADIUS authentication.
52 3. If you selected either eap-radius or chap-radius for step 2, use the radius host command to configure up to three RADIUS server IP address(es) on the switch.
53 Configuring 802.1X Open VLAN Mode. Use these commands to actually configure Open VLAN mode. For a listing of the steps needed to prepare the switch for using Open VLAN mode, refer to “Preparation” on page 50.
54 Inspecting 802.1X Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, refer to “Viewing 802.1X Open VLAN Mode Status” on page 63.
55 Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices If you are using port-security on authenticator ports, you can configure it to learn only the MAC address of the first 802.
56 Note on Blocking a Non-802.1X Device If the port’s 802.1X authenticator control mode is configured to authorized (as shown below, instead of auto), then the first source MAC address from any device, whether 802.
57 Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches You can configure a switch port to operate as a supplicant in a connection to a port on another 802.
58 • If, after the supplicant port sends the configured number of start request packets, it does not receive a response, it assumes that switch “B” is not 802.
59 Configuring a Supplicant Switch Port. Note that you must enable supplicant operation on a port before you can change the supplicant configuration.
60 Syntax: aaa port-access supplicant [ethernet] < port-list > (Syntax Continued) [auth-timeout < 1 - 300 >] Sets the period of time the port waits to receive a challenge from the authenticator.
61 Displaying 802.1X Configuration, Statistics, and Counters Show Commands for Port-Access Authenticator 802.1X Authentication Commands page 38 802.1X Supplicant Commands page 57 802.
62 Syntax: show port-access authenticator (Syntax Continued) config [[e] < port-list >] Shows: • Whether port-access authenticator is active • The 802.
63 Viewing 802.1X Open VLAN Mode Status You can examine the switch’s current VLAN status by using the show port-access authenticator and show vlan < vlan-id > commands as illustrated in this section.
64 Note that because a temporary Open VLAN port assignment to either an authorized or unauthorized VLAN is an untagged VLAN membership, these assignments temporarily replace any other untagged VLAN membership that is statically configured on the port.
65 Figure 15. Example of Showing a VLAN with Ports Configured for Open VLAN Mode Current VLAN ID < vlan-id >: Lists the VID of the static, untagged VLAN to which the port currently belongs.
66 Show Commands for Port-Access Supplicant Note on Supplicant Statistics.
67 How RADIUS/802.1X Authentication Affects VLAN Operation Static VLAN Requirement. RADIUS authentication for an 802.1X client on a given port can include a (static) VLAN requirement.
68 ■ VLAN 33 becomes unavailable to port 2 for the duration of the session (because there can be only one untagged VLAN on any port).
69 Figure 18. The Active Configuration for VLAN 33 Temporarily Drops Port 22 for the 802.1X Session When the 802.1X client’s session on port 2 ends, the port discards the temporary untagged VLAN membership.
70 Notes Any port VLAN-ID changes you make on 802.1X-aware ports during an 802.1X-authenticated session do not take effect until the session ends. With GVRP enabled, a temporary, untagged static VLAN assignment created on a port by 802.
71 IGMP Version 3 Support When the switch receives an IGMPv3 Join, it accepts the host request and begins forwarding the IGMP traffic.
72 Enhancements in Release F.04.08 Enhancement Summary Page Friendly Port Names Enables you to assign optional, meaningful names to physical ports on the switch.
73 Using Friendly (Optional) Port Names This feature enables you to assign alphanumeric port names of your choosing to augment automatically assigned numeric port names.
74 Configuring Friendly Port Names Syntax: interface [e] < port-list > name < port-name-string > Assigns a port name to port-list. no interface [e] < port-list > name Deletes the port name from port-list.
75 Displaying Friendly Port Names with Other Port Data You can display friendly port name data in the following combinations: ■.
76 Figure 23. Example of Friendly Port Name Data for Specific Ports on the Switch Including Friendly Port Names in Per-Port Statistics Listings. A friendly port name configured to a port is automatically included when you display the port’s statistics output.
77 For a given port, if a friendly port name does not exist in the running-config file, the Name line in the above command output appears as: Name : not assigned To Search the Configuration for Ports with Friendly Port Names.
78 Configuring Secure Shell (SSH) The Series 2500 switches use Secure Shell version 1 (SSHv1) to provide remote access to management functions on the switches via encrypted paths between the switch and management station clients capable of SSHv1 operation.
79 Note SSH in the ProCurve Series 2500 switches is based on the OpenSSH software toolkit. For more information on OpenSSH, visit http://www.openssh.com. Switch SSH and User Password Authentication.
80 Terminology ■ SSH Server: An HP Series 2500 switch with SSH enabled. ■ Key Pair: A pair of keys generated by the switch or an SSH client application.
81 keys by default, check the application software for a key conversion utility or use a third-party key conversion utility. Figure 28. Example of Public Key in PEM-Encoded ASCII Format Common for SSHv2 Clients Figure 29.
82 The general steps for configuring SSH include: A. Client Preparation 1. Install an SSH client application on a management station you want to use for access to the switch. (Refer to the documentation provided with your SSH client application.
83 6. Use your SSH client to access the switch using the switch’s IP address or DNS name (if allowed by your SSH client application). Refer to the documentation provided with the client application.
84 Configuring the Switch for SSH Operation SSH-Related Commands in This Section show ip ssh page 91 show ip client-public-key [< babb.
