HP ExpertOne
Web-based Training
Copyright 2013 Hewlett‐Packard Development Company, L.P.
The information contained herein is subject to change without notice. The only warranties for HP products and
services are set forth in the express warranty statements accompanying such products and services. Nothing
herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial
errors or omissions contained herein.
This is an HP copyrighted work that may not be reproduced without the written permission of HP. You may not
use these materials to deliver training to any person outside of your organization without the written permission
of HP.
Objectives
Comware ProVision
• Describe the following types of switches and explain how they are used
in today’s networks:
• Core, distribution, and access layer switches
• Layer 2 and Layer 3 switches
• Modular and fixed-port switches
• Managed, smart-managed, and unmanaged switches
• Explain how HP switches help organizations meet today’s business and
technical challenges
• Explain how the HP ProVision command line interface (CLI) and the
Comware CLI are separated into different privilege levels and identify
tasks that can be completed at each level
Rev. 13.31 1 –1
Getting Started with HP Switching and Routing
Lesson 1: Introduction
In this lesson, you will review what small, medium, and large companies
require from their network to meet their current business goals.
You will then learn how HP helps IT organizations meet these requirements,
allowing companies to move beyond the limitations of aging, traditional
networks.
HP Switch Overview
Data center
Campus LAN
Branch office
Introduction
To understand the challenges companies are facing today, you should
consider three areas: data center, campus LAN, and branch office.
Data Center
Companies, seeking to improve efficiency and save money, are
consolidating resources in centralized data centers, which are rapidly
evolving and generating dramatic changes:
Campus LAN
Companies are moving resources out of the LAN and into the data center
and private or public clouds, driving more traffic across WAN connections.
At the same time, documents and applications—such as Unified
Communications and Collaboration (UC&C) solutions—are becoming more
media rich, increasing the need for more bandwidth and less latency. If the
network cannot deliver, the user experience suffers.
Branch office
Rather than deploy services at each branch office, companies are
consolidating services at centralized data centers. Resource consolidation
increases the demand for bandwidth and low latency on WAN links.
Companies are also reducing the number of IT staff at branch offices or even
eliminating them.
While these changes may save money and increase efficiency, they
introduce new challenges for branch office solutions. Customers need fast,
reliable WAN connections and solutions that can survive locally when a
WAN outage occurs.
Customer requirements
Companies of all sizes—small, medium, and large—now find themselves with networks that hinder rather than drive the
delivery of high-quality network services.
Companies have…
Introduction
To help companies evolve their network to meet these needs, HP provides
the FlexNetwork architecture.
HP FlexFabric
HP FlexFabric creates a low-latency, highly resilient infrastructure, uniquely
tuned for adapting to a virtualized environment, on which compute and
storage traffic converges.
HP FlexCampus
HP FlexCampus converges wired and wireless networks to deliver secure
identity-based access to employees and guests.
HP FlexBranch
HP FlexBranch simplifies the deployment and management of
standardized, secure, responsive, and resilient end-to-end solutions across
many branches.
HP FlexManagement
HP FlexManagement converges management of all network components
into a single solution, helping to orchestrate network management
according to business needs.
HP FlexNetwork
HP FlexNetwork is based on open standards. It is scalable, secure, and
agile. Although divided into different components, the HP FlexNetwork
offers a consistent set of services and a unified management solution.
Introduction
Another issue facing companies is having to manage LANs and Storage
Area Networks (SANs) as separate infrastructures. Companies want to
simplify and save money by converging data and storage traffic onto a
single network. However, traditional Ethernet does not meet storage’s need
for high-speed, lossless delivery.
3) With full convergence, LAN and SAN traffic traverse the same network
infrastructure and both are managed through a single pane of glass.
Open standards
Thus, HP products:
HP warranty
Software maintenance
Technical assistance
Lesson 1: Summary
Lesson 2: Introduction
Manageability
Form factor
In this lesson, you will begin to learn about switch technology. Specifically,
you will learn how switches can be categorized based on the following
criteria:
The distribution layer is eliminated; the LAN and server access switches
connect directly to the core switches.
Traffic flows directly from the edge to the core, reducing latency.
Introduction
Switches are also categorized based on their ability to forward traffic at the
Data Link or the Network Layer of the Open Systems Interconnection (OSI)
model.
