
ProCurve Cisco Interoperability

Holger Hasenaug HP ProCurve Technical Consultant CCIE# 6343


2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Objectives

- Explain the interoperability between Cisco and ProCurve equipment in the same network
- Compare the differences and similarities in features and in configuration
- Interoperability in detail:
  - At Layer 2: VLANs, Spanning-Tree, Link Aggregation
  - At Layer 3: IP, VRRP-HSRP, OSPF
- Configure QoS at L2 and L3

Content

1. Migrating from a Cisco Infrastructure to a ProCurve Infrastructure
2. VLANs Interoperability
3. Spanning-Tree Interoperability
4. Hardening Spanning-Tree
5. L2 Discovery Protocols LLDP - CDP
6. Gateway redundancy HSRP - VRRP
7. POE, IP Phones and QOS
8. Network Access Control
9. Layer 2 / layer 3 interfaces
10. IP Routing
11. Access Control Lists
Conclusion

1- Migrating from a Cisco infrastructure to a ProCurve infrastructure

Enterprise Starting Point

First Step of Integration
(diagram: interoperability topics at this step: multi-VLAN uplink, Spanning-Tree, IP phone setup, QoS)

Second Step of Integration
(diagram: interoperability topics at this step: OSPF, link aggregation)

Third Step of Integration

Fourth Step of Integration

2- VLANs Interoperability

VLAN configuration comparison: Switch-to-Switch connection

ProCurve:
vlan 1 untagged a1
vlan 2 tagged a1
vlan 3 tagged a1

Cisco:
interface GigabitEthernet 1/20
 switchport                               (default on access switches)
 switchport trunk encapsulation dot1q     (default)
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1-3
 switchport mode trunk
 switchport nonegotiate                   (disables Cisco DTP)

(diagram: ProCurve port a1 connected to Cisco port G1/20)

For a switch-to-switch connection between a ProCurve and a Cisco switch carrying multiple VLANs (1-3 in our case) you have to configure the following. On the ProCurve side you configure, for every VLAN, port a1 to be a member of it. For VLAN 1 we configure port a1 as an untagged member, which corresponds to the native VLAN on the Cisco side. On the Cisco switch you configure it on the interface instead: configure the interface as a switchport and set the encapsulation to 802.1Q (dot1q), as Cisco also supports a proprietary VLAN encapsulation called ISL. Configure the interface as a switchport trunk. That automatically allows all configured VLANs to pass the interface, so you have to restrict the VLANs with the command switchport trunk allowed vlan 1-3. As the switch by default sends out Cisco proprietary Dynamic Trunking Protocol (DTP) frames, you may disable this with the command switchport nonegotiate. By default the Cisco native VLAN is 1, which basically means that the frames for VLAN 1 are sent out untagged.


VLAN configuration comparison: Switch-to-End Node connection

ProCurve:
vlan 2 untagged a1

Cisco:
interface GigabitEthernet 1/20
 switchport
 switchport access vlan 2
 switchport mode access

(diagram: ProCurve port a1 and Cisco port G1/20, each connected to an end node)

The following shows how to configure a port for an end node like a PC or notebook. On the ProCurve side you configure port a1 to be an untagged member of the corresponding VLAN. On the Cisco side you configure the interface as a switchport with the mode access, then assign the VLAN ID to this interface with the command switchport access vlan 2.


VLAN configuration comparison: Switch-to-IP-phone connection with PC

ProCurve:
vlan 2 untagged a1
vlan 3 voice
vlan 3 tagged a1

Cisco:
interface GigabitEthernet 1/20
 switchport
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 3

(diagram: on ProCurve port a1 the switch advertises LLDP-MED: Voice VLAN ID=3, Mode: tagged; on Cisco port G1/20 the switch advertises CDPv2: Voice VLAN ID=3, Mode: tagged, and LLDP-MED: Voice VLAN ID=3, Mode: tagged)

LLDP-MED support has started on Cisco Catalyst 3760, 3750, 2960 and 2970 switches running 12.2(37)SE and on Cisco Catalyst 6500 running 12.2(33)SXH.

Here it is shown how you configure the switch to connect an IP phone (hard phone) with a PC cascaded behind it. On the ProCurve side you configure port a1 to be an untagged member of VLAN 2, the VLAN for the PC, and a tagged member of VLAN 3, the VLAN ID the IP phone uses to send and receive its traffic. So that the phone can learn the VLAN ID it has to use, you configure VLAN 3 as a voice VLAN; the switch will then send out LLDP-MED frames when an IP phone with LLDP-MED support is detected. On the Cisco side you configure on the interface an access VLAN 2 for the PC and a voice VLAN 3 for the IP phone. On older IOS versions this enables the switch to send out Cisco proprietary CDPv2 information with the voice VLAN ID included. Current IOS versions will also send out LLDP-MED frames.


VLAN propagation with GVRP or VTP

GVRP (GARP VLAN Registration Protocol):
- IEEE standard
- Supported by most switch vendors and on Cisco CatOS, not on Cisco IOS
- Propagates VLAN creation
- All GVRP nodes are the same
- Automatic VLAN tagging based on edge ports in the VLAN
- GVRP VLAN learning can be disabled on a per-port basis
- 802.1X can trigger VLAN creation
- Not password protected

Cisco VTP (VLAN Trunking Protocol):
- Cisco proprietary protocol
- Supported by Cisco and ???. Not supported by ProCurve
- Propagates VLAN creation in the VTP domain
- Server, Client and Transparent VTP modes
- Allowed VLANs automatically controlled on Cisco trunks by VTP pruning
- VLANs filtered on Cisco trunks by VTP pruning
- Password protected

Dynamic VLAN advertisement in a mixed environment with Cisco Catalyst and HP ProCurve switches.

GVRP provides 802.1Q-compliant VLAN pruning and dynamic VLAN creation. With GVRP, the switch can exchange VLAN configuration information with other GVRP switches, prune unnecessary broadcast and unknown unicast traffic, and dynamically create and manage VLANs on switches connected through 802.1Q trunk ports. GVRP is an IEEE standard. GVRP can also be used by end stations to advertise the VLAN they would like to join; currently there are no implementations known to me where this is implemented, e.g. Microsoft, Linux, Apple.

VTP is a Cisco proprietary Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs on a network-wide basis. VTP is a client-server protocol. On a VTP server you can create, modify, and delete VLANs. VTP servers advertise their VLAN configuration to other switches and synchronize their VLAN configuration with other switches based on advertisements received over trunk links. VTP clients behave the same way as VTP servers, but you cannot create, change, or delete VLANs on a VTP client.

VTP-GVRP interaction is possible on Cisco switches running CatOS 5.3 or higher. These Catalyst switches can be configured to distribute the VTP learned or configured VLANs via GVRP to HP ProCurve switches. The following needs to be configured on the Cisco switch apart from the VTP configuration:

Enable GVRP globally:
set gvrp enable
Enable GVRP on the port connected to an HP ProCurve switch:
set port gvrp enable mod_num/port_num

The following needs to be configured on the HP ProCurve switch:

Enable GVRP globally:
gvrp
You may disable GVRP on ports connected to clients:
interface <port-list> unknown-vlans disable

The GVRP protocol does not support advertising of VLAN names, therefore you will not see the VTP assigned names on HP ProCurve switches.


Useful show commands

Description                                   | ProCurve                       | Cisco
Port status                                   | show interface brief           | show interfaces status
Port counters / utilization                   | show interface <port>          | show interface <port>
What VLANs are configured?                    | show vlan                      | show vlan brief
Specific information about a single VLAN      | show vlan <vlan-id>            | show vlan id <vlan-id>
Which untagged VLAN does a port belong to?    | show vlan ports <port> detail  | show interfaces status
Is the port a Cisco layer 2 port?             | -                              | show interfaces <port> switchport
Which VLANs are configured on a port?         | show vlan ports <port> detail  | show interfaces <port> trunk
Which ports exist with more than one VLAN?    | -                              | show interfaces trunk

Static Aggregated Ports

ProCurve:
trunk a1-a2 trk1 trunk
(here we do not use a dynamic aggregation protocol like LACP)

Cisco:
interface Port-channel1          (automatically created)
interface GigabitEthernet 1/20
 channel-group 1 mode on
interface GigabitEthernet 1/21
 channel-group 1 mode on
(here we do not use dynamic aggregation protocols like LACP or FEC)

(diagram: ProCurve ports a1 and a2 (trk1) connected to Cisco ports G1/20 and G1/21 (po1))

How do you configure a static link aggregate between a ProCurve and a Cisco switch? Remember that the naming for a link aggregation differs between ProCurve and Cisco switches. On the ProCurve side you configure a trunk port on which you specify the member ports. With the command trunk a1-a2 trk1 trunk you create a trunk port called trk1 in static mode to which ports a1 and a2 belong. On the Cisco side you configure the physical interfaces G1/20 and G1/21 to belong to the same channel-group. With the mode on command you specify a static channel. Once you have done this, a new interface called port-channel 1 is created.


Dynamic Aggregated Ports using LACP (IEEE 802.3ad)

ProCurve:
trunk a1-a2 trk1 lacp
(use LACP on the trunk interface)

Cisco:
interface Port-channel1          (automatically created)
interface GigabitEthernet 1/20
 channel-group 1 mode <active | passive>
interface GigabitEthernet 1/21
 channel-group 1 mode <active | passive>
(send LACP frames actively or just respond passively)

(diagram: ProCurve ports a1 and a2 (trk1) connected to Cisco ports G1/20 and G1/21 (po1))

Here is the same setup using the dynamic Link Aggregation Control Protocol (LACP). On the ProCurve side you just specify lacp instead of trunk. On the Cisco side you configure the mode as either active or passive, which corresponds to speaking LACP actively or just responding passively to LACP frames.


Link aggregation to a Cisco Stack or VSS

(diagram: a Cisco Virtual Switching System 1440 connected by a standard trunk or an LACP trunk to a ProCurve switch)

ProCurve switch:
trunk a1-a2 trk1 trunk
or
trunk a1-a2 trk1 lacp

A Cisco VSS appears as one switch, to which a link aggregation can be set up without requiring Spanning-Tree.

VLAN Interoperability planning

Pay attention to multi-VLAN ports:
1. Make sure the native VLAN on the Cisco trunk = the untagged VLAN on the ProCurve tagged port
2. Ensure the same VLANs are allowed and configured
Note: BPDUs (Spanning Tree, LLDP, LACP) are not attached to the untagged or any other VLAN on ProCurve, unlike on Cisco.
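The two planning rules and the switch-to-switch trunk configuration from section 2 can be checked mechanically. Added example (not from the presentation): a Python script that parses the ProCurve VLAN membership of one port and the Cisco trunk interface and reports a mismatching native/untagged VLAN, differing VLAN sets or a trunk with DTP still enabled. The two configuration texts are constructed from the slide (ProCurve a1, Cisco G1/20).

```python
import re

# Constructed sample configs for the uplink on the slide: ProCurve port a1 <-> Cisco G1/20.
PROCURVE_CFG = """\
vlan 1 untagged a1
vlan 2 tagged a1
vlan 3 tagged a1
"""

CISCO_CFG = """\
interface GigabitEthernet 1/20
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1-3
 switchport mode trunk
 switchport nonegotiate
"""


def expand_vlan_list(text):
    """Expand Cisco 'allowed vlan' list syntax: '1-3,10' -> {1, 2, 3, 10}."""
    vlans = set()
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def procurve_port_vlans(cfg, port):
    """Return (untagged VLAN or None, set of all VLANs) a ProCurve port belongs to.

    Handles the single-line 'vlan <id> untagged|tagged <port,port,...>' form used
    on the slides; port ranges such as a1-a20 are not expanded here.
    """
    untagged, members = None, set()
    for m in re.finditer(r"^vlan (\d+) (untagged|tagged) (\S+)", cfg, re.M):
        vid, mode, ports = int(m.group(1)), m.group(2), m.group(3).split(",")
        if port in ports:
            members.add(vid)
            if mode == "untagged":
                untagged = vid
    return untagged, members


def cisco_trunk_info(cfg):
    """Pull native VLAN, allowed VLANs, port mode and DTP state out of a Cisco interface."""
    info = {"native": 1, "allowed": None, "mode": None, "nonegotiate": False}
    for line in cfg.splitlines():
        words = line.split()
        if words[:4] == ["switchport", "trunk", "native", "vlan"]:
            info["native"] = int(words[4])
        elif words[:4] == ["switchport", "trunk", "allowed", "vlan"]:
            # plain list form only ('all' means unrestricted, the Cisco default)
            info["allowed"] = None if words[4] == "all" else expand_vlan_list(words[4])
        elif words[:2] == ["switchport", "mode"]:
            info["mode"] = words[2]
        elif words == ["switchport", "nonegotiate"]:
            info["nonegotiate"] = True
    return info


def check_uplink(procurve_cfg, port, cisco_cfg):
    """Return the list of planning-rule violations (empty list = consistent uplink)."""
    problems = []
    untagged, members = procurve_port_vlans(procurve_cfg, port)
    cisco = cisco_trunk_info(cisco_cfg)
    if cisco["mode"] != "trunk":
        problems.append("Cisco port is not 'switchport mode trunk'")
    if untagged != cisco["native"]:
        problems.append(f"native VLAN {cisco['native']} != ProCurve untagged VLAN {untagged}")
    if cisco["allowed"] is None:
        problems.append("all VLANs allowed on the trunk; restrict with 'switchport trunk allowed vlan'")
    elif cisco["allowed"] != members:
        problems.append(f"allowed VLANs {sorted(cisco['allowed'])} != ProCurve VLANs {sorted(members)}")
    if not cisco["nonegotiate"]:
        problems.append("DTP still enabled on the Cisco port; add 'switchport nonegotiate'")
    return problems


if __name__ == "__main__":
    for line in check_uplink(PROCURVE_CFG, "a1", CISCO_CFG) or ["uplink consistent"]:
        print(line)
```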

3- Spanning-Tree Interoperability

Spanning-Tree Interoperability

- Introduction to the different STP modes
- MSTP on Cisco and ProCurve
  - with one MST instance
  - with load balancing between instances
- PVST+ on Cisco and MSTP on ProCurve

We have to distinguish switch configurations for different kinds of connections:
- End user ports (PCs, printers, ...)
- IP phone ports
- End user + IP phone ports
- Server ports for one VLAN
- Server ports for multiple VLANs
- Switch-to-switch ports for one VLAN
- Switch-to-switch ports for multiple VLANs
- Aggregated ports

Support of STP

ProCurve       | Cisco         | Notes
STP (802.1D)   | PVST+         | PVST BPDUs are STP compatible in VLAN 1
RSTP (802.1w)  | Rapid PVST    | Rapid PVST BPDUs are RSTP compatible in VLAN 1
MSTP (802.1s)  | MSTP (802.1s) | The best choice for interoperability. Caution with the pre-implementation of MSTP on Cisco

STP: IEEE 802.1D standard Spanning Tree
PVST: Per-VLAN Spanning-Tree (proprietary, based on STP 802.1D)
Rapid PVST: proprietary, based on RSTP 802.1w
RSTP: Rapid Spanning Tree (802.1w IEEE standard)
MSTP: Multi Instance Spanning-Tree (802.1s IEEE standard)

IEEE 802.1D and 802.1w

Previously there was only one STP for many VLANs. This left links unused, since all VLANs took the same physical topology.

(diagram, "Before (with STP)": three switches each carrying VLANs 1, 2 and 3; one switch is the root and the same link is blocked for all VLANs)

MSTP = MST (IEEE 802.1s)

In response to the need to allow standards-compliant 802.1D/w/Q switches to have multiple logical paths for redundancy, 802.1s, the Multiple Spanning Tree Protocol (MSTP), was ratified. 802.1s enhances 802.1Q by allowing groups of VLANs to be assigned to different spanning tree instances. Instances are chosen to match the number of possible logical paths through the layer 2 network. Often only 2 or 3 are required, instead of hundreds with PVST.

(diagram, "Before (with PVST)": three switches carrying VLANs 1, 2 and 3, with a separate root for VLAN 1, VLAN 2 and VLAN 3. "Now with 802.1s": VLANs 1,2 mapped to MSTI-1 with one root, VLANs 3,4 mapped to MSTI-2 with another root)

3.1- MSTP Interoperability

Cisco ProCurve Design 1: MSTP and one instance

(diagram: two Cisco switches running MSTP, one the STP root and the other the STP backup root, both connected to a ProCurve switch running MSTP; the ProCurve port towards the backup root is STP blocked for all VLANs)

Pros: simple, all switches speak the same standard protocol
Cons: no load balancing

Cisco ProCurve Design 2: MSTP and load balancing between instances

MSTP instance 1: VLANs 1,2,3
MSTP instance 2: VLANs 4,5,6

(diagram: Cisco switches running MSTP act as STP root for instance 1, STP backup root for instance 1, STP backup root for instance 2 and STP root for instance 2; each ProCurve switch (MSTP) is dual-homed, with one port STP blocked for instance 1 and the other port STP blocked for instance 2)

Pros: load balancing
Cons: more complex to configure and troubleshoot

Cisco MST 802.1s-2002 compliance

To support the compliant IEEE 802.1s-2002 standard, Cisco switches must run at least the following firmware versions:
- Cisco Catalyst 2950, 3550, 3560, 3750: IOS 12.2(25)SEC
- Cisco Catalyst 4000: native IOS 12.2(25)SG
- Cisco Catalyst 6000: native IOS 12.2(18)SXF or CatOS 8.3

MST concepts

Switches belong to the same MST region if they share the same configuration parameters:
1- MST config name (32 bytes, case sensitive)
2- MST revision number (2 bytes)
3- MST instances, which are set by the assignment of VLANs

Example of an MST configuration:
Config name = building-1
Revision number = 1
Instance 1 = VLANs 1, 2, 3
Instance 2 = VLANs 4, 5, 6

Configuring MSTP (802.1s) on ProCurve Switches

Enable MSTP globally:
ProCurve(config)# spanning-tree protocol-version mstp
(only required on older switch series)
ProCurve(config)# spanning-tree

Configure your MSTP on all switches equally:
ProCurve(config)# spanning-tree config-name building-1
ProCurve(config)# spanning-tree config-revision 1
ProCurve(config)# spanning-tree instance 1 vlan 1-3
ProCurve(config)# spanning-tree instance 2 vlan 4-6

Configuring MSTP (802.1s) on Cisco Switches

Enable MSTP globally:
Cisco(config)# spanning-tree mode mst

Configure your MSTP on all switches equally:
Cisco(config)# spanning-tree mst configuration
Cisco(config-mst)# instance 1 vlan 1-3
Cisco(config-mst)# instance 2 vlan 4-6
Cisco(config-mst)# name building-1
Cisco(config-mst)# revision 1
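To verify that a ProCurve and a Cisco switch will end up in the same MST region, the two configurations above can be parsed and compared on the three values 802.1s uses to identify a region: name, revision and the configuration digest (HMAC-MD5 over the VLAN-to-instance table with the key fixed by the standard). Added example in Python, not from the presentation; the two configuration texts are constructed from the slides (building-1, revision 1, two instances).

```python
import hashlib
import hmac
import re

# Fixed HMAC key that IEEE 802.1s specifies for the MST configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

# Constructed from the slides: region building-1, revision 1, two instances.
PROCURVE_CFG = """\
spanning-tree config-name building-1
spanning-tree config-revision 1
spanning-tree instance 1 vlan 1-3
spanning-tree instance 2 vlan 4-6
"""

CISCO_CFG = """\
spanning-tree mst configuration
 instance 1 vlan 1-3
 instance 2 vlan 4-6
 name building-1
 revision 1
"""


def expand_vlans(text):
    """'1-3,10' -> {1, 2, 3, 10}; both vendors accept this list syntax."""
    vlans = set()
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_mst_config(cfg):
    """Return (name, revision, {vlan: instance}) from either vendor's syntax.

    ProCurve prefixes every line with 'spanning-tree' and uses config-name /
    config-revision; Cisco nests name / revision / instance under
    'spanning-tree mst configuration'. VLANs not listed stay in instance 0 (IST).
    """
    name, revision, mapping = "", 0, {}
    for raw in cfg.splitlines():
        line = re.sub(r"^spanning-tree (mst )?", "", raw.strip())
        if m := re.match(r"(?:config-)?name (.+)$", line):
            name = m.group(1)
        elif m := re.match(r"(?:config-)?revision (\d+)$", line):
            revision = int(m.group(1))
        elif m := re.match(r"instance (\d+) vlan (\S+)$", line):
            for vid in expand_vlans(m.group(2)):
                mapping[vid] = int(m.group(1))
    return name, revision, mapping


def mst_config_digest(mapping):
    """HMAC-MD5 over the 4096-entry table of 16-bit instance IDs (VID 0..4095)."""
    table = b"".join(mapping.get(vid, 0).to_bytes(2, "big") for vid in range(4096))
    return hmac.new(MST_DIGEST_KEY, table, hashlib.md5).hexdigest().upper()


def region_identity(cfg):
    """The three values a switch compares to decide whether a BPDU comes from its own region."""
    name, revision, mapping = parse_mst_config(cfg)
    return name, revision, mst_config_digest(mapping)


def same_region(cfg_a, cfg_b):
    """True when both switches would consider each other part of one MST region."""
    return region_identity(cfg_a) == region_identity(cfg_b)


if __name__ == "__main__":
    for label, cfg in (("ProCurve", PROCURVE_CFG), ("Cisco", CISCO_CFG)):
        print(label, region_identity(cfg))
    print("same region:", same_region(PROCURVE_CFG, CISCO_CFG))
```

The printed digest can be compared with what the switches themselves report (show spanning-tree mst configuration digest on Cisco); a name that differs only in case is enough to break the region.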

Configuring MSTP (802.1s) on ProCurve and Cisco Switches

Modify the bridge priority to tweak the STP root selection per instance:
ProCurve:
ProCurve(config)# spanning-tree instance <instance-id> priority <priority>
Cisco:
Cisco(config)# spanning-tree mst <instance-id> priority <priority>

Configuring MSTP (802.1s) on ProCurve and Cisco Switches

Enable STP edge-port where desired (end user interfaces):
ProCurve:
ProCurve(config)# spanning-tree a1 admin-edge-port
(the default is auto-edge, where the port role is discovered automatically within 3 seconds)
Cisco:
Cisco(config)# interface gigabitethernet0/2
Cisco(config-if)# spanning-tree portfast

Cisco MSTP: what BPDUs are sent out of trunk ports?

interface GigabitEthernet 1/20
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1-3
 switchport mode trunk
-> IEEE 802.1s BPDU

interface GigabitEthernet 1/20
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 2-3
 switchport mode trunk
-> IEEE 802.1s BPDU

MSTP 802.1s BPDU: untagged, IEEE destination MAC 01:80:c2:00:00:00; it carries the fields common to RSTP and MSTP, the CST information and the MSTP-specific parameters (IST info, MSTI info, additional MSTI info).

Cisco MST: what BPDUs are sent out of access ports?

interface GigabitEthernet 1/20
 switchport access vlan 10
 switchport mode access
-> IEEE 802.1s BPDU without additional MST instance information

interface GigabitEthernet 1/20
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
-> IEEE 802.1s BPDU without additional MST instance information

MSTP 802.1s BPDU: untagged, IEEE destination MAC 01:80:c2:00:00:00; it carries the fields common to RSTP and MSTP, the CST information and the MSTP-specific parameters (IST info, MSTI info, additional MSTI info).

Use trunk port configuration on inter-switch links and always check that you have switchport mode trunk configured! If you use access ports you create MST region boundaries.

MSTP Interoperability planning

1) To get standard MSTP BPDUs, use trunk ports on Cisco uplinks. If an untagged uplink is required, do not use an access port but define the Cisco port as a trunk and allow only the native VLAN!
2) On Cisco, pay attention to the IOS version. Cisco supports a pre-version of MSTP which looks like MSTP; you cannot see the difference in the commands. It just does not interoperate with standard MSTP.
3) Set the MSTP configuration parameters identically: name, revision number, mapping between VLANs and instances.

3.2- PVST - MSTP Interoperability

Various Spanning-Tree BPDUs

802.1D: untagged, IEEE destination MAC 01:80:c2:00:00:00
RSTP 802.1w: untagged, IEEE destination MAC 01:80:c2:00:00:00
MSTP 802.1s: untagged, IEEE destination MAC 01:80:c2:00:00:00; carries the fields common to RSTP and MSTP, the CST information, the IST info and the MSTP-specific parameters (MSTI info, additional MSTI info)

PVST+ on Cisco trunk ports (VLAN 1 allowed on the trunk):
- IEEE BPDU, untagged, IEEE destination MAC 01:80:c2:00:00:00
- PVST+ BPDU, untagged for the native VLAN, Cisco destination MAC 01:00:0c:cc:cc:cd
- PVST+ BPDU, tagged for every other VLAN, Cisco destination MAC 01:00:0c:cc:cc:cd

Cisco ProCurve Design #1 with PVST+

(diagram: two Cisco switches running PVST+ or Rapid PVST+, one the STP root for VLANs 1,2,3,4,5,6 and the other the STP backup root for VLANs 1,2,3,4,5,6, both connected to a ProCurve switch running 802.1D, 802.1w or 802.1s; the ProCurve port towards the backup root is the STP blocked port)

Pros: simple, and PVST+ is still used for the backbone
Cons: no load balancing

Cisco ProCurve Design #1: Cisco PVST+ view for VLAN 1

(diagram: same topology; the Cisco switches (PVST+ or Rapid PVST+) are STP root for VLAN 1 and STP backup root for VLAN 1, the ProCurve switch (802.1D, 802.1w or 802.1s) has its STP blocked port towards the backup root)

IEEE BPDUs are exchanged between all switches.

Cisco ProCurve Design #1: Cisco PVST+ view for all other VLANs

(diagram: the two Cisco switches (PVST+ or Rapid PVST+) are STP root for VLANs 2,3,4,5,6 and STP backup root for VLANs 2,3,4,5,6)

The ProCurve switch will also block the PVST+ BPDUs, as the whole port is blocked. Therefore the right Cisco switch will not receive any PVST+ BPDU through the ProCurve switch.

Configuring Rapid PVST+ on Cisco Switches

Enable Rapid PVST+ globally:
Cisco(config)# spanning-tree mode rapid-pvst
Cisco(config)# spanning-tree extend system-id
Cisco(config)# spanning-tree pathcost method long

Modify the bridge priority to tweak the STP root selection per VLAN:
Cisco(config)# spanning-tree vlan 1-2 priority 4096

Modify the interface cost if necessary, per VLAN:
Cisco(config)# interface gigabitethernet0/2
Cisco(config-if)# spanning-tree vlan 1-2 cost 10000

Modify the interface priority if necessary, per VLAN:
Cisco(config)# interface gigabitethernet0/2
Cisco(config-if)# spanning-tree vlan 1-2 port-priority 4

Configuring Rapid PVST+ on Cisco Switches (cont.)

Enable STP edge-port where desired (end user interfaces), either globally, which affects all non-trunking ports:
Cisco(config)# spanning-tree portfast default

or on a per-interface basis:
Cisco(config)# interface gigabitethernet0/2
Cisco(config-if)# spanning-tree portfast

Cisco Rapid-PVST+: what BPDUs are sent out of trunk ports?

interface GigabitEthernet 1/20
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1-3
 switchport mode trunk
-> IEEE 802.1w BPDU; untagged PVST BPDU for VLAN 1; PVST BPDU for all tagged VLANs

interface GigabitEthernet 1/20
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 2-3
 switchport mode trunk
-> PVST BPDU for all tagged VLANs (VLAN 2,3)

If VLAN 1 is not allowed on a trunk port, no IEEE BPDU is sent out!!!

Cisco Rapid-PVST+: what BPDUs are sent out of access ports?

interface GigabitEthernet 1/20
 switchport access vlan 10
 switchport mode access
-> IEEE 802.1w BPDU; untagged PVST BPDU for VLAN 10

interface GigabitEthernet 1/20
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
-> IEEE 802.1w BPDU; untagged PVST BPDU for VLAN 10; PVST BPDU for the tagged voice VLAN 20

Use trunk port configuration on all inter-switch links!
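To see the difference between the standard and the Cisco-specific BPDUs described on the "Various Spanning-Tree BPDUs" slide and the two Rapid-PVST+ slides above, here is an added example (not from the presentation) that builds sample frames, classifies them by destination MAC and encapsulation, says what a ProCurve switch does with each, and models the slide's rule for what a Rapid-PVST+ trunk emits. The frames are constructed minimal BPDUs, not captures; the PVST+ SNAP PID 0x010b and the VLAN from the 802.1Q tag are the only Cisco-specific fields it inspects.

```python
IEEE_STP_MAC = bytes.fromhex("0180c2000000")    # IEEE bridge group address
CISCO_PVST_MAC = bytes.fromhex("01000ccccccd")  # Cisco PVST+ multicast address
IEEE_LLC = b"\x42\x42\x03"                      # DSAP/SSAP 0x42, UI frame
SNAP_LLC = b"\xaa\xaa\x03"
PVST_SNAP = b"\x00\x00\x0c\x01\x0b"             # Cisco OUI, PID 0x010b (PVST+)


def build_bpdu(dst, vlan=None, version=2, bpdu_type=0x02):
    """Construct a minimal BPDU frame for testing (constructed, not captured).

    dst selects the encapsulation: IEEE group address -> plain LLC, Cisco
    address -> SNAP with the PVST+ PID. vlan=None gives an untagged frame,
    otherwise an 802.1Q tag with that VID is inserted after the source MAC.
    """
    src = bytes.fromhex("0011220000aa")          # constructed sender MAC
    llc = SNAP_LLC + PVST_SNAP if dst == CISCO_PVST_MAC else IEEE_LLC
    # protocol id 0x0000, version, type, then the remaining fields zeroed
    body = b"\x00\x00" + bytes([version, bpdu_type]) + bytes(36)
    payload = llc + body
    tag = b"" if vlan is None else b"\x81\x00" + vlan.to_bytes(2, "big")
    return dst + src + tag + len(payload).to_bytes(2, "big") + payload


def classify_bpdu(frame):
    """Return a dict describing a BPDU, or None for anything that is not one."""
    dst, off, vlan = frame[:6], 12, None
    if frame[off:off + 2] == b"\x81\x00":        # 802.1Q tag present
        vlan = int.from_bytes(frame[off + 2:off + 4], "big") & 0x0FFF
        off += 4
    off += 2                                     # skip the 802.3 length field
    if dst == IEEE_STP_MAC and frame[off:off + 3] == IEEE_LLC:
        family, off = "ieee", off + 3
    elif dst == CISCO_PVST_MAC and frame[off:off + 8] == SNAP_LLC + PVST_SNAP:
        family, off = "pvst", off + 8
    else:
        return None
    if frame[off:off + 2] != b"\x00\x00" or len(frame) < off + 4:
        return None                              # not the STP protocol identifier
    version, bpdu_type = frame[off + 2], frame[off + 3]
    names = {0: "STP", 2: "RSTP", 3: "MSTP"} if family == "ieee" else {0: "PVST+", 2: "Rapid PVST+"}
    return {
        "family": family,
        "tagged": vlan is not None,
        "vlan": vlan,
        "version": names.get(version, f"unknown ({version})"),
        "type": {0x00: "config", 0x02: "RST/MST", 0x80: "TCN"}.get(bpdu_type, "unknown"),
        # Only frames to the IEEE group address reach the ProCurve spanning-tree;
        # PVST+ frames are flooded like any other multicast frame.
        "procurve": "processed by spanning-tree" if family == "ieee" else "forwarded as a normal frame",
    }


def rapid_pvst_trunk_bpdus(native_vlan, allowed_vlans):
    """Model of the slide's rule for what a Rapid-PVST+ trunk port emits.

    Returns (kind, vlan, tagged) tuples: an IEEE BPDU only when VLAN 1 is
    allowed, plus one PVST+ BPDU per allowed VLAN (untagged for the native VLAN).
    """
    out = []
    if 1 in allowed_vlans:
        out.append(("ieee", 1, False))
    for vid in sorted(allowed_vlans):
        out.append(("pvst", vid, vid != native_vlan))
    return out


if __name__ == "__main__":
    for frame in (build_bpdu(IEEE_STP_MAC), build_bpdu(CISCO_PVST_MAC), build_bpdu(CISCO_PVST_MAC, 2)):
        print(classify_bpdu(frame))
    print(rapid_pvst_trunk_bpdus(1, {2, 3}))    # no IEEE BPDU when VLAN 1 is not allowed
```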

Cisco ProCurve Design #1: Cisco RapidPVST+

(diagram: two Cisco switches (RapidPVST+) joined by po1, one the STP root for VLANs 1,2,3,4,5,6 and the other the STP backup root for VLANs 1,2,3,4,5,6; the ProCurve switch (MSTP) connects via a24 and b24 to the Cisco ports Gig2/x; end user ports a1-a20,b1-b20,c1-c24,d1-d24)

ProCurve 5406zl configuration:
vlan 1
 name management
 untag a24,b24
 ip address 10.1.1.1/24
vlan 2
 tagged a24,b24
vlan 3
 tagged a24,b24
vlan 4
 tagged a24,b24
vlan 5
 tagged a24,b24
vlan 6
 tagged a24,b24
spanning-tree

Cisco 6506_left configuration:
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree pathcost method long
spanning-tree vlan 1-4094 priority 0
interface Port-channel1
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-6
 switchport mode trunk
interface GigabitEthernet2/x
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-6
 switchport mode trunk

Cisco 6509_right configuration:
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree pathcost method long
spanning-tree vlan 1-4094 priority 4096
interface Port-channel1
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-6
 switchport mode trunk
interface GigabitEthernet2/x
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-6
 switchport mode trunk

PVST - MSTP Interoperability planning

1) On Cisco trunk inter-switch links, make sure that VLAN 1 is allowed (otherwise only non-standard BPDUs will be sent).
2) Take special care of the root and secondary root setup on VLAN 1, as Cisco and ProCurve switches will interoperate through the standard BPDUs.
3) To get faster convergence, set Rapid-PVST instead of PVST+ on Cisco switches.
4) On Cisco switches make sure to use the path cost long method.

Cisco ProCurve Design #2: PVST+ with load balancing

(diagram: Cisco switches running PVST+ or Rapid PVST+ act as STP root for VLANs 1,2,3, STP backup root for VLANs 1,2,3, STP backup root for VLANs 4,5,6 and STP root for VLANs 4,5,6; the ProCurve switches (802.1D, 802.1w or 802.1s) are dual-homed, with one Cisco-side port STP blocked for VLANs 1,2,3 and the other STP blocked for VLANs 4,5,6)

Be sure to tweak STP so that blocking occurs on the Cisco switches!!!

Pros: load balancing and PVST+ for the backbone
Cons: more complex to configure and troubleshoot

Cisco ProCurve Design #2: Cisco PVST+ view for VLAN 1

(diagram: the left Cisco switch is the STP root and the right Cisco switch the STP backup root (second lowest bridge ID); they are joined by po1 with STP port cost 20000. Each ProCurve switch connects via a24 to one of the ports Gig2/1 ... Gig2/8 of the left switch and via b24 to the corresponding port of the right switch, every gigabit link with STP port cost 20000; end user ports a1-a20,b1-b20,c1-c24,d1-d24. The ProCurve ports b24 are in the blocking state.)

IEEE BPDUs are exchanged between all switches.

1. Why are the ports b24 on the ProCurve switches in the blocking state and not the ports Gig 2/1 to Gig 2/8 on the right Cisco switch?

2. What do you have to change to block the ports Gig 2/1 and Gig 2/8 on the right Cisco switch?

(diagram, after the change: the STP port cost of po1 is raised from 20000 to 30000 while the gigabit links keep STP port cost 20000)

Cisco ProCurve Design #2: Cisco PVST+ view for all other VLANs

(diagram: seen from the Cisco switches only, the left switch is the STP root; po1 and each of the links through the ProCurve switches (Gig2/1 ... Gig2/8) have STP port cost 20000, so "lowest port ID wins"; the blocked ports are marked on the right Cisco switch)

1. Why might Spanning-Tree block the ports on po1 for the other VLANs?

2. How do you make sure that the ports Gig2/1 to Gig2/8 of the right Cisco switch are blocking and not po1?

All tagged Cisco PVST BPDUs, which are sent to the Cisco specific multicast MAC address 01:00:0c:cc:cc:cd, are forwarded unchanged by ProCurve switches like any other frame!!!

(diagram, after the change: the STP port cost of po1 is reduced from 20000 to 10000 while the gigabit links keep STP port cost 20000; the Gig2/x ports of the right Cisco switch are now marked blocking)

Cisco ProCurve Design #2: Design with RapidPVST+

(diagram: two Cisco switches (RapidPVST+) joined by po1, the left one STP root for VLANs 1,2,3 and the right one STP root for VLANs 4,5,6; each ProCurve switch (MSTP) connects via a24 and b24 to the Cisco ports Gig2/x, with the right Cisco Gig2/x ports STP blocked for VLANs 1-3 and the left Cisco Gig2/x ports STP blocked for VLANs 4-6; end user ports a1-a20,b1-b20,c1-c24,d1-d24)

Cisco 6506_left configuration:
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree pathcost method long
spanning-tree vlan 1-3 priority 0
spanning-tree vlan 4-6 priority 4096
interface Port-channel1
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-6
 switchport mode trunk
 spanning-tree vlan 1 cost 30000
 spanning-tree vlan 2-6 cost 10000
interface GigabitEthernet2/x
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-6
 switchport mode trunk

Cisco 6509_right configuration:
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree pathcost method long
spanning-tree vlan 1-3 priority 4096
spanning-tree vlan 4-6 priority 0
interface Port-channel1
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-6
 switchport mode trunk
 spanning-tree vlan 1 cost 30000
 spanning-tree vlan 2-6 cost 10000
interface GigabitEthernet2/x
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-6
 switchport mode trunk

PVST - MSTP Interoperability planning with load balancing

1) Start the setup as in the previous scenario.
2) If the Cisco switches are in the core, to get PVST load balancing:
   - Increase the cost of the inter-core link in VLAN 1 (e.g. 30000)
   - Reduce the cost of the inter-core link in the other VLANs (e.g. 10000)
3) Set the priorities on the root and secondary root to get load balancing between VLANs.
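The two questions on the Design #2 slides and the cost rules in the planning list above can be reproduced with a small STP port-role calculation. Added example, not code from the presentation: a plain 802.1D-style root-path-cost and priority-vector computation run over the Design #2 topology, once for the VLAN 1 view (ProCurve switches take part) and once for the other VLANs (PVST+ BPDUs tunnel through the ProCurves, so each one looks like a direct core-to-core link). Bridge MAC addresses and port numbers are constructed; the assumption that po1 carries a higher port number than the physical Gig2/x ports is what the slide's "lowest port ID wins" remark implies.

```python
INF = float("inf")


class Topology:
    """Bridges and point-to-point links with a per-end STP cost and port number."""

    def __init__(self):
        self.bridge_id = {}   # bridge name -> (priority, mac); lower wins
        self.port = {}        # (bridge, port) -> (cost, port id, peer (bridge, port))

    def add_bridge(self, name, priority, mac):
        self.bridge_id[name] = (priority, mac)

    def add_link(self, a, pa, cost_a, num_a, b, pb, cost_b, num_b):
        self.port[(a, pa)] = (cost_a, (128, num_a), (b, pb))
        self.port[(b, pb)] = (cost_b, (128, num_b), (a, pa))

    def compute_roles(self):
        """Return {(bridge, port): 'root' | 'designated' | 'alternate'}."""
        root = min(self.bridge_id, key=self.bridge_id.get)
        rpc = {n: (0 if n == root else INF) for n in self.bridge_id}   # root path cost
        root_port = {}
        changed = True
        while changed:                           # relax until every bridge is settled
            changed = False
            for name in self.bridge_id:
                if name == root:
                    continue
                best = None
                for (b, p), (cost, pid, (n, q)) in self.port.items():
                    if b != name or rpc[n] == INF:
                        continue
                    # 802.1D priority vector: cost, sender bridge, sender port, own port
                    cand = (rpc[n] + cost, self.bridge_id[n], self.port[(n, q)][1], pid, p)
                    if best is None or cand < best:
                        best = cand
                if best and (rpc[name], root_port.get(name)) != (best[0], best[4]):
                    rpc[name], root_port[name] = best[0], best[4]
                    changed = True
        roles = {}
        for (b, p), (cost, pid, (n, q)) in self.port.items():
            mine = (rpc[b], self.bridge_id[b], pid)
            peer = (rpc[n], self.bridge_id[n], self.port[(n, q)][1])
            if mine < peer:
                roles[(b, p)] = "designated"     # this end sends BPDUs onto the link
            elif root_port.get(b) == p:
                roles[(b, p)] = "root"
            else:
                roles[(b, p)] = "alternate"      # blocking
        return roles


def design2(view, po1_cost, procurves=8):
    """Design #2 core: Cisco-left (priority 0, root) and Cisco-right (4096) joined
    by po1; each ProCurve edge switch is dual-homed, a24 -> left Gig2/i and
    b24 -> right Gig2/i, all gigabit links with long-method cost 20000.
    view="vlan1": the ProCurves take part (IEEE BPDUs); view="other": PVST+
    BPDUs pass through the ProCurves, so each one looks like a direct link."""
    t = Topology()
    t.add_bridge("Cisco-left", 0, "0011.2200.0001")       # constructed MACs
    t.add_bridge("Cisco-right", 4096, "0011.2200.0002")
    # assumption: the port-channel's port number (100) is above the Gig2/x numbers
    t.add_link("Cisco-left", "po1", po1_cost, 100, "Cisco-right", "po1", po1_cost, 100)
    for i in range(1, procurves + 1):
        gig = f"Gig2/{i}"
        if view == "vlan1":
            pc = f"ProCurve-{i}"
            t.add_bridge(pc, 32768, f"0011.3300.000{i}")
            t.add_link("Cisco-left", gig, 20000, i, pc, "a24", 20000, 24)
            t.add_link("Cisco-right", gig, 20000, i, pc, "b24", 20000, 48)
        else:
            t.add_link("Cisco-left", gig, 20000, i, "Cisco-right", gig, 20000, i)
    return t


def blocking_ports(view, po1_cost):
    """Sorted (bridge, port) pairs that end up blocking for the given po1 cost."""
    roles = design2(view, po1_cost).compute_roles()
    return sorted(port for port, role in roles.items() if role == "alternate")


if __name__ == "__main__":
    for view, costs in (("vlan1", (20000, 30000)), ("other", (20000, 10000))):
        for cost in costs:
            print(view, "po1 cost", cost, "->", blocking_ports(view, cost))
```

With po1 at 20000 the right core has the same root path cost as the ProCurves and wins the tie on bridge ID, so b24 blocks; at 30000 the ProCurves have the better path and the right core's Gig2/x ports block. For the other VLANs the nine equal-cost parallel paths are decided by port ID until po1 is made cheaper (10000).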

4- Hardening Spanning-Tree

Spanning-Tree problems

Unstable STP can be caused by:
- Uni-directional links
- Rogue devices talking STP
- Permanent STP topology changes due to flapping ports or end user ports not set to edge mode (portfast)
- Loops not detected by STP

Spanning-Tree Hardening Features

ProCurve                                              | Cisco
Remote-Fault Notification (RFN) using Autonegotiation | Remote-Fault Notification (RFN) using Autonegotiation
Uni-directional Link Detection (UDLD)                 | Uni-directional Link Detection (UDLD)
BPDU-protection                                       | BPDU-Guard
Loop-protect                                          | Keepalive
Root-Guard                                            | Root-Guard
-                                                     | Loop-Guard

Why do Uni-directional Links cause Problems

- The root transmits BPDUs
- The neighbor doesn't receive them, thinks the root is dead and now claims to be the new root
- The bottom switch opens up its blocked port: loop in the network
- The network goes down; troubleshooting is very difficult

(diagram: three switches in a triangle with the TX and RX direction of every link marked; the link from the root is uni-directional)

Remote-Fault Notification (RFN) in the Auto-negotiation against Uni-directional Links

This feature works on Layer 1. RFN is optional but enabled by default on 1000BaseX on Cisco and ProCurve switches when auto-negotiation is used.
Recommendation: always use auto-negotiation on 1000BaseX connections.

Uni-directional Link Detection (UDLD)

UDLD works by exchanging protocol packets between the neighboring devices. For UDLD to work, both devices on the link must support UDLD and have it enabled on the respective ports. This feature works on Layer 2.

(diagram: Cisco to Cisco: "Hello, I am switch xyz, port abc" / "Acknowledge hello."; ProCurve to ProCurve: the same exchange; Cisco to ProCurve: does not work, as Cisco and ProCurve have different implementations)

Uni-directional Link Detection (UDLD)

UDLD performs tasks that auto-negotiation cannot perform, such as detecting the identities of neighbors and shutting down misconnected ports.

ProCurve, interface specific:
ProCurve(config)# interface a1
ProCurve(eth-a1)# link-keepalive
Recovery is done automatically.

Cisco, global for all fiber ports:
Cisco(config)# udld aggressive
Or interface specific:
Cisco(config)# interface gig0/2
Cisco(config-if)# udld port aggressive
Recovery configured globally:
Cisco(config)# errdisable recovery cause udld
Cisco(config)# errdisable recovery interval 300   (default)

BPDU-Guard, BPDU-protection

You should not allow STP BPDUs to be received on an end user port. Therefore enable this feature on all end user ports. If a BPDU is received, the port is put into the errdisable state (Cisco) or the port is disabled (ProCurve).

ProCurve, interface specific in global config:
ProCurve(config)# spanning-tree a1 bpdu-protection
Recovery configured globally:
ProCurve(config)# spanning-tree bpdu-protection-timeout 300

Cisco, global for all ports:
Cisco(config)# spanning-tree portfast bpduguard default
Or interface specific:
Cisco(config)# interface gig0/2
Cisco(config-if)# spanning-tree bpduguard enable
Recovery configured globally:
Cisco(config)# errdisable recovery cause bpduguard
Cisco(config)# errdisable recovery interval 300   (default)

Keepalive (Cisco), Loop-protect (ProCurve)

ProCurve, interface specific in global config:
ProCurve(config)# loop-protect a1
Recovery configured globally:
ProCurve(config)# loop-protect disable-timer 300

Cisco: keepalive is enabled by default on all copper ports.
Recovery configured globally:
Cisco(config)# errdisable recovery cause loopback
Cisco(config)# errdisable recovery interval 300   (default)

The ProCurve loop-protect feature is an edge-port feature and therefore not intended for inter-switch links.

Spanning-Tree Root-Guard

ProCurve, interface specific in global config:
ProCurve(config)# spanning-tree a1 root-guard
Recovery is done automatically.

Cisco, interface specific:
Cisco(config)# interface gig0/2
Cisco(config-if)# spanning-tree guard root
Recovery is done automatically.

Hardening Spanning-Tree on ProCurve switches

ProCurve 5406zl configuration:
vlan 1
   name management
   untag a24,b24
   ip address 10.1.1.1 255.255.255.0
vlan 2
   tagged a24,b24
vlan 3
   tagged a24,b24
vlan 4
   tagged a24,b24
vlan 5
   tagged a24,b24
vlan 6
   tagged a24,b24
spanning-tree
spanning-tree a1-a20,b1-b20,c1-c24,d1-d24 admin-edge-port
spanning-tree a1-a20,b1-b20,c1-c24,d1-d24 bpdu-protection
spanning-tree bpdu-protection-timeout 300
loop-protect a1-a20,b1-b20,c1-c24,d1-d24
loop-protect disable-timer 300

Diagram: two Cisco switches running Rapid-PVST+ (joined by po1, Gig2/x links) are the STP root for VLANs 1, 2, 3, 4, 5 and 6; the ProCurve 5406zl running MSTP connects to them on uplinks a24 and b24 (labelled "STP Root Guard"), an X marks the blocked link, and ports a1-a20,b1-b20,c1-c24,d1-d24 are the hardened edge ports.
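To check that a hardening configuration like the one above is internally consistent, here is an added Python example (not HP's code and not part of the deck): it expands ProCurve port ranges, then verifies that every admin-edge-port also has bpdu-protection and loop-protect and that no uplink tagged in a VLAN carries any of the edge settings. The config excerpt inside it is constructed from the slide.

```python
"""Audit ProCurve edge-port hardening in a running-config excerpt.
Added example, not HP's code: it checks the intent of the 5406zl slide, i.e.
every admin-edge-port also has bpdu-protection and loop-protect, and no port
that is tagged in a VLAN (an uplink) carries any of the three edge settings."""
import re

# Constructed from the slide's 5406zl configuration, one statement per line.
SAMPLE_CONFIG = """\
vlan 1
   name management
   untagged a24,b24
   ip address 10.1.1.1 255.255.255.0
vlan 2
   tagged a24,b24
spanning-tree
spanning-tree a1-a20,b1-b20,c1-c24,d1-d24 admin-edge-port
spanning-tree a1-a20,b1-b20,c1-c24,d1-d24 bpdu-protection
spanning-tree bpdu-protection-timeout 300
loop-protect a1-a20,b1-b20,c1-c24,d1-d24
loop-protect disable-timer 300
"""

def expand_ports(spec):
    """Expand a ProCurve port list such as 'a1-a20,b24' into a set of ports."""
    ports = set()
    for item in spec.split(","):
        m = re.fullmatch(r"([a-z]+)(\d+)(?:-([a-z]+)(\d+))?", item.strip())
        if not m or (m.group(3) and m.group(3) != m.group(1)):
            raise ValueError("unsupported port spec: %r" % item)
        slot, lo, _, hi = m.groups()
        for n in range(int(lo), int(hi or lo) + 1):
            ports.add("%s%d" % (slot, n))
    return ports

def audit(config):
    """Return findings as sets of port names; all empty means consistent."""
    edge, bpdu, loop, uplinks = set(), set(), set(), set()
    for line in config.splitlines():
        tok = line.split()
        if len(tok) == 2 and tok[0] == "tagged":        # VLAN member list
            uplinks |= expand_ports(tok[1])
        elif len(tok) == 3 and tok[0] == "spanning-tree":
            if tok[2] == "admin-edge-port":
                edge |= expand_ports(tok[1])
            elif tok[2] == "bpdu-protection":
                bpdu |= expand_ports(tok[1])
        elif len(tok) == 2 and tok[0] == "loop-protect":
            loop |= expand_ports(tok[1])
    return {
        "edge_without_bpdu_protection": edge - bpdu,
        "edge_without_loop_protect": edge - loop,
        "uplink_with_edge_settings": uplinks & (edge | bpdu | loop),
    }
```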

5- Layer-2 Discovery Protocols

CDP and LLDP

ProCurve
CDP is enabled by default on all ports in receive mode only; transmitting CDP packets is no longer supported. LLDP is enabled by default on all ports.

Cisco
CDP is enabled by default on all ports.
LLDP support started on Cisco Catalyst 2960, 3560 and 3750 switches running 12.2(37)SE (without SNMP MIB support) and on the Cisco Catalyst 6500 running 12.2(33)SXH.

Diagram: a ProCurve switch (LLDP TX, CDP RX, CDP table and CDP MIB) connected to a Cisco switch (CDP TX, CDP RX, CDP table and CDP MIB).
- On the Cisco switch the ProCurve switch is NOT visible in the CDP table. On Cisco switches with LLDP support the ProCurve switch is visible in the LLDP table, but the LLDP MIB is not yet supported.
- On the ProCurve switch the Cisco switch is visible in both the LLDP and the CDP table, as entries are cross-populated.

6- Gateway Redundancy Protocols

HSRP - VRRP

Hot Standby Routing Protocol (HSRP)

Cisco informational RFC 2281 (March 1998)
A group of routers function as one virtual router by sharing ONE virtual IP address and ONE virtual MAC address.

Active HSRP router (Cisco): IP 10.1.1.2, MAC 0000.0c12.3456, vIP 10.1.1.1, vMAC 0000.0c07.ac00
Standby HSRP router (Cisco): IP 10.1.1.3, MAC 0000.0c78.9abc, vIP 10.1.1.1, vMAC 0000.0c07.ac00
Client: IP 10.1.1.21, MAC aaaa.aaaa.aaaa, GW 10.1.1.1, ARP 0000.0c07.ac00

One active router performs packet forwarding for the local hosts. The rest of the routers provide hot standby in case the active router fails. Standby routers stay idle as far as packet forwarding from the client side is concerned.
The virtual IP address is always pingable and answers SNMP requests.

HSRP configuration example on Cisco switches

Active HSRP router:
interface vlan1
 ip address 10.1.1.2 255.255.255.0
 standby 1 ip 10.1.1.1
 standby 1 priority 200
 standby 1 preempt

Standby HSRP router:
interface vlan1
 ip address 10.1.1.3 255.255.255.0
 standby 1 ip 10.1.1.1
 standby 1 priority 190
 standby 1 preempt

Virtual Router Redundancy Protocol (VRRP)

IETF standard RFC 2338, RFC 3768 (April 1998, April 2004)
A group of routers function as one virtual router by sharing ONE virtual IP address and ONE virtual MAC address.

Master VRRP router (ProCurve), owner of the vIP address: IP 10.1.1.1, MAC 0000.0c12.3456, vIP 10.1.1.1, vMAC 0000.5e00.0101
Backup VRRP router (ProCurve), non-owner of the vIP address: IP 10.1.1.2, MAC 0000.0c78.9abc, vIP 10.1.1.1, vMAC 0000.5e00.0101
Client: IP 10.1.1.21, MAC aaaa.aaaa.aaaa, GW 10.1.1.1, ARP 0000.5e00.0101

One master router performs packet forwarding for the local hosts. The rest of the routers provide backup in case the master router fails. Backup routers stay idle as far as packet forwarding from the client side is concerned.
The virtual IP address is only pingable and answers SNMP requests on the VRRP owner.

VRRP configuration example on ProCurve switches 3500yl, 5400zl, 6200yl

VRRP master router:
router vrrp
vlan 1
 ip address 10.1.1.1 255.255.255.0
 vrrp vrid 1
  owner
  virtual-ip-address 10.1.1.1
  priority 255
  enable
  exit
 exit

VRRP backup router:
router vrrp
vlan 1
 ip address 10.1.1.2 255.255.255.0
 vrrp vrid 1
  backup
  virtual-ip-address 10.1.1.1
  priority 100
  enable
  exit
 exit

7- PoE, QoS and IP phones

Multi-vendor support
Shared connections for PC and IP phone
How does an IP phone auto-configure the voice VLAN and QoS?
1. Auto-configure the voice VLAN and L2/L3 QoS using LLDP-MED (ProCurve switches) or CDPv2 (Cisco switches)
2. Many phones support a vendor-specific DHCP process for auto-configuration
   - Avaya, Alcatel, Mitel, Siemens, ShoreTel etc.
   - The DHCP server on the data VLAN advertises the voice VLAN ID and QoS
   - For Cisco, set the admin VLAN ID via the Network Configuration setup when connecting to a Cisco network
3. One-time manual configuration

Diagram: the IP phone (untagged data VLAN, tagged voice VLAN) with the PC cascaded behind it (untagged data VLAN), connected through the IP network to the DHCP server and the IP PBX.

VLAN configuration comparison: switch-to-IP-phone connection with PC

ProCurve
vlan 2
 untagged a1
vlan 3
 voice
 tagged a1

Cisco
interface GigabitEthernet 1/20
 switchport
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 3

ProCurve port a1 advertises via LLDP-MED: Voice VLAN ID=3, Mode: tagged.
Cisco port G1/20 advertises via CDPv2: Voice VLAN ID=3, Mode: tagged, and via LLDP-MED: Voice VLAN ID=3, Mode: tagged.
LLDP-MED support started on Cisco Catalyst 3560, 3750, 2960 and 2970 switches running 12.2(37)SE and on the Cisco Catalyst 6500 running 12.2(33)SXH.

This shows how to configure the switch port for an IP phone (hard phone) with a PC cascaded behind it. On the ProCurve side, port a1 is configured as an untagged member of VLAN 2, the VLAN for the PC, and as a tagged member of VLAN 3, the VLAN ID the IP phone uses to send and receive its traffic. So that the phone can learn the VLAN ID it has to use, VLAN 3 is configured as a voice VLAN, which makes the switch send out LLDP-MED frames once an IP phone with LLDP-MED support is detected. On the Cisco side the interface is configured with access VLAN 2 for the PC and voice VLAN 3 for the IP phone. On older IOS versions this makes the switch send out Cisco-proprietary CDPv2 information including the voice VLAN ID; current IOS versions also send out LLDP-MED frames.

Cisco IP phone boot process: CDPv2 and pre-standard PoE

Sequence between a Cisco 7960G / 7940G phone, the switch, the DHCP server, the TFTP server and the Cisco CallManager:
1. Cisco pre-standard PoE: the switch sends a Fast Link Pulse; the phone reflects the Fast Link Pulse
2. CDP: power requirement (phone to switch); CDP: voice VLAN ID (switch to phone)
3. DHCP request in the voice VLAN; DHCP response: IP address, gateway, TFTP server
4. TFTP request for configuration; TFTP transfer of the configuration
5. SCCP or SIP registration with the CallManager

Cisco IP phone boot process: LLDP-MED and 802.3af PoE

LLDP-MED is supported in the following models since release 8.3(3): 7906G, 7911G, 7931G, 7941G/7941G-GE, 7942G, 7945G, 7961G/7961G-GE, 7962G, 7965G, 7970G/7971G-GE, 7975G

Sequence between a Cisco 7941/42/61/62G, 7945/65G or 7970/71/75G phone, the switch, the DHCP server, the TFTP server and the Cisco CallManager:
1. IEEE 802.3af: the switch applies voltage and classifies the device; the phone returns current
2. LLDP-MED: PoE requirement, firmware, serial number (phone to switch); LLDP-MED: voice VLAN ID, etc. (switch to phone); CDPv2 is still supported
3. DHCP request in the voice VLAN; DHCP response: IP address, gateway, TFTP server
4. TFTP request for configuration; TFTP transfer of the configuration
5. SCCP or SIP registration with the CallManager

LLDP example

ProCurve Switch 5406zl# show run
vlan 3
   name "data"
   untag a1, ...
   exit
vlan 6
   name "IP phone"
   qos priority 6
   tagged a1, ...
   voice
   exit

ProCurve port a1 advertises to the Cisco IP phone via LLDP-MED: Voice VLAN ID=3, Mode: tagged

ProCurve Switch 5406zl# show vlan port a1 detailed
 Status and Counters - VLAN Information - for ports A1
  VLAN ID Name                 | Status     Voice Jumbo Mode
  ------- -------------------- + ---------- ----- ----- --------
  3       data                 | Port-based No    No    Untagged
  6       IP phone             | Port-based Yes   No    Tagged

ProCurve Switch 5406zl# show lldp info remote-device
 LLDP Remote Devices Information
  LocalPort | ChassisId    PortId PortDescr SysName
  --------- + ------------ ------ --------- ----------------------
  A1        | 192.168.0.33 000... SW PORT   SEP000F2322DDAA.cis...

Display detailed LLDP information

ProCurve Switch 3500yl-24G# show lldp info remote-device a1
 LLDP Remote Device Information Detail
  Local Port   : A1
  ChassisType  : network-address
  ChassisId    : 192.168.0.33
  PortType     : local
  PortId       : 000F2322DDAA:P1
  SysName      : SEP000F2322DDAA.cisco.com
  System Descr : Cisco IP Phone CP-7970G,V, SIP70.8-3-3S
  PortDescr    : SW PORT

  System Capabilities Supported : bridge, telephone
  System Capabilities Enabled   : bridge, telephone

  Remote Management Address
     Type    : ipv4
     Address : 192.168.0.33

  MED Information Detail
    EndpointClass          :Class3
    Media Policy Vlan id   :6
    Media Policy Priority  :6
    Media Policy Dscp      :0
    Media Policy Tagged    :True
    Poe Device Type        :PD
    Power Requested        :63
    Power Source           :From PSE
    Power Priority         :Unknown

HP ProCurve Confidential

Enabling QoS in the access layer
Congestion scenario: data + VoIP

Diagram: the access switch is connected to the IP phone's integrated 3-port switch (P0, P1, P2), with the PC behind the phone; voice needs at most 80 Kbps, data up to 100 Mbps. Potential congestion points are marked on the phone uplink and the access switch port.

During data traffic bursts, buffers can become congested, causing voice packets to be dropped.

Different traffic needs different prioritization

Diagram: IP PBX in the IP network; IP phone A, IP phone B and a PC with softphone exchange signaling (SIP, H.323, Skinny (SCCP)) with the IP PBX; the voice stream (RTP) runs directly between the phones; the PCs exchange data.

QoS defaults on ProCurve

L2 QoS (802.1p) is trusted by default: if the phone sends tagged frames with an 802.1p priority, that priority is trusted and no additional setup is needed.
L3 QoS (DSCP) is trusted once it has been enabled:
qos type-of-service diff-services
A mapping between DSCP and 802.1p has to exist:
show qos dscp-map

QoS classification #1 for hard phones (no trust)

Enabling recognition of L3 QoS / DSCP code points:
qos type-of-service diff-services

Classification based on VLANs, overriding the DSCP bits (marking):
vlan 1
   name data
   untagged a1-a20,b1-b20,c1-c24,d1-d24,e1-e24,f1-f24
   tagged a24,b24
   qos dscp 000000          (0)
vlan 2
   name voice
   tagged a1-a20,a24,b1-b20,b24,c1-c24,d1-d24,e1-e24,f1-f24
   qos dscp 101110          (46)

Mapping of DSCP values to the queues:
qos dscp-map 000000 priority 0 name BE
qos dscp-map 101110 priority 7 name EF

8- Network Access Control

Diagram: multi-user authentication on the same port (802.1X, MAC auth., Web auth.); the switch authenticates via RADIUS against the user database (LDAP, AD, flat file) through IDM and applies VLAN, QoS, ACL and rate-limit per user; LLDP-MED and IEEE 802.3af towards the IP phone; RFC 4675 for the VLAN assignment.

1. Secure authentication of IP phone and PC over a single connection: 802.1X, MAC, Web
2. LLDP-MED to auto-provision the phone with voice VLAN and QoS
3. LLDP-MED for detailed topology, phone inventory management, location, ...
4. Dynamic assignment of untagged data and tagged voice VLAN according to RFC 4675

Deep Dive on NAC

There is more interest across EMEA in supporting the provisioning of location information in phones, for use in E-112 emergency calls. The switch port is fixed when provisioned (unlike the phone or user), so it is the best place to hold the location; LLDP-MED then communicates the information to the phone. This is especially true when considering VoWiFi / PDAs, where the best way is the wireless network controller.

ProCurve is working to extend LLDP-MED to support physical location suitable for use by WLAN and other wireless standards.

------------------------

Legacy PBX, E911: the physical location corresponded to the phone number (static); moving a phone required manual re-provisioning.

IP telephony challenge:
- Users can pick up phones and simply move them (just like a PC).
- Every access network, without exception, must provide a means to obtain the location.
- Self-reported location is notoriously inaccurate, especially for roaming or nomadic users.
- LLDP-MED can enable automatic physical location acquisition, but

802.1X multi-user authentication with Cisco IP phone and Windows PC

5406zl# show port-access authenticator a1 clients
 Port Access Authenticator Client Status
  Port Client Name             MAC Address   IP Address    Session Status
  ---- ----------------------- ------------- ------------- --------------
  a1   CP-7970G-SEP000F2322... 000f23-22ddaa n/a           Open
  a1   PROCURVE\aeinstein      0010a4-a75fc5 n/a           Open

5406zl# show port-access authenticator a1 clients detailed
 Port Access Authenticator Client Status Detailed
  Client Base Details :
   Port            : a1
   Session Status  : Open                      Session Time(sec) : 0
   Frames In       : 0                         Frames Out        : 0
   Username        : CP-7970G-SEP000F2322...   MAC Address       : 000f23-22ddaa
   IP              : n/a
  Access Policy Details :
   COS Map         : 00000000                  In Limit %        : 0
   Tagged VLANs    : 6                         Out Limit %       : 0
   RADIUS-ACL List : No Radius ACL List

  Client Base Details :
   Port            : a1
   Session Status  : Open                      Session Time(sec) : 0
   Frames In       : 0                         Frames Out        : 0
   Username        : PROCURVE\aeinstein        MAC Address       : 0010a4-a75fc5
   IP              : n/a
  Access Policy Details :
   COS Map         : 00000000                  In Limit %        : 0
   Untagged VLAN   : 3                         Out Limit %       : 0
   RADIUS-ACL List : No Radius ACL List

9- Layer 2 and Layer 3 interfaces

Layer-2 interfaces

ProCurve
Layer-2 port configuration:
vlan 1
 untagged a1
Enabled layer-2 protocols by default:
- HP stacking (on most switches)
- LACP passive (on some switches)
- LLDP

Cisco
Layer-2 port configuration:
interface GigabitEthernet 1/20
 switchport
Enabled layer-2 protocols by default:
- Cisco DTP protocol
- Cisco VTP protocol
- Cisco PVST+ protocol
- Cisco CDP protocol
- Keepalive (on copper ports)

Layer-3 interfaces

Diagram: User Network 1 (2.2.2.0/24) - ProCurve (Vlan100: 1.1.1.2) - Transfer Network 1.1.1.0/30 - Cisco (int g1/20: 1.1.1.1) - User Network 2 (3.3.3.0/24)

Layer-3 interfaces

ProCurve
Layer-3 port configuration (a separate VLAN for the layer-3 transfer subnet needs to be created):
vlan 100
 untagged a1
 ip address 1.1.1.2 255.255.255.252
Enabled layer-2 protocols by default:
- HP stacking (on most switches)
- LLDP
Layer-2 protocols to be disabled per port if globally enabled:
Spanning-tree: (config)# spanning-tree a1 bpdu-filter
GVRP: (config)# interface a1
      (config-eth-a1)# unknown-vlans disable

Cisco
Layer-3 port configuration:
interface GigabitEthernet 1/20
 no switchport
 ip address 1.1.1.1 255.255.255.252
Enabled layer-2 protocols by default:
- Cisco CDP protocol
- Keepalive (on copper ports)

10- IP Routing

OSPF

Diagram: OSPF area 0. User Network 1 (2.2.2.0/24) - ProCurve (Vlan1: 1.1.1.1) - Transfer Network 1.1.1.0/30 - Cisco (int Vlan1: 1.1.1.2) - User Network 2 (3.3.3.0/24)

OSPF

ProCurve
router ospf
 area 0
interface loopback 1
 ip address 99.99.99.1
 ip ospf 99.99.99.1 area 0
vlan 1
 ip address 1.1.1.1 255.255.255.0
 ip ospf 1.1.1.1 area 0
 ip ospf cost 10
vlan 2
 ip address 2.2.2.1 255.255.255.0
 ip ospf 2.2.2.1 passive
 ip ospf 2.2.2.1 area 0
 ip ospf cost 10

Cisco
router ospf 1
 passive-interface Vlan3
 network 1.1.1.2 0.0.0.0 area 0
 network 3.3.3.1 0.0.0.0 area 0
 network 99.99.99.2 0.0.0.0 area 0
interface Loopback1
 ip address 99.99.99.2 255.255.255.255
 ip ospf cost 10
interface Vlan1
 ip address 1.1.1.2 255.255.255.0
 ip ospf cost 10
interface Vlan3
 ip address 3.3.3.1 255.255.255.0
 ip ospf cost 10

OSPF differences
- Cisco: OSPF is enabled globally with a network statement; ProCurve: OSPF is enabled on the VLAN
- Redistribution differences
- ProCurve: always NBMA
- Cisco: the highest loopback IP is used as the router ID; ProCurve: the lowest loopback IP is used as the router ID
- ProCurve: the loopback always has a /32 mask
- ProCurve: the OSPF link cost is 1 by default (same on Cisco VLAN interfaces)

ACL on ProCurve
The ProCurve OS supports:
- Standard and extended ACLs
- Numbered (1-99, 100-200) and named ACLs
- Routed ACLs (applied to inbound and outbound routed traffic)
- VLAN ACLs (applied to inbound switched traffic)
- Static and dynamic port ACLs (applied to inbound switched traffic)

Diagram: routed ACLs act at L3; port ACLs and VLAN ACLs act at L2.

ACL on ProCurve
ACL example
ProCurve(config)# ip access-list extended visitors
ProCurve(config-acl)# deny ip any 10.0.0.0/8
ProCurve(config-acl)# permit udp any any eq dns
ProCurve(config-acl)# permit tcp any any eq http
ProCurve(config-acl)# deny ip any any log
ProCurve(config-acl)# exit
ProCurve(config)# vlan 100 ip access-group visitors in

Manage ACL on ProCurve

ACL entries are numbered.
ProCurve(config)# show access-list config
ip access-list extended "visitors"
   10 deny ip 0.0.0.0 255.255.255.255 10.0.0.0 0.0.0.255
   20 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq dns
   30 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq http
   40 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 log
   exit

Sequence numbers can be changed and used for insertion and removal.
E.g. insert an entry (numbers are assigned in steps of 10):
ProCurve(config-acl)# 5 permit ip any host 10.1.234.172
ProCurve(config-acl)# 25 remark permit dns and http

E.g. remove an entry:
ProCurve(config-acl)# no 20
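As an added example (not code from the deck or from HP), the following Python models the numbered-ACL editing shown on these slides and evaluates the visitors ACL against constructed sample packets; it shows why the inserted entry 5 must sit before entry 10 for traffic to host 10.1.234.172 to get through, and what 'no 20' does to DNS.

```python
"""ProCurve-style numbered ACL: sequence-number editing and first-match lookup.
Added example, not HP's code; it models the slides' numbering rules."""
import ipaddress

def _net(spec):
    """'any', 'host A.B.C.D' or CIDR -> ip_network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec[5:] + "/32")
    return ipaddress.ip_network(spec, strict=False)

class Acl:
    def __init__(self, name):
        self.name = name
        self.entries = {}  # seq -> (action, proto, src_net, dst_net, port)

    def add(self, action, proto, src, dst, port=None, seq=None):
        """Append at the next multiple of 10, or insert at an explicit seq."""
        if seq is None:
            seq = (max(self.entries, default=0) // 10 + 1) * 10
        if seq in self.entries:
            raise ValueError("sequence %d already in use" % seq)
        self.entries[seq] = (action, proto, _net(src), _net(dst), port)
        return seq

    def remove(self, seq):  # the 'no <seq>' form shown on the slide
        del self.entries[seq]

    def match(self, proto, src, dst, port=None):
        """First matching entry wins; the ACL ends with an implicit deny."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for seq in sorted(self.entries):
            action, p, s, d, prt = self.entries[seq]
            if p in ("ip", proto) and src in s and dst in d and prt in (None, port):
                return action, seq
        return "deny", None

    def render(self):
        """Text like 'show access-list config': address then wildcard mask."""
        out = ['ip access-list extended "%s"' % self.name]
        for seq in sorted(self.entries):
            a, p, s, d, prt = self.entries[seq]
            out.append("%d %s %s %s %s %s %s%s" % (seq, a, p, s.network_address,
                       s.hostmask, d.network_address, d.hostmask,
                       " eq %s" % prt if prt else ""))
        return "\n".join(out + ["exit"])

def visitors_acl():
    """The 'visitors' ACL from the slides, plus the insertion shown later."""
    acl = Acl("visitors")
    acl.add("deny", "ip", "any", "10.0.0.0/8")                  # seq 10
    acl.add("permit", "udp", "any", "any", port="dns")          # seq 20
    acl.add("permit", "tcp", "any", "any", port="http")         # seq 30
    acl.add("deny", "ip", "any", "any")                         # seq 40 (log)
    acl.add("permit", "ip", "any", "host 10.1.234.172", seq=5)  # before 10
    return acl
```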

Create an ACL offline and load it into the running config

For a large ACL use the offline method to edit your ACL:
1. Move your existing ACL, if any, to a TFTP server:
ProCurve# copy command-output 'show access-list config' tftp 10.1.1.100 acl02.txt pc
2. Edit the ACL offline using a text (.txt) file format.
3. Use TFTP to load the offline ACL into the switch's running-config:
ProCurve(config)# copy tftp command-file 10.10.10.1 acl02.txt pc
Running configuration may change, do you want to continue [y/n]? Y

Conclusion

Conclusion
- Interoperability works!
- VLAN interoperability is quite easy to manage
- For link aggregation use no protocol or LACP
- Pay special attention to Spanning-Tree: prefer MSTP whenever possible, or Rapid-PVST on Cisco with RSTP/MSTP on ProCurve; make sure VLAN 1 is allowed on Cisco trunks
- IP routing protocols interoperate

For further interoperability questions

For further questions about Cisco to ProCurve interoperability projects, please contact:
- in every EMEA country: the ProCurve EMEA Technical Consultants
- in EMEA: Jean-Maurice Mérel, CCIE #9285, jean-maurice.merel@hp.com, +33 6 86 46 64 90