85 1. Assigning a Local Login (Operator) and Enable (Manager) Password At a minimum, HP recommends that you always assign at least a Manager password to the switch.
86 To Generate or Erase the Switch’s Public/Private RSA Host Key Pair. Because the host key pair is stored in flash instead of the running-config file, it is not necessary to use write memory to save the key pair.
87 3. Providing the Switch’s Public Key to Clients When an SSH client contacts the switch for the first time, the client will challenge the connection unless you have already copied the key into the client’s "known host" file.
88 3. Ensure that there are no line breaks in the text string. (A public key must be an unbroken ASCII string.
89 Figure 35. Examples of Visual Phonetic and Hexadecimal Conversions of the Switch’s Public Key Note The two commands shown in figure.
90 SSH Client Contact Behavior. At the first contact between the switch and an SSH client, if you have not copied the switch’s publi.
91 Note on Port Number The ip ssh key-size command affects only a per-session, internal server key the switch creates, uses, and discards. This key is not accessible from the user interface.
92 5. Configuring the Switch for SSH Authentication Note that all methods in this section result in authentication of the switch’s public key by an SSH client. However, only Option B, below results in the switch also authenticating the client’s public key.
93 (For more on these topics, refer to “Further Information on SSH Client Public-Key Authentication” on page 95.
94 Figure 37. Configuring for SSH Access Requiring a Client Public-Key Match and Manager Passwords Figure 38 shows how to check the results of the above commands. Figure 38. SSH Configuration and Client-Public-Key Listing From Figure 37 6.
95 Further Information on SSH Client Public-Key Authentication The section titled “5. Configuring the Switch for SSH Authentication” on page 92 lists the steps for configuring SSH authentication on the switch.
96 b. Uses MD5 to create a hash version of this information. c. Returns the hash version to the switch. 7. The switch computes its own hash version of the data in step 6 and compares it to the client’s hash version.
97 1. Use your SSH client application to create a public/private key pair. Refer to the documentation provided with your SSH client application for details. The Series 2500 switches support the following client-public-key properties: 2.
98 Note on Public Keys The actual content of a public key entry in a public key file is determined by the SSH client application generating the key.
99 Replacing or Clearing the Public Key File. The client public-key file remains in the switch’s flash memory even if you erase the startup-config file, reset the switch, or reboot the switch.
100 Messages Related to SSH Operation Message Meaning 00000K Peer unreachable. Indicates an error in communicating with the tftp server or not finding the file to download.
101 Troubleshooting SSH Operation See also “Messages Related to SSH Operation” on page 100.
102 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Configuring RADIUS Authentication and Accounting RADIUS ( Remote Authentication Dial-In User Service ) enables you .
103 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Note The Series 2500 switches do not support RADIUS security for SNMP (net work management) access or W eb browser interface access.
104 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Switch Operating Rules for RADIUS ■ Y ou must have at least one RADIUS server accessible to the switch. ■ The switch supports authentication and accoun ting using up to three RADIUS servers.
105 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication • If you need to replace the default UDP destination port (1812) the switch uses for authentication requests to a specific RADIUS server , select it befor e beginning the configuration process.
106 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Outline of the Steps for Configuring RADIUS Authentication There are three main steps to co nfiguring RADIUS authentication: 1.
107 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting zero and then trying to log on again. As an alternative, you can reboot the switch, (thus resetting the dead-time counter to assume the server is available) and then try to log on again.
108 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting For example, suppose you have already configured local passwords on the switch, but want to use RADIUS to protect primary T elnet and SSH access wi thout allowing a secondary T elnet or SSH access option (which would be the switch’ s local passwords): Figure 42.
109 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting 2. Configure the Switch T o Access a RADIUS Server This section describes how to configure the swit ch to interact with a RADIUS server for both authentication and accounting services.
110 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting For example, suppose you have configured the switch as shown in figure 43 and you now need to make the following changes: 1. Change the encryption key for the se rver at 10.
111 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting 3. Configure the Switch’ s Global RADIUS Parameters Y ou can configure the switch for the following global RADIUS.
112 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting radius-server retransmit < 1 .. 5 > If a RADIUS server fails to respond to an authentication request, specifies how many retries to attempt before closing the session.
113 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Figure 46. Listings of Global RADIUS Parameters Configured In Figure 45 Local Authentication Process When the switc.
114 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting For local authentication, the switch uses the Operator-level and Manager-level username/password set(s) previously configured locally on the switch.
115 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Note This section assumes you have already: ■ Configured RADIUS authentication on the switch for one or more acce.
116 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting ■ System accounting: Provides records containing the information listed below when system events occur on the switch, including system reset, system boot, and enabling or disabling of system accounting.
117 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Outline of the Steps for Configuring RADIUS Accounting 1. Configure the switch for accessing a RADIUS server. You can configure a list of up to three RADIUS servers (one primary, two backup).
118 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting 1. Configure the Switch To Access a RADIUS Server Before you configure the actual accounting parameters, you should first configure the switch to use a RADIUS server.
119 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Figure 47. Example of Configuring for a RADIUS Server with a Non-Default Accounting UDP Port Number The radius-server command as shown in figure 47, above, configures the switch to use a RADIUS server at IP address 10.
120 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Determine how you want the switch to send accounting data to a RADIUS server: ■ Start-Stop: • Send a start record accounting notice at the beginning of the accounting session and a stop record notice at the end of the session.