Layer 1
The Physical Layer controls the physical medium, defining the electrical and
mechanical specifications for the network connection.
Layer 2
The Data Link Layer describes the procedures (called protocols) that
control data transfer across the physical infrastructure.
Layer 3
The Network Layer is primarily responsible for logical addressing and the
routing of traffic across internetworks.
Layer 4
The Transport Layer ensures the reliable transfer of data between hosts. It
provides flow control, error checking, and data recovery.
Layer 5
The Session Layer defines the process of establishing and maintaining a
session (a two-way communication) between two applications.
Layer 6
The Presentation Layer translates the data from the lower layers to a format
that can be used by the Application Layer.
Layer 7
The Application Layer defines how applications access network services.
Ethernet
Ethernet is a Layer 1 and Layer 2 protocol. It defines the electrical and
mechanical specifications of the physical media that the network uses and
also controls data transfer across the physical infrastructure.
Layer 2 switch
A Layer 2 switch forwards traffic based on the frame’s Data Link Layer
information, specifically the hardware address, which is called the Media
Access Control (MAC) address. (You will learn more about Layer 2
forwarding later in this course.)
Layer 3 switch
A Layer 3 switch can route traffic based on Network Layer information. To
route traffic, Layer 3 switches must have the appropriate IP route. Layer 3
switches support static routes and routes learned through routing protocols.
Some switches support only static routes and are called Light Layer 3
switches. (You will learn more about Layer 3 routing later in this course.)
Switch manageability
Managed
Smart web-managed
Unmanaged
Introduction
Switches are also categorized based on their level of manageability.
Managed
Managed switches support Simple Network Management Protocol (SNMP)
and allow you to configure each port’s communication parameters and
many other aspects of the switch through a command line interface (CLI).
Many managed switches also provide a graphical user interface, such as a
Web browser interface. All of HP’s enterprise switches are managed.
Smart web-managed
Smart web-managed switches, as the name suggests, can be managed
through a Web browser interface. The Web browser interface is designed to
be intuitive, making it easy to configure and manage switch features.
Unmanaged
Unmanaged switches provide basic Layer 2 switching and are not
configurable. These switches are commonly referred to as “plug-and-play”
switches and are designed for small to medium businesses (SMBs) that
need basic switch functionality.
Form factor
Fixed-port switches
Modular switches
Flex-chassis switches
Introduction
Another way switches are categorized is by their form factor or physical
frame. (Regardless of their form factor, all types of switches support high-
speed links, either through traditional copper cabling or fiber optic cabling.)
Fixed-port switches
Fixed-port switches have a predefined number of ports. Typically, the switch
is one rack unit (RU).
Modular switches
Modular switches do not have a defined number of ports. Instead, port type
and density in a modular switch are defined by the type and number of
modules that are installed in the chassis.
Flex-chassis switches
Flex-chassis switches contain a number of fixed ports as well as room to
accommodate a limited number of modules, which allow you to add extra
high-speed ports or advanced features or services.
Meshed stacking
Introduction
Switches may also be categorized based on their support for stacking.
Traditional stacking enables you to connect several switches and manage
them through a single IP address.
Meshed stacking
Available on the HP 3800 Switch Series, meshed stacking allows you to
aggregate up to five switches to form a fully meshed stack for resiliency and
management via a single interface. Direct links run to and from each switch
in the stack, forming a single logical switch.
IRF
IRF
IRF allows you to combine multiple switches, creating a single resilient
virtual switch. To other devices on the network, each IRF system appears to
be one device, which has one MAC address and one bridge ID. Routing
updates originate from this one device.
IRF runs on many HP switches, including the HP 5120, 5500, 5800, 5820,
5830, 7500, 9500, 10500, and 12500 Switch Series.
Benefits
IRF and meshed stacking offer many benefits over traditional stacking:
High availability: IRF and meshed stacking provide N:1 failover and
redundant links.
Increased performance: All available links remain active and provide
load balancing, which increases efficiency in switching and routing.
Scalability: You can increase network bandwidth and processing
capabilities by adding switches to the meshed stack or IRF system.
