Student guide
Use of this material to deliver training without prior written permission from HP is prohibited.
Contents
Introduction
Welcome to HP Access Layer Network Technologies using ProVision Software
Prerequisites and ongoing learning opportunities
Certification
Four days of training
Today's agenda
Rev. 10.41
Introduction
Both of these interactive WBTs are available on the HP networking training web site.
While the key elements of the prerequisite content will be reviewed and discussed
during delivery of HP Access Layer Network Technologies using ProVision Software,
the discussions and lab activities anticipate that you have been introduced to all of
the prerequisite topics.
Certification
Completing HP Access Layer Network Technologies using ProVision Software, along
with the prerequisite, helps prepare you to take the examination for Accredited
Integration Specialist (AIS), a certification offered by the HP ExpertONE program.
The certification program and examination will be discussed further on the final day
of the course.
Today's agenda
Day 1 of HP Access Layer Network Technologies using ProVision Software consists of
three parts:
1.
2.
3.
Module 1 objectives
After completing Module 1, you will be able to:
Issue the correct CLI commands to move among the privilege levels
Describe the privilege levels available in the HP E-Series CLI and the options
available in each level
Describe the port-naming conventions for the HP E-Series fixed-port and chassis
switches
Lab equipment for this course
E8200 zl
E5400 zl
E3500
Fixed-port
24 or 48-port models
10/100/1000 and 10/100 models
Advanced routing with Premium License
During the lab activities, you will have opportunities to configure four E-Series
switches. The selection of switch models can vary from class to class. However, all lab
participants will work with at least one of the following E-Series switches:
1.
2.
3.
The E8200 zl, E5400 zl, and E3500 Switch Series implement HP's ProVision
ASIC, which was developed by HP Labs to offer wirespeed intelligence along with
high levels of programmability and resilience. Because of their shared architecture,
the E8200 zl, E5400 zl, and E3500 also share a common interface and many basic
features. However, each model is designed for a specific Small-to-Medium Business
(SMB) deployment.
The E8200 zl Switch Series is designed for SMBs that need reliability and high-performance switching. The switches in this series feature redundant management
and fabric modules and redundant power supplies, as well as high-port density. They
can be deployed at the access, distribution, or core layer in an SMB environment.
The E5400 zl and E3500 are also designed for SMBs. They provide a rich feature
set, along with wirespeed forwarding, at the access or distribution layer. In some
SMB environments, the E5400 zl can also be deployed as a core switch.
Introducing the HP E8212 zl switch
[Figure: E8212 zl switch, with callouts for the redundant management modules, console ports, and module slots]
Rev. 9.41
Open Shortest Path First (OSPF), which is a dynamic routing protocol that allows
the switch to exchange routing information with other network switches.
Protocol Independent Multicast (PIM), which allows hosts, such as streaming
video servers, to send messages to multiple hosts simultaneously. Hosts join
multicast host groups to become eligible to receive specific multicasts.
Virtual Router Redundancy Protocol (VRRP), which provides routing redundancy.
These and other advanced features allow the E8212 zl switch to support all of the
demanding applications and complex topologies in a contemporary LAN.
HP also offers the E8206 zl switch, a six-module model that offers high performance
and redundancy to SMBs that do not require the port densities supported by the
E8212 zl switch.
In some HP Access Layer Network Technologies using ProVision Software classes, an
E8212 zl switch will provide the distribution-layer services for your lab group. The
E8212 zl also will provide connectivity between your group and other lab classroom
groups.
[Figure: Management module, with callouts for the console port and the USB auxiliary port]
Port names
[Figure 1-4: Port names on E8200 zl and E5400 zl switches. Slide callouts: 24-port
10/100/1000 module; port 1 in the A module is port a1; odd-numbered ports in top
row, even-numbered ports in bottom row; ports 1-12 in left group, 13-24 in right group.]
On HP E-Series modular switches, such as the E8200 zl and E5400 zl switches, a
port is identified by a module letter followed by the number of the port in the
module. For instance, if module A is populated with a 24-port 10/100/1000
module, the ports would be named a1 to a24.
On the E5406 zl and E8206 zl switches, the modules are identified by letters A
through F. Module A is in the upper left corner of the switch. Module B is
immediately to the right of module A. The second module row contains modules C
and D. The final row includes modules E and F.
Modules on the E8212 zl and E5412 zl are lettered A through L.
On each 24-port module, the ports are divided into two sections with ports 1-12 on
the left and 13-24 on the right. The odd-numbered ports (1, 3, and so on) are in the
top row, with even-numbered ports immediately below.
Introducing the HP E3500-24G-PoE yl switch
[Figure: E3500-24G-PoE yl switch, with callouts for the dual-personality ports and the console port]
These switches are designed to provide scalability and advanced intelligence for
access and distribution layers in an SMB environment. As with the E5400 zl, all
E3500 models support advanced routing features such as OSPF and PIM with the
installation of an optional Premium License. Two of the E3500 yl models support PoE,
and two support PoE+ (which provides more watts per device). The E3500 models
are available in PoE and non-PoE versions.
The E3500-24G-PoE yl switch offers 20 10/100/1000-T ports and four dual-personality ports. Numbered 21-24, the dual-personality ports support
10/100/1000-T or SFP mini-GBICs. (See www.hp.com/networking for information
on SFP options.)
The port-numbering system for the E3500-24G-PoE yl switch (and other switches in
this series) is straightforward. The odd-numbered ports, including dual-personality
ports, are in the top row. The even-numbered ports are in the bottom row.
Discussion
Your facilitator will assign you a question and ask you to develop an answer that
you can present to other people in your class. You should be prepared to
answer questions. The goal of this activity is not to require you to be the
instructor, but rather to encourage discussions among people in your class.
The next page presents the discussion topics that will be assigned in this activity,
along with space for taking notes during your preparation and presentation. To
refresh your memory of the WBT, you can review the Getting Started with HP
Switching and Routing Reference Guide. Be prepared, though, to explain each
point in the summaries in more detail.
Quiz Me
Your facilitator will give you several index cards, each one printed with a
possible answer to a question. For example, an index card may display the
word False or the word True. Or an index card may display a letter such as a,
b, c, d, or e. When your facilitator asks you a question, hold up the index card
that has the correct answer.
If you are in a virtual classroom, you will participate in an online quiz. You can
discuss the question and your answer with your facilitator.
The questions you answer will cover the same topics as those listed on the pages
that follow. You can use the space provided under each question to take
additional notes. After this class ends, you can use these questions to help you
review the course materials and prepare to take the AIS exam for this course.
1. What is a VLAN?
2. Why are VLANs used to segment the network?
3. What is the relationship between each VLAN and its network IP address range?
Interfaces for initial configuration
The CLI can be accessed through console or Telnet
[Figure 1-6: menu interface]
By default, E-Series switches will receive a VLAN 1 IP address from any available
Dynamic Host Configuration Protocol (DHCP) server. DHCP enables hosts, or DHCP
clients, on an IP network to obtain IP addresses. This protocol helps reduce
administrative overhead on an IP-based network. (You will learn more about DHCP
later in this module.)
If the switch receives an address, you can access the Command Line Interface (CLI)
by Telnet or can use the web management interface that will be described in
Module 3.
In many cases, however, initial configuration will be performed through a console
connection. In that case, three options are available:
The CLI is the most comprehensive management tool, enabling access to all
switch configuration options. Consequently, it will be emphasized in this course.
You can also use the CLI to access the menu and setup interfaces.
The menu interface, shown in Figure 1-6, provides access to a subset of CLI
commands. You will explore this interface in Lab Activity 1.
The setup screen enables you to configure a VLAN 1 IP address so that the
switch can be accessed remotely.
Before you begin the first lab activity, your facilitator will distribute the HP E-Series
Switch CLI Job Aid and demonstrate basic CLI usage. Figure 1-7 shows the basic
navigation levels for the CLI.
Verifying connectivity
Ping utility uses ICMP packets to verify connectivity.
Switch# ping <IP address>
Example:
Switch# ping 10.1.10.10
10.1.10.10 is alive, time = 1ms
When you configure and manage networks, you can use the ping utility to verify
connectivity between devices. The ping utility sends Internet Control Message
Protocol (ICMP) echo packets to a destination device. If the destination device
receives the packet, it sends return ICMP packets.
The ping utility shows the results of the ICMP exchange, reporting successful receipt
of a reply or a dropped packet.
Note that some network devices, such as network security devices, do not send reply
ICMP echo packets. This security precaution is designed to prevent malicious users
from using the ping utility in a reconnaissance attack.
All current HP E-Series switches support the Link Layer Discovery Protocol (LLDP),
which provides a tool for learning about connected devices, such as switches and
wireless access points, that also support the protocol. Described in IEEE 802.1AB,
LLDP packets contain data about the transmitting switch and port. LLDP packets
survive only one hop. When a switch receives an LLDP packet, the switch places the
information from the packet into an entry in an LLDP neighbors table in the
Management Information Base (MIB).
The information included in LLDP packets includes details about routing and switching
capabilities, switch model, IP address, and MAC address.
By default, LLDP is enabled for all ports on E-Series switches but can be disabled per
port by entering lldp admin-status <int-id> disable at the CLI. You can also disable
or enable LLDP transmission or reception independently. For more information, see
the switch's Management and Configuration Guide.
You will explore the show lldp options during Lab Activity 1.
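Because LLDP advertises the switch model, IP address, and MAC address on every port by default, a common hardening step is to leave it enabled only on inter-switch links. The following is an added example, not part of the HP course material: it expands the module-letter/port-number names described in this module and emits one lldp admin-status <int-id> disable line for every port that is not listed as an uplink. The installed module and the uplink ports in the demo call are constructed sample values, and 24 ports per module is assumed.

```python
"""Emit 'lldp admin-status <int-id> disable' for every non-uplink port.

Added illustration, not HP course code. The installed modules and uplink
list used in the demo at the bottom are constructed sample values.
"""
import re

# Module letters per chassis, taken from the port-naming section of this module.
CHASSIS_MODULES = {
    "E5406 zl": "ABCDEF",
    "E8206 zl": "ABCDEF",
    "E5412 zl": "ABCDEFGHIJKL",
    "E8212 zl": "ABCDEFGHIJKL",
}
PORT_RE = re.compile(r"^([A-Za-z])(\d+)$")


def parse_port(name, chassis, ports_per_module=24):
    """Validate a name such as 'a24' and return it as ('A', 24)."""
    match = PORT_RE.match(name.strip())
    if not match:
        raise ValueError(f"not a module-letter/port-number name: {name!r}")
    letter, number = match.group(1).upper(), int(match.group(2))
    if letter not in CHASSIS_MODULES[chassis]:
        raise ValueError(f"{chassis} has no module {letter}")
    if not 1 <= number <= ports_per_module:
        raise ValueError(f"port number out of range in {name!r}")
    return letter, number


def expand_ports(spec, chassis, ports_per_module=24):
    """Expand 'a23-a24,b1' into [('A', 23), ('A', 24), ('B', 1)]."""
    ports = []
    for item in filter(None, (part.strip() for part in spec.split(","))):
        first, _, last = item.partition("-")
        start = parse_port(first, chassis, ports_per_module)
        end = parse_port(last, chassis, ports_per_module) if last else start
        if start[0] != end[0] or end[1] < start[1]:
            raise ValueError(f"range must stay within one module: {item!r}")
        ports.extend((start[0], n) for n in range(start[1], end[1] + 1))
    return ports


def lldp_disable_commands(chassis, installed_modules, uplinks, ports_per_module=24):
    """Return the disable command for each installed port that is not an uplink."""
    installed = installed_modules.upper()
    for letter in installed:
        if letter not in CHASSIS_MODULES[chassis]:
            raise ValueError(f"{chassis} has no module {letter}")
    keep = set(expand_ports(uplinks, chassis, ports_per_module))
    stray = sorted(port for port in keep if port[0] not in installed)
    if stray:
        # A typo in the uplink list would otherwise silently disable a real uplink.
        raise ValueError(f"uplink on a module that is not installed: {stray}")
    return [
        f"lldp admin-status {letter.lower()}{number} disable"
        for letter in installed
        for number in range(1, ports_per_module + 1)
        if (letter, number) not in keep
    ]


if __name__ == "__main__":
    # Constructed scenario: one 24-port module in slot A, uplinks on a23 and a24.
    for command in lldp_disable_commands("E5406 zl", "A", "a23-a24"):
        print(command)
```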
SMB scenario for lab activities
[Slide: Six floors; Redundancy; Ability to increase bandwidth between switches as needed; Wireless access; Unified. The network diagram (switch front panels with ProCurve Gig-T/SFP zl Module J8705A) is not reproduced.]
When you complete the labs in this course, you will be acting as a network
administrator who has been hired to install and configure E-Series switches at a
medium-sized company that has just moved into the right wing of an office building.
Each of the six floors has 95 employees, including their workstations and printers.
These employees are organized into the following departments: Marketing, Sales,
Manufacturing, and Human Resources.
The company's executives have explained that they want the network to be available
24 x 7. They also want the network to support the applications they are using now
and more bandwidth-intensive applications in the future. For example, they are
currently using video-conferencing applications in some conference rooms, but expect
to increase that usage in the near future.
They also want to provide employees with wireless access in two conference rooms
but plan to expand the wireless network next year. They would like a wireless
solution that scales well.
Finally, the company wants the ability to manage both wired and wireless networks
from a single network management console.
Lab Activity 1
During this lab activity, your lab group will begin configuring four E-Series switches
that will provide wired connectivity on one floor of the company's new building.
During the first activity, you will first connect the four switches and then explore the E-Series switch CLI, configure basic security settings, assign a hostname to each of your
switches, assign an IP address to VLAN 1 on all your switches, and check basic
connectivity.
Consult your Lab Activity Guide for instructions for performing this activity.
Key Insights
Learning check
1. What commands provide help at the CLI of an E-Series switch? (Select two.)
a. typing ?
b. typing /? [ENTER]
c. typing help
d.
2. At the CLI of an E5406 zl switch, you enter show lldp information remote-device
a24. Assuming the device connected to port a24 also supports LLDP, what
information can you learn? (Select two.)
a.
b.
c.
d.
e.
3. How can you access the history buffer in the E-Series switch CLI?
1.
operator
Switch(config)#
manager
Switch>
global configuration
Switch#
Module 2 objectives
After completing this module, you will be able to:
Define multiple configuration files and assign them to different flash areas
Software image architecture
[Figure: Software image architecture. Recoverable slide text: primary flash memory; software image stored in flash memory.]
The switch software image contains the operating system. The switches ship with
software images installed, but updates are periodically released and made available
at www.hp.com/networking.
Most E-Series switches feature two flash memory areas, called primary and
secondary, where software images are stored. Because the two areas can store
different images, you can back up a current software version before installing a new
one. This enables you to restore the switch's earlier functionality if the new software
proves unsuitable.
E-Series switches support two boot modes that can be executed from the CLI:
reload
You enter the reload command to initiate a warm boot that does not require
system diagnostics. When the switch is rebooted with reload, it uses the flash
image executed on the last cold boot.
boot
You enter the boot command to initiate a cold boot. This command ensures
the switch runs system diagnostics before restarting. It also enables you to
specify whether to use the primary or secondary flash image. To choose a flash
area, issue the boot command with the following options:
boot system flash <flash_image>
If no software image is specified, the switch is restarted using the current image.
The warm boot using reload takes less time and is well-suited for restarts required
when a configuration file is copied from a backup server or in the rare case that a
configuration change requires a restart.
Viewing software versions
show flash displays contents of both flash areas
Switch# show flash
Image           Size(Bytes)   Date   Version
-----           ----------  -------- -------
Primary Image   : 10125499   06/30/10 K.14.65
Secondary Image : 7518995    12/19/08 K.13.51
Boot Rom Version: K.12.21
Default Boot    : Primary
Two CLI commands, show flash and show version, enable you to view the images
currently installed on an E-Series switch and to determine which one is currently in
use. In Figure 2-2, the primary image is K.14.65, and the secondary image is K.13.51.
Note that show flash enables you to determine which image is the Default Boot,
while the show version command enables you to determine which image is currently
in use.
By default, the Default Boot image will be the image currently in use. The Default
Boot image can be configured using the boot set-default flash <image> command.
Finally, note that show flash also shows the current Boot Rom Version. In some cases,
it will be necessary to install a new Boot ROM to upgrade to a new software version.
When necessary, this requirement will be described on www.hp.com/networking
and in the Release Notes for the software.
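The two-area design only protects you if the known-good image is still in one of the areas after an install. The following is an added example, not part of the HP course material: it parses show flash output in the Figure 2-2 layout and plans an install into the flash area that is not the Default Boot, reporting what would be overwritten and whether a distinct fallback image remains. Choosing the non-default area as the target is this example's policy, and the parser assumes both areas hold an image.

```python
"""Pre-upgrade check built on 'show flash' output (added illustration).

SAMPLE_SHOW_FLASH reproduces the Figure 2-2 values. The parser assumes both
flash areas hold an image and that versions look like 'K.14.65'.
"""
import re

SAMPLE_SHOW_FLASH = """\
Image           Size(Bytes)   Date   Version
-----           ----------  -------- -------
Primary Image   : 10125499   06/30/10 K.14.65
Secondary Image : 7518995    12/19/08 K.13.51
Boot Rom Version: K.12.21
Default Boot    : Primary
"""

IMAGE_RE = re.compile(
    r"^(Primary|Secondary) Image\s*:\s*(\d+)\s+(\d{2}/\d{2}/\d{2})\s+(\S+)$"
)
FIELD_RE = re.compile(r"^(Boot Rom Version|Default Boot)\s*:\s*(\S+)$")


def version_key(version):
    """Split 'K.14.65' into ('K', (14, 65)) so releases compare numerically."""
    prefix, *numbers = version.split(".")
    return prefix, tuple(int(n) for n in numbers)


def parse_show_flash(text):
    """Return the images, Boot ROM version and Default Boot area as a dict."""
    info = {"images": {}}
    for raw in text.splitlines():
        line = raw.strip()
        image = IMAGE_RE.match(line)
        field = FIELD_RE.match(line)
        if image:
            area, size, date, version = image.groups()
            info["images"][area.lower()] = {
                "size": int(size), "date": date, "version": version,
            }
        elif field and field.group(1) == "Boot Rom Version":
            info["boot_rom"] = field.group(2)
        elif field:
            info["default_boot"] = field.group(2).lower()
    if set(info["images"]) != {"primary", "secondary"}:
        raise ValueError("output does not list both flash areas")
    if info.get("default_boot") not in ("primary", "secondary"):
        raise ValueError("output does not name the Default Boot area")
    return info


def plan_install(info, new_version):
    """Plan an install that leaves the Default Boot image untouched."""
    fallback_area = info["default_boot"]
    target_area = "secondary" if fallback_area == "primary" else "primary"
    fallback = info["images"][fallback_area]["version"]
    new_key, old_key = version_key(new_version), version_key(fallback)
    if new_key[0] != old_key[0]:
        raise ValueError("version prefixes differ; releases are not comparable")
    return {
        "install_to": target_area,
        "replaces": info["images"][target_area]["version"],
        "fallback_area": fallback_area,
        "fallback_version": fallback,
        "is_downgrade": new_key[1] < old_key[1],
        # False means both areas would end up holding the same release.
        "keeps_distinct_fallback": new_version != fallback,
    }


if __name__ == "__main__":
    flash = parse_show_flash(SAMPLE_SHOW_FLASH)
    # K.14.60 is the other image name that appears in this module's USB listing.
    for candidate in ("K.14.60", "K.14.65"):
        print(candidate, plan_install(flash, candidate))
```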
Installing a new image from a USB drive
dir displays the contents of the USB drive in the auxiliary port
Switch# dir
Listing Directory /ufa0:
-rwxrwxrwx   1   10125499 Jun 30 15:26 K_14_65.SWI
-rwxrwxrwx   1   10094820 May 06 20:34 K_14_60.SWI
The copy command enables you to install a new image to either flash area from a
USB drive or a TFTP server. In Figure 2-3, the K.14.65 software version has been
copied to the secondary flash area of an E3500 yl switch.
Before copying the software, you can use the dir command to examine the contents
of the USB drive in the auxiliary port. If the drive contains a subdirectory, you can
view its contents by specifying its name, as in dir folder.
Configuration file architecture
[Figure: Configuration file architecture. Two types of files: the running configuration and the startup configuration, which is held in non-volatile memory (flash).]
When the switch is restarted, the startup configuration is written to volatile memory
and becomes the running configuration. Subsequently, all commands issued at the
CLI are immediately written to the running configuration and executed.
To examine the current running configuration, issue the show running-config
command, which can be abbreviated as show run. Because CLI changes are not
automatically written to the startup configuration, administrators can use the CLI to
test changes before making them permanent.
To store the changes in the startup configuration, you must issue the write memory
command. If you forget to save changes, they will not be in effect when the switch is
restarted. To view the startup configuration and ensure changes are included, issue
the show configuration command.
To determine if the running configuration and the startup configuration match, issue
the following command:
Switch# show run status
Two ways to erase the startup configuration
At the front panel:
1. Depress the Clear button followed by the Reset button
2. Continue to press the Clear button while releasing the Reset button
3. When the Self Test LED begins to flash, release the Clear button
At the CLI:
Switch# erase startup-config
Figure 2-5: Two ways to erase the startup configuration
[Figure callout: Flashing LED]
E-Series switches offer two ways of erasing the startup configuration:
1. At the CLI, you can issue the erase startup-config command. The switch will
prompt you to confirm this command and then restart with a default startup
configuration. However, some E-Series switches will maintain configured
passwords unless you use the no password command to delete them before
restarting.
2. If you cannot access the CLI because of lost passwords, you can return the switch
to factory defaults, using the process shown in Figure 2-5. This process will erase
passwords and clear the startup configuration.
If you want to erase passwords without erasing the startup configuration, simply
press and hold the Clear button for at least one second.
Backing up and restoring configuration files using a USB drive
[Figure 2-6: copy command examples for backing up and restoring configuration files using a USB drive]
To copy a new startup configuration to the switch, simply issue the copy command
with a USB drive specified as the source, as shown in the second example in Figure
2-6. Note that the switch will immediately reboot using the new configuration.
Managing multiple configuration files
Many E-Series switches support multiple configuration files:
[Figure 2-7: output of the show config files command]
Many E-Series switches, including the E8200 zl, E5400 zl, and E3500, support the
maintenance of three distinct configuration files.
In Figure 2-7, the output of the show config files command shows that the administrator
has defined three configuration files:
1. config1
2. baseConfig
3. AISstart
As the illustration shows, configuration files can be associated with flash images,
meaning a specific configuration will be executed whenever the switch is restarted
using a given image. This feature can be useful if you want to test new features
enabled by a new software image, but do not want to delete or alter a configuration
known to work with an earlier software version. You can also store a configuration
without associating it with any flash area.
In the example, the active configuration is config1, as is shown by the asterisk (*) in
the act column. This file is also associated with primary flash. The second
configuration file, baseConfig, is associated with secondary flash. The third file,
AISstart, is not associated with either flash area. You can examine the contents of
any configuration file by issuing the show config <filename> command.
Displaying events in the system log
[Figure 2-8: show logging output]
The show logging command displays events recorded since the switch's most recent
reboot. Each entry in the event log includes one of four possible severity levels
(warning, information, major, or debug) and a description of the system module,
such as chassis or lldp, that registered the event. In Figure 2-8, the chassis module
of an E5400 zl switch reports the recognition of each module that was inserted in
the switch and the downloading of firmware into each module.
Some options for the show logging command include:
show logging -a shows all events, including those recorded during earlier boot
cycles. If the show logging command is issued without an option, the command
will show all events in the current boot cycle.
show logging -r displays log events in reverse chronological order, that is, with
the most recent events listed first.
show logging <string> shows only events that contain the <string> value. This
provides a means of log event filtering. For instance, to view only events related
to LLDP, you could issue show logging lldp. The <string> value is not case-sensitive.
Port status and counters
Switch# show interface a1
 Status and Counters
  Name :
  MAC Address :
  Link Status :
  Totals (Since boot
   Bytes Rx :               Bytes Tx : 67,315
   Unicast Rx :             Unicast Tx : 112
   Bcast/Mcast Rx :         Bcast/Mcast Tx : 569
  Errors (Since boot
   FCS Rx :                 Drops Tx : 0
   Alignment Rx :           Collisions Tx : 0
   Runts Rx :               Late Colln Tx : 0
   Giants Rx :              Excessive Colln : 0
   Total Rx Errors :        Deferred Tx : 0
  Others (Since boot
   Discard Rx :
   Unknown Protos :
 . . .
When you are in physical proximity to a switch, you can easily tell which ports are
up and which are down by looking at the LEDs. Ports with connected cables, but no
link LEDs, can indicate many issues, including a faulty cable, faulty network adapter,
or a connected device being powered down.
If you are managing the switch from a remote location, however, you must rely on
commands that can provide information about ports. For example, the show
interfaces brief command reports on the operational status, which is displayed as
Up or Down, and the administrative state of all ports (for example, whether
someone has administratively disabled any ports, causing them to stop functioning).
If the switch is experiencing an intermittent problem, such as slow performance, but you
are not yet sure which port(s) might be involved, you may want to examine the port
counters. The show interfaces command displays a table view of the numbers of
bytes, frames, errors, and dropped frames per port.
If you see an inordinately high number of errors or dropped frames, you can drill
down to the port level by including a port number in the show interface command,
as shown in Figure 2-9. In the detailed per-port display you can see the composition
of the errors, that is, whether they are giants, runts, checksum errors, or
collision-related errors. Because collisions are not expected in a switched network, errors
related to collisions can point to a mode mismatch, for example, when the port on one side
of a link is configured for full duplex and the port on the other side is configured for
half duplex.
Lab Activity 2
You will now continue setting up the switches for the medium-sized company that has
just moved into a new office building. One of the first tasks you want to complete is
to ensure that the switches are running the latest version of the switch software. You
will also learn how to back up your configurations to a USB drive and configure
multiple configuration files.
Consult your Lab Activity Guide for instructions for performing this activity.
Key Insights
Learning check
1. On E-Series switches, what is a difference between the boot command and the
reload command?
a.
b. The reload command restarts the switch using the current running
configuration. The boot command uses the startup configuration.
c. The reload command restarts the switch without running diagnostics. The
boot command requires that diagnostics be executed and also allows you to
select a flash image.
d. The reload command restarts the switch using the active configuration file.
The boot command enables the administrator to choose a configuration file
for startup.
2.
a. Primary flash holds the current system image. Secondary flash provides a
backup for the image.
b. Primary and secondary flash are independent and can hold different
images. Either image can be used to boot the switch.
c.
d.
3. Name two potential uses for multiple configuration files on an E-Series switch.
4.
immediately
b.
c.
5. What is the process for upgrading the Boot ROM on an E-Series switch?
Module 3 objectives
After completing Module 3, you will be able to:
Given a network design, use the command line interface (CLI) to assign an IP
address and subnet mask to a VLAN interface on an HP E-Series switch
What are the rules for assigning ports to VLANs on HP E-Series switches?
Lab Activity 3 preview
Core: 10.0.0.0/16
Floor 1: 10.1.0.0/16
Floor 2: 10.2.0.0/16
Floor 3: 10.3.0.0/16
Floor 4: 10.4.0.0/16
Floor 5: 10.5.0.0/16
Floor 6: 10.6.0.0/16

VLAN   User Group        Address range
1                        10.x.1.0/24
2      Server            10.x.2.0/24
10     Human Resources   10.x.10.0/24
20     Manufacturing     10.x.20.0/24
30     Sales             10.x.30.0/24
40     Executives        10.x.40.0/24
In the lab activity for this module, you will continue configuring switches for the
medium-sized company that you learned about in previous modules. Specifically, you
will configure the four switches for a floor at the corporation's main office.
This corporation uses the Class A private address range (10.0.0.0 - 10.255.255.255), giving the corporation a total of 16,777,216 available host
addresses. This is obviously more IP addresses than the corporation requires, but its
IP addressing scheme provides a logical way for the corporation to manage its
devices.
To simplify network management, the core network uses addresses in the range of
10.0.0.0/16. Each of the six floors is assigned an address range that uses a 16-bit
subnet mask, with the floor number in its second octet. For instance, all devices on
floor 1 have addresses in the range of 10.1.0.0/16.
Each floor hosts six types of users, which are shown in Figure 3-1. For the purposes of
this lab, the VLAN IDs for all user types are the same on all floors, and each floor's
address scheme uses the VLAN ID in the third octet. For example, the Human
Resources VLAN on floor 3 is 10.3.10.0/24.
In the lab activities, which simulate the company's network environment, each lab
group will configure four switches for one of the floors:
In a previous lab, you assigned the distribution-layer switch a host name of Router.
Hereafter, this module refers to this switch by its host name (Router).
Your facilitator will manage a switch that simulates the company's core.
Lab activity preview: Configuring VLANs and IP services
In Lab Activity 3, you will:
1.
2.
3.
4.
5.
6.
7.
8.
Lab Activity 3 focuses on the steps and procedures necessary to configure VLAN
topologies and enable IP services on E-Series switches.
After verifying and troubleshooting your IP and VLAN configuration, you will enable
DNS and SNTP on your switches and back up your configurations to a TFTP server.
You will conclude the activity by exploring the web management interface and
configuring your switches so that only users in specific IP address ranges can gain
management access.
By the end of Lab Activity 3, your switches will be ready to support users in four user
VLANs and a VLAN for your group's Server. As shown in Figure 3-3, your group's
Router will act as default gateway for hosts in all five VLANs. The three access-layer
switches will remain in VLAN 1 and will be configured to use the Router's VLAN 1
interface as their default gateway. This will enable them to access services on your
group's Server.
All switch-to-switch links will be configured as tagged members of the appropriate
VLANs. Ports connected to hosts, including the clients and the server, will be
untagged members of the VLANs.
VLANs on each switch
VLAN   Switch           IP address on router
2      Router           10.x.2.1/24
10     Edge_1, Router   10.x.10.1/24
20     Edge_2, Router   10.x.20.1/24
30                      10.x.30.1/24
40                      10.x.40.1/24
The four user VLANs will be distributed among the edge switches, as shown in
Figure 3-4.
To act as default gateway for hosts in all VLANs, the Router will be configured with
ports in each VLAN and with an IP interface in each VLAN. Additionally, IP routing
will be enabled.
Steps to configure VLANs on switches
For each VLAN:
Define the VLAN
TIP
If you make a mistake, it is easy to reverse most CLI commands. Simply repeat
the command preceded by no, as in:
Switch(config)# no vlan 10
IP helper address
IP routing
Router(config)# ip routing
Configuring VLANs on the Router begins with the same steps you followed to
configure VLANs on the access-layer switches. That is, you define the VLANs and
then add ports as necessary.
To act as a default gateway for the hosts in all VLANs, the distribution-layer switch
requires an IP interface associated with each VLAN, as shown in Figure 3-6. As well
as defining an IP address and mask for each VLAN, you must define an IP helper address,
which will enable hosts in all VLANs to receive IP addresses by DHCP from the
Server in VLAN 2. You must also enable IP routing.
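The addressing scheme (floor in the second octet, VLAN ID in the third) and the Router's per-VLAN IP interfaces can be derived mechanically. The following is an added example, not part of the course material: it renders the Router's VLAN interface lines for one floor and maps a host address back to its floor and VLAN, which is useful when checking that a host sits in the VLAN its address implies. It assumes the DHCP server is the same 10.x.2.100 host used for DNS and TFTP, applies the helper address to every VLAN except the Server's own, and leaves port membership out because port numbers are not given here.

```python
import ipaddress

# VLAN ID -> name from the lab's VLAN table. The page does not name VLAN 1,
# so no name is configured for it here.
VLANS = {1: None, 2: "Server", 10: "Human_Resources",
         20: "Manufacturing", 30: "Sales", 40: "Executives"}
FLOORS = range(1, 7)   # floors 1-6; 10.0.0.0/16 is the core
SERVER_VLAN = 2
SERVER_HOST = 100      # assumption: the DHCP server is the 10.x.2.100 host


def vlan_subnet(floor, vlan_id):
    """Return the /24 for a VLAN on a floor: 10.<floor>.<vlan>.0/24."""
    if floor not in FLOORS:
        raise ValueError(f"floor {floor} is not in the plan")
    if vlan_id not in VLANS:
        raise ValueError(f"VLAN {vlan_id} is not in the plan")
    return ipaddress.ip_network(f"10.{floor}.{vlan_id}.0/24")


def locate(address):
    """Map a host address back to (floor, vlan_id), or None if off-plan."""
    ip = ipaddress.ip_address(address)
    if ip.version != 4:
        return None
    first, floor, vlan_id, _host = ip.packed
    if first != 10 or floor not in FLOORS or vlan_id not in VLANS:
        return None
    return floor, vlan_id


def router_vlan_config(floor):
    """Render the Router's IP interface lines for every VLAN on one floor."""
    helper = vlan_subnet(floor, SERVER_VLAN).network_address + SERVER_HOST
    lines = ["ip routing"]
    for vlan_id, name in VLANS.items():
        subnet = vlan_subnet(floor, vlan_id)
        gateway = subnet.network_address + 1   # the Router is .1 in every VLAN
        lines.append(f"vlan {vlan_id}")
        if name:
            lines.append(f'   name "{name}"')
        lines.append(f"   ip address {gateway}/{subnet.prefixlen}")
        if vlan_id != SERVER_VLAN:
            # Relay DHCP broadcasts from this VLAN to the server in VLAN 2.
            lines.append(f"   ip helper-address {helper}")
        lines.append("   exit")
    return lines


if __name__ == "__main__":
    print("\n".join(router_vlan_config(3)))
    print(locate("10.3.20.57"))
```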
Commands to confirm VLAN and IP interface configuration
show vlans
show ip
The show vlans command provides several powerful options for verifying VLAN
configuration. As shown, the options associated with this command enable you to
view all VLANs configured on the switch, to examine details about a specific VLAN,
or to determine the VLAN membership status of a port or range of ports.
While not specifically related to VLAN configuration, the show ip command enables
you to view important information about IP interfaces configured on the switch. As
well as showing the IP interfaces associated with each VLAN, the show ip command
shows if routing is enabled or, in the case of a Layer 2 switch, if a default gateway is
defined.
Configuring IP services: IP helper address for DHCP clients
[Figure: DHCP relay between a client in VLAN 20, the Edge_1, Edge_2 and Edge_3 switches, the Router, and the DHCP Server. Callouts:]
Client sends DHCP request, broadcast to 255.255.255.255
Edge_3 and Edge_2 forward broadcasts on ports connecting to VLAN 20
Unicast packet routed by relay agent based on IP helper address
Unicast DHCP response sent to relay agent on routing switch
Relay agent sends unicast response to client
Configuring IP services: Syslog
On access-layer switches, define the Router's VLAN 1 interface as the default gateway
Switch(config)# ip default-gateway 10.x.1.1
HP E-Series switches support logging on any System Logging (Syslog) server that
complies with the standard set forth in IETF RFC 3164. The process for identifying a
Syslog server is straightforward, as shown in Figure 3-9.
The switch would not require a default gateway to access a Syslog server if the server
were located in the same network as one of the switch's IP interfaces. However, in
Lab Activity 3, access-layer switches will not have interfaces in VLAN 2, where the
Server resides. Consequently, the access-layer switches must be configured with a
default gateway in VLAN 1, namely the Router's VLAN 1 interface.
The Router, of course, does not require a default gateway.
Configuring IP services: SNTP
Select SNTP as time protocol
Switch(config)# timesync sntp
Set timezone
Switch(config)# time timezone <+/-n>
E-Series switches can be configured to synchronize their clocks with SNTP or TimeP
servers. By default, the switches are not configured to synchronize with a time server.
Time can be set manually using the time command. However, for many network
applications, the use of time services is recommended to ensure that log entries,
security settings, and other time-sensitive operations are synchronized for multiple
network devices.
In Figure 3-10, an administrator issues timesync sntp to select SNTP as the time
synchronization protocol. The sntp unicast command configures the switch to obtain
time services from a single server. Alternatively, the administrator could issue sntp
broadcast to configure the switch to broadcast for time services.
When configuring SNTP on a ProVision ASIC switch, you can define up to three
servers in priority order. In the example, the administrator uses the sntp server
command to define a single server, but the priority value is still required. Many other
E-Series switches support the definition of one SNTP server. On these switches, the
priority argument is not supported.
Finally, the switch's timezone is set by entering a time offset. The value entered after
timezone should reflect the difference in minutes between the switch's timezone and
Greenwich Mean Time. To set the time for Los Angeles, California, the command
would be time timezone -480. The time offset for Paris, France, would be time
timezone +60.
Configuring IP services: DNS
Define DNS server
Switch(config)# ip dns server-address priority 1 10.x.2.100
ProVision ASIC switches can use DNS services, enabling you to locate devices for
ping or traceroute by hostname instead of IP address. Configuration, as shown in
Figure 3-11, is simple. ProVision ASIC switches can be configured to use two DNS
servers, defined with priority values at the CLI. As with SNTP, the priority value is
required even if you are configuring only one server.
The process for backing up configuration files to a TFTP server is quite similar to the
process for backing up to a USB drive. TFTP is a UDP service that enables the
transfer of files between hosts in an IP network. As such, it provides a subset of the
functionality found in FTP, which is a TCP service.
As shown in Figure 3-12, the TFTP process also uses the copy command, with the IP
address of the TFTP server entered as one parameter. To restore a file from the TFTP
server, simply reverse the order of the parameters immediately following copy, as in:
Switch# copy tftp startup-config 10.x.2.100 <filename>
As shown, you can also upgrade software using a file from a TFTP server, using
syntax similar to the syntax for downloading software from a USB drive.
For higher levels of security, E-Series switches also support Secure Copy Protocol
(SCP) and Secure FTP (SFTP), which depend upon Secure Shell (SSH). You will learn
more about all three technologies in the next module.
Copying command output to a TFTP server
E-Series switches enable you to redirect CLI command output to TFTP servers or USB drives
Switch# copy command-output show tech tftp <ip_address> <filename>
The copy command enables you to redirect command output to a TFTP server, USB
drive, or X-Modem transfer, using the syntax shown in Figure 3-13. This can be very
useful for troubleshooting or other offline evaluation of the switch's state.
In Figure 3-13, the first example redirects the output of the show tech command. The
show tech command executes a series of show commands at the CLI and displays
their output sequentially. As well as showing the configuration, the show tech output
includes information about installed modules, interface status, logged events, and
other items. Consequently, the output of the command can run for several pages and
can be difficult to evaluate by scrolling through the CLI.
In the example, the copy command-output option sends the output to a text file on a
TFTP server. Captured in this way, the output can be readily evaluated or shared with
other users or HP networking support.
Exploring remote management
Now that IP networking is configured on all of your switches, you can manage your
switches over IP connections as well as the serial console. E-Series switches support
three types of remote access:
Web management. All E-Series switches feature an embedded web server that
provides graphical access to many basic configuration and monitoring
parameters but is not as feature-rich as the CLI. The web interface is protected
by the same operator and manager passwords as the CLI. For higher security,
the interface supports Secure Sockets Layer (SSL), an industry standard
technology for encrypted communications over the web. You can disable the
web interface by entering no web-management plaintext in the global
configuration context.
The example shown in the slide is the web browser interface running on an HP
E5406 zl switch. With the K.15.XX switch software release, the Web browser
interface on this switch and other ProVision ASIC switches was updated. The
Web agent included in K.15.XX and above improves usability, making this
interface even easier to navigate and use.
Telnet/SSH. E-Series switches feature embedded Telnet and Secure Shell (SSH)
servers that provide access to the same CLI as the serial console. By default, the
Telnet server is enabled, and the SSH server is disabled. You can disable the
Telnet interface by entering no telnet-server in the global configuration context.
PCM and PCM+. Most current E-Series switches can be accessed through HP
PCM and PCM+.
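Because Telnet and plaintext web management are on by default and SSH is off, a saved configuration that says nothing about them still has them in their default state. The following added example (not part of the course material) audits a configuration backup with that in mind, and also checks for the time synchronization, Syslog and management-address restrictions discussed in this module. The sample configurations are constructed, the `ip ssh`, `logging <ip>` and `ip authorized-managers` command forms are not shown on this page, and the audit assumes a saved configuration lists only settings that differ from the defaults.

```python
import re

# Each check: (id, enabled by default?, regex that enables, regex that disables,
#              desired state, finding text). Defaults are the ones the text states.
# A disable regex of None means no single line turns the feature off.
CHECKS = [
    ("telnet", True, r"telnet-server$", r"no telnet-server$", False,
     "Telnet server is enabled (default): CLI sessions are unencrypted"),
    ("web-plaintext", True, r"web-management( plaintext)?$",
     r"no web-management( plaintext)?$", False,
     "Plaintext web management is enabled (default)"),
    ("ssh", False, r"ip ssh$", r"no ip ssh$", True,
     "SSH server is disabled (default): no encrypted CLI access"),
    ("timesync", False, r"timesync (sntp|timep)$", r"no timesync$", True,
     "No time synchronization protocol selected: log timestamps may drift"),
    ("syslog", False, r"logging \d+\.\d+\.\d+\.\d+", None, True,
     "No Syslog server defined: events are kept only on the switch"),
    ("authorized-managers", False, r"ip authorized-managers \d", None, True,
     "Management access is not restricted to specific IP address ranges"),
]


def feature_states(config_text):
    """Start from the defaults, then apply each config line in order."""
    states = {check[0]: check[1] for check in CHECKS}
    for raw in config_text.splitlines():
        line = " ".join(raw.split())          # drop indentation, collapse spaces
        if not line or line.startswith(";"):  # ';' starts a comment line
            continue
        for fid, _default, on_re, off_re, _want, _msg in CHECKS:
            if off_re and re.match(off_re, line):
                states[fid] = False
            elif re.match(on_re, line):
                states[fid] = True
    return states


def audit(config_text):
    """Return (id, message) for every feature not in its desired state."""
    states = feature_states(config_text)
    return [(fid, msg) for fid, _d, _on, _off, want, msg in CHECKS
            if states[fid] != want]


# Constructed samples. WEAK sets none of the management options, so every
# default applies; 'web-management ssl' adds HTTPS but leaves HTTP enabled.
WEAK = """; constructed sample
hostname "Edge_1"
ip default-gateway 10.3.1.1
web-management ssl
"""

HARDENED = """; constructed sample
hostname "Edge_1"
ip default-gateway 10.3.1.1
timesync sntp
sntp unicast
sntp server priority 1 10.3.2.100
logging 10.3.2.100
no telnet-server
no web-management plaintext
web-management ssl
ip ssh
ip authorized-managers 10.3.1.0 255.255.255.0 access manager
"""

if __name__ == "__main__":
    for finding_id, message in audit(WEAK):
        print(f"{finding_id}: {message}")
```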
Troubleshooting connectivity: Tools
In a moment, you will complete a lab in which you configure VLANs and IP settings.
As you complete this lab, you will need to verify and possibly troubleshoot
connectivity. In fact, even as you troubleshoot more and more complicated processes
throughout this course, troubleshooting connectivity will remain a fundamental first
step.
To verify and troubleshoot connectivity, you will enter several useful commands. The
table shows the questions that these commands answer for you.
Command syntax: ping <IP address | hostname>
Example output:
HP# ping 192.168.5.3
192.168.5.3 is alive, time = 7ms

Command syntax: traceroute <IP address | hostname>
Example output:
HP# traceroute 192.168.5.3
traceroute to 192.168.5.3
1 hop min, 30 hops max, 5 sec. timeout, 30 probes
1 10.1.1.1     0ms 0ms 0ms
2 10.1.3.1     7ms 3ms 0ms
3 10.1.5.1     3ms 0ms 1ms
4 192.168.5.3  3ms 3ms 0 ms

Command syntax: show arp
Example output:
HP# show arp
IP ARP table
IP Address      MAC Address       Type    Port
--------------- ----------------- ------- ----
192.168.5.3     000f1f-134679     dynamic A5

Command syntax: show mac
Note
Sometimes you will want to troubleshoot connectivity on an endpoint. You can
enter similar commands from the endpoint itself. On a Windows station, access
the command line prompt, and enter ping <IP address> or tracert <IP address>.
Troubleshooting connectivity: Process
[Flowchart: ping. Can A reach B? If no: Is B in a different subnet? If no: check VLAN memberships (show commands for port, arp, mac, and vlan <ID>). If yes: check IP settings on this device and the next-hop devices (show ip, show ip route).]
When you troubleshoot a connection, you must use the commands in a logical way
to pinpoint the problem. Above you see a process for verifying connectivity between
two devices.
1. First check whether the devices can communicate by entering the ping
command on the first device.
2.
a. If the devices are in the same subnet, you should check VLAN memberships
on the switch-to-switch connections for each switch between the two devices.
On the last switch, also check the port that connects to the destination
device. You learned the show commands for viewing VLAN memberships
earlier.
Note
In a lab, you can easily see which ports provide switch-to-switch connections. But
in the real world, you might be managing your switches remotely. To find the port
on switch 1 that connects to switch 2, ping switch 2's management IP address
from switch 1. Then enter the show arp command and look for the port
associated with switch 2's address.
b. If the devices are in different subnets, the traffic must be routed. (You will
learn more about routing later in this course.) Find out which is the last
device to route the traffic. You then know that somewhere between this
device and the next-hop in the route to the destination, a device is dropping
the traffic. Access each of these devices, if possible, and check their IP
settings and VLANs for mistakes.
Lab Activity 3
With basic configuration complete, you are now ready to prepare your switches to
support end users and other hosts. In Lab Activity 3, you will configure VLANs on all
switches and enable routing on your distribution-layer switch so that users in all
VLANs can interconnect. You will configure the switches to access IP services such as
SNTP and DNS. Finally, you will explore the web-management interface.
Consult your Lab Activity Guide for instructions for performing this activity.
Key Insights
Learning check
1.
2.
3.
4.
3 26
Which of the following statements correctly describes a rule for assigning VLAN
membership to ports on an E-Series switch?
a.
b.
c.
d.
b. Create a new Layer 2 header and forward the frame through port C1.
c.
d.
Remove the tag that was on the frame when it entered the switch.
b. Create a new Layer 2 header and forward the frame to the workstation.
c. Add a tag to the frame that identifies its destination as VLAN 40.
d. Remove the VLAN 20 tag and forward the frame to the user.
What is the rule for removing ports from a VLAN on an E-Series switch?
a.
b.
c. If a port is a member of only one VLAN, you cannot reverse the command
that made the port a member of that VLAN.
d.
Module 4 objectives
After completing this module, you will be able to:
Describe requirements for configuring Secure Shell (SSH) or HTTP over Secure
Socket Layer (HTTPS) on E-Series switches
Prework review activity: Physical security
WBT review activity: physical security
What can a malicious user do if he or she has physical access to a switch?
What security measures can you take to protect the switch?
What security measures can you take to provide physical security for the switch?
Management users
Users
Rights
Manager
Operator
When you log in as a manager, you can make changes to the switch configuration.
When you log in as an operator, you can only view information about the switch.
The operator cannot make configuration changes.
Figure 4-3: Local or remote authentication (figure labels: Local, Centralized)
Operator
Switch(config)# password operator
New password for manager: ********
Please retype new password for manager: ********
The basic CLI commands for configuring a password are listed above. When you
enter the password command as shown in Figure 4-4, you are prompted to enter and
re-enter the password.
You can also enter the command with the options shown in the complete command
syntax below.
password <manager | operator | port-access> [user-name <name>] <hash-type> <password>
Optionally, you can include the user-name option and replace <name> with a name,
such as Paul, Wim, or Miriam. If you configure a username, management users will
be prompted to enter the username first when they log in.
Replace <hash-type> with either plaintext or sha-1. SHA1 is an algorithm that hashes
the password. (A hash algorithm is a security measure that ensures data integrity by
transforming the data using an authentication key and appending the transformed
data to the original data as a signature.) If you specify sha-1, you must enter the
password in hash form.
To enter a password in plain text, enter:
Switch (config)# password manager user-name Paul plaintext password
If you enter the password command in this way, you can configure a password with
a single entry. If you enter the password command as shown in Figure 4-4, you are
prompted to enter and re-enter the password you want to configure.
Note: Passwords and usernames are case sensitive.
If you enter the operator password, you will access the operator context and have
read-only rights to the switch.
Switch>
If you enter the manager password, you will access the manager-level context and
have read-write access.
Switch#
Or:
Switch (config)# no password operator
You can also clear passwords by pressing the Clear button on the front panel of the
switch (as long as this function has not been disabled).
Remote authentication
Access method
[telnet | console | web | ssh]
Method of authentication
[radius| tacacs| local]
Encryption key
With remote authentication, you can separately control each access method:
Telnet
SSH
Console
That is, you enter commands for each access method, specifying the access level and
the primary and secondary methods of authentication.
Access level
To specify the access level, include the enable option for manager-level access and
the login option for operator-level access. For each access method, you must enter
the command twice, specifying the login option for operator in one command and
the enable option for manager in the other.
Method of authentication
You must specify how the switch verifies authentication: by contacting a RADIUS
server or a TACACS+ server, or by checking the passwords configured on the switch
(local). For each access method, you should specify a primary and secondary
authentication method. The secondary authentication method will be used if the first
authentication method is not available. For example, the switch will use the
secondary authentication method if the authentication server is temporarily down.
The default setting for the secondary authentication method is none, except when
you configure console access. For example, if you configure RADIUS authentication
for console access, local is automatically set as the secondary authentication method.
This prevents you from being locked out of the switch in the event of a failure of all
other access methods.
You will also need to contact the authentication server administrator and have him or
her configure the appropriate settings on the RADIUS or TACACS+ server.
Disable the Clear and Reset buttons
Prevent the Clear button from being used to remove usernames and passwords
Disable the hardware reset to factory defaults
Figure 4-6: Disable the Clear and Reset buttons
As you discussed in the review activity at the beginning of this module, the Clear
button on the front-panel can allow unauthorized users to erase a switch password.
That user could then access the switch, define a new password, and take control of
the switch without leaving any record of this activity.
To disable the Clear button, enter:
Switch(config)# no front-panel-security password-clear
Likewise, the Reset button can be misused if a malicious user has physical access to
the switch. To disable hardware resets, enter:
Switch(config)# no front-panel-security factory-reset
When this function is disabled, pressing the Reset and Clear buttons will still reboot
the switch, but it will not erase the existing configuration.
To enable the Clear button again, enter:
Switch(config)# front-panel-security password-clear
You can view the current settings for these buttons by entering:
Switch# show front-panel-security
Password Recovery
E-Series switches support a password recovery feature, which is enabled by default.
This feature allows you to regain management access to the switch in the event that:
When this situation occurs, you must contact HP Customer Care to acquire a one-time-use password.
Saving passwords and other security settings in configuration files: the include-credentials command
Advantages
Disadvantages
Less secure
Secure Shell (SSH) public keys, which are used to authenticate SSH clients
(For a complete list of these security settings, see the switch Access Security Guide.)
You can configure the switch to include these security settings in configuration files.
At the global configuration context, enter:
Switch (config)# include-credentials
Limiting managers by IP address
At default settings, any IP address may be the source of
management traffic
To restrict access:
Switch(config)# ip authorized-managers 10.1.1.0 255.255.255.0
E-Series switches enable you to define a range of IP addresses for stations that will be
allowed to access switch management features. Figure 4-XX shows commands that
enable access from a range of addresses, but you can also enter individual IP
addresses.
Furthermore, you can set different IP address restrictions for manager and operator
access. For instance, to ensure that only VLAN 1 users can gain manager access,
you could enter ip authorized-managers 10.1.1.0 255.255.255.0 access manager. To
grant operator access to VLAN 40 users, you could enter ip authorized-managers
10.1.40.0 255.255.255.0 access operator. For even more granular control, you can
specify address ranges for specific access methods, such as Telnet or web.
After these commands are entered, hosts outside these ranges will not be able to
start management sessions or even to successfully ping the switch. Consequently, if
you are unable to contact a switch, it is recommended you ensure that you are using
a permitted station.
To remove an authorized manager IP entry, negate the original entry with the no ip
auth <ip-address> <mask> command.
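The following Python sketch is an added example, not part of the HP course material. It works out which access level a management station would receive from a planned set of ip authorized-managers entries, so you can confirm that your own station stays permitted before you apply them. The level applied when access is omitted (manager), the single-station mask applied when the mask is omitted, and the bitwise reading of the mask are assumptions labelled in the code.

```python
import ipaddress

# Access levels from the module: a manager can change the configuration,
# an operator can only view it.
LEVELS = {"operator": 1, "manager": 2}


def parse_entry(command):
    """Parse one 'ip authorized-managers <ip> [<mask>] [access <level>]' command."""
    words = command.split()
    if words[:2] != ["ip", "authorized-managers"]:
        raise ValueError(f"not an authorized-managers command: {command!r}")
    args = words[2:]
    access = "manager"  # ASSUMPTION: level applied when 'access' is omitted
    if "access" in args:
        pos = args.index("access")
        if pos + 1 >= len(args):
            raise ValueError("'access' must be followed by manager or operator")
        access = args[pos + 1]
        args = args[:pos]
    if access not in LEVELS:
        raise ValueError(f"unknown access level: {access!r}")
    if not 1 <= len(args) <= 2:
        raise ValueError(f"expected <ip> [<mask>] in: {command!r}")
    address = int(ipaddress.IPv4Address(args[0]))
    # ASSUMPTION: an entry without a mask names exactly one station.
    mask = int(ipaddress.IPv4Address(args[1])) if len(args) == 2 else 0xFFFFFFFF
    return address, mask, access


def access_for(entries, station):
    """Return 'manager', 'operator' or None (blocked) for a source address."""
    if not entries:
        # Module text: at default settings any IP address may be the source
        # of management traffic, so no address is excluded.
        return "manager"
    source = int(ipaddress.IPv4Address(station))
    best = None
    for address, mask, access in entries:
        # ASSUMPTION: every mask bit set to 1 must match between the source
        # and the entry; for 255.255.255.0 this is an ordinary /24 range.
        if (source & mask) == (address & mask):
            if best is None or LEVELS[access] > LEVELS[best]:
                best = access
    return best


def keeps_access(commands, station, needed="manager"):
    """True if 'station' still reaches the needed level once 'commands' apply."""
    entries = [parse_entry(c) for c in commands]
    granted = access_for(entries, station)
    return granted is not None and LEVELS[granted] >= LEVELS[needed]


# The two entries quoted in the module, plus one constructed single-station entry.
PLANNED = [
    "ip authorized-managers 10.1.1.0 255.255.255.0 access manager",
    "ip authorized-managers 10.1.40.0 255.255.255.0 access operator",
    "ip authorized-managers 10.1.99.5",  # constructed: no mask, no level
]

if __name__ == "__main__":
    planned_entries = [parse_entry(c) for c in PLANNED]
    for host in ("10.1.1.25", "10.1.40.7", "10.1.20.7", "10.1.99.5"):
        print(host, "->", access_for(planned_entries, host) or "blocked")
```

A station that comes back as blocked here is one that, per the text above, would no longer be able to start a management session or ping the switch.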
Secure management VLAN
Limits switch access to ports assigned to the management VLAN
To further protect management access to the switch, you can configure a secure
management VLAN. The switch will then grant management access only to stations
that have an IP address in the same subnet as the secure management VLAN. The
secure management VLAN applies to all access methods, including Telnet, SSH,
HTTP, HTTPS, or SNMP.
The switch will not route traffic from user VLANs to the secure management VLAN.
This isolates the management VLAN from user VLANs, preventing users from seeing
or accessing management traffic.
Before you enter the management-vlan command, you must create the VLAN on the
switch. For best security practices, you should not use VLAN 1 as the secure
management VLAN.
Why do you think you should avoid using VLAN 1 as the secure management
VLAN?
Secure management
You are deploying an HP E-Series solution, and the customer has told you that their
security policies require secure device management. You know that this means that
you must implement Secure Shell (SSH) and HTTP over Secure Sockets Layer (SSL)
(HTTPS).
How do these protocols make the network more secure? And what tasks must you
complete to implement each secure management option on an HP E-Series switch?
Enabling SSH
Generate a public/private key pair:
Switch(config)# crypto key generate ssh rsa bits <size>
Enable SSH
Switch(config)# ip ssh
if SSH is enabled:
To access the switch using SSH, you must generate a public/private key pair on the
switch. When you enter the crypto key generate ssh rsa command, the switch's
public-private key pair is generated and stored in flash memory. It will survive any
factory reset operation you may perform. Note that only the public key of this key
pair is readable.
After you generate the public/private key pair, you can enable SSH by entering the
ip ssh command.
To access the switch using SSH, you need an SSH client, such as PuTTY. When you
attempt to connect to the switch, the switch uses the SSH key pair, along with a
dynamically generated session key, to negotiate an encryption method and session
parameters with your SSH client. Some clients let you install the switch's public key on
them in advance; otherwise, you will need to accept the key the first time that you
connect to the switch.
To verify whether SSH is enabled, you can use the show ip ssh command.
You can display the switch's public key by entering the show crypto host-public-key
command.
Disabling Telnet
After you have verified SSH access, you should strongly consider disabling Telnet. In
this way, you force management users to use the more secure management protocol.
Enter this command:
Switch(config)# no telnet-server
Configuring SSL
1. Generate a public/private key pair.
Switch(config)# crypto key generate cert [rsa] <512|768|1024>
3. Enable SSL
Switch(config)# web-management ssl
If you prefer to manage your E-Series switch using its Web browser interface, you
can access it securely using HTTPS. To use HTTPS, you must implement SSL by
completing these main steps:
1. Create an SSL public/private key pair, using the command shown in the figure
above.
2.
3.
You only need to create the SSL public/private key pair once (unless you use the
crypto key zeroize cert command to remove the key pair). The certificate, however, must be
replaced when the validity end date is reached.
Disabling HTTP
After you have verified that you have HTTPS access to the switch, you should again
consider disabling HTTP. Enter this command:
Switch(config)# no web-management
Configuring SFTP
Enabling SFTP:
TFTP is automatically disabled.
Figure 4-13: Configuring SFTP (figure labels: SFTP client, SSH, Internet)
In addition to securing your management session, you should ensure that your file
transfers are encrypted, particularly if you manage a switch remotely. SFTP uses the
SSH protocol to prevent malicious users from eavesdropping on file transfers.
SFTP requires the SSH protocol, so you must first enable that on the switch. You can
then enable SFTP by entering:
Switch (config)# ip ssh filetransfer
You must use an SFTP client to transfer files to and from the switch.
Enabling SFTP automatically disables TFTP.
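The following Python audit is an added example, not part of the HP course material. It reads a saved switch configuration and reports which of the management-access settings covered so far in this module (Telnet, SSH, SFTP, HTTP/HTTPS, authorized managers, secure management VLAN) are still missing. Both sample configurations are constructed; the defaults used when a line is absent (Telnet and HTTP on, SSH off) and the idea that the saved configuration lists commands in the form shown in this module, including management-vlan followed by a VLAN ID, are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class MgmtState:
    # ASSUMPTION: values used when the configuration has no line for a
    # feature. Confirm them for the software release on your switch.
    telnet: bool = True
    http: bool = True
    https: bool = False
    ssh: bool = False
    sftp: bool = False
    authorized_managers: List[str] = field(default_factory=list)
    management_vlan: Optional[int] = None


def parse_config(text):
    """Fold configuration lines into the resulting management-access state."""
    state = MgmtState()
    for line in text.splitlines():
        words = line.split()
        negated = bool(words) and words[0] == "no"
        cmd = words[1:] if negated else words
        if cmd == ["telnet-server"]:
            state.telnet = not negated
        elif cmd == ["ip", "ssh"]:
            state.ssh = not negated
        elif cmd == ["ip", "ssh", "filetransfer"]:
            state.sftp = not negated
        elif cmd == ["web-management"]:
            state.http = not negated
        elif cmd == ["web-management", "ssl"]:
            state.https = not negated
        elif cmd[:2] == ["ip", "authorized-managers"] and not negated:
            state.authorized_managers.append(" ".join(cmd[2:]))
        elif len(cmd) == 2 and cmd[0] == "management-vlan" and cmd[1].isdigit():
            state.management_vlan = None if negated else int(cmd[1])
    return state


def audit(state):
    """Return (code, advice) pairs for settings this module says to change."""
    found = []
    if state.telnet:
        found.append(("TELNET_ENABLED",
                      "verify SSH access, then enter: no telnet-server"))
    if not state.ssh:
        found.append(("SSH_DISABLED",
                      "generate the SSH key pair, then enter: ip ssh"))
    if state.sftp and not state.ssh:
        found.append(("SFTP_WITHOUT_SSH",
                      "ip ssh filetransfer is present but SFTP requires SSH"))
    if not state.telnet and not state.ssh:
        found.append(("NO_REMOTE_CLI",
                      "Telnet is off and SSH is not on; only the console is left"))
    if state.http:
        advice = ("HTTPS is on; enter: no web-management" if state.https
                  else "set up SSL for HTTPS, then enter: no web-management")
        found.append(("HTTP_ENABLED", advice))
    if not state.authorized_managers:
        found.append(("ANY_SOURCE_IP",
                      "no ip authorized-managers entry restricts source addresses"))
    if state.management_vlan is None:
        found.append(("NO_MGMT_VLAN", "no secure management VLAN is configured"))
    elif state.management_vlan == 1:
        found.append(("MGMT_VLAN_IS_VLAN1",
                      "the module advises against VLAN 1 as management VLAN"))
    return found


def finding_codes(text):
    return [code for code, _ in audit(parse_config(text))]


# Constructed sample configurations (not taken from a real switch).
WEAK_CONFIG = 'hostname "Edge_1"\nvlan 1\n   name "DEFAULT_VLAN"\n'
HARDENED_CONFIG = """\
hostname "Edge_1"
ip ssh
ip ssh filetransfer
no telnet-server
web-management ssl
no web-management
ip authorized-managers 10.1.1.0 255.255.255.0 access manager
management-vlan 10
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for code, advice in audit(parse_config(cfg)):
            print(f"  {code}: {advice}")
```

The NO_REMOTE_CLI finding covers the ordering the module stresses: Telnet should be disabled only after SSH access has been verified.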
SNMP overview
SNMPv3 allows you to create multiple users. Each user is assigned to a group that
defines to which objects he or she has read or read/write access. In addition, each
user can have his or her own authentication key and encryption key, which hash and
encrypt management traffic to keep it secure. The section below provides more
details about SNMP if you are interested.
SNMP reference
SNMPv1 and v2c: SNMPv1 was the original standard and, as described above,
it defined read-only and read-write communities to control access between the
SNMP server and agents on managed devices.
SNMPv2c supports all the functions provided in SNMP and adds some
enhancements. For example, SNMPv2c adds two new operations: GetBulk and
Inform. The GetBulk operation is used to efficiently retrieve large blocks of data.
The Inform operation allows one network management system to send trap
information to another network management system and to then receive a
response.
SNMP versions 1 and 2 use three community strings, which provide three access
levels:
Configure SNMPv2c
Read-only community
Switch(config)# snmp-server community <community_string> operator restricted
Read-write community
Switch(config)# snmp-server community <community_string> manager unrestricted
SNMP trap
Switch(config)# snmp-server host <ip_address> <community name>
Example:
Switch (config)# snmpv3 user Miriam auth sha securepass priv aes securepass
Once you enable SNMPv3, you can create a username and password, specifying
authentication and encryption algorithms.
Although an in-depth discussion of encryption algorithms is outside of the scope of
this course, you should know that for authentication, SHA-1 is more secure than MD5.
For privacy, AES is more secure than DES. (For more information about SNMPv3, see the
switch documentation.)
managerpriv
managerauth
operatorauth
operatornoauth
You must assign the username to one of the SNMP groups defined on the switch. This
is done using the snmpv3 group command.
The group you select not only determines the type of security that is enforced but also
the rights the user has. The switch defines eight groups, but only four are intended for
SNMPv3 users:
In Lab Activity 4, you will continue to configure the SMB's network. Like most
companies today, this company is concerned about security. The company's
executives are following your recommendation to secure switches in a locked room
and are considering video monitoring for tighter security.
In this lab, you will begin implementing other security measures to control
management access to the switch. First, you will configure usernames and passwords.
You will also enable secure protocols so that management sessions will be encrypted.
Finally, you will control management access by enabling a secure management
VLAN and by limiting managers to a specific IP address range.
After you complete these settings, you will disable the password, the secure
management VLAN, and the restriction of management access to a specific IP address range.
Although these security measures are vital in a production network, they are typically
not necessary or convenient in a lab environment. Disabling these features will allow
you to focus on configuring other switch features.
Key Insights
Learning check
After each module, your facilitator will lead a class discussion to capture key insights
and challenges from the module and accompanying lab activity. To prepare for the
discussion, answer each of the questions below.
a. SNMPv2c
b. SSH
c. HTTP
d. Telnet
e. SNMPv3
f. HTTPS
What protocol must be enabled before you can enable and use SFTP?
a. SSH
b. SSL
c. TFTP
d. FTP
What steps must you take before you can access the switch using HTTPS?
Module 5 objectives
After completing Module 5 of HP Access Layer Network Technologies using
ProVision Software, you will be able to:
Describe the rules and requirements for port trunking on HP E-Series switches
Given a network design, configure port trunks using the HP E-Series CLI
Describe the rules for VLAN membership of port trunks, including the impact of
trunk configuration on the VLAN configurations of individual ports
Figure labels: Core; Floor 2; Floor 3; Floor 4; Floor 5; Floor 6
The lab for this module builds on the topology that you established in earlier labs.
As in the previous labs, you are establishing the network for a Small to Medium
Business (SMB) with six floors, each of which has a server closet with three access
layer switches and one distribution layer switch. The distribution switches will all
connect to a core switch. Each edge switch supports about 20 users.
Where would you plan aggregated links? How many links would you aggregate in
each group? Consider the number of ports that are available and the amount of
traffic that you expect on each switch-to-switch connection.
Lab activity
aggregation
Lab Activity 5 will focus on the steps and procedures necessary to configure link
aggregation on HP E-Series switches.
By the end of Lab Activity 5, Edge_1 and Edge_2 both will be connected to your
group's Router by a two-port trunk. All other topology elements will be unchanged.
Configuring port trunking
Edge_1(config)# trunk ?
 [ethernet] PORT-LIST  Specify the ports that are to be added to/removed
                       from a trunk.
Edge_1(config)# trunk 21,22 ?
 trk1                  Trunk group 1
 trk2                  Trunk group 2
 ...
Edge_1(config)# trunk 21,22 trk1 ?
 trunk                 Do not use any protocol to create or maintain the
                       trunk.
 lacp                  Use IEEE 802.1ad Link Aggregation protocol.
 <cr>
Edge_1(config)# trunk 21,22 trk1 lacp
The type of trunk (HP trunk or LACP). If no option is entered, the trunk will default
to an HP trunk.
It is not necessary for trunk ports to be contiguous; any ports of the same speed can
be included. A list of contiguous ports can be defined by a hyphen, as in trunk 21-22
trk1 lacp. A list of non-contiguous ports should be separated by a comma, as in
trunk 19, 21, 23 trk1 lacp.
When a port trunk is defined on an HP E-Series switch, its VLAN status is the same as
the default status for an individual port, that is, the trunk is an untagged member of
VLAN 1, the Default VLAN. Consequently, the non-default VLAN status of ports
added to the trunk will be deleted.
Figure 5-5 illustrates the effect. Before being added to trk1, port 21 was a tagged
member of VLAN 10. The trunk, however, does not include this configuration.
Consequently, the trunk will not carry traffic for users in VLAN 10.
This problem is easily remedied by the final step in the figure, when the administrator
adds the entire trunk to VLAN 10 as a tagged member.
 | Name                             Type      | Group Type
 + -------------------------------- --------- + ----- -----
 | Router                           100/1000T | Trk1  LACP
 | Router_2                         100/1000T | Trk1  LACP

 Port | Name                             Type      | Group Type
 ---- + -------------------------------- --------- + ----- -----
 A1   | Edge_1                           100/1000T | Trk1  LACP
 A2   | Edge_1_2                         100/1000T | Trk1  LACP
Examining load sharing
show interface display
activity
Lab Activity 5
Like many contemporary enterprises, this SMB sometimes experiences high levels of
network traffic due to bandwidth-intensive applications such as streaming video. In
Lab Activity 5, you will configure and troubleshoot trunking to increase the capacity
of switch-to-switch links.
Consult your Lab Activity Guide for instructions for performing this activity.
Key Insights
Learning check
After each module, your facilitator will lead a class discussion to capture key insights
and challenges from the module and accompanying lab activity. To prepare for the
discussion, answer each of the questions below.
1.
2.
3.
a.
b.
c.
d.
The trunk will be an untagged member of VLAN 1. The individual ports will
maintain their tagged membership in other VLANs.
What is the criterion used to share loads across ports in a trunk configured on an
HP E-Series switch?
a.
b.
c.
d.
b.
c.
d.
The static trunk enables ports with different speeds to be included in the
trunk.
4.
5.
The trunk must use one of the predefined names, such as Trk5, in the order
listed in the CLI.
b.
The trunk must use one of the predefined names, such as Trk5, in the CLI,
but they can be assigned in any order.
c.
The trunk can be assigned a friendly name using the name command that is
also used to assign a name to an individual port.
d.
The trunk must include the trunk type, LACP or trunk, in its name.
b.
c.
d.
Module 6 objectives
After completing Module 6, you will be able to:
Given a network design, configure MSTP to ensure switches will be part of the
correct MST region
Verify MSTP configuration
Lab activity 6 preview
[Figure: Lab activity 6 preview. Topology of four ProCurve Switch 5406zl devices labelled Router, Edge_1, Edge_2 and Edge_3]
In the previous lab, you increased capacity for the SMB by creating aggregated
links. These links also provided a degree of redundancy: if one link in the
aggregation group fails, the other links continue to provide connectivity.
However, this SMB, like most companies, relies on the network to conduct business.
Currently, if one switch fails, all switches downstream of it lose their connections to
the rest of the network. The SMB needs better redundancy, so you decide to connect
every switch to two switches, as shown in the figure.
Note
All switch-to-switch links in the figure are Gbps links.
Because this topology introduces loops, you will implement MSTP. Work with your
partner to plan the MSTP solution. For now, you will only implement one instance of
MSTP, so the solution will function like RSTP:
1. Select the root bridge and the secondary root and label those switches with their
roles. Also mark the priority for all four switches.
2.
3.
Root
Designated
Alternate
Backup
4.
By the end of Lab Activities 6.1 and 6.2, you will have configured and verified
single-instance and multiple-instance Spanning Tree on all of your switches. You will add
two redundant links that will connect Edge_3 with Edge_1 and Edge_2 and Edge_1.
Steps in single-instance configuration
1. Choose redundant links
2. Configure VLAN membership for all switch-to-switch links
3. Set Bridge Priority for all switches
4. Enable Spanning Tree
The steps for configuring E-Series switches to interoperate with RSTP switches in
single-instance Spanning Trees are fairly straightforward. After planning for link
redundancy, configure VLANs, set Bridge Priority, and enable the protocol. You
could change the order of these steps by, for instance, setting Bridge Priority before
configuring VLAN membership.
However, it is crucial to not connect redundant links until the protocol is enabled. If
you connect the links prematurely, a broadcast storm can result, which can degrade
the performance of your switches.
Setting Bridge Priority
Bridge Priority for RSTP/MSTP switches is set in increments of 4096
To
As described in the prework, it is recommended that you set Bridge Priority to ensure
that the correct switches are elected as Root Bridge and backup Root Bridge in your
topology. If Bridge Priorities are left at their default values, the Root Bridge will be
selected according to MAC address, which may result in the election of a switch at
the network edge. This can result in an inefficient forwarding path.
Figure 6-4 shows the command for setting Bridge Priority, which is set in increments
of 4096. On E-Series switches, the maximum value for the spanning-tree priority
command is 15, which translates to an incremental value of 61440.
Note
This command does not enable Spanning Tree.
Enabling Spanning Tree
To enable Spanning Tree:
Switch(config)# spanning-tree
Spanning Tree details for Root Bridge
Router(config)# show spanning-tree
 Multiple Spanning Tree (MST) Information
  STP Enabled   : Yes
  Force Version : MSTP-operation
  IST Mapped VLANs : 1-4094
  Switch MAC Address : 0017a4-742700
  Switch Priority    : 4096
  Max Age : 20
  Max Hops : 20
  Forward Delay : 15

  Root MAC Address : 0017a4-742700
  Root Priority    : 4096
  Root Path Cost   : 0
  Root Port        : This switch is root

  Port  Type      Cost      Priority State      | Designated Bridge
  ----  --------- --------- -------- ---------- + -----------------
  Trk1  100/1000T 20000     128      Forwarding | 0017a4-742700
  Trk2  100/1000T 20000     128      Forwarding | 0017a4-742700
Figure callouts: Bridge Priority is set to 1. Root Bridge is Designated Bridge for its locally connected links.
The show spanning-tree command enables you to verify your Spanning Tree
configuration. In Figure 6-7, an administrator has entered show spanning-tree to view
the configuration on the Router, which is the Root Bridge for this example network.
The output indicates that MSTP is enabled, but also shows that all VLANs are
assigned to the IST. The Bridge Priority is set to 4096, indicating that the priority was
set to 1 when the spanning-tree priority command was entered.
Because this is the Root Bridge, all switch-to-switch links are in the forwarding state.
For both links, Trk1 and Trk2, the Root Bridge is the Designated Bridge, as is
indicated by the MAC address, which matches the Switch MAC Address.
Spanning Tree details for non-Root Bridge
Edge_2(config)# show spanning-tree
...
  IST Mapped VLANs : 1-4094
  Switch MAC Address : 0019bb-aea640
  Switch Priority    : 8192
  Max Age : 20
  Max Hops : 20
  Forward Delay : 15

  Root MAC Address : 0017a4-742700
  Root Priority    : 4096
  Root Path Cost   : 20000
  Root Port        : Trk1

  Type      Cost      Priority State      | Designated Bridge
  --------- --------- -------- ---------- + -----------------
  100/1000T 20000     128      Blocking   | 001635-b65040
  100/1000T 20000     128      Forwarding | 0019bb-aea640
  100/1000T 20000     128      Forwarding | 0017a4-742700
Figure callouts: Bridge Priority is set to 2. Root Bridge Indicators.
In Figure 6-8, the administrator views the Spanning Tree configuration for Edge_2 in
the SMB network. The output indicates that the switch is connected to the Root Bridge
by Trk1. The CST Root MAC Address indicates the Root Bridge is the Router.
Each of the switch-to-switch links indicates a different Designated Bridge because
each is connected to a different switch. One of the switch's redundant links, port 23,
is in the blocking state.
Key Insights
and config-revision
To enable MSTP operation on E-Series switches, you must configure several more
parameters, including:
1.
2.
The VLAN-to-instance mappings
3.
After configuring all parameters, you will use show spanning-tree commands to
verify your setup.
MST configuration parameters
Define an MST region identity for the switch
Edge_1(config)# spanning-tree config-name hp
Edge_1(config)# spanning-tree config-revision 1
Bridge Priority for MST instances
Bridge Priority may be defined for each Spanning Tree instance
To
In MSTP, Bridge Priorities are set using the same increments used to set priorities for
RSTP operation. That is, each increment in the priority value (1-15) increases the
configured priority value by 4096.
In Figure 6-12, an administrator sets Bridge Priorities for two instances. Edge_1 will
have the highest priority in Instance 1, and Edge_2 will have the highest priority in
Instance 2. This will help to ensure that each instance uses a different forwarding
path, which will ensure efficient use of links.
Another configuration option is to make routing switches the Root Bridges in all
instances. This is the approach that you will take in the lab.
[Figure 6-13: show spanning-tree mst-config output. Surviving values: 10,30 and 20,40]
To view the configured MST parameters, use the show spanning-tree mst-config
command as shown in Figure 6-13. In this example, the administrator views the
configuration details for the Edge_1 switch on one of the SMB's floors. The output
shows the configuration name, the configuration digest, and the VLANs that are
mapped to each instance, including the IST. Note that the IST includes all VLANs not
specifically mapped to another instance.
The output also includes the MST Configuration Digest, a value that each switch
computes on the basis of the VLAN-to-instance mappings. Like other configuration
parameters, this value must be identical on all switches in an MST region.
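The digest comparison described above can be reproduced offline to audit planned configurations before they are deployed. The following is an added example, not part of the course material: it assumes the switch follows the IEEE 802.1Q procedure (HMAC-MD5, keyed with the standard's fixed key, over a 4096-entry VLAN-to-instance table), and the two switch records are constructed from the config-name, config-revision and VLAN lists shown on this page, with the Instance 2 mapping and the drifted copy being assumptions.

```python
import hashlib
import hmac

# Fixed signature key that IEEE 802.1Q specifies for the Configuration Digest.
DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

# Constructed records. Name "hp" and revision 1 come from the page's commands;
# mapping 20,40 to Instance 2 and the drifted copy are assumptions.
EDGE_1 = {"name": "hp", "revision": 1, "instances": {1: "10,30", 2: "20,40"}}
EDGE_2_DRIFTED = {"name": "hp", "revision": 1, "instances": {1: "10,30", 2: "20"}}


def expand_vlans(spec):
    """Expand a CLI-style VLAN list such as '10,30' or '20-25,40' into a set."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        low, _, high = part.partition("-")
        first, last = int(low), int(high or low)
        if not 1 <= first <= last <= 4094:
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(first, last + 1))
    return vlans


def config_table(instance_map):
    """Build the table the digest covers: one two-octet entry per VID 0..4095.

    Each entry holds the instance the VLAN is mapped to. VLANs that are not
    mapped anywhere stay 0, which is the IST, as do the entries for 0 and 4095.
    """
    table = [0] * 4096
    for instance, spec in instance_map.items():
        if not 1 <= instance <= 4094:
            raise ValueError(f"bad instance ID: {instance}")
        for vid in expand_vlans(spec):
            if table[vid]:
                raise ValueError(f"VLAN {vid} is mapped to two instances")
            table[vid] = instance
    return b"".join(entry.to_bytes(2, "big") for entry in table)


def config_digest(instance_map):
    """Return the 16-octet digest as upper-case hex."""
    mac = hmac.new(DIGEST_KEY, config_table(instance_map), hashlib.md5)
    return mac.hexdigest().upper()


def region_mismatches(a, b):
    """List the region parameters that differ between two switch records."""
    diffs = []
    if a["name"] != b["name"]:
        diffs.append("config-name")
    if a["revision"] != b["revision"]:
        diffs.append("config-revision")
    if config_digest(a["instances"]) != config_digest(b["instances"]):
        diffs.append("digest")
    return diffs


if __name__ == "__main__":
    print("Edge_1 digest:        ", config_digest(EDGE_1["instances"]))
    print("drifted Edge_2 digest:", config_digest(EDGE_2_DRIFTED["instances"]))
    print("mismatches:", region_mismatches(EDGE_1, EDGE_2_DRIFTED))
```

A single VLAN left in the IST on one switch changes the digest, which places that switch outside the region even though its name and revision still match.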
Viewing MST instance forwarding paths
Edge_1(config)# show spanning-tree instance 1
 MST Instance Information
  Instance ID : 1
  Mapped VLANs : 10,30
  Switch Priority : 4096
  : 37
  : 4 mins

  Regional Root MAC Address : 001635-b65040
  Regional Root Priority    : 4096
  Regional Root Path Cost   : 0
  Regional Root Port        : This switch is root
  Remaining Hops            : 20

  Type      Cost      Priority Role       State      Designated Bridge
  --------- --------- -------- ---------- ---------- -----------------
  100/1000T 200000    0        Designated Forwarding 001635-b65040
  100/1000T 20000     0
  100/1000T 20000     0
            20000     0
Figure callouts: Instance priority. Root Bridge Indicators.
To view details for an MST instance, issue the show spanning-tree command with the
instance ID, as shown in Figure 6-14. The ID can be IST or CST, as well as the
identifier for an MST instance.
In this example, the administrator views Instance 1 details for Edge_1, which is the
Root Bridge for the instance. Consequently, all switch-to-switch links are in the
forwarding state.
Troubleshooting MSTP
Use the show spanning-tree command to create a network map with this information:
Root
Blocked and forwarding ports
Port costs
Look for reasons why the topology differs from the expected topology.
[Figure: overlaid show spanning-tree instance 1 output from switches A, B, C and D (MST Instance Information, Instance ID 1, Mapped VLANs 10), listing the Regional Root details and the Cost, Role, State and Designated Bridge of ports Trk1, Trk2 and Trk3]
If you have not configured MSTP correctly, segments of the network might become
isolated or certain hosts might lose connectivity. At the very least, your switches might
not be able to use the most efficient path for forwarding traffic.
You can troubleshoot by constructing a map of the network topology and comparing
it to the desired topology. Then you can look for reasons why the MSTP
implementation is not functioning correctly.
Use the show spanning-tree command to create your map of the topology. You
should obtain this information:
Once you know which links are forwarding and which are blocking, you can look for
configuration errors or ways to adjust the topology to create a more efficient traffic
flow.
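The map-building step above can be automated by parsing saved show spanning-tree output and comparing it with the planned topology. The following is an added example, not part of the course material: both samples are constructed in the layout of the Edge_2 output on this page, port name 24 is an assumption, and the second sample models the case where priorities are left at their defaults and an edge switch wins the root election.

```python
import re

# Planned topology from the page's example: the Router is Root Bridge.
EXPECTED_ROOT = {"mac": "0017a4-742700", "priority": 4096}
DEFAULT_PRIORITY = 32768  # standard default when no priority is configured

# Constructed sample modelled on the Edge_2 output; port name 24 is assumed.
SAMPLE_EDGE_2 = """\
  Switch MAC Address : 0019bb-aea640
  Switch Priority    : 8192
  Root MAC Address : 0017a4-742700
  Root Priority    : 4096
  Root Path Cost   : 20000
  Root Port        : Trk1

  Port  Type      Cost      Priority State      | Designated Bridge
  ----  --------- --------- -------- ---------- + -----------------
  23    100/1000T 20000     128      Blocking   | 001635-b65040
  24    100/1000T 20000     128      Forwarding | 0019bb-aea640
  Trk1  100/1000T 20000     128      Forwarding | 0017a4-742700
"""

# Constructed failure case: all priorities at default, lowest MAC is root.
SAMPLE_DEFAULTS = """\
  Switch MAC Address : 0019bb-aea640
  Switch Priority    : 32768
  Root MAC Address : 001635-b65040
  Root Priority    : 32768
  Root Path Cost   : 20000
  Root Port        : 23

  Port  Type      Cost      Priority State      | Designated Bridge
  ----  --------- --------- -------- ---------- + -----------------
  23    100/1000T 20000     128      Forwarding | 001635-b65040
  24    100/1000T 20000     128      Forwarding | 0019bb-aea640
  Trk1  100/1000T 20000     128      Blocking   | 0017a4-742700
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.+?)\s*$")
PORT_RE = re.compile(
    r"^\s*(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\w+)\s*\|\s*"
    r"([0-9a-f]{6}-[0-9a-f]{6})\s*$")


def parse_show_spanning_tree(text):
    """Split the output into 'Label : value' fields and port table rows."""
    fields, ports = {}, []
    for line in text.splitlines():
        row = PORT_RE.match(line)
        if row:
            name, ptype, cost, prio, state, bridge = row.groups()
            ports.append({"port": name, "type": ptype, "cost": int(cost),
                          "priority": int(prio), "state": state,
                          "designated_bridge": bridge})
            continue
        field = FIELD_RE.match(line)
        if field:
            fields[field.group(1)] = field.group(2)
    return {"fields": fields, "ports": ports}


def blocked_ports(parsed):
    """Ports that Spanning Tree is holding in the blocking state."""
    return [p["port"] for p in parsed["ports"] if p["state"] == "Blocking"]


def configured_step(parsed):
    """Priority argument (0-15) that yields the displayed Switch Priority."""
    return int(parsed["fields"]["Switch Priority"]) // 4096


def review(parsed, expected_root):
    """Return findings where the observed topology departs from the plan."""
    fields, findings = parsed["fields"], []
    root_mac = fields.get("Root MAC Address")
    root_priority = int(fields.get("Root Priority", -1))
    if root_mac != expected_root["mac"]:
        findings.append(f"unexpected root bridge {root_mac}, "
                        f"expected {expected_root['mac']}")
    elif root_priority != expected_root["priority"]:
        findings.append(f"root priority is {root_priority}, "
                        f"expected {expected_root['priority']}")
    switch_priority = int(fields["Switch Priority"])
    if switch_priority % 4096:
        findings.append(f"switch priority {switch_priority} is not a "
                        "multiple of 4096")
    if switch_priority == DEFAULT_PRIORITY:
        findings.append("switch priority left at default 32768")
    return findings


if __name__ == "__main__":
    for label, text in (("planned", SAMPLE_EDGE_2), ("defaults", SAMPLE_DEFAULTS)):
        parsed = parse_show_spanning_tree(text)
        print(label, "blocked:", blocked_ports(parsed),
              "findings:", review(parsed, EXPECTED_ROOT))
```

Run against output collected from every switch, the same check shows when the Root Bridge has moved to a device other than the one chosen in the plan.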
Troubleshooting MSTP
Symptom
Possible problem
Key Insights
Learning check
After each module, your facilitator will lead a class discussion to capture key insights
and challenges from the module and accompanying lab activity. To prepare for the
discussion, answer each of the questions below.
1.
2.
3.
What is the significance of the Root Port in the display of Spanning Tree details?
a.
It is the port on the switch that has the lowest link cost.
b.
c.
It is the port that leads to the lowest cost path to the Root Bridge.
d.
Which strategy will assure connectivity for users in all VLANs in a switched
environment that uses RSTP to resolve redundant links?
a.
b.
c.
d.
4.
5.
What configuration items must be identical among all switches in the same MST
Region? Choose all that apply.
a.
Bridge Priority
b.
Configuration name
c.
d.
Port Priority
e.
VLAN-to-instance mappings
STP
b.
RSTP
c.
MSTP
d.
PVST
6.
You must configure a 5406zl switch for installation on a customer network where
existing switches use RSTP. What is necessary to enable the 5406zl to
participate in the Spanning Tree on this network?
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
Configuring IP Routing
Module 7
Module 7 objectives
After completing Module 7 of HP Access Layer Network Technologies using
ProVision Software, you will be able to:
Given a network design, configure and verify RIP at the HP E-Series CLI
Lab activity 7 preview: Planning IP routing
[Figure: Intranet Core (10.0.0.0/16) connected to Floor 1 (10.1.0.0/16), Floor 2 (10.2.0.0/16), Floor 3 (10.3.0.0/16), Floor 4 (10.4.0.0/16), Floor 5 (10.5.0.0/16) and Floor 6 (10.6.0.0/16). Close up of Floor X (10.X.0.0/16): ProCurve Switch 5406zl with VLAN 10 (10.X.10.0/24), VLAN 20 (10.X.20.0/24), VLAN 30 (10.X.30.0/24) and VLAN 40 (10.X.40.0/24)]
What role does IP routing play in the SMB scenario that you have been configuring?
Where would you implement IP routing in this topology? What advantages and
disadvantages are offered by implementing routing in different areas?
[Figure: Intranet Core (10.0.0.0/16) connected to Floor 2 (10.2.0.0/16), Floor 3 (10.3.0.0/16), Floor 4 (10.4.0.0/16), Location 5 (10.5.0.0/16) and Location 6 (10.6.0.0/16). Callout: All switches shown here implement routing.]

VLAN  User Group       Address range
----  ---------------  -------------
                       10.x.1.0/24
      Server           10.x.2.0/24
10    Marketing        10.x.10.0/24
20    Sales            10.x.20.0/24
30    Manufacturing    10.x.30.0/24
40    Human resources  10.x.40.0/24
After routing configuration is complete, the topology for the SMB envisioned on Day
1 will be complete. All six floors will be interconnected, enabling users to exchange
data with other users, to access resources in the server VLAN, and to access the
Internet.
Lab activity: static routing
4. Test connectivity.
Figure 7-3: Lab activity preview: Configuring IP static routing
Lab Activity 7.1 will enable you to configure and test static routes using HP E-Series
routing switches. You will begin the activity by configuring your Edge_2 switch to
perform default gateway services for VLANs 20, 30, 40. Next, you will configure
static routes enabling clients in those VLANs to access resources in VLAN 2 and
VLAN 10. After testing and confirming this configuration, you will enable and test
connectivity with the Classroom Core switch, a simulated Internet address, and other
classroom groups.
By the end of Lab Activity 7.1, your group topology will be similar to Figure 7-4. The
most important change is the configuration of routing services on Edge_2, which
will be renamed Router_2. To act as default gateway for VLANs 20, 30, and 40,
Router_2 will be configured with IP interfaces in these VLANs. Router will be
renamed Router_1 and will no longer require IP interfaces for VLANs 20, 30,
and 40.
VLANs 20, 30, and 40 will be deleted from the link between the routers. VLAN 100
will be configured to connect Router_2 and Router_1. VLAN 200 will connect
Router_1 to the Classroom Core. All switches will remain in VLAN 1 for management
connectivity.
Steps in static routing configuration
1. Restore the configuration from Lab 5
2. Modify VLAN topology to support Layer 3 connectivity between Router_1 and Router_2.
3. Configure Router_2 with IP interfaces in VLANs 20, 30, 40.
Configuring static routes
Configure static routes on Router_1 and Router_2 to enable connectivity within your group
To enable connectivity for all VLANs in your group, you will configure static routes on
Router_1 and Router_2. In both cases, you will configure specific static routes that will
enable forwarding to other VLANs in your group. Later in this activity, you will
explore the uses of default routes in this topology.
Note that the static routes in the figure overlap locally connected routes on both
routers. It may seem that this will create a routing conflict because the routers will be
configured with two conflicting routes to the same location. For instance, Router_1
now has a locally connected route to 10.x.10.0/24 and a static route to
10.x.0.0/16. The range specified in the static route includes the range for the locally
connected route.
However, Router_1 will forward VLAN 10 traffic to Edge_1 instead of Router_2
because routers always use the most specific route in their tables when route table
entries conflict.
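The most-specific-route rule can be checked with a short longest-prefix-match lookup; this is an added example, not part of the course material. It uses Group 1 (x = 1), and the next-hop labels and the default route toward the Classroom Core are assumptions made for illustration.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "prefix next_hop kind")


def make_table(entries):
    """Turn (prefix, next_hop, kind) tuples into Route records."""
    return [Route(ipaddress.ip_network(p), nh, kind) for p, nh, kind in entries]


# Constructed table for Router_1 in Group 1 (x = 1). Next hops are labels,
# not switch syntax; the default route toward the Classroom Core is assumed.
ROUTER_1 = make_table([
    ("10.1.2.0/24",   "VLAN 2",           "connected"),
    ("10.1.10.0/24",  "VLAN 10 (Edge_1)", "connected"),
    ("10.0.200.0/24", "VLAN 200",         "connected"),
    ("10.1.0.0/16",   "Router_2",         "static"),
    ("0.0.0.0/0",     "10.0.200.1",       "static"),
])


def lookup(table, destination):
    """Return the matching route with the longest prefix, or None."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def overlaps(table):
    """For each route, list the less specific routes whose range contains it.

    Useful when reviewing a table: every entry listed here wins over the
    wider routes for the addresses it covers.
    """
    report = {}
    for r in table:
        wider = [w for w in table
                 if w.prefix.prefixlen < r.prefix.prefixlen
                 and r.prefix.subnet_of(w.prefix)]
        if wider:
            wider.sort(key=lambda w: w.prefix.prefixlen, reverse=True)
            report[str(r.prefix)] = [str(w.prefix) for w in wider]
    return report


if __name__ == "__main__":
    for dst in ("10.1.10.25", "10.1.20.7", "10.3.10.5"):
        r = lookup(ROUTER_1, dst)
        print(f"{dst:<12} -> {r.prefix} via {r.next_hop} ({r.kind})")
    for prefix, wider in overlaps(ROUTER_1).items():
        print(f"{prefix} also falls inside {', '.join(wider)}")
```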
Connecting to Classroom Core
Classroom Core switch provides links to other groups
IP address: 10.0.200.x1/24
default route
Of course, users connected to your VLANs will require access to resources outside
your group, which represents a single floor in the SMB building. To accomplish this
goal, you will connect Router_1 to a core switch managed by your facilitator.
Final topology connects all groups
Classroom Core: 10.0.200.1/24
Group 1: 10.0.200.11/24
Group 2: 10.0.200.21/24
Group 3: 10.0.200.31/24
Group 4: 10.0.200.41/24
Group 5: 10.0.200.51/24
Group 6: 10.0.200.61/24
When this activity is complete, you will test connectivity to the Classroom Core
network, to the simulated Internet location, and to VLANs in other groups. All groups
will be connected to the Classroom Core by links that are untagged members of
VLAN 200.
Using Wireshark
Collects traffic
Decodes traffic
[Figure: local mirroring on a ProCurve Switch 5406zl to the device running Wireshark]
mirror 1 port a1
interface b23-b24 monitor all both mirror 1
A packet capturing application collects traffic that arrives on a NIC, decodes the
traffic, and displays information about it in a GUI. By providing you with an in-depth
look at exactly what is happening in the network, the packet capture furnishes you
with a powerful tool for monitoring and troubleshooting. Throughout the rest of this
course, you will use Wireshark, a freely available packet capturing application, to
monitor your network at a deeper level.
To capture and analyze traffic with Wireshark, you must mirror the traffic to a NIC on
the device that runs the application. The figure shows the commands for setting up
local mirroring:
1. You must specify the mirror port to which traffic is mirrored; this is the switch port
to which the device running Wireshark connects.
Switch(config)# mirror <session ID> port <port ID>
2. You must also specify the monitor ports from which traffic is mirrored; these are
ports that send or receive traffic that is interesting to you.
Switch(config)# interface <port list> monitor all [in | out | both] mirror <session ID>
Note
The in keyword captures traffic that is received on the port, the out keyword
captures traffic sent on the port, and the both keyword captures both. The HP E-Series
devices support more mirroring capabilities, which you can learn about in
higher-level courses.
With mirroring configured, you can activate a capture on Wireshark. Select Capture
> Interface and select the Ethernet interface to which traffic is mirrored. Wireshark
displays traffic as the interface receives it:
The top pane displays a list of packets and summary information about them.
The middle pane displays the decoded data in the packet selected in the top
pane. You will see a line for each header as well as a line for the application
data (if present). You can expand the headers and view specific information in
various fields. You can also expand the application data and view it.
The bottom pane displays the specific bytes that form the data that is selected in
the middle pane.
There is much more to learn about using Wireshark, but you now know enough to
get started exploring the application yourself.
Key Insights
Dynamic routing
Used for more complex network topologies
Routers communicate to discover available routes and the best paths to destinations
[Figure labels: ISP, Main office]
Types of dynamic routing protocols
Interior Gateway Protocol (IGP)
[Figure labels: ISP, BGP4, Main office, RIP, OSPF]
The two major categories of dynamic routing information exchange protocols are:
1.
2.
EGPs are most commonly used by ISPs to enable connectivity between customers and
the Internet. An Internet Service Provider is likely to use a combination of interior and
exterior gateway protocols to facilitate exchange of routing information among the
routers that make up its own internal network as well as with the routers at customer
locations.
HP E-Series support
Several HP E-Series switch models, including all of the ProVision ASIC switches,
support RIP. The ProVision ASIC switches support OSPF, but a Premium License is
required to implement OSPF on the 3500yl, 5400zl, and 6660. The 8212zl supports
OSPF without a Premium License.
Two types of standard interior gateway protocols are commonly used in IP networks:
1. Distance-vector protocols
Routers using these protocols integrate information into their route tables and
re-send the resulting entries, as modified from their own perspectives. RIP is a
common example of a distance-vector protocol.
2. Link-state protocols
Routers using these protocols establish neighbor relationships with adjacent
routers. Routers generate updates based on local information and send the
updates to neighbors, who then flood updates to all their neighbors. Ideally,
within a few milliseconds, every router in an administratively defined area has
identical information. Each router builds a logical tree that traces out the shortest
path to each advertised destination, using itself as the root. As a result, every
router has a consistent picture of the network from its own perspective. OSPF is a
common example of a link-state protocol.
While RIP and other distance-vector protocols are easier to configure than link-state
protocols, the distance-vector protocols have one serious disadvantage. Changes in
routing topology often propagate slowly because information in a router's table is
acquired from other routers that may be as many as 15 hops away.
OSPF, like other link-state protocols, avoids the convergence issues of RIP by not
relying on second-hand information. A router sends an advertisement when it
recognizes a link-state change. Along with the topology change, the update contains
the attributes of all of the router's currently active links. The router sends the
advertisement to its immediate neighbors, which are required by the protocol to
immediately flood the advertisement to all of their neighbors.
Unlike RIP routers, OSPF routers do not increment the costs as they flood updates. In
fact, an OSPF router is not permitted to make any changes to advertisements it
receives on one network before sending them out onto another network. As a result, all
of the routers in the OSPF area have a consistent picture of the connections
between all routers and networks in the area.
Each router builds a tree based on first-hand information that traces the shortest
path between itself and every router and network in the area. When a link state
changes, the router recalculates the tree based on the new information. Ideally, less
than a second passes between the time the router advertises its new state and the
time when all of the routers have found an alternate path, if one exists.
RIP update example
Router_1 in Group 1 sends periodic updates over interface 10.0.200.0/24

Networks         Metric
10.1.2.0/24      1
10.1.20.0/24     2
10.2.10.0/24     16
10.3.10.0/24     16

Destination      Gateway        Type   Metric
10.1.2.0/24      10.0.200.11    RIP    2
10.1.20.0/24     10.0.200.11    RIP    3
10.2.10.0/24     10.0.200.21    RIP    3
10.3.10.0/24     10.0.200.31    RIP    3

[Figure labels: Core 10.0.200.1; Router_1 (Group 1) 10.0.200.11; 10.0.200.21; 10.0.200.31]
When RIP is enabled on an interface, the router prepares an update that advertises
the address ranges in its route table. In many cases, each address range in the table
represents a network, a single broadcast domain. However, this is not always the
case. Sometimes the entries represent an address range that includes many networks,
known as a summarized network.
In the example above, Router_1 in Group 1 advertises all of its connected networks
except the network associated with the interface through which the router sends the
update. In the example above, the RIP update is being sent over the interface
10.0.200.11/24. Accordingly, network 10.0.200.0/24 is omitted from the update.
By default, this update occurs every 30 seconds. When this interval expires, the
router sends updates over all of its RIP-enabled interfaces.
The metric associated with each of the advertised networks is 1 for directly connected
networks and 2 or more for remote networks. While Router_1 internally associates a
metric of 0 with its locally connected networks, it advertises these networks with a
cost of 1. In some vendor implementations, the cost used internally will be 1.
However, the external cost reported is the same.
An alternative to poison reverse for preventing routing loops is split horizon, which
requires a router to never advertise a route to the neighbor from which it was
learned. In general, poison reverse is preferred in multi-path networks because it
offers faster convergence times.
For information on disabling poison reverse and enabling split horizon, see the
Multicast and Routing Guide for a given HP E-Series routing switch model.
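The update on the RIP update slide can be reproduced with a small model of how a RIP router builds and processes updates; this is an added example, not from the course material or from HP software. With poison reverse a router advertises routes back over the interface on which it learned them with metric 16, whereas split horizon leaves them out. The interface names, Router_1's stored metrics and the updates from the Group 2 and Group 3 routers are constructed to match the slide.

```python
INFINITY = 16  # RIP metric that means "unreachable"

# Constructed route table for Router_1 in Group 1, limited to the networks on
# the slide. gateway None = locally connected (internal metric 0). Interface
# names and the "Router_2" gateway label are illustrative assumptions.
ROUTER_1 = {
    "10.0.200.0/24": {"metric": 0, "iface": "vlan200", "gateway": None},
    "10.1.2.0/24":   {"metric": 0, "iface": "vlan2",   "gateway": None},
    "10.1.20.0/24":  {"metric": 2, "iface": "vlan100", "gateway": "Router_2"},
    "10.2.10.0/24":  {"metric": 3, "iface": "vlan200", "gateway": "10.0.200.21"},
    "10.3.10.0/24":  {"metric": 3, "iface": "vlan200", "gateway": "10.0.200.31"},
}


def build_update(table, out_iface, mode="poison_reverse"):
    """Return {prefix: advertised metric} for an update sent over out_iface."""
    if mode not in ("poison_reverse", "split_horizon"):
        raise ValueError(f"unknown mode: {mode}")
    update = {}
    for prefix, r in table.items():
        connected = r["gateway"] is None
        if r["iface"] == out_iface:
            if connected:
                continue                 # receivers already sit on this network
            if mode == "split_horizon":
                continue                 # stay silent about routes learned here
            update[prefix] = INFINITY    # poison reverse: advertise as unreachable
            continue
        # Connected networks are advertised with cost 1; learned routes keep
        # the metric stored when they were received.
        update[prefix] = 1 if connected else r["metric"]
    return update


def receive_update(table, update, gateway, iface):
    """Apply one neighbor's update to table using the distance-vector rules."""
    for prefix, advertised in update.items():
        metric = min(advertised + 1, INFINITY)   # add the cost of the hop
        new = {"metric": metric, "iface": iface, "gateway": gateway}
        current = table.get(prefix)
        if current is None:
            if metric < INFINITY:
                table[prefix] = new
        elif current["gateway"] == gateway:
            current["metric"] = metric   # same neighbor: always believe it
        elif metric < current["metric"]:
            table[prefix] = new          # strictly better path via another neighbor
    return table


def core_table(updates):
    """Build the table of a neighbor on 10.0.200.0/24 from (gateway, update) pairs."""
    table = {"10.0.200.0/24": {"metric": 0, "iface": "vlan200", "gateway": None}}
    for gateway, update in updates:
        receive_update(table, update, gateway, "vlan200")
    return table


# Constructed updates: Router_1's own, plus one each from the Group 2 and
# Group 3 routers with metrics chosen to give the table on the slide.
NEIGHBOR_UPDATES = [
    ("10.0.200.11", build_update(ROUTER_1, "vlan200")),
    ("10.0.200.21", {"10.2.10.0/24": 2}),
    ("10.0.200.31", {"10.3.10.0/24": 2}),
]

if __name__ == "__main__":
    print("poison reverse:", build_update(ROUTER_1, "vlan200"))
    print("split horizon: ", build_update(ROUTER_1, "vlan200", "split_horizon"))
    for prefix, r in sorted(core_table(NEIGHBOR_UPDATES).items()):
        print(f"{prefix:<15} {r['gateway'] or 'connected':<12} {r['metric']}")
```

The poisoned entries never displace the routes learned from 10.0.200.21 and 10.0.200.31, whichever order the updates arrive in.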
Redistributing routes
By default, RIP updates from HP E-Series routing switches include:
Directly connected networks
Routes to RIP-enabled interfaces
By default, RIP updates from HP E-Series ProVision ASIC routing switches include all
directly connected routes, as well as routes to RIP-enabled interfaces and routes
learned through RIP updates. You must manually configure the router to redistribute
static routes or routes learned through OSPF.
For example, you could enable RIP on a router that connects to an external network
using OSPF instead of RIP. You could then enable OSPF redistribution so that the
router's RIP neighbors would learn the routes learned through OSPF.
Implementing RIP
1. Enable RIP globally
2. Configure RIP version number if necessary
[Figure labels: Class_Core, Router_1, Router_2]
The process for implementing RIP on HP E-Series routing switches involves three
straightforward steps. After enabling RIP globally, you configure the RIP version, if
necessary, and then specify the interfaces that will participate in the RIP
advertisement process. Generally, RIP advertisements are exchanged only over
switch-to-switch links. Networks that connect to hosts are advertised as directly
connected networks, if appropriate.
RIP versions
By default, ProVision ASIC switches implement RIP v2, which was defined in 1994 in
RFC 2082. RIP v2 is in nearly universal use among LAN routers, so it is rarely
necessary to change the RIP version during configuration. However, HP E-Series
routing switches support either version or both versions simultaneously. For
information on changing RIP versions, see the Multicast and Routing Guide for your
switch model.
RIP v2 addressed several significant limitations of RIP v1 by offering support for
variable subnet masks and for router authentication. RIP v2 uses a multicast
destination address to send updates, whereas RIP v1 uses a broadcast address.
Routers or other devices on a network that do not support RIP v2 will not process a
RIP update because they are not members of the RIP Routers multicast group
(224.0.0.9).
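To see these RIP v2 features in a capture (a subnet mask in every route entry, an optional authentication entry), the following added example decodes the UDP payload of a RIP message and reports what a reviewer would check. It is not from the course material; the field layout follows RFC 2453, and the sample update is constructed from the networks on the RIP update slide.

```python
import ipaddress
import struct

AFI_IP, AFI_AUTH = 2, 0xFFFF     # address family values in a 20-byte entry
AUTH_SIMPLE_PASSWORD = 2         # authentication type carried in an AFI_AUTH entry
ENTRY = "!HH4s4s4sI"             # AFI, route tag, address, mask, next hop, metric


def parse_rip(payload):
    """Decode the UDP payload of a RIP message into a dict."""
    if len(payload) < 4 or (len(payload) - 4) % 20:
        raise ValueError("expected a 4-byte header followed by 20-byte entries")
    command, version, _ = struct.unpack("!BBH", payload[:4])
    msg = {"command": command, "version": version, "auth_type": None, "routes": []}
    for off in range(4, len(payload), 20):
        afi, tag, addr, mask, next_hop, metric = struct.unpack(
            ENTRY, payload[off:off + 20])
        if afi == AFI_AUTH:
            msg["auth_type"] = tag   # in this entry the tag field is the auth type
            continue
        address = ipaddress.IPv4Address(addr)
        if version >= 2:
            netmask = ipaddress.IPv4Address(mask)
            prefix = str(ipaddress.ip_network(f"{address}/{netmask}", strict=False))
        else:
            prefix = str(address)    # RIP v1 entries carry no subnet mask
        msg["routes"].append({
            "prefix": prefix,
            "next_hop": str(ipaddress.IPv4Address(next_hop)),
            "metric": metric,
        })
    return msg


def audit(msg):
    """Return review findings for one decoded RIP message."""
    findings = []
    if msg["version"] < 2:
        findings.append("RIP v1 update: no subnet masks, no authentication")
    elif msg["auth_type"] is None:
        findings.append("unauthenticated RIP v2 update")
    elif msg["auth_type"] == AUTH_SIMPLE_PASSWORD:
        findings.append("simple password authentication: password is sent in clear text")
    for r in msg["routes"]:
        if not 1 <= r["metric"] <= 16:
            findings.append(f"{r['prefix']}: metric {r['metric']} outside 1..16")
    return findings


def sample_update(password=None):
    """Constructed RIP v2 response carrying the four networks from the slide."""
    entries = [("10.1.2.0", 1), ("10.1.20.0", 2), ("10.2.10.0", 16), ("10.3.10.0", 16)]
    body = b""
    if password is not None:
        body += struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE_PASSWORD, password)
    for net, metric in entries:
        body += struct.pack(ENTRY, AFI_IP, 0,
                            ipaddress.IPv4Address(net).packed,
                            ipaddress.IPv4Address("255.255.255.0").packed,
                            ipaddress.IPv4Address("0.0.0.0").packed,
                            metric)
    return struct.pack("!BBH", 2, 2, 0) + body   # command 2 = response, version 2


if __name__ == "__main__":
    for label, payload in (("no auth", sample_update()),
                           ("password", sample_update(b"constructed"))):
        msg = parse_rip(payload)
        print(label, [(r["prefix"], r["metric"]) for r in msg["routes"]], audit(msg))
```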
[Figure: Class_Core, Router_1, Router_2, Edge_1 and Edge_3. Link labels: Untagged VLAN 200; Untagged VLAN 1, Tagged VLAN 10; Untagged VLAN 1, Tagged VLAN 100; Untagged VLAN 1, Tagged VLAN 30,40]
In each classroom group, you will enable RIP on Router_1 and on Router_2. The
basic process for each router will be the same, as shown in Figure 7-16:
1. Enable RIP globally by entering router rip in the global configuration context.
2. Enable RIP for each VLAN that must support RIP updates. On Router_1, this will
include VLAN 100 and VLAN 200.
In Figure 7-16, the administrator enables RIP for the VLAN interfaces by entering the
ip rip command in the RIP configuration context. Alternatively, the administrator could
issue the command in the VLAN configuration contexts.
Other RIP parameters, such as redistribute, also are entered in the RIP context. If you
need to configure RIP parameters after RIP is enabled, you can re-enter the RIP
configuration context by entering router rip in the global configuration context.
Entering this command will not disable RIP or otherwise affect the status of RIP on the
switch. To disable RIP, enter no router rip in the global configuration context.
[Figure: Router_1, Router_2, Edge_1 and Edge_3. Link labels: Untagged VLAN 1, Tagged VLAN 10; Untagged VLAN 1, Tagged VLAN 100; Untagged VLAN 1, Tagged VLAN 30,40]
The steps for enabling RIP on Router_2 are the same as the steps for Router_1 with
one exception. RIP must be enabled only on VLAN 100 on Router_2.
The show ip rip command is the basic tool for verifying RIP configuration on an HP
E-Series routing switch. The basic options for this command are shown in Figure 7-18.
The show ip rip general option provides the same output as show ip rip. Both
commands show all configured RIP interfaces and discovered peers.
show ip rip for Router_1
When all groups have completed their configurations, the route table for Router_1
will show RIP routes from all other groups and from Router_2, as well as connected
routes associated with VLAN 2 and VLAN 10.
Key Insights
Learning check
After each module, your facilitator will lead a class discussion to capture key insights
and challenges from the module and accompanying lab activity. To prepare for the
discussion, answer each of the questions below.
1.
2.
3. What is the effect of the following command entered at the CLI of an E3500 switch?
Switch(config)# ip route 0.0.0.0/0 192.168.254.100
a. The switch will drop all packets arriving through the interface 192.168.254.100.
b. The switch will forward all packets destined for networks not in its route table to 192.168.254.100.
c. The switch will perform default gateway services for hosts in the 192.168.254.0/24 subnet.
4.
a. The switch will delete the route to 172.16.30.0 from its route table and replace it with the new route.
b.
c. The switch will not include either route in its route table because they conflict.
5.
a. static
b. OSPF
c. Default
d. connected
Module 8 objectives
After completing Module 8 of HP Access Layer Network Technologies using
ProVision Software, you will be able to:
Compare and contrast controlled mode and autonomous mode for HP E-Series MultiService Mobility (E-MSM) Access Points (APs)
Describe the 802.11 a/b/g/n wireless LAN standards
Describe Power over Ethernet (PoE) technologies supported by E-MSM APs and E-Series switches
Access the Web browser interface to manage an E-Series MSM AP
Configure Virtual Service Communities (VSCs) to provide access for varying user groups
Configure VLANs on autonomous E-MSM APs
Lab activity 8 preview
[Figure labels: Core; Floor 1 through Floor 6]
The SMB now has a solid wired network, but most companies today also require
wireless connectivity. Brainstorm reasons for an SMB to implement a mobility
solution; what business benefits does mobility bring?
Assign IP settings.
Secure management access.
Configure a VSC.
Create
Establish
In Lab Activity 8, you deploy a standalone HP E-MSM AP that supports basic, but
secure wireless services. You will also ensure that the AP can forward traffic in
the LAN.
By the end of Lab Activity 8, you will have connected your AP to your LAN and configured the AP to support secure wireless services. This AP will bridge wireless users' traffic into the LAN on a new VLAN reserved for wireless access. As you see, in this lab, the AP connects to Router_2, which can act as the wireless users' default gateway. If another device were the default gateway, you would need to extend the new VLAN to that device, remembering to add the IP settings for the new VLAN.
In an alternative configuration, the AP forwards wireless users' traffic in existing VLANs.
Note
To implement the alternative solution, the AP might either need to support
different VSCs, each associated with a different VLAN, or to authenticate users to
a network authentication server that provides dynamic VLAN assignments. This
course does not cover dynamic VLANs.
You will now practice assessing the mobility requirements for the SMB described
below. Your instructor will provide you job aids, which will help you now and later in
the workplace.
Scenario
The figure displays the one-floor office building of a very small business with about
thirty employees. The company wants to add wireless coverage, in particular in the
common space in the south-west corner and the conference room at the north end,
but also throughout the building.
You have found out the following information by talking to the head of the company
and by conducting a site survey:
Users are planning to use the wireless connections primarily for checking and sending email, conducting research on the Internet, and updating spreadsheets and databases stored on company servers. Some of these activities involve sensitive or proprietary data.
The walls at the site consist of drywall. Most of the office is open space with cubicle dividers. Both the closed offices and the cubicles contain wooden desks and metal filing cabinets.
The neighboring office buildings have wireless networks on 2.4 GHz channel 1 and 5 GHz channel 36.
The company's computers and laptops have wireless NICs that support 802.11a/b/g.
The company has a Web server and a data server, but no domain or RADIUS services.
Consider the exact channels for your AP radios, taking into account overlapping
radio signals.
Consider the company's need for security and select a wireless security option.
Configuring PoE
PoE
Allocate
PoE demand) + (AP2 PoE demand ) < Switch total PoE power
In
You might want to establish PoE connections for your APs so that you do not have to manage power supplies for devices in hard-to-access locations. Instead, the Ethernet cable provides both connectivity and power.
Both ends of the connection must support PoE (802.3af). All HP E-MSM APs support this protocol as powered devices (PDs), the devices receiving power. Many HP E-Series switches feature PoE-capable ports, which are power sourcing equipment (PSE), the components providing power. If your switch does not provide PoE, you could alternatively connect your AP to a PoE injector.
The AP will automatically draw power on the cable if it has no other power source.
You do not need to complete any configuration; simply connect the AP to a PSE.
To configure PoE on an HP E-Series switch, you must:
1. Ensure that PoE is enabled on the switch port. This step is optional. By default, PoE is enabled on all HP E-Series switch ports that support PoE. The command for enabling and disabling PoE is:
Switch(config)# [no] interface <port list> power-over-ethernet
In addition, by default, the switch allocates just as much power to the port as the device draws. (The switch could also allocate a set number of Watts or a set power class, which defines the number of Watts. Refer to your switch's Management and Configuration Guide for more information.)
In short, establishing the PoE connection might be as simple as connecting the cable.
2. Plan the PoE power budget. The maximum power allowed over a standard PoE connection is 15.4 W. The HP E-Series APs draw between 6W and 12W depending on the number of radios and the radio operation modes (802.11n generally requires more power).
Note
Some 802.11n APs draw more than 15.4W, which means that they require PoE+
(802.3at) support. However, the HP E-MSM 802.11n-capable APs use PoE
(802.3af).
You can look up how much power your APs require in their datasheets. Add up the power demands and determine whether they exceed the amount of power provided by your switch, which you can find in the switch's datasheet. Note, however, that when a switch reaches less than 17W remaining PoE power, it cannot allocate any more power to a new device even if the device draws less than 17W. Therefore, you need to plan a slight amount of leeway.
You should also remember that other devices might draw power from the switch. Some switches provide enough power to fully provision every PoE port, in which case you do not need to worry. Other switches provide only enough power for some ports. In that case, you must either disable PoE on some ports or set up prioritization such that important devices like your APs are guaranteed the power that they need.
You can also connect many HP E-Series switches to an external power supply (EPS), which furnishes additional power for PoE.
Note
EPSs for HP E-Series devices include:
3. Set a PoE priority on the port. This step is optional. As mentioned above, you would only need to set a priority if you determine that the switch might not have enough power for all PoE devices that might connect to it.
The HP E-Series devices define three priority classes: Critical, High, and Low. All Critical ports are provisioned before any High ports, which are provisioned before any Low ports. In the case of a tie (for example, devices on Critical ports demand more power than is available), the lower numbered ports are provisioned first.
The command for setting the PoE priority class is:
Switch(config)# interface <port list> power-over-ethernet [critical | high | low]
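The budget rule from step 2 and the priority order from step 3 can be checked on paper before any device is connected. The script below is an added planning example, not HP code or a switch feature; the 60 W budget, port numbers and device draws are constructed sample values, and the model is a simplification of the rules stated above.

```python
from dataclasses import dataclass

PORT_MAX_W = 15.4   # maximum power over a standard PoE (802.3af) connection, per the guide
HEADROOM_W = 17.0   # guide: below 17 W remaining, the switch powers no further device
PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}


@dataclass(frozen=True)
class PoEPort:
    port: int        # switch port number
    priority: str    # "critical", "high" or "low"
    draw_w: float    # device draw in watts, taken from its datasheet


def plan_poe(total_budget_w, ports):
    """Simulate the provisioning order and return (powered, denied, remaining_w).

    Ports are served Critical, then High, then Low; within a class the
    lower-numbered port goes first, as described in step 3.
    """
    for p in ports:
        if p.priority not in PRIORITY_RANK:
            raise ValueError(f"port {p.port}: unknown priority {p.priority!r}")
    remaining = float(total_budget_w)
    powered, denied = [], {}
    order = sorted(ports, key=lambda p: (PRIORITY_RANK[p.priority], p.port))
    for p in order:
        if p.draw_w > PORT_MAX_W:
            # Device exceeds what an 802.3af port may deliver.
            denied[p.port] = "needs PoE+ (802.3at)"
        elif remaining < HEADROOM_W:
            # The 17 W rule: refused even if the device itself draws less.
            denied[p.port] = "less than 17 W left in budget"
        else:
            remaining -= p.draw_w
            powered.append(p.port)
    return powered, denied, round(remaining, 1)


# Constructed sample: two APs on Critical ports, other devices on High and Low.
SAMPLE_PORTS = [
    PoEPort(1, "low", 12.0),
    PoEPort(2, "critical", 12.0),
    PoEPort(3, "critical", 12.0),
    PoEPort(5, "high", 10.0),
    PoEPort(7, "low", 6.0),
    PoEPort(9, "high", 16.0),
]

if __name__ == "__main__":
    powered, denied, remaining = plan_poe(60, SAMPLE_PORTS)
    print("powered in order:", powered)
    for port, reason in sorted(denied.items()):
        print(f"port {port} denied: {reason}")
    print("remaining budget (W):", remaining)
```

In the sample, the 6 W device on port 7 is refused although 14 W remain, which is the leeway the text tells you to plan for.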
Accessing a new HP E-MSM AP initially
[Figure: direct connection at default address; indirect connection at default address; indirect connection at DHCP address. Labels: 192.168.1.1/24, 192.168.1.2/24, DHCP address, DHCP server, PoE connection, ProCurve Switch 5406zl]
IP address = 192.168.1.2
You can actually use any IP address in the 192.168.1.0/24 subnet except
192.168.1.1.
Username = admin
Password = admin
Note
It is recommended that you use Internet Explorer 7.0 or Mozilla Firefox 2.0 to access the AP's Web browser interface, but you might be able to use other browsers as well.
Converting the HP E-MSM AP to standalone mode
[Figure: 2. If necessary, set a static IP address.]
1. Accept a license.
2.
3.
4. Change the password (and username) for management access to the AP.
You are then placed at the home page for the AP. As you will see in the lab, the AP's Web browser interface has a navigation bar at the top. This bar includes tabs for various configuration and management tasks. When you select a tab, the subtabs for that tab are displayed in a row below. Select a subtab to configure specific settings.
If the AP is not using a fixed DHCP address, you must now set a static IP address. The figure shows the windows in which you do so:
1.
2.
You will see several ports listed. The port on which you configure the IP address is called the bridge port, which is a virtual port that handles bridging traffic on both the wireless radios and the AP's Ethernet port. Click Bridge port.
3.
4.
5.
Configuring VLANs
You must create the VLANs on which the AP bridges traffic:
1. Create a network profile.
Network > Network profiles > Add new profile
In a moment, you will learn how to create a Virtual Service Community (VSC), which
defines wireless services offered by the AP. If you want the AP to bridge wireless
traffic into a different VLAN from the one on which the AP has its IP address, you
must create that VLAN before configuring the VSC.
Follow these steps:
1.
b.
c.
d. Select the VLAN check box and specify the VLAN ID.
e. Click Save.
2.
b.
c.
d.
e. Select None for the IP address. (You want the AP to bridge traffic on this VLAN, not route it.)
f. Click Save.
Creating a VSC
A VSC defines:
1. WLAN settings: SSID, wireless security
2. Egress VLAN
3. Filters
A Virtual Service Community (VSC) defines the wireless services offered by the AP.
Thus it specifies not only WLAN settings but also the egress VLAN for wireless traffic
as well as filters that control the traffic.
WLAN and radio settings include:
Advanced settings, such as the supported data rates and QoS settings (these
settings are beyond the scope of this course)
Wireless security method:
WEP: Static WEP
You can set up to four keys each with an index number between 1 and 4. The wireless clients must have exactly the same key (whether in Hex or ASCII) and index number.
Caution
Static WEP is deprecated for enterprises because it is trivial for hackers to
download WEP cracking software. Even dynamic WEP is deprecated. You
should select WPA/WPA2 whenever possible.
The interface refers to WPA 802.1X mode as RADIUS because the wireless users must
authenticate to an external RADIUS server. Because many SMBs do not have such a
server, in this lab, you will use WPA/WPA2-PSK.
The figure shows where you set the egress VLAN with the VLAN that you created in
advance.
The filters enable you to filter wireless traffic by its destination MAC address. For example, you can restrict wireless users to sending traffic to the MAC address of their default gateway. This filter enables the wireless users to have their traffic routed, but not to reach other wireless users or devices in their VLAN, helping to minimize attacks by malicious authorized users. You can specify the users' default gateway simply by selecting the AP's default gateway, if they are the same, or you can specify the MAC address manually. The APs also support filters that restrict the wireless users to sending traffic to specific IP addresses (these filters do not restrict DNS and DHCP requests). If you want to learn more, refer to your AP's Management and Configuration Guide or attend the Implementing HP E-Series Wireless LANs course.
Lab Activity 8
The SMB administrators have decided that employees could be more productive if
they could gain network access more easily no matter where on site they move. You
must add a wireless AP to your floor. The AP will forward all wireless user traffic on a
new VLAN reserved for traffic from wireless users. You will also add this VLAN to the
switches and routing switches in your network.
Consult your Lab Activity Guide for instructions for performing this activity.
Key Insights
Learning check
After each module, your facilitator will lead a class discussion to capture key insights
and challenges from the module and accompanying lab activity. To prepare for the
discussion, answer each of the questions below.
1.
2.
3. You have an E2610-24-PoE switch to which you plan to connect your HP E-MSM320 AP. You want to power the AP using PoE. What is the absolute minimum setup that you must complete?
4. You set up a VSC on your HP E-MSM AP, ensure that the VSC is activated on the AP's radios, and that the radios are activated in AP mode. When you attempt to connect a client to the AP, you cannot even see your SSID in the list of wireless networks. What are potential causes and how might you attempt to resolve the problem?
Module 9 objectives
This module introduces you to HP's solution for managing HP E-Series switches, HP PCM and PCM+. By the time that you have finished this module, you will be able to:
PCM+, the HP management solution for HP E-Series devices, helps you to meet these challenges and spend your time more productively. From PCM+'s single-pane-of-glass interface, you can:
What is PCM+
You will now learn about the features of PCM+ and how to best deploy the solution
in various environments.
Note
This module covers the features provided by PCM+ 3.10 through auto-update 4.
Device discovery
PCM+ automatically discovers infrastructure devices and their attributes. It also
receives events from the devices and polls them for traffic samples and statistics.
Device management
PCM+ provides a variety of tools for device configuration and management,
including automated policies that you can fully customize.
PCM+ versus PCM features
[Figure: feature comparison, with some features marked "PCM+ only". Labels: Discovery (Ping, ARP, LLDP/CDP/FDP, manual); SNMP v2; SNMPv3; Custom groups; Configuration templates; Automated management; Network and VLAN mapping; Device and endpoint status; Advanced event browser; Email and pager notifications; Syslog; Configurable alerts; Find Node tools and consistency checks; In-depth traffic monitoring]
You will now examine these features in more detail. To obtain all these features, you must use PCM+, but HP offers a less full-featured version of PCM+, called PCM, for free. In the figure, the features supported by both PCM and PCM+ are displayed with solid colors. As you see, PCM+ provides a much wider range of capabilities for device management and for monitoring, analysis, and troubleshooting.
Discovery
Both PCM and PCM+ provide both manual and automatic device discovery through
a variety of methods. You will learn more about device discovery later in this module.
Device management
Using PCM, you can access the command line interface (CLI) on discovered devices and make configuration changes from the centralized location. You can also group devices together logically in custom groups.
However, only with PCM+ do you gain the power to use those group definitions to
fully automate device configuration. You can create configuration templates and
apply them to a custom group; when PCM+ discovers a new device, it assigns it to
the correct group (or you do) and then applies the correct template. Similarly, you
can create policies for automatic software updates.
PCM+ wizards hide the complexities of configuration from you. Your experience
managing the network becomes less device-interface based and more intuitive policy
based. For example, you can use the VLAN wizard to define where you want specific
PCM+ plug-ins
[Figure labels: PCM+; PMM; IDM; NIM; Controls users' access; Exchange information; Protects against attacks]
Plug-in applications
PCM+ becomes much more powerful as you add plug-ins (PCM does not support
any plug-ins). These plug-ins integrate seamlessly into the PCM+ management
platform and are managed from the same user interface.
The sections below briefly describe the current plug-in options.
Note
PCM+ provides a Configurable Integration Platform (CIP), which allows you to
integrate other applications of your choice into PCM+. You can add support for
third-party infrastructure devices, or you can add another management
application that you like to use. The CIP Wizard, with its intuitive interface,
makes it easy to integrate these applications.
From Mobility Manager's site view, which you can divide into different zones for ease of viewing, you can monitor the wireless network, searching for rogue APs, congestion, or areas with poor coverage. You can then run a wizard to adjust devices' radio settings to solve the problems that you detect.
Time
Location
PCM+ architecture
You can deploy PCM+ 3.10 in a distributed architecture in which some devices are
deployed at different sites. In this architecture, a single PCM+ server manages one or
more agents, one of which can be local (deployed on the same machine as the
server) and the others of which are remote. Each remote agent takes responsibility for
managing a set of devices, typically ones at their same site.
The advantages of this architecture include:
Devices can be managed at remote sites behind firewalls, which might otherwise
interfere with the management traffic.
Management traffic across WAN links is minimized.
More devices can be managed because the load is distributed across several
devices.
PCM+ architecture (cont.)
SNMP
Secure Copy Protocol (SCP), File Transfer Protocol (FTP), or Trivial File Transfer
Protocol (TFTP)
The managed devices can also send traffic samples with sFlow (or Extended Remote
Networking Monitoring [XRMON]).
[Figure: Distributed architecture. Labels: PCM+ server; PCM+ server/local agent, up to 2000 managed devices; Remote agent 1, up to 1500 managed devices; Remote agent 25, up to 1500 managed devices; up to 3500 total managed devices]
The maximum number of devices that PCM+ can support depends on whether you distribute the architecture or not. In a simple architecture, in which you have a PCM+ server and a single local agent, PCM+ can manage up to 2000 devices.
In either type of architecture, PCM+ can support up to 10 clients, including one local client, which is automatically installed on the same machine on which you install the PCM+ server. Remember: the agents are responsible for managing devices; you use the clients to access PCM+'s user interface.
Use model
Install PCM+.
Verify
Install
You will now learn guidelines for installing PCM+ components, including the server, agents, and clients. You begin to customize PCM+ for your environment during the installation, so it is important that you follow the correct process. You will practice installing PCM+ in the lab.
You will then learn about managing the network with PCM+. Describing all of the
tasks that you can perform in PCM+ exceeds the scope of this course. However, you
will learn how to log in to the user interface, begin navigating the interface, discover
users, and control managers.
PCM+ installation requirements
The machine on which you install each PCM+ component must meet requirements for:
OS
Network adapter speed
Disk space
Number of CPUs
Memory
You must carefully check the requirements for your environment, as they vary
depending on factors such as the deployment size. The tables give the current
requirements for PCM+ 3.10. Refer to the HP networking Web site for future
requirements.
OS
Windows 2008 Server Enterprise/Standard (32/64-bit)
Windows 2003 Server Enterprise SP2 (32-bit)
Windows XP Pro SP2/SP3 (32-bit)
Network adapter
Hard disk space
RAM
Number of CPUs
Dedicated 100 Mbps or 1 Gbps
60 GB
60 GB
100 GB
2 GB
2 GB
4 GB (6 GB recommended)
2
2
4
OS
2000 to 3500
Windows 2008 Server Enterprise/Standard (32/64-bit)
Windows 2003 Server Enterprise SP2 (32-bit)
Network adapter
Hard disk space
Dedicated 100 Mbps or 1 Gbps
60 GB
60 GB
100 GB
100 GB
RAM
2 GB
2 GB
4 GB (6 GB recommended)
5 GB
1 (6 GB recommended)
Number of CPUs
2
2
4
OS
Up to 50
50 to 1500
Windows 2008 Server Enterprise/Standard (32/64-bit)
Windows 2003 Server Enterprise SP2 (32-bit)
Windows XP Pro SP2/SP3 (32-bit)
Network adapter
Hard disk space
RAM
Number of CPUs
Dedicated 100 Mbps
40 GB
2 GB
80 GB
2 GB (3 GB recommended)
Note
You can also run the PCM+ agent on an HP ONE Services zl Module.
OS
Up to 1200
1200 to 3500
Windows XP Pro SP2/SP3 (32-bit)
Windows Vista Business/Ultimate SP1 (64-bit)
Network adapter
Hard disk space
RAM
Number of CPUs
Dedicated 100 Mbps
40 GB
2 GB
4 GB for Vista
60 GB
password settings
Discovery
Device management settings
Proxy
As you install PCM+, you customize it for your system. Among other settings, you must specify:
As you saw earlier, PCM+ uses SNMP v1/v2c and SNMPv3 to manage
devices. You must specify the correct version for your environment as well as
the SNMP settings configured on your devices:
PCM+ also uses Telnet or SSH to log in to managed devices' CLI. You must specify the correct manager and operator usernames and passwords. For SSH, you must also specify the version, password or shared key, and port.
Proxy server information: If your site uses a proxy server for Internet access, you must configure its IP address or name to enable PCM+ to download software updates for managed devices from the HP networking Web site.
Domain name: If you are installing IDM, you specify the name of the domain to which your users log in.
Install set: You also select the plug-ins that you want to install when you install PCM+. (You can also run the installation later to add a plug-in.) This course does not cover the plug-ins.
Installation considerations
Figure: The PCM+ server and PCM+ agent communicate over TCP on the PCM+ server port (default: 51111) and the PCM+ agent port (default: 51112).
The choices that you make for the agent settings when you install the PCM+ server
affect the setup that you must perform before installing remote agents. You will now
examine those settings and their implications in more detail.
First, you must select whether the server or remote agents initiate connections. Often,
the PCM+ server and PCM+ agent must communicate through a firewall at one or
both sites. It is recommended that you configure the component at the site with a
firewall to initiate connections (if both sites have a firewall, you can select either
component).
During the PCM+ server installation, you also configure the port at which the PCM+
server contacts the PCM+ agent. And, if you choose to allow agents to initiate
connections, you must also configure a server port at which the agent contacts the
server. The default server port is 51111, and the default agent port, 51112. It is
recommended that you use those ports unless another service in your environment
already does.
You can also choose whether the server and agent encrypt communications with SSL
or transmit them in plaintext; encryption is highly recommended.
Note
You can also configure these and other server and agent settings after installing
the PCM+ server using the PCM+ client.
Whichever device initiates the connection, you must open any intervening firewall
to allow outbound or inbound sessions on the appropriate ports. The figure illustrates
the opening of the firewall for both agent- and server-initiated connections.
Note
The firewalls illustrated here are network firewalls. During the server and agent
installation, the installation wizard prompts you to allow PCM+ to automatically
create firewall rules; however, those rules are for the personal firewall on the
device that runs the PCM+ component. You must complete both steps (ensure that
the personal firewalls and the network firewalls permit necessary traffic).
Also note that the firewall has been opened to connections on port 8040 on the
PCM+ server. You must contact this port to download the agent installation file as
shown in the next slide.
Note
If you do not want to open this port on your firewall, you can contact the server
locally. Then follow the instructions for downloading the file provided on the next
page.
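The firewall requirements described above, as an added example that is not part of the original guide: it derives the flows a network firewall must permit from the installation choices and audits a rule set for missing or unneeded openings. The zone names, the rule format, the sample rules, and the reading that only the initiating direction needs a permit rule (a stateful firewall) are assumptions.

```python
from dataclasses import dataclass

HTTP_DOWNLOAD_PORT = 8040  # PCM+ server port that serves the agent installer


@dataclass(frozen=True)
class Flow:
    src: str       # zone that opens the TCP session
    dst: str       # zone that listens
    port: int      # destination TCP port
    purpose: str


def required_flows(initiator, server_port=51111, agent_port=51112,
                   remote_download=True):
    """Flows the network firewall must permit for one remote agent.

    initiator: "agent" or "server", the choice made during server install.
    remote_download: False if the installer is fetched locally on the
    server and carried to the agent host, so 8040 can stay closed.
    """
    if initiator not in ("agent", "server"):
        raise ValueError("initiator must be 'agent' or 'server'")
    flows = []
    if initiator == "agent":
        flows.append(Flow("agent", "server", server_port,
                          "agent-initiated PCM+ session"))
    else:
        flows.append(Flow("server", "agent", agent_port,
                          "server-initiated PCM+ session"))
    if remote_download:
        flows.append(Flow("agent", "server", HTTP_DOWNLOAD_PORT,
                          "agent installer download"))
    return flows


def permits(rule, flow):
    """True if a permit rule (hypothetical format) covers the flow."""
    return ((rule["src"], rule["dst"]) == (flow.src, flow.dst)
            and rule["port"] in ("any", flow.port))


def audit(rules, flows):
    """Report required flows with no rule, and rules broader than needed."""
    missing = [f for f in flows if not any(permits(r, f) for r in rules)]
    unneeded = [r for r in rules
                if r["port"] == "any"
                or not any(permits(r, f) for f in flows)]
    return {"missing": missing, "unneeded": unneeded}


# Constructed rule set: written for server-initiated connections.
RULES = [
    {"src": "server", "dst": "agent", "port": 51112},
    {"src": "agent", "dst": "server", "port": 8040},
]

if __name__ == "__main__":
    # The installer was set to agent-initiated, so the rules do not match.
    report = audit(RULES, required_flows("agent"))
    for flow in report["missing"]:
        print("missing:", flow)
    for rule in report["unneeded"]:
        print("unneeded:", rule)
```

Running the audit again with `remote_download=False` after the agent is installed shows the 8040 rule as unneeded, which is the point at which that opening can be closed.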
Figure: The PCM+ agent host contacts the PCM+ server on TCP port 8040.
To begin the installation, open a Web browser on the device on which you want to
install the PCM+ agent. Contact the PCM+ server: http://<IP address>:8040. You
will see the window shown in the slide. Select the link for the Windows PCM/IDM
agent.
You might need to follow several prompts to accept the download. Once the file has
downloaded, run it. The wizard will guide you through the installation. Note that
the same executable installs the PCM+ agent and the IDM agent, so you must select
the PCM+ agent during the installation.
The installation wizard will guide you through configuring the agent settings. You
must carefully match the settings on PCM+:
Server IP address
Server password
Agent password
The agent uses this password to authenticate. You can also use this password
with the admin username to log in to the agent Web browser interface. The port
at which you contact that interface is 8080, by default.
Use the pictures below as your guide for matching the settings in the PCM+ server
installation and the remote PCM+ agent installation.
In a final step, which is not illustrated, you choose whether to allow the agent to
automatically configure the host device's firewall to permit required traffic. If you do
not allow it to do so, you will need to configure this firewall yourself.
Also note that when you choose to have the server initiate the connection instead of
remote agents, you must complete some extra setup on the PCM+ server after
installing it:
1.
2. Open the Agent Manager and add the agent manually, setting its password
and the port at which the server contacts it.
3.
Figure labels: PCM+ client, TCP 8040, hp 1902, Access.txt, <IP address>, <DNS name>, <password>
1. On the PCM+ server, move to this directory (if you selected a different
installation path, adjust the path as necessary):
\Program Files\Hewlett-Packard\PNM\server\config
2.
3.
4.
5. On the PCM+ client, move to this directory (if you selected a different installation
path, adjust the path as necessary):
\Program Files\Hewlett-Packard\PNM\client\config
6.
7.
8.
Logging in to PCM+
Use the PCM+ client to access the interface. You must select
the server the first time.
To log in to the PCM+ user interface, simply run the client, which can be the client
installed locally on the server or a remote client. The first time that you access the
server, you must type in its IP address and click Connect, even if you are using the
local client. However, the client remembers the address subsequent times.
After the client then connects to the server, you are prompted to log in with the
password that you set during server installation.
Beginning to monitor and manage devices
Figure labels: Navigation Tree, Menus
PCM+ has automatically discovered your devices, and you can start monitoring and
managing them. This course cannot go into the details, but the sections below give
you a place to get started.
You can also click folders within the Device folder to see summaries of the statuses for
all devices within that folder.
Manage devices
To manage the device, turn to the toolbar. For example, you can click the Device
Manager icon to set the device's management settings or access its CLI. Navigate to
a higher level in the Network Tree and launch a wizard to configure multiple devices.
The global toolbar provides many helpful wizards, including the VLAN Manager and
the Secure Access Wizard.
Figure: PCM+ agent, PCM+ server, and database. The agent establishes an SNMP connection to the ProCurve Switch 5406zl and, if auto-trap is enabled, adds itself as a trap receiver.
As soon as you log in to the PCM+ user interface, you can begin browsing the
Navigation Tree and viewing discovered devices. Take a moment to consider how
PCM+ discovered the devices.
The PCM+ agents actually perform device discovery. (Thus, if you have several
agents, PCM+ will discover all of your devices more quickly.) An agent begins at the
seed device, which you configured when you installed the PCM+ server. To formally
discover the seed device, the agent initiates an SNMP connection with it. As long as
PCM+'s and the device's SNMP parameters match, the connection is successful.
PCM+ then completes these steps:
1.
2. If auto-trap is enabled, the agent adds itself as the device's SNMP trap receiver.
3. It classifies the device and places the device within the correct group in the
Navigation Tree.
4.
System name
VLAN configuration
IP settings
Using information collected from the discovered seed device, the PCM+ agent
discovers more devices.
PCM+ discovery methods
Figure: Three discovery methods. Neighbor discovery: the PCM+ agent uses SNMP to read a switch's LLDP (CDP or FDP) neighbor table, and a newly discovered LLDP neighbor is added to the map. ARP discovery: the PCM+ agent uses SNMP to read the ARP table. Ping sweep: the PCM+ agent pings the managed subnet and finds a newly discovered active device.
You specified the seed device manually, so PCM+ knew where to locate and
discover it. How does the PCM+ agent find more devices to discover? It supports
several methods.
Neighbor discovery
This form of discovery relies on discovered devices that support Link Layer Discovery
Protocol (LLDP 802.1AB), Cisco Discovery Protocol (CDP), or Foundry Discovery
Protocol (FDP). PCM+ uses SNMP to query discovered devices for their
LLDP/CDP/FDP neighbor table. The PCM+ agent reads the table and finds the IP
addresses of new devices to discover.
The agent also uses the LLDP/CDP/FDP information to map the network topology.
PCM+ first places the seed device. It then adds each of that device's neighbors to the
map connected to the seed device link. After formally discovering the neighbors and
receiving their neighbor tables, PCM+ adds those neighbors to the map. It follows a
recursive algorithm, discovering more neighbors until it finds no more new neighbors.
Because PCM+ uses neighbor discovery for mapping, devices will not be displayed
in the map unless they support LLDP/CDP/FDP. Wireless devices are an exception;
PCM+ maps them using the bridge MIB, which it discovers during device attribute
discovery.
ARP discovery
PCM+ can also use SNMP to query discovered devices for their ARP tables, which
contain the MAC and IP addresses of other devices in the switch's subnets. This form
of discovery enables PCM+ to discover all active devices that do not support
LLDP/CDP/FDP.
Ping sweep
With this time-intensive, but exhaustive discovery method, the PCM+ agent pings
every IP address in the managed subnets, detecting any devices that escaped the
neighbor and ARP discovery phases. This process takes longest to run because the
agent queries all IP addresses in the subnet and must wait for a response or a time
out before proceeding to the next potential device in the IP address range.
Initially, the only managed subnet is the one associated with the seed device's IP
address. But you can add more managed subnets.
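The three discovery methods above, modeled offline as an added example that is not part of the original guide and not PCM+ code: neighbor and ARP tables are read only from SNMP-accessible devices, the map is built from neighbor tables alone, and the ping sweep catches what is left. The device table is constructed sample data; treating every listed host as answering ping, and skipping neighbors outside the managed subnets, are assumptions.

```python
import ipaddress
from collections import deque

# Constructed sample data: what each host would return to the agent.
# "lldp" is None when the device has no LLDP/CDP/FDP neighbor table.
# Every host listed here is assumed to answer a ping.
DEVICES = {
    "10.1.1.1":  {"snmp": True,  "lldp": ["10.1.1.2", "10.1.2.1"],
                  "arp": ["10.1.1.2", "10.1.1.20"]},              # seed switch
    "10.1.1.2":  {"snmp": True,  "lldp": ["10.1.1.1"],
                  "arp": ["10.1.1.1", "10.1.1.30"]},
    "10.1.2.1":  {"snmp": True,  "lldp": ["10.1.1.1"],
                  "arp": ["10.1.2.9"]},                           # other subnet
    "10.1.1.20": {"snmp": True,  "lldp": None, "arp": []},        # printer
    "10.1.1.30": {"snmp": False, "lldp": None, "arp": []},        # user PC
    "10.1.1.40": {"snmp": False, "lldp": None, "arp": []},        # in no ARP table
    "10.1.2.9":  {"snmp": False, "lldp": None, "arp": []},
}


def in_scope(ip, subnets):
    """True if ip falls inside one of the managed subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in subnets)


def discover(seed, managed_subnets, devices=DEVICES):
    """Return ({ip: method}, map_edges) for the given seed and subnets."""
    subnets = [ipaddress.ip_network(s) for s in managed_subnets]
    found = {seed: "seed"}
    edges = set()            # topology map: built from neighbor tables only
    queue = deque([seed])

    # Neighbor and ARP discovery: repeat until no new device turns up.
    while queue:
        ip = queue.popleft()
        dev = devices.get(ip)
        if dev is None or not dev["snmp"]:
            continue         # no SNMP access, so its tables cannot be read
        for nbr in dev["lldp"] or []:
            if not in_scope(nbr, subnets):
                continue
            edges.add(tuple(sorted((ip, nbr))))
            if nbr not in found:
                found[nbr] = "neighbor"
                queue.append(nbr)
        for host in dev["arp"]:
            if in_scope(host, subnets) and host not in found:
                found[host] = "arp"
                queue.append(host)

    # Ping sweep: every address in every managed subnet, slow but exhaustive.
    for net in subnets:
        for addr in net.hosts():
            ip = str(addr)
            if ip not in found and ip in devices:
                found[ip] = "ping"
    return found, edges


def unmapped(found, edges):
    """Discovered devices that never appear on the topology map."""
    on_map = {ip for edge in edges for ip in edge}
    return sorted(ip for ip in found if ip not in on_map)


if __name__ == "__main__":
    found, edges = discover("10.1.1.1", ["10.1.1.0/24"])
    for ip, method in found.items():
        print(f"{ip:10} {method}")
    print("not on map:", unmapped(found, edges))
```

Calling `discover` again with `10.1.2.0/24` added to the managed subnets brings in the second switch and the host behind it, which is the effect of moving a subnet into the Managed Subnets list.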
Discovered devices
With these methods combined, PCM+ can discover all E-Series devices in a
managed subnet. It discovers these devices whether they support LLDP/FDP/CDP or
not. The devices simply require:
IP addresses
SNMP support with the correct read-only community or SNMPv3 user credentials
(read-write access is required to manage the device fully)
Although PCM+ looks for devices with the bridge MIB (switches and APs), it can also
discover SNMP-accessible devices without the bridge MIBs such as HP printers.
Finally, PCM+ can discover any endpoints that have IP addresses such as user
computers.
Note
PCM+ can also discover and manage certain HP A-Series devices and Cisco
devices. Check the supported device matrix for your version of PCM+.
Configuring discovery settings
Configure discovery settings per-agent.
If you have devices in a different subnet from the seed, you must add managed subnets.
Now that you understand how PCM+ begins automatically discovering devices, you
can look at customizing the discovery settings. Because the PCM+ agent handles
device discovery, you configure these settings from PCM+'s Agent Manager.
In the global toolbar, click the
The left pane lists the agents that have connected to the server. You can select each
agent and configure its settings separately. The figure shows the Discovery tab for the
Default Agent (the local agent on PCM+). From this tab, you configure all discovery
settings.
The figure displays one of the most important initial settings: Managed Subnet. As
you see, the PCM+ agent has already discovered other subnets configured on the
seed device and populated the Unmanaged Subnets list with them. If any devices
that you want to manage have management IP addresses in one of those subnets,
move it to the Managed Subnets list.
You can also exclude devices from discovery (Exclude Device subtab) and disable
discovery methods or view their status (Status subtab).
Task
Administrator
Manage users
Operator
Viewer
Monitor devices
Just as setting a password to secure management access is one of the first tasks that
you complete on a switch, you must set up management access to PCM+.
Initially, you log in to PCM+ with the Administrator account, but you can create your
own management user accounts. To each account, you assign a role. The figure
shows the three pre-defined roles:
To configure the management users, select File > Manage Users or click the Manage
Users icon in the global toolbar. In addition to supporting local users, PCM+
can authenticate management users to a network RADIUS server. (PCM does not
provide that feature.)
Note
In PCM+, you can also create your own profiles that define which tasks users can
perform more granularly.
Lab Activity 9
The SMB network is expanding, and the IT staff need help keeping up. Not only do
they need to be able to deploy, configure, and manage infrastructure devices more
easily, they need help monitoring the network and verifying that resources are being
used effectively. You will install PCM+ and begin to use it to monitor and manage the
network.
Consult your Lab Activity Guide for instructions for performing this activity.
Key Insights
What tools did you find that you could use in your job?
Learning check
1.
Which PCM+ component discovers devices? What does this mean for the
amount of time that is required to discover a network?
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
2.
How does PCM+ add discovered devices to network, VLAN, and subnet maps?
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
3.
Which ports must you open in firewalls that stand between a remote agent and
the PCM+ server? Which settings affect the requirements?
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
4.
What is one way that PCM+ provides enhanced visibility into the network as
compared to PCM?
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
Module 10 objectives
After completing Module 10 of HP Access Layer Network Technologies using
ProVision Software, you will be able to:
Analyze network needs and specify appropriate designs using E-Series products
and technologies
Identify E-Series switches appropriate for a given environment
Device 3:
Your first guess: _________________________________________________________
Correct answer: _________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Device 4:
Your first guess: _________________________________________________________
Correct answer: _________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Device 5:
Your first guess: _________________________________________________________
Correct answer: _________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Device 6:
Your first guess: _________________________________________________________
Correct answer: _________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Device 7:
Your first guess: _________________________________________________________
Correct answer: _________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Device 8:
Your first guess: _________________________________________________________
Correct answer: _________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Examples of HP E-Series switches
Figure 10-1: Switches plotted by functionality against scalability/performance: E8200 zl, E3500, E5400 zl, E2910 al, E2610, E2510.
HP networking offers dynamic families of Ethernet switches, with new product lines
and features added regularly. Figure 10-1 shows some examples of HP's most recent
E-Series products. As shown in the figure, HP E-Series switches can be divided into
three categories.
1. Layer 2 managed
Switches such as those in the E2510 Switch Series offer basic Layer 2 connectivity for
small and medium businesses (SMBs). The E2510, one of HP E-Series' latest offerings
in this class, offers four different models to meet the connectivity needs of different
types of users and organizations. All four switches support an array of sophisticated
Layer 2 technologies, including LACP, MSTP, LLDP, and 802.1Q VLANs.
The E2510-24 and E2510-48 offer 24 or 48 10/100 ports for end-user connectivity,
plus uplink ports for gigabit connectivity to network distribution layers. The E2510-24
offers two dual-personality ports that can support gigabit uplinks using either RJ-45
or fiber-optic transceivers. The E2510-48 offers 48 10/100 ports plus four uplink
ports, including two 1000-BaseT ports for RJ-45 connectivity and two slots for fiber-optic transceivers.
The E2510-24G and E2510-48G add gigabit connectivity for end users. The E2510-24G offers 20 10/100/1000 ports and two dual-personality ports for uplink
flexibility. The E2510-48G offers 44 10/100/1000 ports and two dual-personality
ports.
2. Light Layer 3
Switches such as those in the HP E2610 Switch Series and HP E2910 al Switch Series
offer all the Layer 2 features of the E2510 plus basic IP routing features such as static
routing and, in the case of the E2910 al, RIP.
The E2610 series offers five different models that support an array of connectivity
needs. The E2610-24 and E2610-48 offer 24 or 48 10/100 ports for end-user
connectivity. For uplinks, they both offer two RJ45 10/100/1000 ports and two open
transceiver slots for fiber-optic connectivity. The other three models, the E2610-24-PoE,
E2610-48-PoE, and E2610-24/12-PoE offer the same connectivity and uplink options,
plus support for Power over Ethernet.
The E2910 al series offers four models with support for 10/100/1000 end-user
connectivity and four dual-personality ports. The switches also support four optional
10-GbE uplink ports that support a variety of transceivers. The E2910-24G al offers
20 10/100/1000 ports plus four dual-personality ports. The E2910-48G al offers 44
10/100/1000 ports plus four dual-personality ports. The E2910-24G-PoE+ al and
E2910-48-PoE+ al add support for PoE+, a next-generation version of PoE that
provides more power and control options than the earlier PoE version.
Among the switches not shown here are those in the E4200 vl Series, a family of
modular Light Layer 3 switches that support 10/100, 10/100/1000, and 10-GbE
connectivity for the enterprise edge. The E4200 vl Series includes six models that
support two, four, or eight port modules. Some models include port modules. One
model, the E4202-72 vl offers 72 built-in 10/100 ports plus open slots for two port
modules.
3. Advanced Intelligent
Based on the ProVision ASIC, HP E-Series' Advanced Intelligent switches offer five
models designed to meet the advanced connectivity needs of the contemporary
enterprise. As described throughout this course, the ProVision ASIC switches offer a
full range of Layer 2 and Layer 3 software features in a variety of hardware form
factors that are purpose-built for various enterprise roles. Designed for the medium
enterprise LAN, the E3500, E5400 zl, and E8200 zl all support PoE plus a suite of
hardware features designed specifically for roles in the enterprise edge, distribution
layer, and core. The E6600 offers five models designed specifically for the enterprise
datacenter. As well as offering datacenter-specific features such as customizable
airflow, the five models in the E6600 Switch Series support a variety of connectivity
options for 100/1000 and 10-GbE connectivity. These include:
E6600-24G-4XG, which supports 20 10/100/1000 ports plus slots for four 10-GbE transceivers.
E6600-48G, which supports 44 10/100/1000 ports plus four dual-personality
ports.
E6600-48G-4XG, which supports 48 10/100/1000 ports plus slots for four 10-GbE transceivers.
E6600-24XG, which offers slots for 24 10-GbE transceivers.
Routing support
Routing/switch
capacity
E2510
E2610
E2910 al
E3500
E5400 zl
E6600
E8200 zl
64 to
256***
MSTP
up to 24
trunks,
eight ports
per
trunk**
Layer 2
only
256
2048
2048
2048
2048
2048
MSTP
24 trunks,
8 ports per
trunk
MSTP
24 trunks,
8 ports per
trunk
MSTP
60 trunks,
8 ports per
trunk
MSTP
60 trunks,
8 ports per
trunk
MSTP
60 trunks,
8 ports per
trunk
MSTP
60 trunks,
8 ports per
trunk
16 static
routes
RIP, OSPF*
RIP, OSPF*
RIP, OSPF*
RIP, OSPF
48 to 96
Gbps
12.8 to
17.6 Gbps
RIP, 16
static
routes
128 to 176
Gbps
101.8 to
149.8
Gbps
322.8 to
645.6
Gbps
48 to
322.8
Gbps
645.6
Gbps
Key differentiator: Scalability
The Advanced Intelligent switches offer the most scalability,
capacity, and performance
For
E2910
Figure labels: E3500-48G-PoE yl, E2910-48G al, E2510-48G
While the various classes of HP E-Series switches offer similar port densities, they can
be differentiated by scalability and performance. For instance, the E2510-48G and
E2910-48G al both offer 48 10/100/1000 ports. However, as shown in the
Features of HP E-Series switches table on the previous page, the E2910-48G al
offers significantly greater routing and switching capacity and support for more
VLANs. Furthermore, as a Light Layer 3 switch, the E2910 al supports static routing
and RIP. All E2510 models support Layer 2 connectivity. Positioned between the
E2510 and the E2910 al, the E2610 models offer static routing. Furthermore, the
E2610 and E2910 al both offer support for PoE, which is not offered on the E2510.
Similarly, in keeping with its role in the advanced enterprise, the E3500-48G-PoE yl
offers software features not available on the E2910 al, as well as support for more
trunks and VLANs.
Key design feature: 10-GbE connectivity
Many E-Series switches support 10-GbE modules
Most
Support for various cable types, including Infiniband (CX4) and fiber-optic
Check
Figure labels: 10-GbE CX4 transceiver, 10-GbE X2 transceiver
Another key differentiator among HP E-Series switch families is support for 10-GbE
connectivity. The various classes and models of HP E-Series switches support an array
of 10-GbE transceivers in various form factors. The three major types of 10-GbE
transceivers supported on HP E-Series switches are:
The table shows the maximum cable lengths for various types of 10-GbE fiber-optic
connectivity supported on HP E-Series switches. CX4 cable supports distances up to
15 meters.
62.5/125 micron
multimode fiber
50/125 micron
multimode fiber
33 meters
220 meters
300 meters
220 meters
Singlemode fiber
10 kilometers
30-40 kilometers
Network design example 1
Figure 10-4: Network core (2 E5406 zl), remote site #1, and remote site #2, with groups of E2610-48-PoE switches and E-MSM320 APs; links are marked Blocked or Forwarding. Legend: 1000Base-T, 1 Gigabit-SX, 1-Gigabit-LX, blocked link.
Figure 10-4 illustrates a basic network design consisting of a primary site with two
remote sites. This design is typical of a mid-range network and could easily be
expanded to include additional remote sites. This design works well for a network
with several servers, but not an extensive data center, that needs basic 10/100 Mbps
connectivity for users. You could apply this design to organizations such as school
systems with multiple elementary schools, banks with multiple branches, universities
with remote campuses, or businesses with branch offices.
Key features of this design are:
Two HP E5406 zl switches that serve as the network core and support these
connections
Power over Ethernet (PoE) enables the E2610-48-PoE switches to provide power, as
well as network connectivity, to Powered Devices (PDs) such as the web-enabled
cameras and HP E-MSM APs shown in the figure.
Note how the redundant backbone links connect the core switches to different
switches at the remote sites. This is an important design element because if the core
switches connected to the same switch at each remote site, RSTP would disable one
of those links. Connecting the core switches to two different remote-site switches
blocks the 1000Base-T link between the two remote-site switches instead. The
designers have decided that this design is best because traffic flows more heavily
between the remote site and core than between different areas in the remote site.
They do not want a single E2610 to handle all of that traffic.
The design also implements a technology that has not been previously discussed in
this course: Virtual Router Redundancy Protocol (VRRP), which enables routing
switches to provide redundancy for their routing services. The section below includes
information about this protocol if you are interested.
1. What advantages do the E2610-48-PoE switches provide? Why do you think that
the designers selected them?
2. Based on what you have learned about RSTP, explain the topology. Why do you
think that the designers implemented RSTP to block these specific links? When
would this topology be less efficient than another?
3. The designers have deployed the APs as standalone devices. Would you make
the same decision?
[Figure 10-5: network design diagram. Diagram labels: Remote site #1, Remote site #2; device groups of E3500 yl switches, E2610-48-PoE switches, and E-MSM320 APs; an E-MSM 765 zl. Legend: 1000Base-T, 1 Gigabit-SX, 1-Gigabit-LX, Blocked link, Port trunk.]
Figure 10-5 illustrates a basic network design consisting of a main site with two
remote sites. This design is typical of a mid-range network and could easily be
expanded to include additional remote sites. This design works well for a network
with several servers, but not an extensive data center, that needs basic 10/100 Mbps
connectivity for users. The design nonetheless supports high performance for traffic
traveling from the remote sites to the network core and for traffic destined to local
services at the remote sites.
You could apply this design to organizations such as school systems with multiple
elementary schools, banks with multiple branches, universities with remote campuses,
or businesses with branch offices.
Key features of this design are:
Two HP E5406 zl switches that serve as the network core and support these
connections:
One of these switches also includes an E-MSM 765 zl Mobility Controller for
managing the APs (you can learn more about this controller at the ASE level)
HP E2610-48 PoE switches at the edge
HP E3500-48 yl switches that aggregate links between the edge switches and
the core
Power over Ethernet (PoE) enables the E2610-48-PWR switches to provide power, as
well as network connectivity, to Powered Devices (PDs) such as the web-enabled
cameras and HP E-MSM APs shown in the figure.
Note how the redundant backbone links connect the core switches to the E3500 yl
aggregation switches at the remote sites. Both links have been established to the
same switch at each site because the designers wanted to ensure that the crucial
backbone link traffic is always handled by the high-performing E3500 yl switches.
The E2610 switches, while suitable at the edge, could create a bottleneck if asked to
handle the extensive traffic expected on this link. To further speed traffic to the
network core and the site's aggregation layer, where most resources are held, each
E2610 switch has an aggregated link to the E3500 yl switch.
Also note that this design implements a technology that has not been previously
discussed in this course: Virtual Router Redundancy Protocol (VRRP), which enables
routing switches to provide redundancy for their routing services. The section below
includes information about this protocol if you are interested.
What advantages do the E3500 yl switches provide? Why did the designers
include these aggregation layer switches?
What advantages does the spanning tree design provide? If the design includes
multiple VLANs, how would you suggest setting up MSTP?
Where would you suggest adding bandwidth to this design in the future?
Network design example 3
[Figure 10-6: Network design example 3. Diagram labels: Network core, Remote site #1, Remote site #2, Server rack; device labels include E8212 zl, E5412 zl, E3500-24G-PoE yl, E3500-48G-PoE yl, E6600-24G-4XG, E-MSM 422 APs, E-MSM 765 zl, and Fortigate ONE zl. Legend: 1000Base-T, 10-GbE-CX4, 10-GbE-LR, 10-GbE-SR, Blocked link, Port trunk.]
Figure 10-6 illustrates a network design consisting of an extensive central data center,
a main office, and two remote sites. This design is intended for a company with more
intensive networking needs and a need for Gigabit connectivity for at least some
users. This design is scalable; more devices could be added at the data center or at
new remote sites.
Key elements of this design include:
One HP E8212 zl switch that serves as the network core, with six 1-port 10-GbE
X2 modules and X2-CX4 transceivers to support connections to the other
switches:
You will learn about these types of advanced services if you continue to the ASE
level training.
Note that this design does not require MSTP to disable any backbone links because
it features link aggregations between the single core switch and the E5412 zl
switches at the remote site.
The data center's racked servers form an important component of the design. They
make the data center more scalable and support cloud computing and other
innovations. The 6600 is a specialized data center switch offering mission-critical
features such as:
Configurable air flow to ensure the switch's exhaust is directed away from other
devices. Fan trays are also hot-swappable.
Modular, hot-swappable internal power supplies
Server-to-switch distributed trunking, which enables servers that support teamed
interface cards to be connected by aggregated links to multiple switches. This
enables redundancy as well as capacity.
Scenario
You have been contacted by the head of a growing non-profit organization that has
two related goals:
Providing medical care and vaccinations for people in areas of the world with
fewer resources
Researching emerging diseases, disease-prevention, and epidemiology
The organization recently received an endowment and is opening a new facility that
will act as the headquarters and central research facility. You must design the
networking solution for this facility.
Goal
Although the facility has not yet been built and many details about the organization's
eventual networking needs remain to emerge, you have enough details to begin a
preliminary plan. Ideally, the plan should include the following elements:
A research plan listing questions and topics that should be explored in more
depth in order to complete the plan
Scenario details
The new two-floor facility will house approximately 100 users and 30 servers. The
organization actually has more than 100 users because personnel rotate between the
field, providing medical services and conducting research, and the headquarters,
compiling and analyzing their research.
The ground floor provides offices and labs for onsite medical researchers. These
users need access to data servers that store their research as well as access to
sophisticated data analysis tools.
The ground floor also provides several classrooms, which the organization uses
for training new volunteers and employees.
A ground floor datacenter will house servers, which fulfill several functions:
Some servers store the medical researchers' data. These servers must hold
large files that are subject to sophisticated analysis.
The company is thinking about a Voice over IP (VoIP) solution for their call
center, which would require another server.
Figure 10-7 and Figure 10-8 show the proposed layout for each of the two floors.
Note that the second floor includes specialized wiring closets for switches and other
infrastructure equipment. Racks for servers and switches will occupy much of the
space in the data center on the first floor.
Figure 10-9 shows how the user types are expected to be distributed throughout the
building.
The research servers will experience the highest data load during regular
business hours when researchers are at work.
Researchers will require PCs with Gigabit connections due to the large size of
the files they will retrieve from the research servers.
Administrators and fundraisers will be equipped with PCs with 100 Mbps
connections.
Some IT staff members will require 1 Gbps connections because of their roles in
administering the data servers. Other staff members, such as those who manage
the network infrastructure, will require 100 Mbps connections.
The mailing and call center features a couple of PCs that users share for
clocking into the organization's timecard application and for checking email.
All servers will have 1 Gbps network adapters.
All printers will be connected to 10/100 Mbps print servers or feature built-in
network support. No printers are connected to user PCs. Printers are shared
between users; for example, the fundraisers use the same printers as the
administrators.
International regulations require high levels of security for the medical and
epidemiological data. Many countries allow the medical researchers to collect
data and tissue samples only under the agreement that the research is carefully
monitored and not sold for profit. Therefore, only authorized medical researchers
will be allowed to access the data.
The medical researchers will use resource-intensive data-modeling applications
to work directly with the data files on the research servers. They will not store
research files on their local PCs.
Administrative and fundraising staff members will use typical office and web-based applications and will store their files on file servers in the data center.
A separate team is evaluating the possibility of implementing a VoIP solution for
the call center. The team is also evaluating whether to allow wireless access for
any users, particularly in the training and conference rooms.
Table 7-3 summarizes the device requirements for the new building. Note that, if the
company decides
Table 7-3
Floor
Department
Data center
Research
Training
2
Administrators
(including HR and
accounting)
Fund-raisers
IT staff
Mailing and call
center
Research
Device
Quantity
Total
Servers:
1 Gbps
Rack-mounted
Teamed NICs
PCs (1 Gbps)
Printers
PCs (100 Mbps)
Printer
PCs (100 Mbps)
30
30
16
2
4
1
20
18
Printers/print
servers
PCs (100 Mbps)
PCs (100 Mbps)
PCs (1 Gbps)
PCs (100 Mbps)
Printers/print
servers
PCs (1 Gbps)
10
2
1
3
16
5
22
10
3
6
18
Worksheets
The worksheets on the next several pages provide the resources required to
summarize and sketch your network design.
The figure below provides a space for sketching the switches that will be located in
each wiring closet and the data center. Use the space to sketch all switches and
connections.
Provide more detailed information about the switches that you placed in the sketch.
Worksheet columns: Switch model, Fiber or copper, Speed, Uplink type
Worksheet rows: Floor 1, Floor 2
Now that you have made a preliminary sketch of your switching infrastructure,
consider the following questions to finish your diagram.
1.
2. Do you see any locations that require RSTP or MSTP to provide for Layer 2
redundancy? Sketch them into the diagram and provide reasons for your choice
below.
3. What is your plan for VLANs and IP addressing? Would you implement a single
VLAN design or create multiple VLANs?
Worksheet columns: VLAN name, Subnet IP address/Mask, Default gateway (Address, Device)
4. Will you implement routing at any location inside the facility? If so, where?
Explain below.
5. What type of bandwidth might the facility require for its Internet connection?
Will Internet traffic create requirements for additional bandwidth in the data
center?
6. What additional information must you gather in order to complete the network
design for the new facility?
Figure 10-11: Next steps: HP AIS Network Infrastructure certification training
The Accredited Integration Specialist (AIS) certification verifies that you can deploy
HP networking products to meet the basic routing, switching, and mobility needs for
SMBs, commercial companies, and the enterprise edge.
Having completed this course, you are well on your way to being prepared for the
AIS certification test. You simply need to attend the HP Access Layer Network
Technologies using Comware Software ILT if you are not already familiar with
implementing the technologies covered in this course on the A-Series devices.
Figure 10-12: Next steps: HP AIS Network Infrastructure certification test
To earn the AIS certification, you must pass the AIS certification test, which is offered
at PearsonVue Testing Centers. The test will cover all courses in the AIS curriculum,
including the prerequisite WBTs. However, although the courses will prepare you for
the test, you may register for the test at any time you choose whether you have
completed the courses or not.
Continued learning
Advanced certification with several tracks each
ASE
Certifies you to design, implement, and support HP networking products in complex
and multi-site enterprise environments
MASE
Certifies you to deploy, design, implement, and support HP networking and third-party products in advanced solutions that meet enterprises' specific business needs
Like the AIS certification, the ASE and MASE certifications are supported by a series
of web-based and instructor-led courses. These certifications also divide into several
specialized tracks.
The AIS Network Infrastructure certification will provide all the prerequisites you
require for the ASE Network Infrastructure or ASE Wireless certification tracks. Both
tracks consist of several training courses, including instructor-led training and web-based training. For more information, visit www.hp.com/networking/training.
My Networking Portal
As well as product manuals, HP networking offers a growing library of design and
implementation guides, covering such topics as PoE, security, and VoIP installation.
Most of these documents are available by clicking the Design and Implementation
link on the Support page.
Access to these documents requires registration at the My Networking Portal site.
However, this registration is free. Simply navigate to
http://hp.com/networking/mynetworking and click Create New Account. As well as
offering access to implementation guides, My Networking Portal offers access to pre-release versions of HP networking software.
Learning check
1. The HP E3500-48-PoE yl switch, the HP E2910-48-PoE switch, and the HP E2510-48-PoE switch all provide 48 GbE ports. Why can you not use the switches
interchangeably in all environments?
2. Which HP E-Series switch series is specifically designed for the data center?
3. You must consider many questions as you decide which HP E-Series products to
deploy and where to deploy them to meet a company's needs. What are three?
2.
3.
4.
5.
You can select the 2.4 GHz frequency range, the 5 GHz range, or both. Using
both frequencies enables you to increase capacity easily by overlapping radios.
If you want to use both frequencies, configure different 802.11n radios for
different frequencies. Move to question 3.
If you want to use one frequency, select the frequency that experiences the
least interference in your environment. Move to question 3.
If yes, or if you are willing to upgrade, implement pure 802.11n in the selected
frequency or frequencies. You are done.
If every NIC supports 802.11b only, select 802.11b. You are done.
If every NIC supports 802.11a only, select 802.11a. You are done.
If the NICs support a mix of 802.11b and 802.11b/g, select 802.11b/g. You
are done.
You can select the 2.4 GHz frequency range, the 5 GHz range, or both. Using
both frequencies enables you to increase capacity easily by overlapping radios.
If you want to use both frequencies, configure 802.11a on some radios and
802.11g (or 802.11b/g) on other radios. You are done.
If you want to use only one frequency, select the frequency that experiences
the least interference in your environment.
When you deploy APs more closely together, you should decrease their
transmit power slightly. You should also raise the basic data rates to prevent
stations from connecting to APs that are further away, which can slow down
the connection for everyone.
The closer an obstruction is to the AP, the greater effect it has on the signal.
Try to place the AP above and away from obstructions such as metal
cabinets, walls with wire mesh, and reflective surfaces.
Example sets of channels
1, 6, 11
1, 7, 13
1, 7, 12
2, 7, 13
3, 8, 13
2, 8
2, 9
2, 10
2, 11
2, 12
3, 9
3, 10
3, 12
4, 10
4, 12
5, 12
Module 1
1.
2.
3.
What commands provide help at the CLI of an E-Series switch? (Select two.)
a. typing ?
b. typing /? [ENTER]
c. typing help
d.
At the CLI of an E5406 zl switch, you enter show lldp information remote-device
a24. Assuming the device connected to port a24 also supports LLDP, what
information can you learn? (Select two.)
a.
b.
c.
d.
e.
How can you access the history buffer in the E-Series switch CLI?
By entering show history or by using the up arrow on the keyboard.
4.
Switch(config)#
manager
Switch>
global configuration
Switch#
Module 2
1.
2.
3.
4.
On E-Series switches, what is a difference between the boot command and the
reload command?
a.
b. The reload command restarts the switch using the current running
configuration. The boot command uses the startup configuration.
c. The reload command restarts the switch without running diagnostics. The
boot command requires that diagnostics be executed and also allows you
to select a flash image.
d. The reload command restarts the switch using the active configuration file.
The boot command enables the administrator to choose a configuration file
for startup.
Primary flash holds the current system image. Secondary flash provides a
backup for the image.
b. Primary and secondary flash are independent and can hold different
images. Either image can be used to boot the switch.
c.
d.
Name two potential uses for multiple configuration files on an E-Series switch.
a. Back up a base or known configuration in case you must restore the switch
to a known state
b.
immediately
b.
c.
5. What is the process for upgrading the Boot ROM on an E-Series switch?
If necessary, Boot ROM upgrades are included in software images downloaded from
the HP web site. When the software is installed and the switch is rebooted, it will
boot twice. During the first reboot, it will install the Boot ROM, and then restart
immediately. The new software will become active with the second reboot. For more
information, see the Release Notes included with your HP switch software. Warnings
about Boot ROM procedures also appear on the software download pages on the
HP web site.
Module 3
Ideas for the prework review activity
What is the 802.1Q tag, and how is it used by VLAN-aware switches?
What are the rules for assigning ports to VLANs on E-Series switches?
If a port is a member of only one VLAN, you cannot remove it from the VLAN
without first assigning it to another VLAN. If you delete the VLAN, its
membership will revert to VLAN 1.
If a port is a member of multiple VLANs, it can be removed from the VLAN or
the VLAN can be deleted without any other steps.
A switch uses Layer 2 forwarding when it determines that the destination MAC
address in a frame is different from the switch's MAC address.
A routing switch uses Layer 3 forwarding when it determines that the destination
MAC address in an incoming frame is the same as the switch's MAC address.
When forwarding a frame between hosts in the same VLAN, a switch uses the
Layer 2 header to learn the destination host's MAC address. The switch
forwards the frame through the port where it has learned the address.
When forwarding a frame between hosts in different VLANs, a routing switch
examines the Layer 3 header of the frame to determine the destination host's IP
address and then consults the IP route table to determine how to forward the
frame.
If a device sends traffic to a device in another VLAN (or subnet), that traffic must
be routed. The traffic can be routed by either a Layer 3 switch or a router.
To route traffic, a Layer 3 switch must determine the packet's IP address. On
Ethernet networks, the Layer 3 switch finds the destination IP address in the
header of the IP packet, which is encapsulated in the Ethernet frame.
After determining a packet's destination IP address, a Layer 3 switch must know
the route, or pathway, to the destination network. It checks its routing table, and
if it has a route to this network, it forwards the packet to the next hop for that
route.
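The forwarding decision described above can be modeled in a few lines. The following is an added example, not part of the original guide or of any HP software; the class and function names, MAC addresses, port names, VLAN IDs, and subnets are constructed for illustration, and flooding of unknown destinations and longest-prefix route selection are standard switch and router behavior that the text above does not spell out.

```python
"""Layer 2 vs. Layer 3 forwarding decision on a routing switch (illustrative model)."""
import ipaddress

SWITCH_MAC = "00:1b:3f:aa:00:01"   # constructed MAC of the routing switch
HOST_A = "00:50:56:00:00:0a"       # constructed host MACs
HOST_B = "00:50:56:00:00:0b"


class RoutingSwitch:
    def __init__(self, mac, vlan_subnets, static_routes=None):
        self.mac = mac.lower()
        self.mac_table = {}        # (vlan, mac) -> port, learned from source addresses
        # One connected route per VLAN interface; next hop None means "deliver directly".
        connected = [(ipaddress.ip_network(net), vid, None)
                     for vid, net in vlan_subnets.items()]
        self.routes = list(connected)
        for net, next_hop in (static_routes or {}).items():
            hop = ipaddress.ip_address(next_hop)
            # A static route leaves through the VLAN whose subnet contains its next hop.
            vid = next(v for n, v, _ in connected if hop in n)
            self.routes.append((ipaddress.ip_network(net), vid, hop))

    def lookup_route(self, dst_ip):
        dst = ipaddress.ip_address(dst_ip)
        matches = [r for r in self.routes if dst in r[0]]
        # The most specific (longest-prefix) route wins.
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None

    def forward(self, frame):
        vlan, dst_mac = frame["vlan"], frame["dst_mac"].lower()
        self.mac_table[(vlan, frame["src_mac"].lower())] = frame["in_port"]
        if dst_mac != self.mac:
            # Layer 2: the frame is not addressed to the switch, so it stays in its VLAN.
            port = self.mac_table.get((vlan, dst_mac))
            return ("L2", vlan, port) if port else ("L2-flood", vlan, None)
        # Layer 3: the frame is addressed to the switch's own MAC, so route the packet.
        route = self.lookup_route(frame["dst_ip"])
        if route is None:
            return ("drop", vlan, "no route")
        _, out_vlan, next_hop = route
        target = frame["dst_ip"] if next_hop is None else str(next_hop)
        return ("L3", out_vlan, target)


def demo():
    """Run four constructed frames through a switch with two VLANs and a default route."""
    sw = RoutingSwitch(SWITCH_MAC,
                       {10: "10.1.10.0/24", 20: "10.1.20.0/24"},
                       {"0.0.0.0/0": "10.1.20.254"})
    frames = [
        # A -> B, same VLAN, B not yet learned: flooded within VLAN 10
        dict(vlan=10, src_mac=HOST_A, dst_mac=HOST_B, dst_ip="10.1.10.12", in_port="A1"),
        # B -> A, same VLAN, A already learned on port A1
        dict(vlan=10, src_mac=HOST_B, dst_mac=HOST_A, dst_ip="10.1.10.11", in_port="A2"),
        # A -> server in VLAN 20: sent to the switch's MAC, routed via the connected subnet
        dict(vlan=10, src_mac=HOST_A, dst_mac=SWITCH_MAC, dst_ip="10.1.20.5", in_port="A1"),
        # A -> outside address: routed to the default route's next hop
        dict(vlan=10, src_mac=HOST_A, dst_mac=SWITCH_MAC, dst_ip="192.0.2.9", in_port="A1"),
    ]
    return [sw.forward(f) for f in frames]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```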
Which of the following statements correctly describes a rule for assigning VLAN
membership to ports on an E-Series switch?
a.
b.
c.
d.
2.
3.
4.
b. Create a new Layer 2 header and forward the frame through port C1.
c.
d. Remove the tag that was on the frame when it entered the switch.
b. Create a new Layer 2 header and forward the frame to the workstation.
c. Add a tag to the frame that identifies its destination as VLAN 40.
d. Remove the VLAN 20 tag and forward the frame to the user.
What is the rule for removing ports from a VLAN on an E-Series switch?
a.
b.
c. If a port is a member of only one VLAN, you cannot reverse the command
that made the port a member of that VLAN.
d.
Module 4
Ideas for the physical security review activity
What can a malicious user do if he or she has physical access to a switch?
What security measures can you take to provide physical security for the switch?
Place the switch in a locked server closet or other room and carefully control
who has a key to this room
SSH
Purpose: SSH provides secure in-band access to the CLI. It sets up a secure
tunnel that encrypts management traffic. It provides authentication for the
management user. It also authenticates the switch to the management user,
ensuring that the user does not connect to a rogue device. If the manager
did connect to a rogue device, a hacker could collect his or her password.
HTTPS
Requirements: The switch requires a digital certificate, which might be self-signed or signed by a CA. The management station needs to trust the entity
that signed this certificate (you can choose to trust the certificate the first
time that you connect). The switch also must be set up to authenticate the
management user locally or remotely.
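The SSH and HTTPS notes above both depend on the management station recognizing the switch before credentials are sent. The following added example (not from the original guide or from HP software) shows that check for an SSH host key: the key is pinned on first contact, ideally against a fingerprint read out of band, and the password is withheld on any later mismatch. The key blobs, host names, and function names are constructed for illustration; the same pinning logic applies to a self-signed HTTPS certificate trusted on first connection.

```python
"""Pin a switch's SSH host key on first contact; withhold credentials on a mismatch."""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed field as used inside SSH public key blobs."""
    return struct.pack(">I", len(data)) + data


def _mpint(n: int) -> bytes:
    """Positive multiple-precision integer; the extra bit keeps the sign bit clear."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def constructed_host_key(seed: bytes) -> bytes:
    """Build an ssh-rsa shaped blob from a seed. Sample data, not a usable RSA key."""
    modulus = int.from_bytes(hashlib.sha256(seed).digest() * 8, "big") | 1
    return _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(modulus)


def fingerprint(blob: bytes) -> str:
    """SHA-256 fingerprint in the unpadded base64 form that OpenSSH displays."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class PinStore:
    """Maps a management address to the host key fingerprint accepted for it."""

    def __init__(self):
        self.pins = {}

    def check(self, host, presented_blob, expected_fp=None):
        fp = fingerprint(presented_blob)
        pinned = self.pins.get(host)
        if pinned is not None:
            # Known switch: any change of key is treated as a possible rogue device.
            return "match" if pinned == fp else "mismatch"
        if expected_fp is None:
            # Trust on first use: nothing to compare against, so the pin is unverified.
            self.pins[host] = fp
            return "first-use-unverified"
        if fp == expected_fp:
            self.pins[host] = fp
            return "first-use-verified"
        return "rejected"          # first contact, but not the key read from the console


def may_send_password(status, allow_unverified_first_use=False):
    """Release the manager password only to a switch whose identity checked out."""
    if status in ("match", "first-use-verified"):
        return True
    return status == "first-use-unverified" and allow_unverified_first_use


GENUINE = constructed_host_key(b"constructed key of the real switch")
ROGUE = constructed_host_key(b"constructed key of a rogue device")


def demo():
    store = PinStore()
    console_fp = fingerprint(GENUINE)   # stands in for a value read over the serial console
    return [
        store.check("sw-core-1", GENUINE, expected_fp=console_fp),
        store.check("sw-core-1", GENUINE),
        store.check("sw-core-1", ROGUE),
        store.check("sw-edge-7", ROGUE, expected_fp=console_fp),
    ]


if __name__ == "__main__":
    for status in demo():
        print(status, "-> send password:", may_send_password(status))
```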
2.
3.
a. SNMPv2c
b. SSH
c. HTTP
d. Telnet
e. SNMPv3
f. HTTPS
What protocol must be enabled before you can enable and use SFTP?
a. SSH
b. SSL
c. TFTP
d. FTP
What steps must you take before you can access the switch using HTTPS?
You must:
Generate a public/private key pair.
Install a CA or self-signed certificate.
Enable web management through SSL.
4.
Module 5
Ideas for the Lab activity 5 preview
Where would you plan aggregated links in the lab environment? How many ports
would you include in the link aggregation groups?
You should plan an aggregated link between each floor's Router switch (the E5400
zl switches) and the Classroom Core switch. You could also plan link aggregation
between each floor's Edge_1 and Edge_2 switches and the Router.
Two links are probably sufficient for the link aggregations; however, you might add
more for the link between the distribution layer (each floor's Router) and the core,
particularly in a network that experiences higher utilization.
When planning the link aggregation groups, keep in mind that you might want to
leave ports available for expansion.
2.
3.
a.
b.
c.
d.
The trunk will be an untagged member of VLAN 1. The individual ports will
maintain their tagged membership in other VLANs.
What is the criterion used to share loads across ports in a trunk configured on
an HP E-Series switch?
a.
b.
c.
d.
b.
c.
d.
The static trunk enables ports with different speeds to be included in the
trunk.
4.
5.
The trunk must use one of the predefined names, such as Trk5, in the order
listed in the CLI.
b. The trunk must use one of the predefined names, such as Trk5, in the CLI,
but they can be assigned in any order.
c. The trunk can be assigned a friendly name using the name command that is
also used to assign a name to an individual port.
d. The trunk must include the trunk type, LACP or trunk, in its name.
b.
c.
d.
Module 6
Ideas for the review activity
Compare and contrast STP, RSTP, and MSTP. Conclude by comparing all of these
standards to PVST.
STP (IEEE 802.1D) is the original Spanning Tree standard that enabled
redundant paths in a bridged network.
RSTP (IEEE 802.1w), the next development in the Spanning Tree standard,
enabled faster convergence times by placing ports in an edge state by default.
The edge state indicates a port is not connected to another switch, which speeds
the transition to forwarding state.
MSTP (IEEE 802.1s) enabled the definition of VLAN-aware Spanning Tree
topologies. In MSTP, VLANs are mapped to specific MSTP instances. This
enables all ports to carry traffic. With MSTP enabled, a port can be in the
blocking state for one instance while remaining in the forwarding state for other
instances.
STP, RSTP, and MSTP share features that enable them to interoperate. Under all
the standards, the switches in a Spanning Tree elect a Root Bridge. Each switch
determines the best path to the Root Bridge by exchanging BPDUs with
neighboring switches.
Per-VLAN Spanning Tree (PVST, PVST+, and RPVST+) is a proprietary Cisco
Systems technology. PVST enables VLAN-aware Spanning Tree topologies.
However, it requires a separate instance for each VLAN, which often creates
more complex topologies than MSTP.
In a network supporting multiple VLANs, why is there a risk that some users can
become isolated when RSTP is implemented? What steps are necessary to ensure this
does not occur?
Because RSTP is not VLAN-aware, users can be isolated if the topology does not
provide redundant paths in their VLAN between them and the Root Bridge.
In this case, the traffic flow will be disrupted if any switch in the path to the Root
Bridge places one of its ports in Spanning-Tree blocking state.
To prevent this, configure all switch-to-switch links for membership in all VLANs
in the Spanning Tree.
The setting of Bridge Priority can help to ensure the correct switches are chosen
as Root and Backup Root Bridges.
If all switches in a Spanning Tree are configured with the default Bridge Priority
setting, all versions of Spanning Tree protocol use the switches' MAC addresses
to determine the Root Bridge. If no priorities are set by administrators, the switch
with the lowest MAC address will become Root Bridge.
This can result in very inefficient topologies if the switch selected as Root Bridge
is at the edge of the topology.
This is especially true if an organization's older switches are deployed at the
edge of the network, as they often have the lowest MAC addresses.
This issue arises in both single-instance and multiple-instance topologies.
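The two answers above (users isolated under RSTP when a VLAN is not carried on every switch-to-switch link, and Root Bridge selection by Bridge Priority and MAC address) can be checked with a small model of a single spanning-tree instance. This is an added example, not part of the HP course material: the priorities 0, 4096, 8192, and 32768 are the ones shown in this module's topology figure, while the cabling, the MAC addresses, the equal link cost, and VLAN 20's link membership are assumptions constructed for the illustration.

```python
# Added illustration: one STP/RSTP instance on a constructed four-switch topology.
COST = 20000  # assumption: every link has the same path cost

# Assumed cabling between the Router and the three edge switches.
LINKS = [("Router", "Edge_1"), ("Router", "Edge_2"), ("Edge_1", "Edge_2"),
         ("Edge_1", "Edge_3"), ("Edge_2", "Edge_3")]

# Constructed MACs: Edge_3 stands in for an older edge switch with the lowest MAC.
MACS = {"Router": "02:00:00:00:00:40", "Edge_1": "02:00:00:00:00:02",
        "Edge_2": "02:00:00:00:00:03", "Edge_3": "02:00:00:00:00:01"}
DEFAULT = {name: (32768, mac) for name, mac in MACS.items()}
TUNED = dict(DEFAULT, Router=(0, MACS["Router"]), Edge_1=(4096, MACS["Edge_1"]),
             Edge_2=(8192, MACS["Edge_2"]))


def elect_root(bridges):
    """Lowest bridge ID wins: priority first, then MAC address."""
    return min(bridges, key=bridges.get)


def neighbors(name, links):
    return [b if a == name else a for a, b in links if name in (a, b)]


def spanning_tree(bridges, links):
    """Return (root, forwarding links, blocked links) for one instance."""
    root = elect_root(bridges)
    cost, frontier = {root: 0}, [root]
    while frontier:  # breadth-first search is enough because all costs are equal
        nxt = []
        for here in frontier:
            for peer in neighbors(here, links):
                if peer not in cost:
                    cost[peer] = cost[here] + COST
                    nxt.append(peer)
        frontier = nxt
    forwarding = set()
    for name in bridges:
        if name != root:
            # Root port: lowest root path cost, ties broken by the sender's bridge ID.
            upstream = min(neighbors(name, links),
                           key=lambda n: (cost[n], bridges[n]))
            forwarding.add(frozenset((name, upstream)))
    # A link with no root port on either end has an Alternate port: it is blocked.
    blocked = {frozenset(link) for link in links} - forwarding
    return root, forwarding, blocked


def isolated(bridges, links, vlan_links, members):
    """Switches with users in a VLAN that cannot reach the root in that VLAN."""
    root, forwarding, _ = spanning_tree(bridges, links)
    usable = forwarding & {frozenset(link) for link in vlan_links}
    reached, grew = {root}, True
    while grew:
        grew = False
        for link in usable:
            if len(link & reached) == 1:
                reached |= link
                grew = True
    return sorted(set(members) - reached)


if __name__ == "__main__":
    print("default priorities, root:", elect_root(DEFAULT))
    print("tuned priorities, root:", elect_root(TUNED))
    vlan20 = [("Router", "Edge_2"), ("Edge_2", "Edge_3")]  # constructed membership
    print("VLAN 20 isolated:", isolated(TUNED, LINKS, vlan20, ["Edge_2", "Edge_3"]))
    print("after tagging all links:", isolated(TUNED, LINKS, LINKS, ["Edge_2", "Edge_3"]))
```

With default priorities the edge switch with the lowest MAC becomes root and one of the Router's uplinks is blocked; with the tuned priorities Edge_3 loses VLAN 20 connectivity until that VLAN is carried on every switch-to-switch link.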
What is an MST region? How do switches identify the MST region to which they
belong?
What are the Common Spanning Tree (CST) and the Internal Spanning Tree (IST)?
The CST interconnects MST regions with STP and RSTP Spanning Trees. The CST
enables MSTP switches, including E-Series switches, to interoperate with RSTP
switches.
The IST is the instance on a switch associated with all VLANs that are not
mapped to user-defined instances. By default, an MSTP switch places all of its
VLANs in the IST.
What are the business and technical reasons for implementing Spanning Tree? How
does Spanning Tree add value to the enterprise network?
[Figures: two Spanning Tree topology diagrams showing the Router and switches Edge_1, Edge_2, and Edge_3. The Router is labeled Root bridge, priority 0. In the first diagram Edge_1 is the secondary root (priority 4096), Edge_2 has priority 8192, and Edge_3 has priority 32768. In the second diagram Edge_2 is the secondary root (priority 4096), Edge_1 has priority 8192, and Edge_3 has priority 32768. Each switch-to-switch port is labeled with its role: Root, Designated, or Alternate.]
2.
3.
What is the significance of the Root Port in the display of Spanning Tree details?
a. It is the port on the switch that has the lowest link cost.
b.
c. It is the port that leads to the lowest cost path to the Root Bridge.
d.
Which strategy will assure connectivity for users in all VLANs in a switched
environment that uses RSTP to resolve redundant links?
a.
b.
c.
d.
4.
What configuration items must be identical among all switches in the same MST
Region? Choose all that apply.
a. Bridge Priority
b. Configuration name
c.
5.
6.
d. Port Priority
e. VLAN-to-instance mappings
STP
b. RSTP
c. MSTP
d. PVST
Module 7
Ideas for the planning routing activity
What role does IP routing play in the SMB scenario that you have been configuring?
IP routing is necessary to permit devices in one subnet (VLAN) to communicate with
another. Therefore, if you have resources in one subnet that users in other subnets
need to access, you must implement routing between those two subnets. You must
also implement routing to route traffic from various internal subnets out an Internet
connection.
You might choose a network design that requires routing for several reasons:
You want to divide the network into several broadcast domains while still
allowing users to reach resources in other network segments (including the
Internet).
Different types of users need access to the same resources. Instead of placing
resources in the same subnet as users, you place resources in a separate subnet
and route user traffic into that subnet. In this example, you want to divide users
into different departments, but users in various departments need to reach the
server VLAN 2.
Where would you implement IP routing in this topology? What advantages and
disadvantages are offered by implementing routing in different areas?
You might implement routing on the E5400 zl switch on each floor. These switches
support each VLAN and have an IP address on each VLAN. They can implement
routing between these connected networks.
The core switch must also implement routing; it will need to learn routes (static or RIP)
from each floor's Router switch. Routing at the distribution layer and the core brings
the benefits of routing local traffic immediately, reducing the load at the core.
You could also implement routing on edge switches, which would further reduce the
load at the core. However, configuring routing at the edge does add complexity. In
this topology, each edge switch supports only one or two subnets and most traffic
travels toward the core in any case, so routing at the edge might bring fewer
benefits.
These changes can include the failure of a router or a cable break or other
event that makes a neighboring router unavailable.
Compare and contrast Interior Gateway Protocols (IGPs) with Exterior Gateway
Protocols (EGPs). Provide examples of each type of routing protocol and describe the
situations where they would be deployed.
All ProVision ASIC switches support RIP. The ProVision ASIC switches can
support OSPF, but the E3500 yl, E5400 zl, and E6600 require a Premium
License to enable this feature. OSPF support is included on the E8200 zl.
EGPs enable the exchange of routing information among routers that are not
part of the same autonomous system.
Describe the RIP update process. What information is exchanged by RIP routers? Use
the classroom lab to provide an example of this process.
For instance, in the classroom example, each group's Router_1 will send
updates on the VLAN 200 interface to the Classroom Core and to other
group routers. The updates will include all routing information about the
group's interior networks, but will not include information about the VLAN
200 interface.
In the classroom network, all routers with VLAN 200 interfaces will receive
updates from all other VLAN 200 routers, not just from the Classroom Core
to which they are directly connected.
What are Split Horizon and Poison Reverse? How do they improve RIP routing
functionality?
Split Horizon and Poison Reverse are RIP technologies that prevent routing loops
by enabling RIP routers to distinguish usable redundant routes from
routes learned from immediate neighbors. Both technologies ensure that RIP
routers cannot successfully advertise routes to the neighbors from which they
received them.
By default, ProVision ASIC switches support Poison Reverse. In updates using this
technology, the switches advertise routes back to neighbors from whom they
learned them. However, the metric for the routes is incremented to 16. In RIP, this
value is equivalent to infinity because RIP routers will not accept routes with
metrics greater than 15.
In Split Horizon, routes are not advertised to the neighbors from which they were
received. However, this technology results in slower convergence times than
Poison Reverse.
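The loop that both techniques prevent can be reproduced with two routers exchanging updates after a connected network fails. This is an added example, not code from the course or from any switch software: routers A and B, the prefix 10.1.30.0/24, and the update ordering are constructed, and the model covers only the metric rules described above (16 means unreachable), not timers or convergence-time differences.

```python
INFINITY = 16  # RIP metric that means "unreachable"


def build_update(table, neighbor, mode):
    """Routes a router advertises to one neighbor.

    table maps prefix -> (metric, next_hop); next_hop None means connected.
    mode is "none", "split_horizon" or "poison_reverse".
    """
    update = {}
    for prefix, (metric, next_hop) in table.items():
        if next_hop == neighbor:
            if mode == "split_horizon":
                continue            # never advertise a route back to its source
            if mode == "poison_reverse":
                metric = INFINITY   # advertise it back, but as unreachable
        update[prefix] = metric
    return update


def process_update(table, sender, update):
    """Apply a received update using basic distance-vector rules."""
    for prefix, advertised in update.items():
        metric = min(advertised + 1, INFINITY)
        current, next_hop = table.get(prefix, (INFINITY, None))
        # Always believe the current next hop; otherwise accept only better routes.
        if next_hop == sender or metric < current:
            table[prefix] = (metric, sender)


def rounds_to_converge(mode, prefix="10.1.30.0/24"):
    """B loses its connected network; count update rounds until both
    routers mark the prefix unreachable."""
    a = {prefix: (2, "B")}          # A learned the route from B
    b = {prefix: (INFINITY, None)}  # B's connected network has just failed
    rounds = 0
    while a[prefix][0] < INFINITY or b[prefix][0] < INFINITY:
        # A's periodic update reaches B before B's bad news reaches A.
        process_update(b, "A", build_update(a, "B", mode))
        process_update(a, "B", build_update(b, "A", mode))
        rounds += 1
    return rounds


if __name__ == "__main__":
    for mode in ("none", "split_horizon", "poison_reverse"):
        print(mode, "->", rounds_to_converge(mode), "round(s)")
```

Without either technique, B installs the stale route from A and the two routers raise the metric step by step until it reaches 16; with either technique, B never accepts its own route back from A.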
What is route redistribution and why is it used in an enterprise topology? What are
the default redistribution settings on HP's ProVision ASIC switches?
You can enable redistribution of static routes and OSPF routes. You can also
disable redistribution of connected routes.
2.
3.
What is the effect of the following command entered at the CLI of an E3500
switch?
Switch(config)# ip route 0.0.0.0/0 192.168.254.100
a. The switch will drop all packets arriving through the interface
192.168.254.100.
b. The switch will forward all packets destined for networks not in its route
table to 192.168.254.100.
c. The switch will perform default gateway services for hosts in the
192.168.254.0/24 subnet.
4.
5.
a. The switch will delete the route to 172.16.30.0 from its route table and
replace it with the new route.
b.
c. The switch will not include either route in its route table because they
conflict.
static
b. OSPF
c. Default
d. connected
Module 8
Ideas for Lab activity 8 preview
Brainstorm reasons for an SMB to implement a mobility solution; what business
benefits does mobility bring?
In few businesses do employees spend eight hours at their desks. They might meet
their colleagues to collaborate. They might meet with clients in a conference room.
Employees will be more productive if they have seamless access to network resources
without having to search for an Ethernet port.
If the company has many visitors, partners, or clients, those people might expect
wireless access. Granting it to them creates a favorable impression and helps to
promote a positive relationship. Moreover, partners might need network access to do
their jobs.
In some older buildings, all or part of the building might not be wired. Sometimes a
wireless solution is cheaper than rewiring these parts of the building.
In some industries, mobile devices require wireless access:
2.
3.
One AP might be adequate for this small site. This AP could use two radios
to provide coverage in both frequency bands and possibly increase
capacity.
You might place two APs to provide better capacity. In that case, you might
place one AP closer to the common area, which needs good coverage, and
another AP in the conference room.
Wherever you place the APs, you must consider the desired coverage area,
the realistic range for wireless signals, interference, and the need to avoid
obstacles.
Consider the exact channels for your AP radios, taking into account
overlapping radio signals.
You must consider overlapping radios. Overlapping radios provide more
seamless coverage and higher capacity; however, if your plan includes them,
your channels must not overlap. For 802.11b/g and 802.11n operating at 2.4
GHz, overlapping radios must use channels at least five channels apart. For
802.11a and 802.11n operating at 5 GHz, all channels are non-overlapping.
You could have selected any scheme that followed these rules for your plan. (See
the Overlapping radios job aid for examples.)
4.
Consider the company's need for security and select a wireless security option.
Every enterprise environment should implement WPA2 or at the least
WPA/WPA2. (Almost all stations now support these options.) PSK is probably
the best option for this company, which is an SMB without a RADIUS server
(RADIUS being required for 802.1X). This small company would probably not
consider purchasing such a server worthwhile.
2.
3.
The direct connection to the AP often provides the simplest setup. You know that
you can reach the AP's IP address. However, you need to change the IP address
on your management station. In addition, you need an external power supply
for the AP.
Both types of indirect connection enable you to power the AP using PoE, which
can be simpler than purchasing a power supply.
If you are in charge of your network's DHCP services, or if you have easy
access to the person who is, you might choose the DHCP option. Then you
can connect to the AP without altering settings on the switch (except
perhaps configuring a port in the correct VLAN, which you would need to
do in any case) or on your management station. In addition, if you set up a
DHCP reservation, you do not have to change the AP's IP address manually,
which eliminates one configuration task.
If you do not have control over your network's DHCP services, but you want
to use PoE to power the AP, you might choose the second strategy. This
strategy has the drawback of requiring you to complete some extra
configuration on the switch, that is, placing two ports in an unused VLAN
and then deleting that VLAN after you change the AP's IP address.
However, this strategy does enable you to connect to the PoE-powered AP at
a known IP address.
a. Create a network profile that specifies VLAN 12 for the VLAN ID.
b. Add a VLAN to the AP's Ethernet port that is associated with that network
profile and does not have an IP address.
c. On the AP's switch, you must make the port that connects to the AP a tagged
member of the VLAN. (If necessary, also add the VLAN to switch-to-switch links
between the switch and the default gateway for that VLAN.)
2.
3.
You have an E2610-24-PoE switch to which you plan to connect your HP E-MSM320 AP. You want to power the AP using PoE. What is the absolute
minimum setup that you must complete?
You simply need to connect the AP to the switch using a CAT-5 Ethernet cable.
As long as the switch has enough PoE power available, it will begin powering
the AP. If the switch does not have enough power, you must set a critical priority
on the AP's switch port or connect the switch to an EPS.
4.
You set up a VSC on your HP E-MSM AP, ensure that the VSC is activated on the
AP's radios, and that the radios are activated in AP mode. When you attempt to
connect a client to the AP, you cannot even see your SSID in the list of wireless
networks. What are potential causes and how might you attempt to resolve the
problem?
The VSC might be configured not to broadcast the SSID (closed system). In this
case, you would need to configure the client to connect to the SSID manually.
Or the AP radios might operate in an 802.11 standard that is not supported by
the station's wireless NIC. In that case, you must either change the standard on
at least one AP radio or update your equipment.
Use model
12
Which PCM+ component discovers devices? What does this mean for the
amount of time that is required to discover a network?
The PCM+ agent discovers devices, which means that the more agents you have
(distributed architecture), the faster the initial discovery proceeds.
2. How does PCM+ add discovered devices to network, VLAN, and subnet maps?
PCM+ first places the seed device. It uses neighbor discovery to find all
LLDP/CDP/FDP neighbors of that device and adds each neighbor to the map
connected to the seed device by a link. PCM+ then discovers the newly
discovered devices' LLDP/CDP/FDP neighbors and adds them to the map. It
continues this recursive process until it finds no new neighbors.
PCM+ follows a similar process to map wireless APs, but uses the bridge MIB
instead.
PCM+ uses SNMP device attribute discovery to find out which subnets and
VLANs are associated with which links. It uses this information to create the
subnet and VLAN maps.
Therefore, your network must implement LLDP/CDP/FDP, as well as SNMP, for
mapping to function correctly.
3. How must you alter the configurations on firewalls that stand between a remote
agent and the PCM+ server? Which settings affect the requirements?
The requirements depend on which component initiates connections: the agent
or server. If the agent initiates connections, you must configure firewalls to allow
connections from the agent to the server on the configured server TCP port. If the
server initiates connections, you must configure firewalls to allow connections
from the server to the agent on the configured agent TCP port.
If you want to download the PCM+ agent installation file directly to the
hardware on which you plan to install the agent, firewalls must also allow
connections to the server on TCP 8040.
4. What is one way that PCM+ provides enhanced visibility into the network as
compared to PCM?
Answers might include:
PCM+ provides network traffic monitoring with sFlow and XRMON. You can
examine traffic patterns down to the types of services that people are using.
With the plug-in NIM, PCM+ gives you visibility into suspicious behavior
and potential threats.
PCM+ also enables you to create customized alerts that can trigger actions
to collect more information.
Module 10
Ideas for the discussion questions in the Network design
examples activity
Network design example 1
What advantages do the E2610-48 PoE switches provide? Why do you think
that the designers selected them?
These switches provide solid 10/100 Mbps connectivity, which is all the users in
this example require, at a good cost. The support for PoE simplifies the
deployment of APs and other PoE-capable devices.
Based on what you have learned about RSTP, explain the topology. Why do you
think that the designers implemented RSTP to block these specific links? When
would this topology be less efficient than another?
Each switch at the remote site considers the backbone connection as the lowest
cost path to the root, which is one of the core switches. The cost of the connection
within the stack is higher, so that connection is blocked.
The designers implemented this topology so that two switches at the remote site
handle connectivity to the core. Because the E2610 switches are not the highest
performing switches in the portfolio, a single switch forced to handle all the
traffic could form a bottleneck.
This topology would only be inefficient if the E2610 switches needed to pass a
great deal of traffic between each other, in which case switching the traffic
through the core might be less efficient.
The designers have deployed the APs as standalone devices. Would you make
the same decision?
With this number of APs, the company might benefit from a controller to ease
management and ensure that the devices implement consistent settings. This
might be a nice component for the company to add in the future.
What advantages do the E3500 yl switches provide over, for example, E2610
switches alone? Why did the designers include these aggregation layer
switches?
As noted earlier, the E3500 yl offers significantly higher routing and switching
capacity than the E2610. Consequently, it provides better performance for traffic
switched through the local site as well as to the network core.
What advantages does the spanning tree design provide? If the design includes
multiple VLANs, how would you suggest setting up MSTP?
The E3500 yl is less likely to become a bottleneck in the path between end users
at each site and the core than an E2610. This topology ensures that the E3500
yl switch at each site always provides the backbone connection.
You should set up MSTP such that each core switch acts as root for some VLANs.
This will ensure that all backbone connections support some traffic, increasing
the total available bandwidth between the core and the edge sites.
Where would you suggest adding bandwidth to this design in the future?
Depending on which links experience the most congestion, you might create a
10GbE link between the core and the data center or between the core and a
remote site. You would need to install 10GbE transceivers in the E3500 yl
switches and the E5406zl switches.
Why do you think that the designers have elected to place a 5412zl switch at
each site rather than a stack of fixed-port switches? Use datasheets and the
Features of HP E-Series switches table to compare the 5412zl switch capacity
to the capacity of a stack of six E2610 switches.
With support for 12 24-port modules, the E5412 zl switches can support 288
100/1000 connections. By comparison, six stackable E2610 switches support a
maximum of 264 connections. The E2610 switches' port density would be further
reduced by the aggregated links they use to connect to each other, which are
not necessary when all edge devices connect directly to the E5412 zl switches.
Using a single switch reduces management complexity. Also, the E5412 zl offers
more routing and switching capacity than that provided by aggregating a stack
of switches through a switch such as an E3500 yl.
Does using a single E8212 zl switch in the core rather than, for example, two
E5406 zl Series Switches, reduce high availability? Examine the E8212 zl Switch
Series datasheet to find redundancy features offered by this switch.
Using a single E8212 zl switch might reduce redundancy to a degree, but an
E8212 zl offers almost all the redundant features of two separate switches:
redundant management modules and fabric modules, as well as redundant
power supplies, which can plug into different power sources. And with a single
E8212 zl switch, you obtain a relatively high level of redundancy with the
advantage of less management overhead. Each solution has its advantages and
disadvantages, which you must evaluate for your environment.
What advantages do the E6600 switches offer in the data center over other
switches?
The HP E6600 Switch Series is specifically designed for the data center. The
configurable air flow enables the switch to operate effectively in any
environment. The support for distributed switch-to-server trunking enables servers
that support teamed interface cards to be connected by aggregated links to
multiple switches. This design provides high capacity and high availability to the
servers.
The data center topology in this design enables servers to connect to each other
without burdening the core switch. This design could be useful for server-to-server
backups or mirroring. You could also implement routing and security solutions on
the E6600 to manage traffic and access to server resources.
2. Which HP E-Series switch series is specifically designed for the data center?
The HP E6600 Switch Series is specifically designed for the data center with
support for configurable air flow, hot-swappable power and fan components,
and support for distributed switch-to-server trunking.
3. You must consider many questions as you decide which HP E-Series products to
deploy and where to deploy them to meet a company's needs. What are three?
Questions include:
How many users and devices does the network need to support?
What type of applications do you expect the users to run? Which users
require 100 Mbps connections and which require Gigabit connections?
Where are the wiring closets? What is the distance between the closets?
Between every device and the closets? Between buildings?
How much traffic will the core need to support at times of peak network
use?