121 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting ■ Updates: In addition to using a Start-Stop or Stop-Only trigger, you can optionally configure the switch to send periodic accounting record updates to a RADIUS server.
122 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Figure 50. Example of General RADIUS Information from Show Radius Command Figure 51.
123 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Term Definition Round Trip Time The time interval between the most recent Accounting-Response and the Accounting-Request that matched it from this RADIUS accounting server.
124 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting RADIUS Authentication Syntax: show authentication Displays the primary and secondary authentication methods configured for the Console, Telnet, Port-Access (802.1X), and SSH methods of accessing the switch.
125 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting RADIUS Accounting Syntax: show accounting Lists configured accounting interval, "Empty User" suppression status, accounting types, methods, and modes.
126 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Changing RADIUS-Server Access Order The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command.
127 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Figure 58. Example of New RADIUS Server Search Order Messages Related to RADIUS Operation Message Meaning Can’t reach RADIUS server < x.x.x.x >. A designated RADIUS server is not responding to an authentication request.
128 Enhancements in Release F.04.08 Configuring RADIUS Authentication and Accounting Troubleshooting RADIUS Operation Symptom Possible Cause The switch does not receive a response to RADIUS authentication requests.
129 Enhancements in Release F.04.08 IP Preserve: Retaining VLAN-1 IP Addressing Across Configuration File Downloads IP Preserve: Retaining VLAN-1 IP Addressing Across Configuration File Downloads IP.
130 Enhancements in Release F.04.08 IP Preserve: Retaining VLAN-1 IP Addressing Across Configuration File Downloads For example, consider Figure 60: Figure 60.
131 Enhancements in Release F.04.08 IP Preserve: Retaining VLAN-1 IP Addressing Across Configuration File Downloads If you apply this configuration file to figure 60, switches 1 - 3 will still retain their manually assigned IP addressing. However, switch 4 will be configured with the IP addressing included in the file.
132 Enhancements in Release F.04.08 Configuring Port-Based Priority for Incoming Packets Configuring Port-Based Priority for Incoming Packets When network congestion occurs, it is important to move traffic on the basis of relative importance.
133 Enhancements in Release F.04.08 Configuring Port-Based Priority for Incoming Packets Outbound Port Queues and Packet Priority Settings Series 2500 switch ports use two outbound port queues, Normal and High. As described below, these two queues map to the eight priority settings specified in the 802.
134 Enhancements in Release F.04.08 Configuring Port-Based Priority for Incoming Packets Operating Rules for Port-Based Priority on Series 2500 Switches ■ In the switch’s default configuration, port-based priority is configured as "0" (zero) for inbound traffic on all ports.
135 Enhancements in Release F.04.08 Configuring Port-Based Priority for Incoming Packets For example, suppose you wanted to configure ports 10-12 on the switch to prioritize all untagged, inbound VLAN traffic as "Low" (priority level = 1; refer to table 8 on page 133).
136 Enhancements in Release F.04.08 Using the "Kill" Command To Terminate Remote Sessions Using the "Kill" Command To Terminate Remote Sessions Using the kill command, you can terminate remote management sessions. (Kill does not terminate a Console session on the serial port, either through a direct connection or via a modem.
137 Enhancements in Release F.04.08 Configuring Rapid Reconfiguration Spanning Tree (RSTP) Configuring Rapid Reconfiguration Spanning Tree (RSTP) This section is related to the information on “Spa.
138 Enhancements in Release F.04.08 Configuring Rapid Reconfiguration Spanning Tree (RSTP) The IEEE 802.1D version of Spanning Tree (STP) can take a fairly long time to resolve all the possible paths and to select the most efficient path through the network.
139 Enhancements in Release F.04.08 Configuring Rapid Reconfiguration Spanning Tree (RSTP) Configuring RSTP The default switch configuration has Spanning Tree disabled with RSTP as the selected protocol. That is, when Spanning Tree is enabled, RSTP is the version of Spanning Tree that is enabled, by default.
140 Enhancements in Release F.04.08 Configuring Rapid Reconfiguration Spanning Tree (RSTP) CLI: Configuring RSTP Viewing the Current Spanning Tree Configuration.
141 Enhancements in Release F.04.08 Configuring Rapid Reconfiguration Spanning Tree (RSTP) Figure 65. Example of the Spanning Tree Configuration Display Enabling or Disabling RSTP. Issuing the command to enable Spanning Tree on the switch implements, by default, the RSTP version of Spanning Tree for all physical ports on the switch.
142 Enhancements in Release F.04.08 Configuring Rapid Reconfiguration Spanning Tree (RSTP) Reconfiguring Whole-Switch Spanning Tree Values. You can configure one or more of the following parameters, which affect the Spanning Tree operation of the whole switch: Table 9.
143 Enhancements in Release F.04.08 Configuring Rapid Reconfiguration Spanning Tree (RSTP) Note Executing the spanning-tree command alone enables Spanning Tree.
144 Enhancements in Release F.04.08 Configuring Rapid Reconfiguration Spanning Tree (RSTP) Reconfiguring Per-Port Spanning Tree Values. You can configure one or more of the following parameters, which affect the Spanning Tree operation of the specified ports only: Table 10.
145 Enhancements in Release F.04.08 Configuring Rapid Reconfiguration Spanning Tree (RSTP) Note on Path Cost RSTP implements a greater range of path costs and new default path cost values to account for higher network speeds. These values are different than the values defined by 802.