Flattened architecture: By enabling access layer switches to share
highly available links to the core, meshed stacking and IRF help
customers create low-latency, two-tier architectures in both the campus
LAN and data center.
Lesson 2: Summary
Lesson 3: Introduction
In this lesson, you will begin to apply what you have learned about
switches. You will take a look at a few HP switches, considering features
such as their form factor, manageability, forwarding and switching
capabilities, and stacking capabilities.
You will also learn how to access and begin managing HP switches.
HP switch portfolio
FlexFabric switches
FlexFabric switch table (columns: Featured Switch Series; Form Factor; Switches; Manageability; Forwarding & Routing; Power over Ethernet (PoE); Stacking / IRF)

5800 Switch Series
  Form factor: Flex-chassis
  Switches: 5800-24G, 5800-24G-PoE+, and 5800-24G-SFP; 5800-48G, 5800-48G-PoE, and 5800-48G with 2 slots; 5800AF-48G
  Manageability: Managed
  Forwarding & routing: Layer 3/4
  PoE: Yes
  Stacking / IRF: IRF with up to 9 switches

5820 Switch Series
  Form factor: Flex-chassis
  Switches: 5820-14XG-SFP+ with 2 slots; 5820-24XG-SFP+; 5820AF-24XG
  Manageability: Managed
  Forwarding & routing: Layer 3/4
  PoE: No
  Stacking / IRF: IRF with up to 9 switches

5830 Switch Series
  Form factor: Fixed-port
  Switches: 5830AF-48G with 1 interface slot; 5830AF-96G
  Manageability: Managed
  Forwarding & routing: Layer 3/4
  PoE: No
  Stacking / IRF: IRF with up to 4 switches

5920 Switch Series
  Form factor: Fixed-port
  Switches: 5920AF-24XG
  Manageability: Managed
  Forwarding & routing: Layer 3/4
  PoE: No
  Stacking / IRF: IRF with up to 4 switches

12500 Switch Series
  Form factor: Modular
  Switches: 12504 (4 slots); 12508 (8 slots); 12518 (18 slots)
  Manageability: Managed
  Forwarding & routing: Layer 3/4
  PoE: Yes
  Stacking / IRF: IRF with up to 4 switches
Introduction
You will now be introduced to several switches in each part of the
FlexNetwork architecture. And because small businesses have specific
technical, management, and budget requirements, you will examine
switches ideally suited for these environments.
FlexFabric switches
This table provides basic information about some of the switches that can
be used to implement FlexFabric. To view information about other switches
that play a role in FlexFabric, go to http://www.hp.com/go/networking.
FlexCampus switches
This table provides basic information about some of the switches that can
be used to implement FlexCampus. To view information about other
switches that play a role in FlexCampus, go to
http://www.hp.com/go/networking. (Keep in mind that some FlexCampus
switches, such as the 2530 Switch Series, can be deployed in FlexBranch
as well.)
FlexBranch switches
FlexBranch switch table (columns: Featured Switch Series; Form Factor; Switches; Manageability; Forwarding & Routing; PoE; Stacking)

2620 Switch Series
  Form factor: Fixed-port
  Switches: 2620-24, 2620-24-PPoE+, and 2620-24-PoE+; 2620-48 and 2620-48-PoE+
  Manageability: Managed
  Forwarding & routing: Layer 3/4
  PoE: Yes (designated switches)
  Stacking: Up to 16 switches

2910 al Switch Series
  Form factor: Fixed-port
  Switches: 2910-24G al; 2910-48G al; 2910-24G-PoE+ al; 2910-48G-PoE+ al
  Manageability: Managed
  Forwarding & routing: Layer 3/4
  PoE: Yes (designated switches)
  Stacking: Up to 16 switches

2920 Switch Series
  Form factor: Fixed-port
  Switches: 2920-24G; 2920-24G-PoE+; 2920-48G; 2920-48G-PoE+
  Manageability: Managed
  Forwarding & routing: Layer 3/4
  PoE: Yes (designated switches)
  Stacking: Up to 4 switches

5400 zl Switch Series
  Form factor: Modular
  Switches: 5406 zl; 5412 zl
  Manageability: Managed
  Forwarding & routing: Layer 3/4
  PoE: Yes (designated modules)
  Stacking: No

5500 HI Switch Series
  Form factor: Fixed-port
  Switches: 5500-24G-4SFP HI Switch with 2 Interface Slots; 5500-48G-4SFP HI Switch with 2 Interface Slots
  Manageability: Managed
  Forwarding & routing: Layer 3/4
  PoE: No
  Stacking: IRF with up to 9 switches
FlexBranch switches
This table provides basic information about some of the switches that can
be used to implement FlexBranch. To view information about other switches
that play a role in FlexBranch, go to http://www.hp.com/go/networking.
