
HP ProCurve Networking

Andy Gallacher Nov, 2009

2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Agenda
- Product Overview & What's New
- Physical Infrastructure (Cabling, 10 GbE)
- Link technologies (Auto MDIX, Negotiation)
- Design methodologies (Link aggregation, VLANs, STP)
- Server Teaming
- Router Redundancy (VRRP)
- ProCurve Manager

HP ProCurve: Quick Facts

- Price/Performance (ProCurve is often 20-30% less than the competition)
- Lifetime Warranty (all hubs and switches/routing switches up to the 8200zl)
- Technical Phone Support / Firmware Upgrades
- Industry Standards
- ProCurve Manager SW (network management software shipped with each switch)

Magic Quadrant: Enterprise LAN (Global), 2009


ProCurve Positioned in Gartner's Leaders Quadrant
The Gartner Magic Quadrant is copyrighted April 2009 by Gartner, Inc., and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the Leaders quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. The Magic Quadrant graphic was published by Gartner, Inc., as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from HP ProCurve. Magic Quadrant for Enterprise LAN (Global), 2009, Mark Fabbi, Tim Zimmerman, 30 April 2009.

Why HP ProCurve Networking?

Customer Value: reduced complexity, security and trust, reliability, superior return on IT.

- Proactive networking: focused on innovation and ease of use
- Secure solutions: trusted partner
- Highly available: HP quality and industry-best warranty
- Price/performance leadership: engineered for affordability

HP ProCurve product categories

- Switches (Core & Edge Switches): scalable core-to-edge switches based on open standards unify the network and reduce complexity.
- Wireless LAN (Access Point & Controller): 802.11n wireless solutions provide networking access, management and security.
- WAN (Secure Router): WAN solutions provide adaptable, unified edge-to-edge network connectivity.
- Data Center (DCM Controller): DC solutions provide policy-based, automated provisioning of network and server resources.
- Network Management: device handling capabilities such as mapping, configuration and monitoring across the network.
- Network Security: security features embedded throughout the network that detect and respond to threats.

ProCurve Switching Portfolio

Small Business Networks:
- Traditional Edge / Established Technology: simple, cost-effective connectivity. Layer 2, web-managed and unmanaged: 2810, 2510, 1800, 1700, 1400.

Enterprise Networks:
- Data Center (data-center-specific design): Layers 2 & 3, automated provisioning: 6600, 6120, DC Connection Manager.
- Basic Enterprise Edge (LAN Enterprise): Layer 3 lite, security, sFlow: 4200, 2800, 2610, 2910.
- High-Function Edge (AEA) & Core/Distribution (LAN Enterprise): full Layer 3: 5400, 3500, WAN.
- Core & Distribution / Aggregation: full Layer 3+, Layer 4, HA: 8200, 6200.

Portfolio Overview: Traditional Edge (Established Technology)

Arranged by functionality against price/performance. 2520G-PoE/2520-PoE GA Nov. 1, 2009.

Lite Layer 3 Managed:
- 2910al/2910al-PoE: high-performance gigabit access switch. Four optional 10-Gigabit ports (CX4 and/or SFP+). IEEE 802.3af/802.3at functionality (PoE/PoE+). Layer 2 switching with static and RIP IP routing. Lifetime warranty, sFlow, ACLs and rate limiting.
- 2610/2610-PWR: access-layer 10/100 switch. Static IP routes enable routing between VLANs. Robust and granular security and QoS policies. Redundancy with RPS support.

Layer 2 Managed:
- 2810: managed Layer 2 feature set with 24 or 48 Gig ports. sFlow, source port filtering, enhanced security. Redundancy with RPS support. Four SFP ports for fiber connectivity. More robust/granular QoS.
- 2520G/2520 (2520G-PoE, 2520-PoE): managed Layer 2 PoE switch family. 8 or 24 10/100 or Gigabit ports. Ability to prioritize traffic using QoS for reliable VoIP deployments. Quiet operation and small form factor for open-space deployment.
- 2510G/2510: managed Layer 2 feature set. 24 or 48 10/100 or Gigabit ports. Two SFP ports for fiber connectivity. Quiet operation for open-space deployment.

Layer 2 Web Managed:
- 1810G/1700: plug-and-play connectivity. Basic network configuration capabilities. Excellent migration from unmanaged switches. Silent operation for open-space deployment.

LAN Enterprise Switches: Expanding the ProVision Family

(Same ASIC and features across the family.)
- 8212zl, 8206zl
- 5406zl PoE/PoE+, 5412zl PoE/PoE+
- 3500yl 1G PoE/PoE+
- 3500 10/100 PoE/PoE+, 3500 10/100 Non-PoE

Whats New


Introducing the ProCurve 2520/2520G Switch Series (Established Technology)

- HP ProCurve 2520-8-PoE Switch (J9137A): 8 10/100-T ports + two shared 10/100/1000-T or SFP ports for fiber connectivity
- HP ProCurve 2520-24-PoE Switch (J9138A): 24 10/100-T ports + 2 10/100/1000-T ports + two shared 10/100/1000-T or SFP ports for fiber connectivity
- HP ProCurve 2520G-8-PoE Switch (J9279A): 8 10/100/1000-T ports + two shared 10/100/1000-T or SFP ports for fiber connectivity
- HP ProCurve 2520G-24-PoE Switch (J9280A): 22 10/100/1000-T ports + four shared 10/100/1000-T or SFP ports for fiber connectivity

3500 10/100 Portfolio (LAN Enterprise)

J Number   Official Product Description
J9470A     HP ProCurve 3500-24 Switch
J9472A     HP ProCurve 3500-48 Switch
J9471A     HP ProCurve 3500-24-PoE Switch
J9473A     HP ProCurve 3500-48-PoE Switch

These switches have no expansion slots for the ProCurve Switch yl Module, so they do not carry the yl designation.

8206zl Base System J9475A (LAN Enterprise/Core)

6 RU chassis. Front view: management modules, fabric modules and interface/service module slots. Rear: fan tray and power supplies.

Includes:
- 1x chassis
- 1x management module
- 2x fabric modules
- 1x system support module
- 1x fan tray
- 6 interface/services module slots

8206zl vs. 8212zl

Target market: 8206zl: moderate-port-count network deployments. 8212zl: higher-port-count network deployments.
Port density: 8206zl: up to 144 10/100/1000, up to 24 10GbE. 8212zl: up to 288 10/100/1000, up to 48 10GbE.
Rack units occupied: 8206zl: 6 RU. 8212zl: 9 RU.
Performance throughput: 8206zl: 322.8 Gbps, 240.2 Mpps. 8212zl: 646 Gbps, 428 Mpps.
L2/L3: both: L3 services when running at L2; L3 routing with Premium License.
Optimized port environment: both: GbE, 10 GbE.
High availability: both: dual/slotted management and fabric modules; passive backplane; redundant power.
PoE/PoE+: both: yes, standard.
Interface/services modules: 8206zl: 6 supported. 8212zl: 12 supported.
Internal power supplies: 8206zl: 2 supported, up to 1800 W PoE/PoE+ power. 8212zl: 4 supported, up to 3600 W PoE/PoE+ power.

*The price reflects the new 8212zl base system, J8715B, which does not include the Premium License.

Known zl Interface Modules

- J8702A: 24-Port 10/100/1000 PoE zl Module
- J8705A: 20-Port 10/100/1000 PoE + 4-Port Mini-GBIC/SFP zl Module. LH-LC, LX-LC, SX-LC, BX and 1000Base-T Mini-GBIC/SFP support; 100-Meg transceivers (100-FX) for the SFP slots.
- J8706A: 24-Port Mini-GBIC zl Module. LH-LC, LX-LC, SX-LC, BX and 1000Base-T Mini-GBIC support.
- J8707A: 4-Port 10GbE X2 zl Module. CX4, SR, LR, LRM or ER optics support.
- J8708A: 4-Port 10GbE CX4 zl Module.

Used with both the 8200zl and 5400zl switches.

HP ProCurve zl Power Supplies

Model                               Input                     Chassis power   PoE power        PoE+ power
875W Power Supply J8712A            110-127 / 200-240 VAC     600 W           273 W            -
1500W Power Supply J8713A           220 VAC only              600 W           900 W            -
1500W Power Supply J9306A (New!)    110-127 / 200-240 VAC     600 W           300 W / 900 W    300 W / 900 W
Power Supply Shelf J8714A           external                  -               up to 1800 W     up to 1800 W

8206zl/5406zl: up to 2 power supplies, 1800 W PoE/PoE+ (3600 W with the Power Supply Shelf).
8212zl/5412zl: up to 4 power supplies, 3600 W PoE/PoE+ (5400 W with the Power Supply Shelf).

Used with both the 8200zl and 5400zl.

HP ProCurve zl Power Supply Specs: Electrical Characteristics

875W zl Power Supply (J8712A):
  110-127 VAC, 11.5 A, 273 W PoE power, 50/60 Hz, PoE
  200-240 VAC, 5.7 A, 273 W PoE power, 50/60 Hz, PoE

1500W zl Power Supply (J8713A):
  200-220 VAC, 10 A, 900 W PoE power, 50/60 Hz, PoE

1500W PoE+ zl Power Supply (J9306A, New!):
  110-127 VAC, 13 A, 300 W PoE power, 50/60 Hz, PoE+
  200-240 VAC, 10 A, 900 W PoE power, 50/60 Hz, PoE+

HP ProCurve 6600 Switch Series (Data Center)

Product #   Description
J9263A      HP ProCurve 6600-24G Switch: (24) 1G ports
J9264A      HP ProCurve 6600-24G-4XG Switch: (24) 1G ports, (4) 10G ports
J9265A      HP ProCurve 6600-24XG Switch: (24) 10G ports
J9451A      HP ProCurve 6600-48G Switch: (48) 1G ports
J9452A      HP ProCurve 6600-48G-4XG Switch: (48) 1G ports and (4) 10G ports

ProCurve ONE Services zl Module

SKU: J9289A. Intel T7500 Core 2 Duo, 4 GB main memory, 4 GB flash, 250 GB 7200 RPM SATA HDD. 2 x 10G Ethernet connections to the backplane. Warranty: industry-leading lifetime; HDD exception: five years*.

Supported in zl series chassis: 5400zl for edge and branch (4U/7U); 8200zl with high availability for core and distribution (9U). Positioned for data center, core, edge and branch.

ProCurve ONE Alliance Partners (1/26/09): "Striking a Balance" (partner logos not reproduced).

Services Modules:
- J9289A HP ProCurve ONE Services zl Module
- J9155A HP ProCurve TMS zl Module
- J9370A HP ProCurve MSM765zl Mobility Controller
- J9371A HP ProCurve MSM760/765 40 AP License

HP ProCurve Manager 3.0 (HP PCM 3.0) Overview

- HP PCM 3.0 Overview
- HP PCM 3.0 Enhancements: new architecture (10 agents), enhanced custom group management, granular user profiles, support for Cisco devices
- PCM 3.0 Licensing
- Plug-in Applications for PCM 3.0
- PCM 3.0 Use Models
- Upgrade PCM 2.3 to PCM 3.0
- Maintenance and Troubleshooting

c-Class BladeSystem Interconnect Types

- Pass-thru module: for scenarios where one-to-one server-to-network connections are required; equivalent to a patch panel.
- Virtual Connect module: simplest and most flexible connectivity to a network; appears as an L2 bridge to the network.
- Ethernet switch: interconnect aggregation and cable reduction using a managed switch; provides the typical L2 switching feature set and may offer L3 routing capabilities.

6120G/XG Hardware Overview

Midplane: 16x 1GbE internal ports for server/storage blade access; 1x 10GbE internal port for switch-to-switch access.

Front panel:
- 1x 10GbE CX4 port (CX4 cable)
- 2x 10GbE XFP ports (DAC, SR and LR optics)
- 2x 1GbE SFP ports (copper, and SX and LX optics)
- 4x 10/100/1000 RJ-45 ports
- Console port: Type A mini-USB
- Clear button; Reset button (recessed)

LEDs:
- 10GbE and 1GbE ports: link status green = connected, amber = fault; link activity green flashing = activity
- RJ-45 ports: link status green = connected, amber = fault; link activity green flashing = 10/100 activity, amber flashing = 1000 activity
- Module status: green = normal, amber = fault; module locator: blue = selected

6120XG Hardware Overview

Midplane: 16x 10GbE internal ports for server/storage blade access; 2x 10GbE internal ports for switch-to-switch (S2S) access.

Front panel:
- Shared port 17: 1x 10GbE CX4 port (CX4 cable) -- or -- 1x 10GbE SFP+ port (DAC, and SR, LR and LRM optics)
- Dedicated ports 18, 19, 20, 21, 22: 5x 10GbE SFP+ ports (DAC, and SR, LR and LRM optics)
- Individually shared ports 23, 24: 2x 10GbE SFP+ ports (DAC, and SR, LR and LRM optics) -- or -- the 2x 10GbE internal S2S ports
- Console port: Type A mini-USB; Clear button; Reset button
- Module status LED: green = normal, amber = fault; module locator LED: blue = selected

The 10GbE SFP+ ports also support 1GbE SFP (SX, LX, Gig-T) transceivers.

Blade Switch Comparisons

ProCurve 6120G/XG: external 1GbE ports: 2 SFP, 4 RJ-45. External 10GbE ports: 1 CX4, 2 XFP. Memory: 512 MB RAM, 256 MB flash. Management: LLDP-MED, SNMPv3. Access security: 802.1X, Web, MAC auth. IGMP multicast: 256 groups. Forwarding/routing: L2, IPv6 host, 16K MAC, 256 VLANs. Rate limiting/QoS: ingress, L3/L4 prioritization. Stacking: no. Warranty: lifetime.

ProCurve 6120XG: external 1GbE ports: none (1). External 10GbE ports: 1 SFP+/CX4, 5 SFP+, 2 SFP+/S2S. Memory: 512 MB RAM, 640 MB flash. Management: LLDP-MED, SNMPv3. Access security: 802.1X, Web, MAC auth. IGMP multicast: 256 groups. Forwarding/routing: L2, IPv6 host, 32K MAC, 256 VLANs. Rate limiting/QoS: ingress, L3/L4 prioritization. Stacking: no. Warranty: lifetime.

HP 1:10Gb Ethernet BL-c: external 1GbE ports: 4 RJ-45. External 10GbE ports: 1 CX4, 2 XFP. Memory: 256 MB RAM, 64 MB flash. Management: HTTPS, SNMPv3. Access security: ACLs, SSH, RADIUS & TACACS+ auth. IGMP multicast: 1K groups. Forwarding/routing: L2, L3, VRRP, 16K MAC, 1K VLANs. Rate limiting/QoS: QoS and 802.1p. Stacking: no. Warranty: 1 year.

Cisco 3020: external 1GbE ports: 4 SFP/RJ-45, 4 RJ-45. External 10GbE ports: none. Memory: 128 MB RAM, 32 MB flash. Management: SNMPv3. Access security: ACLs, 802.1X, Web, MAC auth. IGMP multicast: 1K groups. Forwarding/routing: L2+, 8K MAC, 1K VLANs. Rate limiting/QoS: extensive, highly granular with rate limiting & traffic shaping. Stacking: no. Warranty: 1 year.

Cisco 3120G: external 1GbE ports: 4 SFP/RJ-45, 4 RJ-45. External 10GbE ports: none. Memory: 256 MB RAM, 64 MB flash. Management: SNMPv3. Access security: ACLs, 802.1X, Web, MAC auth. IGMP multicast: 1K groups. Forwarding/routing: L2 (upgradeable to L3 & IPv6), 8K MAC, 1K VLANs. Rate limiting/QoS: extensive, highly granular with rate limiting & traffic shaping. Stacking: StackWise. Warranty: 1 year.

Cisco 3120X: external 1GbE ports: 4 RJ-45. External 10GbE ports: 4 SFP or 2 X2. Memory: 256 MB RAM, 64 MB flash. Management: SNMPv3. Access security: ACLs, 802.1X, Web, MAC auth. IGMP multicast: 1K groups. Forwarding/routing: L2 (upgradeable to L3 & IPv6), 8K MAC, 1K VLANs. Rate limiting/QoS: extensive, highly granular with rate limiting & traffic shaping. Stacking: StackWise. Warranty: 1 year.

(1) 1GbE SFP optics (SX and LX) and Gig-T transceivers can be installed in any of the external 10GbE ports.

Software Features

General networking features: IEEE 802.1D MAC Bridges; IEEE 802.1p Priority; IEEE 802.1Q VLANs; IEEE 802.1v VLAN classification by protocol and port; QoS (CoS, ToS, DSCP); IEEE 802.1D RSTP (formerly 802.1w); IEEE 802.1Q MSTP (formerly 802.1s); BPDU protection and STP root guard; IEEE 802.3ad LACP; IEEE 802.3x flow control; RFC 792 ICMP; broadcast throttling; RFC 951 BOOTP and RFC 1542 extensions; RFC 2030 SNTP; RFC 2131 DHCP information option with DHCP protection; TFTP, SFTP, FTP; uni-directional link detection; IPv6 host; ICMP rate-limiting.

IP multicast: IGMPv1, v2 & v3 (data driven).

Device management: CLI access using console, Telnet, or SSH; HTTP and HTTPS web management access; SSHv1/SSHv2 management access; HP Onboard Administrator integration; OOBM (with DHCP client default). In production, leave only SSHv2 and HTTPS enabled for management: Telnet and HTTP carry credentials in the clear, and SSHv1 is not considered secure.

Security: authorized managers list; concurrent port-based 802.1X, Web and MAC authentication; RADIUS & TACACS+; port security; MAC address lockout.

Monitor and diagnostics: port mirroring; RMON v1/v2; LLDP-MED; syslog protocol.

Network management: SNMPv1/v2c/v3.

Parts Information (HP ISS parts)

Description                                   Part No.
HP ProCurve 6120G/XG Blade Switch             498358-B21
HP ProCurve 6120XG Blade Switch               516733-B21
HP SFP+ SR Transceiver                        455883-B21
HP SFP+ LR Transceiver                        455886-B21
HP SFP+ LRM Transceiver                       455889-B21
HP 10GbE SFP+ .5m Direct Attach Cable         487649-B21
HP 10GbE SFP+ 1m Direct Attach Cable          487652-B21
HP 10GbE SFP+ 3m Direct Attach Cable          487655-B21
HP 10GbE SFP+ 5m Direct Attach Cable          537963-B21
HP 10GbE SFP+ 7m Direct Attach Cable          487658-B21
HP 1Gb SX SFP Option Kit                      453151-B21
HP 1Gb RJ-45 SFP Option Kit                   453154-B21
HP XFP 850nm SR Module                        443756-B21
HP XFP 1310nm LR Module                       443757-B21

The first two rows are the two blade switches.

Parts Information (cont.) (HP ProCurve parts)

Description                                            Part No.
HP ProCurve SFP+ SR Transceiver                        J9150A
HP ProCurve SFP+ LR Transceiver                        J9151A
HP ProCurve SFP+ LRM Transceiver                       J9152A
HP ProCurve 10-GbE SFP+ 1m Direct Attach Cable         J9281A/B
HP ProCurve 10-GbE SFP+ 3m Direct Attach Cable         J9283A/B
HP ProCurve 10-GbE SFP+ 7m Direct Attach Cable         J9285A/B
HP ProCurve 10-GbE XFP-SFP+ 1m Direct Attach Cable     J9300A
HP ProCurve 10-GbE XFP-SFP+ 3m Direct Attach Cable     J9301A
HP ProCurve 10-GbE XFP-SFP+ 5m Direct Attach Cable     J9302A

Notes: only version B of the SFP+ DACs can be purchased going forward. The XFP-SFP+ DACs have an XFP connector on one end and an SFP+ connector on the other and are applicable to the 6120G/XG only.

Cable Infrastructure


Cable specifications for full-duplex Ethernet

Interface type      Cable supported                          Maximum distance
1000Base-SX         Multimode (62.5 micron)                  275 meters
1000Base-SX         Multimode (50 micron)                    500 meters
1000Base-LX         Single-mode (9 micron)                   10 kilometers
1000Base-LX **      Multimode (62.5 or 50 micron)            550 meters
100/1000Base-T      Category 5e UTP                          100 meters
1000-BX             Single-mode (9 micron)                   10 kilometers
100-BX              Single-mode (9 micron)                   10 kilometers

Interface type      Cable supported                          Maximum distance
10G-CX4             4X Twinax (InfiniBand-style)             15 meters
10GBASE-SR          Multimode (62.5 micron)                  2-33 meters
10GBASE-SR          Multimode (50 micron / 2000 MHz-km)      300 meters
10GBASE-LR          Single-mode (9 micron)                   10 kilometers
10GBASE-ER          Single-mode (9 micron)                   40 kilometers
10GBASE-LRM         Multimode (62.5 micron)                  220 meters

http://www.hp.com/rnd/support/faqs/10-GbE-trans.htm

Connector Types: HP ProCurve Mini-GBIC / Transceivers

J4858C   1000Base-SX        Connector: LC      maximum distance 220 meters
J4859C   1000Base-LX        Connector: LC      maximum distance 10 km
J4860C   1000Base-LH        Connector: LC      maximum distance 70 km
J8177B   1000Base-T SFP     Connector: RJ-45   maximum distance 100 meters
J9142B   1000-BX-D SFP      Connector: LC      maximum distance 10 km
J9143B   1000-BX-U SFP      Connector: LC      maximum distance 10 km
J9054B   100-FX SFP         Connector: LC      maximum distance 2 km (multimode)
J9099B   100-BX-D SFP       Connector: LC      maximum distance 10 km
J9100B   100-BX-U SFP       Connector: LC      maximum distance 10 km

Transceiver Packaging Comparison

- Xenpak: 10Gig only; used on the 9300
- X2: 10Gig only; used on the 3400cl & 6400cl
- GBIC: Gigabit only; PNB doesn't support GBICs in any of our products
- mGBIC (or SFP+): Gigabit / 10 GbE

SFP+ 10G Technology

Next-gen technology enables lower cost per 10G port:
- Supports Direct Attach Cable (DAC) for very low cost over short ranges
- Smaller form factor than X2 or XFP: provides higher port density; same form factor as Gig SFP
- Provides thermal benefits leading to power savings: SFP+ consumes 1 W per port, X2 consumes 4 W per port
- Supports 10G SR, LR, LRM

HP ProCurve Switch Accessories: SFP+

A new form factor (size & shape) for 10-Gigabit modular transceivers, the same size and shape as a "mini-GBIC" (SFP). Supports three existing 10-Gigabit technologies: SR, LRM, LR.

10G SFP+ Transceivers
Product #   Description
J9150A      ProCurve 10-GbE SFP+ SR Transceiver
J9151A      ProCurve 10-GbE SFP+ LR Transceiver
J9152A      ProCurve 10-GbE SFP+ LRM Transceiver

HP ProCurve Switch Accessories: Direct Attach Cables

What is a Direct Attach cable? A one-piece unit consisting of an SFP+ form-factor transceiver at each end with permanently attached cabling between. Delivers the 10-Gigabit signal from end to end. Initial length offerings: 1m, 3m, 7m.

10G SFP+ Direct Attach Cables
Product #   Description
J9281B      ProCurve 10-GbE SFP+ 1m Direct Attach Cable
J9283B      ProCurve 10-GbE SFP+ 3m Direct Attach Cable
J9285B      ProCurve 10-GbE SFP+ 7m Direct Attach Cable

Power over Ethernet (PoE)

- IEEE 802.3af standard (48 volts nominal, 15.4 watts)
- Existing cable plant (Cat 3, 5, 5e, 6)
- Either the data pairs or the non-data pairs: (1/2 & 3/6) or (4/5 & 7/8)
- 15.4 watts maximum at the end-span device
- Phones draw from 3 watts upward
- PoE+ for PTZ cameras, 802.11n (future: PC battery charging)
- End-span refers to an Ethernet switch with embedded power; mid-span devices are placed between legacy switches and the powered devices
- Centralized power

Why Support PoE+?

Advantages of PoE+ over PoE:
- Increases maximum power to PDs
- Dynamic and granular power negotiation
- Enables support for additional devices: 802.11n access points, video IP phones, thin clients, pan-tilt-zoom cameras
- Backwards compatible with PoE

PoE+ Specifications

PoE+ (IEEE 802.3at) sets new specifications for:
1. Wattage: maximum delivered to the PD increased to 25.5 W; maximum at the switch port increased to 30 W
2. Voltage levels: minimum increased to 50 V
3. Current: maximum increased to 600 mA
4. Cabling: supports only Cat 5e and newer

Typical VoIP Infrastructure

(Diagram: Mitel 3300 IP PBX with a PSTN connection.)

- Two-port switch built into the phone
- Single UTP cable to the phone
- PC/workstation connected through the phone
- Two VLANs to the phone (VoIP tagged, data untagged)
- Voice VLAN tagged with 802.1p priority set

Tricks & Tips

The interface-connector-cable combination can have a significant impact on the performance of the network. Be careful: a particular type of connector does not guarantee a particular type of cable. An LC could be connecting either multimode or single-mode fiber, and the mini-GBICs look the same. Read the label!

Auto MDIX

HP / IEEE Auto MDIX automatically adjusts for straight-through or crossover cables on all 10/100 and 10/100/1000 ports (1000T: crossover; 100T: straight-through).

Tricks & Tips

It may be necessary in some environments to disable auto MDIX. Auto MDIX manual mode:

    interface <port-list> mdix-mode <automdix | mdi | mdix>

The options are automdix (the default), mdi, and mdix.

Benefits: minimizes reliance on auto-MDIX detection on switch-to-switch links. If you force mdi or mdix on one end, the cable type must match what the far end expects, or the link will not come up at all.

Auto Negotiation

Ethernet transmission modes

Half duplex: data transmission over an Ethernet link capable of transmitting in either direction, but not simultaneously. For Ethernet, the CSMA/CD method is a half-duplex protocol: if a station receives traffic while transmitting, it reports a collision.
Full duplex: data transmission over a circuit capable of transmitting in both directions simultaneously.

Auto negotiation

The auto-negotiation mechanism allows the two interfaces on a link to select the best common mode automatically, the moment a cable is plugged in. The problem is that it looks great on paper, but it doesn't always work as intended. Although the final Fast Ethernet standard did contain a section on auto-negotiation, that section was one of the last things put into the standard, and many vendors had already implemented their own autosensing systems and deployed them before the standard was ratified. If this wasn't bad enough, there is no standard for detecting modes at 10 Mb.

Ethernet errors

In a shared environment, collisions may result in:
- Giants, due to the concatenation of frames that were transmitted at the same time
- Runts, due to the fragmentation of frames that were transmitted at the same time
In a fully switched environment:
- Collisions indicate a mode mismatch, i.e. half- vs. full-duplex
CRC errors are detected when the value in the appended 4-byte Frame Check Sequence does not match the CRC calculated by the receiving station; they may be present in either a shared or a switched environment.

Tricks & Tips

Set system-wide network resources (servers, uplinks) to a fixed maximum speed and duplex mode, and set both ends of the link the same way. A port forced to 100-full against a peer left on auto will parallel-detect 100 Mb but fall back to half duplex on the auto side, which is the classic mismatch.

Speed and duplex command:

    interface <port-list> speed-duplex 100-full

Benefits: minimizes dependence on auto-negotiation on switch-to-server links.

Interface status:

    show interfaces brief

Alternatively, constrain the negotiated speed while leaving duplex to negotiation:

    interface <port-list> speed-duplex auto-100

Benefits: minimizes auto-negotiation variability on switch-to-server links without the risk of a forced-duplex mismatch.
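The counter rules above (collisions on a switched link mean a duplex mismatch, CRC errors mean cabling or a half-duplex far end) are easy to apply mechanically. The following is an added example, not code from the HP deck: it parses a constructed counter format (not real "show interfaces" output), gives a single-ended verdict per port, and, when both ends of a link are visible, confirms the mismatch from the negotiated modes alone. The device names, port names and all counter values are constructed; the 0.1 % CRC threshold is an assumed operational limit.

```python
"""Duplex-mismatch and CRC triage from port counters (added example).

Encodes the diagnostic rules the deck states for a fully switched network:
late collisions on a half-duplex port mean the peer is running full duplex,
a full-duplex port must never count collisions, and CRC/FCS errors point to
a cabling or transceiver problem or to a half-duplex far end. The line
format and every sample value are constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed line format: <device> <port> <mode> rx=<n> coll=<n> late=<n> crc=<n>
# <mode> uses the ProCurve-style "100FDx" / "100HDx" / "1000FDx" spelling.
LINE_RE = re.compile(
    r"^(?P<device>\S+)\s+(?P<port>\S+)\s+(?P<mode>\d+[FH]Dx)\s+"
    r"rx=(?P<rx>\d+)\s+coll=(?P<coll>\d+)\s+late=(?P<late>\d+)\s+crc=(?P<crc>\d+)$"
)

CRC_ERROR_THRESHOLD = 0.001  # 0.1 % of received frames; assumed operational limit


@dataclass(frozen=True)
class PortCounters:
    device: str
    port: str
    mode: str
    rx_frames: int
    collisions: int
    late_collisions: int
    crc_errors: int

    @property
    def full_duplex(self):
        return self.mode.endswith("FDx")


def parse_line(line):
    """Parse one constructed counter line into PortCounters."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised counter line: %r" % line)
    return PortCounters(
        m["device"], m["port"], m["mode"],
        int(m["rx"]), int(m["coll"]), int(m["late"]), int(m["crc"]),
    )


def parse_samples(text):
    """Parse a block of counter lines, skipping blank lines."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def diagnose_port(c):
    """Single-ended verdict, for when only one side of the link is visible."""
    if not c.full_duplex and c.late_collisions > 0:
        # Half-duplex side of a mismatch: the full-duplex peer transmits while
        # this side is sending, which this side counts as (late) collisions.
        return "duplex mismatch suspected: half-duplex port logging late collisions"
    if c.full_duplex and c.collisions > 0:
        # Full-duplex ports do not run CSMA/CD, so this counter should stay at 0.
        return "inconsistent counters: full-duplex port should never count collisions"
    if c.rx_frames and c.crc_errors / c.rx_frames > CRC_ERROR_THRESHOLD:
        # The full-duplex side of a mismatch sees the peer's aborted frames as
        # CRC errors and runts; so does a bad cable or transceiver.
        return "CRC errors above threshold: check cable/transceiver, or peer may be half-duplex"
    return "healthy"


def diagnose_link(a, b):
    """Both ends visible: the negotiated modes alone settle the mismatch question."""
    if a.full_duplex != b.full_duplex:
        half = a if not a.full_duplex else b
        return "duplex mismatch confirmed: %s %s negotiated %s" % (half.device, half.port, half.mode)
    for side in (a, b):
        verdict = diagnose_port(side)
        if verdict != "healthy":
            return "%s %s: %s" % (side.device, side.port, verdict)
    return "healthy"


# Constructed samples: A2 is the switch end of a server link where only the
# server was hard-set to 100-full; A3 is a marginal fibre run.
SAMPLE = """
sw-edge-1 A1   100FDx  rx=482113 coll=0    late=0   crc=0
sw-edge-1 A2   100HDx  rx=39120  coll=2210 late=187 crc=0
sw-edge-1 A3   1000FDx rx=901002 coll=0    late=0   crc=4233
srv-db-1  eth0 100FDx  rx=40811  coll=0    late=0   crc=1530
"""


def sample_report():
    """Return {(device, port): verdict} for SAMPLE plus the A2/eth0 link verdict."""
    ports = {(p.device, p.port): p for p in parse_samples(SAMPLE)}
    report = {key: diagnose_port(p) for key, p in ports.items()}
    report[("link", "A2<->eth0")] = diagnose_link(
        ports[("sw-edge-1", "A2")], ports[("srv-db-1", "eth0")]
    )
    return report


if __name__ == "__main__":
    for key, verdict in sample_report().items():
        print("%-10s %-10s %s" % (key[0], key[1], verdict))
```

Note that the server's own counters (eth0) show only CRC errors; without the switch side, that looks like a cabling fault. Pulling both ends together is what turns it into a confirmed mismatch, which is why the fix in the tip above is to set both ends identically rather than just the server.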

Virtual LANs


Interconnecting IP networks (LAN)

Router: connection point for wiring closets. Every host in an IP network has a unique IP address. In this example, hosts in the same wiring closet are in the same broadcast domain / IP network (IP Network 1, IP Network 2, IP Network 3).

Traffic between hosts in the same IP network is forwarded by switches using the destination Layer 2 (MAC) address. Traffic between hosts in different IP networks is forwarded by the router using the destination Layer 3 (IP) address.

Interconnecting networks (VLANs)

Layer 3 switch: connection point for wiring closets, with all networks present in every closet. Every host in an IP network has a unique IP address. In this example, hosts in the same wiring closet are in different VLANs (broadcast domains / IP networks). Traffic between hosts in the same VLAN is forwarded by switches using the destination Layer 2 (MAC) address. Traffic between hosts in different IP networks is forwarded by the Layer 3 switch using the destination Layer 3 (IP) address.

VLAN = broadcast domain = IP network address = IP subnet

VLAN ID assignments

Users should be arranged into VLANs (and thus IP address ranges) based on:
- Internal departments: engineering, administration, accounting
- Resource requirements, e.g. tenants in a multi-tenant building: each tenant should have access to all of the hosts in its own suite; should have access to the Internet, email hosting and remote backup depending on whether it has subscribed to those services; and should not have access to resources in other tenants' suites
- End-user customers for ISPs

A network should have a minimum of 3 VLANs:
- A server VLAN
- A network management VLAN
- A user/data VLAN

A separate management VLAN only buys isolation if the switch management interfaces are not also reachable from the user VLAN, so pair it with ACLs or the authorized managers list on the switches.

Network Design Methodology


Steps for design and deployment

Regardless of the size of the project, the basic steps in the design process are:
1. Assess customer needs and requirements
2. Develop and propose a solution (logical, then physical)
3. Implement and document the solution

Assessing customer needs

In assessing the needs of the network, plan for the following requirements:
- Port types and quantities
- Cabling to support the specified ports
- Amount and type of data anticipated
- User resource needs
- Anticipate growth in the enterprise and its network
- Examine the existing network infrastructure
- Can the requirements be met within the customer's budget?

Plan for port types and quantities

To determine the number and type of switches, consider:
- Number of edge ports: one user per port; often determined by existing cabling
- Number of wiring closets: using modular edge switches can minimize the total number of switches (7 slots x 24 ports = 168 edge ports); stackable switches support up to 48 edge ports
- Distribution and/or core switches: the number of edge switch uplinks may determine whether all edge switches will terminate at a common core switch or be aggregated at intermediate-level distribution switches

Plan for cabling to support specified bandwidth requirements

Use existing cabling whenever possible. Distances between edge ports and cubicles must be 100 meters or less for 100TX/1000T: Category 5 or better for 100Base-TX, Category 5e or better for 1000Base-T.

For existing copper cabling with runs longer than 100 meters, the choices are:
- Statically configure the interface-level speed-duplex parameter to auto-10 to assure reliable connections
- Install new cabling (may be cost-prohibitive for some customers)

Use fiber for switch-to-switch distances greater than 100 meters: 1000Base-LX, 1000Base-SX, 1000Base-LH, 100Base-FX.

Plan for amount and type of traffic

Determine the characteristics of the traffic to be carried over links between switches:
- Location of high-traffic hosts and anticipated volume: servers, applications that generate high volume
- Applications requiring prioritization: voice, video
- Multicast support: distance learning, meetings

Traffic requirements can indicate a need for higher-speed edge ports and/or higher-capacity uplinks.

Understand user resource requirements

Determine the resources to be made available to users and whether availability of those resources is critical:
- Identify users with common resource requirements; this information may be used to define VLAN boundaries
- Identify resources whose availability is critical; provide redundant links and/or redundant switches, balancing high-availability needs against the customer's budget constraints

Addressing and Protocols

- Private address range versus public (NAT)
- Version: IPv4 versus IPv6
- Protocols: IP, IPX, AppleTalk, SNA, DECnet; do the protocols need to be routable?
- Routing protocols: RIPv1, RIPv2, OSPF, BGP or proprietary
- Define VLANs by protocol, by security compartment, or by physical location

Hierarchical Address Scheme

Network 10.0.0.0

Site                      Site (2nd octet)   VLAN (3rd octet)   IPX address
Wide Area Network (WAN)   10.0.0.0           10.0.0-254.0       0A00xx
District Office           10.10.0.0          10.10.0-254.0      0A0Axx
Campus 1                  10.20.0.0          10.20.0-254.0      0A14xx
Campus 2                  10.30.0.0          10.30.0-254.0      0A1Exx
Campus 3                  10.40.0.0          10.40.0-254.0      0A28xx
Campus 4                  10.50.0.0          10.50.0-254.0      0A32xx

Each 256-host subnet will be broken down into sub-categories as follows:

Decimal value range   Meaning/usage                             # of devices
0                     Reserved                                  0
1                     VRRP Primary                              1
2                     VRRP Secondary                            1
3-6                   Router interfaces                         4
7                     Firewall                                  1
8-20                  Reserved for networking devices           13
21-50                 Static addresses for hosts and printers   30
51-220                Primary DHCP range                        170
221-255               Backup DHCP range                         35

This breakdown of the address space allows for a maximum of 170 DHCP-addressable devices and 30 servers/printers per subnet or VLAN. Note that .255 is the broadcast address of a /24 and must be excluded from the backup DHCP scope, so 34 backup leases are actually usable.
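The scheme above is regular enough to generate rather than hand-maintain. The following is an added example, not part of the HP deck: it derives the /24 and the IPX network number for any (site, VLAN) pair, classifies an address by its host octet according to the table, and clips the DHCP scopes to leasable addresses (the slide's backup range ends at .255, which is the broadcast address). The site names and numbers are the slide's; the VLAN numbers and addresses used in the functions are constructed.

```python
"""Hierarchical 10.0.0.0/8 address plan from the deck's scheme (added example).

The site number lives in the second octet, the VLAN number in the third,
and the fourth octet is carved into fixed roles (VRRP, router interfaces,
firewall, static hosts, DHCP). The IPX network number is the same three
octets written in hex, so both protocols share one plan.
"""
import ipaddress

# Site second octets as on the slide.
SITES = {
    "Wide Area Network (WAN)": 0,
    "District Office": 10,
    "Campus 1": 20,
    "Campus 2": 30,
    "Campus 3": 40,
    "Campus 4": 50,
}

# (first host octet, last host octet, role) exactly as on the slide.
HOST_ROLES = [
    (0, 0, "Reserved"),
    (1, 1, "VRRP Primary"),
    (2, 2, "VRRP Secondary"),
    (3, 6, "Router Interfaces"),
    (7, 7, "Firewall"),
    (8, 20, "Reserved for Networking Devices"),
    (21, 50, "Static addresses for hosts and printers"),
    (51, 220, "Primary DHCP Range"),
    (221, 255, "Backup DHCP Range"),
]


def validate_roles(roles=HOST_ROLES):
    """True if the ranges are contiguous, ordered and cover all 256 host values."""
    expected = 0
    for first, last, _role in roles:
        if first != expected or last < first:
            return False
        expected = last + 1
    return expected == 256


def vlan_network(site, vlan):
    """/24 for a (site, VLAN) pair: 10.<site>.<vlan>.0/24."""
    if not 0 <= site <= 255 or not 0 <= vlan <= 254:
        raise ValueError("site must be 0-255 and VLAN 0-254 (it is the third octet)")
    return ipaddress.IPv4Network("10.%d.%d.0/24" % (site, vlan))


def ipx_network(site, vlan):
    """IPX network number = first three octets in hex: 10.20.5.0 -> 0A1405."""
    return "%02X%02X%02X" % (10, site, vlan)


def host_role(address):
    """Role of an address under the plan, decided by its host octet."""
    octet = int(ipaddress.IPv4Address(address)) & 0xFF
    for first, last, role in HOST_ROLES:
        if first <= octet <= last:
            return role
    raise ValueError("host octet outside 0-255")  # unreachable while validate_roles() holds


def role_sizes():
    """Addresses per role, matching the slide's '# of devices' column."""
    return {role: last - first + 1 for first, last, role in HOST_ROLES}


def dhcp_scope(site, vlan, which="primary"):
    """(first, last) lease addresses for the primary or backup scope.

    The backup range on the slide runs to .255, but .255 is the broadcast
    address of a /24 and must never be leased, so the scope is clipped to
    the network's usable host addresses.
    """
    role = "Primary DHCP Range" if which == "primary" else "Backup DHCP Range"
    first, last = next((f, l) for f, l, r in HOST_ROLES if r == role)
    net = vlan_network(site, vlan)
    base = int(net.network_address)
    lo = max(base + first, base + 1)
    hi = min(base + last, int(net.broadcast_address) - 1)
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi))


def plan_for(site_name, vlan):
    """Summary of one VLAN's addressing at a named site."""
    site = SITES[site_name]
    net = vlan_network(site, vlan)
    base = int(net.network_address)
    return {
        "network": str(net),
        "ipx": ipx_network(site, vlan),
        "vrrp_primary": str(ipaddress.IPv4Address(base + 1)),
        "vrrp_secondary": str(ipaddress.IPv4Address(base + 2)),
        "firewall": str(ipaddress.IPv4Address(base + 7)),
        "dhcp_primary": dhcp_scope(site, vlan, "primary"),
        "dhcp_backup": dhcp_scope(site, vlan, "backup"),
    }


if __name__ == "__main__":
    assert validate_roles()
    for key, value in plan_for("Campus 1", 5).items():   # constructed VLAN 5
        print("%-15s %s" % (key, value))
```

validate_roles() is worth keeping in any plan generator: the moment somebody widens the static range by hand, an overlap or gap in the table shows up before it becomes an overlapping DHCP scope.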

Security

- Physical access
- Network access (802.1X)
- Server access
- Network management passwords
- Firewalls, ACLs
- Internet, DMZ
- Wireless

Develop and propose a solution

Based on the information gathered during the assessment phase:
- Diagram the physical connectivity: switches, including any modular accessories; port counts, types and speeds
- Produce a list of required equipment

Implement and document the solution

Based on the information you gathered in the assessment phase, create configurations:
- Create passwords to prevent unauthorized access
- Create the VLANs specified in the design
- Enable high-availability features where specified by the design
- Create any prioritization policies
- Enable remote management if required

Create VLANs and port members
- Create VLANs
- Assign access ports as untagged members of the appropriate VLAN for hosts with non-802.1Q-compliant network adapters
- Define tagged VLAN membership for switch-to-switch links as necessary

Enable high-availability features
- Enable high-availability features as specified by the design: all versions of Spanning Tree interoperate with HP Switch Meshing; router redundancy (XRRP, VRRP, HSRP); server teaming
- Your design may require more than one high-availability feature
- Be sure to include switch-to-switch links as tagged members of all VLANs whose traffic might be carried in the event of a link failure

Enable prioritization
- For hosts that require the edge switch to set and mark priority, define the policies or port-level priorities that will accomplish the goals of the design
- For 802.1Q-capable hosts that set priorities on their own behalf: set policies that override illegitimate 802.1p priority settings, and avoid setting user-defined policies that override legitimate 802.1p priority settings
- Links that will carry prioritized traffic must be tagged members of the relevant VLANs, or the tags will be stripped, eliminating end-to-end prioritization
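The two membership rules above, and the VoIP phone port earlier (voice VLAN tagged with 802.1p priority, data VLAN untagged), come down to what a port does with the 802.1Q tag on ingress and egress. The following is an added example, not code from the HP deck: it builds and parses 802.1Q frames and models one switch hop so you can see the voice tag and its PCP survive a correctly tagged uplink, get dropped by a port that is not a member, and lose the priority on any port where the VLAN is untagged. The frame layout follows IEEE 802.1Q; the port names, VLAN numbers, MAC addresses and frames are constructed for the example.

```python
"""802.1Q tagging across access and uplink ports (added example).

An access port is an untagged member of one VLAN (its PVID) and strips the
tag on egress, so any 802.1p priority set by the phone is lost there; a
switch-to-switch link must be a tagged member of every VLAN it carries so
the tag and the priority survive end to end. Frame layout per IEEE 802.1Q:
TPID 0x8100 after the source MAC, then a 16-bit TCI of PCP(3) DEI(1) VID(12).
"""
import struct

TPID = 0x8100
ETH_IP = 0x0800


def _mac(value):
    """Accept 'aa:bb:cc:dd:ee:ff' or 6 raw bytes."""
    return value if isinstance(value, bytes) else bytes.fromhex(value.replace(":", ""))


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Ethernet II frame; with vid set, an 802.1Q tag is inserted."""
    frame = _mac(dst) + _mac(src)
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # DEI bit left clear
        frame += struct.pack("!HH", TPID, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (vid or None, pcp, ethertype, payload); rejects truncated frames."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != TPID:
        return None, 0, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("tagged frame truncated inside the 802.1Q header")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, tci >> 13, inner, frame[18:]


class Port:
    """VLAN membership of one port: at most one untagged VLAN (the PVID), any number tagged."""

    def __init__(self, name, untagged=None, tagged=()):
        self.name = name
        self.untagged = untagged
        self.tagged = frozenset(tagged)

    def ingress(self, frame):
        """Classify a received frame to (vid, pcp, ethertype, payload); None = dropped."""
        vid, pcp, ethertype, payload = parse_frame(frame)
        if vid is None:
            if self.untagged is None:
                return None               # no PVID: untagged frames are dropped
            return self.untagged, pcp, ethertype, payload
        if vid in self.tagged or vid == self.untagged:
            return vid, pcp, ethertype, payload
        return None                       # tagged for a VLAN this port is not a member of

    def egress(self, vid, pcp, dst, src, ethertype, payload):
        """Rebuild the frame for transmission; None = the VLAN does not leave on this port."""
        if vid == self.untagged:
            return build_frame(dst, src, ethertype, payload)             # tag stripped, PCP lost
        if vid in self.tagged:
            return build_frame(dst, src, ethertype, payload, vid, pcp)   # tag and PCP preserved
        return None


def forward(in_port, frame, out_port):
    """One-hop switch model: classify on ingress, re-encapsulate on egress."""
    classified = in_port.ingress(frame)
    if classified is None:
        return None
    vid, pcp, ethertype, payload = classified
    return out_port.egress(vid, pcp, frame[0:6], frame[6:12], ethertype, payload)


# Constructed topology: phone port A1 (data VLAN 10 untagged, voice VLAN 20
# tagged), a correct uplink A24 (both tagged), a mis-built uplink A23 where
# the voice VLAN was left untagged, and a server port B1 (VLAN 10 untagged).
PHONE_PORT = Port("A1", untagged=10, tagged={20})
UPLINK = Port("A24", tagged={10, 20})
BAD_UPLINK = Port("A23", untagged=20, tagged={10})
SERVER_PORT = Port("B1", untagged=10)

VOICE = build_frame("00:11:22:33:44:55", "00:aa:bb:cc:dd:01", ETH_IP, b"rtp", vid=20, pcp=5)
DATA = build_frame("00:11:22:33:44:66", "00:aa:bb:cc:dd:02", ETH_IP, b"http")   # PC behind the phone


def walk_examples():
    """(vid, pcp) as seen by the next hop for each scenario; None where the frame is dropped."""
    def seen(frame):
        return None if frame is None else parse_frame(frame)[:2]
    return {
        "voice->uplink": seen(forward(PHONE_PORT, VOICE, UPLINK)),
        "voice->server": seen(forward(PHONE_PORT, VOICE, SERVER_PORT)),
        "voice->untagged-uplink": seen(forward(PHONE_PORT, VOICE, BAD_UPLINK)),
        "data->uplink": seen(forward(PHONE_PORT, DATA, UPLINK)),
        "data->server": seen(forward(PHONE_PORT, DATA, SERVER_PORT)),
    }


if __name__ == "__main__":
    for scenario, result in walk_examples().items():
        print("%-24s %s" % (scenario, result))
```

The "voice->untagged-uplink" case is the failure the last bullet warns about: the frame still crosses the link, so nothing looks broken, but the next switch receives it untagged with PCP 0 and the voice traffic silently loses its priority from that hop on.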

Hierarchical network design

Three-tier model (top to bottom, below the Internet):
- Core Layer (no end stations connect here; L2)
- Distribution Layer (interconnects edge switches; L3)
- Access Layer (edge switches; all end stations connect here; L2)

Two-tier model:
- Core / Distribution Layer (collapsed)
- Access Layer (edge switches; all end stations connect here)

Design Terminology

Access Layer: sometimes referred to as the edge. It is the bottom layer of a hierarchical model; it provides users with network access. Usually Layer 2 connectivity (non-routed).
Distribution Layer: the middle layer of a hierarchical model. The distribution layer interconnects the core and access layers. This is where routing is performed. Usually Layer 3 with filtering.
Core Layer: the top layer of a hierarchical model. Traditionally passes packets to the distribution layer only. Usually Layer 2 for performance.

2-Tier vs. 3-Tier Architecture

2-tier advantages: less complex; lowest cost per port.
2-tier disadvantages: centralized control (a single pair of routing switches) with traffic bottlenecks; L2 issues can affect the core; not suitable for a large number of distribution uplinks to the core.
3-tier advantages: better distributed traffic control; isolates L2 issues within each distribution layer; more advanced feature sets.
3-tier disadvantages: more complex; requires routing switches per distribution layer, i.e. additional Layer 3 switches/routers.

Spanning Tree Protocol (STP)


Spanning Tree Protocol

The Spanning Tree Protocol automatically detects loops in the network topology and blocks the links that lead to less desirable paths.
Three versions:
IEEE 802.1D (original STP)
IEEE 802.1w (Rapid STP)
IEEE 802.1s (Multiple-instance STP)

Spanning Tree Protocol Defaults


STP is NOT enabled by default
Rapid STP is the default version when enabled with: spanning-tree
Multiple-instance STP (MSTP) is the default version on newer ProCurve switches

Spanning Tree Protocol

Spanning Tree is a standard method for enabling automatic network redundancy and high availability at layer 2. Used in multivendor environments

STP Step 1: Block ports

Diagram: Switch_A and Switch_B with all normal ports marked B (Blocking); ports in Fast mode are already Forwarding

The first step in defining a loop-free topology is to place all normal STP ports into the Blocking state
This prevents user traffic from being forwarded until loops are resolved
Fast (edge) ports transition to Forwarding immediately (RSTP)

STP Step 2: Generate BPDUs and elect Root switch

Diagram: one switch marked Root; all other switch ports still B (Blocking); edge ports Forwarding

Every STP switch generates BPDUs and sends them through all ports
BPDUs are updated and forwarded by all switches through all ports
Within about 30 seconds, one of the switches becomes the Root of the Spanning Tree
Only the Root continues originating BPDUs (in 802.1D; RSTP bridges each send their own)
Other switches continue to update and forward BPDUs

STP Step 3: Calculate path costs to Root

Diagram: in this network, each link has a cost of 5; switches adjacent to the Root show a path cost of 5, and switches two hops away show a cumulative cost of 10

As each switch updates the BPDUs, the result is a cumulative path cost to the Root
This enables each switch to determine which of its ports leads to the lowest-cost path to the Root

STP Step 4: Change some port states to Forwarding

Diagram: each non-root switch has one Root port (F); the designated port on each link is F; the far side of each backup link stays B

Every port on the Root Bridge transitions to the Forwarding state
The root port on each switch transitions to the Forwarding state
For each backup link, the designated port transitions to the Forwarding state
The port on the other side of the backup link remains in the Blocking state

Spanning Tree Edge Ports

Enable admin-edge on ports connected to end nodes. During spanning tree establishment, ports with admin-edge enabled transition immediately to the forwarding state.
Disable this feature on any switch port that is connected to another switch, bridge, or hub.

spanning-tree <port-list> admin-edge-port

Adapting to changes in port state

Diagram: Switch_A (Root), Switch_B, Switch_C, Switch_D and Switch_E; a failed link causes a previously Blocking port to become the new Root port

When a link fails, the constant nature of the hello messages causes another port to become the root port
If the Root switch fails, all of the switches will block their ports until another switch is established as the Root and the appropriate ports transition to the Forwarding state

STP Root Bridge Selection

Diagram: in this network, each link has a cost of 5. A Linksys WET54GS5 5-port switch (802.1D; bridge MAC OUI 00045A, The Linksys Group), a Linksys WAP11 Instant Wireless access point (OUI 000625, The Linksys Group) and three HP switches (OUIs 000a57, 000d9d and 000e7f, Hewlett Packard) are interconnected; cumulative path costs of 10, 15 and 20 are shown at the HP switches

Not configuring the Root bridge may not give you the desired effect
Higher-speed links can be blocked in favor of a lower path cost to the Root Bridge

STP Root Bridge Selection (continued)

Diagram: the same network, with the Linksys switch (OUI 00045A) elected Root; the HP switches' ports toward it are Root ports (F) and one HP-to-HP link is Blocking (B)

If Bridge Priority is not administratively defined, which of these switches will become the Root Bridge?
All things being equal, the switch with the lowest MAC address becomes the Root Bridge. Here that is the Linksys (WET54GS5) 5-port switch (802.1D).

STP Root Bridge

Diagram: a Server and a User connected to HP switches, with a Linksys WAP11 access point having become the Root; traffic between User and Server detours through the Root

Connecting devices in default mode with STP enabled can change network paths
The end-to-end path may not be the best path to the network resource
A misconfigured (or unconfigured) Root Bridge can cause network performance issues
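The election and path-cost rules from Steps 2 to 4, applied to the Linksys example above, as an added Python example (not part of the original HP deck): bridge IDs compare as (priority, MAC), each switch picks its root port by cumulative cost with the neighbour's bridge ID as tie-breaker, and the far side of every non-tree link blocks. The bridge names, the host part of the MAC addresses (OUIs are the ones shown on the slide), the link speeds and the 100 Mb / gigabit mix are constructed for the example; path costs are the IEEE 802.1t defaults.

```python
"""Converged spanning-tree calculator: root election, path cost, port roles.
Added example; not ProCurve code. Bridge names, MACs and links are constructed."""
from dataclasses import dataclass

# IEEE 802.1t default path costs by link speed (Mb/s)
PATH_COST = {10: 2_000_000, 100: 200_000, 1_000: 20_000, 10_000: 2_000}


def bridge_id(priority: int, mac: str) -> tuple:
    """Bridge ID orders by priority first, then MAC; the lowest ID wins root."""
    return (priority, int(mac.replace(":", ""), 16))


@dataclass(frozen=True)
class Link:
    a: str
    b: str
    speed_mbps: int


def compute_topology(bridges: dict, links: list):
    """bridges: name -> (priority, mac). Returns (root, root_path_cost, states),
    where states[link_index] maps each end's bridge name to "F" or "B"."""
    ids = {name: bridge_id(*pm) for name, pm in bridges.items()}
    root = min(ids, key=ids.get)                      # Step 2: lowest Bridge ID
    # best[name] = (root path cost, upstream bridge, link index of root port)
    best = {root: (0, None, None)}
    done = set()
    while len(done) < len(bridges):                   # Step 3: cumulative costs
        cur = min((n for n in best if n not in done), key=lambda n: (best[n][0], ids[n]))
        done.add(cur)
        for i, lk in enumerate(links):
            if cur not in (lk.a, lk.b):
                continue
            nbr = lk.b if lk.a == cur else lk.a
            if nbr in done:
                continue
            # Root-port selection vector: cost, then designated bridge ID, then port
            cand = (best[cur][0] + PATH_COST[lk.speed_mbps], ids[cur], i)
            old = best.get(nbr)
            if old is None or cand < (old[0], ids[old[1]], old[2]):
                best[nbr] = (cand[0], cur, i)
    root_ports = {best[n][2] for n in bridges if n != root}
    states = {}
    for i, lk in enumerate(links):                    # Step 4: port states
        if i in root_ports:
            states[i] = {lk.a: "F", lk.b: "F"}        # root port + designated port
        else:
            va, vb = (best[lk.a][0], ids[lk.a]), (best[lk.b][0], ids[lk.b])
            desig, blocked = (lk.a, lk.b) if va < vb else (lk.b, lk.a)
            states[i] = {desig: "F", blocked: "B"}    # backup link: far side blocks
    return root, {n: best[n][0] for n in bridges}, states


# Constructed topology: two HP switches joined by gigabit, each also 100 Mb to a
# Linksys switch. MACs use the OUIs from the slide; the host parts are made up.
LINKS = [Link("Linksys", "HP1", 100), Link("Linksys", "HP2", 100), Link("HP1", "HP2", 1_000)]
DEFAULT_BRIDGES = {                 # everyone at the default priority 32768
    "Linksys": (32768, "00:04:5a:00:00:01"),
    "HP1": (32768, "00:0a:57:00:00:01"),
    "HP2": (32768, "00:0d:9d:00:00:01"),
}
HARDENED_BRIDGES = {**DEFAULT_BRIDGES, "HP1": (0, "00:0a:57:00:00:01")}  # spanning-tree priority 0

if __name__ == "__main__":
    for label, bridges in (("default priorities", DEFAULT_BRIDGES), ("HP1 priority 0", HARDENED_BRIDGES)):
        root, costs, states = compute_topology(bridges, LINKS)
        print(f"{label}: root={root} costs={costs}")
        for i, lk in enumerate(LINKS):
            print(f"  {lk.a}-{lk.b} {lk.speed_mbps}Mb: {states[i]}")
```

With default priorities the Linksys wins on lowest MAC and the gigabit HP1-HP2 link ends up Blocking at HP2, since both HP switches reach the root more cheaply over their own 100 Mb links. Setting HP1 to priority 0 moves the root, puts the gigabit link in the tree, and it is now the Linksys-HP2 link that blocks.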

STP Root Bridge DEMO

Rapid Spanning Tree demo topology:
HP 5406_#1 (IP 10.10.1.1), Root Bridge; VRRP addresses VLAN 1 = 10.10.1.1, VLAN 2 = 10.10.2.1, VLAN 3 = 10.10.3.1, VLAN 4 = 10.10.4.1, VLAN 5 = 10.10.5.1, VLAN 6 = 10.10.6.1, VLAN 7 = 10.10.7.1, VLAN 8 = 10.10.8.1, VLAN 9 = 10.10.9.1, VLAN 10 = 10.10.10.1, VLAN 50 = 10.10.50.1
HP 5406_#2 (IP 10.10.1.2); VRRP addresses VLAN 1 = 10.10.1.2, VLAN 2 = 10.10.2.2, VLAN 3 = 10.10.3.2, VLAN 4 = 10.10.4.2, VLAN 5 = 10.10.5.2, VLAN 6 = 10.10.6.2, VLAN 7 = 10.10.7.2, VLAN 8 = 10.10.8.2, VLAN 9 = 10.10.9.2, VLAN 10 = 10.10.10.2, VLAN 50 = 10.10.50.2
10 Gigabit link (F4) between the two 5406 switches
HP DL360 server, Server Teaming (TLB), IP 10.10.50.10: Port 1 to port A1 of one 5406 and Port 2 to port A1 of the other
HP 2650 (IP 10.10.1.3) uplinks: port 49 over 1000SX (multimode patch cord) and port 50 over 1000LX (mode-conditioning patch cord) to port B24 of each 5406
HP nc6000 laptop on 2650 port 1: VLAN 5, IP 10.10.5.100, default gateway 10.10.5.1

STP and RSTP


IEEE 802.1D STP and IEEE 802.1w RSTP address loop protection for link redundancy regardless of the use of VLANs
Links can be left unused, since all VLANs must use the same physical topology
Original STP: IEEE 802.1D-1998
Rapid STP (RSTP): IEEE 802.1w-2001
Change to link cost and bridge priority values: IEEE 802.1t-2001

STP and RSTP

Diagram: three switches each carrying VLAN 1, VLAN 11 and VLAN 12, one of them the root bridge; a single tree serves all VLANs, so the redundant link is blocked for every VLAN (IEEE 802.1D-2006)

Multiple-Instance Spanning Tree Protocol MSTP (802.1s)

Diagram: two redundant links between switches, one carrying the odd VLANs and the other the even VLANs

Multiple-Instance Spanning Tree runs multiple instances of STP. Redundant links carry different VLANs. Used in multivendor environments.

Cisco PVST+ and Rapid-PVST+

PVST supports a spanning tree instance for each configured VLAN
Yields a 1-to-1 mapping of VLANs to STP instances and therefore separate processes
VLAN-specific BPDUs are used for each VLAN
Uses ISL trunking and allows a VLAN trunk to be forwarding for some VLANs while blocking others

Diagram: three switches carrying VLAN 1, VLAN 11 and VLAN 12; a different switch is root for VLAN 1, for VLAN 11 and for VLAN 12

PVST+ provides the same functionality as PVST, but supports 802.1Q trunking
Rapid-PVST+ incorporates convergence time improvements similar in concept to RSTP

Comparing PVST+ and MSTP

In response to a need to allow standards-compliant 802.1D/w/Q switches to have multiple logical paths for redundancy, IEEE 802.1s MSTP was developed
802.1s enhanced 802.1Q by allowing groups of VLANs to be assigned to different spanning trees
Instances may be chosen to match the number of possible logical paths through the layer 2 network
Often, only a few instances are required instead of the 1-to-1 ratio of VLANs to instances with PVST+

Diagram, PVST+: three switches carrying VLAN 1, VLAN 11 and VLAN 12, with a separate root for VLAN 1, for VLAN 11 and for VLAN 12
Diagram, MSTP: the same switches with VLANs 1 and 12 mapped to MSTI 1 and VLAN 11 to MSTI 2, so only two roots (root MSTI 1, root MSTI 2) are needed

Cisco/ProCurve Scenario 1: Rapid-PVST+
Cisco environment running PVST+ or Rapid-PVST+

Diagram: Cisco Switch_A (root for VLANs 1, 11, 12, 13), Cisco Switch_B (backup root for VLANs 1, 11, 12, 13), ProCurve Switch_C configured for STP, RSTP, or MSTP, with one of Switch_C's uplinks blocked

Pro: Simple, and you can still use PVST+ or Rapid-PVST+ for the backbone
Con: There is no load balancing

Cisco/ProCurve Scenario 2: MSTP (802.1s)
Cisco environment running MSTP (IEEE 802.1s)

Diagram: Cisco Switch_A (root for VLANs 1, 11, 12, 13), Cisco Switch_B (backup root for VLANs 1, 11, 12, 13), ProCurve Switch_C configured for MSTP

Pro: VLAN load balancing
Con: More configuration required

Spanning Tree Problems

Unstable Spanning Tree operation can be caused by factors and conditions that include:
Unidirectional links
Rogue devices talking STP
Continuous STP topology changes due to flapping ports or end-user ports not set to edge mode (portfast)
Loops not detected by STP

Diagram: a rogue switch has become root bridge, and a gigabit link is blocked as a result

Spanning Tree Hardening Features

ProCurve:
Remote-Fault Notification (RFN) using auto-negotiation
Unidirectional Link Detection (UDLD)
BPDU Protection
Loop Protection
Root-Guard

Cisco:
Remote-Fault Notification (RFN) using auto-negotiation
Unidirectional Link Detection (UDLD)
BPDU-Guard
Keepalive
Root-Guard

RFN Operation

RFN operates at Layer 1

Diagram: in normal operation, Switch_A MAC/RS and Switch_B MAC/RS each transmit idle or frames and receive idle or frames. After a fiber break on one strand, Switch_B sees loss of signal and transmits Remote Fault; Switch_A receives the Remote Fault indication and drops to TX idle, so the broken link is taken down at both ends instead of staying half up.

RFN is optional but enabled by default on 1000BaseX ports on Cisco and ProCurve switches when auto-negotiation is used. Always use auto-negotiation on 1000BaseX ports.

UDLD Operation

UDLD operates at Layer 2
UDLD involves an exchange of protocol packets between neighboring devices
Both devices on the link must support UDLD and have it enabled on the respective ports

Diagram, Cisco to Cisco: "hello, I am switch A, port 1/1" / "acknowledge hello" works
Diagram, ProCurve to ProCurve: "hello, I am switch A, port a1" / "acknowledge hello" works
Diagram, Cisco to ProCurve: does not work, since Cisco and ProCurve have different implementations

ProCurve

UDLD Configuration Comparison

UDLD performs tasks that auto-negotiation cannot perform, such as detecting the identities of neighbors and shutting down misconnected ports

ProCurve UDLD
Interface specific:
Switch(config)# interface a1
Switch(eth-a1)# link-keepalive
Recovery is done automatically

Cisco UDLD
Global for all fiber ports:
Switch(config)# udld aggressive
Or interface specific:
Switch(config)# interface gig1/1
Switch(config-if)# udld port aggressive
Recovery configured globally:
Switch(config)# errdisable recovery cause udld
Switch(config)# errdisable recovery interval 300

BPDU Protection (security enhancement)

Spanning Tree Protocol operation is not protected in any way from rogue STP devices or malicious attacks. BPDU Protection is configurable on a per-port basis and allows the administrator to explicitly determine the legal boundary of the STP domain. Protection should be applied to the edge ports that are connected to end-user devices, which normally do not run STP.

Diagram: an end-user device on an edge port sends BPDUs; the protected port rejects them and is disabled

BPDU Protection and BPDU-Guard Configuration Comparison

These respective features should be enabled on end-user ports
STP BPDUs should not be allowed to be received on those ports
If a BPDU is received, the port is put in an errdisable state (Cisco) or the port is disabled (ProCurve)

ProCurve BPDU Protection
Interface specific:
Switch(config)# interface a1
Switch(eth-a1)# spanning-tree bpdu-protection
Recovery configured globally:
Switch(config)# spanning-tree bpdu-protection-timeout 300

Cisco BPDU-Guard
Global for all PortFast-enabled ports:
Switch(config)# spanning-tree portfast bpduguard default
Or interface specific:
Switch(config)# interface gig1/1
Switch(config-if)# spanning-tree bpduguard enable
Recovery configured globally:
Switch(config)# errdisable recovery cause bpduguard
Switch(config)# errdisable recovery interval 300

Loop Protection

Additional protection for networks from L2 forwarding loops. An undetectable loop can be formed if an unmanaged device attached to the network consumes and does not forward Spanning Tree packets.

Tricks & Tips
Loop protection operates by periodically sending out a special multicast packet. If the switch receives its own packet back, then a loop has been detected and the receiving port will be disabled.
loop-protect <port-list>

Cisco Keepalive Operation

Diagram, ProCurve Switch 408 (unmanaged) attached to a Cisco switch: the loop causes all frames, including BPDUs, to be looped back. The Cisco keepalive feature (enabled by default) may detect this condition and put the port in errdisable state; if BPDU-Guard is configured, it will also detect it.
Diagram, NetGear FS105 attached to a Cisco switch: the loop causes all frames excluding BPDUs to be looped back, even if STP is not supported on the switch. The Cisco keepalive feature (enabled by default) may detect this condition and put the port in errdisable state, but BPDU-Guard is not able to detect it.

ProCurve Loop Protect Operation

Diagram, ProCurve Switch 408 attached to a ProCurve switch: the loop causes all frames, including BPDUs, to be looped back. ProCurve Spanning Tree will detect this condition and block the port if STP is enabled.
Diagram, NetGear FS105 attached to a ProCurve switch: the loop causes all frames excluding BPDUs to be looped back, even if STP is not supported on the switch. If enabled, the ProCurve Loop Protect feature will detect this condition and disable the port.

Spanning Tree Root Guard Configuration Comparison

ProCurve Root Guard
Interface specific:
Switch(config)# spanning-tree a1 root-guard
Recovery is done automatically

Cisco Root Guard
Interface specific:
Switch(config)# interface gig1/1
Switch(config-if)# spanning-tree guard root
Recovery is done automatically

Tricks & Tips

A version of Spanning Tree needs to be enabled:
spanning-tree
(the default version depends on the switch; see Spanning Tree Protocol Defaults)

A root bridge should be configured:
spanning-tree priority 1 or 0

Switch-to-switch links need to be configured for transitioning or learning (802.1w), i.e. not as edge ports:
no spanning-tree <port-list> admin-edge-port

Tricks & Tips

Compatibility with 802.1D devices (Cisco): a port that receives legacy 802.1D BPDUs falls back to 802.1D operation; force it to re-check for an RSTP/MSTP neighbor with:
spanning-tree <port-list> mcheck

Spanning tree status and information:
show spanning-tree

Edge-port Defaults

Switch family / Default / Command
2500 / Edge-port enabled / Disable edge-port on switch links: no spanning-tree <ports> edge-port
2510 / Edge-port disabled / Enable edge-port on node ports: spanning-tree <ports> edge-port
2600 / Edge-port enabled / Disable edge-port on switch links: no spanning-tree <ports> edge-port
2800 / Edge-port enabled / Disable edge-port on switch links: no spanning-tree <ports> edge-port
2810 / Edge-port disabled / Enable edge-port on node ports: spanning-tree <ports> edge-port
2900 / Edge-port disabled / Enable edge-port on node ports: spanning-tree <ports> edge-port
3500 / Edge-port disabled / Enable edge-port on node ports: spanning-tree <ports> edge-port
4200 / Edge-port enabled / Disable edge-port on switch links: no spanning-tree <ports> edge-port
5300 / Edge-port enabled / Disable edge-port on switch links: no spanning-tree <ports> edge-port
5400 / Edge-port disabled / Enable edge-port on node ports: spanning-tree <ports> edge-port
6200 / Edge-port disabled / Enable edge-port on node ports: spanning-tree <ports> edge-port
6400 / Edge-port enabled / Disable edge-port on switch links: no spanning-tree <ports> edge-port

Tricks & Tips

BPDU Protection should be enabled on ALL edge ports to determine the legal boundary of the STP domain:
spanning-tree <port-list> bpdu-protection

Spanning tree traps:
spanning-tree traps errant-bpdu

BPDU Filter

BPDU Filter passively prevents the switch from receiving and transmitting BPDU frames on a specific port. It locks the port into the STP forwarding state.
Used to interconnect separate STP domains. Example: a LAN Extension service

Tricks & Tips

BPDU Filter should be enabled on the ports that interconnect separate STP domains to lock those ports into the STP forwarding state:
spanning-tree <port-list> bpdu-filter

Spanning Tree Configuration Example

Diagram: Internet at the top; CORE-A and CORE-B form the root bridge layer (spanning-tree priority 0); edge switches below carry the DATA & MGMT and VOIP VLANs; a separate STP domain is attached over a BPDU-filtered link

Root bridge at the core (CORE-A / CORE-B): spanning-tree priority 0
Edge features (end device ports): admin-edge-port, loop-protect, bpdu-protection
Separate STP domains: bpdu-filter on the interconnecting port

Spanning Tree Protocol Summary

Requires planning, design and implementation:
Version mismatches (Cisco versus IEEE)
Root bridge
Define STP edge ports (admin-edge or auto-edge)
Define the STP boundary (BPDU protection)
Identify ports for STP filtering (LAN extension)

Self-paced training: http://www.procurve.com/training/training/technical/npi/MSTP.htm

Link Aggregation or Trunking


Link aggregation

Increasing capacity between switches and servers
Load sharing
Static vs. dynamic

Challenge: Increasing switch link capacity

Diagram: a 5304xl core switch connected by a single full-duplex gigabit fiber link to each of two 2600 switches; behind each 2600 are six 1000Base-T full-duplex servers ((6 x 1000 Mb) x 2)

The full-duplex gigabit link provisioned between each 2600 switch and the 5304xl core switch carries traffic to and from six full-duplex gigabit servers
To increase the capacity of the connection between the core and the 2600 switches, a second link may be aggregated with the existing link

Terminology (Trunking)

HP, Foundry, 3Com: Trunking = Link aggregation = LACP
Cisco: Trunking = VLAN trunking = VLAN tagging (ISL, 802.1Q)
Nortel: Trunking = TDM voice trunking; also Split Multi-Link Trunking

Requirements for link aggregation

Link aggregation is also known as port trunking in HP ProCurve documentation
Requirements for port trunking:
HP ProCurve 2500, 2600, 2800, and 4100gl series, and 6108 switches allow up to eight links to be aggregated
The links in a port trunk must:
Be coterminous, i.e., they must begin together and end together (connect the same two devices)
Support the same mode and flow control options

Link Aggregation Methods

HP Port Trunking
Does not use a protocol to set up the trunk
Port trunking is compatible with other trunking methods because it is statically defined

Fast EtherChannel (FEC) ** No longer supported
FEC is a Cisco standard with widespread compatibility with other switches and multiple-adapter servers

Link Aggregation Control Protocol (LACP)
LACP is defined by IEEE standard 802.3ad
Both sides may be statically defined; however, LACP also supports a dynamic method for recognizing aggregated links

All three methods use both source and destination addresses for load sharing
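What "uses source and destination addresses for load sharing" means for capacity, as an added Python example (not ProCurve code): a conversation is mapped to one trunk member by hashing the two MAC addresses, so different flows spread across members, but one conversation never gets more than a single link, and a member failure re-hashes everything onto the survivors. The XOR-of-low-bytes hash, the port names, MACs and flow sizes are constructed for the example; the actual hash a ProCurve switch uses is not given on this page.

```python
"""Source/destination address hashing on an aggregated link.
Added example; not ProCurve code. The hash, ports, MACs and flows are constructed."""
from collections import Counter


def _low_byte(mac: str) -> int:
    return int(mac.replace(":", "")[-2:], 16)


def select_member(src_mac: str, dst_mac: str, members: list) -> str:
    """Pick the trunk member carrying a conversation. The same SA/DA pair always
    lands on the same member, which is what keeps one flow's frames in order."""
    if not members:
        raise ValueError("trunk has no active members")
    return members[(_low_byte(src_mac) ^ _low_byte(dst_mac)) % len(members)]


def distribute(flows, members):
    """flows: (src_mac, dst_mac, megabytes). Returns megabytes carried per member."""
    load = Counter({m: 0 for m in members})
    for src, dst, mb in flows:
        load[select_member(src, dst, members)] += mb
    return load


# Constructed traffic: a server talking to six clients, 100 MB each, plus one
# client pulling a 5000 MB backup over a single conversation.
SERVER = "00:11:22:33:44:01"
CLIENTS = [f"00:aa:bb:cc:dd:0{i}" for i in range(1, 7)]
FLOWS = [(SERVER, c, 100) for c in CLIENTS] + [(SERVER, CLIENTS[1], 5000)]
TRUNK = ["25", "26"]            # e.g. trunk 25-26 trk1 lacp

if __name__ == "__main__":
    print(distribute(FLOWS, TRUNK))          # six small flows split 3/3, backup pins one member
    print(distribute(FLOWS, TRUNK[:1]))      # member 26 down: everything re-hashes onto 25
```

The six small conversations split evenly, but the 5000 MB backup stays on whichever member its address pair hashes to, so the trunk's aggregate capacity doubles while a single server-to-client transfer is still bounded by one link. That is the trade-off to keep in mind when sizing a 2-port trunk against the "six gigabit servers behind one uplink" challenge above.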

HP ProCurve Supported Trunks

Switch family / number of trunks / ports per trunk
2500 / 1 trunk / 4 ports per trunk
2510 / 2 trunks / 4 ports per trunk
2600 / 6 trunks / 4 ports per trunk
2800 / 24 trunks / 8 ports per trunk
2810 / 24 trunks / 8 ports per trunk
2900 / 24 trunks / 8 ports per trunk
3500 / 60 trunks / 8 ports per trunk
4200 / 36 trunks / 8 ports per trunk
5300 / 36 trunks / 8 ports per trunk
5400 / 60 trunks / 8 ports per trunk
6200 / 60 trunks / 8 ports per trunk
6400 / 4 trunks / 4 ports per trunk

Interoperability: FEC, LACP, and HP Trunk

ProCurve to ProCurve: LACP or HP Trunk
ProCurve to Cisco: LACP
ProCurve to Nortel: LACP
ProCurve to Foundry: LACP
ProCurve to 3Com: LACP

Tricks & Tips

Configure trunks before connecting cables:
trunk 25-26 trk1 <trunk|lacp>

Unless dynamic LACP is utilized, disable LACP on all interfaces:
no interface <port-list> lacp

Ensure server trunks (teaming) are coterminous and the switch ports are configured correctly. Adapter vendors (Intel, Broadcom, AIX, HP) each use their own teaming terminology.

Link Aggregation DEMO

HP Switch Meshing


HP Switch Meshing
HP Switch Meshing is another option for providing Layer 2 redundancy. Switch meshing is a load-balancing technology that enhances reliability and performance.

Switch Meshing is an HP proprietary method for enabling automatic network redundancy and high availability at layer 2. Used in HP ProCurve environments.

Terminology (Switch Meshing)

A group of meshed switch ports exchanging meshing protocol packets is called a switch mesh domain
A switch mesh domain can contain up to 12 switches. Each switch can have up to 24 meshed ports
An edge switch has some mesh ports and some non-meshed ports. In the diagram, switches 1-5 are edge switches

HP Switch Meshing

Switch meshing is a load-balancing technology that enhances reliability and performance in these ways:
Provides significantly better bandwidth utilization than either Spanning Tree Protocol (STP) or standard port trunking
Uses redundant links that remain open to carry traffic, removing any single point of failure for disabling the network, and allowing quick responses to individual link failures. This also helps to maximize investments in ports and cabling
Unlike trunked ports, the ports in a switch mesh can be of different types and speeds. For example, a 10Base-FL port and a 1 Gb port can be included in the same switch mesh

Switch Meshing compatibility with STP and RSTP

To interoperate with non-meshing switches within the Layer 2 domain, enable STP or RSTP on the meshed switches
The mesh appears to non-meshing STP/RSTP switches as a single switch

Diagram: meshing and RSTP enabled on all meshed switches; two non-meshing switches configured with STP attach to the mesh, one of them via a port trunk; one redundant port is in Blocking state

Conversation-based load balancing

Determining the lowest-cost path
When the mesh is fully initialized, each path through the mesh is assigned a cost based on link speed, outbound and inbound queue depths, and packet drop counts
Costs are recalculated every 30 seconds
At any given moment, one path is considered the lowest-cost path

Forwarding decisions
Frames that are part of a new conversation are forwarded over the current lowest-cost path
Frames that are part of an established conversation are forwarded through the same port as the first frame in that conversation

HP Switch Meshing design guidelines

A mesh consists of up to 12 HP ProCurve series switches
A switch can have up to 24 meshed ports using any combination of media types and link speeds
Meshing and IP routing cannot simultaneously be enabled on the same switch
Meshing is enabled per port
Enable only on ports that directly connect to other meshed ports
HP Switch Meshing supports full mesh and partial mesh topologies

Summary: HP Switch Meshing

HP Switch Meshing can be used to improve availability while increasing capacity within a Layer 2 switched network
HP Switch Meshing is similar to the Spanning Tree Protocol in that it allows designers to create topologies that contain redundant paths
HP Switch Meshing deals with redundant links in a more intelligent way than STP or RSTP
Instead of placing redundant links in the Blocking state, switches using HP Switch Meshing can use all available links to forward traffic
The operation of HP Switch Meshing is transparent to non-meshing devices

Switch Meshing Supported Families

Switch families supporting meshing: 3400, 3500, 5300, 5400, 6200, 6400, 8200

Tricks & Tips

When meshing is added to or removed from ports, the switches must be rebooted
The mesh is automatically made a tagged member of all user-defined VLANs on the switch, immediately enabling the included links to carry traffic for all VLANs
A meshed switch cannot perform IP forwarding between VLANs. It cannot route and mesh simultaneously

Meshing DEMO

Server Adapter Teaming


Server Adapter Teaming

Multiple adapters function as a single Virtual Adapter (VA)
Devices communicate with the VA and cannot tell that there are multiple physical adapters
IEEE compliant for L2 and L3 identities: other network devices must see a single MAC and protocol address (1 entry in the ARP cache)
When the team initializes, the driver reads the BIA (Burned-In Address, or MAC) of each physical adapter and picks one MAC as the Primary Adapter
ARP replies the team provides for the server carry the Primary Adapter MAC

Team Failover and MAC/IP Management

Failover: the MACs of the Primary (PA) and one Non-Primary (NPA) adapter are swapped, and the Non-Primary becomes Primary
Swapping MACs results in the team always being known by one MAC and one protocol (IP) address
When the team transmits: the PA transmits using the team's MAC and IP
Non-Primaries always transmit with their own MAC and the team's IP
NFT and TLB: the MAC address a Non-Primary uses to transmit is always different from the PA's
SLB: additional switch intelligence allows all teamed adapters to use the same team MAC

Teaming Modes
Network Fault Tolerance (NFT) Transmit Load Balancing (TLB) Switch-assisted Load Balancing (SLB) Distributed Trunking (K.14.xx)

Network Fault Tolerance (NFT)

Simple redundancy
Two to eight ports in a fault-tolerant team
One defined Primary Adapter (PA)
Any speed, any media
Team can be split across switches
Remaining adapters are standby Non-Primary Adapters: they remain idle unless the PA fails
All adapters can transmit and receive heartbeats

Diagram: a Server with a Primary Adapter and a Backup Adapter, each to a different switch, serving two Users

Logical view, NFT before failure: NIC 1 transmits/receives data; NIC 2 is not active
Logical view, NFT after failure: NIC 1 is dead; NIC 2 transmits/receives data

Team members:
CAN be split across more than one switch for switch redundancy
MUST be in the same broadcast domain (VLAN): connect ALL team members to the same VLAN
If switch redundancy is required, HP recommends redundant links between the switches with Spanning Tree enabled (STP fast mode or RSTP)

Transmit Load Balancing (TLB)

Two to eight ports in a team as one Virtual Adapter
A single common speed
Team can be split across switches
All NFT features plus TLB
TCP/IP protocol only
Previously called Adaptive Load Balancing (ALB)
Allows the server to load balance traffic transmitted from the server
Received traffic is NOT load balanced: the Primary Adapter receives ALL traffic to the server, and also transmits
Non-Primary adapters only transmit frames

Diagram: a Server with a Primary Adapter and a Backup Adapter, each to a different switch, serving two Users

Logical view, TLB before failure: NIC 1 transmits/receives data; NIC 2 and NIC 3 transmit data only
Logical view, TLB after failure: NIC 1 is dead; NIC 2 transmits/receives data; NIC 3 transmits data only

Team members:
CAN be split across more than one switch for switch redundancy
MUST be in the same broadcast domain (VLAN): connect ALL team members to the same VLAN
If switch redundancy is required, HP recommends redundant links between the switches with Spanning Tree enabled (STP fast mode or RSTP)

Switch-Assisted Load Balancing (SLB)

Incorporates all features of NFT and TLB
Adds load balancing of received traffic
2-8 adapters act as a single virtual adapter
Load balances all traffic regardless of protocol

Compatible with:
HP ProCurve Port Trunking
IEEE 802.3ad Link Aggregation Control Protocol (static LACP)
Cisco EtherChannel (static mode only, no PAgP)
Others (Extreme, Intel, Bay/Nortel, etc.)

SLB is NOT Server Load Balancing (but works with Server Load Balancing)

All adapters in an SLB team are equal:
All adapters transmit and receive at the same speed
All ports must be connected to the SAME switch
The switch must be configured for the SAME mode (LACP)!!!

Diagram: a Server with all teamed adapters in one switch trunk, serving two Users

Logical view, SLB before failure: NIC 1, NIC 2 and NIC 3 all transmit/receive data
Logical view, SLB after failure: NIC 1 is dead; NIC 2 and NIC 3 transmit/receive data

Team members:
All adapters transmit and receive
Adapters must support a common speed
Must be used with an intelligent switch that supports this type of teaming
All ports must be part of the same switch trunk (LACP)

Distributed Trunking (Server to Switch)

Diagram: a Server (LACP team) with one link to each of two DT switches running K.14.xx software; the two DT switches are joined by an inter-switch connect (ISC) link and serve two Users

Distributed Trunking is a link aggregation technique where two or more links across two switches are aggregated together to form a trunk. Standard link aggregation requires all links of a trunk to terminate on the same switch; DT uses a new protocol, DTIP, to overcome this limitation and support link aggregation for links spanning two switches. DT provides node-level L2 resiliency in an L2 network when one of the switches fails. Distributed Trunking is included in switch software starting with version K.14. In this initial release, only Server-to-Switch Distributed Trunking is supported.

Limitations/Restrictions

Meshing and Distributed Trunking are mutually exclusive
Routing and Distributed Trunking are mutually exclusive
IGMP and DHCP snooping, arp-protect and STP are not supported on DT trunks
QinQ in mixed VLAN mode and DT are mutually exclusive
ISC ports are part of all VLANs, i.e. an ISC port becomes a member of a VLAN as soon as that VLAN is configured
An ISC port can be an individual port or a manual LACP trunk, but a dynamic LACP trunk cannot be configured as an ISC port
A maximum of 8 links in a DT trunk across two switches is supported, with a maximum of 4 links per DT switch
The current limit of 60 manual trunks per switch now includes DT manual trunks too
Only one ISC (inter-switch connect) link is supported per switch, for a maximum of 60 DT trunks per switch
Spanning Tree Protocol is disabled (BPDUs are filtered) on DT ports

Supported team types summary

Team types: NFT, TLB, SLB
Operating systems covered: Windows 2000, Windows 2003, Novell NetWare 4-6, Linux, Caldera OpenUnix 8, Caldera OpenServer 5

Tricks & Tips

Enable RSTP or STP with fast mode
Ensure SLB server trunks are coterminous and the switch ports are configured correctly
Mixing adapters with different hardware features in TLB and SLB teams gives the lowest common denominator of features: every team member must support a feature for it to be used
Using adapters with mixed speeds in TLB teams: higher-speed adapters may be under-utilized

Different Network Interface (NIC) manufacturers use different terms: Intel, Broadcom, AIX

Teaming with TLB demo topology

Diagram (same topology as the STP Root Bridge demo):
HP 5406zl (J8699A) 5406_#1, IP 10.10.1.1; VRRP addresses VLAN 1 = 10.10.1.1, VLAN 2 = 10.10.2.1, VLAN 3 = 10.10.3.1, VLAN 4 = 10.10.4.1, VLAN 5 = 10.10.5.1, VLAN 6 = 10.10.6.1, VLAN 7 = 10.10.7.1, VLAN 8 = 10.10.8.1, VLAN 9 = 10.10.9.1, VLAN 10 = 10.10.10.1, VLAN 50 = 10.10.50.1
HP 5406zl 5406_#2, IP 10.10.1.2; VRRP addresses VLAN 1 = 10.10.1.2, VLAN 2 = 10.10.2.2, VLAN 3 = 10.10.3.2, VLAN 4 = 10.10.4.2, VLAN 5 = 10.10.5.2, VLAN 6 = 10.10.6.2, VLAN 7 = 10.10.7.2, VLAN 8 = 10.10.8.2, VLAN 9 = 10.10.9.2, VLAN 10 = 10.10.10.2, VLAN 50 = 10.10.50.2
10 Gigabit link (F4) between the two 5406 switches
HP DL360 server, Server Teaming (TLB), IP 10.10.50.10: Port 1 to port A1 of one 5406 and Port 2 to port A1 of the other
HP 2650-PWR (J8165A, IP 10.10.1.3) uplinks: port 49 over 1000SX (multimode patch cord) and port 50 over 1000LX (mode-conditioning patch cord) to port B24 of each 5406
HP nc6000 laptop on 2650 port 1: VLAN 5, IP 10.10.5.100, default gateway 10.10.5.1

Server Teaming (TLB) DEMO

Virtual Router Redundancy Protocol (VRRP)


Virtual Router Redundancy Protocol (VRRP)


VRRP (Virtual Router Redundancy Protocol) is the feature used by the HP ProCurve Series 3500yl, 5400zl, & 6200yl family of switches to provide router redundancy, or fail-over, to one or more backup routers in case one fails. XRRP (XL Router Redundancy Protocol) is the feature used by the HP ProCurve Series 5300XL & 3400 family of switches to provide router redundancy, or fail-over, to a backup router in case one fails. Both allow you to configure one or more switches to behave as backup routers for each other.

Terminology (VRRP)

Virtual Router: A Virtual Router (VR) instance consists of one Owner router and one or more Backup routers belonging to the same network. Any VR instance exists within a specific VLAN, and all members of a given VR must belong to the same subnet. In a multinetted VLAN, multiple VRs can be configured. The Owner operates as the VR's Master unless it becomes unavailable, in which case the highest-priority Backup becomes the VR's Master.
Master: The physical router that is currently providing the virtual router interface to the host computers.
Advertisement Interval: The time interval at which the Master router sends out VRRP packets on each virtual router interface.

Virtual Router Redundancy Protocol (VRRP)


[Diagram labels: Default Gateway 10.0.1.1 / 10.0.2.1; Server; Protective Domain; Default Gateway; Default Gateway; User 10.0.1.1; User 10.0.2.1]

VRRP Normal Operation

On a given VLAN, a VR includes two or more member routers configured with a virtual IP address that is also configured as a real IP address on one of the routers, plus a virtual router MAC address. The router that owns the IP address is configured to operate as the Owner of the VR for traffic-forwarding purposes, and by default has the highest VRRP priority in the VR. The other router(s) in the VR have a lower priority and are configured to operate as Backups in case the Owner router becomes unavailable. The configuration is done separately for each VLAN.

VRRP Fail-Over Operation

The Owner normally operates as the Master for a VR. But if it becomes unavailable, then a failover to a Backup router belonging to the same VR occurs, and this Backup becomes the current Master. If the Owner recovers, a failback occurs, and Master status reverts to the Owner. (Note that using more than one Backup provides additional redundancy, meaning that if both the Owner and the highest-priority Backup fail, then another, lower-priority Backup can take over as Master.) The current Master router sends periodic advertisements to inform the other router(s) in the VR of its operational status. If the Backup router(s) fail to receive a Master advertisement within the timeout interval, the current Master is assumed to be unavailable and a new Master is elected from the existing Backups. The timeout interval for a VR is three times the advertisement interval configured on the VR(s) in the network or subnet. In the default VRRP configuration, the advertisement interval is one second and the resulting timeout interval is three seconds.
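The Normal Operation and Fail-Over behaviour described above, worked through as an added Python model. This is illustration code written for this page, not ProCurve firmware and not anything from the presentation. It keeps the slide's simplification that the Master is declared down after exactly three advertisement intervals (RFC 3768 adds a small priority-dependent skew time, which the model leaves out); the router names, the Backup priorities 100 and 50, VRID 5 and the outage timeline are constructed for the example, with the virtual IP taken from the demo topology's VLAN 5 gateway.

```python
from dataclasses import dataclass

OWNER_PRIORITY = 255      # the Owner (holder of the real IP) always has the top priority
TIMEOUT_MULTIPLIER = 3    # slide: timeout = 3 x advertisement interval
                          # (RFC 3768 adds a priority-dependent skew time; omitted here)


@dataclass
class Router:
    name: str
    priority: int
    alive: bool = True


class VirtualRouter:
    """One VR instance on one VLAN: an Owner plus one or more Backups."""

    def __init__(self, vrid: int, vlan: int, virtual_ip: str, advert_interval: float = 1.0):
        self.vrid, self.vlan, self.virtual_ip = vrid, vlan, virtual_ip
        self.advert_interval = advert_interval
        self.members = []
        self.master = None
        self.last_advert_seen = None   # time the Backups last heard the Master
        self.history = []              # (time, new Master, reason)

    @property
    def timeout(self) -> float:
        return TIMEOUT_MULTIPLIER * self.advert_interval

    def add_owner(self, name: str) -> Router:
        router = Router(name, OWNER_PRIORITY)
        self.members.append(router)
        return router

    def add_backup(self, name: str, priority: int) -> Router:
        if not 1 <= priority <= 254:
            raise ValueError("Backup priority must be 1..254")
        router = Router(name, priority)
        self.members.append(router)
        return router

    def _become_master(self, router: Router, now: float, reason: str):
        self.master = router
        self.last_advert_seen = now
        self.history.append((now, router.name, reason))

    def step(self, now: float):
        """Advance one advertisement interval; `now` is the current time in seconds."""
        alive = [r for r in self.members if r.alive]
        best = max(alive, key=lambda r: r.priority, default=None)
        # Fail-back: the recovered Owner (or any higher-priority router) takes over at once.
        if best is not None and (self.master is None or best.priority > self.master.priority):
            self._become_master(best, now, "initial" if self.master is None else "preempt")
        # A live Master advertises every interval and nothing else happens.
        if self.master is not None and self.master.alive:
            self.last_advert_seen = now
            return
        # Master silent: the Backups keep waiting until the timeout has elapsed ...
        if self.last_advert_seen is not None and now - self.last_advert_seen < self.timeout:
            return
        # ... and then the highest-priority remaining Backup becomes Master.
        if best is not None and best is not self.master:
            self._become_master(best, now, "timeout")


def run_demo():
    """Owner fails, then the first Backup fails, then the Owner returns (constructed timeline)."""
    vr = VirtualRouter(vrid=5, vlan=5, virtual_ip="10.10.5.1")   # VLAN 5 gateway from the demo
    owner = vr.add_owner("Owner")          # e.g. HP 5406_#1, whose real IP is 10.10.5.1
    backup_a = vr.add_backup("BackupA", 100)
    vr.add_backup("BackupB", 50)
    goes_down = {2: owner, 7: backup_a}    # router fails right after this second's advertisement
    comes_back = {11: owner}
    for second in range(14):
        vr.step(float(second))
        if second in goes_down:
            goes_down[second].alive = False
        if second in comes_back:
            comes_back[second].alive = True
    return vr.history


if __name__ == "__main__":
    for when, who, why in run_demo():
        print("t=%4.1fs  Master -> %-8s (%s)" % (when, who, why))
```

With the default one-second advertisement interval the Owner's failure at t=2 is only acted on at t=5, and BackupA's failure at t=7 at t=10: the three-second timeout from the slide. The Owner's return at t=11 is noticed on the next interval without any waiting, which is the failback described above.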

Router Redundancy Protocol (VRRP)


[Diagram labels: Default Gateway 10.0.1.1 / 10.0.2.1; Server; Protective Domain; Default Gateway; Default Gateway; User 10.0.1.1; User 10.0.2.1]

VRRP Supported Families


Switch Families (XRRP or VRRP): 5300, 3400, 6400, 3500, 6200, 5400, 8200, 9300/9400

XRRP Versus Cisco's HSRP

Feature comparison (columns: ProCurve XRRP, Cisco HSRP)
Single Hot Standby
Load Balancing across VLANs
Load Balancing within VLAN

Tricks & Tips

VRRP uses the following multicast MAC address for its protocol packets:
00-00-5E-00-01-<VRID>

XRRP uses the following multicast MAC address for its protocol packets:
0101-E794-0640

Never set up a default or static route that points to the peer router as the path. Routers must have identical connectivity. That is, they must have the same access to all remote subnets, and the route costs of that access must be the same.
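An added Python example for the VRRP tip above; it is not code from the presentation or from HP. It derives the virtual router MAC 00-00-5E-00-01-<VRID>, parses VRRPv2 advertisements in the RFC 3768 layout (version/type, VRID, priority, address count, authentication type, advertisement interval, checksum, addresses, 8 bytes of authentication data) with checksum verification, and audits captured advertisements against the expected VR configuration, so a router that is not a member of the VR, or that claims the Owner priority without holding the virtual IP, is reported to the network manager. VRID 5, the member set and the captured packets are constructed; the addresses follow the VLAN 5 gateway 10.10.5.1 of the demo topology.

```python
import struct
from ipaddress import IPv4Address

VRRP_MULTICAST = "224.0.0.18"   # RFC 3768 destination of advertisements
VRRP_IP_PROTO = 112


def vrrp_virtual_mac(vrid: int) -> str:
    """Virtual router MAC 00-00-5E-00-01-<VRID> (VRID in hex), as on the slide."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return "00-00-5E-00-01-%02X" % vrid


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; evaluates to 0 over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid: int, priority: int, addresses, adver_int: int = 1) -> bytes:
    """Build a VRRPv2 advertisement (RFC 3768 layout, no authentication).
    Used here only to construct sample input for the parser."""
    header = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority,
                         len(addresses), 0, adver_int, 0)
    body = header + b"".join(IPv4Address(a).packed for a in addresses) + bytes(8)
    csum = internet_checksum(body)
    return body[:6] + struct.pack("!H", csum) + body[8:]


def parse_advertisement(pkt: bytes) -> dict:
    """Decode and validate one VRRPv2 advertisement; raises ValueError if it is bad."""
    if len(pkt) < 8:
        raise ValueError("short VRRP header")
    vt, vrid, priority, count, auth_type, adver_int, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != 2 or vt & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    length = 8 + 4 * count + 8          # header + IP addresses + 8 authentication bytes
    if len(pkt) < length:
        raise ValueError("truncated address list")
    if internet_checksum(pkt[:length]) != 0:
        raise ValueError("bad checksum")
    addresses = [str(IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": priority, "adver_int": adver_int,
            "auth_type": auth_type, "addresses": addresses,
            "virtual_mac": vrrp_virtual_mac(vrid)}


def audit(observations, expected):
    """observations: (source IP, VRRP payload) pairs captured on one VLAN.
    expected: {vrid: {"virtual_ip": str, "members": set of the routers' real IPs}}.
    Returns (source, finding) pairs the network manager should look at."""
    findings = []
    for src, pkt in observations:
        try:
            adv = parse_advertisement(pkt)
        except ValueError as err:
            findings.append((src, "malformed advertisement: %s" % err))
            continue
        cfg = expected.get(adv["vrid"])
        if cfg is None:
            findings.append((src, "advertisement for unknown VRID %d" % adv["vrid"]))
            continue
        if src not in cfg["members"]:
            findings.append((src, "VRID %d advertised by a router that is not a VR member" % adv["vrid"]))
        if adv["addresses"] != [cfg["virtual_ip"]]:
            findings.append((src, "VRID %d advertises %s, expected %s"
                             % (adv["vrid"], adv["addresses"], cfg["virtual_ip"])))
        if adv["priority"] == 255 and src != cfg["virtual_ip"]:
            findings.append((src, "Owner priority 255 claimed by a non-owner for VRID %d" % adv["vrid"]))
    return findings


# Constructed demo state: VLAN 5 of the demo topology, VRID 5 assumed.
EXPECTED = {5: {"virtual_ip": "10.10.5.1", "members": {"10.10.5.1", "10.10.5.2"}}}


def demo_observations():
    return [
        ("10.10.5.1", build_advertisement(5, 255, ["10.10.5.1"])),   # Owner (HP 5406_#1)
        ("10.10.5.2", build_advertisement(5, 100, ["10.10.5.1"])),   # Backup (HP 5406_#2)
        ("10.10.5.77", build_advertisement(5, 255, ["10.10.5.1"])),  # constructed: not a VR member
        ("10.10.5.2", build_advertisement(9, 100, ["10.10.9.1"])),   # constructed: VRID nobody configured
    ]


def demo_findings():
    return audit(demo_observations(), EXPECTED)


if __name__ == "__main__":
    for src, finding in demo_findings():
        print(src, "-", finding)
```

The first two observations are the normal Owner and Backup and produce nothing; the third yields two findings (non-member, and Owner priority from a host that does not hold 10.10.5.1) and the fourth one (unknown VRID). A capture filter of IP protocol 112 to 224.0.0.18 is enough to collect the input on a monitoring port.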

Router Redundancy with VRRP

[Diagram: Router Redundancy with VRRP demo topology. Labels recovered from the slide, in slide order:]
VRRP VLAN 1= 10.10.1.1, VLAN 2= 10.10.2.1, VLAN 3= 10.10.3.1, VLAN 4= 10.10.4.1, VLAN 5= 10.10.5.1, VLAN 6= 10.10.6.1, VLAN 7= 10.10.7.1, VLAN 8= 10.10.8.1, VLAN 9= 10.10.9.1, VLAN 10= 10.10.10.1, VLAN 50= 10.10.50.1 (matches HP 5406_#1 IP= 10.10.1.1)
HP DL360 Server Teaming (TLB) IP= 10.10.50.10, Port 2, Port 1
VRRP VLAN 1= 10.10.1.2, VLAN 2= 10.10.2.2, VLAN 3= 10.10.3.2, VLAN 4= 10.10.4.2, VLAN 5= 10.10.5.2, VLAN 6= 10.10.6.2, VLAN 7= 10.10.7.2, VLAN 8= 10.10.8.2, VLAN 9= 10.10.9.2, VLAN 10= 10.10.10.2, VLAN 50= 10.10.50.2 (matches HP 5406_#2 IP= 10.10.1.2)
Port A1, Port A1 (two ProCurve Switch 5406zl J8699A chassis, each with a ProCurve 5400zl Management Module J8726A and ProCurve 24p Gig-T zl Modules J8702A: PoE-integrated 10/100/1000Base-T ports 1-24, IEEE Auto MDI/MDI-X)
Default Gateway 10.10.5.1
10 Gigabit F4
HP 5406_#1 IP= 10.10.1.1, Port B24
HP 5406_#2 IP= 10.10.1.2, Port B24
HP 2650 IP= 10.10.1.3 (hp ProCurve Switch 2650-PWR J8165A: 10/100Base-TX ports 1-48, Gig-T ports 49 and 50 with Mini-GBIC slots, use only one (T or M) for each Gigabit port)
Port 49, 1000SX (Multimode patch cord)
Port 50, Port 1, 1000LX (Mode conditioning patch cord)
HP nc6000 VLAN 5 IP= 10.10.5.100 DG= 10.10.5.1

VRRP DEMO

Connection Rate Filtering (Virus Throttling)


REMEMBER!
No other vendor has brought capabilities like these to the industry in their switches!
Cutting edge technology (developed at HP Labs) for mainstream customers at affordable prices
It's a free upgrade
First

The Virus Problem


Most anti-virus software works by preventing infection. It works well but occasionally fails:
Anti-virus software fails to recognize new viruses
Client/server/security software not up-to-date
Worms can spread very rapidly and cause lots of damage (SQL Slammer, Sasser)

05:29 Jan 25: 0 infected
06:00 Jan 25: 74855 infected

Todays Limited Solutions


Signature-based detection (known malicious code)
Targeted at viruses that have been seen before
Has to touch the client, since that is where the virus is actually detected
Ineffective initially with unknown viruses; could lead to network paralysis with quick-spreading viruses
How do you manage the unknown, often the most destructive?

Competition's only solution
Solving a different virus concern
Assumes all clients entering the network are homogeneous
Only a partial solution
No acceptance for outside clients like other vendors' sales reps, contract employees, etc.

For Virus Throttling, ProCurve targets the virus (worm) behavior

Advantages to ProCurve Security Architecture Virus Throttling


Works without knowing anything about the virus
Handles unknown viruses; needs no signature updates

Protects network infrastructure
Network and switches will stay up and running, even when under attack

Notification
When a host is throttled, an SNMP trap and log event are generated; IT staff have time to react before the problem escalates to a crisis

ProCurves Security Advantages


Virus Throttling is unique
Monitors all ports simultaneously
Easy to configure
No periodic updates needed

Some competitors have behavioural detection that is similar, but:
Requires an external appliance or special switch module
Extra cost

The Solution: Virus Throttling

As the worm virus tries to spread, the switch detects the activity and automatically either:
throttles traffic from these nodes at the routed VLAN boundary: greatly slows the virus spread and allows time to react without bringing the network down for the infected client, or
prevents all traffic from the infected client from being routed to other parts of the network: stops virus spread, but also prevents all traffic from the infected client from being routed to the rest of the network

Virus Throttling Caveats


Throttling automatically occurs only for traffic across routed VLANs
Routing is required; there is no automatic effect in pure L2 environments
Other nodes on the VLAN with the infected client are still at risk
Traffic from infected clients continues to be forwarded in the L2 environment, BUT the network manager is notified of virus activity and can take steps through PCM+ to find and shut down the switch port where the virus is entering the network.

The Solution: Virus Throttling In an L2 Environment


If you are running PCM+ 1.6 or later:
PCM+ gets the trap from the switch identifying the IP address of the infected client
The Net Manager can then:
Use PCM+ to find the switch port associated with this IP address
Shut down the switch port, preventing the virus from entering the network at L2 as well
The Net Manager can now deal with just the client, not the rest of the network

Virus Throttling in an L2 Environment


1. Switch detects virus activity
2. Alerts PCM+ with IP addr and MAC addr of infected client
3. Net Manager alerted
4. Manager uses Find Switch Port utility to locate client switch port
5. Manager shuts down that switch port

[Diagram labels: PCM+; X; Virus; Traffic blocked]

Virus Throttling
Switch Families with Virus Throttling: 5300 (L3), 3500, 6200, 5400, 8200
Virus Throttling Enabled

HP ProCurve Manager and ProCurve Manager Plus


HP ProCurve Manager implements Command from the Center

Windows-based network management solution
Enables configuration and monitoring of network devices from a central location
Two versions available: Standard and PLUS
Provides the necessary tools to effectively manage your network, including: auto-discovery, topology mapping, device polling, device configuration, traffic monitoring

Comparing HP ProCurve Manager and Manager Plus


HP ProCurve Manager
No cost; replaces HP TopTools for Hubs & Switches
Included with all new ProCurve devices; available as a free download from the ProCurve web site
Key features include: Auto Discovery, Network Status and Monitoring, Alerts and Troubleshooting, Device Management, Network Topology Mapping

HP ProCurve Manager Plus
Free trial for 30 Days
Additional features include: Advanced VLAN Management, In-depth Traffic Analysis, Group and Policy Management, Device Firmware Updates, Device Configuration Management

Supported operating systems and system requirements

Client installation

From any web browser: You can access the PCM GUI Download Page via port 8040 of the Management Server. There are 2 steps in client installation: 1) Install the Client Software using the GUI Download page 2) Authorize the client host to access the management server

HP ProCurve Manager Home Page

Navigation Pane

Home Page Dashboard

User management
Authentication is required for all users using the HP ProCurve Manager Client. The three user types are:
Administrator - full access
Operator - full access with the exception of adding/modifying/deleting user accounts
Viewer - restricted access; no database changes allowed

Auto-discovery
HP ProCurve Manager polls the device specified as the default gateway and all subnets configured on the device; a list of all subnets will be discovered
By default, only devices contained within the subnet of the specified default gateway will be auto-discovered and managed
Additional managed subnets can be added, and their devices managed and configured
Automatic discovery can be stopped and started at any time
Discovery can be performed in a manual mode

Discovery components
Topology: discovers devices, using CDP, and creates the Network topology map
ARP: reads the ARP cache on all active devices
VLAN: obtains all VLAN and subnet information on each discovered device; creates both VLAN and Subnet topology maps
Ping Sweep: discovers all devices sequentially, including inactive devices

Viewing the Network Map

The Network Maps window provides a graphical view of the physical layout of the managed network.

VLAN Manager
Provides a graphical interface for managing VLANs

Create VLANs that can span the entire managed network infrastructure
Select switches from a list to add to the VLAN
View and modify properties and port memberships
Use the Global Discovery Manager to add the VLAN as a managed subnet

Delete VLANs
Remove all references to the VLAN from all switches that have port members of the VLAN
All port members of the deleted VLAN will be returned to the Default VLAN on their respective devices

Policy Manager
Policy Manager allows network administrators to define and enforce configuration-based parameters for a group of devices: Community Names, Trap Receivers, Authorized Managers, Spanning Tree Protocol
Configure multiple devices with a single action
Schedule for automatic enforcement

Configuration management
Configuration management features include:
Scheduled and manual device configuration scans; by default, a configuration scan runs on all discovered devices at 6AM every day
Comparison and deployment of configurations on multiple devices
A configuration history tab displays a summary of previous scans
The ability to use CLI commands to deploy a specific configuration to a single device or multiple devices
Automatic firmware update

Updating firmware automatically


HP provides periodic firmware updates for HP ProCurve switches via the HP ProCurve Support web site
http://www.hp.com/rnd/software/index.htm

The Configuration management screen on HP ProCurve Manager provides an interface for downloading the latest firmware
HP ProCurve Manager Plus offers a Firmware Update feature that automatically downloads and applies updates

PCM+ DEMO

Things to check when you leave here!


Spanning Tree
Server teaming
Microsoft Clustering
Switch logs

Things to check when you leave!

Switch Log Issues


>show log
W 02/03/09 00:53:09 00332 FFI: port A10-Excessive Broadcasts. See help.
W 02/03/09 00:53:30 00332 FFI: port A1-Excessive Broadcasts. See help.
W 02/03/09 00:53:41 00332 FFI: port A10-Excessive Broadcasts. See help.
W 02/03/09 01:12:07 00564 ports: port A1 PD Invalid Signature indication.
I 02/03/09 01:12:10 00076 ports: port A1 is now on-line
W 02/03/09 01:12:20 00332 FFI: port A1-Excessive Broadcasts. See help.
W 02/03/09 01:12:20 00332 FFI: port A10-Excessive Broadcasts. See help.
W 02/03/09 01:28:53 00329 FFI: port A1-Excessive CRC/alignment errors. See help.
W 02/03/09 01:28:53 00332 FFI: port A1-Excessive Broadcasts. See help.
W 02/03/09 01:29:46 00331 FFI: port A1-High collision or drop rate. See help.
I 02/03/09 01:42:58 00077 ports: port A1 is now off-line
W 02/03/09 01:44:28 00564 ports: port A1 PD Invalid Signature indication.
I 02/03/09 01:44:31 00076 ports: port A1 is now on-line
W 02/03/09 01:44:42 00329 FFI: port A1-Excessive CRC/alignment errors. See help.
W 02/03/09 01:44:42 00332 FFI: port A1-Excessive Broadcasts. See help.
W 02/03/09 01:46:38 00331 FFI: port A1-High collision or drop rate. See help.
W 02/03/09 01:46:39 00331 FFI: port A1-High collision or drop rate. See help.
W 02/03/09 01:46:49 00331 FFI: port A1-High collision or drop rate. See help.
W 02/03/09 01:46:52 00331 FFI: port A1-High collision or drop rate. See help.

Spanning-Tree Issue
>show spanning-tree
Multiple Spanning Tree (MST) Information
STP Enabled : Yes
Force Version : MSTP-operation
IST Mapped VLANs : 1
Switch MAC Address : 0019bb-0ae000
Switch Priority : 0
Max Age : 20
Max Hops : 20
Forward Delay : 15
Topology Change Count : 33456
Time Since Last Change : 89 secs
CST Root MAC Address : 0019bb-0ae000
CST Root Priority : 0
CST Root Path Cost : 0
CST Root Port : This switch is root

IST Regional Root MAC Address : 0019bb-0ae000

>show tech addrmgrmovelist
mac address    vid  old port  new port  timestamp
-------------  ---  --------  --------  -----------------
005056-906d8a  1    A12       Trk1      02/03/09 10:15:54
005056-906d8a  1    A10       A12       02/03/09 10:15:57
005056-906d8a  1    A12       Trk1      02/03/09 10:16:00
005056-906d8a  1    A10       A12       02/03/09 10:16:03
005056-906d8a  1    A12       Trk1      02/03/09 10:16:06
005056-906d8a  1    A10       A12       02/03/09 10:16:09
005056-906d8a  1    A12       Trk1      02/03/09 10:16:12
005056-906d8a  1    A10       A12       02/03/09 10:16:15
005056-906d8a  1    A12       Trk1      02/03/09 10:16:18
005056-906d8a  1    A10       A12       02/03/09 10:16:21
005056-906d8a  1    A12       Trk1      02/03/09 10:16:24
005056-906d8a  1    A10       A12       02/03/09 10:16:27
005056-906d8a  1    A12       Trk1      02/03/09 10:16:30
005056-906d8a  1    A10       A12       02/03/09 10:16:33
005056-906d8a  1    A12       Trk1      02/03/09 10:16:36
005056-906d8a  1    A10       A12       02/03/09 10:16:39
005056-906d8a  1    A12       Trk1      02/03/09 10:16:42
005056-906d8a  1    A10       A12       02/03/09 10:16:45
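Added Python triage code for the three troubleshooting outputs above; it is not from the presentation. It parses ProCurve event-log lines in the show log format shown (severity, date, time, event id, facility, message), counts FFI warnings per port and per message, counts link up/down transitions, and parses the addrmgr move-list rows to find a MAC address that keeps moving between ports. A high Topology Change Count together with one MAC flapping between a trunk and two access ports is what the Spanning-Tree and Server Teaming issue slides are pointing at. The sample lines are a subset of the slide's own output; the thresholds (three FFI warnings, six moves in sixty seconds) are assumptions chosen for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Event log line: "<severity> <mm/dd/yy> <hh:mm:ss> <event id> <facility>: <message>"
LOG_RE = re.compile(r"^([A-Z])\s+(\d\d/\d\d/\d\d)\s+(\d\d:\d\d:\d\d)\s+(\d{5})\s+(\w+):\s+(.*)$")
PORT_RE = re.compile(r"\bport (\S+?)(?:-|\s|$)")
# Move-list row: "<mac> <vid> <old port> <new port> <mm/dd/yy hh:mm:ss>"
MOVE_RE = re.compile(r"^([0-9a-f]{6}-[0-9a-f]{6})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)$")
TIME_FMT = "%m/%d/%y %H:%M:%S"


def parse_log(text):
    """Return one dict per recognised log line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        severity, date, clock, event_id, facility, message = m.groups()
        port = PORT_RE.search(message)
        events.append({"severity": severity, "time": datetime.strptime(date + " " + clock, TIME_FMT),
                       "id": event_id, "facility": facility,
                       "port": port.group(1) if port else None, "message": message})
    return events


def ffi_summary(events, min_count=3):
    """(port, warning, count) for FFI (Find-Fix-Inform) warnings seen at least min_count times."""
    counts = Counter()
    for e in events:
        if e["facility"] == "FFI" and e["severity"] == "W" and e["port"]:
            warning = e["message"].split("-", 1)[-1].split(".")[0].strip()   # "port A1-Excessive Broadcasts. ..."
            counts[(e["port"], warning)] += 1
    rows = [(port, warning, n) for (port, warning), n in counts.items() if n >= min_count]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


def link_transitions(events):
    """Count on-line/off-line transitions per port (event ids 00076 / 00077 on the slide)."""
    counts = Counter()
    for e in events:
        if e["id"] in ("00076", "00077") and e["port"]:
            counts[e["port"]] += 1
    return dict(counts)


def parse_move_list(text):
    moves = []
    for line in text.splitlines():
        m = MOVE_RE.match(line.strip())
        if m:
            mac, vid, old, new, stamp = m.groups()
            moves.append((mac, int(vid), old, new, datetime.strptime(stamp, TIME_FMT)))
    return moves


def flapping_macs(moves, window_seconds=60, min_moves=6):
    """MACs that moved at least min_moves times inside any window of window_seconds."""
    by_mac = defaultdict(list)
    for mac, vid, old, new, stamp in moves:
        by_mac[(mac, vid)].append((stamp, old, new))
    result = []
    for (mac, vid), entries in by_mac.items():
        entries.sort()
        times = [t for t, _, _ in entries]
        ports = sorted({p for _, old, new in entries for p in (old, new)})
        best, start = 0, 0
        for end in range(len(times)):                 # sliding window over the timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_moves:
            result.append({"mac": mac, "vid": vid, "moves_in_window": best, "ports": ports})
    return result


# Sample input: a subset of the show log and move-list lines from the slide.
SAMPLE_LOG = """
W 02/03/09 00:53:09 00332 FFI: port A10-Excessive Broadcasts. See help.
W 02/03/09 00:53:30 00332 FFI: port A1-Excessive Broadcasts. See help.
W 02/03/09 00:53:41 00332 FFI: port A10-Excessive Broadcasts. See help.
W 02/03/09 01:12:07 00564 ports: port A1 PD Invalid Signature indication.
I 02/03/09 01:12:10 00076 ports: port A1 is now on-line
W 02/03/09 01:12:20 00332 FFI: port A1-Excessive Broadcasts. See help.
W 02/03/09 01:28:53 00329 FFI: port A1-Excessive CRC/alignment errors. See help.
W 02/03/09 01:28:53 00332 FFI: port A1-Excessive Broadcasts. See help.
W 02/03/09 01:29:46 00331 FFI: port A1-High collision or drop rate. See help.
I 02/03/09 01:42:58 00077 ports: port A1 is now off-line
W 02/03/09 01:46:38 00331 FFI: port A1-High collision or drop rate. See help.
W 02/03/09 01:46:39 00331 FFI: port A1-High collision or drop rate. See help.
W 02/03/09 01:46:49 00331 FFI: port A1-High collision or drop rate. See help.
"""
SAMPLE_MOVES = """
005056-906d8a 1 A12 Trk1 02/03/09 10:15:54
005056-906d8a 1 A10 A12 02/03/09 10:15:57
005056-906d8a 1 A12 Trk1 02/03/09 10:16:00
005056-906d8a 1 A10 A12 02/03/09 10:16:03
005056-906d8a 1 A12 Trk1 02/03/09 10:16:06
005056-906d8a 1 A10 A12 02/03/09 10:16:09
005056-906d8a 1 A12 Trk1 02/03/09 10:16:12
005056-906d8a 1 A10 A12 02/03/09 10:16:15
005056-906d8a 1 A12 Trk1 02/03/09 10:16:18
005056-906d8a 1 A10 A12 02/03/09 10:16:21
"""

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for port, warning, n in ffi_summary(events):
        print("%-5s %-30s x%d" % (port, warning, n))
    print("link transitions:", link_transitions(events))
    for f in flapping_macs(parse_move_list(SAMPLE_MOVES)):
        print("MAC %s on VLAN %d moved %d times within 60 s between %s"
              % (f["mac"], f["vid"], f["moves_in_window"], ", ".join(f["ports"])))
```

On the sample input port A1 stands out with four "High collision or drop rate" and three "Excessive Broadcasts" warnings, and 005056-906d8a (a VMware OUI) cycles between A10, A12 and Trk1 every three seconds: a server team or host that is being seen on ports it should not be, which is the kind of thing to check before leaving the site.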

Server Teaming Issue

ProVision Software Features


Optional Premium License


ProCurve 3500/5400/6600/8200 switches ship with:
Layer 2 + Base Layer 3 routing capabilities (static IP routing and RIP) standard

The Premium License provides advanced Layer 3 features:
OSPFv2, PIM Dense Mode, PIM Sparse Mode, VRRP, QinQ - IEEE 802.1ad

Note: The ProCurve 6200 switch ships with the Premium License included

5400/3500 Features
Flexibility Features
Versatile Intelligent Port: every copper port is 10/100/1000, PoE enabled, has all L3 services applied and 8 hardware queues; all copper ports created equal
Routing Support: RIP, static routes; OSPF, includes ECMP; PIM Sparse; PIM Dense; VRRP

Operational Flexibility
24-port stackable to 288-port chassis in a single, consistent product family
L3 Services at L2: ACLs, QoS, etc. can use L3 info without the switch routing
Jumbo packet support (L2/L3)
Quiet operation
Power supply choice for optimum PoE power
Small chassis size minimizes space requirements
RMON, XRMON, sFlow support

5400/3500 Features
Intelligent Edge Features
Security: Protect, Detect, Respond to Network Threats
Fast, flexible ACLs: can use ICMP/IGMP/Protocol fields, IP TOS byte
IP & MAC lockdown/lockout
Source port filtering
Access control to the network: 802.1x, Web-auth, MAC-auth
Virus Throttling for control of malicious worm agents
L2/L3
SSH, SSL, TACACS+, Secure FTP for management access

Bandwidth Shaping
Guaranteed minimums: per port, per queue
Enforced maximums: limit problem clients' bandwidth
Set allowable bandwidth levels for specific traffic, per port

QoS
QoS based on: user, application
Set outgoing IP Priority, remap DSCP

5400/3500 Features
Operational Excellence Features

Ease of Deployment
With broad scalability, allows a consistent product experience
Installation: same set-up
Operational: same end-user experience, same network management view, same front panel info
Versatile Intelligent Port: all copper Gig ports are equivalent

Long Product Life
Industry-leading ProCurve support value proposition
Lifetime warranty*, includes fans and power supplies
Free software updates**
2048 VLANs
8 hardware/software priority queues
Upgradeable management engine and CPU
Add-in module capability
Programmable ASICs

Availability
802.1s MIST
Switch Meshing
VRRP
Optional redundant power supplies
Removable management blade (chassis products)

Maintenance
Same software code level
USB mass memory support: copy to/from for config, debug/crash and cmd output files

Technology for better business outcomes