146 Enhancements in Release F.04.08 Configuring Rapid Reconfiguration Spanning Tree (RSTP) Menu: Configuring RSTP 1. From the console CLI prompt, enter the menu command. ProCurve Switch # menu 2. From the switch console Main Menu, select 2. Switch Configuration.
147 Enhancements in Release F.04.08 Configuring Rapid Reconfiguration Spanning Tree (RSTP) 7. Press the [Tab] key or use the arrow keys to go to the next parameter you want to change, then type in the new value or press the Space bar to select a value.
148 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) Fast-Uplink STP improves the recovery (convergence) time in wiring closet switches with redundant uplinks.
149 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) To use fast-uplink STP on a Series 2500 switch, configure fast-uplink (Mode = Uplink) only on the switch’s upstream ports; (that is, two or more ports forming a group of redundant links in the direction of the STP root switch).
150 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) When single-instance spanning tree (STP) is running in a network and a forwarding port goes down, a blocked port typically requires a period of (2 x (forward delay) + link down detection) to transition to forwarding.
151 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) Operating Rules for Fast Uplink ■ A switch with ports configured for fast uplink must be an edge switch and not either an interior switch or the STP root switch.
152 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) Menu: Viewing and Configuring Fast-Uplink STP You can use the menu to quickly display the entire STP configuration and to make any STP configuration changes. To View and/or Configure Fast-Uplink STP.
153 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) 3. If the Protocol Version is set to RSTP (as shown in figure 70), do the following: a. Press [E] (Edit) to move the cursor to the Protocol Version field. b. Press the Space bar once to change the Protocol Version field to STP.
154 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) Figure 72. The Spanning Tree Operation Screen 4. On the ports and/or trunks you want to use for redundant fast uplink connections, change the mode to Uplink. In this example, port 1 and Trk1 (using ports 2 and 3) provide the redundant uplinks for STP: a.
155 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) Figure 73. Example of STP Enabled with Two Redundant Links Configured for Fast-Uplink STP 5. Press [S] (for Save) to save the configuration changes to flash (non-volatile) memory.
156 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) To View Fast-Uplink STP Status. Continuing from figures 72 and 73 in the preceding procedure, this task uses the same screen that you would use to view STP status for other operating modes.
157 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) In figure 75: • Port 1 and Trk1 (trunk 1; formed from ports 2 and 3) are redundant fast-uplink STP links, with trunk 1 forwarding (the active link) and port 1 blocking (the backup link).
158 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) Figure 77. Example of a Show Spanning-Tree Listing for the Topology Shown in Figure 76 Indicates that Trk1 (Trunk 1) provides the currently active path to the STP root device.
159 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) Figure 78. Example of a Configuration Supporting the STP Topology Shown in Figure 76 Using the CLI To Configure Fast-Uplink STP. This example uses the CLI to configure the switch for the fast-uplink operation shown in figures 76, 77, and 78.
160 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) Syntax: spanning-tree e < port/trunk-list > mode uplink Enables STP on the switch and configures fast-uplink STP on the designated interfaces (port or trunk).
161 Enhancements in Release F.02.11 Fast-Uplink Spanning Tree Protocol (STP) Fast-Uplink Troubleshooting Some of the problems that can result from incorrect usage of Fast-Uplink STP include temporary loops and generation of duplicate packets. Problem sources can include: ■ Fast-Uplink is configured on a switch that is the STP root device.
162 Enhancements in Release F.02.11 The Show Tech Command for Listing Switch Configuration and Operating Details The Show Tech Command for Listing Switch Configuration and Operating Details The show tech command provides a tool for gathering information to help with troubleshooting.
163 Enhancements in Release F.02.11 The Show Tech Command for Listing Switch Configuration and Operating Details 1. In Hyperterminal, click on Transfer | Capture Text... Figure 80. The Capture Text window of the Hypertext Application Used with Microsoft Windows Software 2.
164 Enhancements in Release F.02.02 Documentation for Enhancements in Release F.02.02 Enhancements in Release F.02.02 Documentation for Enhancements in Release F.
165 Enhancements in Release F.02.02 TACACS+ Authentication for Centralized Control of Switch Access Security TACACS+ Authentication for Centralized Control of Switch Access Security TACACS+ Featur.
166 Enhancements in Release F.02.02 TACACS+ Authentication for Centralized Control of Switch Access Security With authentication configured on the switch and TACACS+ configured and operating on a s.
167 Enhancements in Release F.02.02 TACACS+ Authentication for Centralized Control of Switch Access Security Terminology Used in TACACS Applications: ■ NAS (Network Access Server): This is an industry term for a TACACS-aware device that communicates with a TACACS server for authentication services.
168 Enhancements in Release F.02.02 TACACS+ Authentication for Centralized Control of Switch Access Security General System Requirements To use TACACS+ authentication, you need the following: ■ Release F.02.02 or later software running on your Series 2500 switch.
169 Enhancements in Release F.02.02 TACACS+ Authentication for Centralized Control of Switch Access Security TACACS+ Operation TACACS+ in Series 2500 switches manages authentication of logon attempts through either the Console port or Telnet.
170 Enhancements in Release F.02.02 TACACS+ Authentication for Centralized Control of Switch Access Security 2. Ensure that the switch is configured to operate on your network and can communicate with your first-choice TACACS+ server. (At a minimum, this requires IP addressing and a successful ping test from the switch to the server.