(Keep in mind that some switches, such as the 2620, 2910 al, 2920, and
5400 zl, can be deployed in FlexCampus as well.)
Switch software
ProVision software
Comware software
Both ProVision software and Comware software provide many of the same
features. There are some differences, of course, but a detailed comparison
is beyond the scope of this course. For now, you simply need to understand
that the software determines the structure of the command line interface
(CLI) and the commands you enter. (For more in-depth information, attend
Building SMB Networks with HP Technologies, which is an instructor-led
training course.)
You will now learn more about ProVision and Comware switches.
ProVision CLI
Comware CLI
Introduction
Both ProVision and Comware switches are managed primarily through their
CLI. ProVision switches offer two additional management interfaces: the
menu interface and the Web browser interface. Some Comware switches
also provide a Web browser interface.
Keep in mind that the CLI is the primary interface for both ProVision and
Comware switches, and this course will focus on that interface.
ProVision CLI
The example above shows the ProVision CLI. You will learn more about
how to access the CLI and navigate in it in the next slides.
Comware CLI
The example above shows the Comware CLI. You will learn more about
how to access the CLI and navigate in it in the next slides.
Introduction
You can access a switch’s CLI in two ways.
Operator provides read-only access. You can view only statistics and
configuration information.
Manager provides read-write access. You can make configuration
changes and view information.
You can protect access to the switch by configuring a password for each
user. At factory default settings, there are no passwords for either user.
Introduction
The HP ProVision switch CLI is organized into different levels, or contexts.
You can tell the context by the switch prompt.
Operator context
The > symbol in the switch prompt indicates you are at the operator level.
At this level you can view statistics and configuration information. To move
to the manager level, enter enable. If a manager password has been
configured on the switch, you will be prompted to enter that password.
Manager context
The # symbol in the switch prompt appears at the manager level. From this
context, you can view additional information and begin managing the
switch. For example, you can update the switch software. To move to the
global configuration context, enter configure terminal (or a command
shortcut such as config).
Context configuration
From the global configuration context, you can enter commands to move to
other contexts, from which you configure particular settings. For example,
you might move to a physical interface context or a VLAN context to
configure settings specific to that interface or VLAN. You can also access
contexts for protocols such as Routing Information Protocol (RIP) or Open
Shortest Path First (OSPF).
Example prompts: Switch(vlan-1)# (VLAN context) and Switch(rip)# (RIP context).
Introduction
On Comware switches, you access the CLI through user interfaces.
Inband management
In-band access, which allows multiple users to access the switch through
the IP network, uses virtual interfaces VTY0, VTY1, VTY2, and so on. At a
switch’s default settings, you are required to enter a password for these
interfaces, but to eliminate a potential security weakness, the switch does
not have a default password. You must configure a unique password for
your particular company.
To access a Comware switch for the first time, you must use out-of-band
management. You can then configure a password for in-band management
or change the authentication method to any of the three methods described
for out-of-band management.
Out-of-band management
Out-of-band connections use the AUX0 interface and require no password
at default settings, enabling initial access to the switch. You can leave this
default authentication method (none) for out-of-band management, or you
can configure the AUX0 interface to require users to log in with a password
or with a username and password. If you require a username and password
(an authentication method called scheme authentication), the switch checks
the credentials against a local list of users or an external authentication
server, as dictated by its Authentication, Authorization, and Accounting
(AAA) domain settings.
On Comware switches, each CLI command is associated with one of four command levels. The command level for each
command is configurable, but most network managers leave the commands at the default settings.
The figure below shows the four command levels and the types of
commands that are available at each level.
The types of commands that you can enter depend on your privilege level,
which the Comware switch assigns you when you log in. Privilege levels
equate to the CLI command levels.
