
HP Access Layer Network Technologies using ProVision Software

Student guide

HK651S A.03 [00646061]

Use of this material to deliver training without prior written permission from HP is prohibited.

Copyright 2013 Hewlett-Packard Development Company, L.P.


The information contained herein is subject to change without notice. The only warranties for HP
products and services are set forth in the express warranty statements accompanying such products and
services. Nothing herein should be construed as constituting an additional warranty. HP shall not be
liable for technical or editorial errors or omissions contained herein.
This is an HP copyrighted work that may not be reproduced without the written permission of HP. You
may not use these materials to deliver training to any person outside of your organization without the
written permission of HP.
Microsoft, Windows, Windows NT are U.S. registered trademarks of Microsoft Corporation.
UNIX is a registered trademark of The Open Group.
Export Compliance Agreement
Export Requirements. You may not export or re-export products subject to this agreement in violation of
any applicable laws or regulations.
Without limiting the generality of the foregoing, products subject to this agreement may not be
exported, re-exported, otherwise transferred to or within (or to a national or resident of) countries under
U.S. economic embargo and/or sanction including the following countries:
Cuba, Iran, North Korea, Sudan and Syria.
This list is subject to change.
In addition, products subject to this agreement may not be exported, re-exported, or otherwise
transferred to persons or entities listed on the U.S. Department of Commerce Denied Persons List; U.S.
Department of Commerce Entity List (15 CFR 744, Supplement 4); U.S. Treasury Department
Designated/Blocked Nationals exclusion list; or U.S. State Department Debarred Parties List; or to parties
directly or indirectly involved in the development or production of nuclear, chemical, or biological
weapons, missiles, rocket systems, or unmanned air vehicles as specified in the U.S. Export
Administration Regulations (15 CFR 744); or to parties directly or indirectly involved in the financing,
commission or support of terrorist activities.
By accepting this agreement you confirm that you are not located in (or a national or resident of) any
country under U.S. embargo or sanction; not identified on any U.S. Department of Commerce Denied
Persons List, Entity List, US State Department Debarred Parties List or Treasury Department Designated
Nationals exclusion list; not directly or indirectly involved in the development or production of nuclear,
chemical, biological weapons, missiles, rocket systems, or unmanned air vehicles as specified in the U.S.
Export Administration Regulations (15 CFR 744), and not directly or indirectly involved in the financing,
commission or support of terrorist activities.
Printed in US
HP Access Layer Network Technologies using ProVision Software
Student guide
June 2013

Contents

Introduction
Welcome to HP Access Layer Network Technologies using ProVision Software
Prerequisites and ongoing learning opportunities
Certification
Four days of training
Today's agenda

Module 1: Basic Switch Setup


Module 1 objectives
Lab equipment for this course
Introducing the HP E8212 zl switch
Introducing the HP E5406 zl switch
Port names on E8200 zl and E5400 zl switches
Introducing the HP E3500-24G-PoE yl switch
Prework review activity: Introduction to VLANs
Interfaces for initial configuration
Introducing the HP E-Series switch CLI: Facilitator demonstration
Verifying connectivity
Using LLDP to learn about neighboring switches
SMB scenario for lab activities
Lab Activity 1
Lab Activity 1 debrief
Learning check

Module 2: Managing Switch Software and Configuration Files


Module 2 objectives
Software image architecture
Viewing software versions
Installing a new image from a USB drive
Configuration file architecture
Two ways to erase the startup configuration
Backing up and restoring configuration files using a USB drive
Managing multiple configuration files
Using a different configuration file
Displaying events in the system log
Port status and counters
Lab Activity 2
Lab Activity 2 debrief
Learning check
Rev. 10.41


Module 3: Configuring VLANs and IP Services


Module 3 objectives
Prework review activity: VLANs
Lab Activity 3 preview
Lab activity preview: Configuring VLANs and IP services
Final lab topology
VLANs on each switch
Steps to configure VLANs
Steps to configure IP interfaces on Router
Commands to confirm VLAN and IP interface configuration
Configuring IP services: DHCP
Configuring IP services: Syslog
Configuring IP services: SNTP
Configuring IP services: DNS
Configuring IP services: Back up to TFTP server
Copying command output to a TFTP server
Using show tech
Exploring remote management
Troubleshooting connectivity: Tools
More information about these troubleshooting commands
Troubleshooting connectivity: Process
Lab Activity 3
Lab Activity 3 debrief
Learning check

Module 4: Configuring Device Access Security


Module 4 objectives
Prework review activity: Physical security
Management users
Local or remote authentication
Advantages and disadvantages of remote authentication
Configuring passwords on the switch (local)
Remote authentication
Access level
Method of authentication
Authentication server settings on the switch
Disable the Clear and Reset buttons
Password Recovery
Disable USB Port
Save security settings in configuration files: the include credentials command
Limit managers by IP address
Secure management VLAN
Prework review activity: Secure management
Enabling SSH
Disabling Telnet

Configuring SSL
Disabling HTTP
Configuring SFTP
SNMP overview
SNMP reference
Configure SNMPv2c
Enable SNMPv3 and create a username
Assign the username to an SNMPv3 group
Lab 4 Activity
Lab Activity 4 debrief
Learning check

Module 5: Configuring Link Aggregation


Module 5 objectives
Prework review activity: Link aggregation
Lab Activity 5 preview
Lab activity preview: Configuring link aggregation
Final lab topology
Configuring port trunking
Choosing a trunking protocol
HP E-Series trunking support
How port trunking affects VLAN membership
Viewing trunk status
Examining load sharing
Lab Activity 5
Lab Activity 5 debrief
Learning check

Module 6: Configuring Spanning Tree


Module 6 objectives
Prework review activity: Spanning Tree
Lab activity 6 preview
Lab activity preview: Configuring single-instance Spanning Tree
Final lab topology
Steps in single-instance configuration
Setting Bridge Priority
Enabling Spanning Tree
Spanning Tree details for Root Bridge
Spanning Tree details for non-Root Bridge
Lab Activity 6.1
Lab Activity 6.1 debrief
Lab activity preview: Configuring Multiple Spanning Tree
Steps in MSTP configuration
MST configuration parameters
Bridge Priority for MST instances

Viewing MST configuration
MSTP enhancement in E-Series switches
Viewing MST instance forwarding paths
Troubleshooting MSTP
Lab Activity 6.2
Lab Activity 6.2 debrief
Learning check

Module 7: Configuring IP Routing


Module 7 objectives
Prework review activity: Routing
Lab 7 activity preview: Planning IP routing
Lab activity preview: IP addressing
Lab activity preview: Configuring IP static routing
Final lab topology in your group
Steps in static routing configuration
Configuring static routes
Connecting to Classroom Core
Final topology connects all groups
Using Wireshark
Lab Activity 7.1
Lab Activity 7.1 debrief
Learning activity: RIP
Dynamic routing
Types of dynamic routing protocols
HP E-Series support
RIP and OSPF comparison
RIP update example
Split Horizon and Poison Reverse
Redistributing routes
Lab activity preview: Configuring dynamic routing with RIP
Implementing RIP
RIP versions
Enabling RIP on Router_1
Enabling RIP on Router_2
Options for show ip rip
show ip rip for Router_1
show ip route for Router_1
Lab Activity 7.2
Lab Activity 7.2 debrief
Learning check


Module 8: Providing Mobility to SMBs


Module 8 objectives
Prework review activity: Wireless networks
Lab activity 8 preview
Lab activity preview: Adding a standalone HP E-MSM AP
Final lab topology
Assess the mobility solution requirements
Scenario
Configuring PoE
Other uses for PoE
Accessing a new HP E-MSM AP
Direct connection at the default IP address
Indirect connection at the default IP address
Indirect connection at a DHCP-assigned IP address
Logging in to the Web browser interface
Converting the HP E-MSM AP to standalone mode
Completing the HP E-MSM AP initial configuration
Configuring VLANs
Creating a VSC
Lab Activity 8
Lab Activity 8 debrief
Learning check

Module 9: Managing and Monitoring SMB Networks with HP ProCurve Manager

Module 9 objectives
Why use PCM+?
What is PCM+
PCM+ versus PCM features
Discovery
Device management
Monitoring, analysis, and troubleshooting
PCM+ plug-ins
HP Mobility Manager 3.0
Identity Driven Management (IDM) 3.0
Network Immunity Manager (NIM) 2.0
PCM+ architecture
PCM+ architecture (cont.)
Maximum supported devices
Use model
Lab Activity 9 preview
Installation requirements
Installing the PCM+ server
Installation considerations
Installing remote PCM+ agents: Run the installation

Installing remote PCM+ clients
Open firewalls and install the PCM+ client
Allow the client to access the server
Allow a client without a fixed IP address to access the server
Logging in to PCM+
Beginning to monitor and manage devices
Navigate the interface
View device status
Manage devices
PCM+ device discovery
PCM+ discovery methods
Neighbor discovery
ARP discovery
Ping sweep
Device attribute discovery
Discovered devices
Configuring discovery settings
Managing PCM+ users
Lab Activity 9
Lab Activity 9 debrief
Learning check

Module 10: Introduction to Network Design


Module 10 objectives
Name that device!
Examples of HP E-Series switches
HP E-Series product matrix
Key differentiator: Scalability
Key design feature: 10-GbE connectivity
Network design examples
Network design example 1
VRRP reference information
Possible discussion questions
Network design example 2
VRRP reference information
Possible discussion questions
Network design example 3
Possible discussion questions
Group Activity: Designing networks with HP E-Series switches
Exercise instructions
Scenario
Goal
Scenario details
Worksheets


Next steps: HP AIS Network Infrastructure certification training
Next steps: HP AIS Network Infrastructure certification test
Continued learning
Additional learning resources: HP networking documentation
My Networking Portal
Learning check

Appendix A: CLI Job Aid


Appendix B: Mobility Job Aids
Appendix C: Learning Check Answers


Introduction

Welcome to HP Access Layer Network Technologies using ProVision Software

HP Access Layer Network Technologies using ProVision Software can provide you
with the skills necessary to deploy and configure HP E-Series switches to meet the
basic connectivity needs of today's small-to-medium businesses (SMB). Emphasizing
hands-on lab activities and interactive classroom exercises, HP Access Layer Network
Technologies using ProVision Software covers key elements of switch operation and
configuration that will be required anytime you must deploy, re-deploy, or maintain
HP E-Series switches.
This course also introduces you to E-Series access points (APs).

Prerequisites and ongoing learning opportunities


The required prerequisites for HP Access Layer Network Technologies using ProVision
Software are:

Getting Started with HP Switching and Routing Web-Based Training (WBT)

Getting Started with HP Wireless Networks WBT

Both of these interactive WBTs are available on the HP networking training web site.
While the key elements of the prerequisite content will be reviewed and discussed
during delivery of HP Access Layer Network Technologies using ProVision Software,
the discussions and lab activities anticipate that you have been introduced to all of
the prerequisite topics.

Certification
Completing HP Access Layer Network Technologies using ProVision Software, along
with the prerequisite, helps prepare you to take the examination for Accredited
Integration Specialist (AIS), a certification offered by the HP ExpertONE program.
The certification program and examination will be discussed further on the final day
of the course.

Four days of training


HP Access Layer Network Technologies using ProVision Software is designed to help
you gain basic proficiency in installing and configuring E-Series switches. Along with
required e-learning, the course also will prepare you for the Accredited Integration
Specialist examination.
During the next four days, hands-on activities, in-class learning activities, and
facilitator lectures will provide you with the information and skills you need to
successfully deploy and manage HP E-Series switches.

Day 1: Getting Started with HP E-Series Switches

Module 1: Basic Switch Setup

Module 2: Managing Software and Configuration Files

Module 3: Configuring VLANs and IP Services

Day 2: Increasing Security, Capacity, and Availability

Module 4: Configuring Device Access Security

Module 5: Configuring Link Aggregation

Module 6: Configuring Spanning Tree

Day 3: IP Routing and Mobility

Module 6: Configuring Spanning Tree (continued)

Module 7: Configuring IP Routing

Module 8: Providing Mobility to SMBs

Day 4: Mobility, Management, and Design

Module 8: Providing Mobility to SMBs (continued)

Module 9: Managing and Monitoring SMB Networks with HP PCM

Module 10: Introduction to Network Design


Today's agenda
Day 1 of HP Access Layer Network Technologies using ProVision Software consists of
three parts:

1. Module 1: Basic Switch Setup
   In this section, you will learn the basics of HP E-Series switches, including how
   to navigate the Command Line Interface (CLI), how to configure basic security
   settings, and how to enable remote management by configuring the Default
   VLAN interface.

2. Module 2: Managing Software and Configuration Files
   The second section of today's session will provide the information you need to
   upgrade switch software and manage configuration files.

3. Module 3: Configuring VLANs and IP Interfaces
   In the final tasks of Day 1, you'll learn how to configure the switches to support
   user VLANs and to access IP services such as SNTP and DNS.


Basic Switch Setup


Module 1

Module 1 objectives
After completing Module 1, you will be able to:

Choose the correct privilege level to complete a given configuration task

Issue the correct CLI commands to move among the privilege levels

Use the CLI to assign a hostname to an E-Series switch

Use the CLI to verify switch configuration using show commands

Describe the privilege levels available in the HP E-Series CLI and the options
available in each level

Describe the port-naming conventions for the HP E-Series fixed-port and chassis
switches

Use the CLI to configure port parameters, including friendly names

Use the CLI to monitor interface status

Use the CLI to view LLDP configuration and neighbors table

Use the CLI to assign an IP address to a VLAN interface


Lab equipment for this course

E8200 zl
   Access, distribution, or core for SMBs
   Modular architecture
   Six or 12 module slots
   Advanced routing features (such as OSPF, PIM, and VRRP) with Premium License

E5400 zl
   Access, distribution, or core for SMBs
   Modular architecture
   Six or 12 module slots
   Advanced routing with Premium License

E3500
   Access or distribution for SMBs
   Fixed-port
   24 or 48-port models
   10/100/1000 and 10/100 models
   Advanced routing with Premium License

Figure 1-1: Lab equipment for this course

During the lab activities, you will have opportunities to configure four E-Series
switches. The selection of switch models can vary from class to class. However, all lab
participants will work with at least one of the following E-Series switches:
1. HP E8200 zl Switch Series
2. HP E5400 zl Switch Series
3. HP E3500 Switch Series

Tip
To learn more about HP switches, visit www.hp.com/networking

The E8200 zl, E5400 zl, and E3500 Switch Series implement HP's ProVision
ASIC, which was developed by HP Labs to offer wirespeed intelligence along with
high levels of programmability and resilience. Because of their shared architecture,
the E8200 zl, E5400 zl, and E3500 also share a common interface and many basic
features. However, each model is designed for a specific Small-to-Medium Business
(SMB) deployment.
The E8200 zl Switch Series is designed for SMBs that need reliability and
high-performance switching. The switches in this series feature redundant management
and fabric modules and redundant power supplies, as well as high-port density. They
can be deployed at the access, distribution, or core layer in an SMB environment.
The E5400 zl and E3500 are also designed for SMBs. They provide a rich feature
set, along with wirespeed forwarding, at the access or distribution layer. In some
SMB environments, the E5400 zl can also be deployed as a core switch.


Other switches based on the ProVision ASIC are:

E6200-24G-mGBIC yl switch, a fixed-port aggregator designed to concentrate
traffic between the network core and access layer in an SMB environment
The E6600 Switch Series, which is designed for SMB environments that require
high-speed links and redundancy, particularly in their datacenters


Introducing the HP E8212 zl switch

Figure 1-2: Introducing the HP E8212 zl switch (callouts: redundant management
modules, console ports, module slots, redundant fabric modules)

The HP E8212 zl switch features high-performance, high-availability features required
by SMBs that rely on their network to provide core business services. It can be
deployed at the core, distribution, or access layer in these environments.
Key features include support for redundant management modules, fabric modules,
and power supplies. The switch's 12 module slots support a substantial array of port
options, enabling customized configurations for gigabit and 10GbE connectivity over
copper or fiber. With the addition of a Premium License, the E8212 zl switch supports
advanced routing features, including:

Open Shortest Path First (OSPF), which is a dynamic routing protocol that allows
the switch to exchange routing information with other network switches.
Protocol Independent Multicast (PIM), which allows hosts, such as streaming
video servers, to send messages to multiple hosts simultaneously. Hosts join
multicast host groups to become eligible to receive specific multicasts.
Virtual Router Redundancy Protocol (VRRP), which provides routing redundancy.

These and other advanced features allow the E8212 zl switch to support all of the
demanding applications and complex topologies in a contemporary LAN.
HP also offers the E8206 zl switch, a six-module model that offers high performance
and redundancy to SMBs that do not require the port densities supported by the
E8212 zl switch.
In some HP Access Layer Network Technologies using ProVision Software classes, an
E8212 zl switch will provide the distribution-layer services for your lab group. The
E8212 zl also will provide connectivity between your group and other lab classroom
groups.

Introducing the HP E5406 zl switch

Figure 1-3: Introducing the HP E5406 zl switch (callouts: 10/100/1000 module with
24 ports, management module, console port, USB auxiliary port, six module slots
labeled A-F)

The E5406 zl is a six-module switch designed to support up to 144 10/100/1000-T
ports. The E5400 zl switch is also available in a 12-module version, the E5412 zl
switch, which supports up to 288 ports. Both models support an array of accessory
modules, including four-port 10GbE modules and specialized modules to support
mobility and security.
All E5400 zl models support PoE and, with the installation of an optional Premium
License, advanced routing features such as OSPF and PIM.
In the lab activities for this class, E5406 zl switches may provide distribution-layer or
access-layer services for lab groups.

Port names on E8200 zl and E5400 zl switches

Port names include slot name and port number
   For instance, port 1 in the A module is port a1
Odd-numbered ports in top row; even-numbered ports in bottom row
1-12 in left group, 13-24 in right group

Figure 1-4: Port names on E8200 zl and E5400 zl switches (24-port 10/100/1000 module)

On HP E-Series modular switches, such as the E8200 zl and E5400 zl switches, a
port is identified by a module letter followed by the number of the port in the
module. For instance, if module A is populated with a 24-port 10/100/1000
module, the ports would be named a1 to a24.
On the E5406 zl and E8206 zl switches, the modules are identified by letters A
through F. Module A is in the upper left corner of the switch. Module B is
immediately to the right of module A. The second module row contains modules C
and D. The final row includes modules E and F.
Modules on the E8212 zl and E5412 zl are lettered A through L.
On each 24-port module, the ports are divided into two sections with ports 1-12 on
the left and 13-24 on the right. The odd-numbered ports (1, 3, and so on) are in the
top row, with even-numbered ports immediately below.

Introducing the HP E3500-24G-PoE yl switch

Fixed ports numbered 1-24
Odd-numbered ports in top row; even-numbered ports in bottom row
Dual-personality ports support 10/100/1000 or mini-GBIC transceivers

Figure 1-5: Introducing the HP E3500-24G-PoE yl switch (callouts: dual-personality
ports, console port, USB auxiliary port, 20 10/100/1000 Base-T Ethernet ports)

The E3500-24G-PoE yl switch is part of the E3500 Switch Series, which includes two
families of 24 and 48-port stackable switches.

E3500 yl switches feature 10/100/1000 copper ports and dual-personality
ports for gigabit uplinks
E3500 switches feature 10/100 ports and dual-personality ports for gigabit
uplinks

These switches are designed to provide scalability and advanced intelligence for
access and distribution layers in an SMB environment. As with the E5400 zl, all
E3500 models support advanced routing features such as OSPF and PIM with the
installation of an optional Premium License. Two of the E3500 yl models support PoE,
and two support PoE+ (which provides more watts per device). The E3500 models
are available in PoE and non-PoE versions.
The E3500-24G-PoE yl switch offers 20 10/100/1000-T ports and four
dual-personality ports. Numbered 21-24, the dual-personality ports support
10/100/1000-T or SFP mini-GBICs. (See www.hp.com/networking for information
on SFP options.)
The port-numbering system for the E3500-24G-PoE yl switch (and other switches in
this series) is straightforward. The odd-numbered ports, including dual-personality
ports, are in the top row. The even-numbered ports are in the bottom row.


Prework review activity: Introduction to VLANs


Throughout this course, you will participate in review activities, which are designed to
help you clarify your understanding of key concepts introduced in the Getting Started
with HP Switching and Routing or Getting Started with HP Wireless Networks. These
activities will also allow you to explore any areas you may have overlooked during
your independent study.
Your instructor will provide specific instructions for completing this activity, using one
of the following options:

Discussion
Your facilitator will assign you a question and ask you to develop an answer that
you can present to other people in your class. You should be prepared to
answer questions. The goal of this activity is not to require you to be the
instructor, but rather to encourage discussions among people in your class.
The next page presents the discussion topics that will be assigned in this activity,
along with space for taking notes during your preparation and presentation. To
refresh your memory of the WBT, you can review the Getting Started with HP
Switching and Routing Reference Guide. Be prepared, though, to explain each
point in the summaries in more detail.

Quiz Me
Your facilitator will give you several index cards, each one printed with a
possible answer to a question. For example, an index card may display the
word False or the word True. Or an index card may display a letter such as a,
b, c, d, or e. When your facilitator asks you a question, hold up the index card
that has the correct answer.
If you are in a virtual classroom, you will participate in an online quiz. You can
discuss the question and your answer with your facilitator.
The questions you answer will cover the same topics as those listed on the pages
that follow. You can use the space provided under each question to take
additional notes. After this class ends, you can use these questions to help you
review the course materials and prepare to take the AIS exam for this course.


1. What is a VLAN?
2. Why are VLANs used to segment the network?

3. What is the relationship between each VLAN and its network IP address range?

Interfaces for initial configuration

The CLI can be accessed through console or Telnet
   Telnet available only if switch receives DHCP address
At the CLI, you can:
   Enter commands directly
   Access menu interface
      Offers fewer options than the CLI
   Access switch setup screen
      Offers limited options for initial configuration

Figure 1-6: Interfaces for initial configuration (screenshot: menu interface)

By default, E-Series switches will receive a VLAN 1 IP address from any available
Dynamic Host Configuration Protocol (DHCP) server. DHCP enables hosts, or DHCP
clients, on an IP network to obtain IP addresses. This protocol helps reduce
administrative overhead on an IP-based network. (You will learn more about DHCP
later in this module.)
If the switch receives an address, you can access the Command Line Interface (CLI)
by Telnet or can use the web management interface that will be described in
Module 3.
In many cases, however, initial configuration will be performed through a console
connection. In that case, three options are available:

The CLI is the most comprehensive management tool, enabling access to all
switch configuration options. Consequently, it will be emphasized in this course.
You can also use the CLI to access the menu and setup interfaces.
The menu interface, shown in Figure 1-6, provides access to a subset of CLI
commands. You will explore this interface in Lab Activity 1.
The setup screen enables you to configure a VLAN 1 IP address so that the
switch can be accessed remotely.


Introducing the HP E-Series switch CLI: Facilitator demonstration

Figure 1-7: Introducing the HP E-Series switch CLI: Facilitator demonstration

Before you begin the first lab activity, your facilitator will distribute the HP E-Series
Switch CLI Job Aid and demonstrate basic CLI usage. Figure 1-7 shows the basic
navigation levels for the CLI.

Verifying connectivity
Ping utility uses ICMP packets to verify connectivity.
Switch# ping <IP address>

Example:
Switch# ping 10.1.10.10
10.1.10.10 is alive, time = 1ms

Figure 1-8: Verifying connectivity

When you configure and manage networks, you can use the ping utility to verify
connectivity between devices. The ping utility sends Internet Control Message
Protocol (ICMP) echo packets to a destination device. If the destination device
receives the packet, it sends return ICMP packets.
The ping utility shows the results of the ICMP exchange, reporting successful receipt
of a reply or a dropped packet.
Note that some network devices, such as network security devices, do not send reply
ICMP echo packets. This security precaution is designed to prevent malicious users
from using the ping utility in a reconnaissance attack.


Using LLDP to learn about neighboring switches

Link Layer Discovery Protocol (LLDP) is enabled by default
LLDP switches exchange information about capabilities
Show command options include:
   show lldp info remote-device
      Displays all connected devices supporting LLDP
   show lldp info remote-device <int-id>
      Displays details on device connected to a port

Figure 1-9: Using LLDP to learn about neighboring switches

All current HP E-Series switches support the Link Layer Discovery Protocol (LLDP),
which provides a tool for learning about connected devices, such as switches and
wireless access points, that also support the protocol. Described in IEEE 802.1AB,
LLDP packets contain data about the transmitting switch and port. LLDP packets
survive only one hop. When a switch receives an LLDP packet, the switch places the
information from the packet into an entry in an LLDP neighbors table in the
Management Information Base (MIB).
The information included in LLDP packets includes details about routing and switching
capabilities, switch model, IP address, and MAC address.
By default, LLDP is enabled for all ports on E-Series switches but can be disabled per
port by entering lldp admin-status <int-id> disable at the CLI. You can also disable
or enable LLDP transmission or reception independently. For more information, see
the switch's Management and Configuration Guide.
You will explore the show lldp options during Lab Activity 1.

SMB scenario for lab activities

Six floors
Approximately 95 users per floor
Requirements:
   VLANs for user groups
   Redundancy
   Ability to increase bandwidth between switches as needed
   Wireless access
   Unified wired and wireless network management

Figure 1-10: SMB scenario

When you complete the labs in this course, you will be acting as a network
administrator who has been hired to install and configure E-Series switches at a
medium-sized company that has just moved into the right wing of an office building.
Each of the six floors has 95 employees, including their workstations and printers.
These employees are organized into the following departments: Marketing, Sales,
Manufacturing, and Human Resources.
The company's executives have explained that they want the network to be available
24 x 7. They also want the network to support the applications they are using now
and more bandwidth-intensive applications in the future. For example, they are
currently using video-conferencing applications in some conference rooms, but expect
to increase that usage in the near future.
They also want to provide employees with wireless access in two conference rooms
but plan to expand the wireless network next year. They would like a wireless
solution that scales well.
Finally, the company wants the ability to manage both wired and wireless networks
from a single network management console.


Lab Activity 1
During this lab activity, your lab group will begin configuring four E-Series switches
that will provide wired connectivity on one floor of the company's new building.
During the first activity, you will first connect the four switches and then explore the
E-Series switch CLI, configure basic security settings, assign a hostname to each of your
switches, assign an IP address to VLAN 1 on all your switches, and check basic
connectivity.
Consult your Lab Activity Guide for instructions for performing this activity.


Lab Activity 1 debrief

Use the space below to record your key insights and challenges from Lab Activity 1.

Challenges

Key Insights


Learning check

1. What commands provide help at the CLI of an E-Series switch? (Select two.)
   a. typing ?
   b. typing /? [ENTER]
   c. typing help
   d. pressing the [TAB] key

2. At the CLI of an E5406 zl switch, you enter show lldp information remote-device
   a24. Assuming the device connected to port a24 also supports LLDP, what
   information can you learn? (Select two.)
   a. IP address of connected device
   b. Supported management protocols on connected device
   c. Routing capabilities of connected device
   d. SNMP communities on connected device
   e. STP region supported by connected device

3. How can you access the history buffer in the E-Series switch CLI?

4. Match each privilege level to the correct prompt.

   operator                 Switch(config)#
   manager                  Switch>
   global configuration     Switch#


Managing Switch Software and Configuration Files

Module 2

Module 2 objectives
After completing this module, you will be able to:

Describe the flash memory architecture of HP E-Series switches

Upgrade software versions on an E-Series switch

Manage installed software versions on an E-Series switch

Restart an E-Series switch using a specified software image

Manage configuration files and changes on E-Series switches

Define multiple configuration files and assign them to different flash areas

Back up configuration files using a USB drive

Examine and interpret the event log


Software image architecture

Software image, or switch operating system
   Stored in flash memory
   Two areas: primary and secondary
      Store different images
      Update independently
Two CLI commands for restarting: reload and boot
   Both execute system image
   boot runs system diagnostics and enables selection of primary or secondary image

Figure 2-1: Software image architecture (diagram: primary flash memory and
secondary flash memory, each holding a software image)

The switch software image contains the operating system. The switches ship with
software images installed, but updates are periodically released and made available
at www.hp.com/networking.
Most E-Series switches feature two flash memory areas, called primary and
secondary, where software images are stored. Because the two areas can store
different images, you can back up a current software version before installing a new
one. This enables you to restore the switch's earlier functionality if the new software
proves unsuitable.
E-Series switches support two boot modes that can be executed from the CLI:

reload
You enter the reload command to instigate a warm boot that does not require
system diagnostics. When the switch is rebooted with reload, it uses the flash
image executed on the last cold boot.

boot
You enter the boot command to instigate a cold boot. This command ensures
the switch runs system diagnostics before restarting. It also enables you to
specify whether to use the primary or secondary flash image. To choose a flash
area, issue the boot command with the following options:
boot system flash <flash_image>
If no software image is specified, the switch is restarted using the current image.

The warm boot using reload takes less time and is well-suited for restarts required
when a configuration file is copied from a backup server or in the rare case that a
configuration change requires a restart.

Viewing software versions

show flash displays contents of both flash areas

    Switch# show flash
    Image            Size(Bytes)   Date     Version
    -----            ----------    -------- -------
    Primary Image   : 10125499     06/30/10 K.14.65
    Secondary Image : 7518995      12/19/08 K.13.51
    Boot Rom Version: K.12.21
    Default Boot    : Primary

show version displays software version currently running

    Switch# show version
    Management Module 1: Active
    Image stamp:    /sw/code/build/btm(t4a)
                    Jun 30 2010 15:23:28
                    K.14.65
                    126
    Boot Image:     Primary

Figure 2-2: Viewing software versions

Two CLI commands, show flash and show version, enable you to view the images
currently installed on an E-Series switch and to determine which one is currently in
use. In Figure 2-2, the primary image is K.14.65, and the secondary image is K.13.51.
Note that show flash enables you to determine which image is the Default Boot,
while the show version command enables you to determine which image is currently
in use.
By default, the Default Boot image will be the image currently in use. The Default
Boot image can be configured using the boot set-default flash <image> command.
Finally, note that show flash also shows the current Boot Rom Version. In some cases,
it will be necessary to install a new Boot ROM to upgrade to a new software version.
When necessary, this requirement will be described on www.hp.com/networking
and in the Release Notes for the software.
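The check described above, as an added example that is not part of the course material: it parses show flash and show version output, reports where the flash contents, the Default Boot setting and the running image disagree, and picks the flash area to install into so that the running image stays available as a fallback. The sample output is constructed in the layout of Figure 2-2, and the function names are hypothetical.

```python
import re

# Constructed sample output, laid out like Figure 2-2 on this page.
SHOW_FLASH = """\
Image             Size(Bytes)   Date     Version
-----             ----------    -------  -------
Primary Image   : 10125499      06/30/10 K.14.65
Secondary Image : 7518995       12/19/08 K.13.51
Boot Rom Version: K.12.21
Default Boot    : Primary
"""

SHOW_VERSION = """\
Management Module 1: Active
Image stamp:    /sw/code/build/btm(t4a)
                Jun 30 2010 15:23:28
                K.14.65
                126
Boot Image:     Primary
"""

VERSION_RE = r"[A-Z]+\.\d+\.\d+\S*"


def parse_show_flash(text):
    """Return the version in each flash area, the Boot ROM version and the Default Boot area."""
    state = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Primary|Secondary) Image\s*:\s*\d+\s+\S+\s+(" + VERSION_RE + ")", line)
        if m:
            state[m.group(1).lower()] = m.group(2)
            continue
        m = re.match(r"\s*Boot Rom Version\s*:\s*(\S+)", line)
        if m:
            state["boot_rom"] = m.group(1)
            continue
        m = re.match(r"\s*Default Boot\s*:\s*(Primary|Secondary)", line)
        if m:
            state["default_boot"] = m.group(1).lower()
    missing = {"primary", "secondary", "boot_rom", "default_boot"} - state.keys()
    if missing:
        raise ValueError(f"show flash output is missing: {sorted(missing)}")
    return state


def parse_show_version(text):
    """Return the running software version and the flash area it was booted from."""
    version = re.search(r"^\s*(" + VERSION_RE + r")\s*$", text, re.MULTILINE)
    area = re.search(r"^\s*Boot Image\s*:\s*(Primary|Secondary)", text, re.MULTILINE)
    if not version or not area:
        raise ValueError("show version output is missing the version or Boot Image line")
    return {"running": version.group(1), "boot_image": area.group(1).lower()}


def review(flash, version):
    """Compare the two outputs and list what differs from the running state."""
    running_area = version["boot_image"]
    other_area = "secondary" if running_area == "primary" else "primary"
    findings = []
    if flash[running_area] != version["running"]:
        findings.append(
            f"{running_area} flash now holds {flash[running_area]} but the switch is "
            f"running {version['running']}: a restart from it changes the software")
    if flash["default_boot"] != running_area:
        findings.append(
            f"Default Boot is {flash['default_boot']} but the switch was booted from {running_area}")
    return {
        "running_area": running_area,
        "install_to": other_area,          # copy target that leaves the running image untouched
        "fallback_version": flash[running_area],
        "findings": findings,
    }


def upgrade_commands(plan, image_file):
    """CLI lines shown on this page for installing image_file and cold-booting from it."""
    area = plan["install_to"]
    return [f"copy usb flash {image_file} {area}", f"boot system flash {area}"]


if __name__ == "__main__":
    plan = review(parse_show_flash(SHOW_FLASH), parse_show_version(SHOW_VERSION))
    print(plan)
    print("\n".join(upgrade_commands(plan, "K_14_65.swi")))
```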

Installing a new image from a USB drive

dir displays the contents of the USB drive in the auxiliary port

Switch# dir
Listing Directory /ufa0:
-rwxrwxrwx   1 10125499 Jun 30 15:26 K_14_65.SWI
-rwxrwxrwx   1 10094820 May 06 20:34 K_14_60.SWI

copy enables you to copy software to either flash area

Switch# copy usb flash K_14_65.swi secondary
The Secondary OS Image will be deleted, continue [y/n]?

Figure 2-3: Installing a new image from USB drive

The copy command enables you to install a new image to either flash area from a
USB drive or a TFTP server. In Figure 2-3, the K.14.65 software version has been
copied to the secondary flash area of an E3500 yl switch.
Before copying the software, you can use the dir command to examine the contents
of the USB drive in the auxiliary port. If the drive contains a subdirectory, you can
view its contents by specifying its name, as in dir folder.

Configuration file architecture

Two types of files:
Running configuration stored in RAM
Startup configuration stored in flash memory

[Diagram: the running configuration in volatile memory (RAM) and the startup configuration in non-volatile memory (Flash)]

Figure 2-4: Configuration file architecture

E-Series switches rely on two types of configuration files:

The running configuration is stored in volatile memory (RAM) and is in use
whenever the switch is running.
The startup configuration is stored in non-volatile memory (flash) and is used
whenever the switch is restarted.

When the switch is restarted, the startup configuration is written to volatile memory
and becomes the running configuration. Subsequently, all commands issued at the
CLI are immediately written to the running configuration and executed.
To examine the current running configuration, issue the show running-config
command, which can be abbreviated as show run. Because CLI changes are not
automatically written to the startup configuration, administrators can use the CLI to
test changes before making them permanent.
To store the changes in the startup configuration, you must issue the write memory
command. If you forget to save changes, they will not be in effect when the switch is
restarted. To view the startup configuration and ensure changes are included, issue
the show configuration command.
To determine if the running configuration and the startup configuration match, issue
the following command:
Switch# show run status


Two ways to erase startup configuration

At the front panel, to perform Factory Reset:
1. Depress the Clear button followed by the Reset button
2. Continue to press the Clear button while releasing the Reset button
3. When the Self Test LED begins to flash, release the Clear button

At the CLI:
Switch# erase startup-config

Figure 2-5: Two ways to erase the startup configuration
E-Series switches offer two ways of erasing the startup configuration:

1. At the CLI, you can issue the erase startup-config command. The switch will
   prompt you to confirm this command and then restart with a default startup
   configuration. However, some E-Series switches will maintain configured
   passwords unless you use the no password command to delete them before
   restarting.

2. If you cannot access the CLI because of lost passwords, you can return the switch
   to factory defaults, using the process shown in Figure 2-5. This process will erase
   passwords and clear the startup configuration.
   If you want to erase passwords without erasing the startup configuration, simply
   press and hold the Clear button for at least one second.


Backing up and restoring configuration files using a USB drive

To back up the startup configuration to a USB drive:
Switch# copy startup-config usb <filename>

To restore the startup configuration from a USB drive:
Switch# copy usb startup-config <filename>
Device may be rebooted, do you want to continue [y/n]?
Rebooting switch...

Figure 2-6: Backing up and restoring configuration files using USB


The process for backing up and restoring configuration files to a USB drive is
straightforward, as shown in Figure 2-6. You can also store a copy of the running
configuration by issuing the copy running-config usb <filename> command. You
cannot copy a stored configuration to the running configuration.

To copy a new startup configuration to the switch, simply issue the copy command
with a USB drive specified as the source, as shown in the second example in Figure
2-6. Note that the switch will immediately reboot using the new configuration.

Managing multiple configuration files

Many E-Series switches support multiple configuration files:

To store alternate startup configuration:

Copy config1 to new configuration file
Switch# copy config config1 config baseConfig

Associate new file with flash area
Switch# startup-default secondary config baseConfig

Figure 2-7: Managing multiple configuration files

Many E-Series switches, including the E8200 zl, E5400 zl, and E3500, support the
maintenance of three distinct configuration files.
In Figure 2-7, the output of the show config files command shows that the administrator
has defined three configuration files:
1. config1, which is the default file
2. baseConfig
3. AISstart

As the illustration shows, configuration files can be associated with flash images,
meaning a specific configuration will be executed whenever the switch is restarted
using a given image. This feature can be useful if you want to test new features
enabled by a new software image, but do not want to delete or alter a configuration
known to work with an earlier software version. You can also store a configuration
without associating it with any flash area.
In the example, the active configuration is config1, as is shown by the asterisk (*) in
the act column. This file is also associated with primary flash. The second
configuration file, baseConfig, is associated with secondary flash. The third file,
AISstart, is not associated with either flash area. You can examine the contents of
any configuration file by issuing the show config <filename> command.


Using a different configuration file


If you want to restart the switch with a different configuration file, you can use the
startup-default command to change the flash association. In Figure 2-7, the
administrator has issued the startup-default secondary config baseConfig command
to associate baseConfig with secondary flash. To use this file, the administrator
would issue the boot system flash secondary command.
You can associate a file with both flash areas by issuing the startup-default
<filename> command without specifying a flash area.
The table below shows commands that are useful for configuration file management.

Configuration file commands

Command                    Effect
erase config <filename>    Delete configuration file from system.
show config <filename>     Shows contents of a configuration file.


Displaying events in the system log

The switch records system events in a log

Figure 2-8: Displaying events in the system log

The show logging command displays events recorded since the switch's most recent
reboot. Each entry in the event log includes one of four possible severity levels
(warning, information, major, or debug) and a description of the system module,
such as chassis or lldp, that registered the event. In Figure 2-8, the chassis module
of an E5400 zl switch reports the recognition of each module that was inserted in
the switch and the downloading of firmware into each module.
Some options for the show logging command include:

show logging -a shows all events, including those recorded during earlier boot
cycles. If the show logging command is issued without an option, the command
will show all events in the current boot cycle.
show logging -r displays log events in reverse chronological order, that is, with
the most recent events listed first.
show logging <string> shows only events that contain the <string> value. This
provides a means of log event filtering. For instance, to view only events related
to LLDP, you could issue show logging lldp. The <string> value is not case-sensitive.

To clear the log, issue the clear log command.


You will learn how to send log entries to a System Logging (Syslog) server in
Module 3: Configuring VLANs and IP Services.


Port status and counters

Switch# show interface a1
 Status and Counters - Port Counters for port A1

  Name  :
  MAC Address      : 001871-b934ff
  Link Status      : Up
  Totals (Since boot or last clear) :
   Bytes Rx        : 521,841              Bytes Tx        : 67,315
   Unicast Rx      : 130                  Unicast Tx      : 112
   Bcast/Mcast Rx  : 2339                 Bcast/Mcast Tx  : 569
  Errors (Since boot or last clear) :
   FCS Rx          : 0                    Drops Tx        : 0
   Alignment Rx    : 0                    Collisions Tx   : 0
   Runts Rx        : 0                    Late Colln Tx   : 0
   Giants Rx       : 0                    Excessive Colln : 0
   Total Rx Errors : 0                    Deferred Tx     : 0
  Others (Since boot or last clear) :
   Discard Rx      : 0                    Out Queue Len   : 0
   Unknown Protos  : 0
  . . .

Figure 2-9: Port status and counters

When you are in physical proximity to a switch, you can easily tell which ports are
up and which are down by looking at the LEDs. Ports with connected cables, but no
link LEDs, can indicate many issues, including a faulty cable, faulty network adapter,
or a connected device being powered down.
If you are managing the switch from a remote location, however, you must rely on
commands that can provide information about ports. For example, the show
interfaces brief command reports on the operational status, which is displayed as
Up or Down, and the administrative state of all ports (for example, whether
someone has administratively disabled any ports, causing them to stop functioning).
If the switch is experiencing an intermittent problem, such as slow performance, but you
are not yet sure which port(s) might be involved, you may want to examine the port
counters. The show interfaces command displays a table view of the numbers of
bytes, frames, errors, and dropped frames per port.
If you see an inordinately high number of errors or dropped frames, you can drill
down to the port level by including a port number in the show interface command,
as shown in Figure 2-9. In the detailed per-port display you can see the composition
of the errors, that is, whether they are giants, runts, checksum errors, or
collision-related errors. Because collisions are not expected in a switched network, errors
related to collisions can point to a mode mismatch. For example, the port on one side
of a link is configured for full duplex and the port on the other side is configured for
half duplex.
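The drill-down described above, as an added example that is not part of the course material: it parses the two-column counter layout of Figure 2-9 and reports the composition of the errors, flagging collision counters as a pointer to a mode mismatch. The sample output and its non-zero values are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of Figure 2-9, with non-zero error counters.
SHOW_INTERFACE = """\
 Status and Counters - Port Counters for port A1

  Name  :
  MAC Address      : 001871-b934ff
  Link Status      : Up
  Totals (Since boot or last clear) :
   Bytes Rx        : 521,841              Bytes Tx        : 67,315
   Unicast Rx      : 130                  Unicast Tx      : 112
   Bcast/Mcast Rx  : 2339                 Bcast/Mcast Tx  : 569
  Errors (Since boot or last clear) :
   FCS Rx          : 412                  Drops Tx        : 0
   Alignment Rx    : 0                    Collisions Tx   : 37
   Runts Rx        : 18                   Late Colln Tx   : 9
   Giants Rx       : 0                    Excessive Colln : 0
   Total Rx Errors : 430                  Deferred Tx     : 0
"""

# "label : number" pairs; the lookahead skips values such as the MAC address.
PAIR = re.compile(r"([A-Za-z][A-Za-z/ ]*?)\s*:\s*([\d,]+)(?=\s|$)")

FRAME_ERRORS = {
    "FCS Rx": "checksum errors",
    "Alignment Rx": "alignment errors",
    "Runts Rx": "runts",
    "Giants Rx": "giants",
}
COLLISION_COUNTERS = ("Collisions Tx", "Late Colln Tx", "Excessive Colln")


def parse_counters(text):
    """Return {counter label: integer value} for every numeric counter in the output."""
    counters = {}
    for line in text.splitlines():
        for label, value in PAIR.findall(line):
            counters[label] = int(value.replace(",", ""))
    return counters


def diagnose(counters):
    """List the error types present and flag collisions, which a switched link should not see."""
    findings = []
    for label, name in FRAME_ERRORS.items():
        if counters.get(label, 0) > 0:
            findings.append(f"{counters[label]} {name} received")
    collisions = {c: counters[c] for c in COLLISION_COUNTERS if counters.get(c, 0) > 0}
    if collisions:
        findings.append(
            f"collision counters are non-zero on a switched link ({collisions}): "
            "check both ends of the link for a duplex mismatch")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_counters(SHOW_INTERFACE)):
        print(finding)
```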


Lab Activity 2
You will now continue setting up the switches for the medium-sized company that has
just moved into a new office building. One of the first tasks you want to complete is
to ensure that the switches are running the latest version of the switch software. You
will also learn how to back up your configurations to a USB drive and configure
multiple configuration files.
Consult your Lab Activity Guide for instructions for performing this activity.


Lab Activity 2 debrief


Use the space below to record your key insights and challenges from Lab Activity 2.

Debrief for Lab Activity 2


Challenges

Key Insights


Learning check
1. On E-Series switches, what is a difference between the boot command and the
   reload command?
   a. The reload command requires the switch to run diagnostics before
      restarting. The boot command does not.
   b. The reload command restarts the switch using the current running
      configuration. The boot command uses the startup configuration.
   c. The reload command restarts the switch without running diagnostics. The
      boot command requires that diagnostics be executed and also allows you to
      select a flash image.
   d. The reload command restarts the switch using the active configuration file.
      The boot command enables the administrator to choose a configuration file
      for startup.

2. What is the relationship between primary and secondary flash on an E-Series
   switch?
   a. Primary flash holds the current system image. Secondary flash provides a
      backup for the image.
   b. Primary and secondary flash are independent and can hold different
      images. Either image can be used to boot the switch.
   c. Secondary flash is a mirror of primary flash, enabling the switch to failover
      if the primary flash image is corrupted.
   d. Primary flash is non-volatile memory that stores the switch's startup
      configuration. Secondary flash is volatile memory that stores the switch's
      running configuration.

3. Name two potential uses for multiple configuration files on an E-Series switch.

4. When is a command entered at the E-Series switch CLI executed?
   a. immediately
   b. when the write memory command is entered
   c. when the switch is restarted

5. What is the process for upgrading the Boot ROM on an E-Series switch?

Configuring VLANs and IP Services


Module 3

Module 3 objectives
After completing Module 3, you will be able to:

Given a network design, use the command line interface (CLI) to assign an IP
address and subnet mask to a VLAN interface on an HP E-Series switch
Enable IP routing to enable communication among users in different VLANs
Examine IP interface and routing information
Configure IP helper addresses to enable DHCP relay for devices
Given a network design, configure virtual LANs (VLANs) on HP E-Series switches
to support end users and switch-to-switch links
Enable HP E-Series switches to access IP services such as Simple Network Time
Protocol (SNTP) and Domain Names Service (DNS)
Back up configuration files using Trivial File Transfer Protocol (TFTP)
Enable remote management over IP networks
Use the web management interface to perform basic configuration tasks


Prework review activity: VLANs


What is the 802.1Q tag, and how is it used by VLAN-aware switches?

What are the rules for assigning ports to VLANs on HP E-Series switches?

Describe the Layer 2 forwarding process in a switched network.



What is required to transmit traffic between two VLANs?



Lab Activity 3 preview

Core:    10.0.0.0/16
Floor 1: 10.1.0.0/16
Floor 2: 10.2.0.0/16
Floor 3: 10.3.0.0/16
Floor 4: 10.4.0.0/16
Floor 5: 10.5.0.0/16
Floor 6: 10.6.0.0/16

VLAN   User Group                     Address range
1      Switches and network admins    10.x.1.0/24
2      Server                         10.x.2.0/24
10     Human Resources                10.x.10.0/24
20     Manufacturing                  10.x.20.0/24
30     Sales                          10.x.30.0/24
40     Executives                     10.x.40.0/24

Figure 3-1: Lab Activity 3 preview

In the lab activity for this module, you will continue configuring switches for the
medium-sized company that you learned about in previous modules. Specifically, you
will configure the four switches for a floor at the corporation's main office.
This corporation uses the Class A private address range (10.0.0.0 to 10.255.255.255),
giving the corporation a total of 16,777,216 available host
addresses. This is obviously more IP addresses than the corporation requires, but its
IP addressing scheme provides a logical way for the corporation to manage its
devices.
To simplify network management, the core network uses addresses in the range of
10.0.0.0/16. Each of the six floors is assigned an address range that uses a 16-bit
subnet mask, with the floor number in its second octet. For instance, all devices on
floor 1 have addresses in the range of 10.1.0.0/16.
Each floor hosts six types of users, which are shown in Figure 3-1. For the purposes of
this lab, the VLAN IDs for all user types are the same on all floors, and each floor's
address scheme uses the VLAN ID in the third octet. For example, the Human
Resources VLAN on floor 3 is 10.3.10.0/24.
In the lab activities, which simulate the company's network environment, each lab
group will configure four switches for one of the floors:

Three edge, or access-layer, switches, which provide connectivity for users
One distribution-layer switch that provides IP routing services to the users and
connectivity to the corporation's core

In a previous lab, you assigned the distribution-layer switch a host name of Router.
Hereafter, this module refers to this switch by its host name (Router).
Your facilitator will manage a switch that simulates the company's core.

Lab activity preview: Configuring VLANs and IP services

In Lab Activity 3, you will:
1. Configure five VLANs on your switches
2. Configure IP routing on your Router switch
3. Configure IP helper addresses so that hosts in all VLANs can receive
   IP addresses from the DHCP server
4. Verify connectivity
5. Configure your switches to access DNS and SNTP services
6. Back up the configurations to a TFTP server
7. Explore the web management interface
8. Limit manager access to specific IP address ranges

Figure 3-2: Lab activity preview: Configuring VLANs and IP services

Lab Activity 3 focuses on the steps and procedures necessary to configure VLAN
topologies and enable IP services on E-Series switches.
After verifying and troubleshooting your IP and VLAN configuration, you will enable
DNS and SNTP on your switches and back up your configurations to a TFTP server.
You will conclude the activity by exploring the web management interface and
configuring your switches so that only users in specific IP address ranges can gain
management access.

Final topology for Lab Activity 3


Figure 3-3: Final lab topology

By the end of Lab Activity 3, your switches will be ready to support users in four user
VLANs and a VLAN for your group's Server. As shown in Figure 3-3, your group's
Router will act as default gateway for hosts in all five VLANs. The three access-layer
switches will remain in VLAN 1 and will be configured to use the Router's VLAN 1
interface as their default gateway. This will enable them to access services on your
group's Server.
All switch-to-switch links will be configured as tagged members of the appropriate
VLANs. Ports connected to hosts, including the clients and the server, will be
untagged members of the VLANs.

VLANs on each switch

VLAN   Switch                    IP address on router
2      Router                    10.x.2.1/24
10     Edge_1, Router            10.x.10.1/24
20     Edge_2, Router            10.x.20.1/24
30     Edge_2, Edge_3, Router    10.x.30.1/24
40     Edge_2, Edge_3, Router    10.x.40.1/24

Connect workstations to untagged ports in each VLAN to test the configuration.
Workstations will receive IP addresses from the DHCP server in VLAN 2.
No changes to the VLAN 1 interface configured in Lab Activity 1.

Figure 3-4: User VLANs on each switch

The four user VLANs will be distributed among the edge switches, as shown in
Figure 3-4.
To act as default gateway for hosts in all VLANs, the Router will be configured with
ports in each VLAN and with an IP interface in each VLAN. Additionally, IP routing
will be enabled.

Steps to configure VLANs on access-layer switches

For each VLAN:

Define the VLAN
Switch(config)# vlan <id>

Add tagged port members
Switch(vlan-id)# tag <port>

Add untagged port members
Switch(vlan-id)# untag <port>

Figure 3-5: Steps to configure VLANs

The process for defining VLANs on a Layer 2 switch is straightforward, as shown in
Figure 3-5. Simply define each VLAN and then add ports as tagged or untagged
members.

TIP
If you make a mistake, it is easy to reverse most CLI commands. Simply repeat
the command preceded by no, as in:
Switch(config)# no vlan 10


Steps to configure IP interfaces on the Router

For each VLAN, in addition to steps for access-layer switches:

Define IP address for interface
Router(vlan-id)# ip address 10.x.<id>.1/24

Define IP helper address
Router(vlan-id)# ip helper-address 10.x.2.100

Enable IP routing
Router(config)# ip routing

Figure 3-6: Steps to configure IP interfaces on Router

Configuring VLANs on the Router begins with the same steps you followed to
configure VLANs on the access-layer switches. That is, you define the VLANs and
then add ports as necessary.
To act as a default gateway for the hosts in all VLANs, the distribution-layer switch
requires an IP interface associated with each VLAN, as shown in Figure 3-6. As well
as defining an IP address and mask for each VLAN, you must define an IP helper address,
which will enable hosts in all VLANs to receive IP addresses by DHCP from the
Server in VLAN 2. You must also enable IP routing.


Commands to confirm VLAN and IP interface configuration

show vlans
Issued without options shows all VLANs on switch

show vlans <vlan-id>
Shows the port membership for a single VLAN

show vlans port <port-id> detail
Shows the VLAN membership of a single port
Detail option shows tagged and untagged membership

show ip
Shows IP interfaces configured on switch
Shows if routing is enabled or if default gateway is defined

Figure 3-7: Commands to confirm VLAN and IP interface configuration

The show vlans command provides several powerful options for verifying VLAN
configuration. As shown, the options associated with this command enable you to
view all VLANs configured on the switch, to examine details about a specific VLAN,
or to determine the VLAN membership status of a port or range of ports.
While not specifically related to VLAN configuration, the show ip command enables
you to view important information about IP interfaces configured on the switch. As
well as showing the IP interfaces associated with each VLAN, the show ip command
shows if routing is enabled or, in the case of a Layer 2 switch, if a default gateway is
defined.

Configuring IP services: IP helper address for DHCP clients

[Diagram showing the DHCP Server, Router, Edge_1, Edge_2, Edge_3 and VLAN 20, with these callouts:
Client sends DHCP request broadcast to 255.255.255.255
Edge_3 and Edge_2 forward broadcasts on ports connecting to VLAN 20
Unicast packet routed by relay agent based on IP helper address
Unicast DHCP response sent to relay agent on routing switch
Relay agent sends unicast response to client]

Figure 3-8: IP helper address for DHCP clients

Commonly used in enterprise networks, DHCP enables network clients to receive IP
addressing information from a DHCP server. This simplifies the process for client
addressing and enables administrators to change IP addressing parameters for
multiple clients by re-configuring information on the DHCP server.
When a host sends a DHCP request, the packets are addressed to the broadcast
address of 255.255.255.255. Consequently, the client will not receive a DHCP reply
unless a DHCP server resides within the broadcast domain where the client is
connected. Because it is unrealistic to provision a DHCP server on every IP subnet,
Layer 3 switches implement DHCP relay. This technology enables the switches to
forward DHCP requests to remote subnets and to forward the replies back to the
requesting hosts.
On HP E-Series switches, DHCP relay is enabled by default. However, to use the
feature, you must configure an IP helper-address for every VLAN where clients will
require DHCP addresses from other subnets. The IP helper-address must be entered in
the VLAN configuration context.
Switch(vlan-20)# ip helper-address <ip_address>

You replace <ip_address> with the IP address of the DHCP server.

Although an IP helper address can be configured as soon as the VLAN is defined on the
switch, it will not function properly unless IP routing is enabled. Routing is required
because the switch must have route table entries that enable it to forward requests
between the client's VLAN and the server's VLAN.
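The relay exchange described above can be traced field by field. The following Python model is an added example, not code from this guide or from HP: it follows the standard BOOTP relay rules (RFC 1542 and RFC 2131), and the addresses assume x = 1 in the lab scheme, with a constructed lease of 10.1.20.50.

```python
import ipaddress
import struct

# Fixed BOOTP header (RFC 951 / RFC 2131): 236 bytes in front of the options.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)
OP, HOPS, FLAGS, YIADDR, GIADDR = 0, 3, 6, 8, 10   # indexes into the unpacked header
BOOTREQUEST, BOOTREPLY = 1, 2
BROADCAST_FLAG = 0x8000
MAX_HOPS = 16                                      # RFC 1542 upper limit
MAGIC_COOKIE = bytes.fromhex("63825363")
ZERO_IP = bytes(4)


def pack_ip(text):
    return ipaddress.IPv4Address(text).packed


def show_ip(raw):
    return str(ipaddress.IPv4Address(raw))


def header_fields(packet):
    """Decode the header fields that matter to a relay agent."""
    f = struct.unpack(BOOTP_FMT, packet[:BOOTP_LEN])
    return {"op": f[OP], "hops": f[HOPS],
            "yiaddr": show_ip(f[YIADDR]), "giaddr": show_ip(f[GIADDR])}


def build_discover(xid, mac):
    """Client: DHCPDISCOVER sent to 255.255.255.255, giaddr still 0.0.0.0."""
    header = struct.pack(BOOTP_FMT, BOOTREQUEST, 1, 6, 0, xid, 0, 0,
                         ZERO_IP, ZERO_IP, ZERO_IP, ZERO_IP, mac, b"", b"")
    return header + MAGIC_COOKIE + bytes([53, 1, 1, 255])   # option 53 = DISCOVER


def relay_request(packet, ingress_ip, helper_ip):
    """Relay agent, client to server. Returns (dst_ip, dst_port, packet) or None."""
    fields = list(struct.unpack(BOOTP_FMT, packet[:BOOTP_LEN]))
    if fields[OP] != BOOTREQUEST or fields[HOPS] >= MAX_HOPS:
        return None                        # relay client requests only, and never loop
    fields[HOPS] += 1
    if fields[GIADDR] == ZERO_IP:          # the first relay records the client's subnet
        fields[GIADDR] = pack_ip(ingress_ip)
    relayed = struct.pack(BOOTP_FMT, *fields) + packet[BOOTP_LEN:]
    return helper_ip, 67, relayed          # unicast, so it needs a route to the server


def server_offer(request, scopes):
    """Server: choose the scope that contains giaddr and reply to the relay agent."""
    fields = list(struct.unpack(BOOTP_FMT, request[:BOOTP_LEN]))
    relay = ipaddress.IPv4Address(fields[GIADDR])
    for network, lease in scopes.items():
        if relay in ipaddress.IPv4Network(network):
            fields[OP] = BOOTREPLY
            fields[YIADDR] = pack_ip(lease)
            options = MAGIC_COOKIE + bytes([53, 1, 2, 255])  # option 53 = OFFER
            return str(relay), 67, struct.pack(BOOTP_FMT, *fields) + options
    return None                            # no scope for that subnet


def relay_reply(packet, vlan_interfaces):
    """Relay agent, server to client. Returns (vlan_id, dst_ip, dst_port) or None."""
    fields = struct.unpack(BOOTP_FMT, packet[:BOOTP_LEN])
    if fields[OP] != BOOTREPLY:
        return None
    giaddr = show_ip(fields[GIADDR])
    for vlan_id, interface_ip in vlan_interfaces.items():
        if interface_ip == giaddr:         # giaddr identifies the client's VLAN
            if fields[FLAGS] & BROADCAST_FLAG:
                return vlan_id, "255.255.255.255", 68
            return vlan_id, show_ip(fields[YIADDR]), 68
    return None


# Constructed lab values (x = 1): Router interfaces, helper address and server scopes.
ROUTER_VLANS = {2: "10.1.2.1", 20: "10.1.20.1"}
HELPER = "10.1.2.100"
SCOPES = {"10.1.2.0/24": "10.1.2.50", "10.1.20.0/24": "10.1.20.50"}
```

The giaddr field is what lets a single server in VLAN 2 pick the right address range for a client in VLAN 20, and what tells the Router which VLAN the reply belongs to.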


Configuring IP services: Syslog

On access-layer switches, define the Router's VLAN 1 interface as the default gateway
Switch(config)# ip default-gateway 10.x.1.1

For access-layer switches and the Router, configure logging to the server in VLAN 2
Switch(config)# logging 10.x.2.100

Figure 3-9: Configuring IP services: Syslog

HP E-Series switches support logging on any System Logging (Syslog) server that
complies with the standard set forth in IETF RFC 3164. The process for identifying a
Syslog server is straightforward, as shown in Figure 3-9.
The switch would not require a default gateway to access a Syslog server if the server
were located in the same network as one of the switch's IP interfaces. However, in
Lab Activity 3, access-layer switches will not have interfaces in VLAN 2, where the
Server resides. Consequently, the access-layer switches must be configured with a
default gateway in VLAN 1, namely the Router's VLAN 1 interface.
The Router, of course, does not require a default gateway.

Configuring IP services: SNTP

Select SNTP as time protocol
Switch(config)# timesync sntp

Set for unicast mode
Switch(config)# sntp unicast

Define SNTP server
Switch(config)# sntp server priority 1 10.x.2.100

Set timezone
Switch(config)# time timezone <+/-n>

Figure 3-10: Configuring IP services: SNTP

E-Series switches can be configured to synchronize their clocks with SNTP or TimeP
servers. By default, the switches are not configured to synchronize with a time server.
Time can be set manually using the time command. However, for many network
applications, the use of time services is recommended to ensure that log entries,
security settings, and other time-sensitive operations are synchronized for multiple
network devices.
In Figure 3-10, an administrator issues timesync sntp to select SNTP as the time
synchronization protocol. The sntp unicast command configures the switch to obtain
time services from a single server. Alternatively, the administrator could issue sntp
broadcast to configure the switch to broadcast for time services.
When configuring SNTP on a ProVision ASIC switch, you can define up to three
servers in priority order. In the example, the administrator uses the sntp server
command to define a single server, but the priority value is still required. Many other
E-Series switches support the definition of one SNTP server. On these switches, the
priority argument is not supported.
Finally, the switch's timezone is set by entering a time offset. The value entered after
timezone should reflect the difference in minutes between the switch's timezone and
Greenwich Mean Time. To set the time for Los Angeles, California, the command
would be time timezone -480. The time offset for Paris, France, would be time
timezone +60.
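The Syslog and time settings above meet in the RFC 3164 message header, whose timestamp carries neither a year nor a time zone. The parser below is an added example, not code from this guide: the log lines are constructed, and it assumes each sender stamps messages with its local clock, so the receiver has to supply the year and the sender's offset in minutes (the same value given to time timezone).

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG...CONTENT
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<mon>[A-Z][a-z]{2}) (?P<day>[ \d]\d) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<rest>.*)$"
)
TAG = re.compile(r"^(?P<tag>[A-Za-z0-9]{1,32})(?P<content>.*)$")
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]


def parse_rfc3164(line, year, offset_minutes):
    """Parse one message; return a dict, or None if the header is not valid."""
    match = HEADER.match(line)
    if not match:
        return None
    pri = int(match["pri"])
    if pri > 191 or match["mon"] not in MONTHS:   # 23 facilities x 8 severities
        return None
    hour, minute, second = (int(part) for part in match["time"].split(":"))
    sender_zone = timezone(timedelta(minutes=offset_minutes))
    try:
        local = datetime(year, MONTHS.index(match["mon"]) + 1, int(match["day"]),
                         hour, minute, second, tzinfo=sender_zone)
    except ValueError:                            # e.g. Feb 31 or hour 25
        return None
    when = local.astimezone(timezone.utc)
    tag_match = TAG.match(match["rest"])
    tag = tag_match["tag"] if tag_match else ""
    content = tag_match["content"] if tag_match else match["rest"]
    return {
        "facility": pri // 8,                     # PRI = facility * 8 + severity
        "severity": SEVERITIES[pri % 8],
        "when": when,
        "utc": when.isoformat(),
        "host": match["host"],
        "tag": tag,
        "msg": content.lstrip(": "),
    }


def timeline(messages, year):
    """Order (line, offset_minutes) pairs from several devices by real time."""
    events = [parse_rfc3164(line, year, offset) for line, offset in messages]
    return sorted((e for e in events if e), key=lambda e: e["when"])


# Constructed sample: one switch set with 'time timezone -480', one left at offset 0.
SAMPLE = [
    ("<134>Oct  9 14:05:01 Edge_1 ports: port A5 is now on-line", -480),
    ("<132>Oct  9 22:04:58 Router ports: port B1 is now off-line", 0),
]
```

Sorted by the text of the timestamp, the Edge_1 line appears eight hours before the Router line; converted with each sender's offset, the Router event comes first by three seconds.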


Configuring IP services: DNS

Define DNS server
Switch(config)# ip dns server-address priority 1 10.x.2.100

Define domain name
Switch(config)# ip dns domain-name pcu0x.edu

Figure 3-11: Configuring IP services: DNS

ProVision ASIC switches can use DNS services, enabling you to locate devices for
ping or traceroute by hostname instead of IP address. Configuration, as shown in
Figure 3-11, is simple. ProVision ASIC switches can be configured to use two DNS
servers, defined with priority values at the CLI. As with SNTP, the priority value is
required even if you are configuring only one server.

Configuring IP services: Back up to TFTP server

Save configuration
Switch# write memory

Back up using copy command
Switch# copy startup-config tftp 10.x.2.100 <filename>

Process for upgrading flash areas is similar
Switch# copy tftp flash 10.x.2.100 <filename> <flash_area>

Figure 3-12: Configuring IP services: Back up to TFTP server

The process for backing up configuration files to a TFTP server is quite similar to the
process for backing up to a USB drive. TFTP is a UDP service that enables the
transfer of files between hosts in an IP network. As such, it provides a subset of the
functionality found in FTP, which is a TCP service.
As shown in Figure 3-12, the TFTP process also uses the copy command, with the IP
address of the TFTP server entered as one parameter. To restore a file from the TFTP
server, simply reverse the order of the parameters immediately following copy, as in:
Switch# copy tftp startup-config 10.x.2.100 <filename>
As shown, you can also upgrade software using a file from a TFTP server, using
syntax similar to the syntax for downloading software from a USB drive.
For higher levels of security, E-Series switches also support Secure Copy Protocol
(SCP) and Secure FTP (SFTP), which depend upon Secure Shell (SSH). You will learn
more about all three technologies in the next module.

Copying command output to a TFTP server

E-Series switches enable you to redirect CLI command output to TFTP servers or USB drives
Switch# copy command-output "show tech" tftp <ip_address> <filename>

Can be useful for troubleshooting or offline evaluation
show tech command (used in example) provides extensive information about switch status
Multiple scrolling pages are difficult to evaluate at CLI

Figure 3-13: Copying command output to a TFTP server

The copy command enables you to redirect command output to a TFTP server, USB
drive, or X-Modem transfer, using the syntax shown in Figure 3-13. This can be very
useful for troubleshooting or other offline evaluation of the switch's state.

Using show tech

In Figure 3-13, the first example redirects the output of the show tech command. The
show tech command executes a series of show commands at the CLI and displays
their output sequentially. As well as showing the configuration, the show tech output
includes information about installed modules, interface status, logged events, and
other items. Consequently, the output of the command can run for several pages and
can be difficult to evaluate by scrolling through the CLI.
In the example, the copy command-output option sends the output to a text file on a
TFTP server. Captured in this way, the output can be readily evaluated or shared with
other users or HP networking support.

Exploring remote management

[Screenshot: web browser interface of an E5400 zl switch running software version K.15.XX]

Figure 3-14: Exploring remote management

Now that IP networking is configured on all of your switches, you can manage your
switches over IP connections as well as the serial console. E-Series switches support
three types of remote access:

Web management. All E-Series switches feature an embedded web server that
provides graphical access to many basic configuration and monitoring
parameters but is not as feature-rich as the CLI. The web interface is protected
by the same operator and manager passwords as the CLI. For higher security,
the interface supports Secure Sockets Layer (SSL), an industry standard
technology for encrypted communications over the web. You can disable the
web interface by entering no web-management plaintext in the global
configuration context.
The example shown in the slide is the web browser interface running on an HP
E5406 zl switch. With the K.15.XX switch software release, the Web browser
interface on this switch and other ProVision ASIC switches was updated. The
Web agent included in K.15.XX and above improves usability, making this
interface even easier to navigate and use.

Telnet/SSH. E-Series switches feature embedded Telnet and Secure Shell (SSH)
servers that provide access to the same CLI as the serial console. By default, the
Telnet server is enabled, and the SSH server is disabled. You can disable the
Telnet interface by entering no telnet-server in the global configuration context.

PCM and PCM+. Most current E-Series switches can be accessed through HP
PCM and PCM+.


Troubleshooting connectivity: Tools

Can this device reach Device B?
Switch# ping <IP address | hostname>

When this device cannot reach a device in a different subnet, which device drops the traffic?
Switch# traceroute <IP address | hostname>

On which port does this device reach a particular IP address or MAC address?
Switch# show arp

On which port does this device reach a particular MAC address?
Switch# show mac

Figure 3-15: Troubleshooting Connectivity - Tools

In a moment, you will complete a lab in which you configure VLANs and IP settings.
As you complete this lab, you will need to verify and possibly troubleshoot
connectivity. In fact, even as you troubleshoot more and more complicated processes
throughout this course, troubleshooting connectivity will remain a fundamental first
step.
To verify and troubleshoot connectivity, you will enter several useful commands. The
table shows the questions that these commands answer for you.

Table 1: Connectivity Troubleshooting Commands

Question: Can this device reach Device B?
Command syntax: ping <IP address | hostname>
Example output:
HP# ping 192.168.5.3
192.168.5.3 is alive, time = 7ms

Question: Which devices route the traffic to its destination? When this device cannot
reach Device B, which is in a different subnet, which is the last device to route the traffic?
Command syntax: traceroute <IP address | hostname>
Example output:
HP# traceroute 192.168.5.3
traceroute to 192.168.5.3
  1 hop min, 30 hops max, 5 sec. timeout, 30 probes
 1 10.1.1.1      0ms  0ms  0ms
 2 10.1.3.1      7ms  3ms  0ms
 3 10.1.5.1      3ms  0ms  1ms
 4 192.168.5.3   3ms  3ms  0 ms

Question: On which switch port does this device reach a particular IP address or MAC address?
Command syntax: show arp
Example output:
HP# show arp
 IP ARP table
  IP Address       MAC Address       Type    Port
  ---------------  ----------------- ------- ----
  192.168.5.3      000f1f-134679     dynamic A5

Question: On which switch port does this device reach a particular MAC address?
Command syntax: show mac
Example output:
HP# show mac
 Status and Counters - Port Address Table
  MAC Address   Located on Port
  ------------- ---------------
  000f1f-134679 A5

Note
Sometimes you will want to troubleshoot connectivity on an endpoint. You can
enter similar commands from the endpoint itself. On a Windows station, access
the command line prompt, and enter ping <IP address> or tracert <IP address>.

More information about these troubleshooting commands


The ping command sends an ICMP echo message to a destination device. If the
destination receives the ping, it sends an ICMP reply. The switch outputs the result to
the terminal, telling you whether the switch has received a reply and how long the
reply took to arrive. You can add options to tell the switch to send more pings or to
change the timeout (how long the switch waits for a reply). Use the CLI help to view
these options.
The traceroute command causes the switch to send a series of successive probes to
map the hops between the switch and the destination. First, the switch sends three
probes that are scheduled to time out after one hop. The next-hop device in the route
to the destination sees that the probes have expired and sends notifications back to
the switch. Then the switch sends three probes scheduled to time out after two hops.
The second router in the path now sends the notifications back to the switch. The
switch continues this process until the probes reach the destination. The switch outputs
to the terminal the IP address for each router in the path.
Note that the traceroute command does not show you the IP address of every device
in the path between your switch and the destination device. It shows only the devices
that route the traffic to a new subnet. Therefore, when you see that the probe times
out after a particular IP address, the problem could be on that IP address or on any
device between that IP address and the next-hop router.
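The caveat above is easier to see on a modelled path. This Python sketch is an added example, not code from this guide: the router addresses are the ones in the Table 1 traceroute output, while the device names, the Layer 2 switches and the fault on SW_B are constructed.

```python
from dataclasses import dataclass, replace


@dataclass
class Device:
    name: str
    ip: str = ""          # empty for Layer 2 switches, which never answer a probe
    routes: bool = False  # True when the device routes traffic to a new subnet
    drops: bool = False   # constructed fault: the device silently discards traffic


def send_probe(path, ttl):
    """Return the IP address that answers a probe sent with this TTL, or None."""
    *transit, destination = path
    for device in transit:
        if device.drops:
            return None                   # probe lost, nothing comes back
        if device.routes:
            ttl -= 1                      # only routing hops count against the TTL
            if ttl == 0:
                return device.ip          # this router reports that the probe expired
    return None if destination.drops else destination.ip


def traceroute(path, max_hops=30):
    """One answer per TTL; stops at the destination or at the first timeout."""
    hops = []
    for ttl in range(1, max_hops + 1):
        answer = send_probe(path, ttl)
        hops.append(answer)
        if answer is None or answer == path[-1].ip:
            break
    return hops


def suspects(path, hops):
    """Devices to inspect: the last router that answered, everything behind it,
    up to and including the next routing hop (or the destination)."""
    answered = [ip for ip in hops if ip]
    if answered and answered[-1] == path[-1].ip:
        return []                         # destination reached, nothing to chase
    last = answered[-1] if answered else None
    start = next((i for i, d in enumerate(path) if d.ip == last), 0) if last else 0
    names = []
    for device in path[start:]:
        names.append(device.name)
        if device.routes and device.ip != last:
            break
    return names


# Constructed path from the local switch to Device B; SW_B is the faulty device.
FAULTY = [
    Device("Edge_2"),
    Device("Router", "10.1.1.1", routes=True),
    Device("R2", "10.1.3.1", routes=True),
    Device("SW_B", drops=True),
    Device("R3", "10.1.5.1", routes=True),
    Device("SW_C"),
    Device("Device B", "192.168.5.3"),
]
HEALTHY = [replace(device, drops=False) for device in FAULTY]
```

With the fault in place the output stops after 10.1.3.1, yet the device at fault is a switch that traceroute can never list, which is why the VLAN checks on every device up to the next hop are part of the process.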
The show arp command displays the table that the switch uses to forward traffic at
Layer 2.


Troubleshooting connectivity: Process

[Flowchart:
ping: Can A reach B?
If no: Is B in a different subnet?
No: Check VLAN memberships (show arp, show mac, show vlan port <ID>).
Yes: Find the last device to route the traffic (traceroute). Check IP settings on this
device and the next-hop devices (show ip, show ip route). Check VLAN memberships on
all devices between this one and the next-hop (show arp, show mac, show vlan port <ID>).]

Figure 3-16: Troubleshooting Connectivity - Process

When you troubleshoot a connection, you must use the commands in a logical way
to pinpoint the problem. Above you see a process for verifying connectivity between
two devices.
1. First check whether the devices can communicate by entering the ping
   command on the first device.

2. If the devices cannot communicate, begin troubleshooting by considering
   whether the devices are in different subnets:

   a. If the devices are in the same subnet, you should check VLAN memberships
      on the switch-to-switch connections for each switch between the two devices.
      On the last switch, also check the port that connects to the destination
      device. You learned the show commands for viewing VLAN memberships
      earlier.

      Note
      In a lab, you can easily see which ports provide switch-to-switch connections. But
      in the real world, you might be managing your switches remotely. To find the port
      on switch 1 that connects to switch 2, ping switch 2's management IP address
      from switch 1. Then enter the show arp command and look for the port
      associated with switch 2's address.

   b. If the devices are in different subnets, the traffic must be routed. (You will
      learn more about routing later in this course.) Find out which is the last
      device to route the traffic. You then know that somewhere between this
      device and the next-hop in the route to the destination, a device is dropping
      the traffic. Access each of these devices, if possible, and check their IP
      settings and VLANs for mistakes.

      When you begin troubleshooting at a new device, always attempt to ping
      the destination again; if the ping now succeeds, you know that the
      destination or one of the next-hop routers cannot route return traffic to the
      original source subnet. Otherwise, look for problems with IP settings on the
      new device, and make sure that VLAN memberships are properly extended
      between this device and the next hop on the way to the destination. (You
      will learn about more ways to troubleshoot routing later in this course.)
Write the troubleshooting commands that you have learned in the front of your lab
guide. Whenever you encounter a problem in a lab, return to these tools to
troubleshoot connectivity.


Lab Activity 3
With basic configuration complete, you are now ready to prepare your switches to
support end users and other hosts. In Lab Activity 3, you will configure VLANs on all
switches and enable routing on your distribution-layer switch so that users in all
VLANs can interconnect. You will configure the switches to access IP services such as
SNTP and DNS. Finally, you will explore the web-management interface.
Consult your Lab Activity Guide for instructions for performing this activity.


Lab Activity 3 debrief
Use the space below to record your key insights and challenges from Lab Activity 3.

Challenges

Key Insights

Learning check
1. Which of the following statements correctly describes a rule for assigning VLAN
   membership to ports on an E-Series switch?
   a. A port may be a member of only one VLAN.
   b. A port may be an untagged member of at most one VLAN.
   c. A port may be a tagged member of at most one VLAN.
   d. A port that connects switches must be a member of multiple VLANs.

2. A frame enters an E-Series switch through a port that is an untagged member of
   VLAN 40 and must be forwarded through port C1, which is an untagged
   member of VLAN 1. Port C1 is an uplink port the switch uses to carry traffic for
   VLAN 40 as well as that of other VLANs. Which one of the following best
   describes what the switch does to the frame?
   a. Discard the frame.
   b. Create a new Layer 2 header and forward the frame through port C1.
   c. Add a tag to the frame that identifies it as belonging to VLAN 40.
   d. Remove the tag that was on the frame when it entered the switch.

3. A frame enters an E-Series switch through a port that is a tagged member of
   VLAN 20 and must be forwarded to a user workstation connected to the switch
   by a port that is an untagged member of VLAN 40. How does the switch handle
   the frame?
   a. Discard the frame.
   b. Create a new Layer 2 header and forward the frame to the workstation.
   c. Add a tag to the frame that identifies its destination as VLAN 40.
   d. Remove the VLAN 20 tag and forward the frame to the user.

4. What is the rule for removing ports from a VLAN on an E-Series switch?
   a. When you remove a port from a VLAN, it automatically becomes an
      untagged member of the Default VLAN.
   b. When you remove a port from a VLAN, it automatically becomes a tagged
      member of the Default VLAN.
   c. If a port is a member of only one VLAN, you cannot reverse the command
      that made the port a member of that VLAN.
   d. You cannot delete a VLAN that has port members.

Configuring Device Access Security


Module 4

Module 4 objectives
After completing this module, you will be able to:

Describe requirements for configuring Secure Shell (SSH) or HTTP over Secure
Socket Layer (HTTPS) on E-Series switches

Use Secure File Transfer Protocol (SFTP) to back up a configuration file

Define users and passwords to protect access to devices

Manage passwords on HP E-Series switches using the command line interface
(CLI) and front-panel buttons

Describe the effect of the include-credentials command on E-Series switch
functionality

Implement secure management VLAN and/or IP authorized managers to control
access to management interfaces

Implement Simple Network Management Protocol (SNMP) v1/2 and v3

Prework review activity: Physical security

What can a malicious user do if he or she has physical access to a switch?
What security measures can you take to protect the switch?
What are the trade-offs when implementing these security measures?

Figure 4-1: Physical security

You will now participate in an activity to review concepts that you learned in the
Getting Started with HP Switching and Routing WBT. In particular, you will review the
importance of physically securing switches.
What can a malicious user do if he or she has physical access to a switch?

What security measures can you take to provide physical security for the switch?

What are the trade-offs when implementing these security measures?



Management users

Users       Rights
Manager     Grants the user read-write access to the switch
Operator    Grants the user read-only access to the switch

Figure 4-2: Management users

E-Series switches support two management users:

Manager: grants the user read-write access

Operator: grants the user read-only access to the switch

When you log in as a manager, you can make changes to the switch configuration.
When you log in as an operator, you can only view information about the switch.
The operator cannot make configuration changes.


Local or centralized password protection

Figure 4-3: Local or remote authentication (panels: Local, Centralized)

E-Series switches can be configured to use either local or remote authentication
services. If you use local authentication, you configure and store passwords (and
optionally usernames) on the switch. If you use remote authentication, login
credentials are stored on an authentication server, such as a RADIUS or TACACS+
network server.
If a network administrator attempts to access a switch and passwords are configured
on the switch, the following occurs.
1. The switch prompts the administrator to enter a password (or username and
password, if a username has been configured).
2. The administrator enters the password (or username and password, if the switch
is so configured).
3. The switch grants access if the administrator enters the correct credentials; the
switch blocks access if the credentials are incorrect.
If a network administrator attempts to access a switch and remote authentication is
configured, the following occurs. (Remote authentication is also sometimes referred to
as centralized authentication.)
1. The switch prompts the administrator to enter a password (or username and
password, if a username has been configured).
2. The administrator enters the username and password.
3. The switch forwards the login credentials to the RADIUS or TACACS+ server.
4. The server validates the login credentials against its database and notifies the
switch if they match. It also notifies the switch what privilege level the
administrator should be given.
5. The switch grants the appropriate access level.


Advantages and disadvantages of remote authentication


Remote authentication has several advantages. For example, each network
administrator has a unique username and password, rather than sharing one
username and password. This helps network administrators keep login credentials
private, making it less likely that they will leak the password to unauthorized users.
In addition, you can configure login credentials once for a number of switches.
With remote authentication, you can also control Telnet, SSH, Web, and console
access separately.
Although the username and password information is transmitted between the switch
and the authentication server, both TACACS+ and RADIUS servers support
encryption for the authentication information to prevent unauthorized users from
eavesdropping to obtain passwords.
Centralized authentication has some disadvantages. Although it can save you time
because you configure login credentials once for a number of switches, it requires a
RADIUS or TACACS+ server. Configuring one of these servers is not a trivial
management task. However, many companies already have an existing RADIUS or
TACACS+ server, so this may not be a serious drawback.


Configuring passwords on the switch (local)

Manager
Switch(config)# password manager
New password for manager: ********
Please retype new password for manager: ********

Operator
Switch(config)# password operator
New password for operator: ********
Please retype new password for operator: ********

Figure 4-4: Configuring passwords on the switch (local)

The basic CLI commands for configuring a password are listed above. When you
enter the password command as shown in Figure 4-4, you are prompted to enter and
re-enter the password.
You can also enter the command with the options shown in the complete command
syntax below.
password <manager | operator | port-access> [user-name <name>] <hash-type> <password>

Optionally, you can include the user-name option and replace <name> with a name,
such as Paul, Wim, or Miriam. If you configure a username, management users will
be prompted to enter the username first when they log in.
Replace <hash-type> with either plaintext or sha-1. SHA1 is an algorithm that hashes
the password. (A hash algorithm is a security measure that ensures data integrity by
transforming the data using an authentication key and appending the transformed
data to the original data as a signature.) If you specify sha-1, you must enter the
password in hash form.
To enter a password in plain text, enter:
Switch (config)# password manager user-name Paul plaintext password

If you enter the password command in this way, you can configure a password with
a single entry. If you enter the password command as shown in Figure 4-4, you are
prompted to enter and re-enter the password you want to configure.
Passwords and usernames are case sensitive.
Note

You can configure a manager or operator password using any
of the E-Series management interfaces (CLI, Web browser
interface, or menu). If you want to configure a manager or
operator username, however, you must use either the CLI or the
Web browser interface.


After you configure management passwords, you will be prompted to enter a
password the next time you log in, as shown below.
Password:

If you enter the operator password, you will access the operator context and have
read-only rights to the switch.
Switch>

If you enter the manager password, you will access the manager-level context and
have read-write access.
Switch#

To remove a password, enter:


Switch (config)# no password manager

Or:
Switch (config)# no password operator

You can remove both passwords at once by entering:


Switch (config)# no password all

You can also clear passwords by pressing the Clear button on the front panel of the
switch (as long as this function has not been disabled).


Configuring remote authentication

Remote authentication

Control each access method separately
Switch(config)# aaa authentication telnet enable radius local
  Access method: [telnet | console | web | ssh]
  Access level: [enable | login <privilege-mode>]
  Method of authentication: [radius | tacacs | local]

Provide authentication server settings
Switch(config)# radius-server host <ip-address> <key>
  IP address of RADIUS server
  Encryption key

Figure 4-5: Remote authentication

With remote authentication, you can separately control each access method:

Telnet

SSH

Console

Web browser interface

That is, you enter commands for each access method, specifying the access level and
the primary and secondary methods of authentication.

Access level
To specify the access level, include the enable option for manager-level access and
the login option for operator-level access. For each access method, you must enter
the command twice, specifying the login option for operator in one command and
the enable option for manager in the other.

Method of authentication
You must specify how the switch verifies authentication: by contacting a RADIUS
server or a TACACS+ server, or by checking the passwords configured on the switch
(local). For each access method, you should specify a primary and secondary
authentication method. The secondary authentication method will be used if the first
authentication method is not available. For example, the switch will use the
secondary authentication method if the authentication server is temporarily down.
The default setting for the secondary authentication method is none, except when
you configure console access. For example, if you configure RADIUS authentication
for console access, local is automatically set as the secondary authentication method.
This prevents you from being locked out of the switch in the event of a failure of all
other access methods.

Authentication server settings on the switch


In addition to configuring how you want to control each access method, you need to
provide the switch with the information it needs to contact and communicate with the
authentication server that will verify each user's login credentials. You need to
configure the following:

IP address: You can specify up to three different RADIUS servers by issuing the
command three separate times with the respective IP address setting.

Key: Some authentication servers require the switch to provide a shared secret,
which is used to encrypt communications between the authentication server and
switch. Encryption prevents malicious users from eavesdropping on your
management communications.
Configuring a shared secret is optional. Contact the person who manages the
authentication server at your company to determine if a shared secret is
required.

If you are using a RADIUS server, use the following command:


Switch (config)# radius-server host <ip_address> key <string>

For TACACS+ server, enter:


Switch (config)# tacacs host <ip_address> key <string>

You will also need to contact the authentication server administrator and have him or
her configure the appropriate settings on the RADIUS or TACACS+ server.
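
The coverage rules above (two commands per access method, a secondary method for when the server is down, and a server definition) can be checked mechanically. This Python sketch is an added example, not HP code; it assumes the configuration text contains the commands in the form shown on this page, and the sample configuration and finding names are constructed.

```python
import re

ACCESS_METHODS = ("console", "telnet", "ssh", "web")
LEVELS = ("login", "enable")  # login = operator level, enable = manager level
REMOTE = ("radius", "tacacs")

# Constructed sample, using the command forms shown on this page.
SAMPLE_CONFIG = """\
aaa authentication console login radius
aaa authentication console enable radius
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
aaa authentication telnet enable radius
radius-server host 10.1.1.10 key EXAMPLE-SHARED-SECRET
"""

AAA_RE = re.compile(r"^aaa authentication (\S+) (\S+) (\S+)(?:\s+(\S+))?$")


def parse_aaa(config_text):
    """Map (access method, level) -> (primary, secondary) authentication method."""
    table = {}
    for line in config_text.splitlines():
        match = AAA_RE.match(line.strip())
        if not match:
            continue
        method, level, primary, secondary = match.groups()
        if method not in ACCESS_METHODS or level not in LEVELS:
            continue
        if secondary is None:
            # Defaults as the page describes them: none, except that console
            # access with a remote primary automatically falls back to local.
            if method == "console" and primary in REMOTE:
                secondary = "local"
            else:
                secondary = "none"
        table[(method, level)] = (primary, secondary)
    return table


def audit_aaa(config_text):
    """Return a sorted list of (access method, level, finding) tuples."""
    table = parse_aaa(config_text)
    findings = []
    for method in ACCESS_METHODS:
        for level in LEVELS:
            entry = table.get((method, level))
            if entry is None:
                # The command has to be entered once for login and once for enable.
                findings.append((method, level, "missing"))
                continue
            primary, secondary = entry
            if primary in REMOTE and secondary == "none":
                # Nothing to fall back on while the server is unreachable.
                findings.append((method, level, "no-secondary"))
    uses_radius = any("radius" in entry for entry in table.values())
    has_radius_host = re.search(r"^\s*radius-server host \S+", config_text, re.M)
    if uses_radius and not has_radius_host:
        findings.append(("radius", "-", "no-server-defined"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG):
        print(*finding)
```
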


Disable the Clear and Reset buttons

Prevent the Clear button from being used to remove usernames and passwords
Disable the hardware reset to factory defaults
Reset and Clear buttons
Figure 4-6: Disable the Clear and Reset buttons

As you discussed in the review activity at the beginning of this module, the Clear
button on the front-panel can allow unauthorized users to erase a switch password.
That user could then access the switch, define a new password, and take control of
the switch without leaving any record of this activity.
To disable the Clear button, enter:
Switch(config)# no front-panel-security password-clear

Likewise, the Reset button can be misused if a malicious user has physical access to
the switch. To disable hardware resets, enter:
Switch(config)# no front-panel-security factory-reset

When this function is disabled, pressing the Reset and Clear buttons will still reboot
the switch, but it will not erase the existing configuration.
To enable the Clear button again, enter:
Switch(config)# front-panel-security password-clear

To enable the hardware reset, enter:


Switch(config)# front-panel-security factory-reset

You can view the current settings for these buttons by entering:
Switch# show front-panel-security
Note

The front-panel security settings are stored in switch flash
memory and do not appear in the configuration file.
If you erase the startup configuration and reboot the switch, the
front-panel security settings are not restored to the default
settings. That is, the front-panel security settings you configured
previously are retained.


Password Recovery
E-Series switches support a password recovery feature, which is enabled by default.
This feature allows you to regain management access to the switch in the event that:

You lose the local manager username (if configured) or password.

The hardware reset and Clear button have been disabled.

When this situation occurs, you must contact HP Customer Care to acquire a one-time-use password.

Disable USB Port


You may also want to disable the USB port to prevent anyone from loading software
through this port.
Switch(config)# no usb-port


Saving passwords and other security settings in configuration files

Save security settings in configuration files: the include-credentials command

Advantages
Experiment with security settings and view them
Upload a configuration file to another switch, without reconfiguring security settings
Test different security settings by booting to different config files

Disadvantages
Less secure

Figure 4-7: The include-credentials command

When you configure a management password on an E-Series switch, it is stored in
internal flash by default. These security settings are not included in the configuration
file. Other security settings, such as the following, are also stored in internal flash:

Simple Network Management Protocol (SNMP) security credentials, including
authentication and privacy passwords

Port-access passwords and usernames, which are used as 802.1X authentication
credentials for management access

Secure Shell (SSH) public keys, which are used to authenticate SSH clients

Simple Network Time Protocol (SNTP) authentication settings

(For a complete list of these security settings, see the switch Access Security Guide.)
You can configure the switch to include these security settings in configuration files.
At the global configuration context, enter:
Switch (config)# include-credentials
Note

Once the include-credentials command has been entered,
passwords are displayed by default in encrypted format in
configuration files.


Limiting managers by IP address

Limit managers by IP address
At default settings, any IP address may be the source of management traffic

To restrict access:
Switch(config)# ip authorized-managers 10.1.1.0 255.255.255.0

Figure 4-8: Limit managers by IP address

E-Series switches enable you to define a range of IP addresses for stations that will be
allowed to access switch management features. Figure 4-8 shows commands that
enable access from a range of addresses, but you can also enter individual IP
addresses.
Furthermore, you can set different IP address restrictions for manager and operator
access. For instance, to ensure that only VLAN 1 users can gain manager access,
you could enter
ip authorized-managers 10.1.1.0 255.255.255.0 access manager. To
grant operator access to VLAN 40 users, you could enter ip authorized-managers
10.1.40.0 255.255.255.0 access operator. For even more granular control, you can
specify address ranges for specific access methods, such as Telnet or web.
After these commands are entered, hosts outside these ranges will not be able to
start management sessions or even to successfully ping the switch. Consequently, if
you are unable to contact a switch, it is recommended you ensure that you are using
a permitted station.
To remove an authorized manager IP entry, negate the original entry with the no ip
auth <ip-address> <mask> command.
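
Before applying authorized-manager entries, it helps to confirm which stations they will admit, since a station outside the ranges loses management access entirely. The following Python example is added here and is not HP code; it assumes that an entry without a mask names a single station, that an entry without the access option grants manager access, and that overlapping entries are read as the most privileged match, none of which this page states.

```python
import ipaddress

# Constructed sample built from the two commands quoted in the text above.
SAMPLE_CONFIG = """\
ip authorized-managers 10.1.1.0 255.255.255.0 access manager
ip authorized-managers 10.1.40.0 255.255.255.0 access operator
"""

RANK = {"operator": 1, "manager": 2}


def parse_authorized_managers(config_text):
    """Return [(network, access level)] from ip authorized-managers lines."""
    entries = []
    for line in config_text.splitlines():
        words = line.split()
        if len(words) < 3 or words[:2] != ["ip", "authorized-managers"]:
            continue
        address = words[2]
        mask = "255.255.255.255"  # assumption: no mask means one station
        if len(words) > 3 and words[3] != "access":
            mask = words[3]
        level = "manager"  # assumption: default level when "access" is omitted
        if "access" in words[3:]:
            position = words.index("access", 3)
            if position + 1 < len(words) and words[position + 1] in RANK:
                level = words[position + 1]
        network = ipaddress.ip_network(f"{address}/{mask}", strict=False)
        entries.append((network, level))
    return entries


def access_for(source_ip, entries):
    """Most privileged level any matching entry grants, or None if blocked."""
    if not entries:
        # Default settings: any IP address may be the source of management traffic.
        return "unrestricted"
    address = ipaddress.ip_address(source_ip)
    levels = [level for network, level in entries if address in network]
    if not levels:
        return None
    return max(levels, key=RANK.get)


def stations_locked_out(stations, config_text, needed="manager"):
    """List the stations that would not receive the needed access level."""
    entries = parse_authorized_managers(config_text)
    blocked = []
    for station in stations:
        granted = access_for(station, entries)
        if granted == "unrestricted":
            continue
        if granted is None or RANK[granted] < RANK[needed]:
            blocked.append(station)
    return blocked


if __name__ == "__main__":
    # Constructed inventory of administrator workstations.
    admins = ["10.1.1.25", "10.1.40.7", "10.1.99.3"]
    print("Would lose manager access:", stations_locked_out(admins, SAMPLE_CONFIG))
```
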


Secure management VLAN

Secure management VLAN
Limits switch access to ports assigned to the management VLAN
Isolates the management VLAN from user VLANs


Switch(config)# management-vlan <vlan_id>

Figure 4-9: Secure management VLAN

To further protect management access to the switch, you can configure a secure
management VLAN. The switch will then grant management access only to stations
that have an IP address in the same subnet as the secure management VLAN. The
secure management VLAN applies to all access methods, including Telnet, SSH,
HTTP, HTTPS, or SNMP.
The switch will not route traffic from user VLANs to the secure management VLAN.
This isolates the management VLAN from user VLANs, preventing users from seeing
or accessing management traffic.
Before you enter the management-vlan command, you must create the VLAN on the
switch. For best security practices, you should not use VLAN 1 as the secure
management VLAN.
Why do you think you should avoid using VLAN 1 as the secure management
VLAN?

Prework review activity: Secure management

Secure management options include:
SSH
HTTPS

How do these protocols make your network more secure?

What tasks must you complete to implement these protocols?

Figure 4-10: Secure management

You are deploying an HP E-Series solution, and the customer has told you that their
security policies require secure device management. You know that this means that
you must implement Secure Shell (SSH) and HTTP over Secure Sockets Layer (SSL)
(HTTPS).
How do these protocols make the network more secure? And what tasks must you
complete to implement each secure management option on an HP E-Series switch?

Enabling SSH

Generate a public/private key pair:
Switch(config)# crypto key generate ssh rsa bits <size>

Enable SSH
Switch(config)# ip ssh

Disable Telnet (optional)
Switch(config)# no telnet-server

Useful show commands

Determine if SSH is enabled:
Switch# show ip ssh

Display the switch's public key:
Switch# show crypto host-public-key

Figure 4-11: Enabling SSH

To access the switch using SSH, you must generate a public/private key pair on the
switch. When you enter the crypto key generate ssh rsa command, the switch's
public-private key pair is generated and stored in flash memory. It will survive any
factory reset operation you may perform. Note that only the public key of this key
pair is readable.
After you generate the public/private key pair, you can enable SSH by entering the
ip ssh command.
To access the switch using SSH, you need an SSH client, such as PuTTY. When you
attempt to connect to the switch, the switch uses the SSH key pair, along with a
dynamically generated session key, to negotiate an encryption method and session
parameters with your SSH client. Some clients let you install the switch's public key on
them in advance; otherwise, you will need to accept the key the first time that you
connect to the switch.
To verify whether SSH is enabled, you can use the show ip ssh command.
You can display the switch's public key by entering the show crypto host-public-key
command.

Disabling Telnet
After you have verified SSH access, you should strongly consider disabling Telnet. In
this way, you force management users to use the more secure management protocol.
Enter this command:
Switch(config)# no telnet-server


Enabling SSL

Configuring SSL
1. Generate a public/private key pair.
Switch(config)# crypto key generate cert [rsa] <512|768|1024>

2. Generate a self-signed certificate or install a CA certificate.
Switch(config)# crypto host-cert generate self-signed

3. Enable SSL
Switch(config)# web-management ssl

4. Disable HTTP access (optional).
Switch(config)# no web-management

Figure 4-12: Configuring SSL

If you prefer to manage your E-Series switch using its Web browser interface, you
can access it securely using HTTPS. To use HTTPS, you must implement SSL by
completing these main steps:
1. Create an SSL public/private key pair, using the command shown in the figure
   above.

2. Generate a self-signed certificate or install a CA certificate.

   Self-signed: You can easily generate a self-signed certificate, using the
   command shown in the figure above. You will be prompted to provide the
   following information: a validity start and end date, common name,
   organizational unit, organization, city, state, and country code.
   After you enter this information, the self-signed certificate is automatically
   installed on the switch.

   CA certificate: You can purchase a Certificate Authority (CA)-signed
   certificate. A CA is a third party that verifies the switch's identity. If you
   select this option, you must:

      Use the switch's Web browser interface to create a certificate request
      file.

      Send this request file to the CA to be signed.

      Use the switch's Web browser interface to install the CA-signed
      certificate on the switch.

   (For more information about installing a CA certificate, check your switch
   documentation.)

3. Enable SSL on the switch, using the web-management ssl command.

You only need to create the SSL public/private key pair once (unless you use the
crypto key zeroize cert command to remove the key pair). The certificate, however,
must be replaced when the validity end date is reached.

Disabling HTTP
After you have verified that you have HTTPS access to the switch, you should again
consider disabling HTTP. Enter this command:
Switch(config)# no web-management


Configuring SFTP

Secure file transfers by:

Enabling SSH

Enabling SFTP:
Switch(config)# ip ssh filetransfer

TFTP is automatically disabled.

Figure 4-13: Configuring SFTP (diagram labels: SFTP client, SSH, SFTP, Internet)

In addition to securing your management session, you should ensure that your file
transfers are encrypted, particularly if you manage a switch remotely. SFTP uses the
SSH protocol to prevent malicious users from eavesdropping on file transfers.
SFTP requires the SSH protocol, so you must first enable that on the switch. You can
then enable SFTP by entering:
Switch (config)# ip ssh filetransfer

You must use an SFTP client to transfer files to and from the switch.
Enabling SFTP automatically disables TFTP.


SNMP overview

Figure 4-14: SNMP

SNMP allows you to centrally manage a variety of devices, such as switches,
routers, access points, and servers, on an IP network. Depending on the capabilities
of the SNMP server and the SNMP-capable devices, you can gather information
about devices and even network traffic. You can then use this information in network
planning and troubleshooting. You can also deploy software updates more easily
and apply uniform management and security policies across all your network
devices.
SNMP uses a server/agent model; the SNMP server communicates with SNMP
agents that reside on managed devices. The server and agent use Message
Information Bases (MIBs) to define the object identifiers (OIDs) for the information
and variables that they communicate. For example, the MIB might define the OID for
a device's IP address. The server could read the IP address object and discover the
device's address, or it could write to the object and change the IP address.
Of course, the SNMP solution hides these details from you. You typically navigate
through the information in a graphical user interface (GUI), in which you can also
implement actions and policies. You will learn about an HP SNMP solution, PCM,
later in this course.
There are three versions of SNMP: v1, v2c, and v3. For your purposes, they differ
primarily in terms of security. SNMPv1/v2c use communities that are plaintext strings
that function much like passwords. With the correct read-only community name, an
SNMP server can read information on managed devices; with the correct read-write
community name, the server can read and write to that information.


SNMPv3 allows you to create multiple users. Each user is assigned to a group that
defines to which objects he or she has read or read/write access. In addition, each
user can have his or her own authentication key and encryption key, which hash and
encrypt management traffic to keep it secure. The section below provides more
details about SNMP if you are interested.

SNMP reference

SNMPv1 and v2c: SNMPv1 was the original standard and, as described above,
it defined read-only and read-write communities to control access between the
SNMP server and agents on managed devices.
SNMPv2c supports all the functions provided in SNMP and adds some
enhancements. For example, SNMPv2c adds two new operations: GetBulk and
Inform. The GetBulk operation is used to efficiently retrieve large blocks of data.
The Inform operation allows one network management system to send trap
information to another network management system and to then receive a
response.
SNMP versions 1 and 2 use three community strings, which provide three access
levels:

Read-only: This community string limits the SNMP server's rights to read
only. (To access this information, the SNMP server uses the Get and
GetNext functions.)

Read-write: This community provides read and write access to SNMP
functions. With this community, the SNMP server can make configuration
changes on the SNMP-managed devices, using the Set operation.

Trap: A trap allows the managed device to send an unsolicited update to
the SNMP server. The managed device sends the update in response to an
internally generated alarm, without being prompted by the SNMP server.
In this access level, the SNMP agent sends only the traps that you specify to
the SNMP server; the SNMP server receives the trap information but is not
allowed to access other information about the SNMP agent, unless you
grant the SNMP server an additional access level (such as a read-write
community).

SNMP-compliant devices typically use public as the default read-only community
and private as the default read-write community. Because many organizations
do not change these default settings, their managed devices and SNMP servers
are vulnerable to hackers.
In addition, SNMP v1 and v2 do not include security measures to protect the
data exchanged between the SNMP agent and the SNMP server: neither the
packets nor the community strings are encrypted, and no message integrity
measures are provided.


SNMPv3: SNMPv3 addresses the security flaws in SNMP v1 and v2 by
incorporating data authentication and encryption to protect SNMP packets:

Authentication: SNMPv3 uses usernames and passwords to determine who
can and cannot gain the read-write access necessary to modify information.
When the user provides his or her authentication password, the password is
converted into a localized key. This key, the SNMP engine timestamp, and
the actual message are compressed into a message digest and forwarded
with the packet to provide integrity authentication. Therefore, an
unauthorized user cannot alter the message in transit.

Privacy: Along with the username and authentication password, each user
is given a privacy password, which is used to encrypt the message packet.
SNMP v3 uses encryption algorithms to encrypt the localized key and the
SNMP packet.

Security levels: SNMP v3 also provides three optional security levels which
determine whether the data integrity and encryption described above are
used:

noAuthNoPriv: This level does not provide authentication or privacy
and is, therefore, not recommended.

AuthNoPriv: This level provides authentication but no privacy.

AuthPriv: This level provides both authentication and privacy.
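
The key handling described under Authentication above, worked through in Python as an added example (not code from the guide or from HP): the password is stretched and localized to one engine following RFC 3414, and the resulting key produces the truncated HMAC carried with each message. The password and first engine ID are the RFC 3414 test vector; the second engine ID, the PDU text and the flat message layout are constructed stand-ins for a real BER-encoded packet.

```python
"""SNMPv3 USM authentication keys and message digests (RFC 3414), MD5 or SHA-1."""
import hashlib
import hmac
import struct

STRETCH_BYTES = 1_048_576  # RFC 3414 A.2: hash exactly 1 MiB of repeated password


def password_to_key(password: bytes, hash_name: str = "sha1") -> bytes:
    """Turn the user's authentication password into the intermediate key Ku."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rest = divmod(STRETCH_BYTES, len(password))
    return hashlib.new(hash_name, password * reps + password[:rest]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Bind Ku to one SNMP engine: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Password -> Ku -> Kul for one engine, in a single call."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def build_message(engine_id: bytes, boots: int, engine_time: int, pdu: bytes) -> bytes:
    """Constructed stand-in for an SNMPv3 message (real ones are BER-encoded).

    It carries the fields the digest has to protect: the engine ID, the
    engine's boot counter and timestamp, and the PDU.
    """
    header = bytes([len(engine_id)]) + engine_id
    return header + struct.pack("!II", boots, engine_time) + pdu


def message_digest(kul: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC over the whole message, truncated to 96 bits as in HMAC-SHA-96."""
    return hmac.new(kul, message, hash_name).digest()[:12]


def verify(kul: bytes, message: bytes, received: bytes, hash_name: str = "sha1") -> bool:
    """Receiver side: recompute the digest and compare in constant time."""
    return hmac.compare_digest(message_digest(kul, message, hash_name), received)


if __name__ == "__main__":
    password = b"maplesyrup"                               # RFC 3414 A.3 test password
    engine_a = bytes.fromhex("000000000000000000000002")   # RFC 3414 A.3 engine ID
    engine_b = bytes.fromhex("000000000000000000000003")   # constructed second switch
    kul_a = localized_key(password, engine_a)
    print("Kul on engine A:", kul_a.hex())
    print("Kul on engine B:", localized_key(password, engine_b).hex())

    msg = build_message(engine_a, boots=7, engine_time=4242, pdu=b"set sysContact=noc")
    tag = message_digest(kul_a, msg)
    altered = msg.replace(b"noc", b"abc")                  # change made in transit
    print("untouched:", verify(kul_a, msg, tag), " altered:", verify(kul_a, altered, tag))
```

Because the key is localized per engine, the same password yields a different key on every switch, so a key recovered from one device does not authenticate to another.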


Configure SNMP v2c communities

Read-only community
Switch(config)# snmp-server community <community_string> operator restricted

Read-write community
Switch(config)# snmp-server community <community_string> manager unrestricted

SNMP trap
Switch(config)# snmp-server host <ip_address> <community name>

Figure 4-15: Configure SNMPv2c

To configure SNMP v2c settings, use the commands outlined above.
The restricted option gives a server that uses this community string read-only access
to MIBs. The unrestricted option gives read-write access. The operator option, on the
other hand, gives access to all MIBs except the CONFIG MIB while the manager
option gives access to all MIBs. Thus the community string in the first command gives
read-only access to all MIBs on the switch except the CONFIG MIB while the string
in the second command gives read-write access to all MIBs.
The community strings that you configure on the switch must match exactly those
configured on the SNMP server.
You will practice configuring these settings later in the training when you
complete the lab for Module 9: Managing and Monitoring SMB Networks with HP
PCM.


Enable SNMPv3 and create a username

Enable SNMPv3
Switch(config)# snmpv3 enable

Configure a username and password
Switch(config)# snmpv3 user <username> [auth <md5|sha> <auth-pwd> priv <des|aes> <priv-pwd>]

Example:
Switch(config)# snmpv3 user Miriam auth sha securepass priv aes securepass

Figure 4-16: Enable SNMPv3 and create a username


SNMPv3 allows you to configure multiple management users with highly
customizable rights. The simplest strategy, and the one least prone to errors, is to
specify a user with complete read-write access to your infrastructure devices.
You must first enable SNMPv3.
Note
When you enter the snmpv3 enable command, you will be prompted to create
an initial user. This initial user can be downgraded and provided with fewer
features but not upgraded by adding new features. For this reason it is
recommended that when you enable SNMPv3, you also create a second user
with SHA authentication and DES privacy. (See the switch documentation for
more information.)

Once you enable SNMPv3, you can create a username and password, specifying
authentication and encryption algorithms.
Although an in-depth discussion of encryption algorithms is outside of the scope of
this course, you should know that for authentication, SHA-1 is more secure than MD5.
For privacy, AES is more secure than DES. (For more information about SNMPv3, see the
switch documentation.)


Assign the username rights

Assign the username to an SNMPv3 group
Switch(config)# snmpv3 group <group_name> user <username> secmodel ver3

Group names for SNMPv3 users include:
managerpriv
managerauth
operatorauth
operatornoauth

Figure 4-17: Assign the username to an SNMPv3 group

You must assign the username to one of the SNMP groups defined on the switch. This
is done using the snmpv3 group command.

Switch(config)# snmpv3 group <group_name> user <username> secmodel ver3

Note
You can also specify ver2c or ver1 for the secmodel. However, these options are
primarily intended to define the privileges associated with SNMPv1 and
SNMPv2c communities.

The group you select not only determines the type of security that is enforced but also
the rights the user has. The switch defines eight groups, but only four are intended for
SNMPv3 users:

managerpriv: The user must have privacy and authentication passwords and
has read-write access to all objects.
managerauth: The user must have an authentication password and has
read-write access to all objects.
operatorauth: The user must have an authentication password and has
read-only access to all objects (except write access to discovery objects).
operatornoauth: The user does not have to authenticate and has read-only
access to all objects (except write access to discovery objects).
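
A check for the SNMPv2c community settings and the SNMPv3 user and group choices covered above, as an added example that is not part of the original guide or of any HP tool. It reads commands in the forms this module shows and flags default community strings, read-write communities, MD5 or DES users, and group assignments that need no authentication; the finding names, the second community string, the trap host address and the sample configuration are constructed for illustration.

```python
"""Audit ProVision-style SNMP commands against the guidance in this module."""
import shlex

DEFAULT_COMMUNITIES = {"public", "private"}
# SNMPv3 group -> (authentication password required, privacy password required)
V3_GROUPS = {
    "managerpriv": (True, True),
    "managerauth": (True, False),
    "operatorauth": (True, False),
    "operatornoauth": (False, False),
}


def audit(config_text):
    """Return findings as (line_number, finding_id, detail), in config order."""
    findings, users = [], {}
    for num, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line.lower().startswith(("snmp-server ", "snmpv3 ")):
            continue
        try:
            tok = shlex.split(line)          # drops the quotes around names
        except ValueError:                   # unbalanced quote: fall back
            tok = line.split()
        low = [t.lower() for t in tok]
        head = low[:2]

        if head == ["snmp-server", "community"] and len(tok) > 2:
            name, opts = tok[2], set(low[3:])
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append((num, "default-community", name))
            if "unrestricted" in opts:       # read-write: the Set operation works
                scope = ("all MIBs" if "manager" in opts
                         else "all MIBs except the CONFIG MIB" if "operator" in opts
                         else "MIB scope not stated")
                findings.append((num, "v2c-read-write", f"{name}: {scope}"))

        elif head == ["snmp-server", "host"] and len(tok) > 3:
            if tok[3].lower() in DEFAULT_COMMUNITIES:
                findings.append((num, "default-community", tok[3]))

        elif head == ["snmpv3", "user"] and len(tok) > 2:
            rest = low[3:]                   # [auth <alg> <pwd> [priv <alg> <pwd>]]
            auth = rest[1] if len(rest) >= 3 and rest[0] == "auth" else None
            priv = rest[4] if len(rest) >= 6 and rest[3] == "priv" else None
            users[tok[2]] = (auth, priv)
            if auth is None:
                findings.append((num, "v3-no-auth", tok[2]))
            elif auth == "md5":              # the guide rates SHA-1 above MD5
                findings.append((num, "v3-md5", tok[2]))
            if priv is None:
                findings.append((num, "v3-no-priv", tok[2]))
            elif priv == "des":              # the guide rates AES above DES
                findings.append((num, "v3-des", tok[2]))

        elif head == ["snmpv3", "group"] and len(tok) >= 5 and low[3] == "user":
            group, user = low[2], tok[4]
            if group == "operatornoauth":    # noAuthNoPriv: not recommended
                findings.append((num, "v3-noauth-group", user))
            need_auth, need_priv = V3_GROUPS.get(group, (False, False))
            auth, priv = users.get(user, (None, None))
            if (need_auth and auth is None) or (need_priv and priv is None):
                findings.append((num, "v3-group-mismatch", f"{user} in {group}"))
    return findings


# Constructed sample input, written in the command forms shown in this module.
SAMPLE_CONFIG = "\n".join([
    'snmp-server community "public" operator restricted',
    'snmp-server community "Net0ps-RW" manager unrestricted',
    'snmp-server host 10.1.1.50 "public"',
    "snmpv3 enable",
    "snmpv3 user Miriam auth sha securepass priv aes securepass",
    "snmpv3 user legacy auth md5 oldpass priv des oldpass",
    "snmpv3 user probe",
    "snmpv3 group managerpriv user Miriam secmodel ver3",
    "snmpv3 group managerpriv user probe secmodel ver3",
    "snmpv3 group operatornoauth user probe secmodel ver3",
])

# SNMPv3 only, with the guide's own example user in the authPriv group.
HARDENED_CONFIG = "\n".join([
    "snmpv3 enable",
    "snmpv3 user Miriam auth sha securepass priv aes securepass",
    "snmpv3 group managerpriv user Miriam secmodel ver3",
])

if __name__ == "__main__":
    for num, finding, detail in audit(SAMPLE_CONFIG):
        print(f"line {num:2}: {finding:18} {detail}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```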


Lab 4 Activity preview


Lab 4 Activity
In Lab Activity 4, you will:
1. Configure usernames and passwords for local authentication
2. Enable SSH access
3. Enable HTTPS access
4. Secure management VLAN
5. Limit manager access to specific IP address ranges

Figure 4-18: Lab 4 Activity preview

In Lab 4 activity, you will continue to configure the SMB's network. Like most
companies today, this company is concerned about security. The company's
executives are following your recommendation to secure switches in a locked room
and are considering video monitoring for tighter security.
In this lab, you will begin implementing other security measures to control
management access to the switch. First, you will configure usernames and passwords.
You will also enable secure protocols so that management sessions will be encrypted.
Finally, you will control management access by enabling a secure management
VLAN and by limiting managers to a specific IP address range.
After you complete these settings, you will disable the password, the secure
management VLAN, and the limit on management access to a specific IP address range.
Although these security measures are vital in a production network, they are typically
not necessary or convenient in a lab environment. Disabling these features will allow
you to focus on configuring other switch features.


Lab Activity 4 debrief


Use the space below to record your key Insights and challenges from Lab Activity 4.

Debrief for Lab Activity 4


Challenges

Key Insights


Learning check
After each module, your facilitator will lead a class discussion to capture key insights
and challenges from the module and accompanying lab activity. To prepare for the
discussion, answer each of the questions below.
1. Which are secure management protocols? (Select 3.)
   a. SNMPv2c
   b. SSH
   c. HTTP
   d. Telnet
   e. SNMPv3
   f. HTTPS

2. What protocol must be enabled before you can enable and use SFTP?
   a. SSH
   b. SSL
   c. TFTP
   d. FTP

3. What steps must you take before you can access the switch using HTTPS?
   _____________________________________________________________________

4. What are the two types of SNMPv2c communities?
   _____________________________________________________________________


Configuring Link Aggregation


Module 5

Module 5 objectives
After completing Module 5 of HP Access Layer Network Technologies using
ProVision Software, you will be able to:

Describe the rules and requirements for port trunking on HP E-Series switches

Given a network design, configure port trunks using the HP E-Series CLI

Verify and monitor trunk configurations using the HP E-Series CLI

Describe the rules for VLAN membership of port trunks, including the impact of
trunk configuration on the VLAN configurations of individual ports

Prework review activity: Link aggregation


In this activity, you will draft 1-3 quiz questions that will be used to review topics in
link aggregation from the prework. Use the next several pages to record your
questions and to take notes.
1. _____________________________________________________________________
_______________________________________________________________________
2. _____________________________________________________________________
_______________________________________________________________________
3. _____________________________________________________________________
_______________________________________________________________________
Technical and business value of link aggregation
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________


Lab activity preview

Figure 5-1: Lab Activity 5 preview (topology diagram: a Core switch and Floors 1 through 6)


The lab for this module builds on the topology that you established in earlier labs.
As in the previous labs, you are establishing the network for a Small to Medium
Business (SMB) with six floors, each of which has a server closet with three access
layer switches and one distribution layer switch. The distribution switches will all
connect to a core switch. Each edge switch supports about 20 users.
Where would you plan aggregated links? How many links would you aggregate in
each group? Consider the number of ports that are available and the amount of
traffic that you expect on each switch-to-switch connection.

Lab activity preview: Configuring link aggregation

During Lab Activity 5, you will:
1. Configure static trunks on your edge switches and distribution switch
2. Verify trunk configuration
3. Analyze the effect of trunk configuration on VLAN membership
4. Examine load sharing

Figure 5-2: Lab activity preview: Configuring link aggregation

Lab Activity 5 will focus on the steps and procedures necessary to configure link
aggregation on HP E-Series switches.

Final lab topology

Figure 5- 3: Final lab topology

By the end of Lab Activity 5, Edge_1 and Edge_2 both will be connected to your
group's Router by a two-port trunk. All other topology elements will be unchanged.

Configuring port trunking

Edge_1(config)# trunk ?
 [ethernet] PORT-LIST  Specify the ports that are to be added to/removed
                       from a trunk.
Edge_1(config)# trunk 21,22 ?
 trk1                  Trunk group 1
 trk2                  Trunk group 2
 ...
Edge_1(config)# trunk 21,22 trk1 ?
 trunk                 Do not use any protocol to create or maintain the
                       trunk.
 lacp                  Use IEEE 802.1ad Link Aggregation protocol.
 <cr>
Edge_1(config)# trunk 21,22 trk1 lacp

The trunk command is used to create an HP port trunk or LACP port trunk
trk1, trk2, etc. are fixed label names for trunks

Figure 5-4: Configuring port trunking

To enable static port trunking from the CLI, issue the trunk command at the global
configuration level. As shown in Figure 5-4, the trunk command must be followed by:

A list of the ports that will be aggregated

A name for the trunk

The type of trunk (HP trunk or LACP). If no option is entered, the trunk will default
to an HP trunk.

It is not necessary for trunk ports to be contiguous; any ports of the same speed can
be included. A list of contiguous ports can be defined by a hyphen, as in trunk 21-22
trk1 lacp. A list of non-contiguous ports should be separated by commas, as in
trunk 19,21,23 trk1 lacp.

Choosing a trunking protocol


Because it is a widely used standard, static LACP is the preferred trunking method
when the switch on the other side of the link supports LACP. However, HP Port
Trunking can be suitable for situations when the other switch does not support LACP
or when its trunking support is unknown. Because it does not rely on a protocol, HP
Port Trunking often will interoperate with other trunking configurations.
The primary advantage of dynamic LACP is support for standby links, which means
the trunk can be configured with links that will become active if other links in the
trunk fail. However, the implementation of dynamic LACP limits other configuration
options for the ports in the trunk. For instance, ports in a dynamic LACP trunk cannot
be configured with non-default Spanning Tree settings. The dynamic LACP trunk also
cannot be configured for membership in static VLANs. For more information on these
issues, see the Management and Configuration Guide for your switch.


HP E-Series trunking support


Trunking support on HP E-Series switches varies among switch models and classes of
switches. The ProVision ASIC switches, including the E3500, E5400 zl, and E8200
zl, support 144 trunks with eight ports per trunk with software version K.14.10 or later
installed. The software used in this course (K.13.63) supports up to 60 trunks. By
contrast, the E2610 and E2910 al support 24 trunks with four ports per trunk. For
more information on trunking support, see the Management and Configuration
Guide for your switch.


How port trunking affects VLAN membership

Before creating the trunk, port 21 is a tagged member of VLAN 10:

Edge_1# show run
...
vlan 10
   name "VLAN10"
   tagged 21
...

Create trunk with ports 21 and 22:

Edge_1(config)# trunk 21-22 trk1 lacp

After trunk creation, Trk1 becomes an untagged member of the default VLAN.
Port 21 is no longer assigned to VLAN 10 and 22 is no longer assigned to VLAN 1:

Edge_1# show run
vlan 1
   name "DEFAULT_VLAN"
   untagged 2-20,23-24,Trk1
   ip address 10.1.1.2 255.255.255.0
   no untagged 1
   exit

Trk1 must be assigned as a tagged member of VLAN 10:

Edge_1(config)# vlan 10 tagged trk1

Figure 5-5: How port trunking affects VLAN membership

When a port trunk is defined on an HP E-Series switch, its VLAN status is the same as
the default status for an individual port, that is, the trunk is an untagged member of
VLAN 1, the Default VLAN. Consequently, the non-default VLAN status of ports
added to the trunk will be deleted.
Figure 5-5 illustrates the effect. Before being added to trk1, port 21 was a tagged
member of VLAN 10. The trunk, however, does not include this configuration.
Consequently, the trunk will not carry traffic for users in VLAN 10.
This problem is easily remedied by the final step in the figure, when the administrator
adds the entire trunk to VLAN 10 as a tagged member.
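
The behaviour in Figure 5-5, modeled in Python as an added example (not part of the original guide): given VLAN stanzas in the show run layout used above, it works out which memberships a new trunk drops and which vlan commands put them back on the trunk. It goes beyond the figure by handling lettered ports and untagged memberships; the configuration text is constructed to match the figure, and the untagged restore command is assumed to follow the same form as the tagged one shown on the page.

```python
"""Model what creating a port trunk does to VLAN membership (Figure 5-5)."""
import re
from copy import deepcopy


def expand_ports(port_list):
    """'2-4,23,Trk1' -> ['2', '3', '4', '23', 'trk1']; 'a1-a3' also works."""
    ports = []
    for item in port_list.lower().replace(" ", "").split(","):
        rng = re.fullmatch(r"([a-z]?)(\d+)-\1(\d+)", item)
        if rng:
            prefix, first, last = rng.group(1), int(rng.group(2)), int(rng.group(3))
            ports += [f"{prefix}{n}" for n in range(first, last + 1)]
        elif item:
            ports.append(item)
    return ports


def parse_vlans(running_config):
    """Read 'vlan N' stanzas into {N: {'tagged': set, 'untagged': set}}."""
    vlans, current = {}, None
    for raw in running_config.splitlines():
        tok = raw.split()
        if len(tok) == 2 and tok[0] == "vlan" and tok[1].isdigit():
            current = vlans.setdefault(int(tok[1]), {"tagged": set(), "untagged": set()})
        elif tok[:1] == ["exit"]:
            current = None
        elif current is not None and len(tok) == 2 and tok[0] in current:
            current[tok[0]].update(expand_ports(tok[1]))
    return vlans


def plan_trunk(vlans, port_list, trunk, default_vlan=1):
    """Return (vlans_after, lost, commands, review) for 'trunk <ports> <trunk>'.

    lost     memberships the member ports held that the trunk does not inherit
    commands vlan commands that restore them on the trunk
    review   commands that need a decision before they are entered
    """
    members, trunk = set(expand_ports(port_list)), trunk.lower()
    after, lost = deepcopy(vlans), []
    for vid in sorted(after):
        for mode in ("untagged", "tagged"):
            hit = after[vid][mode] & members
            after[vid][mode] -= members          # member ports leave every VLAN
            if hit and not (vid == default_vlan and mode == "untagged"):
                lost.append((vid, mode, sorted(hit)))
    # The new trunk starts like a default port: untagged in the default VLAN only.
    after.setdefault(default_vlan, {"tagged": set(), "untagged": set()})
    after[default_vlan]["untagged"].add(trunk)

    commands, review = [], []
    for vid, mode, ports in lost:
        cmd = f"vlan {vid} {mode} {trunk}"       # form shown on the page for 'tagged'
        # The trunk is one logical port and can be untagged in only one VLAN, so an
        # untagged membership held by just some members is left for a person to decide.
        partial_untagged = mode == "untagged" and set(ports) != members
        (review if partial_untagged else commands).append(cmd)
    return after, lost, commands, review


# Constructed running-config excerpt matching the "before" state of Figure 5-5.
BEFORE_CONFIG = """\
vlan 1
   name "DEFAULT_VLAN"
   untagged 2-24
   ip address 10.1.1.2 255.255.255.0
   no untagged 1
   exit
vlan 10
   name "VLAN10"
   tagged 21
   exit
"""

if __name__ == "__main__":
    after, lost, commands, review = plan_trunk(parse_vlans(BEFORE_CONFIG), "21-22", "trk1")
    for vid, mode, ports in lost:
        print(f"VLAN {vid}: {mode} membership of port(s) {','.join(ports)} is dropped")
    print("VLAN 1 untagged after trunk:", sorted(after[1]["untagged"]))
    print("restore with:", commands, " review:", review)
```

Running the plan before entering the trunk command shows which VLANs will stop being carried on the link, so the restore commands can be entered in the same change window.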

Viewing trunk status

Edge_1(config)# show trunk

 Load Balancing

  Port | Name                             Type      | Group Type
  ---- + -------------------------------- --------- + ----- ----
  21   | Router                           100/1000T | Trk1  LACP
  22   | Router_2                         100/1000T | Trk1  LACP

Router(config)# show trunk

 Load Balancing

  Port | Name                             Type      | Group Type
  ---- + -------------------------------- --------- + ----- ----
  A1   | Edge_1                           100/1000T | Trk1  LACP
  A2   | Edge_1_2                         100/1000T | Trk1  LACP

Figure 5-6: Viewing trunk status

The show trunk command is the basic tool for examining trunk configuration on HP
E-Series switches. In Figure 5-6, both sides of the trunk use the same trunk type.
However, if they were not the same, each side of the trunk would distribute outbound
traffic according to its own configuration.
Because the trunks on both of these switches are static, their status will be the same
whether or not they are connected. The status of dynamic trunks will change if they
are not connected.
Note that friendly names have been defined for all ports in the trunks.

Examining load sharing

show interface display provides dynamic display of port activity

Figure 5-7: Examining load sharing

The show interface display command provides a dynamic display of all port activity,
including the activity on ports assigned to trunks. In Figure 5-7, the output shows
activity for ports assigned to Trk1 on an E3500 switch.


Lab Activity 5
Like many contemporary enterprises, this SMB sometimes experiences high levels of
network traffic due to bandwidth-intensive applications such as streaming video. In
Lab Activity 5, you will configure and troubleshoot trunking to increase the capacity
of switch-to-switch links.
Consult your Lab Activity Guide for instructions for performing this activity.


Lab Activity 5 debrief


Use the space below to record your Key Insights and Challenges from Lab Activity 5.

Table 5-1: Debrief for Lab Activity 5


Challenges

Key Insights


Learning check
After each module, your facilitator will lead a class discussion to capture key insights
and challenges from the module and accompanying lab activity. To prepare for the
discussion, answer each of the questions below.
1. On an HP E5406 zl switch, port A1 is a tagged member of VLAN 10 and an
   untagged member of VLAN 1. Port A2 is an untagged member of VLAN 1 and
   a tagged member of VLAN 20. How will the following command affect the
   VLAN status of these ports?
   HP Switch E5406 zl(config)# trunk a1-a2 trk1
   a. The trunk will be a member only of VLAN 1.
   b. The trunk will be a tagged member of VLAN 10 and an untagged member
      of VLAN 1.
   c. The trunk will be a tagged member of VLAN 10 and 20 and an untagged
      member of VLAN 1.
   d. The trunk will be an untagged member of VLAN 1. The individual ports will
      maintain their tagged membership in other VLANs.

2. What is the criterion used to share loads across ports in a trunk configured on an
   HP E-Series switch?
   a. Layer 2 or Layer 3 conversation
   b. TCP or UDP port number
   c. bandwidth saturation of each link
   d. negotiation with switch on the other side of the link

3. What is the advantage of configuring a static LACP trunk instead of a dynamic
   LACP trunk on an HP E-Series switch?
   a. The static trunk supports standby links.
   b. The static trunk offers true load balancing.
   c. The static trunk supports more configuration options.
   d. The static trunk enables ports with different speeds to be included in the
      trunk.

4. What is the rule for naming a trunk on an HP E-Series switch?
   a. The trunk must use one of the predefined names, such as Trk5, in the order
      listed in the CLI.
   b. The trunk must use one of the predefined names, such as Trk5, in the CLI,
      but they can be assigned in any order.
   c. The trunk can be assigned a friendly name using the name command that is
      also used to assign a name to an individual port.
   d. The trunk must include the trunk type, LACP or trunk, in its name.

5. What is a difference between HP Port Trunking and static LACP?
   a. HP Port Trunking allows more ports to be included in the trunk.
   b. HP Port Trunking supports media types and speeds.
   c. HP Port Trunking does not use a protocol.
   d. HP Port Trunking supports more configuration options for technologies such
      as Spanning Tree and VLANs.

Configuring Spanning Tree


Module 6

Module 6 objectives
After completing Module 6, you will be able to:

Configure and enable RSTP on E-Series switches

Configure bridge priority on E-Series switches

View Spanning Tree configuration and operation details

Configure Spanning Tree to avoid isolating VLANs if a link is blocked

Verify single-instance RSTP configuration

Given a network design, configure MSTP to ensure switches will be part of the
correct MST region

Verify MSTP configuration

Prework review activity: Spanning Tree


In this activity, you will explore a question distributed by your facilitator. After
developing an answer, you will give a brief presentation to the class.

Lab activity 6 preview

[Figure: lab topology with four switches: Router, Edge_1, Edge_2 and Edge_3]

Figure 6-1: Lab activity 6 preview


In the previous lab, you increased capacity for the SMB by creating aggregated
links. These links also provided a degree of redundancy: if one link in the
aggregation group fails, the other links continue to provide connectivity.
However, this SMB, like most companies, relies on the network to conduct business.
Currently, if one switch fails, all switches downstream of it lose their connections to
the rest of the network. The SMB needs better redundancy, so you decide to connect
every switch to two switches, as shown in the figure.
Note
All switch-to-switch links in the figure are Gbps links.

Because this topology introduces loops, you will implement MSTP. Work with your
partner to plan the MSTP solution. For now, you will only implement one instance of
MSTP, so the solution will function like RSTP:
1. Select the root bridge and the secondary root and label those switches with their
   roles. Also mark the priority for all four switches.
2. Label each port with its role:
   Root
   Designated
   Alternate
   Backup
3. X out the link next to blocked ports (alternate or backup role).
4. Discuss the advantages and disadvantages of your solution:


Lab activity preview: Configuring single-instance Spanning Tree
During Lab Activity 6.1, you will:
1. Configure single-instance Spanning Tree on all four
switches and connect redundant links
2. Evaluate the forwarding path
3. Verify connectivity and failover
Figure 6-2: Lab activity preview: Configuring single-instance Spanning Tree


Final lab topology



Figure 6-3: Final lab topology

By the end of Lab Activity 6.1 and 6.2, you will have configured and verified
single-instance and multiple-instance Spanning Tree on all of your switches. You will add
two redundant links that will connect Edge_3 with Edge_1, and Edge_2 with Edge_1.

Steps in single-instance configuration
1. Choose redundant links
2. Configure VLAN membership for all switch-to-switch links
3. Set Bridge Priority for all switches
4. Enable Spanning Tree
5. Connect redundant links
6. Verify using show spanning-tree command
Figure 6-4: Steps in single-instance configuration

The steps for configuring E-Series switches to interoperate with RSTP switches in
single-instance Spanning Trees are fairly straightforward. After planning for link
redundancy, configure VLANs, set Bridge Priority, and enable the protocol. You
could change the order of these steps by, for instance, setting Bridge Priority before
configuring VLAN membership.
However, it is crucial to not connect redundant links until the protocol is enabled. If
you connect the links prematurely, a broadcast storm can result, which can degrade
the performance of your switches.

Setting Bridge Priority
Bridge Priority for RSTP/MSTP switches is set in increments of 4096

To set priority to 4096:
Switch(config)# spanning-tree priority 1

To set priority to 8192:
Switch(config)# spanning-tree priority 2

To return to default of 32768:
Switch(config)# spanning-tree priority 8

Figure 6-5: Setting Bridge Priority

As described in the prework, it is recommended that you set Bridge Priority to ensure
that the correct switches are elected as Root Bridge and backup Root Bridge in your
topology. If Bridge Priorities are left at their default values, the Root Bridge will be
selected according to MAC address, which may result in the election of a switch at
the network edge. This can result in an inefficient forwarding path.
Figure 6-5 shows the command for setting Bridge Priority, which is set in increments
of 4096. On E-Series switches, the maximum value for the spanning-tree priority
command is 15, which translates to a priority value of 61440.
Note
This command does not enable Spanning Tree.
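
The election rule described above, worked through as an added example that is not part of the original course material: bridge IDs are compared by priority first and MAC address second, and the lowest wins. The Router, Edge_1 and Edge_2 MAC addresses are the ones shown in this module's show spanning-tree figures; the Edge_3 address is a constructed placeholder and the function names are hypothetical.

```python
"""Root Bridge election with ProVision priority multipliers (lowest bridge ID wins)."""
from __future__ import annotations

PRIORITY_STEP = 4096      # Bridge Priority is set in increments of 4096
DEFAULT_MULTIPLIER = 8    # `spanning-tree priority 8` -> 32768, the default

# MAC addresses as shown in this module's show spanning-tree figures.
LAB_MACS = {
    "Router": "0017a4-742700",
    "Edge_1": "001635-b65040",
    "Edge_2": "0019bb-aea640",
    "Edge_3": "001b3f-000003",   # constructed placeholder, not from the page
}


def bridge_priority(multiplier: int) -> int:
    """Translate the `spanning-tree priority` argument into the priority value."""
    if not 0 <= multiplier <= 15:
        raise ValueError(f"multiplier must be 0-15, got {multiplier}")
    return multiplier * PRIORITY_STEP


def mac_to_int(mac: str) -> int:
    """Parse a MAC written in ProVision notation (xxxxxx-xxxxxx)."""
    digits = mac.replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def election_order(multipliers: dict[str, int]) -> list[str]:
    """Order the lab switches from best to worst bridge ID.

    Priority is compared first and MAC address second; switches missing
    from `multipliers` keep the default priority.
    """
    def bridge_id(name: str) -> tuple[int, int]:
        mult = multipliers.get(name, DEFAULT_MULTIPLIER)
        return (bridge_priority(mult), mac_to_int(LAB_MACS[name]))
    return sorted(LAB_MACS, key=bridge_id)


def review(multipliers: dict[str, int], root: str, backup: str) -> list[str]:
    """Compare the election outcome with the planned Root and backup Root."""
    order = election_order(multipliers)
    problems = []
    if order[0] != root:
        problems.append(f"{order[0]} wins the election, not {root}")
    if order[1] != backup:
        problems.append(f"{order[1]} is next in line, not {backup}")
    prio = [bridge_priority(multipliers.get(n, DEFAULT_MULTIPLIER)) for n in order]
    if prio[0] == prio[1] or prio[1] == prio[2]:
        problems.append("Root or backup Root is decided by MAC address tie-break")
    return problems


if __name__ == "__main__":
    # Defaults everywhere, Router only, and Router plus Edge_2 as backup.
    for plan in ({}, {"Router": 1}, {"Router": 1, "Edge_2": 2}):
        print(plan, election_order(plan), review(plan, "Router", "Edge_2"))
```

With every switch left at the default, Edge_1 wins on MAC address alone, which is the edge-switch outcome the text warns about.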


Enabling Spanning Tree
To enable Spanning Tree:
Switch(config)# spanning-tree

Default STP version on most current E-Series switches is MSTP
Switches will function like RSTP switches because only IST is defined


Figure 6-6: Enabling Spanning Tree

On E-Series switches, you enable Spanning Tree by entering the spanning-tree
command at the global configuration level. MSTP is the default STP protocol on most
current E-Series switches. However, the switches will function like RSTP switches
and interoperate with standards-compliant RSTP switches from other vendors
because only the IST has been defined.
To enable MSTP operation, you must define other MST configuration parameters that
will be described later in this module.

Spanning Tree details for Root Bridge
Router(config)# show spanning-tree

 Multiple Spanning Tree (MST) Information

  STP Enabled   : Yes
  Force Version : MSTP-operation
  IST Mapped VLANs : 1-4094
  Switch MAC Address : 0017a4-742700
  Switch Priority    : 4096
  Max Age  : 20
  Max Hops : 20
  Forward Delay : 15

  Topology Change Count  : 13
  Time Since Last Change : 2 mins

  CST Root MAC Address : 0017a4-742700
  CST Root Priority    : 4096
  CST Root Path Cost   : 0
  CST Root Port        : This switch is root

  Port Type      Cost      Priority State      : Designated Bridge
  ---- --------- --------- -------- ---------- + -----------------
  Trk1 100/1000T 20000     128      Forwarding : 0017a4-742700
  Trk2 100/1000T 20000     128      Forwarding : 0017a4-742700

Slide callouts:
IST Mapped VLANs: All VLANs in IST
Switch Priority: Bridge Priority is set to 1
Designated Bridge column: Root Bridge is Designated Bridge for its locally connected links

Figure 6-7: Spanning Tree details for Root Bridge

The show spanning-tree command enables you to verify your Spanning Tree
configuration. In Figure 6-7, an administrator has entered show spanning-tree to view
the configuration on the Router, which is the Root Bridge for this example network.
The output indicates that MSTP is enabled, but also shows that all VLANs are
assigned to the IST. The Bridge Priority is set to 4096, indicating that the priority was
set to 1 when the spanning-tree priority command was entered.
Because this is the Root Bridge, all switch-to-switch links are in the forwarding state.
For both links, Trk1 and Trk2, the Root Bridge is the Designated Bridge, as is
indicated by the MAC address, which matches the Switch MAC Address.

Spanning Tree details for non-Root Bridge
Edge_2(config)# show spanning-tree
...
  IST Mapped VLANs : 1-4094
  Switch MAC Address : 0019bb-aea640
  Switch Priority    : 8192
  Max Age  : 20
  Max Hops : 20
  Forward Delay : 15

  Topology Change Count  : 10
  Time Since Last Change : 8 mins

  CST Root MAC Address : 0017a4-742700
  CST Root Priority    : 4096
  CST Root Path Cost   : 20000
  CST Root Port        : Trk1
...
  Port Type      Cost      Priority State      : Designated Bridge
  ---- --------- --------- -------- ---------- + -----------------
  23   100/1000T 20000     128      Blocking   : 001635-b65040
  24   100/1000T 20000     128      Forwarding : 0019bb-aea640
  Trk1 100/1000T 20000     128      Forwarding : 0017a4-742700

Slide callouts:
IST Mapped VLANs: All VLANs in IST
Switch Priority: Bridge Priority is set to 2
CST Root fields: Root Bridge Indicators

Figure 6-8: Spanning Tree details for non-Root Bridge

In Figure 6-8, the administrator views the Spanning Tree configuration for Edge_2 in
the SMB network. The output indicates that the switch is connected to the Root Bridge
by Trk1. The CST Root MAC Address indicates the Root Bridge is the Router.
Each of the switch-to-switch links indicates a different Designated Bridge because
each is connected to a different switch. One of the switch's redundant links, port 23,
is in the blocking state.

Lab Activity 6.1


Network administrators at the SMB are concerned about the effect that network
outages caused by downed switches, broken cables, or disconnected ports could
have on network performance. To ensure that critical network services remain
available while outages are resolved, you will establish redundant links between the
switches in your location. But first you must configure single-instance Spanning Tree
on the switches to ensure that loops do not cause problems.
Consult your Lab Activity Guide for instructions for performing this activity.


Lab Activity 6.1 debrief


Use the space below to record your Key Insights and Challenges from Lab
Activity 6.1.

Table 6-1: Debrief for Lab Activity 6.1


Challenges

Key Insights


Lab activity preview: Configuring Multiple Spanning Tree
During Lab Activity 6.2, you will:
1. Configure MSTP on all four switches
2. Evaluate forwarding paths for two instances
3. Verify connectivity and failover


Figure 6-9: Lab activity preview: Configuring Multiple Spanning Tree


Steps in MSTP configuration
1. Configure region parameters
   config-name and config-revision
2. Assign VLANs to instances
   Unassigned VLANs will remain in IST
3. Set Bridge Priority for each instance
4. Verify using show spanning-tree commands
Figure 6-10: Steps in MSTP configuration

To enable MSTP operation on E-Series switches, you must configure several more
parameters, including:
1. The config-name and config-revision
2. The VLAN-to-instance mappings
3. Bridge Priority for each instance
After configuring all parameters, you will use show spanning-tree commands to
verify your setup.

MST configuration parameters
Define an MST region identity for the switch
Edge_1(config)# spanning-tree config-name hp
Edge_1(config)# spanning-tree config-revision 1

Associate user VLANs with MST instances
Edge_1(config)# spanning-tree instance 1 vlan 10 20
Edge_1(config)# spanning-tree instance 2 vlan 30 40

Figure 6-11: MST configuration parameters

MST configuration parameters are defined by entering the spanning-tree command in
the global configuration context, as shown in Figure 6-11. To enable proper MSTP
operation, all parameters must match on all switches.
In the lab topology, VLANs 10 and 20 will be assigned to Instance 1. VLANs 20 and
30 will be assigned to Instance 2. VLAN 1 will remain in the IST.

Bridge Priority for MST instances
Bridge Priority may be defined for each Spanning Tree instance

To define priorities for two MST bridges in the same region:
Edge_1(config)# spanning-tree instance 1 priority 1
Edge_1(config)# spanning-tree instance 2 priority 2
Edge_2(config)# spanning-tree instance 2 priority 1
Edge_2(config)# spanning-tree instance 1 priority 2

Figure 6-12: Bridge Priority for MST instances

In MSTP, Bridge Priorities are set using the same increments used to set priorities for
RSTP operation. That is, each increment in the priority value (1-15) increases the
configured priority value by 4096.
In Figure 6-12, an administrator sets Bridge Priorities for two instances. Edge_1 will
have the highest priority in Instance 1, and Edge_2 will have the highest priority in
Instance 2. This will help to ensure that each instance uses a different forwarding
path, which will ensure efficient use of links.
Another configuration option is to make routing switches the Root Bridges in all
instances. This is the approach that you will take in the lab.

Viewing MST configuration
Edge_1(config)# show spanning-tree mst-config

 MST Configuration Identifier Information

  MST Configuration Name : hp
  MST Configuration Revision : 1
  MST Configuration Digest : 0xE821CCEE7501115289B37C79A72E07C9

  IST Mapped VLANs : 1-9,11-19,21-29,31-39,41-4094

  Instance ID Mapped VLANs
  ----------- ---------------------------------------------------------
  1           10,30
  2           20,40

Figure 6-13: Viewing MST configuration

To view the configured MST parameters, use the show spanning-tree mst-config
command as shown in Figure 6-13. In this example, the administrator views the
configuration details for the Edge_1 switch on one of the SMB's floors. The output
shows the configuration name, the configuration digest, and the VLANs that are
mapped to each instance, including the IST. Note that the IST includes all VLANs not
specifically mapped to another instance.
The output also includes the MST Configuration Digest, a value that each switch
computes on the basis of the VLAN-to-instance mappings. Like other configuration
parameters, this value must be identical on all switches in an MST region.

MSTP enhancement in E-Series switches


Some E-Series switches, including the ProVision ASIC switches, enable you to
configure VLAN-to-instance mappings for VLANs not yet configured on the switch. In
an infrastructure where all switches support this feature, it enables administrators to
configure identical mappings on all devices, and then configure actual VLANs as
needed. However, these pre-configured VLANs will appear in the MST configuration.
Consequently, they will result in configuration mismatches if some switches in an MST
region do not support the feature.
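
How a mapping difference turns into a region mismatch, as an added example that is not part of the original course material: it computes the Configuration Digest the way IEEE 802.1Q defines it (HMAC-MD5 over the 4096-entry VLAN-to-instance table) and compares region identities. The three switch settings are constructed, the function names are hypothetical, and the example makes no claim to reproduce the digest value printed in Figure 6-13.

```python
"""MST region identity: name, revision and the Configuration Digest."""
from __future__ import annotations

import hashlib
import hmac
import struct

# Fixed signature key that IEEE 802.1Q defines for the Configuration Digest.
DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def vid_table(instance_vlans: dict[int, list[int]]) -> list[int]:
    """Build table[vid] = instance ID for VIDs 0-4095.

    VLANs that are not listed stay in the IST (instance 0). Entries 0 and
    4095 are not usable VLAN IDs and are always 0.
    """
    table = [0] * 4096
    for instance, vlans in instance_vlans.items():
        if not 1 <= instance <= 4094:
            raise ValueError(f"invalid instance ID {instance}")
        for vid in vlans:
            if not 1 <= vid <= 4094:
                raise ValueError(f"invalid VLAN ID {vid}")
            if table[vid] not in (0, instance):
                raise ValueError(f"VLAN {vid} is mapped to two instances")
            table[vid] = instance
    return table


def config_digest(instance_vlans: dict[int, list[int]]) -> str:
    """HMAC-MD5 over the table packed as 4096 big-endian 16-bit values."""
    packed = struct.pack(">4096H", *vid_table(instance_vlans))
    return hmac.new(DIGEST_KEY, packed, hashlib.md5).hexdigest().upper()


def region_mismatches(a: dict, b: dict) -> list[str]:
    """List which parts of the region identity differ between two switches."""
    diffs = []
    if a["config_name"] != b["config_name"]:
        diffs.append("config-name")
    if a["config_revision"] != b["config_revision"]:
        diffs.append("config-revision")
    if config_digest(a["instances"]) != config_digest(b["instances"]):
        diffs.append("digest")
    return diffs


# Constructed switch settings. All use the name and revision from the page;
# the first two VLAN mappings are the ones shown in Figure 6-11 and Figure 6-13.
SWITCH_A = {"config_name": "hp", "config_revision": 1,
            "instances": {1: [10, 20], 2: [30, 40]}}
SWITCH_B = {"config_name": "hp", "config_revision": 1,
            "instances": {1: [10, 30], 2: [20, 40]}}
# A switch that also pre-maps a VLAN the others do not list (VLAN 50 is a
# constructed value) ends up with a different digest as well.
SWITCH_C = {"config_name": "hp", "config_revision": 1,
            "instances": {1: [10, 20, 50], 2: [30, 40]}}

if __name__ == "__main__":
    for label, other in (("A vs B", SWITCH_B), ("A vs C", SWITCH_C)):
        print(label, region_mismatches(SWITCH_A, other))
```

Matching name and revision are not enough: any difference in the mapping table, including a pre-configured VLAN on only some switches, changes the digest and puts the switches in different regions.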


Viewing MST instance forwarding paths
Edge_1(config)# show spanning-tree instance 1

 MST Instance Information

  Instance ID : 1
  Mapped VLANs : 10,30
  Switch Priority : 4096

  Topology Change Count  : 37
  Time Since Last Change : 4 mins

  Regional Root MAC Address : 001635-b65040
  Regional Root Priority    : 4096
  Regional Root Path Cost   : 0
  Regional Root Port        : This switch is root
  Remaining Hops            : 20

                                                           Designated
  Port  Type      Cost      Priority Role       State      Bridge
  ----- --------- --------- -------- ---------- ---------- -------------
  1     100/1000T 200000    0        Designated Forwarding 001635-b65040
  ...
  23    100/1000T 20000     0        Designated Forwarding 001635-b65040
  24    100/1000T 20000     0        Designated Forwarding 001635-b65040
  Trk1            20000     0        Designated Forwarding 001635-b65040

Slide callouts:
Switch Priority: Instance priority
Regional Root fields: Root Bridge Indicators

Figure 6-14: Viewing MST instance forwarding paths

To view details for an MST instance, issue the show spanning-tree command with the
instance ID, as shown in Figure 6-14. The ID can be IST or CST, as well as the
identifier for an MST instance.
In this example, the administrator views Instance 1 details for Edge_1, which is the
Root Bridge for the instance. Consequently, all switch-to-switch links are in the
forwarding state.

Troubleshooting MSTP
Use the show spanning-tree command to create a network map with this information:
Blocked and forwarding ports
Root and designated ports
Root priorities
Port costs
Look for reasons why the topology differs from the expected topology.

[Figure: overlaid show spanning-tree instance 1 output from switches A, B, C and D]

If you have not configured MSTP correctly, segments of the network might become
isolated or certain hosts might lose connectivity. At the very least, your switches might
not be able to use the most efficient path for forwarding traffic.
You can troubleshoot by constructing a map of the network topology and comparing
it to the desired topology. Then you can look for reasons why the MSTP
implementation is not functioning correctly.

Use the show spanning-tree command to create your map of the topology. You
should obtain this information:
Every switch's root priority on each instance
Every switch port's status (blocking or forwarding)
Every forwarding switch port's role (root or designated)
Every switch port's cost
Root bridge switches

Once you know which links are forwarding and which are blocking, you can look for
configuration errors or ways to adjust the topology to create a more efficient traffic
flow.

Troubleshooting MSTP

Symptom                                     Possible problem
Two switches claim to be root bridge in     Physical links might have failed between them.
the same instance.
The wrong switch is root.                   Priorities might be configured incorrectly.
The wrong ports are designated.             Port costs might be configured incorrectly.
Traffic is not reaching its destination.    Tagging on the forwarding ports is incorrect.
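
One way to automate the map-and-compare procedure above, as an added example that is not part of the original course material: it parses show spanning-tree output from several switches and reports the first three symptoms from the table (tagging is not visible in this output and is not checked). The Router and Edge_2 samples are retyped from Figures 6-7 and 6-8 with assumed column spacing, the isolated Edge_2 case is constructed, and the function names are hypothetical.

```python
"""Audit `show spanning-tree` output from several switches against the plan."""
from __future__ import annotations

import re

# Retyped from Figures 6-7 and 6-8; the exact column spacing is an assumption.
ROUTER = """\
 Switch MAC Address : 0017a4-742700
 Switch Priority : 4096
 CST Root MAC Address : 0017a4-742700
 CST Root Priority : 4096
 CST Root Path Cost : 0
 CST Root Port : This switch is root

 Port Type      Cost  Priority State      : Designated Bridge
 ---- --------- ----- -------- ---------- + -----------------
 Trk1 100/1000T 20000 128      Forwarding : 0017a4-742700
 Trk2 100/1000T 20000 128      Forwarding : 0017a4-742700
"""
EDGE_2 = """\
 Switch MAC Address : 0019bb-aea640
 Switch Priority : 8192
 CST Root MAC Address : 0017a4-742700
 CST Root Priority : 4096
 CST Root Path Cost : 20000
 CST Root Port : Trk1

 Port Type      Cost  Priority State      : Designated Bridge
 ---- --------- ----- -------- ---------- + -----------------
 23   100/1000T 20000 128      Blocking   : 001635-b65040
 24   100/1000T 20000 128      Forwarding : 0019bb-aea640
 Trk1 100/1000T 20000 128      Forwarding : 0017a4-742700
"""
# Constructed failure case: Edge_2 has lost its path to the Router and
# considers itself the root, so nothing is blocked.
EDGE_2_ISOLATED = (
    EDGE_2.replace("CST Root MAC Address : 0017a4-742700",
                   "CST Root MAC Address : 0019bb-aea640")
    .replace("CST Root Port : Trk1", "CST Root Port : This switch is root")
    .replace("Blocking", "Forwarding"))

EXPECTED_ROOT = "0017a4-742700"          # the Router
EXPECTED_BLOCKED = {"Edge_2": {"23"}}    # planned blocking ports per switch

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\S.*?)\s*$")
PORT = re.compile(
    r"^\s*(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\w+)\s*[:|]\s*"
    r"([0-9a-f]{6}-[0-9a-f]{6})\s*$", re.IGNORECASE)


def parse(text: str) -> tuple[dict, dict]:
    """Return (summary fields, port rows keyed by port name)."""
    fields, ports = {}, {}
    for line in text.splitlines():
        if "Designated Bridge" in line:      # port table header
            continue
        row = PORT.match(line)
        if row:
            ports[row[1]] = {"type": row[2], "cost": int(row[3]),
                             "priority": int(row[4]), "state": row[5],
                             "designated_bridge": row[6]}
            continue
        field = FIELD.match(line)
        if field:
            fields[field[1]] = field[2]
    return fields, ports


def audit(outputs: dict[str, str], expected_root: str,
          expected_blocked: dict[str, set[str]]) -> list[str]:
    """Compare each switch's view with the plan; return findings as text."""
    findings, claimants, roots = [], [], set()
    for name, text in outputs.items():
        fields, ports = parse(text)
        roots.add(fields["CST Root MAC Address"])
        if fields["CST Root MAC Address"] == fields["Switch MAC Address"]:
            claimants.append(name)
        blocked = {p for p, row in ports.items() if row["state"] == "Blocking"}
        planned = expected_blocked.get(name, set())
        if blocked != planned:
            findings.append(
                f"{name}: blocking {sorted(blocked)}, plan says {sorted(planned)}; "
                "the wrong ports are designated, check port costs")
    if len(claimants) > 1:
        findings.append(f"{', '.join(claimants)} each claim to be root; "
                        "check the physical links between them")
    elif roots != {expected_root}:
        findings.append(f"root is {', '.join(sorted(roots))}, plan says "
                        f"{expected_root}; the wrong switch is root, check priorities")
    return findings


if __name__ == "__main__":
    for case in (EDGE_2, EDGE_2_ISOLATED):
        print(audit({"Router": ROUTER, "Edge_2": case},
                    EXPECTED_ROOT, EXPECTED_BLOCKED))
```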


Lab Activity 6.2


In complex networking topologies, MSTP often is preferable to single-instance
Spanning Tree because MSTP topologies can be designed to ensure that all links are
used to forward traffic for some VLANs, even if they are blocked for others. In this
lab, you will convert from a single-instance topology to a multiple-instance topology
and evaluate the effects of this change on network behavior.
Consult your Lab Activity Guide for instructions for performing this activity.


Lab Activity 6.2 debrief


Use the space below to record your Key Insights and Challenges from Lab
Activity 6.2.

Table 6-2: Debrief for Lab Activity 6.2


Challenges

Key Insights


Learning check
After each module, your facilitator will lead a class discussion to capture key insights
and challenges from the module and accompanying lab activity. To prepare for the
discussion, answer each of the questions below.
1. What is the significance of the Root Port in the display of Spanning Tree details?
   a. It is the port on the switch that has the lowest link cost.
   b. It will always be one of the highest speed ports on the switch.
   c. It is the port that leads to the lowest cost path to the Root Bridge.
   d. It will always be the lowest numbered port on the switch.

2. Which strategy will assure connectivity for users in all VLANs in a switched
   environment that uses RSTP to resolve redundant links?
   a. Statically assign all VLANs to all switch-to-switch links.
   b. For each switch-to-switch link, assign VLANs supported by switches on either
      side of the link.
   c. Make sure all switch-to-switch links carry management traffic.
   d. Configure all ports as untagged members of VLAN 1.

3. What is a benefit of deploying MSTP instead of RSTP?
   ___________________________________________________________________
   ___________________________________________________________________
   ___________________________________________________________________

4. What configuration items must be identical among all switches in the same MST
   Region? Choose all that apply.
   a. Bridge Priority
   b. Configuration name
   c. Configuration revision number
   d. Port Priority
   e. VLAN-to-instance mappings

5. What is the default Spanning Tree protocol on ProVision ASIC switches?
   a. STP
   b. RSTP
   c. MSTP
   d. PVST

6. You must configure a 5406zl switch for installation on a customer network where
   existing switches use RSTP. What is necessary to enable the 5406zl to
   participate in the Spanning Tree on this network?
   ___________________________________________________________________
   ___________________________________________________________________
   ___________________________________________________________________

Configuring IP Routing
Module 7

Module 7 objectives
After completing Module 7 of HP Access Layer Network Technologies using
ProVision Software, you will be able to:

Given a network design, configure static routes on HP E-Series switches

Use the CLI to examine and interpret IP route tables

Analyze and troubleshoot connectivity between IP networks in a routed LAN

Given a network design, configure and verify RIP at the HP E-Series CLI

Prework review activity: Routing


In this activity, you will draft 1-3 quiz questions that will be used to review topics in IP
routing from the prework.

Lab 7 activity preview: Planning IP routing

Diagram labels: Intranet Core 10.0.0.0/16; Floor 1 10.1.0.0/16; Floor 2 10.2.0.0/16;
Floor 3 10.3.0.0/16; Floor 4 10.4.0.0/16; Floor 5 10.5.0.0/16; Floor 6 10.6.0.0/16.
Close-up of Floor X (10.X.0.0/16): ProCurve Switch 5406zl; VLAN 10 (10.X.10.0/24),
VLAN 20 (10.X.20.0/24), VLAN 30 (10.X.30.0/24), VLAN 40 (10.X.40.0/24).

Figure 7-1: Lab 7 activity preview: Planning IP routing

What role does IP routing play in the SMB scenario that you have been configuring?

Where would you implement IP routing in this topology? What advantages and
disadvantages are offered by implementing routing in different areas?

Lab activity preview: Final topology

Diagram labels: Intranet Core 10.0.0.0/16; Floor 1 10.1.0.0/16; Floor 2 10.2.0.0/16;
Floor 3 10.3.0.0/16; Floor 4 10.4.0.0/16; Location 5 10.5.0.0/16; Location 6 10.6.0.0/16.
All switches shown here implement routing.

VLAN   User Group                     Address range
       Switches and network admins    10.x.1.0/24
       Server                         10.x.2.0/24
10     Marketing                      10.x.10.0/24
20     Sales                          10.x.20.0/24
30     Manufacturing                  10.x.30.0/24
40     Human resources                10.x.40.0/24

Figure 7-2: Lab activity preview: IP addressing

After routing configuration is complete, the topology for the SMB envisioned on Day
1 will be complete. All six floors will be interconnected, enabling users to exchange
data with other users, to access resources in the server VLAN, and to access the
Internet.

Lab activity preview: Configuring IP static routing

During Lab Activity 7.1, you will:
1. Modify VLAN topology to support Layer 3 connectivity between Router and Edge_2.
2. Configure Edge_2 to be default gateway for VLANs 20, 30, and 40.
3. Configure static routes.
4. Test connectivity.

Figure 7-3: Lab activity preview: Configuring IP static routing

Lab Activity 7.1 will enable you to configure and test static routes using HP E-Series
routing switches. You will begin the activity by configuring your Edge_2 switch to
perform default gateway services for VLANs 20, 30, 40. Next, you will configure
static routes enabling clients in those VLANs to access resources in VLAN 2 and
VLAN 10. After testing and confirming this configuration, you will enable and test
connectivity with the Classroom Core switch, a simulated Internet address, and other
classroom groups.

Final lab topology in your group

Figure 7-4: Final lab topology in your group

By the end of Lab Activity 7.1, your group topology will be similar to Figure 7-4. The
most important change is the configuration of routing services on Edge_2, which
will be renamed Router_2. To act as default gateway for VLANs 20, 30, and 40,
Router_2 will be configured with IP interfaces in these VLANs. Router will be
renamed Router_1 and will no longer require IP interfaces for VLANs 20, 30,
and 40.
VLANs 20, 30, and 40 will be deleted from the link between the routers. VLAN 100
will be configured to connect Router_2 and Router_1. VLAN 200 will connect
Router_1 to the Classroom Core. All switches will remain in VLAN 1 for management
connectivity.

Steps in static routing configuration

1. Restore the configuration from Lab 5
2. Modify VLAN topology to support Layer 3 connectivity between Router_1 and Router_2.
3. Configure Router_2 with IP interfaces in VLANs 20, 30, 40.
4. Enable IP routing on Router_2.
5. Configure static routes on both routers.
6. Test connectivity
   Among VLANs in your group
   With Classroom Core
   With other groups

Figure 7-5: Steps in static routing configuration


Configuring static routes

Configure static routes on Router_1 and Router_2 to enable connectivity within your
group

To enable Router_1 to forward traffic to VLANs 20, 30, and 40:
Router_1(config)# ip route 10.x.0.0/16 10.x.100.2

To enable Router_2 to forward traffic to VLANs 1, 2, and 10:
Router_2(config)# ip route 10.x.0.0/16 10.x.100.1

Figure 7-6: Configuring static routes

To enable connectivity for all VLANs in your group, you will configure static routes on
Router_1 and Router_2. In both cases, you will configure specific static routes that will
enable forwarding to other VLANs in your group. Later in this activity, you will
explore the uses of default routes in this topology.
Note that the static routes in the figure overlap locally connected routes on both
routers. It may seem that this will create a routing conflict because the routers will be
configured with two conflicting routes to the same location. For instance, Router_1
now has a locally connected route to 10.x.10.0/24 and a static route to
10.x.0.0/16. The range specified in the static route includes the range for the locally
connected route.
However, Router_1 will forward VLAN 10 traffic to Edge_1 instead of Router_2
because routers always use the most specific route in their tables (the entry with the
longest matching prefix) when route table entries conflict.
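
Added example, not part of the course material: a Python sketch of the most-specific-route lookup described above, run against both routers' tables. The group number x = 1, the /24 mask on VLAN 100, and the list of connected interfaces on each router are assumptions; the trace also shows that an address inside 10.x.0.0/16 that matches no VLAN is handed back and forth between the two overlapping static routes.

```python
import ipaddress

X = 1  # constructed group number standing in for "x" on the page


def ip(text):
    """Substitute the group number into an address written with 'x'."""
    return text.replace("x", str(X))


def net(text):
    return ipaddress.ip_network(ip(text))


# Each entry is (destination prefix, next hop); a next hop of None means
# the prefix is locally connected. The connected interfaces and the /24
# on VLAN 100 are assumptions; the two /16 statics come from the page.
TABLES = {
    "Router_1": [
        (net("10.x.1.0/24"), None),
        (net("10.x.2.0/24"), None),
        (net("10.x.10.0/24"), None),
        (net("10.x.100.0/24"), None),
        (net("10.x.0.0/16"), ip("10.x.100.2")),
    ],
    "Router_2": [
        (net("10.x.20.0/24"), None),
        (net("10.x.30.0/24"), None),
        (net("10.x.40.0/24"), None),
        (net("10.x.100.0/24"), None),
        (net("10.x.0.0/16"), ip("10.x.100.1")),
    ],
}

# Which router owns each next-hop address on VLAN 100.
OWNER = {ip("10.x.100.1"): "Router_1", ip("10.x.100.2"): "Router_2"}


def lookup(table, dst):
    """Return the matching (prefix, next_hop) with the longest prefix."""
    addr = ipaddress.ip_address(dst)
    matches = [(prefix, hop) for prefix, hop in table if addr in prefix]
    if not matches:
        return None
    return max(matches, key=lambda entry: entry[0].prefixlen)


def trace(start, dst):
    """Follow dst from router to router; report the path and the outcome."""
    path, router, visited = [], start, set()
    while router is not None:
        if router in visited:
            return path, "loop"          # same router reached twice
        visited.add(router)
        hit = lookup(TABLES[router], dst)
        if hit is None:
            return path, "no route"
        prefix, next_hop = hit
        path.append((router, str(prefix)))
        if next_hop is None:
            return path, "delivered"     # matched a connected subnet
        router = OWNER.get(next_hop)
    return path, "left topology"


if __name__ == "__main__":
    for dst in ("10.1.10.25", "10.1.30.7", "10.1.50.9", "172.16.21.21"):
        print(dst, trace("Router_1", dst))
```

The last destination has no match because the default route has not been configured at this point in the activity.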

Connecting to Classroom Core

Classroom Core switch provides links to other groups
Also supports simulated Internet IP of 172.16.21.21

To enable connectivity for Router_1 to the Classroom Core:

Configure VLAN 200 on Router_1
IP address: 10.0.200.x1/24
Add link to Classroom Core to VLAN 200 as untagged member

Configure default route
Router_1(config)# ip route 0.0.0.0/0 10.0.200.1

Figure 7-7: Connecting to Classroom Core

Of course, users connected to your VLANs will require access to resources outside
your group, which represents a single floor in the SMB building. To accomplish this
goal, you will connect Router_1 to a core switch managed by your facilitator.

Final topology connects all groups

Diagram labels: Classroom Core 10.0.200.1/24; Group 1 10.0.200.11/24;
Group 2 10.0.200.21/24; Group 3 10.0.200.31/24; Group 4 10.0.200.41/24;
Group 5 10.0.200.51/24; Group 6 10.0.200.61/24. All links untagged VLAN 200.

Figure 7-8: Final topology connects all groups

When this activity is complete, you will test connectivity to the Classroom Core
network, to the simulated Internet location, and to VLANs in other groups. All groups
will be connected to the Classroom Core by links that are untagged members of
VLAN 200.

Using Wireshark

Collects traffic
Decodes traffic
Displays information in a GUI

Commands shown in the figure:
mirror 1 port a1
interface b23-b24 monitor all both mirror 1

Figure 7-9: Using Wireshark

A packet capturing application collects traffic that arrives on a NIC, decodes the
traffic, and displays information about it in a GUI. By providing you with an in-depth
look at exactly what is happening in the network, the packet capture furnishes you
with a powerful tool for monitoring and troubleshooting. Throughout the rest of this
course, you will use Wireshark, a freely available packet capturing application, to
monitor your network at a deeper level.
To capture and analyze traffic with Wireshark, you must mirror the traffic to a NIC on
the device that runs the application. The figure shows the commands for setting up
local mirroring:
1. You must specify the mirror port to which traffic is mirrored; this is the switch port
   to which the device running Wireshark connects.
   Switch(config)# mirror <session ID> port <port ID>

2. You must also specify the monitor ports from which traffic is mirrored; these are
   ports that send or receive traffic that is interesting to you.
   Switch(config)# interface <port list> monitor all [in | out | both] mirror <session ID>

Note
The in keyword captures traffic that is received on the port, the out keyword
captures traffic sent on the port, and the both keyword captures both. The HP
E-Series devices support more mirroring capabilities, which you can learn about in
higher-level courses.


With mirroring configured, you can activate a capture on Wireshark. Select Capture
> Interface and select the Ethernet interface to which traffic is mirrored. Wireshark
displays traffic as the interface receives it:

The top pane displays a list of packets and summary information about them.
The middle pane displays the decoded data in the packet selected in the top
pane. You will see a line for each header as well as a line for the application
data (if present). You can expand the headers and view specific information in
various fields. You can also expand the application data and view it.
The bottom pane displays the specific bytes that form the data that is selected in
the middle pane.

There is much more to learn about using Wireshark, but you now know enough to
get started exploring the application yourself.


Lab Activity 7.1


Consult your Lab Activity Guide for instructions for performing this activity.
Remember to record your key insights and challenges as you perform this activity.


Lab Activity 7.1 debrief


Use the space below to record your Key Insights and Challenges from Lab
Activity 7.1.

Table 7.1: Debrief for Lab Activity 7.1


Challenges

Key Insights


Learning activity: RIP


During this activity, your lab group will develop a presentation on one section of the
following pages about Routing Information Protocol (RIP). Your facilitator will provide
more instructions.
What are the advantages of implementing a dynamic routing protocol instead of
static routes like the ones configured in Lab Activity 7.1? Relate your answer to the
SMB scenario. What are the mechanisms that dynamic routing protocols typically
have in common?

Dynamic routing

Used for more complex network topologies
Routers communicate to discover available routes and the best paths to destinations
   Information exchanged with neighbor routers
Routing topology automatically updates when changes occur
   Route tables are constantly updated to ensure best route

Diagram labels: Remote office; ISP; Main office.

Figure 7-10: Dynamic routing

Dynamic routing protocols enable routers to adjust automatically to changes in
topology. With a dynamic routing protocol configured, if a router's neighbor has
failed, it will quickly learn if other paths are available to the neighbor's networks and
update its route table accordingly.

Types of dynamic routing protocols

Interior Gateway Protocol (IGP)
   Facilitates exchange of routing information among routers under the same
   organizational control, within the same autonomous system
   Routing Information Protocol (RIP) is commonly used
   Open Shortest Path First (OSPF) is more sophisticated

Exterior Gateway Protocol (EGP)
   Facilitates exchange of routing information among routers in different
   autonomous systems
   Border Gateway Protocol v4 (BGP4), commonly used by ISPs

Diagram labels: Remote office; ISP; Main office; BGP4; RIP; OSPF.

Figure 7-11: Types of dynamic routing protocols

The two major categories of dynamic routing information exchange protocols are:
1. Interior Gateway Protocols (IGP) enable communications among routers in a
   single autonomous system, meaning they are under common administrative
   control and use the same protocol for exchanging information. Common IGPs
   are RIP and OSPF.

2. Exterior Gateway Protocols (EGP) enable communications among routers that
   are in different autonomous systems, meaning they are under different
   administrative control. A common EGP is Border Gateway Protocol (BGP).

EGPs are most commonly used by ISPs to enable connectivity between customers and
the Internet. An Internet Service Provider is likely to use a combination of interior and
exterior gateway protocols to facilitate exchange of routing information among the
routers that make up its own internal network as well as with the routers at customer
locations.

HP E-Series support
Several HP E-Series switch models, including all of the ProVision ASIC switches,
support RIP. The ProVision ASIC switches support OSPF, but a Premium License is
required to implement OSPF on the 3500yl, 5400zl, and 6660. The 8212zl supports
OSPF without a Premium License.


RIP and OSPF comparison

Distance Vector: RIP
   Router sends periodic updates to neighbor routers
   Information about remote networks is passed from router to router based on
   each router's perspective
   Convergence can be slow

Link State: OSPF
   Router reports to its neighbors the characteristics of its active connections to
   local networks
   Updates are flooded to all routers within administratively defined area
   Logical tree is built to calculate shortest path to each address range
   Enables faster convergence, detection of alternate paths after link failure
   due to possession of first-hand information

Figure 7-12: RIP and OSPF comparison

Two types of standard interior gateway protocols are commonly used in IP networks:
1. Distance-vector protocols
   Routers using these protocols integrate information into their route tables and
   re-send the resulting entries, as modified from their own perspectives. RIP is a
   common example of a distance-vector protocol.

2. Link-state protocols
   Routers using these protocols establish neighbor relationships with adjacent
   routers. Routers generate updates based on local information and send the
   updates to neighbors, who then flood updates to all their neighbors. Ideally,
   within a few milliseconds, every router in an administratively defined area has
   identical information. Each router builds a logical tree that traces out the shortest
   path to each advertised destination, using itself as the root. As a result, every
   router has a consistent picture of the network from its own perspective. OSPF is a
   common example of a link-state protocol.

While RIP and other distance-vector protocols are easier to configure than link-state
protocols, the distance-vector protocols have one serious disadvantage. Changes in
routing topology often propagate slowly because information in a router's table is
acquired from other routers that may be as many as 15 hops away.
OSPF, like other link-state protocols, avoids the convergence issues of RIP by not
relying on second-hand information. A router sends an advertisement when it
recognizes a link-state change. Along with the topology change, the update contains
the attributes of all of the router's currently active links. The router sends the
advertisement to its immediate neighbors, which are required by the protocol to
immediately flood the advertisement to all of their neighbors.


Unlike RIP routers, OSPF routers do not increment the costs as they flood updates. In
fact, an OSPF router is not permitted to make any changes to advertisements it
receives on one network before sending it out onto another network. As a result, all
of the routers in the OSPF area have a consistent picture of the connections
between all routers and networks in the area.
Each router builds a tree based on first-hand information that traces the shortest
path between itself and every router and network in the area. When a link state
changes, the router recalculates the tree based on the new information. Ideally, less
than a second passes between the time the router advertises its new state and the
time when all of the routers have found an alternate path, if one exists.

RIP update example

- Router_1 in Group 1 sends periodic updates over interface 10.0.200.0/24
  - Networks learned over that interface have metric of 16
- Core adds networks in 10.1.0.0/16 to its route table
- Core and Router_1 learn 10.2.0.0/16 and 10.3.0.0/16 from other peers

Router_1 RIP update

Network          Metric
10.1.2.0/24      1
10.1.20.0/24     2
10.2.10.0/24     16
10.3.10.0/24     16

Core route table

Destination      Gateway        Type   Metric
10.1.2.0/24      10.0.200.11    RIP    2
10.1.20.0/24     10.0.200.11    RIP    3
10.2.10.0/24     10.0.200.21    RIP    3
10.3.10.0/24     10.0.200.31    RIP    3

[Figure labels: 10.0.200.1 Core; 10.0.200.11 Router_1, Group 1; 10.0.200.21; 10.0.200.31]

Figure 7-13: RIP update example

When RIP is enabled on an interface, the router prepares an update that advertises
the address ranges in its route table. In many cases, each address range in the table
represents a network, a single broadcast domain. However, this is not always the
case. Sometimes an entry represents an address range that includes many networks,
known as a summarized network.

In the example above, Router_1 in Group 1 advertises all of its connected networks
except the network associated with the interface through which the router sends the
update. Here, the RIP update is being sent over the interface
10.0.200.11/24. Accordingly, network 10.0.200.0/24 is omitted from the update.

By default, this update occurs every 30 seconds. When this interval expires, the
router sends updates over all of its RIP-enabled interfaces.

The metric associated with each of the advertised networks is 1 for directly connected
networks and 2 or more for remote networks. While Router_1 internally associates a
metric of 0 with its locally connected networks, it advertises these networks with a
cost of 1. In some vendor implementations, the cost used internally will be 1.
However, the external cost reported is the same.

Split Horizon and Poison Reverse


By default, the ProVision ASIC switches implement poison reverse. This technology
prevents routing loops by enabling RIP routers to distinguish legitimate redundant
routes from routes that have been learned from immediate neighbors.
Before sending an update over an interface, a router using poison reverse examines
the next-hop address for each entry in its route table. If an update is being directed
to the source for a particular route, the update is sent with a metric of 16, which is
considered infinity for RIP. In this way, the poison reverse technology informs the
neighbor that it cannot reach the network in question through the local router.

An alternative to poison reverse for preventing routing loops is split horizon, which
requires a router to never advertise a route to the neighbor from which it was
learned. In general, poison reverse is preferred in multi-path networks because it
offers faster convergence times.
For information on disabling poison reverse and enabling split horizon, see the
Multicast and Routing Guide for a given HP E-Series routing switch model.
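
The following Python example is added here as an illustration and is not taken from HP's materials. It rebuilds the Router_1 update and the Core route table of Figure 7-13 under poison reverse, and shows what split horizon would send instead. The next hop 10.1.2.2 towards Router_2, Router_1's stored metrics of 3 for the other groups' networks, and the rule that a receiver stores the advertised metric plus one are assumptions chosen to match the figure.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

RIP_INFINITY = 16  # RIP metric meaning "unreachable"


@dataclass
class Route:
    prefix: str              # destination, e.g. "10.1.2.0/24"
    metric: int              # stored metric; 0 = directly connected
    next_hop: Optional[str]  # None for a connected network


def build_update(table: List[Route], out_net: str, mode: str) -> Dict[str, int]:
    """Return {prefix: advertised metric} for an update sent onto out_net.

    mode is "poison-reverse" or "split-horizon".
    """
    if mode not in ("poison-reverse", "split-horizon"):
        raise ValueError(f"unknown mode: {mode}")
    link = ip_network(out_net)
    update: Dict[str, int] = {}
    for r in table:
        if ip_network(r.prefix) == link:
            continue  # the outgoing interface's own network is omitted
        learned_here = r.next_hop is not None and ip_address(r.next_hop) in link
        if learned_here:
            if mode == "split-horizon":
                continue                     # never advertise it back
            update[r.prefix] = RIP_INFINITY  # advertise it back as unreachable
        else:
            # Connected networks are stored as 0 but advertised with cost 1.
            update[r.prefix] = max(r.metric, 1)
    return update


def apply_update(table: List[Route], update: Dict[str, int], sender: str) -> None:
    """Merge a received update into table; the receiver adds one hop per entry.

    Simplified: a route withdrawn by its own gateway is removed at once,
    without the timers a real RIP implementation would run.
    """
    by_prefix = {r.prefix: r for r in table}
    for prefix, advertised in update.items():
        metric = min(advertised + 1, RIP_INFINITY)
        current = by_prefix.get(prefix)
        if current is None:
            if metric < RIP_INFINITY:
                route = Route(prefix, metric, sender)
                table.append(route)
                by_prefix[prefix] = route
        elif current.next_hop == sender:
            if metric >= RIP_INFINITY:
                table.remove(current)  # our gateway says it is unreachable
                del by_prefix[prefix]
            else:
                current.metric = metric
        elif metric < current.metric:
            current.metric, current.next_hop = metric, sender


# Constructed from Figure 7-13. The next hop 10.1.2.2 and the stored metrics
# of 3 for 10.2.10.0/24 and 10.3.10.0/24 are assumptions, not page values.
ROUTER_1 = [
    Route("10.0.200.0/24", 0, None),
    Route("10.1.2.0/24", 0, None),
    Route("10.1.20.0/24", 2, "10.1.2.2"),
    Route("10.2.10.0/24", 3, "10.0.200.21"),
    Route("10.3.10.0/24", 3, "10.0.200.31"),
]


def core_after_update() -> List[Route]:
    """Core's table after Router_1 (10.0.200.11) sends a poison-reverse update."""
    core = [
        Route("10.0.200.0/24", 0, None),
        Route("10.2.10.0/24", 3, "10.0.200.21"),
        Route("10.3.10.0/24", 3, "10.0.200.31"),
    ]
    update = build_update(ROUTER_1, "10.0.200.0/24", "poison-reverse")
    apply_update(core, update, "10.0.200.11")
    return core


if __name__ == "__main__":
    for mode in ("poison-reverse", "split-horizon"):
        print(mode, build_update(ROUTER_1, "10.0.200.0/24", mode))
    for route in core_after_update():
        print(route)
```

Core ignores the two poisoned entries because its existing routes to those networks point at other gateways, which is why its table still shows them with metric 3.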

Redistributing routes

By default, RIP updates from HP E-Series routing switches include:
- Directly connected networks
- Routes to RIP-enabled interfaces
- Routes learned through RIP updates

You can configure RIP to:
- Redistribute static routes and OSPF routes:
    Router(rip)# redistribute [static | ospf]
- Disable redistribution of connected routes:
    Router(rip)# no redistribute connected

Figure 7-14: Redistributing routes

By default, RIP updates from HP E-Series ProVision ASIC routing switches include all
directly connected routes, as well as routes to RIP-enabled interfaces and routes
learned through RIP updates. You must manually configure the router to redistribute
static routes or routes learned through OSPF.
For example, you could enable RIP on a router that connects to an external network
using OSPF instead of RIP. You could then enable OSPF redistribution so that the
router's RIP neighbors would learn the routes learned through OSPF.

Lab activity preview: Configuring dynamic routing with RIP

During Lab Activity 7.2, you will:
1. Configure and test RIP for your group environment
2. Configure and test RIP for connectivity to the Classroom Core and other groups

Figure 7-15: Lab activity preview: Configuring dynamic routing with RIP


Implementing RIP

1. Enable RIP globally
2. Configure RIP version number if necessary
   - Version 2 by default on HP E-Series switches
3. Specify networks participating in the RIP process
   - Typically interfaces connecting to routers, not hosts

[Figure labels: Class_Core, Router_1, Router_2]

Figure 7-16: Implementing RIP

The process for implementing RIP on HP E-Series routing switches involves three
straightforward steps. After enabling RIP globally, you configure the RIP version, if
necessary, and then specify the interfaces that will participate in the RIP
advertisement process. Generally, RIP advertisements are exchanged only over
switch-to-switch links. Networks that connect to hosts are advertised as directly
connected networks, if appropriate.

RIP versions
By default, ProVision ASIC switches implement RIP v2, which was defined in 1994 in
RFC 2082. RIP v2 is in nearly universal use among LAN routers, so it is rarely
necessary to change the RIP version during configuration. However, HP E-Series
routing switches support either version or both versions simultaneously. For
information on changing RIP versions, see the Multicast and Routing Guide for your
switch model.
RIP v2 addressed several significant limitations of RIP v1 by offering support for
variable subnet masks and for router authentication. RIP v2 uses a multicast
destination address to send updates, whereas RIP v1 uses a broadcast address.
Routers or other devices on a network that do not support RIP v2 will not process a
RIP update because they are not members of the RIP Routers multicast group
(224.0.0.9).
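
The Python example below is added here and is not part of the HP course material. It decodes a captured RIP payload and reports whether the update carries an authentication entry, along with the subnet masks that only RIP v2 can carry. The 20-byte entry layout and the authentication type numbers follow the published RIP v2 message format rather than this guide, and both sample payloads are constructed.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

AUTH_AFI = 0xFFFF  # address-family value that marks an authentication entry
AUTH_TYPES = {2: "simple password", 3: "keyed message digest"}


def parse_rip(payload: bytes) -> dict:
    """Decode the UDP payload of a RIP message into header, auth and routes."""
    if len(payload) < 4 or (len(payload) - 4) % 20:
        raise ValueError("RIP payload must be a 4-byte header plus 20-byte entries")
    command, version, _ = struct.unpack("!BBH", payload[:4])
    msg = {"command": command, "version": version, "auth": None, "routes": []}
    for offset in range(4, len(payload), 20):
        afi, tag, addr, mask, _next_hop, metric = struct.unpack(
            "!HH4s4s4sI", payload[offset:offset + 20])
        if afi == AUTH_AFI:
            if tag == 1:
                continue  # trailing digest of a keyed-digest message
            if offset != 4:
                raise ValueError("authentication entry must be the first entry")
            msg["auth"] = AUTH_TYPES.get(tag, f"unknown type {tag}")
            continue
        if not 1 <= metric <= 16:
            raise ValueError(f"metric {metric} outside 1..16")
        if version == 1:
            prefix = str(IPv4Address(addr))  # v1 entries carry no mask
        else:
            # A non-contiguous mask raises ValueError here.
            prefix = str(IPv4Network(
                f"{IPv4Address(addr)}/{IPv4Address(mask)}", strict=False))
        msg["routes"].append((prefix, metric))
    return msg


def review_update(payload: bytes) -> list:
    """Return short notes a reviewer would want about one RIP message."""
    msg = parse_rip(payload)
    notes = []
    if msg["version"] == 1:
        notes.append("RIP v1: no subnet masks and no authentication")
    elif msg["auth"] is None:
        notes.append("RIP v2 update carries no authentication entry")
    elif msg["auth"] == "simple password":
        notes.append("simple password authentication is sent in cleartext")
    unreachable = [prefix for prefix, metric in msg["routes"] if metric == 16]
    if unreachable:
        notes.append("unreachable (metric 16): " + ", ".join(unreachable))
    return notes


def make_entry(prefix: str, metric: int) -> bytes:
    """Build one IPv4 route entry (address family 2, next hop 0.0.0.0)."""
    net = IPv4Network(prefix)
    return struct.pack("!HH4s4s4sI", 2, 0, net.network_address.packed,
                       net.netmask.packed, bytes(4), metric)


# Constructed sample payloads (command 2 = response, version 2).
SAMPLE_ROUTES = (make_entry("10.1.2.0/24", 1) + make_entry("10.1.20.0/24", 2)
                 + make_entry("10.2.10.0/24", 16))
SAMPLE_PLAIN = struct.pack("!BBH", 2, 2, 0) + SAMPLE_ROUTES
SAMPLE_AUTH = (struct.pack("!BBH", 2, 2, 0)
               + struct.pack("!HH16s", AUTH_AFI, 2, b"constructed-pw")
               + SAMPLE_ROUTES)

if __name__ == "__main__":
    for name, sample in (("plain", SAMPLE_PLAIN), ("auth", SAMPLE_AUTH)):
        print(name, parse_rip(sample)["routes"], review_update(sample))
```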


Enabling RIP on Router_1

Router_1(config)# router rip
Router_1(rip)# vlan 200 ip rip
Router_1(rip)# vlan 100 ip rip

[Figure labels: Class_Core, Router_1, Router_2, Edge_1, Edge_3; Untagged VLAN 200; Untagged VLAN 1, Tagged VLAN 10; Untagged VLAN 1, Tagged VLAN 100; Untagged VLAN 1, Tagged VLAN 30,40]

Figure 7-17: Enabling RIP on Router_1

In each classroom group, you will enable RIP on Router_1 and on Router_2. The
basic process for each router will be the same, as shown in Figure 7-16:

1. Enable RIP globally by entering router rip in the global configuration context.

2. Enable RIP for each VLAN that must support RIP updates. On Router_1, this will
   include VLAN 100 and VLAN 200.

In Figure 7-16, the administrator enables RIP for the VLAN interfaces by entering the
ip rip command in the RIP configuration context. Alternatively, the administrator could
issue the command in the VLAN configuration contexts.
Other RIP parameters, such as redistribute, also are entered in the RIP context. If you
need to configure RIP parameters after RIP is enabled, you can re-enter the RIP
configuration context by entering router rip in the global configuration context.
Entering this command will not disable RIP or otherwise affect the status of RIP on the
switch. To disable RIP, enter no router rip in the global configuration context.

Enabling RIP on Router_2

Router_2(config)# router rip
Router_2(rip)# vlan 100 ip rip

[Figure labels: Class_Core, Router_1, Router_2, Edge_1, Edge_3; Untagged VLAN 200; Untagged VLAN 1, Tagged VLAN 10; Untagged VLAN 1, Tagged VLAN 100; Untagged VLAN 1, Tagged VLAN 30,40]

Figure 7-18: Enabling RIP on Router_2

The steps for enabling RIP on Router_2 are the same as the steps for Router_1 with
one exception. RIP must be enabled only on VLAN 100 on Router_2.

Options for show ip rip

Router_1# show ip rip ?
 general       Show RIP basic configuration and operational information.
 interface     Show RIP interfaces' information.
 peer          Show RIP peers.
 redistribute  List protocols which are being redistributed into RIP.
 restrict      List routes which will not be redistributed via RIP.

Figure 7-19: Options for show ip rip

The show ip rip command is the basic tool for verifying RIP configuration on an HP
E-Series routing switch. The basic options for this command are shown in Figure 7-18.
The show ip rip general option provides the same output as show ip rip. Both
commands show all configured RIP interfaces and discovered peers.

show ip rip for Router_1

- RIP enabled for VLAN 100 and VLAN 200
- Peers include Router_2, Class_Core, and Routers in other groups

Figure 7-20: show ip rip for Router_1

When configuration of Router_1 is complete, the output of show ip rip should be
similar to Figure 7-19. RIP will be enabled on two VLANs. Peers should include one
router from each of the other classroom groups, the Class_Core router, and Router_2
in your own group. Figure 7-19 shows only two routers from other groups to conserve
space.

show ip route for Router_1

- RIP routes learned from VLAN 100 and VLAN 200

Figure 7-21: show ip route for Router_1


When all groups have completed their configurations, the route table for Router_1
will show RIP routes from all other groups and from Router_2, as well as connected
routes associated with VLAN 2 and VLAN 10.

Lab Activity 7.2


Consult your Lab Activity Guide for instructions for performing this activity.
Remember to record your key insights and challenges as you perform this activity.


Lab Activity 7.2 debrief


Use the space below to record your Key Insights and Challenges from Lab
Activity 7.2.

Table 7.2: Debrief for Lab Activity 7.2


Challenges

Key Insights


Learning check
After each module, your facilitator will lead a class discussion to capture key insights
and challenges from the module and accompanying lab activity. To prepare for the
discussion, answer each of the questions below.
1. What is the difference between a direct and an indirect route?

2. What is a difference between an Interior Gateway Protocol and an Exterior
   Gateway Protocol?

3. What is the effect of the following command entered at the CLI of an E3500
   switch?
   Switch(config)# ip route 0.0.0.0/0 192.168.254.100

   a. The switch will drop all packets arriving through the interface
      192.168.254.100.
   b. The switch will forward all packets destined for networks not in its route
      table to 192.168.254.100.
   c. The switch will perform default gateway services for hosts in the
      192.168.254.0/24 subnet.

4. The IP route table of an E5406 zl switch includes a route to 172.16.30.0/24
   using 172.16.30.1 as its gateway. What is the effect of the following command?
   Switch(config)# ip route 172.16.0.0/16 10.2.1.1

   a. The switch will delete the route to 172.16.30.0 from its route table and
      replace it with the new route.
   b. The switch will forward packets destined to hosts in the 172.16.30.0/24 to
      172.16.30.1 and will forward packets destined for other subnets in
      172.16.0.0/16 to 10.2.1.1.
   c. The switch will not include either route in its route table because they
      conflict.

5. When RIP is enabled on an E3500 switch, what type of route is automatically
   redistributed?

   a. static
   b. OSPF
   c. Default
   d. connected


Providing Mobility to SMBs


Module 8

Module 8 objectives
After completing Module 8 of HP Access Layer Network Technologies using
ProVision Software, you will be able to:

- Compare and contrast controlled mode and autonomous mode for HP E-Series
  MultiService Mobility (E-MSM) Access Points (APs)
- Describe the 802.11 a/b/g/n wireless LAN standards
- Describe Power over Ethernet (PoE) technologies supported by E-MSM APs and
  E-Series switches
- Access the Web browser interface to manage an E-Series MSM AP
- Configure Virtual Service Communities (VSCs) to provide access for varying user
  groups
- Configure VLANs on autonomous E-MSM APs


Prework review activity: Wireless networks


In this activity, you will draft 1-3 quiz questions that will be used to review topics in
mobility from the prework. Use the next several pages to record your questions and
to take notes.

Lab Activity 8 preview

[Figure labels: Core; Floor 1 through Floor 6; Wireless network access throughout the site]

Figure 8-1: Lab Activity 8 preview

The SMB now has a solid wired network, but most companies today also require
wireless connectivity. Brainstorm reasons for an SMB to implement a mobility
solution; what business benefits does mobility bring?

Lab activity preview: Adding a standalone HP E-Series MSM AP

During Lab Activity 8, you will:
- Connect the AP to a PoE enabled switch port.
- Access the AP and complete initial configuration:
  - Set the AP to standalone mode.
  - Assign IP settings.
  - Secure management access.
- Configure a VSC.
  - Create a VLAN for wireless users.
  - Establish and secure the WLAN.
- Add the wireless user VLAN to the infrastructure.

Figure 8-2: Lab activity 8: Adding a standalone HP E-MSM AP


In Lab Activity 8, you deploy a standalone HP E-MSM AP that supports basic, but
secure wireless services. You will also ensure that the AP can forward traffic in
the LAN.

Final lab topology

Figure 8-3: Final lab topology

By the end of Lab Activity 8, you will have connected your AP to your LAN and
configured the AP to support secure wireless services. This AP will bridge wireless
users' traffic into the LAN on a new VLAN reserved for wireless access. As you see,
in this lab, the AP connects to Router_2, which can act as the wireless users' default
gateway. If another device were the default gateway, you would need to extend the
new VLAN to that device, remembering to add the IP settings for the new VLAN.
In an alternative configuration, the AP forwards wireless users' traffic in existing
VLANs.
Note
To implement the alternative solution, the AP might either need to support
different VSCs, each associated with a different VLAN, or to authenticate users to
a network authentication server that provides dynamic VLAN assignments. This
course does not cover dynamic VLANs.


Assess the mobility solution requirements

[Figure: floor plan with dimensions 20 meters and 25 meters]

Figure 8-4: Assess the mobility solution requirements

You will now practice assessing the mobility requirements for the SMB described
below. Your instructor will provide you job aids, which will help you now and later in
the workplace.

Scenario
The figure displays the one-floor office building of a very small business with about
thirty employees. The company wants to add wireless coverage, in particular in the
common space in the south-west corner and the conference room at the north end,
but also throughout the building.
You have found out the following information by talking to the head of the company
and by conducting a site survey:

- Users are planning to use the wireless connections primarily for checking and
  sending email, conducting research on the Internet, and updating spreadsheets
  and databases stored on company servers. Some of these activities involve
  sensitive or proprietary data.
- The walls at the site consist of drywall. Most of the office is open space with
  cubicle dividers. Both the closed offices and the cubicles contain wooden desks
  and metal filing cabinets.
- The neighboring office buildings have wireless networks on 2.4 GHz channel 1
  and 5 GHz channel 36.
- The company's computers and laptops have wireless NICs that support
  802.11a/b/g.
- The company has a Web server and a data server, but no domain or RADIUS
  services.

Consider which 802.11 standard or standards (802.11a, 802.11b, 802.11g, or
802.11n) you would implement.
Plan where to place an AP or APs to provide adequate coverage and capacity.
Consider the exact channels for your AP radios, taking into account overlapping
radio signals.
Consider the company's need for security and select a wireless security option.

Configuring PoE

By default, E-Series PoE capable ports:
- Provide PoE
- Allocate just as much power to the port as the connected device draws

You must plan the power budget:
(AP1 PoE demand) + (AP2 PoE demand) < Switch total PoE power

If necessary, prioritize PoE on the APs' ports:
- Critical ports are provisioned first, then High, then Low (default).
- In case of a tie, ports with a lower number are provisioned first.

Figure 8-5: Configuring PoE

You might want to establish PoE connections for your APs so that you do not have to
manage power supplies for devices in hard-to-access locations. Instead, the Ethernet
cable provides both connectivity and power.
Both ends of the connection must support PoE (802.3af). All HP E-MSM APs support
this protocol as powered devices (PDs), the devices receiving power. Many HP
E-Series switches feature PoE capable ports, which are power sourcing equipment
(PSE), the components providing power. If your switch does not provide PoE, you
could alternatively connect your AP to a PoE injector.
The AP will automatically draw power on the cable if it has no other power source.
You do not need to complete any configuration; simply connect the AP to a PSE.
To configure PoE on an HP E-Series switch, you must:
1. Ensure that PoE is enabled on the switch port. This step is optional. By default,
   PoE is enabled on all HP E-Series switch ports that support PoE. The command
   for enabling and disabling PoE is:
   Switch(config)# [no] interface <port list> power-over-ethernet

   In addition, by default, the switch allocates just as much power to the port as the
   device draws. (The switch could also allocate a set number of Watts or a set
   power class, which defines the number of Watts. Refer to your switch's
   Management and Configuration Guide for more information.)
   In short, establishing the PoE connection might be as simple as connecting the
   cable.

2. Plan the PoE power budget. The maximum power allowed over a standard PoE
   connection is 15.4 W. The HP E-Series APs draw between 6W and 12W
   depending on the number of radios and the radio operation modes (802.11n
   generally requires more power).

   Note
   Some 802.11n APs draw more than 15.4W, which means that they require PoE+
   (802.3at) support. However, the HP E-MSM 802.11n-capable APs use PoE
   (802.3af).

   You can look up how much power your APs require in their datasheets. Add up
   the power demands and determine whether they exceed the amount of power
   provided by your switch, which you can find in the switch's datasheet. Note,
   however, that when a switch has less than 17W of PoE power remaining, it
   cannot allocate any more power to a new device even if the device draws less
   than 17W. Therefore, you need to plan a slight amount of leeway.
   You should also remember that other devices might draw power from the switch.
   Some switches provide enough power to fully provision every PoE port, in which
   case you do not need to worry. Other switches provide only enough power for
   some ports. In that case, you must either disable PoE on some ports or set up
   prioritization such that important devices like your APs are guaranteed the power
   that they need.
   You can also connect many HP E-Series switches to an external power supply
   (EPS), which furnishes additional power for PoE.

   Note
   EPSs for HP E-Series devices include:
   - HP E630 Redundant Power Supply/External Power Supply
   - HP E620 Redundant Power Supply/External Power Supply
   - HP E610 External Power Supply
   You can also purchase HP zl Power Supply shelves for HP zl switches.
   Check the HP networking Web site for the latest information and for guidelines
   on which RPS/EPSs are compatible with your switches.

3. Set a PoE priority on the port. This step is optional. As mentioned above, you
   would only need to set a priority if you determine that the switch might not have
   enough power for all PoE devices that might connect to it.
   The HP E-Series devices define three priority classes: Critical, High, and Low. All
   Critical ports are provisioned before any High ports, which are provisioned
   before any Low ports. In the case of a tie (for example, devices on Critical ports
   demand more power than is available), the lower numbered ports are
   provisioned first.
   The command for setting the PoE priority class is:
   Switch(config)# interface <port list> power-over-ethernet
   [critical | high | low]
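The budget and priority rules in steps 2 and 3 can be checked before any device is cabled. The following Python sketch is an added example, not part of the HP course material: it is a simplified model of the provisioning order described above, and the 50 W switch budget, the device draws, and the port numbers are constructed sample values.

```python
from dataclasses import dataclass

# Values taken from the text above.
PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}  # "low" is the default class
MAX_PORT_W = 15.4      # maximum power over a standard PoE (802.3af) connection
MIN_HEADROOM_W = 17.0  # below this remaining budget, no new device is powered


@dataclass(frozen=True)
class PoEPort:
    number: int
    device: str
    draw_w: float          # taken from the device's datasheet
    priority: str = "low"


def provision(ports, switch_budget_w):
    """Simulate the provisioning order described in the text.

    Ports are served by priority class, then by port number. A port is
    powered only while at least MIN_HEADROOM_W of the budget remains.
    Returns (powered_ports, denied_ports, remaining_watts).
    """
    remaining = switch_budget_w
    powered, denied = [], []
    for port in sorted(ports, key=lambda p: (PRIORITY_RANK[p.priority], p.number)):
        if port.draw_w > MAX_PORT_W:
            raise ValueError(f"port {port.number}: {port.draw_w} W exceeds 802.3af")
        if remaining < MIN_HEADROOM_W:
            denied.append(port)
            continue
        remaining -= port.draw_w
        powered.append(port)
    return powered, denied, remaining


def with_priority(ports, device_kind, priority):
    """Return a copy of the plan with every port of one device kind re-prioritized."""
    return [PoEPort(p.number, p.device, p.draw_w, priority)
            if p.device == device_kind else p for p in ports]


def priority_commands(ports):
    """Emit the priority command from the text for each port not left at the default."""
    return [f"interface {p.number} power-over-ethernet {p.priority}"
            for p in sorted(ports, key=lambda p: p.number) if p.priority != "low"]


# Constructed plan: the 50 W budget and the per-device draws are sample values,
# not figures from any HP datasheet.
SWITCH_BUDGET_W = 50.0
PLAN = [
    PoEPort(2, "phone", 6.0),
    PoEPort(3, "phone", 6.0),
    PoEPort(5, "camera", 9.0),
    PoEPort(7, "phone", 6.0),
    PoEPort(23, "ap", 12.0),
    PoEPort(24, "ap", 12.0),
]

if __name__ == "__main__":
    aps_critical = with_priority(PLAN, "ap", "critical")
    for label, plan in (("default (all low)", PLAN), ("APs critical", aps_critical)):
        powered, denied, remaining = provision(plan, SWITCH_BUDGET_W)
        print(label)
        print("  powered:", [p.number for p in powered])
        print("  denied: ", [p.number for p in denied])
        print("  remaining W:", remaining)
    for cmd in priority_commands(aps_critical):
        print("Switch(config)#", cmd)
```

With every port at the default Low priority, the AP on port 24 is the device left without power; raising the AP ports to Critical moves the shortfall to the lower-priority devices on ports 5 and 7.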


Other uses for PoE


Other devices besides APs use PoE. Voice over IP (VoIP) phones often draw PoE
power as do security cameras and other video devices. You can provide PoE to these
devices just as you do wireless APs. Simply plan your power budget and enable PoE
on the correct ports, prioritizing power on those ports as necessary.
Sometimes you must configure the correct power level for the port. However, many
multimedia devices support Link Layer Discovery Protocol-Media Endpoint Detection
(LLDP-MED), which they can use to inform LLDP-MED-capable switches of their power
needs as well as the types of special service that they require. PoE-capable HP
E-Series switches support this feature.

Accessing a new HP E-MSM AP

Figure 8-6: Accessing a new HP E-MSM AP (three options: direct connection at the
default address 192.168.1.1/24 from a station at 192.168.1.2/24; indirect connection
at the default address through a PoE switch port in VLAN X; indirect connection at a
DHCP address through a PoE switch port, with a DHCP server on the network)

Generally, you complete the initial configuration of a standalone HP E-MSM device
through its Web browser interface. To reach this interface, you must know the AP's IP
address. At factory defaults, the AP attempts to receive a DHCP address. However, if
its DHCP requests time out, it defaults to 192.168.1.1/24.
There are several strategies for establishing the initial connection to the AP Web
browser interface.

Direct connection at the default IP address


Connect your management station directly to the AP's Ethernet port (Port 1 if the AP
has multiple ports). Power up the AP with an external power supply. Configure your
station's Ethernet NIC to use these IP settings:
- IP address = 192.168.1.2
  You can actually use any IP address in the 192.168.1.0/24 subnet except
  192.168.1.1.
- Subnet mask = 255.255.255.0
- Default gateway = 192.168.1.1

Indirect connection at the default IP address


In a variation on the first strategy, you can connect the AP to a PoE-enabled switch
port. First configure the switch port, activating PoE and making the port an untagged
member of a VLAN that is not used in your system. Connect the AP to that port.
Make another switch port an untagged member of the same VLAN. Connect your
station to that port. Configure your station's Ethernet NIC with an IP address in
192.168.1.0/24 as described in the previous section.
After you connect to the AP and change its IP address to one that is valid in your
LAN, you will need to change the VLAN membership on the switch's ports.

Indirect connection at a DHCP-assigned IP address


If you plan to have the AP use a DHCP-assigned IP address, you can contact the AP
on that address initially. Generally, the AP should have a fixed DHCP reservation so
that you will always know its IP address.
Contact your network's DHCP administrator and discuss a fixed DHCP reservation.
Then connect the AP to any switch port in the correct VLAN. Connect your
management station to the LAN and ping the AP's fixed DHCP address to ensure
that you can reach the AP.
In a variation on this strategy, you can have the AP receive a DHCP address without
a reservation. In that case, you would need access to the DHCP server so that you
could find the IP address assigned to the AP. You could then change the AP's
address to a static address.

Logging in to the Web browser interface


Once you have connected the AP and your management station using one of these
three strategies, open a Web browser. Contact the AP at either its default IP address
or the DHCP address.
Use these default credentials to log in:
- Username = admin
- Password = admin
Note
It is recommended that you use Internet Explorer 7.0 or Mozilla Firefox 2.0 to
access the AP's Web browser interface, but you might be able to use other
browsers as well.

Converting the HP E-MSM AP to standalone mode

Figure 8-7: Converting the HP E-MSM AP to standalone mode

By default, HP E-MSM APs act as controlled devices, managed and configured by an
E-MSM Access Controller or E-MSM Mobility Controller. For this course, however, you
are focusing on the APs as standalone devices, which can provide wireless services
for an SMB on their own.
To convert an E-MSM AP to autonomous mode, simply click the button shown in the
figure. The AP automatically restarts itself.

Completing the HP E-MSM AP initial configuration

1. A wizard guides you through:
   - Accepting a license and registering the AP
   - Setting the AP's country code
   - Changing the AP's password
2. If necessary, set a static IP address.

Figure 8-8: Completing the HP E-MSM AP initial configuration

After the AP reboots, a wizard is launched. You are prompted to:
1. Accept a license.
2. Register the AP.
3. Set the AP's country code.
   You must select the country code for your region, which automatically configures
   the AP to use legal channels and transmit powers.
4. Change the password (and username) for management access to the AP.

You are then placed at the home page for the AP. As you will see in the lab, the AP's
Web browser interface has a navigation bar at the top. This bar includes tabs for
various configuration and management tasks. When you select a tab, the subtabs for
that tab are displayed in a row below. Select a subtab to configure specific settings.
If the AP is not using a fixed DHCP address, you must now set a static IP address.
The figure shows the windows in which you do so:
1. In the top navigation bar, select Network > Ports.
2. You will see several ports listed. The port on which you configure the IP address
   is called the bridge port, which is a virtual port that handles bridging traffic on
   both the wireless radios and the AP's Ethernet port. Click Bridge port.
3. Select Static and click Configure.
4. Configure the AP's IP settings.
5. Click Save in both windows.

Configuring VLANs

You must create the VLANs on which the AP bridges traffic:
1. Create a network profile.
   Network > Network profiles > Add new profile
2. Create the VLAN.
   Network > Ports > Add New VLAN

Figure 8-9: Configuring VLANs

In a moment, you will learn how to create a Virtual Service Community (VSC), which
defines wireless services offered by the AP. If you want the AP to bridge wireless
traffic into a different VLAN from the one on which the AP has its IP address, you
must create that VLAN before configuring the VSC.
Follow these steps:
1. Add a network profile, which indicates the VLAN ID:
   a. Click Network > Network profiles.
   b. Click Add network profile.
   c. Configure a name for the profile.
   d. Select the VLAN check box and specify the VLAN ID.
   e. Click Save.
2. Configure the VLAN, which assigns the VLAN ID to a port.
   a. Click the Ports tab under Network.
   b. Click Add New VLAN.
   c. Select the Ethernet port (in this example, Port 1).
   d. For VLAN ID, select the network profile.
   e. Select None for the IP address. (You want the AP to bridge traffic on this
      VLAN, not route it.)
   f. Click Save.

Creating a VSC

A VSC defines:
1. WLAN settings:
   - SSID
   - Wireless security
2. Egress VLAN
3. Filters

Figure 8-10: Creating a VSC

A Virtual Service Community (VSC) defines the wireless services offered by the AP.
Thus it specifies not only WLAN settings but also the egress VLAN for wireless traffic
as well as filters that control the traffic.
WLAN and radio settings include:
- SSID and the radios that support it
- Open and closed system setting (whether the SSID is broadcast)
- Advanced settings, such as the supported data rates and QoS settings (these
  settings are beyond the scope of this course)
- Wireless security method:
  - 802.1X: Dynamic Wired Equivalent Privacy (WEP); users must authenticate
    to an external RADIUS server.
  - WEP: Static WEP
    You can set up to four keys, each with an index number between 1 and 4.
    The wireless clients must have exactly the same key (whether in Hex or
    ASCII) and index number.
    Caution
    Static WEP is deprecated for enterprises because it is trivial for hackers to
    download WEP cracking software. Even dynamic WEP is deprecated. You
    should select WPA/WPA2 whenever possible.
  - WPA (TKIP), WPA2 (AES), or WPA/WPA2
    For Wi-Fi Protected Access (WPA), you can select Temporal Key Integrity
    Protocol (TKIP), Counter CBC-MAC Mode Protocol (CCMP) with Advanced
    Encryption Standard (AES), or both. For any of the options, you can set the
    Key source to either Preshared key or RADIUS.

The interface refers to WPA 802.1X mode as RADIUS because the wireless users must
authenticate to an external RADIUS server. Because many SMBs do not have such a
server, in this lab, you will use WPA/WPA2-PSK.
The figure shows where you set the egress VLAN with the VLAN that you created in
advance.
The filters enable you to filter wireless traffic by its destination MAC address. For
example, you can restrict wireless users to sending traffic to the MAC address of their
default gateway. This filter enables the wireless users to have their traffic routed, but
not to reach other wireless users or devices in their VLAN, helping to minimize
attacks by malicious authorized users. You can specify the users' default gateway
simply by selecting the AP's default gateway, if they are the same, or you can specify
the MAC address manually. The APs also support filters that restrict the wireless users
to sending traffic to specific IP addresses (these filters do not restrict DNS and DHCP
requests). If you want to learn more, refer to your AP's Management and
Configuration Guide or attend the Implementing HP E-Series Wireless LANs course.
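With the Key source set to Preshared key, the strength of the WLAN rests on the passphrase. The following Python sketch is an added example, not part of the HP course material, and goes one step beyond the text: it checks a candidate passphrase and derives the 256-bit key from it as IEEE 802.11i defines (PBKDF2 with HMAC-SHA1, the SSID as salt, 4096 iterations). The SSID "SMB-Wireless" and the 20-character policy minimum are assumptions of this example.

```python
import hashlib
import secrets
import string

MIN_POLICY_LENGTH = 20  # assumption of this example, not a value from the course


def check_passphrase(passphrase, ssid):
    """Return a list of problems; an empty list means the passphrase is acceptable."""
    problems = []
    # Format limits for a WPA/WPA2 passphrase: 8 to 63 printable ASCII characters.
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        problems.append("only printable ASCII characters are allowed")
    # Local policy (assumed): long enough to resist guessing, unrelated to the SSID.
    if len(passphrase) < MIN_POLICY_LENGTH:
        problems.append(f"shorter than the {MIN_POLICY_LENGTH}-character policy minimum")
    if ssid and ssid.lower() in passphrase.lower():
        problems.append("contains the SSID")
    return problems


def derive_pmk(passphrase, ssid):
    """Derive the 256-bit pairwise master key used in preshared-key mode.

    IEEE 802.11i: PBKDF2 with HMAC-SHA1, the SSID as salt, 4096 iterations.
    Because the SSID is the salt, the same passphrase yields a different key
    on every differently named WLAN.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def generate_passphrase(length=24):
    """Generate a random alphanumeric passphrase from the OS random source."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    ssid = "SMB-Wireless"  # hypothetical SSID for this example
    for candidate in ("admin", "SMB-Wireless2013", generate_passphrase()):
        problems = check_passphrase(candidate, ssid)
        status = "OK" if not problems else "; ".join(problems)
        print(f"{candidate!r}: {status}")
    # The passphrase/SSID pair below is the published IEEE 802.11i test vector.
    print(derive_pmk("password", "IEEE").hex())
```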


Lab Activity 8
The SMB administrators have decided that employees could be more productive if
they could gain network access more easily no matter where on site they move. You
must add a wireless AP to your floor. The AP will forward all wireless user traffic on a
new VLAN reserved for traffic from wireless users. You will also add this VLAN to the
switches and routing switches in your network.
Consult your Lab Activity Guide for instructions for performing this activity.


Lab Activity 8 debrief


Use the space below to record your Key Insights and Challenges from Lab Activity 8.

Table 8-1: Debrief for Lab Activity 8

Challenges:

Key Insights:

Learning check
After each module, your facilitator will lead a class discussion to capture key insights
and challenges from the module and accompanying lab activity. To prepare for the
discussion, answer each of the questions below.
1. Your AP has a management IP address on VLAN 1. It supports a WLAN that
   enforces WPA2-PSK security. You want the AP to forward wireless users' traffic in
   existing user VLAN 12. What steps must you complete on the AP and in the
   network infrastructure?

2. You want your AP to implement the strongest wireless security possible in an
   environment without a RADIUS server. How do you configure the AP to
   implement this security?

3. You have an E2610-24-PoE switch to which you plan to connect your HP
   E-MSM320 AP. You want to power the AP using PoE. What is the absolute
   minimum setup that you must complete?

4. You set up a VSC on your HP E-MSM AP, ensure that the VSC is activated on the
   AP's radios, and that the radios are activated in AP mode. When you attempt to
   connect a client to the AP, you cannot even see your SSID in the list of wireless
   networks. What are potential causes and how might you attempt to resolve the
   problem?

Managing and Monitoring SMB Networks with HP PCM
Module 9

Module 9 objectives
This module introduces you to HP's solution for managing HP E-Series switches, HP
PCM and PCM+. By the time that you have finished this module, you will be able to:
- Install HP PCM server, client, and agent
- Describe differences between PCM and PCM+
- Describe the PCM+ architecture and features
- Configure PCM+ users to ensure management security while providing all
  necessary rights to management users
- Use PCM+ to manage device configurations, subnets, and VLANs on E-Series
  switches

Why use PCM+?

- Increase network visibility
- Automate network management
- Implement consistent policies to control devices, users, and threats

Figure 9-1: Why use PCM+

Even an SMB environment might feature dozens of infrastructure devices. Simply in
terms of time, you would find it a considerable task to configure and monitor each
device separately. Ensuring that the devices enforce consistent settings raises the
challenge to another level. And without a clear picture of what is happening in the
network, you might not be putting your time to the best use.
What challenges do you face as a network administrator? How do you spend the
majority of your time?

PCM+, the HP management solution for HP E-Series devices, helps you to meet these
challenges and spend your time more productively. From PCM+'s single-pane-of-glass
interface, you can:
- Increase network visibility:
  - Monitor automatically discovered network devices
  - Receive notification of important events
  - Monitor and analyze traffic patterns
- Automate network management:
  - Apply configuration templates across customizable groups of devices
  - Create policies that automatically alter configurations in response to
    changing conditions
- Implement integrated, consistent policies for controlling devices, users, and
  threats

The rest of this module explains more.

What is PCM+?

Figure 9-2: What is PCM+?

You will now learn about the features of PCM+ and how to best deploy the solution
in various environments.
Note
This module covers the features provided by PCM+ 3.10 through auto-update 4.

PCM+ is a Simple Network Management Protocol (SNMP) server, which provides:
- Device discovery
  PCM+ automatically discovers infrastructure devices and their attributes. It also
  receives events from the devices and polls them for traffic samples and statistics.
- Device management
  PCM+ provides a variety of tools for device configuration and management,
  including automated policies that you can fully customize.
- Network monitoring and analysis
  PCM+ provides you with a great deal of information organized in intuitive
  tables, maps, and charts. The advanced Event Browser also helps you to search
  and understand events that occur in your network.

PCM+ versus PCM features

Figure 9-3: PCM+ versus PCM features (features grouped under Discovery; Device
management; and Monitoring, analysis, and troubleshooting, with some groups marked
"PCM+ only". Labels in the figure: SNMPv3; Automated management; Configuration
templates; SNMP v2; Custom groups; Ping, ARP, LLDP/CDP/FDP, manual; Device
interface access; In-depth traffic monitoring; Find Node tools and consistency
checks; Configurable alerts; Syslog; Email and pager notifications; Advanced event
browser; Device and endpoint status; Network and VLAN mapping)

You will now examine these features in more detail. To obtain all these features, you
must use PCM+, but HP offers a less full-featured version of PCM+, called PCM, for
free. In the figure, the features supported by both PCM and PCM+ are displayed with
solid colors. As you see, PCM+ provides a much wider range of capabilities for device
management and for monitoring, analysis, and troubleshooting.

Discovery
Both PCM and PCM+ provide both manual and automatic device discovery through
a variety of methods. You will learn more about device discovery later in this module.

Device management
Using PCM, you can access the command line interface (CLI) on discovered devices
and make configuration changes from the centralized location. You can also group
devices together logically in custom groups.
However, only with PCM+ do you gain the power to use those group definitions to
fully automate device configuration. You can create configuration templates and
apply them to a custom group; when PCM+ discovers a new device, it assigns it to
the correct group (or you do) and then applies the correct template. Similarly, you
can create policies for automatic software updates.
PCM+ wizards hide the complexities of configuration from you. Your experience
managing the network becomes less device-interface based and more intuitive policy
based. For example, you can use the VLAN wizard to define where you want specific
VLANs to extend, and PCM+ automatically adjusts the devices' configuration to
extend the VLAN.
PCM+ can also apply circumstance-specific configuration changes based on fully
customizable policies. For example, you can create policies that alter device
configurations in response to a threat detected by a PCM+ plug-in (you will learn
more about those later).

Monitoring, analysis, and troubleshooting


As PCM/PCM+ discovers devices, it maps them with color coding that indicates the
devices' status. You can view maps of the physical topology, VLAN topology, and
network topology.
PCM polls infrastructure devices to collect summaries and statistics about the devices'
status and connected endpoints' status. The Advanced Event browser helps you to
navigate and interpret logged events, and PCM can also send email or pager
notifications for pre-defined events so that you do not have to be logged in to hear
about important events when they occur.
PCM+ dramatically increases the visibility into the network. In addition to monitoring
device status, you can monitor traffic itself. The PCM+ Traffic Monitor uses
industry-standard, highly accurate, but non-bandwidth-intensive sFlow to collect and analyze
traffic samples. (It also supports RMON and XRMON.)
Other tools draw on discovered information to help you to manage and troubleshoot
the network more intelligently. For example, the Find Node tool uses
LLDP/CDP/FDP, switch ARP tables, and switch bridge MIBs to discover all the
neighbors of a device. If you specify a host such as a computer, the neighbor is the
switch and port, revealing the device's precise location. Thus you can home in on an
endpoint specified in an event.
Or the Network Consistency Analyzer checks port, VLAN, and trunk settings
between switches to ensure that they are consistent. You can create a policy that
periodically runs the Network Consistency Analyzer, then generates and delivers a
report on the results, alerting you to possible misconfigurations.
Finally, with PCM+, you can customize your own alerts. In addition to notifying you,
these alerts can activate policies to take specific pre-configured actions created
through the Policy Manager.
PCM+ also integrates with your Syslog solution, submitting event information for
network and security audits.

PCM+ plug-ins

PCM+ also provides plug-ins, which further enhance its functionality.

Figure 9-4: PCM+ plug-ins. The PCM+ platform exchanges information with its
plug-in applications: PMM manages wireless devices, IDM controls users' access,
and NIM protects against attacks.

PCM+ becomes much more powerful as you add plug-ins (PCM does not support
any plug-ins). These plug-ins integrate seamlessly into the PCM+ management
platform and are managed from the same user interface.
The sections below briefly describe the current plug-in options.
Note
PCM+ provides a Configurable Integration Platform (CIP), which allows you to
integrate other applications of your choice into PCM+. You can add support for
third-party infrastructure devices, or you can add another management
application that you like to use. The CIP Wizard, with its intuitive interface,
makes it easy to integrate these applications.

HP Mobility Manager 3.0


HP Mobility Manager delivers wireless-device specific management options such as
the ability to configure wireless devices' radio and wireless LAN (WLAN) settings.
Note
Without HP Mobility Manager, PCM+ can discover wireless devices, place the
device in groups, and manage settings such as IP addresses and software
updates. However, PCM+ alone does not recognize the products as wireless
devices with configurable radio and WLAN settings.

In addition to centralized device management, HP Mobility Manager provides a site
planning tool with predictive RF analysis and auto-calibration.
From Mobility Manager's site view, which you can divide into different zones for
ease of viewing, you can monitor the wireless network, searching for rogue APs,
congestion, or areas with poor coverage. You can then run a wizard to adjust
devices' radio settings to solve the problems that you detect.

Identity Driven Management (IDM) 3.0


IDM integrates with a network RADIUS server responsible for authenticating users.
IDM removes the hassle from creating policies that bind user identity to access rights
such as VLAN assignment, rate limit, quality of service (QoS), and permitted services
and resources. Your policies can also assign users different rights based on various
criteria, including:

Time

Location

WLAN (for wireless users when Mobility Manager is also installed)

Device on which the user connects

Endpoint integrity (compliance with security policies as determined by Microsoft
Windows Network Access Protection [NAP])

IDM integrates with a variety of Lightweight Directory Access Protocol (LDAP)
solutions including Windows Active Directory (AD), Novell eDirectory, and
OpenLDAP, allowing you to import existing users for access policies. In addition, the
IDM agent that actually delivers the rules can reside on several different RADIUS
servers.
You can learn more about IDM at the Implementing HP Network Infrastructure
Security course.

Network Immunity Manager (NIM) 2.0


NIM searches for potential threats to your system by implementing Network Behavior
Anomaly Detection (NBAD) on sFlow traffic samples collected by managed devices.
When NIM detects odd behavior, it can implement a variety of actions based on
completely configurable policies. It can notify network administrators and also enlist
infrastructure devices to block offending devices.
NIM reveals its true power when it coordinates a complete threat management
solution that includes HP devices implementing Virus Throttle technology as well as
one or more Intrusion Detection Systems/Intrusion Prevention Systems (IDSs/IPSs). For
example, NIM might detect potentially suspicious activity and dynamically enable
traffic mirroring on the switch that connects to the source of the suspicious traffic. The
switch mirrors the traffic to an IDS that analyzes the traffic in more depth. When the
IDS sends a trap indicating the threat, NIM disables the mirroring and alerts the
device connected to the offender to limit the bandwidth or block the connection, as
appropriate.

NIM integrates with several IDS/IPSs, including HP S-Series TippingPoint solutions,
the HP Threat Management Services (TMS) zl Module (which NIM can actually
manage), and third-party IDSs/IPSs.
You can learn more about NIM at the Implementing HP Network Infrastructure
Security course.

PCM+ architecture

PCM+ provides a distributed structure for companies with WAN links and devices
behind firewalls.

Figure 9-5: PCM+ architecture

You can deploy PCM+ 3.10 in a distributed architecture in which some devices are
deployed at different sites. In this architecture, a single PCM+ server manages one or
more agents, one of which can be local (deployed on the same machine as the
server) and the others of which are remote. Each remote agent takes responsibility for
managing a set of devices, typically ones at its own site.
The advantages of this architecture include:

Devices can be managed at remote sites behind firewalls, which might otherwise
interfere with the management traffic.

Management traffic across WAN links is minimized.

More devices can be managed because the load is distributed across several
devices.

PCM+ architecture (cont.)

Figure 9-6: PCM+ architecture (cont.)

Examine the virtual architecture in more detail.


The PCM+ server is installed on a server (or workstation). In this example, the server
manages two agents, one local agent, which resides on the same server, and one
remote agent, which resides on a different server behind a firewall. The servers and
remote agents communicate securely through the firewall using SSL over a TCP
connection.
The agents manage the devices. In this example, the local agent manages devices at
the main office, including an E-MSM Controller, which manages main and branch
office APs. The remote agent manages the switches at the branch office. Agents use a
variety of protocols to communicate with managed devices:

SNMP

Telnet or Secure Shell (SSH)

Hyper Text Transfer Protocol (HTTP)

Secure Copy Protocol (SCP), File Transfer Protocol (FTP), or Trivial File Transfer
Protocol (TFTP)

The managed devices can also send traffic samples with sFlow (or Extended Remote
Networking Monitoring [XRMON]).

Maximum supported devices

Figure 9-7: Maximum supported devices. Single-server architecture: PCM+
server/local agent, up to 2000 managed devices. Distributed architecture: PCM+
server with remote agents 1 through 25, up to 1500 managed devices per remote
agent and up to 3500 total managed devices.

The maximum number of devices that PCM+ can support depends on whether you
distribute the architecture or not. In a simple architecture, in which you have a PCM+
server and a single local agent, PCM+ can manage up to 2000 devices.
In a distributed architecture, PCM+ can manage up to 25 remote agents. To gain the
best performance, it is recommended that you do not use a local agent when the
PCM+ server manages more than four agents. The entire system can manage a total
of 3500 devices, but each remote agent can support up to 1500 devices. (Of course,
when you have several agents, they cannot all manage 1500 devices because of the
3500 total device maximum.)
As part of managing the devices, each agent supports the following performance:

10 SNMP/Syslog events per second

10,000 monitored interfaces

3,000 sFlow sampled interfaces

7,000 interfaces polled for SNMP statistics


Note
Your PCM+ solution must be properly licensed to support the managed devices.
It also must be licensed to support the remote agents. The HP network Web site
gives more details about licensing; you can also contact your partner.

In either type of architecture, PCM+ can support up to 10 clients, including one local
client, which is automatically installed on the same machine on which you install the
PCM+ server. Remember: the agents are responsible for managing devices; you use
the clients to access PCM+'s user interface.
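The limits above interact (agent count, per-agent ceiling, system total, per-agent load), so a proposed design is easiest to check mechanically. The following is an added example, not part of the original course material: it encodes only the PCM+ 3.10 figures quoted in this section, and it assumes that the "more than four agents" recommendation counts the local agent. The Agent class, check_plan function and result codes are hypothetical names.

```python
from dataclasses import dataclass

# Limits quoted in this section for PCM+ 3.10.
SINGLE_SERVER_MAX_DEVICES = 2000
REMOTE_AGENT_MAX_DEVICES = 1500
SYSTEM_MAX_DEVICES = 3500
MAX_REMOTE_AGENTS = 25
LOCAL_AGENT_ADVISED_MAX_AGENTS = 4   # assumption: count includes the local agent
AGENT_MAX_MONITORED_IFACES = 10000
AGENT_MAX_SFLOW_IFACES = 3000
AGENT_MAX_SNMP_POLLED_IFACES = 7000


@dataclass
class Agent:
    name: str
    remote: bool
    devices: int
    monitored_ifaces: int = 0
    sflow_ifaces: int = 0
    snmp_polled_ifaces: int = 0


def check_plan(agents):
    """Return (errors, warnings) as lists of (code, detail) tuples."""
    errors, warnings = [], []
    remote = [a for a in agents if a.remote]
    local = [a for a in agents if not a.remote]
    total = sum(a.devices for a in agents)

    if len(local) > 1:
        errors.append(("local-agents", "only one agent can share the server's machine"))

    if not remote:
        # Simple architecture: server plus a single local agent.
        if total > SINGLE_SERVER_MAX_DEVICES:
            errors.append(("single-total", f"{total} > {SINGLE_SERVER_MAX_DEVICES} devices"))
    else:
        if len(remote) > MAX_REMOTE_AGENTS:
            errors.append(("remote-count", f"{len(remote)} > {MAX_REMOTE_AGENTS} remote agents"))
        if total > SYSTEM_MAX_DEVICES:
            errors.append(("system-total", f"{total} > {SYSTEM_MAX_DEVICES} devices"))
        for a in remote:
            if a.devices > REMOTE_AGENT_MAX_DEVICES:
                errors.append(("agent-devices", f"{a.name}: {a.devices} > {REMOTE_AGENT_MAX_DEVICES}"))
        if local and len(agents) > LOCAL_AGENT_ADVISED_MAX_AGENTS:
            warnings.append(("local-agent", "drop the local agent when managing more than four agents"))

    # Per-agent load limits apply in either architecture.
    for a in agents:
        for label, used, limit in (
            ("monitored interfaces", a.monitored_ifaces, AGENT_MAX_MONITORED_IFACES),
            ("sFlow sampled interfaces", a.sflow_ifaces, AGENT_MAX_SFLOW_IFACES),
            ("SNMP polled interfaces", a.snmp_polled_ifaces, AGENT_MAX_SNMP_POLLED_IFACES),
        ):
            if used > limit:
                errors.append(("agent-load", f"{a.name}: {used} {label} > {limit}"))
    return errors, warnings


if __name__ == "__main__":
    # Constructed plan: three branch agents at the per-agent ceiling.
    plan = [Agent(f"branch-{i}", True, 1500) for i in range(1, 4)]
    for code, detail in check_plan(plan)[0]:
        print(code, detail)
```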

Use model

Figure 9-8: Use model

Design a PCM+ deployment for this company. Note whether you would install remote
agents and, if so, where you would install them. What are the advantages and
disadvantages of your solution? Are there any factors that might cause you to select
a different design?


Lab Activity 9 preview

Install PCM+.
  Verify requirements for each component.
  Install the PCM+ server, agent, and client.

Log in to and explore the PCM+ user interface.

Verify device discovery and add managed subnets.

Configure management users.

Figure 9-9: Lab Activity 9 preview

You will now learn guidelines for installing PCM+ components, including the server,
agents, and clients. You begin to customize PCM+ for your environment during the
installation, so it is important that you follow the correct process. You will practice
installing PCM+ in the lab.
You will then learn about managing the network with PCM+. Describing all of the
tasks that you can perform in PCM+ exceeds the scope of this course. However, you
will learn how to log in to the user interface, begin navigating the interface, discover
users, and control managers.

PCM+ installation requirements

Figure 9-10: Installation requirements

The machine on which you install each PCM+ component must meet requirements
for:

OS

Network adapter speed

Disk space

Random access memory (RAM)

Number of central processing units (CPUs)

You must carefully check the requirements for your environment, as they vary
depending on factors such as the deployment size. The tables give the current
requirements for PCM+ 3.10. Refer to the HP networking Web site for future
requirements.

PCM+ server installation requirements (single-server deployment)

OS: Windows 2008 Server Enterprise/Standard (32/64-bit); Windows 2003 Server
Enterprise SP2 (32-bit); Windows XP Pro SP2/SP3 (32-bit)
Network adapter: Dedicated 100 Mbps or 1 Gbps

Number of managed devices   Hard disk space   RAM                       Number of CPUs
Up to 350                   60 GB             2 GB                      2
350 to 1000                 60 GB             2 GB                      2
1000 to 2000                100 GB            4 GB (6 GB recommended)   4

PCM+ server installation requirements (distributed deployment)

OS: Windows 2008 Server Enterprise/Standard (32/64-bit); Windows 2003 Server
Enterprise SP2 (32-bit)
Network adapter: Dedicated 100 Mbps or 1 Gbps

Number of managed devices   Hard disk space   RAM                       Number of CPUs
Up to 350                   60 GB             2 GB                      2
350 to 1000                 60 GB             2 GB                      2
1000 to 2000                100 GB            4 GB (6 GB recommended)   4
2000 to 3500                100 GB            5 GB (6 GB recommended)

PCM+ agent installation requirements

OS: Windows 2008 Server Enterprise/Standard (32/64-bit); Windows 2003 Server
Enterprise SP2 (32-bit); Windows XP Pro SP2/SP3 (32-bit)
Network adapter: Dedicated 100 Mbps

Number of managed devices   Hard disk space   RAM                       Number of CPUs
Up to 50                    40 GB             2 GB
50 to 1500                  80 GB             2 GB (3 GB recommended)

Note
You can also run the PCM+ agent on an HP ONE Services zl Module.

PCM+ client installation requirements

OS: Windows XP Pro SP2/SP3 (32-bit); Windows Vista Business/Ultimate SP1 (64-bit)
Network adapter: Dedicated 100 Mbps

Number of managed devices   Hard disk space   RAM                       Number of CPUs
Up to 1200                  40 GB             2 GB; 4 GB for Vista
1200 to 3500                60 GB

Installing the PCM+ server

Configure initial settings:

Administrator password

Agent settings

Discovery settings (seed device)

Device management settings
  SNMPv2 and/or SNMPv3 parameters
  Manager and operator usernames and passwords for CLI access
  SSH parameters

Proxy server information for Internet access

Install set (PCM+ plug-ins)

Domain name if you are installing IDM

Figure 9-11: Installing the PCM+ server

As you install PCM+, you customize it for your system. Among other settings, you
must specify:

Password for the PCM Administrator user account.

Agent settings: You must specify how PCM+ contacts and begins to manage
agents. You will select whether the server or the agents initiate connections,
configure communication ports, set passwords, and choose whether to allow the
server to automatically configure the host device's firewall to permit required
traffic. (If you do not allow PCM+ to configure the firewall, you must configure
the firewall yourself.) You must synchronize all these settings with settings configured
during agent installation, so you will see more details in the next slides.

Initial discovery settings: You set the IP address or DNS name of a seed device,
typically a core routing switch, at which PCM+ begins discovery.

Device management settings:

As you saw earlier, PCM+ uses SNMP v1/v2c and SNMPv3 to manage
devices. You must specify the correct version for your environment as well as
the SNMP settings configured on your devices:

For SNMP v1/v2c, read-only and read-write community names

For SNMPv3, username, authentication and encryption protocols, and
authentication and encryption password.

PCM+ also uses Telnet or SSH to log in to managed devices' CLI. You must
specify the correct manager and operator usernames and passwords. For
SSH, you must also specify the version, password or shared key, and port.

Proxy server information: If your site uses a proxy server for Internet access,
you must configure its IP address or name to enable PCM+ to download
software updates for managed devices from the HP networking Web site.

Domain name: If you are installing IDM, you specify the name of the domain to
which your users log in.

Install set: You also select the plug-ins that you want to install when you install
PCM+. (You can also run the installation later to add a plug-in.) This course does
not cover the plug-ins.

Installation considerations

Figure 9-12: Installation considerations. Agent initiates connections: TCP 8040 and
TCP on the PCM+ server port (default: 51111) between the PCM+ agent and the PCM+
server. Server initiates connections: TCP 8040 and TCP on the PCM+ agent port
(default: 51112) between the PCM+ server and the PCM+ agent.

The choices that you make for the agent settings when you install the PCM+ server
affect the setup that you must perform before installing remote agents. You will now
examine those settings and their implications in more detail.
First, you must select whether the server or remote agents initiate connections. Often,
the PCM+ server and PCM+ agent must communicate through a firewall at one or
both sites. It is recommended that you configure the component at the site with a
firewall to initiate connections (if both sites have a firewall, you can select either
component).
During the PCM+ server installation, you also configure the port at which the PCM+
server contacts the PCM+ agent. And, if you choose to allow agents to initiate
connections, you must also configure a server port at which the agent contacts the
server. The default server port is 51111, and the default agent port, 51112. It is
recommended that you use those ports unless another service in your environment
already does.
You can also choose whether the server and agent encrypt communications with SSL
or transmit them in plaintext; encryption is highly recommended.
Note
You can also configure these and other server and agent settings after installing
the PCM+ server using the PCM+ client.

Whichever device initiates the connection, you must open any intervening firewall
to allow outbound or inbound sessions on the appropriate ports. The figure illustrates
the opening of the firewall for both agent- and server-initiated connections.


Note
The firewalls illustrated here are network firewalls. During the server and agent
installation, the installation wizard prompts you to allow PCM+ to automatically
create firewall rules; however, those rules are for the personal firewall on the
device that runs the PCM+ component. You must complete both steps (ensure that
the personal firewalls and the network firewalls permit necessary traffic).

Also note that the firewall has been opened to connections on port 8040 on the
PCM+ server. You must contact this port to download the agent installation file as
shown in the next slide.
Note
If you do not want to open this port on your firewall, you can contact the server
locally. Then follow the instructions for downloading the file provided on the next
page.

Installing remote PCM+ agents: Run the installation

1. Download the file.

2. Run the file.

3. Select a PCM+ agent installation.

4. Match passwords and connection settings to the settings on the PCM+
server.

Figure 9-13: Installing remote PCM+ agents: Run the installation (the PCM+ agent
contacts the PCM+ server on TCP 8040)

To begin the installation, open a Web browser on the device on which you want to
install the PCM+ agent. Contact the PCM+ server: http://<IP address>:8040. You
will see the window shown in the slide. Select the link for the Windows PCM/IDM
agent.
You might need to follow several prompts to accept the download. Once the file has
downloaded, run it. The wizard will guide you through the installation. Note that
the same executable installs the PCM+ agent and the IDM agent, so you must select
the PCM+ agent during the installation.
The installation wizard will guide you through configuring the agent settings. You
must carefully match the settings on PCM+:

Which device initiates the connection

Server port if the agent initiates the connection

Server IP address

Server password

Agent password
The agent uses this password to authenticate. You can also use this password
with the admin username to log in to the agent Web browser interface. The port
at which you contact that interface is 8080, by default.

Use the pictures below as your guide for matching the settings in the PCM+ server
installation and the remote PCM+ agent installation.

In a final step, which is not illustrated, you choose whether to allow the agent to
automatically configure the host device's firewall to permit required traffic. If you do
not allow it to do so, you will need to configure this firewall yourself.
Also note that when you choose to have the server initiate the connection instead of
remote agents, you must complete some extra setup on the PCM+ server after
installing it:

1. Use the PCM+ client to access the PCM+ user interface.

2. Open the Agent Manager and add the agent manually, setting its password
and the port at which the server contacts it.

3. Activate the agent.

Installing remote PCM+ clients

1. If any firewalls intervene, permit communications between the client and server.

2. Download the client (http://<Server address>:8040) and run the installation file.

3. Configure the server to allow remote client access.

Figure 9-14: Installing remote PCM+ clients. The PCM+ client reaches the PCM+
server on TCP 8040 and on a variety of TCP and UDP ports; Access.txt on the server
lists <IP address>, <DNS name>, or <password> entries.

Open firewalls and install the PCM+ client


You download the installation for the PCM+ client in exactly the same way that you
did the PCM+ agent installation. Therefore, you might need to open intervening
firewalls to permit connections to the server on port 8040. In addition, when you
launch the client and connect to the PCM+ user interface, the client will contact the
server at several different UDP and TCP ports, and the firewall must permit those
communications. (It is simplest to allow all IP traffic between the client and server.)
After you download the file, run it, following the prompts in the installation wizard.

Allow the client to access the server


Before the client can contact the user interface on the PCM+ server, you must also
edit the access.txt file on the PCM+ server. By default, the file is located in:
\Program Files\Hewlett-Packard\PNM\server\config
The path through PNM would differ if you chose a different path during installation.
By default, the file is empty, implying that only the local client that was automatically
installed with the server can access the PCM user interface. You can add one or
more host-specific IP addresses or DNS names. You can also use wildcards
(asterisks) in the IP addresses or DNS names to identify multiple clients.
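Because access.txt decides which hosts may reach the management interface, it is worth reviewing how much each wildcard entry admits. The following is an added example, not part of the original course material or of PCM+: it assumes one entry per line and that an asterisk matches any run of characters; the 256-address threshold, the function names and the sample entries are constructed for illustration.

```python
import fnmatch
import re

IP_CHARS = re.compile(r"^[0-9.*]+$")
DNS_CHARS = re.compile(r"^[A-Za-z0-9.*-]+$")


def octet_matches(part):
    """Count the octet values 0-255 that one dot-separated part can match."""
    return sum(1 for v in range(256) if fnmatch.fnmatchcase(str(v), part))


def review_entry(entry, max_hosts=256):
    """Return (kind, hosts, issue); issue is None when the entry looks acceptable."""
    if entry == "*":
        return ("any", None, "matches every client")
    if IP_CHARS.match(entry):
        parts = entry.split(".")
        if len(parts) != 4:
            return ("ip", None, "asterisk spans octet boundaries; write all four octets")
        hosts = 1
        for part in parts:
            hosts *= octet_matches(part)
        if hosts == 0:
            return ("ip", 0, "matches no valid IPv4 address")
        if hosts > max_hosts:
            return ("ip", hosts, "covers %d addresses (limit %d)" % (hosts, max_hosts))
        return ("ip", hosts, None)
    if DNS_CHARS.match(entry):
        # Count the literal labels to the right of the last wildcard.
        literal_tail = 0
        for label in reversed(entry.lower().split(".")):
            if "*" in label:
                break
            literal_tail += 1
        if "*" in entry and literal_tail < 2:
            return ("dns", None, "wildcard is not anchored to a specific domain")
        return ("dns", None, None)
    # Anything else (for example a password entry) needs a manual look.
    return ("other", None, "not an address or name; review manually")


def audit(text, max_hosts=256):
    """Review every non-blank line of an access.txt body."""
    return [(line.strip(),) + review_entry(line.strip(), max_hosts)
            for line in text.splitlines() if line.strip()]


def admitting_entry(text, client_ip, client_name=""):
    """Return the first entry that would admit the client, or None."""
    for entry, kind, _hosts, _issue in audit(text):
        if kind == "any":
            return entry
        if kind == "ip" and fnmatch.fnmatchcase(client_ip, entry):
            return entry
        if kind == "dns" and client_name and fnmatch.fnmatchcase(
                client_name.lower(), entry.lower()):
            return entry
    return None


# Constructed sample file body (not taken from a real server).
SAMPLE = """192.0.2.15
192.0.2.*
10.*.*.*
1*.0.0.1
*.mgmt.example.net
*.net
Pl4ceholder+
"""

if __name__ == "__main__":
    for entry, kind, hosts, issue in audit(SAMPLE):
        print("%-20s %-5s %-9s %s" % (entry, kind, hosts, issue or "ok"))
```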


Allow a client without a fixed IP address to access the server


If you cannot specify one of your clients' IP address or name (perhaps the client uses
DHCP without a reservation or has remote access through a VPN), you can add a
password to the list. You will have to configure the client to submit the password.
Caution
When you alter the files, be very careful not to make any changes except those
described.

1. On the PCM+ server, move to this directory (if you selected a different
installation path, adjust the path as necessary):
\Program Files\Hewlett-Packard\PNM\server\config

2. Open the TyphoonServer.cfg file using a text-based editor such as Notepad or
Wordpad.

3. Change the AUTHENTICATION=10 entry to:
AUTHENTICATION=100

4. Save and close the file.

5. On the PCM+ client, move to this directory (if you selected a different installation
path, adjust the path as necessary):
\Program Files\Hewlett-Packard\PNM\client\config

6. Open the riptide.cfg file.

7. Add the following line to the file:
PASSWORD = <your password>
For example, enter:
PASSWORD = s5crE+

8. Save and close the file.

Logging in to PCM+

Use the PCM+ client to access the interface. You must select the server the first time.

Figure 9-15: Logging in to PCM+

To log in to the PCM+ user interface, simply run the client, which can be the client
installed locally on the server or a remote client. The first time that you access the
server, you must type in its IP address and click Connect, even if you are using the
local client. However, the client remembers the address subsequent times.
After the client then connects to the server, you are prompted to log in with the
password that you set during server installation.

Beginning to monitor and manage devices

Figure 9-16: Beginning to monitor and manage devices (screen callouts: Navigation
Tree, Menus, Tabs, Global Toolbar, Right pane)

PCM+ has automatically discovered your devices, and you can start monitoring and
managing them. This course cannot go into the details, but the sections below give
you a place to get started.

Navigate the interface


Examine the main PCM+ user interface window. The left pane holds the Network
Tree, which arranges all discovered devices in a hierarchical group of folders.
The top-level folder is the Network Management Home; when you click that folder,
you see events and summaries of statuses for all managed devices. This folder
contains the Custom Groups folder and the Agent Groups folder. Ignore the Custom
Groups folder for now; this course does not cover this feature. The Agent Groups
folder contains a folder for each agent. The agent folder, in turn, contains a folder
for network maps and a Devices folder.
The Devices folder holds all discovered devices, initially automatically grouped by
model. From this folder, you can begin to explore PCM+'s capabilities for monitoring
and managing your devices.

View device status


To view an individual device's status, browse the Network Tree until you find the
device. Click its name in the tree. The right pane then displays the device and all
information discovered about it. You can click tabs to see information such as:

Device properties (Dashboard subtab)

Ports and their status (Port List subtab)

Traffic statistics (Traffic subtab)

Events (Events subtab)

Device settings (Configuration subtab)

You can also click folders within the Device folder to see summaries of the statuses for
all devices within that folder.

Manage devices
To manage the device, turn to the toolbar. For example, you can click the Device
Manager icon to set the device's management settings or access its CLI. Navigate to
a higher level in the Network Tree and launch a wizard to configure multiple devices.
The global toolbar provides many helpful wizards, including the VLAN Manager and
the Secure Access Wizard.

PCM+ device discovery

Figure 9-17: PCM+ device discovery. For a discovered device (initially the seed), the
PCM+ agent establishes an SNMP connection, logs the device to the database's
device list, adds itself as a trap receiver if auto-trap is enabled, classifies the
device within the Navigation Tree, and discovers device attributes.

As soon as you log in to the PCM+ user interface, you can begin browsing the
Navigation Tree and viewing discovered devices. Take a moment to consider how
PCM+ discovered the devices.
The PCM+ agents actually perform device discovery. (Thus, if you have several
agents, PCM+ will discover all of your devices more quickly.) An agent begins at the
seed device, which you configured when you installed the PCM+ server. To formally
discover the seed device, the agent initiates an SNMP connection with it. As long as
PCM+'s and the device's SNMP parameters match, the connection is successful.
PCM+ then completes these steps:

1. It logs the device to the device list in the database.

2. If auto-trap is enabled, the agent adds itself as the device's SNMP trap receiver.

3. It classifies the device and places the device within the correct group in the
Navigation Tree.

4. It uses SNMP to discover other device attributes such as:

System name

Port lists and status

VLAN configuration

IP settings

Using information collected from the discovered seed device, the PCM+ agent
discovers more devices.

PCM+ discovery methods

Figure 9-18: PCM+ discovery methods. Neighbor discovery: the PCM+ agent uses SNMP
to read the LLDP (CDP or FDP) neighbor table of a previously discovered device; the
newly discovered LLDP neighbor is added to the map. ARP discovery: the PCM+ agent
uses SNMP to read the ARP table of a previously discovered device. Ping sweep: the
PCM+ agent pings a managed subnet to find newly discovered active devices.

You specified the seed device manually, so PCM+ knew where to locate and
discover it. How does the PCM+ agent find more devices to discover? It supports
several methods.

Neighbor discovery
This form of discovery relies on discovered devices that support Link Layer Discovery
Protocol (LLDP, 802.1AB), Cisco Discovery Protocol (CDP), or Foundry Discovery
Protocol (FDP). PCM+ uses SNMP to query discovered devices for their
LLDP/CDP/FDP neighbor table. The PCM+ agent reads the table and finds the IP
addresses of new devices to discover.
The agent also uses the LLDP/CDP/FDP information to map the network topology.
PCM+ first places the seed device. It then adds each of that device's neighbors to the
map, connected to the seed device by a link. After formally discovering the neighbors and
receiving their neighbor tables, PCM+ adds those neighbors to the map. It follows a
recursive algorithm, discovering more neighbors until it finds no more new neighbors.
Because PCM+ uses neighbor discovery for mapping, devices will not be displayed
in the map unless they support LLDP/CDP/FDP. Wireless devices are an exception:
PCM+ maps them using the bridge MIB, which it discovers during device attribute
discovery.

ARP discovery
PCM+ can also use SNMP to query discovered devices for their ARP tables, which
contain the MAC and IP addresses of other devices in the switch's subnets. This form
of discovery enables PCM+ to discover all active devices that do not support
LLDP/CDP/FDP.

Ping sweep
With this time-intensive but exhaustive discovery method, the PCM+ agent pings
every IP address in the managed subnets, detecting any devices that escaped the
neighbor and ARP discovery phases. This process takes longest to run because the
agent queries all IP addresses in the subnet and must wait for a response or a
timeout before proceeding to the next potential device in the IP address range.
Initially, the only managed subnet is the one associated with the seed device's IP
address. But you can add more managed subnets.
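The three discovery methods above, modelled offline as an added example (not HP's or PCM+'s code). The function name, the sample tables and the rule that addresses outside the managed subnets are skipped are assumptions made for the illustration; the result shows which devices reach the topology map and which are found only through ARP or the ping sweep, the ones an inventory review should look at first.

```python
import ipaddress
from collections import deque

# Constructed sample data: the tables each SNMP-readable device would return.
SNMP_TABLES = {
    "10.0.0.1": {"lldp": ["10.0.0.2", "10.0.1.1"], "arp": ["10.0.0.2", "10.0.0.5"]},
    "10.0.0.2": {"lldp": ["10.0.0.1", "10.0.0.3"], "arp": ["10.0.0.1", "10.0.0.6"]},
    "10.0.0.3": {"lldp": ["10.0.0.2"], "arp": []},
    "10.0.0.5": {"lldp": [], "arp": ["10.0.0.1"]},  # SNMP device without LLDP
}
# Constructed: hosts that answer a ping. 10.0.0.9 appears in no table at all.
RESPONDS_TO_PING = set(SNMP_TABLES) | {"10.0.0.6", "10.0.0.9"}


def discover(seed, managed_subnets, snmp_tables, responds_to_ping):
    """Run neighbor, ARP and ping-sweep discovery over in-memory tables."""
    nets = [ipaddress.ip_network(n) for n in managed_subnets]

    def managed(ip):
        return any(ipaddress.ip_address(ip) in net for net in nets)

    found_by = {seed: "seed"}   # ip -> method that found it first
    links = set()               # topology map edges (from neighbor tables only)
    skipped = set()             # learned addresses outside the managed subnets
    queue = deque([seed])
    probes = 0

    def learn(ip, method):
        if not managed(ip):
            skipped.add(ip)     # assumption: unmanaged subnets are not discovered
        elif ip not in found_by:
            found_by[ip] = method
            queue.append(ip)

    def drain():
        # Query every newly found device until no new addresses turn up.
        while queue:
            dev = queue.popleft()
            tables = snmp_tables.get(dev)
            if tables is None:
                continue        # no SNMP access: nothing more to learn from it
            for nbr in tables["lldp"]:
                learn(nbr, "neighbor")
                if nbr in found_by:
                    links.add(frozenset((dev, nbr)))
            for ip in tables["arp"]:
                learn(ip, "arp")

    drain()
    # Ping sweep: one probe per managed address that is still unknown.
    for net in nets:
        for host in net.hosts():
            ip = str(host)
            if ip in found_by:
                continue
            probes += 1
            if ip in responds_to_ping:
                learn(ip, "ping")
    drain()

    mapped = {seed} | {ip for link in links for ip in link}
    return {
        "found_by": found_by,
        "links": links,
        "unmapped": sorted(set(found_by) - mapped),
        "skipped": sorted(skipped),
        "probes": probes,
    }


if __name__ == "__main__":
    result = discover("10.0.0.1", ["10.0.0.0/28"], SNMP_TABLES, RESPONDS_TO_PING)
    for ip, method in sorted(result["found_by"].items()):
        print(f"{ip:<10} found by {method}")
    print("on no map:", result["unmapped"])
    print("outside managed subnets:", result["skipped"])
    print("ping probes sent:", result["probes"])
```

Adding `10.0.1.0/30` to the managed subnets moves `10.0.1.1` from the skipped list onto the map, which mirrors moving a subnet from Unmanaged to Managed in the Agent Manager.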

Device attribute discovery


As you learned in the previous slide, once PCM+ detects a device, it attempts to
connect to it with SNMP. If successful, it discovers the device attributes, which enable
it to display the device status in the user interface. In addition, PCM+ discovers which
subnets and VLANs are supported on which devices and links, enabling it to create
subnet and VLAN maps.

Discovered devices
With these methods combined, PCM+ can discover all E-Series devices in a
managed subnet. It discovers these devices whether they support LLDP/FDP/CDP or
not. The devices simply require:

- IP addresses
- SNMP support with the correct read-only community or SNMPv3 user credentials (read-write access is required to manage the device fully)

Although PCM+ looks for devices with the bridge MIB (switches and APs), it can also
discover SNMP-accessible devices without the bridge MIBs such as HP printers.
Finally, PCM+ can discover any endpoints that have IP addresses such as user
computers.
Note
PCM+ can also discover and manage certain HP A-Series devices and Cisco
devices. Check the supported device matrix for your version of PCM+.


Configuring discovery settings

Configure discovery settings per-agent. If you have devices in a different subnet from the seed, you must add managed subnets.

Figure 9-19: Configuring discovery settings

Now that you understand how PCM+ begins automatically discovering devices, you
can look at customizing the discovery settings. Because the PCM+ agent handles
device discovery, you configure these settings from PCM+'s Agent Manager.
In the global toolbar, click the icon to launch the Agent Manager.

The left pane lists the agents that have connected to the server. You can select each
agent and configure its settings separately. The figure shows the Discovery tab for the
Default Agent (the local agent on PCM+). From this tab, you configure all discovery
settings.
The figure displays one of the most important initial settings: Managed Subnet. As
you see, the PCM+ agent has already discovered other subnets configured on the
seed device and populated the Unmanaged Subnets list with them. If any devices
that you want to manage have management IP addresses in one of those subnets,
move it to the Managed Subnets list.
You can also exclude devices from discovery (Exclude Device subtab) and disable
discovery methods or view their status (Status subtab).


Managing PCM+ users

You can create various user accounts with different levels of access to PCM+.

| Default user profile | Task |
|---|---|
| Administrator | Manage users |
| Operator | Manage and configure devices |
| Viewer | Monitor devices |

Figure 9-20: Managing PCM+ users

Just as setting a password to secure management access is one of the first tasks that
you complete on a switch, you must set up management access to PCM+.
Initially, you log in to PCM+ with the Administrator account, but you can create your
own management user accounts. To each account, you assign a role. The figure
shows the three pre-defined roles:

- Administrators can perform any task, including managing users (network administrators with access to PCM+), managing and configuring devices, and monitoring devices.
- Operators can perform any task except managing users.
- Viewers can view device status and events but not make any configuration changes.

To configure the management users, select File > Manage Users or click the Manage
Users icon in the global toolbar. In addition to supporting local users, PCM+
can authenticate management users to a network RADIUS server (PCM does not
provide that feature).
Note
In PCM+, you can also create your own profiles that define which tasks users can
perform more granularly.


Lab Activity 9
The SMB network is expanding, and the IT staff need help keeping up. Not only do
they need to be able to deploy, configure, and manage infrastructure devices more
easily, they need help monitoring the network and verifying that resources are being
used effectively. You will install PCM+ and begin to use it to monitor and manage the
network.
Consult your Lab Activity Guide for instructions for performing this activity.


Lab Activity 9 debrief


Use the space below to record your Key Insights and Challenges from Lab Activity 9.

Table 9-1: Debrief for Lab Activity 9


Challenges

Key Insights

What tools did you find that you could use in your job?

How would you use the tool?

Teach the class.


Learning check
1. Which PCM+ component discovers devices? What does this mean for the amount of time that is required to discover a network?

2. How does PCM+ add discovered devices to network, VLAN, and subnet maps?

3. Which ports must you open in firewalls that stand between a remote agent and the PCM+ server? Which settings affect the requirements?

4. What is one way that PCM+ provides enhanced visibility into the network as compared to PCM?

Introduction to Network Design


Module 10

Module 10 objectives
After completing Module 10 of HP Access Layer Network Technologies using
ProVision Software, you will be able to:

- Analyze network needs and specify appropriate designs using E-Series products and technologies
- Identify E-Series switches appropriate for a given environment

Name that device!


Device 1:
Your first guess:
Correct answer:

Device 2:
Your first guess:
Correct answer:

Device 3:
Your first guess:
Correct answer:

Device 4:
Your first guess:
Correct answer:

Device 5:
Your first guess:
Correct answer:

Device 6:
Your first guess:
Correct answer:

Device 7:
Your first guess:
Correct answer:

Device 8:
Your first guess:
Correct answer:

Examples of HP E-Series switches

To see the complete E-Series product line, visit www.hp.com/networking

Figure 10-1: Examples of HP E-Series switches (axes: Functionality and Scalability/Performance; switches shown: E8200 zl, E3500, E5400 zl, E2910 al, E2610, E2510)

HP networking offers dynamic families of Ethernet switches, with new product lines
and features added regularly. Figure 10-1 shows some examples of HP's most recent
E-Series products. As shown in the figure, HP E-Series switches can be divided into
three categories.

1. Layer 2 managed

Switches such as those in the E2510 Switch Series offer basic Layer 2 connectivity for
small and medium businesses (SMBs). The E2510, one of the HP E-Series' latest offerings
in this class, offers four different models to meet the connectivity needs of different
types of users and organizations. All four switches support an array of sophisticated
Layer 2 technologies, including LACP, MSTP, LLDP, and 802.1Q VLANs.
The E2510-24 and E2510-48 offer 24 or 48 10/100 ports for end-user connectivity,
plus uplink ports for gigabit connectivity to network distribution layers. The E2510-24
offers two dual-personality ports that can support gigabit uplinks using either RJ-45
or fiber-optic transceivers. The E2510-48 offers 48 10/100 ports plus four uplink
ports, including two 1000-BaseT ports for RJ-45 connectivity and two slots for fiber-optic transceivers.


The E2510-24G and E2510-48G add gigabit connectivity for end users. The E2510-24G offers 20 10/100/1000 ports and two dual-personality ports for uplink
flexibility. The E2510-48G offers 44 10/100/1000 ports and two dual-personality
ports.

2. Light Layer 3

Switches such as those in the HP E2610 Switch Series and HP E2910 al Switch Series
offer all the Layer 2 features of the E2510 plus basic IP routing features such as static
routing and, in the case of the E2910 al, RIP.
The E2610 series offers five different models that support an array of connectivity
needs. The E2610-24 and E2610-48 offer 24 or 48 10/100 ports for end-user
connectivity. For uplinks, they both offer two RJ45 10/100/1000 ports and two open
transceiver slots for fiber-optic connectivity. The other three models, the E2610-24-PoE,
E2610-48-PoE, and E2610-24/12-PoE offer the same connectivity and uplink options,
plus support for Power over Ethernet.
The E2910 al series offers four models with support for 10/100/1000 end-user
connectivity and four dual-personality ports. The switches also support four optional
10-GbE uplink ports that support a variety of transceivers. The E2910-24G al offers
20 10/100/1000 ports plus four dual-personality ports. The E2910-48G al offers 44
10/100/1000 ports plus four dual-personality ports. The E2910-24G-PoE+ al and
E2910-48-PoE+ al add support for PoE+, a next-generation version of PoE that
provides more power and control options than the earlier PoE version.
Among the switches not shown here are those in the E4200 vl Series, a family of
modular Light Layer 3 switches that support 10/100, 10/100/1000, and 10-GbE
connectivity for the enterprise edge. The E4200 vl Series includes six models that
support two, four, or eight port modules. Some models include port modules. One
model, the E4202-72 vl offers 72 built-in 10/100 ports plus open slots for two port
modules.
3. Advanced Intelligent

Based on the ProVision ASIC, the HP E-Series' Advanced Intelligent switches offer five
models designed to meet the advanced connectivity needs of the contemporary
enterprise. As described throughout this course, the ProVision ASIC switches offer a
full range of Layer 2 and Layer 3 software features in a variety of hardware form
factors that are purpose-built for various enterprise roles. Designed for the medium
enterprise LAN, the E3500, E5400 zl, and E8200 zl all support PoE plus a suite of
hardware features designed specifically for roles in the enterprise edge, distribution
layer, and core. The E6600 offers five models designed specifically for the enterprise
datacenter. As well as offering datacenter-specific features such as customizable
airflow, the five models in the E6600 Switch Series support a variety of connectivity
options for 100/1000 and 10-GbE connectivity. These include:

- E6600-24G, which supports 20 10/100/1000 ports plus four dual-personality ports.
- E6600-24G-4XG, which supports 20 10/100/1000 ports plus slots for four 10-GbE transceivers.
- E6600-48G, which supports 44 10/100/1000 ports plus four dual-personality ports.
- E6600-48G-4XG, which supports 48 10/100/1000 ports plus slots for four 10-GbE transceivers.
- E6600-24XG, which offers slots for 24 10-GbE transceivers.

Designed to be deployed as an aggregator between the enterprise edge and core,
the E6200-24G-mGBIC yl supports 24 slots for gigabit fiber-optic transceivers and an
expansion slot for four 10-GbE transceivers.


HP E-Series product matrix


The table summarizes HP E-Series switch support for the technologies described in
this course. For more information on these switches or for products in other HP
networking series, see the HP networking Web site, www.hp.com/networking.

Features of HP E-Series switches

| Feature | E2510 | E2610 | E2910 al | E3500 | E5400 zl | E6600 | E8200 zl |
|---|---|---|---|---|---|---|---|
| Maximum VLANs | 64 to 256*** | 256 | 2048 | 2048 | 2048 | 2048 | 2048 |
| Default STP | MSTP | MSTP | MSTP | MSTP | MSTP | MSTP | MSTP |
| Link aggregation | up to 24 trunks, eight ports per trunk** | 24 trunks, 8 ports per trunk | 24 trunks, 8 ports per trunk | 60 trunks, 8 ports per trunk | 60 trunks, 8 ports per trunk | 60 trunks, 8 ports per trunk | 60 trunks, 8 ports per trunk |
| Routing support | Layer 2 only | 16 static routes | RIP, 16 static routes | RIP, OSPF* | RIP, OSPF* | RIP, OSPF* | RIP, OSPF |
| Routing/switch capacity | 48 to 96 Gbps | 12.8 to 17.6 Gbps | 128 to 176 Gbps | 101.8 to 149.8 Gbps | 322.8 to 645.6 Gbps | 48 to 322.8 Gbps | 645.6 Gbps |

* Requires Premium License
** E2510-24 supports two 10/100 trunks with four links per trunk and one gigabit trunk.
*** E2510 supports 256 VLANs. E2510G supports 64 VLANs.
Note
At factory defaults, HP E-Series switches typically support a limited number of
VLANs. VLAN support can be increased using the max-vlans command. For
more information, see the Advanced Traffic Management Guide for your switch.


Key differentiator: Scalability

The Advanced Intelligent switches offer the most scalability, capacity, and performance
- For instance, E3500 yl offers higher switching capacity than E2910 al
- E2910 al offers higher capacity than E2510

Figure 10-2: Key differentiator: Scalability (switches shown: E3500-48G-PoE yl, E2910-48G al, E2510-48G)

While the various classes of HP E-Series switches offer similar port densities, they can
be differentiated by scalability and performance. For instance, the E2510-48G and
E2910-48G al both offer 48 10/100/1000 ports. However, as shown in the
Features of HP E-Series switches table on the previous page, the E2910-48G al
offers significantly greater routing and switching capacity and support for more
VLANs. Furthermore, as a Light Layer 3 switch, the E2910 al supports static routing
and RIP. All E2510 models support Layer 2 connectivity. Positioned between the
E2510 and the E2910 al, the E2610 models offer static routing. Furthermore, the
E2610 and E2910 al both offer support for PoE, which is not offered on the E2510.
Similarly, in keeping with its role in the advanced enterprise, the E3500-48G-PoE yl
offers software features not available on the E2910 al, as well as support for more
trunks and VLANs.

Key design feature: 10-GbE connectivity

Many E-Series switches support 10-GbE modules
- Most often, 10-GbE switches require add-on modules and transceivers
- Support for various cable types, including Infiniband (CX4) and fiber-optic
- Check your datasheet for 10-GbE support for your switch model

Figure 10-3: Key design feature: 10-GbE connectivity (shown: 10-GbE CX4 transceiver, 10-GbE X2 transceiver)

Another key differentiator among HP E-Series switch families is support for 10-GbE
connectivity. The various classes and models of HP E-Series switches support an array
of 10-GbE transceivers in various form factors. The three major types of 10-GbE
transceivers supported on HP E-Series switches are:

- X2: A standard for supporting fiber-optic connections. In HP E-Series switches, X2 support is generally offered by transceivers that can be plugged into specialized module slots. X2 supports SR, LR, LRM, and ER connectivity. For information on 10-GbE support on your switch model, consult the datasheet.
- CX4: A copper cable form factor similar to the Infiniband cable designed for high-volume data flows between processors and I/O devices. As with X2, HP E-Series switches support CX4 through pluggable transceivers designed for specific 10-GbE modules.
- SFP+: Supported on the E2910 al and E6600 switches, the SFP+ form factor supports the same cable types as the older X2 standard. Similar to the SFP form factor used in gigabit connectivity, SFP+ offers a smaller footprint and lower power usage than the older X2 form factor. The E2910 al Switch Series and most of the E6600 Switch Series models support SFP+ through the addition of specialized modules. However, the E6600-24XG offers 24 SFP+ ports.

The table shows the maximum cable lengths for various types of 10-GbE fiber-optic
connectivity supported on HP E-Series switches. CX4 cable supports distances up to
15 meters.

10-GbE distances for fiber-optic connections

| 10-GbE standard | 62.5/125 micron multimode fiber | 50/125 micron multimode fiber | Singlemode fiber |
|---|---|---|---|
| 10GBase-SR | 33 meters | 300 meters | |
| 10GBase-LRM | 220 meters | 220 meters | |
| 10GBase-LR | | | 10 kilometers |
| 10GBase-ER | | | 30-40 kilometers |

Network design examples


Your facilitator will now place you in a group and assign you to an example design.
Study the design individually for a couple of minutes. Then discuss the design as a
group; the Learner Guide provides discussion questions, and you can also discuss
topics that interest you.
Also work together to plan a two-minute presentation on your design, which you will
give to the class. After your presentation, you will also have the chance to ask other
classmates or your facilitator to clarify any points in the design that your group did
not understand.


Network design example 1

Figure 10-4: Network design example 1 (areas shown: Network core, Remote site #1, Remote site #2; link states: Forwarding, Blocked; legend: 1000Base-T, 1 Gigabit-SX, 1-Gigabit-LX, Blocked link)

Figure 10-4 illustrates a basic network design consisting of a primary site with two
remote sites. This design is typical of a mid-range network and could easily be
expanded to include additional remote sites. This design works well for a network
with several servers, but not an extensive data center, that needs basic 10/100 Mbps
connectivity for users. You could apply this design to organizations such as school
systems with multiple elementary schools, banks with multiple branches, universities
with remote campuses, or businesses with branch offices.
Key features of this design are:

- Two HP E5406 zl switches that serve as the network core and support these connections:
  - 1000Base-T links to the HP E2610-48-PoE switches located near the E5406 zl switches
  - Gigabit fiber-optic links for backbone connections to HP E2610-48-PoE switches located in the data center (Gigabit-SX) and in remote sites (Gigabit-LX)
- HP E2610-48-PoE switches at the edge
- HP E-MSM 320 APs at each site to provide wireless connectivity
- Rapid Spanning Tree Protocol (RSTP) to block redundant links
  - The links in blocking state are indicated by dotted lines.

Power over Ethernet (PoE) enables the E2610-48-PoE switches to provide power, as
well as network connectivity, to Powered Devices (PDs) such as the web-enabled
cameras and HP E-MSM APs shown in the figure.


Note how the redundant backbone links connect the core switches to different
switches at the remote sites. This is an important design element because if the core
switches connected to the same switch at each remote site, RSTP would disable one
of those links. Connecting the core switches to two different remote-site switches
blocks the 1000Base-T link between the two remote-site switches instead. The
designers have decided that this design is best because traffic flows more heavily
between the remote site and core than between different areas in the remote site.
They do not want a single E2610 to handle all of that traffic.
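The blocked-link reasoning above, worked through as an added example that is not part of the course material: a simplified spanning-tree calculation over point-to-point links. The bridge names and priorities, the core-to-core link and the path cost of 20000 per gigabit link are assumptions made for the illustration.

```python
import heapq

GIGABIT_COST = 20000  # assumed RSTP path cost for each 1 Gbps link

# Assumed bridge priorities: the cores are configured to win root election,
# the remote-site E2610 switches keep the default priority.
BRIDGES = {"core1": 0, "core2": 4096, "site-sw1": 32768, "site-sw2": 32768}

# Design as described: each core connects to a different remote-site switch.
DESIGN_AS_DRAWN = [
    ("core1", "core2", GIGABIT_COST),
    ("core1", "site-sw1", GIGABIT_COST),
    ("core2", "site-sw2", GIGABIT_COST),
    ("site-sw1", "site-sw2", GIGABIT_COST),
]

# Alternative the text warns about: both cores connect to the same switch.
SAME_SWITCH = [
    ("core1", "core2", GIGABIT_COST),
    ("core1", "site-sw1", GIGABIT_COST),
    ("core2", "site-sw1", GIGABIT_COST),
    ("site-sw1", "site-sw2", GIGABIT_COST),
]


def blocked_links(bridges, links):
    """Return the links left blocked once the spanning tree has converged.

    bridges: {name: priority}; links: [(bridge_a, bridge_b, cost)].
    Assumes a connected topology with at most one link per bridge pair.
    """
    bridge_id = {name: (prio, name) for name, prio in bridges.items()}
    root = min(bridges, key=bridge_id.get)      # lowest bridge ID wins
    adj = {name: [] for name in bridges}
    for a, b, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))

    # Root path cost of every bridge (Dijkstra from the root bridge).
    rpc = {root: 0}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > rpc[node]:
            continue
        for nbr, link_cost in adj[node]:
            if cost + link_cost < rpc.get(nbr, float("inf")):
                rpc[nbr] = cost + link_cost
                heapq.heappush(heap, (cost + link_cost, nbr))

    # Each non-root bridge forwards on one root port: lowest cost to the
    # root, ties broken by the lower upstream bridge ID.
    forwarding = set()
    for node in bridges:
        if node == root:
            continue
        upstream, _ = min(adj[node],
                          key=lambda e: (rpc[e[0]] + e[1], bridge_id[e[0]]))
        forwarding.add(frozenset((node, upstream)))

    # Any link that is nobody's root port has one end in the blocking state.
    return {frozenset((a, b)) for a, b, _ in links} - forwarding


if __name__ == "__main__":
    for label, topo in (("as drawn", DESIGN_AS_DRAWN), ("same switch", SAME_SWITCH)):
        blocked = [" <-> ".join(sorted(link)) for link in blocked_links(BRIDGES, topo)]
        print(f"{label}: blocked {blocked}")
```

With these assumptions the design as drawn blocks only the link between the two remote-site switches, while the alternative blocks one of the two backbone links, as the paragraph above describes.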
The design also implements a technology that has not been previously discussed in
this course: Virtual Router Redundancy Protocol (VRRP), which enables routing
switches to provide redundancy for their routing services. The section below includes
information about this protocol if you are interested.

VRRP reference information


VRRP enables the two routing switches to provide Layer 3 redundancy for clients
relying on them for default-gateway service. VRRP, available on the E5400 zl
switches with the addition of a Premium License, enables routers and routing switches
to act as Master and Backup routers for designated networks. If the Master becomes
unavailable, the Backup router can take over default gateway duties, enabling users
to maintain connectivity. A complete discussion of VRRP is outside the scope of this
course. This technology is covered at the ASE level in the Routing, Switching, and
Wireless track.

Possible discussion questions


1. What advantages do the E2610-48-PoE switches provide? Why do you think that
the designers selected them?

2. Based on what you have learned about RSTP, explain the topology. Why do you
think that the designers implemented RSTP to block these specific links? When
would this topology be less efficient than another?

3. The designers have deployed the APs as standalone devices. Would you make
the same decision?


Network design example 2


[Figure 10-5: Network design example 2. Labels in the diagram:
Network core: 2 E5406 zl, 3 E2610-48-PoE
Remote site #1: 1 E3500-24G-PoE yl, 5 E2610-48-PoE, 6 E-MSM320 APs
Remote site #2: 1 E3500-24G-PoE yl, 4 E2610-48-PoE, 6 E-MSM 320 APs
Unlabeled group: 1 E3500-24-PoE yl, 3 E2610-48-PoE, 8 E-MSM 320 APs
Module label: E-MSM 765 zl
Legend: 1000Base-T, 1 Gigabit-SX, 1-Gigabit-LX, Blocked link, Port trunk]

Figure 10-5: Network design example 2

Figure 10-5 illustrates a basic network design consisting of a main site with two
remote sites. This design is typical of a mid-range network and could easily be
expanded to include additional remote sites. This design works well for a network
with several servers, but not an extensive data center, that needs basic 10/100 Mbps
connectivity for users. The design nonetheless supports high performance for traffic
traveling from the remote sites to the network core and for traffic destined to local
services at the remote sites.
You could apply this design to organizations such as school systems with multiple
elementary schools, banks with multiple branches, universities with remote campuses,
or businesses with branch offices.
Key features of this design are:

Two HP E5406 zl switches that serve as the network core and support these
connections:

1000Base-T links to the HP E2610-48-PoE switches located near them

Gigabit fiber-optic links for backbone connections to the E3500-24G-PoE yl
switches at the local site (Gigabit-SX) and at the remote sites (Gigabit-LX)

One of these switches also includes an E-MSM 765 zl Mobility Controller for
managing the APs (you can learn more about this controller at the ASE level)

HP E2610-48 PoE switches at the edge

HP E3500-48 yl switches that aggregate links between the edge switches and
the core

HP E-MSM 320 APs at each site to provide wireless connectivity

Rapid Spanning Tree Protocol (RSTP) to block redundant links

The links in blocking state are indicated by dotted lines.

Power over Ethernet (PoE) enables the E2610-48-PWR switches to provide power, as
well as network connectivity, to Powered Devices (PDs) such as the web-enabled
cameras and HP E-MSM APs shown in the figure.
Note how the redundant backbone links connect the core switches to the E3500 yl
aggregation switches at the remote sites. Both links have been established to the
same switch at each site because the designers wanted to ensure that the crucial
backbone link traffic is always handled by the high-performing E3500 yl switches.
The E2610 switches, while suitable at the edge, could create a bottleneck if asked to
handle the extensive traffic expected on this link. To further speed traffic to the
network core and the site's aggregation layer, where most resources are held, each
E2610 switch has an aggregated link to the E3500 yl switch.
Also note that this design implements a technology that has not been previously
discussed in this course: Virtual Router Redundancy Protocol (VRRP), which enables
routing switches to provide redundancy for their routing services. The section below
includes information about this protocol if you are interested.

VRRP reference information


VRRP enables the two routing switches to provide Layer 3 redundancy for clients
relying on them for default-gateway service. VRRP, available on the E5400 zl
switches with the addition of a Premium License, enables routers and routing switches
to act as Master and Backup routers for designated networks. If the Master becomes
unavailable, the Backup router can take over default gateway duties, enabling users
to maintain connectivity. A complete discussion of VRRP is outside the scope of this
course. This technology is covered at the ASE level in the Routing, Switching, and
Wireless track.

Possible discussion questions

What advantages do the E3500 yl switches provide? Why did the designers
include these aggregation layer switches?
What advantages does the spanning tree design provide? If the design includes
multiple VLANs, how would you suggest setting up MSTP?
Where would you suggest adding bandwidth to this design in the future?


Network design example 3

[Figure 10-6: Network design example 3. Labels in the diagram:
Network core: 1 E8212 zl, 3 E3500-48G-PoE yl, 1 E6600-24G-4XG
Remote site #1: 1 E5412 zl switch, 6 E-MSM 422 APs
Remote site #2: 1 E5412 zl switch, 6 E-MSM 422 APs
Unlabeled group: 1 E3500-24G-PoE yl, 3 E3500-48G-PoE yl, 12 E-MSM 422 APs
Other labels: Server rack, 10-GbE-SR, Fortigate ONE zl, E-MSM 765 zl
Legend: 1000Base-T, 10-GbE-CX4, 10-GbE-LR, 10-GbE-SR, Blocked link, Port trunk]

Figure 10-6: Network design example 3

Figure 10-6 illustrates a network design consisting of an extensive central data center,
a main office, and two remote sites. This design is intended for a company with more
intensive networking needs and the need for Gigabit connectivity for at least some
users. This design is scalable; more devices could be added at the data center or at
new remote sites.
Key elements of this design include:

One HP E8212 zl switch that serves as the network core, with six 1-port 10-GbE
X2 modules and X2-CX4 transceivers to support connections to the other
switches:

1000Base-T links to the HP E3500-48-PoE yl switches that provide
connectivity for users at the main office

10 Gigabit fiber-optic links (Gigabit-SX) for backbone connections to HP
E6600 switches, which provide high capacity and high availability to the
data center servers

10 Gigabit fiber-optic links (Gigabit-LX) for backbone connections to HP
E5412 zl switches at the remote site

HP Open Network Ecosystem (ONE) zl modules in the E8212 zl switch to
provide advanced services:

Fortigate ONE provides a firewall and IPS

E-MSM765 zl Mobility Controller to control the HP

You will learn about these types of advanced services if you continue to the ASE
level training.


Note that this design does not require MSTP to disable any backbone links because
it features link aggregations between the single core switch and the E5412 zl
switches at the remote site.
The data center's racked servers form an important component of the design. They
make the data center more scalable and support cloud computing and other
innovations. The 6600 is a specialized data center switch offering mission-critical
features such as:

Configurable air flow to ensure the switch's exhaust is directed away from other
devices. Fan trays are also hot-swappable.
Modular, hot-swappable internal power supplies
Server-to-switch distributed trunking, which enables servers that support teamed
interface cards to be connected by aggregated links to multiple switches. This
enables redundancy as well as capacity.

Possible discussion questions

What possible advantage do you see in creating a topology with link
aggregations between the single core switch and the remote site switches?
Why do you think that the designers have elected to place an E5412 zl switch at
each site rather than a stack of fixed-port switches? Use datasheets and the
Features of HP E-Series switches table on page ??? to compare the E5412 zl
switch capacity to the capacity of a stack of six E2610 switches.
Does using a single E8212 zl switch in the core rather than, for example, two
5406 zl Series Switches, reduce high availability? Examine the E8212 zl Switch
Series datasheet to find redundancy features offered by this switch.
What advantages do the E6600 switches offer in the data center over, for
example, E3500 switches?


Group Activity: Designing networks with HP E-Series switches

Exercise instructions
Your lab group will use the information and worksheets on the next several pages to
propose a preliminary design for a network at a new office facility.
Your facilitator will set a time limit for your discussions, which will determine the level
of detail you will be able to provide in your plan. After your plan is complete, your
facilitator will lead the classroom in a group discussion of the network plan.
Remember, there is no single correct answer to this exercise. The exercise is designed
to provide you with an opportunity to examine how you can deploy HP E-Series
switches in a new network. It will also help to familiarize you with the HP E-Series
product line and to determine which technologies and products you might want to
explore in the next phase of your networking education.
Consult the design examples on the preceding pages and your datasheets as you
address the design criteria shown in the next several pages.

Scenario
You have been contacted by the head of a growing non-profit organization that has
two related goals:

Providing medical care and vaccinations for people in areas of the world with
fewer resources
Researching emerging diseases, disease-prevention, and epidemiology

The organization recently received an endowment and is opening a new facility that
will act as the headquarters and central research facility. You must design the
networking solution for this facility.

Goal
Although the facility has not yet been built and many details about the organization's
eventual networking needs remain to emerge, you have enough details to begin a
preliminary plan. Ideally, the plan should include the following elements:

A sketch showing which HP E-Series switches should be installed in each wiring
closet. Architectural drawings for the building include facilities to support the IT
infrastructure.

A preliminary design showing how technologies emphasized in this course
could be deployed to meet this organization's particular needs. Specifically, you
should plan:

VLANs and an IP addressing scheme

Locations where link aggregation could be required or useful

Locations where user needs suggest that Spanning Tree should be
implemented to provide redundancy

A preliminary routing topology that indicates where you might enable
routing in order to handle traffic flow between VLANs and to implement
security features such as IP ACLs

A research plan listing questions and topics that should be explored in more
depth in order to complete the plan

Scenario details
The new two-floor facility will house approximately 100 users and 30 servers. The
organization actually has more than 100 users because personnel rotate between the
field, providing medical services and conducting research, and the headquarters,
compiling and analyzing their research.

The ground floor provides offices and labs for onsite medical researchers. These
users need access to data servers that store their research as well as access to
sophisticated data analysis tools.
The ground floor also provides several classrooms, which the organization uses
for training new volunteers and employees.
A ground floor datacenter will house servers, which fulfill several functions:

Some servers store the medical researchers' data. These servers must hold
large files that are subject to sophisticated analysis.

This organization has enthusiastically embraced the Internet as a source for
fundraising. Several servers support the organization's Web site and handle
online credit card transactions from donors around the world.

Two servers handle the organization's internal accounting and human
resource (HR) records, as well as the organization's email system.

The company is thinking about a Voice over IP (VoIP) solution for their call
center, which would require another server.

The second floor provides:

Offices for administrators and fundraisers

These employees use basic office applications such as email, word
processors, spreadsheets, and presentation tools. However, they sometimes
need to run more intensive data analysis on trends and best practice, as
noted earlier.

Offices for onsite medical researchers

Two conference rooms where fund-raisers give presentations to potential
donors

Figure 10-7 and Figure 10-8 show the proposed layout for each of the two floors.
Note that the second floor includes specialized wiring closets for switches and other
infrastructure equipment. Racks for servers and switches will occupy much of the
space in the data center on the first floor.

Figure 10-7: Layout for the first floor

Figure 10-8: Layout for the second floor

Figure 10-9 shows how the user types are expected to be distributed throughout the
building.

Figure 10-9: Expected user distribution

Network connectivity requirements:


The research servers will experience the highest data load during regular
business hours when researchers are at work.
Researchers will require PCs with Gigabit connections due to the large size of
the files they will retrieve from the research servers.
Administrators and fundraisers will be equipped with PCs with 100 Mbps
connections.
Some IT staff members will require 1 Gbps connections because of their roles in
administering the data servers. Other staff members, such as those who manage
the network infrastructure, will require 100 Mbps connections.
The mailing and call center features a couple of PCs that users share for
clocking into the organization's timecard application and for checking email.
All servers will have 1 Gbps network adapters.
All printers will be connected to 10/100 Mbps print servers or feature built-in
network support. No printers are connected to user PCs. Printers are shared
between users; for example, the fundraisers use the same printers as the
administrators.

All devices will be located within 100 meters of a wiring closet.

Application requirements include:

International regulations require high levels of security for the medical and
epidemiological data. Many countries allow the medical researchers to collect
data and tissue samples only under the agreement that the research is carefully
monitored and not sold for profit. Therefore, only authorized medical researchers
will be allowed to access the data.
The medical researchers will use resource-intensive data-modeling applications
to work directly with the data files on the research servers. They will not store
research files on their local PCs.
Administrative and fundraising staff members will use typical office and web-based
applications and will store their files on file servers in the data center.
A separate team is evaluating the possibility of implementing a VoIP solution for
the call center. The team is also evaluating whether to allow wireless access for
any users, particularly in the training and conference rooms.

Table 7-3 summarizes the device requirements for the new building. Note that, if the
company decides

Table 7-3

Devices expected in the facility

Floor

Department

Data center

Research
Training
2

Administrators
(including HR and
accounting)
Fund-raisers
IT staff
Mailing and call
center

Research


Device

Quantity

Total

Servers:
1 Gbps
Rack-mounted
Teamed NICs
PCs1 Gbps
Printers
PCs100 Mbps
Printer
PCs100 Mbps

30

30

16
2
4
1
20

18

Printers/print
servers
PCs100 Mbps
PCs100 Mbps
PCs1 Gbps
PCs100 Mbps

Printers/print
servers
PCs1 Gbps

10
2
1
3

16

5
22

10
3
6

18


Worksheets
The worksheets on the next several pages provide the resources required to
summarize and sketch your network design.
The figure below provides a space for sketching the switches that will be located in
each wiring closet and the data center. Use the space to sketch all switches and
connections.

Figure 10-10: Sketch for wiring closets

Provide more detailed information about the switches that you placed in the sketch.

Equipment list worksheet

Location | Switch model | Ports: fiber or copper | Ports: speed | Uplink type
Floor 1 | | | |
Floor 2 | | | |

Now that you have made a preliminary sketch of your switching infrastructure,
consider the following questions to finish your diagram.
1. Where would you deploy port trunking for higher-bandwidth connectivity?
Where do you require 10-GbE uplinks? Sketch them into your diagram and
provide reasons for your choices below.

2. Do you see any locations that require RSTP or MSTP to provide for Layer 2
redundancy? Sketch them into the diagram and provide reasons for your choice
below.

3. What is your plan for VLANs and IP addressing? Would you implement a single
VLAN design or create multiple VLANs?

Logical network design

VLAN ID | VLAN name | Subnet IP address/Mask | Default gateway address | Default gateway device

4. Will you implement routing at any location inside the facility? If so, where?
Explain below.

5. What type of bandwidth might the facility require for its Internet connection?
Will Internet traffic create requirements for additional bandwidth in the data
center?

6. What additional information must you gather in order to complete the network
design for the new facility?

Next steps: HP AIS Network Infrastructure certification training

Certifies you to deploy HP products to meet the basic
routing, switching, and mobility needs of SMBs,
commercial companies, and the enterprise edge

Four components:
Getting Started with HP Wireless Networks (WBT)
Getting Started with HP Switching and Routing (WBT)
HP Access Layer Network Technologies using ProVision Software (this ILT)
HP Access Layer Network Technologies using Comware Software (ILT)

Figure 10-11: Next steps: HP AIS Network Infrastructure certification training

The Accredited Integration Specialist (AIS) certification verifies that you can deploy
HP networking products to meet the basic routing, switching, and mobility needs for
SMBs, commercial companies, and the enterprise edge.
Having completed this course, you are well on your way to being prepared for the
AIS certification test. You simply need to attend the HP Access Layer Network
Technologies using Comware Software ILT if you are not already familiar with
implementing the technologies covered in this course on the A-Series devices.

Next steps: HP AIS Network Infrastructure certification test

Register at: www.pearsonvue.com/hp
You may take the AIS certification test at any time
Test name is HP Networking Technologies (HP0-Y30)
Contact a PearsonVUE Testing Center

Figure 10-12: Next steps: HP AIS Network Infrastructure certification test

To earn the AIS certification, you must pass the AIS certification test, which is offered
at PearsonVue Testing Centers. The test will cover all courses in the AIS curriculum,
including the prerequisite WBTs. However, although the courses will prepare you for
the test, you may register for the test at any time you choose whether you have
completed the courses or not.

Continued learning

Advanced certification with several tracks each:

ASE: Certifies you to design, implement, and support HP networking products in complex
and multi-site enterprise environments

MASE: Certifies you to deploy design, implement, and support HP networking and third-party
products in advanced solutions that meet enterprises' specific business needs

For more information, visit www.hp.com/networking/training

Figure 10-13: Continued learning

You can also receive more advanced certifications:

Accredited Systems Engineer (ASE)

Master Accredited Systems Engineer (MASE)

Like the AIS certification, the ASE and MASE certifications are supported by a series
of web-based and instructor-led courses. These certifications also divide into several
specialized tracks.
The AIS Network Infrastructure certification will provide all the prerequisites you
require for the ASE Network Infrastructure or ASE Wireless certification tracks. Both
tracks consist of several training courses, including instructor-led training and
web-based training. For more information, visit www.hp.com/networking/training.

Additional learning resources: HP networking documentation

Manuals for current HP E-Series devices available at:
www.hp.com/networking/manuals

For most products, manuals include:
Installation and Getting Started Guide
Management and Configuration Guide
Advanced Traffic Management Guide
Access Security Guide

For some products:
CLI Reference Guide
Multicast and Routing Guide

Figure 10-14: Additional learning resources: HP networking documentation

The HP networking web site features extensive documentation on all HP networking
products, including the E-Series products. For most switches, the site offers three
manuals: the Management and Configuration Guide, the Advanced Traffic
Management Guide, and the Access Security Guide. For advanced products, other
guides may be available. For the ProVision ASIC products, for example, the site
offers a Multicast and Routing Guide and a CLI Reference Guide. HP also provides
manuals for the HP E-Series wireless products.
To locate the manuals, you can navigate to a product's Web page on the site and
click the Manuals link in the right-hand sidebar. Alternatively, you can visit the
Support section and look for the Manuals link.
For most manuals, you have the option of viewing or downloading the entire manual
or downloading individual chapters. All documents are presented in PDF format.

My Networking Portal
As well as product manuals, HP networking offers a growing library of design and
implementation guides, covering such topics as PoE, security, and VoIP installation.
Most of these documents are available by clicking the Design and Implementation
link on the Support page.
Access to these documents requires registration at the My Networking Portal site.
However, this registration is free. Simply navigate to
http://hp.com/networking/mynetworking and click Create New Account. As well as
offering access to implementation guides, My Networking Portal offers access to
pre-release versions of HP networking software.

Learning check
1.

The HP E3500-48-PoE yl switch, the HP E2910-48-PoE switch, and the HP E251048-PoE switch all provide 48 GbE ports. Why can you not use the switches
interchangeably in all environments?

_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
2. Which HP E-Series switch series is specifically designed for the data center?

_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
3. You must consider many questions as you decide which HP E-Series products to
   deploy and where to deploy them to meet a company's needs. What are three?

_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________


CLI Job Aid


Appendix A


Mobility Job Aids


Appendix B

Mobility Job Aid: 802.11 Standard Selection


1. Determine your bandwidth requirements. Do you have a high density of users?
   Will your users run bandwidth-intensive applications such as streaming video,
   online gaming, graphical design programs, and video conferencing?
   - If yes to any of these questions, select 802.11n and move to question 2.
   - If no, move to question 4.

2. You can select the 2.4 GHz frequency range, the 5 GHz range, or both. Using
   both frequencies enables you to increase capacity easily by overlapping radios.
   - If you want to use both frequencies, configure different 802.11n radios for
     different frequencies. Move to question 3.
   - If you want to use one frequency, select the frequency that experiences the
     least interference in your environment. Move to question 3.

3. Determine whether you want to implement backward compatibility. Do all of
   your stations support 802.11n?
   - If yes, or if you are willing to upgrade, implement pure 802.11n in the selected
     frequency or frequencies. You are done.
   - If some do not, implement 802.11n/a (for 5 GHz) and/or 802.11n/g (for
     2.4 GHz). You are done.

4. Consider the capabilities of your stations' wireless NICs.
   - If every NIC supports 802.11b only, select 802.11b. You are done.
   - If every NIC supports 802.11b/g, select 802.11g. You are done.
   - If every NIC supports 802.11a only, select 802.11a. You are done.
   - If the NICs support a mix of 802.11b and 802.11b/g, select 802.11b/g. You
     are done.
   - If the NICs support a mix of 802.11b, 802.11b/g, 802.11a, and
     802.11a/b/g, configure some radios for 802.11a and some for 802.11b/g.
     You are done.
   - If every NIC supports 802.11a/b/g, move to the next question.

5. You can select the 2.4 GHz frequency range, the 5 GHz range, or both. Using
   both frequencies enables you to increase capacity easily by overlapping radios.
   - If you want to use both frequencies, configure 802.11a on some radios and
     802.11g (or 802.11b/g) on other radios. You are done.
   - If you want to use only one frequency, select the frequency that experiences
     the least interference in your environment.
     - If 2.4 GHz experiences less interference, select 802.11g (or
       802.11b/g). You are done.
     - If 5 GHz experiences less interference, select 802.11a. You are done.


Mobility Job Aid: AP Placement


Your APs' placement affects the success of your wireless services. The guidelines
below are no replacement for an assessment of your specific site by skilled wireless
engineers; however, they give you a place to start.

Space the APs correctly
- In a typical office environment, APs should be placed between 15 and 45 m
  apart.
- Place APs more closely together to support higher bandwidth. (However,
  802.11n APs do support a slightly longer range.)
- When you deploy APs more closely together, you should decrease their
  transmit power slightly. You should also raise the basic data rates to prevent
  stations from connecting to APs that are further away, which can slow down
  the connection for everyone.

Look for obstructions
- The closer an obstruction is to the AP, the greater effect it has on the signal.
- Try to place the AP above and away from obstructions such as metal
  cabinets, walls with wire mesh, and reflective surfaces.

Check the AP and antenna orientation
- An internal omnidirectional antenna does not propagate the signal equally
  in three dimensions. Instead it propagates the signal in a relatively flat disk.
  Make sure that the AP is oriented such that the signal propagates out
  towards users. Also ensure that you do not install the AP so high that the
  coverage is weak where users actually sit.

Check and recheck
- After you place the APs, check the signal strength in many locations. Also
  check the signal at different times of day because interference tends to vary.


Mobility Job Aid: Overlapping radios


You can increase the capacity of your wireless network by overlapping radios that
operate at 2.4 GHz and at 5 GHz. You can also increase capacity by overlapping
radios that operate in the same frequency range. In the latter case, you must ensure
that the channels on overlapping radios (or even nearby radios) do not overlap.
All channels in the 5 GHz range are non-overlapping. In the 2.4 GHz range,
channels overlap with channels five above or below. The table indicates some sets of
non-overlapping channels; you can use these sets or plan your own.
Note
Some regions do not allow some channels. Choose a set with channels allowed
by your region.

Non-overlapping 2.4 GHz channels

Number of overlapping radios    Example sets of channels
3                               1, 6, 11; 1, 7, 13; 1, 7, 12; 2, 7, 13; 3, 8, 13
2                               2, 8; 2, 9; 2, 10; 2, 11; 2, 12; 3, 9; 3, 10;
                                3, 12; 4, 10; 4, 12; 5, 12


Learning Check Answers


Appendix C

Module 1
1. What commands provide help at the CLI of an E-Series switch? (Select two.)
   a. typing ?
   b. typing /? [ENTER]
   c. typing help
   d. pressing the [TAB] key

2. At the CLI of an E5406 zl switch, you enter show lldp information remote-device
   a24. Assuming the device connected to port a24 also supports LLDP, what
   information can you learn? (Select two.)
   a. IP address of connected device
   b. Supported management protocols on connected device
   c. Routing capabilities of connected device
   d. SNMP communities on connected device
   e. STP region supported by connected device

3. How can you access the history buffer in the E-Series switch CLI?
   By entering show history or by using the up arrow on the keyboard.

4. Match each privilege level to the correct prompt.
   Privilege levels: operator; manager; global configuration
   Prompts: Switch(config)#; Switch>; Switch#


Module 2
1. On E-Series switches, what is a difference between the boot command and the
   reload command?
   a. The reload command requires the switch to run diagnostics before
      restarting. The boot command does not.
   b. The reload command restarts the switch using the current running
      configuration. The boot command uses the startup configuration.
   c. The reload command restarts the switch without running diagnostics. The
      boot command requires that diagnostics be executed and also allows you
      to select a flash image.
   d. The reload command restarts the switch using the active configuration file.
      The boot command enables the administrator to choose a configuration file
      for startup.

2. What is the relationship between primary and secondary flash on an E-Series
   switch?
   a. Primary flash holds the current system image. Secondary flash provides a
      backup for the image.
   b. Primary and secondary flash are independent and can hold different
      images. Either image can be used to boot the switch.
   c. Secondary flash is a mirror of primary flash, enabling the switch to fail over
      if the primary flash image is corrupted.
   d. Primary flash is non-volatile memory that stores the switch's startup
      configuration. Secondary flash is volatile memory that stores the switch's
      running configuration.

3. Name two potential uses for multiple configuration files on an E-Series switch.
   a. Back up a base or known configuration in case you must restore the switch
      to a known state
   b. Hold multiple configurations for use with different software images,
      enabling you to test new features without a complete re-configuration

4. When is a command entered at the E-Series CLI executed?
   a. immediately
   b. when the write memory command is entered
   c. when the switch is restarted

5. What is the process for upgrading the Boot ROM on an E-Series switch?

If necessary, Boot ROM upgrades are included in software images downloaded from
the HP web site. When the software is installed and the switch is rebooted, it will
boot twice. During the first reboot, it will install the Boot ROM, and then restart
immediately. The new software will become active with the second reboot. For more
information, see the Release Notes included with your HP switch software. Warnings
about Boot ROM procedures also appear on the software download pages on the
HP web site.

Module 3
Ideas for the prework review activity
What is the 802.1Q tag, and how is it used by VLAN-aware switches?

The 802.1Q tag is an IEEE standard for including VLAN membership
information in the Ethernet frame.
In a VLAN-aware network, frames are either tagged or untagged. Untagged
frames, as their name suggests, do not include a specific VLAN ID. Tagged
frames include a four-byte tag that specifies a VLAN ID.
Switch ports can be configured to be tagged or untagged members of a VLAN.
This enables every switch port to forward traffic for multiple VLANs. When an
untagged frame arrives on a port, the switch assumes the frame should be
forwarded in the VLAN in which the port is an untagged member. The tags in
tagged frames provide the switch with VLAN information.
Because most end nodes, such as PCs and their network interface cards, cannot
insert or remove VLAN tags, a port serving only end users is typically an
untagged member of the users' VLANs.
Because switch-to-switch links often must carry multiple VLANs, they are often
untagged members of one VLAN and tagged members of others. Often, but not
always, the port is an untagged member of the Default VLAN and a tagged
member of administratively defined VLANs.
When an untagged frame arrives on an end-user port and must be forwarded
over an uplink that is a tagged member of the user's VLAN, the switch will insert
the correct tag before forwarding the frame. This enables the switch on the other
side of the link to correctly identify the frame's VLAN membership.
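
The tag handling described above, as an added Python example that is not part of the original guide: it parses the four-byte 802.1Q tag and models how a switch classifies a frame on ingress and inserts or strips the tag on egress. The port dictionaries, MAC addresses and payload are constructed for illustration, and dropping tagged frames for VLANs the port is not a tagged member of is a simplification of this model.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces a 4-byte 802.1Q tag


def parse_frame(frame: bytes):
    """Split a frame into (dst, src, vid or None, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return dst, src, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    # Tag = TPID (2 bytes) + TCI (2 bytes); the low 12 bits of the TCI are the VLAN ID.
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner_type, frame[18:]


def build_frame(dst, src, vid, ethertype, payload, pcp=0):
    """Assemble a frame; vid=None produces an untagged frame."""
    header = dst + src
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VLAN ID out of range")
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return header + struct.pack("!H", ethertype) + payload


def classify_ingress(frame, port):
    """VLAN the switch assigns to a received frame, or None to drop it."""
    vid = parse_frame(frame)[2]
    if vid is None:
        return port["untagged"]          # untagged frame: use the port's untagged VLAN
    # Model assumption: tagged frames are accepted only for tagged memberships.
    return vid if vid in port["tagged"] else None


def egress(frame, vlan, port):
    """Frame as sent out of `port` for `vlan`, or None if the port is not a member."""
    dst, src, _, ethertype, payload = parse_frame(frame)
    if vlan == port["untagged"]:
        return build_frame(dst, src, None, ethertype, payload)   # strip any tag
    if vlan in port["tagged"]:
        return build_frame(dst, src, vlan, ethertype, payload)   # insert the tag
    return None


# Constructed sample data (MAC addresses, payload and port layout are invented).
USER_PORT = {"untagged": 40, "tagged": set()}     # end-user port
UPLINK = {"untagged": 1, "tagged": {20, 40}}      # switch-to-switch link
PC_FRAME = build_frame(bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb"),
                       None, 0x0800, b"constructed IPv4 payload")

if __name__ == "__main__":
    vlan = classify_ingress(PC_FRAME, USER_PORT)
    on_uplink = egress(PC_FRAME, vlan, UPLINK)
    print("ingress VLAN:", vlan)
    print("tag bytes on uplink:", on_uplink[12:16].hex())
    print("restored on a user port:", egress(on_uplink, 40, USER_PORT) == PC_FRAME)
```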

What are the rules for assigning ports to VLANs on E-Series switches?

A port can be an untagged member of only one VLAN.
A port must be a member, tagged or untagged, of at least one VLAN. By
default, all ports on E-Series switches are members of VLAN 1, the Default
VLAN.

If a port is a member of only one VLAN, you cannot remove it from the VLAN
without first assigning it to another VLAN. If you delete the VLAN, its
membership will revert to VLAN 1.
If a port is a member of multiple VLANs, it can be removed from the VLAN or
the VLAN can be deleted without any other steps.

Describe the Layer 2 and Layer 3 forwarding processes in a switched network.

A switch uses Layer 2 forwarding when it determines that the destination MAC
address in a frame is different from the switch's MAC address.
A routing switch uses Layer 3 forwarding when it determines that the destination
MAC address in an incoming frame is the same as the switch's MAC address.
When forwarding a frame between hosts in the same VLAN, a switch uses the
Layer 2 header to learn the destination host's MAC address. The switch
forwards the frame through the port where it has learned the address.
When forwarding a frame between hosts in different VLANs, a routing switch
examines the Layer 3 header of the frame to determine the destination host's IP
address and then consults the IP route table to determine how to forward the
frame.

What is required to transmit traffic between two VLANs?

If a device sends traffic to a device in another VLAN (or subnet), that traffic must
be routed. The traffic can be routed by either a Layer 3 switch or a router.
To route traffic, a Layer 3 switch must determine the packet's IP address. On
Ethernet networks, the Layer 3 switch finds the destination IP address in the
header of the IP packet, which is encapsulated in the Ethernet frame.
After determining a packet's destination IP address, a Layer 3 switch must know
the route, or pathway, to the destination network. It checks its routing table, and
if it has a route to this network, it forwards the packet to the next hop for that
route.

Learning check answers


1. Which of the following statements correctly describes a rule for assigning VLAN
   membership to ports on an E-Series switch?
   a. A port may be a member of only one VLAN.
   b. A port may be an untagged member of at most one VLAN.
   c. A port may be a tagged member of at most one VLAN.
   d. A port that connects switches must be a member of multiple VLANs.

2. A frame enters an E-Series switch through a port that is an untagged member of
   VLAN 40 and must be forwarded through port C1, which is an untagged
   member of VLAN 1. Port C1 is an uplink port the switch uses to carry traffic for
   VLAN 40 as well as that of other VLANs. Which one of the following best
   describes what the switch does to the frame?
   a. Discard the frame.
   b. Create a new Layer 2 header and forward the frame through port C1.
   c. Add a tag to the frame that identifies it as belonging to VLAN 40.
   d. Remove the tag that was on the frame when it entered the switch.

3. A frame enters an E-Series switch through a port that is a tagged member of
   VLAN 20 and must be forwarded to a user workstation connected to the switch
   by a port that is an untagged member of VLAN 40. How does the switch handle
   the frame?
   a. Discard the frame.
   b. Create a new Layer 2 header and forward the frame to the workstation.
   c. Add a tag to the frame that identifies its destination as VLAN 40.
   d. Remove the VLAN 20 tag and forward the frame to the user.

4. What is the rule for removing ports from a VLAN on an E-Series switch?
   a. When you remove a port from a VLAN, it automatically becomes an
      untagged member of the Default VLAN.
   b. When you remove a port from a VLAN, it automatically becomes a tagged
      member of the Default VLAN.
   c. If a port is a member of only one VLAN, you cannot reverse the command
      that made the port a member of that VLAN.
   d. You cannot delete a VLAN that has port members.

Module 4
Ideas for the physical security review activity
What can a malicious user do if he or she has physical access to a switch?

- Remove the power supply
- Remove Ethernet cables
- Use the Reset and Clear buttons to:
  - Reboot the switch
  - Reset the switch to factory default settings
  - Clear management passwords
- Establish a management session through the console port:
  - Hijacking the switch and gaining unauthorized access
  - Performing network reconnaissance
  - Initiating Denial of Service (DoS) attacks
  - Disabling security features

What security measures can you take to provide physical security for the switch?

Place the switch in a locked server closet or other room and carefully control
who has a key to this room

Provide video monitoring of the room where the switch is located

Password-protect the switch

Disable the Clear and Reset buttons on the switch front-panel

What are the trade-offs when implementing these security measures?


Locating switches in a locked room will likely cause network administrators only a
small inconvenience. For example, they may have to carry a key or some type of
electronic card to open the door. Other security measures, such as disabling the
functionality of the Clear and Reset buttons, could have more impact. If you disable
the Clear button, you eliminate an easy way to gain access to the switch if the
management passwords are forgotten. Likewise the Reset button allows you to return
the switch to factory default settings if a problem occurs with a configuration.
Typically, you would only need to disable the Clear and Reset buttons if the device is
physically insecure.

Ideas for the SSH and SSL review activity

SSH

Purpose: SSH provides secure in-band access to the CLI. It sets up a secure
tunnel that encrypts management traffic. It provides authentication for the
management user. It also authenticates the switch to the management user,
ensuring that the user does not connect to a rogue device. If the manager
did connect to a rogue device, a hacker could collect his or her password.

Requirements: The switch requires a public/private key pair. (Installing the
public key on the management client can be a best practice.) The switch
also must be set up to authenticate the management user locally or
remotely.

HTTPS

Purpose: HTTPS provides secure in-band access to the Web browser
interface. It sets up a secure tunnel that encrypts management traffic. It
provides authentication for the management user. It also authenticates the
switch to the management user, ensuring that the user does not connect to a
rogue device.

Requirements: The switch requires a digital certificate, which might be
self-signed or signed by a CA. The management station needs to trust the entity
that signed this certificate (you can choose to trust the certificate the first
time that you connect). The switch also must be set up to authenticate the
management user locally or remotely.
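
How a management station can check that it is talking to the real switch and not a rogue device, as an added Python example that is not part of the original guide: it computes the OpenSSH-style SHA256 fingerprint of a presented SSH host key and compares it with a pinned value. The host name, the pinned store and the key lines are constructed for illustration (the keys are syntactically valid blobs, not real key pairs); the same pin-and-compare step applies to a self-signed HTTPS certificate.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return struct.pack("!I", len(data)) + data


def constructed_key(seed: bytes) -> str:
    """Build a well-formed ssh-ed25519 public key line from a seed (sample data only)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(hashlib.sha256(seed).digest())
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style fingerprint of a '<type> <base64> [comment]' public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob repeats the key type as its first length-prefixed field;
    # a label that disagrees with the blob means the line was altered.
    (n,) = struct.unpack("!I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type label does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host(host: str, presented_key: str, pinned: dict) -> str:
    """Return 'match', 'mismatch' or 'unknown' for the key a device presents."""
    presented = fingerprint(presented_key)
    expected = pinned.get(host)
    if expected is None:
        # First contact: nothing to compare against, so the fingerprint must be
        # verified out of band before it is trusted.
        return "unknown"
    return "match" if hmac.compare_digest(presented, expected) else "mismatch"


# Constructed sample data: the host name and both keys are invented.
SWITCH_KEY = constructed_key(b"switch-a host key")
ROGUE_KEY = constructed_key(b"some other device")
# Assumption: this fingerprint was recorded over a trusted path such as the console port.
PINNED = {"switch-a.example.net": fingerprint(SWITCH_KEY)}

if __name__ == "__main__":
    for label, key in (("expected switch", SWITCH_KEY), ("other device", ROGUE_KEY)):
        print(label, "->", check_host("switch-a.example.net", key, PINNED))
    print("new host ->", check_host("switch-b.example.net", SWITCH_KEY, PINNED))
```

A "mismatch" result should stop the session before any password is typed; an "unknown" result is the first-connection case the text mentions, where the fingerprint still has to be confirmed before it is pinned.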

Learning check answers


1. Which are secure management protocols? (Select 3.)
   a. SNMPv2c
   b. SSH
   c. HTTP
   d. Telnet
   e. SNMPv3
   f. HTTPS

2. What protocol must be enabled before you can enable and use SFTP?
   a. SSH
   b. SSL
   c. TFTP
   d. FTP

3. What steps must you take before you can access the switch using HTTPS?
   You must:
   - Generate a public/private key pair.
   - Install a CA or self-signed certificate.
   - Enable web management through SSL.

4. What are the two types of SNMPv2c communities?
   Read-only and read-write

Module 5
Ideas for the Lab activity 5 preview
Where would you plan aggregated links in the lab environment? How many ports
would you include in the link aggregation groups?
You should plan an aggregated link between each floor's Router switch (the E5400
zl switches) and the Classroom Core switch. You could also plan link aggregation
between each floor's Edge_1 and Edge_2 switches and the Router.
Two links are probably sufficient for the link aggregations; however, you might add
more for the link between the distribution layer (each floor's Router) and the core,
particularly in a network that experiences higher utilization.
When planning the link aggregation groups, keep in mind that you might want to
leave ports available for expansion.

Learning check answers


1. On an HP E5406 zl switch, port A1 is a tagged member of VLAN 10 and an
   untagged member of VLAN 1. Port A2 is an untagged member of VLAN 1 and
   a tagged member of VLAN 20. How will the following command affect the
   VLAN status of these ports?
   HP Switch E5406 zl(config)# trunk a1-a2 trk1
   a. The trunk will be a member only of VLAN 1.
   b. The trunk will be a tagged member of VLAN 10 and an untagged member
      of VLAN 1.
   c. The trunk will be a tagged member of VLAN 10 and 20 and an untagged
      member of VLAN 1.
   d. The trunk will be an untagged member of VLAN 1. The individual ports will
      maintain their tagged membership in other VLANs.

2. What is the criterion used to share loads across ports in a trunk configured on
   an HP E-Series switch?
   a. Layer 2 or Layer 3 conversation
   b. TCP or UDP port number
   c. bandwidth saturation of each link
   d. negotiation with switch on the other side of the link

3. What is the advantage of configuring a static LACP trunk instead of a dynamic
   LACP trunk on an HP E-Series switch?
   a. The static trunk supports standby links.
   b. The static trunk offers true load balancing.
   c. The static trunk supports more configuration options.
   d. The static trunk enables ports with different speeds to be included in the
      trunk.

4. What is the rule for naming a trunk on an HP E-Series switch?
   a. The trunk must use one of the predefined names, such as Trk5, in the order
      listed in the CLI.
   b. The trunk must use one of the predefined names, such as Trk5, in the CLI,
      but they can be assigned in any order.
   c. The trunk can be assigned a friendly name using the name command that is
      also used to assign a name to an individual port.
   d. The trunk must include the trunk type, LACP or trunk, in its name.

5. What is a difference between HP Port Trunking and static LACP?
   a. HP Port Trunking allows more ports to be included in the trunk.
   b. HP Port Trunking supports media types and speeds.
   c. HP Port Trunking does not use a protocol.
   d. HP Port Trunking supports more configuration options for technologies such
      as Spanning Tree and VLANs.

Module 6
Ideas for the review activity
Compare and contrast STP, RSTP, and MSTP. Conclude by comparing all of these
standards to PVST.

STP (IEEE 802.1D) is the original Spanning Tree standard that enabled
redundant paths in a bridged network.
RSTP (IEEE 802.1w), the next development in the Spanning Tree standard,
enabled faster convergence times by placing ports in an edge state by default.
The edge state indicates a port is not connected to another switch, which speeds
the transition to forwarding state.
MSTP (IEEE 802.1s) enabled the definition of VLAN-aware Spanning Tree
topologies. In MSTP, VLANs are mapped to specific MSTP instances. This
enables all ports to carry traffic. With MSTP enabled, a port can be in the
blocking state for one instance while remaining in the forwarding state for other
instances.
STP, RSTP, and MSTP share features that enable them to interoperate. Under all
the standards, the switches in a Spanning Tree elect a Root Bridge. Each switch
determines the best path to the Root Bridge by exchanging BPDUs with
neighboring switches.
Per-VLAN Spanning Tree (PVST, PVST+, and RPVST+) is a proprietary Cisco
Systems technology. PVST enables VLAN-aware Spanning Tree topologies.
However, it requires a separate instance for each VLAN, which often creates
more complex topologies than MSTP.

In a network supporting multiple VLANs, why is there a risk that some users can
become isolated when RSTP is implemented? What steps are necessary to ensure this
does not occur?

Because RSTP is not VLAN-aware, users can be isolated if the topology does not
provide redundant paths in their VLAN between them and the Root Bridge.
In this case, the traffic flow will be disrupted if any switch in the path to the Root
Bridge places one of its ports in Spanning-Tree blocking state.
To prevent this, configure all switch-to-switch links for membership in all VLANs
in the Spanning Tree.

In an RSTP topology, why is it advisable to set Bridge Priority on switches that
participate in the Spanning Tree?

The setting of Bridge Priority can help to ensure the correct switches are chosen
as Root and Backup Root Bridges.
If all switches in a Spanning Tree are configured with the default Bridge Priority
setting, all versions of Spanning Tree protocol use the switches' MAC addresses
to determine the Root Bridge. If no priorities are set by administrators, the switch
with the lowest MAC address will become Root Bridge.
This can result in very inefficient topologies if the switch selected as Root Bridge
is at the edge of the topology.
This is especially true if an organization's older switches are deployed at the
edge of the network, as they often have the lowest MAC addresses.
This issue arises in both single-instance and multiple-instance topologies.
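
The election rule above, as an added Python example that is not part of the original guide: it ranks bridges by (priority, MAC address) and audits whether the intended Root and Backup Root Bridges actually win. The switch names and priorities follow the lab preview in this appendix (Router 0, Edge_1 4096, Edge_2 8192, Edge_3 32768); the MAC addresses are constructed, with Edge_3 standing in for an older edge switch.

```python
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str
    priority: int = DEFAULT_PRIORITY

    @property
    def bridge_id(self):
        # RSTP and MSTP bridge priorities are multiples of 4096 in 0..61440.
        if self.priority % 4096 or not 0 <= self.priority <= 61440:
            raise ValueError(f"{self.name}: invalid priority {self.priority}")
        mac = bytes.fromhex(self.mac.replace(":", "").replace("-", ""))
        if len(mac) != 6:
            raise ValueError(f"{self.name}: MAC address must be 6 bytes")
        return (self.priority, mac)  # lowest tuple wins: priority first, then MAC


def ranking(bridges):
    """Bridges ordered from most to least preferred as Root Bridge."""
    return sorted(bridges, key=lambda b: b.bridge_id)


def elect_root(bridges):
    return ranking(bridges)[0]


def audit(bridges, intended_root, intended_backup):
    """List the ways the election differs from the design; empty means it matches."""
    findings = []
    order = ranking(bridges)
    if order[0].name != intended_root:
        findings.append(f"root is {order[0].name}, expected {intended_root}")
    # Simulate losing the intended root and see who takes over.
    survivors = [b for b in order if b.name != intended_root]
    if survivors and survivors[0].name != intended_backup:
        findings.append(f"if {intended_root} fails, root is {survivors[0].name}, "
                        f"expected {intended_backup}")
    # Equal priorities mean the MAC address, not the administrator, decides.
    if len(order) > 1 and order[0].priority == order[1].priority:
        findings.append("top two bridges share a priority; MAC address breaks the tie")
    return findings


# Constructed MAC addresses; Edge_3 has the lowest one.
MACS = {"Router": "00:1b:3f:aa:00:01", "Edge_1": "00:1b:3f:aa:00:02",
        "Edge_2": "00:1b:3f:aa:00:03", "Edge_3": "00:0d:9d:10:00:04"}
DEFAULTS = [Bridge(name, mac) for name, mac in MACS.items()]
LAB = [Bridge("Router", MACS["Router"], 0), Bridge("Edge_1", MACS["Edge_1"], 4096),
       Bridge("Edge_2", MACS["Edge_2"], 8192), Bridge("Edge_3", MACS["Edge_3"], 32768)]

if __name__ == "__main__":
    print("default priorities ->", elect_root(DEFAULTS).name)
    for finding in audit(DEFAULTS, "Router", "Edge_1"):
        print("  finding:", finding)
    print("lab priorities     ->", [b.name for b in ranking(LAB)])
    print("  findings:", audit(LAB, "Router", "Edge_1"))
```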

What is an MST region? How do switches identify the MST region to which they
belong?

In MSTP, an MST region is a group of switches that share MSTP instances.
To ensure a group of switches joins the same region, they must be configured
with identical MST configuration parameters. This includes the configuration
name and configuration revision number, as well as the VLAN-to-instance
mappings.
A switch recognizes a region boundary when it receives a BPDU from a switch
with a different MST configuration or from an STP or RSTP switch.

What are the Common Spanning Tree (CST) and the Internal Spanning Tree (IST)?

The CST interconnects MST regions with STP and RSTP Spanning Trees. The CST
enables MSTP switches, including E-Series switches, to interoperate with RSTP
switches.
The IST is the instance on a switch associated with all VLANs that are not
mapped to user-defined instances. By default, an MSTP switch places all of its
VLANs in the IST.

What are the business and technical reasons for implementing Spanning Tree? How
does Spanning Tree add value to the enterprise network?

By enabling switches to manage redundant links without creating loops,
Spanning Tree provides network designers with a critical tool to ensure high
levels of availability.
Designed properly, a Spanning Tree topology can minimize the effect of
hardware failures such as cable breaks, port failures, and even the failure of
entire switches.
When a failure occurs, switches in a Spanning Tree almost instantly re-evaluate
the topology and create paths around the failed link. Often, the recovery is so
rapid that network users and applications are not noticeably affected.

Ideas for the Lab activity 6 preview


The figures below illustrate two good options for an MSTP implementation in your lab
topology.

[Figure: Lab preview solution option 1. Router: Root bridge, Priority 0. Edge_1:
Secondary root, Priority 4096. Edge_2: Priority 8192. Edge_3: Priority 32768.
Port roles as labeled: Router to 1 Designated; Router to 2 Designated; 1 to Router
Root; 2 to Router Root; 1 to 2 Designated; 1 to 3 Designated; 2 to 3 Designated;
2 to 1 Alternate; 3 to 1 Root; 3 to 1 Alternate.]

[Figure: Lab preview solution option 2. Router: Root bridge, Priority 0. Edge_2:
Secondary, Priority 4096. Edge_1: Priority 8192. Edge_3: Priority 32768.
Port roles as labeled: Router to 1 Designated; Router to 2 Designated; 1 to Router
Root; 2 to Router Root; 2 to 1 Designated; 2 to 3 Designated; 1 to 2 Alternate;
1 to 3 Designated; 3 to 1 Root; 3 to 1 Alternate.]

Learning check answers


1. What is the significance of the Root Port in the display of Spanning Tree details?
   a. It is the port on the switch that has the lowest link cost.
   b. It will always be one of the highest speed ports on the switch.
   c. It is the port that leads to the lowest cost path to the Root Bridge.
   d. It will always be the lowest numbered port on the switch.

2. Which strategy will assure connectivity for users in all VLANs in a switched
   environment that uses RSTP to resolve redundant links?
   a. Statically assign all VLANs to all switch-to-switch links.
   b. For each switch-to-switch link, assign VLANs supported by switches on either
      side of the link.
   c. Make sure all switch-to-switch links carry management traffic.
   d. Configure all ports as untagged members of VLAN 1.

3. What is a benefit of deploying MSTP instead of RSTP?
   MSTP can make better use of network resources because each defined instance
   uses its own path through the network. Thus, ports can be in the forwarding state
   for some instances and in the blocking state for others.

4. What configuration items must be identical among all switches in the same MST
   Region? Choose all that apply.
   a. Bridge Priority
   b. Configuration name
   c. Configuration revision number
   d. Port Priority
   e. VLAN-to-instance mappings

5. What is the default Spanning Tree protocol on ProVision ASIC switches?
   a. STP
   b. RSTP
   c. MSTP
   d. PVST

6. You must configure an E5406 zl switch for installation on a customer network
   where existing switches use RSTP. What is necessary to enable the 5406zl to
   participate in the Spanning Tree on this network?
   Spanning Tree must be enabled on the switch in the global configuration
   context. MSTP switches require no further configuration to interoperate with RSTP
   switches.

Module 7
Ideas for the planning routing activity
What role does IP routing play in the SMB scenario that you have been configuring?
IP routing is necessary to permit devices in one subnet (VLAN) to communicate with
another. Therefore, if you have resources in one subnet that users in another subnet
need to access, you must implement routing between those two subnets. You must
also implement routing to route traffic from various internal subnets out an Internet
connection.
You might choose a network design that requires routing for several reasons:

You want to divide the network into several broadcast domains while still
allowing users to reach resources in other network segments (including the
Internet).
Different types of users need access to the same resources. Instead of placing
resources in the same subnet as users, you place resources in a separate subnet
and route user traffic into that subnet. In this example, you want to divide users
into different departments, but users in various departments need to reach the
server VLAN 2.

Where would you implement IP routing in this topology? What advantages and
disadvantages are offered by implementing routing in different areas?
You might implement routing on the E5400 zl switch on each floor. These switches
support each VLAN and have an IP address on each VLAN. They can implement
routing between these connected networks.


The core switch must also implement routing; it will need to learn routes (static or RIP)
from each floor's Router switch. Routing at the distribution layer and the core brings
the benefits of routing local traffic immediately, reducing the load at the core.
You could also implement routing on edge switches, which would further reduce the
load at the core. However, configuring routing at the edge does add complexity. In
this topology, each edge switch supports only one or two subnets and most traffic
travels toward the core in any case, so routing at the edge might bring fewer
benefits.

Ideas for the RIP review activity


What are the advantages of implementing a dynamic routing protocol instead of
static routes like the ones configured in Lab Activity 5.1? Relate your answer to the
SMB scenario. What are the mechanisms that dynamic routing protocols typically
have in common?

Dynamic routing protocols enable routers to exchange routing information and
to automatically update the routing topology when changes occur.

These changes can include the failure of a router or a cable break or other
event that makes a neighboring router unavailable.

Dynamic routing protocols are implemented in complex network topologies,
when it is impractical to update route tables through the use of static routes.

Compare and contrast Interior Gateway Protocols (IGPs) with Exterior Gateway
Protocols (EGPs). Provide examples of each type of routing protocol and describe the
situations where they would be deployed.

IGPs enable routers in a single autonomous system to exchange routing
information. The example SMB is an autonomous system.

Common IGPs are RIP and OSPF.

All ProVision ASIC switches support RIP. The ProVision ASIC switches can
support OSPF, but the E3500 yl, E5400 zl, and E6600 require a Premium
License to enable this feature. OSPF support is included on the E8200 zl.

EGPs enable the exchange of routing information among routers that are not
part of the same autonomous system.

EGPs are commonly used by Internet Service Providers (ISPs) to enable
connectivity between customers and the Internet.

A common example of an EGP is Border Gateway Protocol (BGP), which is
typically implemented on the connection to an ISP.

Compare and contrast distance-vector protocols and link-state protocols. Give an
example of each type and discuss their advantages and disadvantages.

Distance-vector and link-state protocols are major types of IGPs used in IP
networks.

With distance-vector protocols enabled, routers send periodic updates to
their neighbors. The routers receiving the updates integrate them into their
own route tables, as modified from their own perspectives.

RIP is an example of a distance-vector protocol.

With link-state protocols enabled, routers flood routing advertisements to all
neighbors simultaneously. All routers in an administratively defined area
receive updates simultaneously.

OSPF is a link-state protocol.

Because of the flooding mechanism, link-state protocols update their tables
quickly. Often, all the routers in an area will synchronize their route tables
within milliseconds.

However, distance-vector protocols are typically easier to configure and use.

Describe the RIP update process. What information is exchanged by RIP routers? Use
the classroom lab to provide an example of this process.

As soon as RIP is enabled, a router prepares an update that advertises the
ranges in its route table.

The router sends this update to all RIP peers, but does not include the interface
on which it is sending the advertisement.

For instance, in the classroom example, each group's Router_1 will send
updates on the VLAN 200 interface to the Classroom Core and to other
group routers. The updates will include all routing information about the
group's interior networks, but will not include information about the VLAN
200 interface.

In the classroom network, all routers with VLAN 200 interfaces will receive
updates from all other VLAN 200 routers, not just from the Classroom Core
to which they are directly connected.

What are Split Horizon and Poison Reverse? How do they improve RIP routing
functionality?


Split Horizon and Poison Reverse are RIP technologies that prevent routing loops
by enabling RIP routers to distinguish usable redundant routes from
routes learned from immediate neighbors. Both technologies ensure that RIP
routers cannot successfully advertise routes to the neighbors from which they
received them.
By default, ProVision ASIC switches support Poison Reverse. In updates using this
technology, the switches advertise routes back to the neighbors from which they
learned them. However, the metric for the routes is set to 16. In RIP, this
value is equivalent to infinity because RIP routers will not accept routes with
metrics greater than 15.


In Split Horizon, routes are not advertised to the neighbors from which they were
received. However, this technology results in slower convergence times than
Poison Reverse.
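
As an added illustration (not part of the HP course material), the following Python sketch models how a RIP router builds the update for one interface with no loop protection, with Split Horizon, and with Poison Reverse, and how a neighbor that has just lost a route reacts to each. The prefixes, hop counts, the vlan10 interface and all function names are constructed for the example, and the receive logic is a simplified model of RIP.

```python
from dataclasses import dataclass

RIP_INFINITY = 16  # the page: RIP routers will not accept metrics greater than 15
MODES = ("none", "split_horizon", "poison_reverse")


@dataclass(frozen=True)
class Route:
    prefix: str
    metric: int              # hop count stored in the local route table
    interface: str           # interface the route points out of
    connected: bool = False  # True for a directly connected network


def build_update(table, out_interface, mode):
    """Return the (prefix, metric) pairs advertised out of out_interface."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    entries = []
    for route in table:
        toward_source = route.interface == out_interface
        if toward_source and route.connected:
            continue  # the page: the update omits the interface it is sent on
        if toward_source and mode == "split_horizon":
            continue  # never advertise a route back where it was learned
        if toward_source and mode == "poison_reverse":
            entries.append((route.prefix, RIP_INFINITY))  # advertise as unreachable
            continue
        entries.append((route.prefix, route.metric))
    return entries


def accept_update(table, in_interface, entries):
    """Merge a received update into a copy of table (simplified RIP rules)."""
    by_prefix = {route.prefix: route for route in table}
    for prefix, metric in entries:
        new_metric = min(metric + 1, RIP_INFINITY)  # one more hop via the sender
        current = by_prefix.get(prefix)
        if new_metric >= RIP_INFINITY:
            # Unreachable: withdraw only a route already used via this interface.
            if current and not current.connected and current.interface == in_interface:
                del by_prefix[prefix]
            continue
        if current is None or new_metric < current.metric:
            by_prefix[prefix] = Route(prefix, new_metric, in_interface)
    return sorted(by_prefix.values(), key=lambda r: r.prefix)


# Constructed sample data: Router_1 learned 10.9.0.0/16 from the core over VLAN 200.
ROUTER_1 = [
    Route("10.1.10.0/24", 1, "vlan10", connected=True),
    Route("10.1.200.0/24", 1, "vlan200", connected=True),
    Route("10.9.0.0/16", 2, "vlan200"),
]
# Constructed: the core has just lost its own link to 10.9.0.0/16.
CORE_AFTER_FAILURE = [Route("10.1.200.0/24", 1, "vlan200", connected=True)]


def core_routes_after_update(mode):
    """Prefixes in the core's table after Router_1's next update arrives."""
    update = build_update(ROUTER_1, "vlan200", mode)
    return [r.prefix for r in accept_update(CORE_AFTER_FAILURE, "vlan200", update)]


if __name__ == "__main__":
    for mode in MODES:
        print(mode, build_update(ROUTER_1, "vlan200", mode),
              core_routes_after_update(mode))
```

With no protection the core installs 10.9.0.0/16 pointing back at Router_1, which itself points at the core: the loop that both techniques prevent.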

What is route redistribution and why is it used in an enterprise topology? What are
the default redistribution settings on HP's ProVision ASIC switches?

Route redistribution enables administrators to control the routes that are
advertised by their RIP routers.
By default, RIP updates from HP E-Series routing switches include directly
connected networks, routes to RIP-enabled interfaces, and routes learned from
RIP updates.

You can enable redistribution of static routes and OSPF routes. You can also
disable redistribution of connected routes.

Learning check answers


1. What is the difference between a direct and an indirect route?
A direct route is a route to a local destination and is derived from the router's
own interface configuration. An indirect route is a route to a remote destination.
It can be manually configured or learned through a dynamic routing protocol,
such as RIP or OSPF.

2. What is a difference between an Interior Gateway Protocol and an Exterior
Gateway Protocol?
Interior Gateway Protocols facilitate exchange of information among routers in a
single autonomous system. Exterior Gateway Protocols facilitate the exchange of
information among routers in different autonomous systems.

3. What is the effect of the following command entered at the CLI of an E3500
switch?
Switch(config)# ip route 0.0.0.0/0 192.168.254.100

a. The switch will drop all packets arriving through the interface
192.168.254.100.
b. The switch will forward all packets destined for networks not in its route
table to 192.168.254.100.
c. The switch will perform default gateway services for hosts in the
192.168.254.0/24 subnet.

4. The IP route table of a 5406zl switch includes a route to 172.16.30.0/24 using
172.16.30.1 as its gateway. What is the effect of the following command?
Switch(config)# ip route 172.16.0.0/16 10.2.1.1

a. The switch will delete the route to 172.16.30.0 from its route table and
replace it with the new route.
b. The switch will forward packets destined to hosts in the 172.16.30.0/24 to
172.16.30.1 and will forward packets destined for other subnets in
172.16.0.0/16 to 10.2.1.1.
c. The switch will not include either route in its route table because they
conflict.

5. When RIP is enabled on an E3500 switch, what type of route is automatically
redistributed?
a. static
b. OSPF
c. Default
d. connected

Module 8
Ideas for Lab activity 8 preview
Brainstorm reasons for an SMB to implement a mobility solution; what business
benefits does mobility bring?
In few businesses do employees spend eight hours at their desks. They might meet
their colleagues to collaborate. They might meet with clients in a conference room.
Employees will be more productive if they have seamless access to network resources
without having to search for an Ethernet port.
If the company has many visitors, partners, or clients, those people might expect
wireless access. Granting it to them creates a favorable impression and helps to
promote a positive relationship. Moreover, partners might need network access to do
their jobs.
In some older buildings, all or part of the building might not be wired. Sometimes a
wireless solution is cheaper than rewiring these parts of the building.
In some industries, mobile devices require wireless access:

Some point-of-sale (PoS) devices for retail

Nurses' carts in medical facilities

Inventory trackers in retail and manufacturing

Mobile check-in counters for hotels

Ideas for Assess the mobility solution requirements activity


1. Consider which 802.11 standard or standards (802.11a, 802.11b, 802.11g,
or 802.11n) you would implement. (Use the 802.11 Standard Selection job
aid.)
This company supports only 30 users at most, and these users do not run
bandwidth-intensive applications. Therefore, the customer does not require
802.11n.
Next you must consider the capabilities of wireless stations. Because all stations
support 802.11a/b/g, you can concentrate on which frequencies you want to
select. In this case, you should probably use both frequencies, configuring some
radios to operate in 802.11a and others to operate in 802.11g. This choice might
offer the customer higher capacity. Finally, you would choose channels for the
standards that experience the least interference in the customer's environment.

2. Plan where to place an AP or APs to provide adequate coverage and capacity.
There is no single correct answer. In the real world, you would verify your plan
by conducting site surveys and signal tests. Some ideas include:

One AP might be adequate for this small site. This AP could use two radios
to provide coverage in both frequency bands and possibly increase
capacity.

You might place two APs to provide better capacity. In that case, you might
place one AP closer to the common area, which needs good coverage, and
another AP in the conference room.

Wherever you place the APs, you must consider the desired coverage area,
the realistic range for wireless signals, interference, and the need to avoid
obstacles.

3. Consider the exact channels for your AP radios, taking into account
overlapping radio signals.
You must consider overlapping radios. Overlapping radios provide more
seamless coverage and higher capacity; however, if your plan includes them,
your channels must not overlap. For 802.11b/g and 802.11n operating at 2.4
GHz, overlapping radios must use channels at least five channels apart. For
802.11a and 802.11n operating at 5 GHz, all channels are non-overlapping.
You could have selected any scheme that followed these rules for your plan. (See
the Overlapping radios job aid for examples.)

4. Consider the company's need for security and select a wireless security option.
Every enterprise environment should implement WPA2 or at the least
WPA/WPA2. (Almost all stations now support these options.) PSK is probably
the best option for this company, which is an SMB without a RADIUS server
(RADIUS being required for 802.1X). This small company would probably not
consider purchasing such a server worthwhile.

Ideas for use cases for methods of accessing a new HP E-MSM AP
There are three methods for accessing a new HP E-MSM AP:
1. Direct connection at the AP's default IP address
2. Indirect connection at the AP's default IP address
3. Indirect connection at the AP's DHCP address

Some considerations for selecting a method include:

The direct connection to the AP often provides the simplest setup. You know that
you can reach the AP's IP address. However, you need to change the IP address
on your management station. In addition, you need an external power supply
for the AP.
Both types of indirect connection enable you to power the AP using PoE, which
can be simpler than purchasing a power supply.

If you are in charge of your network's DHCP services, or if you have easy
access to the person who is, you might choose the DHCP option. Then you
can connect to the AP without altering settings on the switch (except
perhaps configuring a port in the correct VLAN, which you would need to
do in any case) or on your management station. In addition, if you set up a
DHCP reservation, you do not have to change the AP's IP address manually,
which eliminates one configuration task.

If you do not have control over your network's DHCP services, but you want
to use PoE to power the AP, you might choose the second strategy. This
strategy has the drawback of requiring you to complete some extra
configuration on the switch, that is, placing two ports in an unused VLAN
and then deleting that VLAN after you change the AP's IP address.
However, this strategy does enable you to connect to the PoE-powered AP at
a known IP address.

Learning check answers


1. Your AP has a management IP address on VLAN 1. It supports a WLAN that
enforces WPA2-PSK security. You want the AP to forward wireless users' traffic in
an existing user VLAN 12. What steps must you complete on the AP and in the
network infrastructure?
On the AP, you must:
a. Create a network profile that specifies VLAN 12 for the VLAN ID.
b. Add a VLAN to the AP's Ethernet port that is associated with that network
profile and does not have an IP address.
c. In the VSC, specify this VLAN as the egress VLAN.
On the AP's switch, you must make the port that connects to the AP a tagged
member of the VLAN. (If necessary, also add the VLAN to switch-to-switch links
between the switch and the default gateway for that VLAN.)
2. You want your AP to implement the strongest wireless security possible in an
environment without a RADIUS server. How do you configure the AP to
implement this security?
When you configure the VSC, you select WPA2 (AES) for the Wireless
protection setting. You also select Preshared key because the site has no RADIUS
server.

3. You have an E2610-24-PoE switch to which you plan to connect your HP
E-MSM320 AP. You want to power the AP using PoE. What is the absolute
minimum setup that you must complete?
You simply need to connect the AP to the switch using a CAT-5 Ethernet cable.
As long as the switch has enough PoE power available, it will begin powering
the AP. If the switch does not have enough power, you must set a critical priority
on the AP's switch port or connect the switch to an EPS.

4. You set up a VSC on your HP E-MSM AP, ensure that the VSC is activated on the
AP's radios, and that the radios are activated in AP mode. When you attempt to
connect a client to the AP, you cannot even see your SSID in the list of wireless
networks. What are potential causes and how might you attempt to resolve the
problem?
The VSC might be configured not to broadcast the SSID (closed system). In this
case, you would need to configure the client to connect to the SSID manually.
Or the AP radios might operate in an 802.11 standard that is not supported by
the station's wireless NIC. In that case, you must either change the standard on
at least one AP radio or update your equipment.

Module 9
Use model

Design a PCM+ deployment for this company.
Note whether you would install remote agents and, if so, where you would install
them. What are the advantages and disadvantages of your solution? Are there any
factors that might cause you to select a different design?
There are two basic approaches to the design:

Single-server: The company has well below the maximum number of devices
that can be handled by a single server, so you could possibly use that design.
Such a design is simpler and more cost-effective. However, the scenario shows
that the company has firewalls between the sites. These firewalls might interfere
with management traffic. Therefore, this solution might not be feasible.

Distributed: You could deploy the PCM+ server with local agent at the main site
and two remote agents, one at each site. There is no need to deploy a remote
agent at the main site; the local agent should work well for a deployment of this
size with only three total agents. This architecture offers this advantage: each site
has a local device that manages the network; management traffic need not cross
relatively slow WAN links nor traverse firewalls. This solution does have the
drawback of requiring more expensive licenses.

Learning check answers


1. Which PCM+ component discovers devices? What does this mean for the
amount of time that is required to discover a network?
The PCM+ agent discovers devices, which means that the more agents you have
(distributed architecture) the faster the initial discovery proceeds.

2. How does PCM+ add discovered devices to network, VLAN, and subnet maps?
PCM+ first places the seed device. It uses neighbor discovery to find all
LLDP/CDP/FDP neighbors of that device and adds each neighbor to the map
connected to the seed device by a link. PCM+ then discovers the newly
discovered devices' LLDP/CDP/FDP neighbors and adds them to the map. It
continues this recursive process until it finds no new neighbors.
PCM+ follows a similar process to map wireless APs, but uses the bridge MIB
instead.
PCM+ uses SNMP device attribute discovery to find out which subnets and
VLANs are associated with which links. It uses this information to create the
subnet and VLAN maps.
Therefore, your network must implement LLDP/CDP/FDP, as well as SNMP, for
mapping to function correctly.


3. How must you alter the configurations on firewalls that stand between a remote
agent and the PCM+ server? Which settings affect the requirements?
The requirements depend on which component initiates connections: the agent
or server. If the agent initiates connections, you must configure firewalls to allow
connections from the agent to the server on the configured server TCP port. If the
server initiates connections, you must configure firewalls to allow connections
from the server to the agent on the configured agent TCP port.
If you want to download the PCM+ agent installation file directly to the
hardware on which you plan to install the agent, firewalls must also allow
connections to the server on TCP 8040.

4. What is one way that PCM+ provides enhanced visibility into the network as
compared to PCM?
Answers might include:

PCM+ provides network traffic monitoring with sFlow and XRMON. You can
examine traffic patterns down to the types of services that people are using.

With the plug-in NIM, PCM+ gives you visibility into suspicious behavior
and potential threats.

PCM+ can submit information to a Syslog server, which also receives
information from other sources, helping to provide a complete audit of your
system.

PCM+ also enables you to create customized alerts that can trigger actions
to collect more information.

Module 10
Ideas for the discussion questions in the Network design
examples activity
Network design example 1

What advantages do the E2610-48 PoE switches provide? Why do you think
that the designers selected them?
These switches provide solid 10/100 Mbps connectivity, which is all the users in
this example require, at a good cost. The support for PoE simplifies the
deployment of APs and other PoE-capable devices.

Based on what you have learned about RSTP, explain the topology. Why do you
think that the designers implemented RSTP to block these specific links? When
would this topology be less efficient than another?
Each switch at the remote site considers the backbone connection as the lowest
cost path to the root, which is one of the core switches. The connection within
the stack has a higher cost, so that connection is blocked.

The designers implemented this topology so that two switches at the remote site
handle connectivity to the core. Because the E2610 switches are not the highest
performing switches in the portfolio, a single switch forced to handle all the
traffic could form a bottleneck.
This topology would only be inefficient if the E2610 switches needed to pass a
great deal of traffic between each other, in which case switching the traffic
through the core might be less efficient.

The designers have deployed the APs as standalone devices. Would you make
the same decision?
With this number of APs, the company might benefit from a controller to ease
management and ensure that the devices implement consistent settings. This
might be a nice component for the company to add in the future.

Network design example 2

What advantages do the E3500 yl switches provide over, for example, E2610
switches alone? Why did the designers include these aggregation layer
switches?
As noted earlier, the E3500 yl offers significantly higher routing and switching
capacity than the E2610. Consequently, it provides better performance for traffic
switched through the local site as well as to the network core.

What advantages does the spanning tree design provide? If the design includes
multiple VLANs, how would you suggest setting up MSTP?
The E3500 yl is less likely to become a bottleneck in the path between end users
at each site and the core than an E2610. This topology ensures that the E3500
yl switch at each site always provides the backbone connection.
You should set up MSTP such that each core switch acts as root for some VLANs.
This will ensure that all backbone connections support some traffic, increasing
the total available bandwidth between the core and the edge sites.

Where would you suggest adding bandwidth to this design in the future?
Depending on which links experience the most congestion, you might create a
10GbE link between the core and the data center or between the core and a
remote site. You would need to install 10GbE transceivers in the E3500 yl
switches and the E5406zl switches.

Network design example 3

What possible advantage do you see in creating a topology with link
aggregations between the single core switch and the remote site switches?
Both links in the link aggregation are fully active, providing a great deal of
bandwidth between the remote sites and the data center.

Why do you think that the designers have elected to place a 5412zl switch at
each site rather than a stack of fixed-port switches? Use datasheets and the
Features of HP E-Series switches table to compare the 5412zl switch capacity
to the capacity of a stack of six E2610 switches.
With support for 12 24-port modules, the E5412 zl switches can support 288
100/1000 connections. By comparison, six stackable E2610 switches support a
maximum of 264 connections. The E2610 switches' port density would be further
reduced by the aggregated links they use to connect to each other, which are
not necessary when all edge devices connect directly to the E5412 zl switches.
Using a single switch reduces management complexity. Also, the E5412 zl offers
more routing and switching capacity than that provided by aggregating a stack
of switches through a switch such as an E3500 yl.

Does using a single E8212 zl switch in the core rather than, for example, two
E5406 zl Series Switches, reduce high availability? Examine the E8212 zl Switch
Series datasheet to find redundancy features offered by this switch.
Using a single E8212 zl switch might reduce redundancy to a degree, but an
E8212 zl offers almost all the redundant features of two separate switches:
redundant management modules and fabric modules, as well as redundant
power supplies, which can plug into different power sources. And with a single
E8212 zl switch, you obtain a relatively high level of redundancy with the
advantage of less management overhead. Each solution has its advantages and
disadvantages, which you must evaluate for your environment.

What advantages do the E6600 switches offer in the data center over other
switches?
The HP E6600 Switch Series is specifically designed for the data center. The
configurable air flow enables the switch to operate effectively in any
environment. The support for distributed switch-to-server trunking enables servers
that support teamed interface cards to be connected by aggregated links to
multiple switches. This design provides high capacity and high availability to the
servers.
The data center topology in this design enables servers to connect to each other
without burdening the core switch. This design could be useful for server-to-server
backups or mirroring. You could also implement routing and security solutions on
the E6600 to manage traffic and access to server resources.

Learning check answers


1. The HP E3500-48-PoE yl switch, the HP E2910-48-PoE al switch, and the HP
E2510-48-PoE switch all provide 48 GbE ports. Why can you not use the
switches interchangeably in all environments?
The switches provide different levels of performance and scalability. The E2910
al and the E3500 yl provide much greater routing and switching capacity than
the E2510. In addition, the E2910 al and the E3500 yl provide routing
capabilities. The E2910 al's routing is more limited than that of the E3500 yl,
which also provides other sophisticated features.

2. Which HP E-Series switch series is specifically designed for the data center?
The HP E6600 Switch Series is specifically designed for the data center with
support for configurable air flow, hot-swappable power and fan components,
and support for distributed switch-to-server trunking.

3. You must consider many questions as you decide which HP E-Series products to
deploy and where to deploy them to meet a company's needs. What are three?
Questions include:

How many users and devices does the network need to support?

How many servers does the network need to support?

What type of applications do you expect the users to run? Which users
require 100 Mbps connections and which require Gigabit connections?

Where are the wiring closets? What is the distance between the closets?
Between every device and the closets? Between buildings?

What type of security does data require? Do various users need to be
isolated in different VLANs?

Which types of users are expected in various areas?

Does the company desire wireless connectivity?

How much traffic will the core need to support at times of peak network
use?

What are the company's requirements for high availability?


To learn more about HP networking, visit www.hp.com/networking
2010 Hewlett-Packard Development Company, L.P. The information contained herein is
subject to change without notice. The only warranties for HP products and services are set forth
in the express warranty statements accompanying such products and services. Nothing herein
should be construed as constituting an additional warranty. HP shall not be liable for technical
or editorial errors or omissions contained herein.