171 Enhancements in Release F.02.02 TACACS+ Authentication for Centralized Control of Switch Access Security Caution You should ensure that the switch has a local Manager password. Otherwise, if authentication through a TACACS+ server fails for any reason, then unauthorized access will be available through the console port or Telnet.
172 Enhancements in Release F.02.02 TACACS+ Authentication for Centralized Control of Switch Access Security Configuring TACACS+ on the Switch The switch offers three command areas for TACACS+ operation: ■ show authentication and show tacacs: Displays the switch’s TACACS+ configuration and status.
173 Enhancements in Release F.02.02 TACACS+ Authentication for Centralized Control of Switch Access Security Viewing the Switch’s Current Authentication Configuration This command lists the number of login attempts the switch allows in a single login session, and the primary/secondary access methods configured for each type of access.
174 Enhancements in Release F.02.02 TACACS+ Authentication for Centralized Control of Switch Access Security Configuring the Switch’s Authentication Methods The aaa authentication command configures the access control for console port and Telnet access to the switch.
175 Enhancements in Release F.02.02 TACACS+ Authentication for Centralized Control of Switch Access Security Table 13. Primary/Secondary Authentication Table Access Method and Privilege Level Authentication Options Effect on Access Attempts Primary Secondary Console — Login local none* Local username/password access only.
176 Enhancements in Release F.02.02 TACACS+ Authentication for Centralized Control of Switch Access Security For example, here is a set of access options and the corresponding commands to configure them: Console Login (Operator, or Read-Only) Access: Primary using TACACS+ server.
177 Enhancements in Release F.02.02 TACACS+ Authentication for Centralized Control of Switch Access Security Configuring the Switch’s TACACS+ Server Access The tacacs-server command configures these parameters: ■ The host IP address(es) for up to three TACACS+ servers; one first-choice and up to two backups.
178 Enhancements in Release F.02.02 TACACS+ Authentication for Centralized Control of Switch Access Security Name Default Range host < ip-addr > [key < key-string > none n/a Specifies the IP address of a device running a TACACS+ server application.
179 Enhancements in Release F.02.02 TACACS+ Authentication for Centralized Control of Switch Access Security Adding, Removing, or Changing the Priority of a TACACS+ Server. Suppose that the switch was already configured to use TACACS+ servers at 10.
180 Enhancements in Release F.02.02 TACACS+ Authentication for Centralized Control of Switch Access Security To configure westside as a global encryption key: HP2512(config) tacacs-server key westside To configure westside as a per-server encryption key: HP2512(config)tacacs-server host 10.
181 Enhancements in Release F.02.02 TACACS+ Authentication for Centralized Control of Switch Access Security How Authentication Operates General Authentication Process Using a TACACS+ Server Authentication through a TACACS+ server operates generally as described below.
182 Enhancements in Release F.02.02 TACACS+ Authentication for Centralized Control of Switch Access Security • If the username/password pair received from the requesting terminal matches a username/password pair previously stored in the server, then the server passes access permission through the switch to the terminal.
183 Enhancements in Release F.02.02 TACACS+ Authentication for Centralized Control of Switch Access Security Using the Encryption Key General Operation When used, the encryption key (sometimes termed.
184 Enhancements in Release F.02.02 TACACS+ Authentication for Centralized Control of Switch Access Security For example, you would use the next command to configure a global encryption key in the switch to match a key entered as north40campus in two target TACACS+ servers.
185 Enhancements in Release F.02.02 TACACS+ Authentication for Centralized Control of Switch Access Security Messages The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application.
186 Enhancements in Release F.02.02 TACACS+ Authentication for Centralized Control of Switch Access Security Troubleshooting TACACS+ Operation All Users Are Locked Out of Access to the Switch.
187 Enhancements in Release F.02.02 TACACS+ Authentication for Centralized Control of Switch Access Security ■ The time quota for the account has been exhausted. ■ The time credit for the account has expired. ■ The access attempt is outside of the timeframe allowed for the account.
188 Enhancements in Release F.02.02 CDP (Updated by Software Version F.05.50) CDP (Updated by Software Version F.05.50) Software version F.02.02 for the Series 2500 switches, implemented CDP-v1 (Cisco Discovery Protocol, version 1) to help discover devices in a network.
189 Enhancements in Release F.02.02 New Time Synchronization Protocol Options TimeP Time Synchronization You can either manually assign the switch to use a TimeP server or use DHCP to assign the TimeP server. In either case, the switch can get its time synchronization updates from only one, designated Timep server.
190 Enhancements in Release F.02.02 New Time Synchronization Protocol Options • TimeP: DHCP or Manual 3. Configure the remaining parameters for the time protocol you selected. The switch retains the parameter settings for both time protocols even if you change from one protocol to the other.
191 Enhancements in Release F.02.02 New Time Synchronization Protocol Options Table 15. SNTP Parameters Menu: Viewing and Configuring SNTP To View, Enable, and Modify SNTP Time Protocol: 1. From the Main Menu, select: 2. Switch Configuration... 1.
192 Enhancements in Release F.02.02 New Time Synchronization Protocol Options Figure 88. The System Information Screen (Default Values) 2. Press [E] (for Edit). The cursor moves to the System Name field. 3. Use [v] to move the cursor to the Time Sync Method field.
193 Enhancements in Release F.02.02 New Time Synchronization Protocol Options Note: This step replaces any previously configured server IP address. If you will be using backup SNTP servers (requires use of the CLI), then see “SNTP Unicast Time Polling with Multiple SNTP Servers” on page 205.