You may enter any command that is available to your current privilege level
and lower.
Introduction
The Comware CLI is divided into views, each of which contains a set of
related commands. In addition to having the privilege to enter a particular
command, you must be in the correct view. As the table shows, the switch
prompt indicates the current view.
User view
The user view is indicated by angle brackets (<>). In this view, you can view
settings, troubleshoot system problems, and manage files. You can move to
the system view by entering the command: system-view.
System view
The system view is indicated by square brackets ([ ]). In this view, you can
make configuration changes to the switch’s software. You can also access
other command views. You can return to the user view by entering quit.
HP CLI help
Both HP ProVision and Comware CLIs offer help features to assist you in
navigating the interface. The table shows the common help commands for
both.
display commands
Fundamental commands
Introduction
Because many companies have both ProVision and Comware switches, HP
has been focusing on providing CLI compatibility within the ProVision
software. Specifically, HP has been adding support for certain Comware
commands within the ProVision CLI. This effort is designed to help network
administrators who are familiar with Comware commands to use the
ProVision CLI more easily.
Note that this course outlines the CLI compatibility support available at the
time the course was published. Check your ProVision switch documentation
to learn more about the switches and the software versions that support this
display commands
Many HP switches that run the ProVision software support more than 200
Comware display commands, which allow you to view information about
the switch and its configuration. (Natively, ProVision switches support show
commands, which provide similar functionality as display commands.)
Fundamental commands
To help network administrators who are familiar with Comware switches
manage ProVision switches more easily, HP has also added support for
fundamental Comware configuration commands, such as the file
management commands shown here.
Extended help
HP has also added extended help messages to the ProVision help feature.
These messages will help network administrators who are familiar with
Comware identify the equivalent command on the ProVision switch. When
this feature is enabled, these network administrators can simply type the
first part of the Comware configuration command and press the [tab] key.
The help feature then will provide a reference to the correct ProVision
command. It may also provide guidance on the next action for those
configuration items that may not be intuitive due to naming or concept
differences between Comware and ProVision software.
Of course, not all Comware configuration commands require the new help
feature: Some configuration commands are identical, or very similar, to
ProVision commands. Using these commands is self-explanatory.
Summary
Module 2: Security
Objectives
This module introduces you to the basics of network security. You will
learn about today’s security landscape and evolving threats. You will
also learn the basics of securing HP networking infrastructure devices
from improper access.
Introduction
To ensure that you deploy a switch securely, you must understand the types
of threats that travel through the network infrastructure or even target the
network infrastructure itself.
Overview of attacks
Common attacks
Unauthorized access
Denial of Service (DoS)
Impersonation
Reconnaissance
Malware
Introduction
You should be aware of several broad categories of threats, which might
originate externally or internally.
Unauthorized Access
Unauthorized access attacks occur when an unauthorized user accesses your
network either by guessing, stealing, or cracking a password or by finding
insecure network access points. Hackers might be able to crack passwords
by trying many different dictionary words or by wiretapping and
eavesdropping on communications. Hackers can also trick users into
revealing passwords or find passwords that are stored insecurely.
reflectors (Web servers and so forth). The reflectors then flood the spoofed
address, which is the target of the attack.
Impersonation
Impersonation attacks occur when attackers masquerade as legitimate
resource providers to steal private information or install malware on a
workstation. Two common types of impersonation attacks are man-in-the-
middle (MITM) attacks and phishing attacks:
Reconnaissance
Reconnaissance attacks are used to gather information about a network
and to discover potential vulnerabilities a hacker can exploit. Hackers often
use tools that can be legitimately used as troubleshooting tools such as:
Malware
Malware describes any software designed to use network resources or
infiltrate network devices without the knowledge or consent of the device
owner. Types of malware include:
Introduction
As you have learned, internal users can unwittingly allow their endpoints to
become compromised, and hackers can then use the endpoints to launch
harmful attacks. Consider what can happen if hackers compromise a
network infrastructure device, which supports hundreds or even thousands
of users’ traffic.
Console port
If a hacker has physical access to the switch and no one has restricted
access to the console port, the hacker can easily establish a terminal
session to the command-line interface (CLI) of the switch through that
console port. Hackers that gain management access can hijack the switch
and gain unauthorized access, perform network reconnaissance attacks,
initiate DoS attacks, and disable security features. By default, both HP
Comware and ProVision switches are not configured with a password for
console port access.