194 Enhancements in Release F.02.02 New Time Synchronization Protocol Options Viewing the Current SNTP Configuration This command lists both the time synchronization method (TimeP, SNTP, or None) and the SNTP configuration, even if SNTP is not the selected time protocol.
195 Enhancements in Release F.02.02 New Time Synchronization Protocol Options Enabling SNTP in Broadcast Mode. Because the switch provides an SNTP polling interval (default: 720 seconds), you need only these two commands for minimal SNTP broadcast configuration: Syntax: timesync sntp Selects SNTP as the time synchronization method.
196 Enhancements in Release F.02.02 New Time Synchronization Protocol Options Syntax: timesync sntp Selects SNTP as the time synchronization method. sntp unicast Configures the SNTP mode for Unicast operation. sntp server < ip-addr > [ version ] Specifies the SNTP server.
197 Enhancements in Release F.02.02 New Time Synchronization Protocol Options Figure 93. Example of Specifying the SNTP Protocol Version Number Changing the SNTP Poll Interval. This command lets you specify how long the switch waits between time polling intervals.
198 Enhancements in Release F.02.02 New Time Synchronization Protocol Options Disabling the SNTP Mode. If you want to prevent SNTP from being used even if selected by timesync (or the Menu interface’s Time Sync Method parameter), configure the SNTP mode as disabled.
199 Enhancements in Release F.02.02 New Time Synchronization Protocol Options Table 16. Timep Parameters Menu: Viewing and Configuring TimeP To View, Enable, and Modify the TimeP Protocol: 1. From the Main Menu, select: 2. Switch Configuration...
200 Enhancements in Release F.02.02 New Time Synchronization Protocol Options Figure 96. The System Information Screen (Default Values) 2. Press [E] (for Edit). The cursor moves to the System Name field. 3. Use [v] to move the cursor to the Time Sync Method field.
201 Enhancements in Release F.02.02 New Time Synchronization Protocol Options iii. Press [>] to move the cursor to the Poll Interval field, then go to step 6. 6. In the Poll Interval field, enter the time in minutes that you want for a TimeP Poll Interval.
202 Enhancements in Release F.02.02 New Time Synchronization Protocol Options If SNTP is the selected time synchronization method), show timep still lists the TimeP configuration even though it is not currently in use: Figure 98.
203 Enhancements in Release F.02.02 New Time Synchronization Protocol Options For example, suppose: ■ Time synchronization is configured for SNTP. ■ You want to: 1. View the current time synchronization. 2. Select TimeP as the time synchronization mode.
204 Enhancements in Release F.02.02 New Time Synchronization Protocol Options HP2512(config)# timesync timep Selects TimeP. HP2512(config)# ip timep manual 10.28.227.141 Activates TimeP in Manual mode. Figure 100. Example of Configuring Timep for Manual Operation Changing the TimeP Poll Interval.
205 Enhancements in Release F.02.02 New Time Synchronization Protocol Options Disabling the TimeP Mode. Disabling the TimeP mode means to configure it as disabled. (Disabling TimeP prevents the switch from using it as the time synchronization protocol, even if it is the selected Time Sync Method option.
206 Enhancements in Release F.02.02 New Time Synchronization Protocol Options Adding and Deleting SNTP Server Addresses Adding Addresses. As mentioned earlier, you can configure one SNTP server address using either the Menu interface or the CLI. To configure a second and third address, you must use the CLI.
207 Enhancements in Release F.02.02 New Time Synchronization Protocol Options Menu Interface Operation with Multiple SNTP Server Addresses Configured When you use the Menu interface to configure an SNTP server IP address, the new address writes over the current primary address, if one is configured.
208 Enhancements in Release F.02.02 Operation and Enhancements for Multimedia Traffic Control (IGMP) Operation and Enhancements for Multimedia Traffic Control (IGMP) How Data-Driven IGMP Operates Th.
209 Enhancements in Release F.02.02 Operation and Enhancements for Multimedia Traffic Control (IGMP) multicast packets to ports from which a join request for that group has not been received. (If the switch or router has not received any join requests for a given multicast group, it drops the traffic it receives for that group.
210 Enhancements in Release F.02.02 Operation and Enhancements for Multimedia Traffic Control (IGMP) Fast-Leave IGMP IGMP Operation Presents a "Delayed Leave" Problem.
211 Enhancements in Release F.02.02 Operation and Enhancements for Multimedia Traffic Control (IGMP) unnecessary multicast traffic from that group to the former IGMP client. This improves performance by reducing the amount of multicast traffic going through the port to the IGMP client after the client leaves a multicast group.
212 Enhancements in Release F.02.02 Operation and Enhancements for Multimedia Traffic Control (IGMP) Forced Fast-Leave IGMP Forced Fast-Leave IGMP Features Forced Fast-Leave IGMP speeds up the process of blocking unnecessary IGMP traffic to a switch port that is connected to multiple end nodes.
213 Enhancements in Release F.02.02 Operation and Enhancements for Multimedia Traffic Control (IGMP) For example: Figure 106. Listing the Forced Fast-Leave State for Ports in an HP2512 Switch To list the Forced Fast-Leave state for a single port. Syntax: getmib hpSwitchIgmpPortForcedLeaveState.
214 Enhancements in Release F.02.02 Operation and Enhancements for Multimedia Traffic Control (IGMP) CLI: Configuring Per-Port Forced Fast-Leave IGMP In the factory-default configuration, Forced Fast-Leave is disabled for all ports on the switch.
215 Enhancements in Release F.02.02 Operation and Enhancements for Multimedia Traffic Control (IGMP) Querier Operation The function of the IGMP Querier is to poll other IGMP-enabled devices in an IGMP-enabled VLAN to elicit group membership information.
216 Enhancements in Release F.02.02 The Switch Excludes Well-Known or Reserved Multicast Addresses from IP Multicast Filtering The Switch Excludes Well-Known or Reserved Multicast Addresses from IP Multicast Filtering Each multicast host group is identified by a single IP address in the range of 224.
217 Enhancements in Release F.02.02 Port Security: Changes to Retaining Learned Static Addresses Across a Reboot Port Security: Changes to Retaining Learned Static Addresses Across a Reboot Recommended Port Security Procedures ■ Before configuring port security, use the switch’s TFTP features to save a copy of the configuration.
218 Enhancements in Release F.02.02 Port Security: Changes to Retaining Learned Static Addresses Across a Reboot To remove an address learned using either of the preceding methods, do one of the following: • Delete the address by using the no port-security < port-number > mac-address < mac-addr > command.
219 Enhancements in Release F.02.02 Username Assignment and Prompt Username Assignment and Prompt Prior to release F.02.02, assigning a manager or operator username to the switch required you to use the Web browser interface.
220 Updates and Corrections for the Management and Configuration Guide Updates and Corrections for the Management and Configuration Guide This section lists updates to the Management and Configuration Guide (p/n 5969-2354; August 2000).
221 Updates and Corrections for the Management and Configuration Guide • Running configuration has been changed and needs to be saved. This message indicates that the two configurations are different.
222 Updates and Corrections for the Management and Configuration Guide This change affects the following commands: Restoring the Factory-Default Configuration, Including Usernames and Passwords Page 11-20 in the Management and Configuration guide incorrectly implies that the erase startup-config command clears passwords.
223 Updates and Corrections for the Management and Configuration Guide GVRP Does Not Require a Common VLAN Delete the note at the top of page 9-78 in the Management and Configuration Guide. GVRP does not require a common VLAN (VID) connecting all of the GVRP-aware devices in the network to carry GVRP packets.
224 Updates and Corrections for the Management and Configuration Guide Note Duplicate MAC addresses are likely to occur in VLAN environments where XNS and DECnet are used. For this reason, using VLANs in XNS and DECnet environments is not currently supported.
225 Updates and Corrections for the Management and Configuration Guide Also on page 9-54, add the following item to the bulleted list: ■ When TimeP is enabled and configured for DHCP operation, the switch learns of TimeP servers from DHCP and Bootp packets received on the primary VLAN.
226 Software Fixes Software Fixes Release F.01.07 was the first software release for the ProCurve Series 2500 switches Release F.01.08 ...
227 Software Fixes Release F.05.19 (Never Released) ... 251 Release F.05.20 (Never Released) ...
228 Software Fixes Release F.05.64 (Never Released) ... 257 Release F.05.65 (Not a Public Release) ...
229 Software Fixes Release F.01.08 Fixed in release F.01.08: ■ 100/1000-T transceiver — When using this 100/1000-T transceiver and negotiating to 100 Mbps, the port may report that it is operating at 100 full duplex, when it is actually operating at 100 half duplex.
230 Software Fixes Note The startup-config file saved under version F.02.02 is NOT backward-compatible with previous software versions. HP recommends that you save a copy of the pre-02.02 startup-config file BEFORE UPGRADING to F.02.02 or greater, in case there is ever a need to revert back to pre-02.
231 Software Fixes ■ LACP — Resolves several issues with LACP, including: conversation on a trunk may momentarily fail if a trunk member port goes down, difficulty accessing the MIB, configura- t.
232 Software Fixes Release F.02.04 (Beta Release Only) The switch's CDP packets have been modified to better interoperate with older Cisco IOS versions. Certain legal CDP packets sent from the ProCurve switch could cause Cisco routers running older IOS versions to crash.
233 Software Fixes ■ IGMP — If there are several IGMP groups in several VLANs, and the switch is acting as Querier, the switch may stop sending IGMP Queries on some of its VLANs. ■ IGMP — All Querier intervals on the switch will be cut in half if IGMP, after already being enabled, is disabled and then re-enabled.
234 Software Fixes Note Contact your local Customer Care Center before activating this feature to receive proper configuration instructions. Failure to configure this feature properly will result in unexpected connectivity problems. Release F.02.06 (Beta Release Only) Textual modifications made to the Isolated Port Groups feature.
235 Software Fixes ■ XRMON — Various XRMON counters display incorrect values. Possible symptoms include network management applications reporting a too high network utilization (TopTools may report "crossed octets"). Release F.02.08 (Beta Release Only) Fixed in F.
236 Software Fixes Release F.02.12 Fixed in release F.02.12 ■ Monitoring Port — When a config file containing a Monitoring Port configuration is loaded onto the switch via TFTP or XModem, the Monitoring Port feature does not work properly. Release F.
237 Software Fixes ■ Port Configuration — Changing a port setting from one Auto mode to another may not be reflected in Auto-negotiation's advertised capability without a switch reset, or module hot-swap.
238 Software Fixes Release F.04.08 Fixed in release F.04.08 Modification of Lab troubleshooting commands. Release F.04.09 (Beta Release Only) Fixed in release F.