Ports
Users with physical access to a switch can disconnect or move Ethernet
cables, causing a DoS attack for users or other services connected through
that link.
Power cord
Users with physical access to a switch can unplug the power, causing a
DoS for users or other services connected through the switch.
Defense in depth
Build it in
Make it intelligent
Introduction
Managing multiple layers of security can be challenging, particularly as
valuable data proliferates and becomes dispersed in Bring Your Own
Device (BYOD) and cloud solutions. HP Security and Risk Management
solutions help companies integrate security across the enterprise.
Build it in
Rather than bolt on security as an after-thought, HP solutions build security
into every component and also ensure that each component participates in
the integrated, business-level strategy.
Make it intelligent
HP security solutions collect information from end-to-end. By combining and
correlating information from many areas, including endpoints, applications,
and network infrastructure devices, security solutions can make intelligent
choices that protect the company and prove regulatory compliance without
interfering with productivity.
Introduction
The HP Security and Risk Management portfolio includes solutions in six
areas.
Operations security
HP operations security solutions integrate security solutions and processes
with overarching business orchestration solutions and processes.
Application security
From the earliest stages of application architecture, whether for in-house
applications or cloud services, HP helps you to design the appropriate
security measures and build them into the application.
Endpoint security
HP provides a wide portfolio of solutions for securing servers, desktops,
laptops, printers, and other endpoints—as well as solutions for ensuring
proper access control and data protection for BYOD.
Network security
Each component of the network infrastructure supports secure data
transmission with built-in protections against exploits and unauthorized
network traffic. In addition, HP provides industry-leading network security
solutions such as next-generation firewalls and HP TippingPoint IPSs.
Introduction
Although this course does not cover specific security services and
solutions, HP network infrastructure devices do play a role in an overall
security solution.
HP switches offer BPDU protection and guard features, which ensure that
untrusted BPDUs are dropped. Some switches have additional features for
ignoring unauthorized STP messages.
HP switches can protect against ARP poisoning. They use DHCP snooping
to build tables that specify the expected ports for particular MAC addresses
and, based on those expectations, reject suspicious ARP messages.
Introduction
The HP network infrastructure devices also help to collect information and
enforce intelligent security decisions.
Endpoint integrity
Endpoint integrity forms a key element of a BYOD solution. Authorized
users may still endanger the network if they use insecure devices. An
insecure device is not properly protected: It might not have a firewall or anti-
virus software, or its anti-virus software might be out of date. It might be
running unauthorized software or be infected by malware. Endpoint integrity
isolates such devices until they are brought into compliance.
For example, an authorized user connects to the network with a device that
has outdated anti-virus software. Endpoint integrity ensures that the device
is quarantined and the user is notified of the problem. The device is not
allowed out of quarantine and allowed normal access to the network until
the user updates the antivirus software.
Introduction
While implementing a complete security solution might lie beyond your
realm of responsibility, you can do your part by ensuring that you deploy
infrastructure devices securely.
Earlier you learned about vulnerabilities that can arise when a switch lacks
physical security.
Console port
To protect management access to the switch’s console port, you should
store the switch in a secure, locked, and preferably camera-monitored
room. If you cannot secure the switch physically, you should disable the
console port.
You should consider setting a secure password for console access even on
physically secure switches.
Ports
The only way to protect against a user disconnecting cables is to store the
switch in a secure, locked, and preferably camera-monitored room.
Power cord
The only way to protect against a user removing the switch power is to
store the switch in a secure, locked, and preferably camera-monitored
room.
Introduction
As you learned previously, Comware switches have several user interfaces,
which control various forms of management access. For each interface, you
can select one of the following authentication methods:
Step 1
When a user attempts to establish a management session, the switch
prompts the user for his or her credentials.
Step 2
The user supplies the credentials: a user name and password.
Step 3
The switch forwards the login credentials to a RADIUS or TACACS server
for validation. (Alternatively, the switch could have a local record of user
accounts and validate the credentials itself.)