239 Software Fixes Note The startup-config file saved under version F.05.05, or later, is NOT backward-compatible with previous software versions. The user is advised to save a copy of the pre-05.05 startup-config file BEFORE UPGRADING to F.05.05 or greater, in case there is ever a need to revert back to pre-05.
240 Software Fixes ■ Crash — If dynamic trunks are configured and the switch is rebooted, the switch may crash with a message similar to: ->Software exception at rstp_dyn_reconfit.
241 Software Fixes ■ Link-up polling interval — A delay of up to 1.7 seconds between plugging in a cable (linkbeat established) and traffic being forwarded to and from that port may cause problems with some time sensitive applications.
242 Software Fixes ■ STP/Startup-Config — When a startup-config file containing an 802.1D STP configuration is reloaded that was saved off from the switch, an error similar to the following occurs: Line: 13. Invalid input: stp802.1d Corrupted download file.
243 Software Fixes Release F.05.12 (Beta Release Only) Adds the following enhancement: ■ Changes to 802.1X to support Open VLAN Mode Release F.05.13 (Beta Release Only) Adds the following enhancement: ■ Changes to Isolated Port Groups to add two new groups: group1 and group2.
244 Software Fixes ■ Performance/Crash (PR_4967) — Slow performance may occur when using 10/100 ports or the 100FX transceiver operating at half-duplex. This also may occur when using 100FX, Gigabit Stacking, Gigabit-SX, or Gigabit-LX transceivers operating at full-duplex.
245 Software Fixes ■ Crash — When setting the host name to a very long (~20 characters) string, the switch may crash with a bus error similar to: -> Bus error: HW Addr=0x29283030 IP=0x002086ac Task='mSnmpCtrl' Task ID=0x165ae00.
246 Software Fixes ■ SNMP — The OID ifAlias is defaulted to "not assigned", causing Network Node Manager to log error messages. (The fix is to default ifAlias to a zero-length string, as stated in the MIB, or make each port have a unique value.
247 Software Fixes ■ RSTP/LACP — Turning LACP off, then back on, leaves LACP in Passive mode. This can Trunking — With ports 25 and 26 configured in a trunk group, the show trunk 25 , 26 command displays incorrect information for Trunk Group Name and Trunk Group Type.
248 Software Fixes Release F.05.19 (Never Released) Fixed in release F.05.19 ■ Counters (PR_92221) — Counters for J4834A 100/1000 xcvr do not clear. ■ Crash/Bus Error (PR_92466) — Bus error related to 802.1X/unauthorized VLAN. ■ Agent Hang (PR_92802) — Agent 'hang'.
249 Software Fixes ■ Syslog (PR_1000003656) — The syslog capability added to F.05.22. ■ Syslog (PR_1000004080) — A timep event log message on syslog is truncated. ■ Web (PR_81848) — 'Clear changes' button does not work for the Default Gateway or VLAN selections.
250 Software Fixes Release F.05.24 (Not a General Release) Fixed in release F.05.24 ■ Web (PR_1000007144) — When using the Web user interface, VLAN Configuration, Add/Remove VLANs, GVRP Mode, clicking on the help link gives the message, The page you requested is no longer located here.
251 Software Fixes ■ SNMP (PR_1000190654) — When switch has the IP address configured on a VLAN other than the "default VLAN", Find/Fix/Inform (FFI) SNMP traps list a 0.
252 Software Fixes Release F.05.32 (Not a General Release) Fixed in release F.05.32 ■ TFTP/Config (PR_1000215024) — After a new configuration is loaded from a TFTP server, the switch reboots so the new configuration will take effect.
253 Software Fixes Release F.05.37 (Not a General Release) Fixed in release F.05.36 ■ CLI (PR_83354) — The command "show mac vlan <VID>" displays all MAC addresses known on the switch (from all VLANs) instead of just those in the specified VLAN.
Release F.05.51 (Never Released) Fixed in release F.05.51 ■ Crash (PR_1000297510) — When using the Web User Interface and the switch is set as commander for stacking, the switch may crash with .
255 Software Fixes Release F.05.55 Fixed in release F.05.55 ■ LLDP (PR_1000310666) — The command "show LLDP" does not display information learned from CDPv2 packets. ■ Menu (PR_1000318531) — When using the 'Menu' interface, the Switch hostname may be displayed incorrectly.
256 Software Fixes Release F.05.59 Fixed in release F.05.59 ■ Daylight savings (PR_1000364740) — Due to the passage of the Energy Policy Act of 2005, Pub. L. no. 109-58, 119 Stat 594 (2005), starting in March 2007 daylight time in the United States will begin on the second Sunday in March and end on the first Sunday in November.
257 Software Fixes Daylight Savings (PR_1000467724) — DST is outdated for the Western-European Time Zone. This change corrects the schedule for the Western Europe Time Zone: DST to start the last Sunday in March and DST to end the last Sunday in October.
258 Software Fixes Release F.05.69 Fixed in release F.05.69 ■ ProCurve Manager (PR_1000768253) — The ProCurve Manager 2.2 Auto Update 5 test communication parameters feature fails intermittently. ■ Stacking Transceivers (PR_1000784489) — Stacking-kit ports (J4116A) display an inaccurate duplex output.
© Copyright 2001-2009 Hewlett-Packard Company, LP. The information contained in this document is subject to change without notice. Part Number: 5990-3102 March, 2009.