Step 4
The server validates the login credentials and notifies the switch whether or
not to grant the user access. If the user is granted access, the server also
tells the switch what level of access the user receives. The switch enforces
the decision.
Introduction
HP ProVision switches also support multiple authentication methods. You
can select a primary and backup method for each access method: Telnet,
SSH, console, or Web.
Step 1
When a user attempts to open a management session, the switch prompts
the user for a password.
Step 2
The user submits a password. If the password matches the manager or
operator password, the user receives manager or operator privilege,
respectively. If the user does not enter valid credentials, he or she cannot
access the switch.
When you manage a switch, you send vital information over the connection.
For out-of-band management, such as with a connection to the console port
of the switch, you can be certain that no one can intercept the data.
With in-band management, however, the vital data crosses the shared
network. Hackers might be able to intercept and read data sent in clear-text
and then use that data to obtain unauthorized access to your switches or to
impersonate network servers.
You must protect the data’s privacy by using secure management protocols
that support encryption.
2. Access the CLI with SSHv2 to encrypt in-band management traffic.
3. Access the Web interface with HTTPS to encrypt in-band management
traffic.
SSHv2
Introduction
SSHv2 ensures the privacy and integrity of management traffic by:
• Securing authentication
• Encrypting management traffic
Step 1
The management station establishes a secure tunnel on the SSHv2
Transport Layer. The station and the switch agree on shared encryption and
hash keys using the secure Diffie-Hellman exchange. Using these keys, the
station and switch can transform data so that hackers cannot tamper with it
(hash keys) or read it (encryption keys). When establishing the tunnel, the
switch also uses a public-private key pair to prove its identity, which
ensures that the management station does not send credentials to an
imposter.
For more information about hashing and the Diffie-Hellman exchange, refer
to the HP Network Infrastructure Security Technologies WBT.
Step 2
The switch requests the management user’s credentials. The credentials
are passed to the switch through the secure tunnel. The switch can then
authenticate the user locally or to a remote server, as previously discussed.
Step 3
The management station and switch establish communication channels to
transmit the management session data within the secure tunnel.
HTTPS
Introduction
HTTPS uses the Secure Sockets Layer (SSL) protocol. Like SSHv2, SSL
creates a secure tunnel using encryption and hashing keys generated in a
Diffie-Hellman exchange.
Step 1
Your management station and the switch establish a secure tunnel using
the SSL protocol. When establishing the tunnel, the switch authenticates
itself using a digital certificate.
Step 2
All further communications run securely over the encrypted SSL connection.
These communications include your authentication credentials and all
management traffic after you log in successfully.
Introduction
Read the following questions to learn how to use the secure management
protocols:
• How do I set up HTTPS on HP Comware switches?
• How do I set up HTTPS on HP ProVision switches?
• How do I set up SSH on HP Comware switches?
• How do I set up SSH on HP ProVision switches?
You must then install the signed certificate and enable the HTTPS server on
the switch.
If you have software version 5.20 F2218P01-US or later, you can simply
enable HTTPS, which automatically generates a self-signed certificate.
You can choose any option that you learned about earlier for authenticating
operators and managers.
You must also enable the SSH server, which is disabled by default.
The Comware switches require user accounts for SSH access, so you must
configure at least one VTY user interface that uses AAA (scheme)
authentication, either to the local list or to a RADIUS server. You must
create an SSH user on the switch for each local or RADIUS user who is
allowed SSH access. The SSH user settings indicate whether this user
authenticates with a password or uses public-key authentication.
Summary
In this module, you learned about network threats and the measures you
can take to protect against these threats. Specifically, you learned about:
Module 3: VLANS
Objectives
This module explains one of the most fundamental aspects of managing today’s networks, virtual LANs (VLANs).
After completing this module, you should be able to:
• Describe how VLANs are used in today’s networks
• Explain how the 802.1Q standard enables network infrastructure devices to
transmit and receive traffic from multiple network segments
• Explain how to configure VLANs on HP Comware and ProVision switches
• Explain the terms tagged, untagged, access port, trunk port, and hybrid port
as they relate to VLANs
Definition of a VLAN
A LAN is typically defined as a group of connected devices in close physical proximity. A virtual LAN (VLAN), on the other
hand, is not defined by physical proximity. A VLAN is a logical group of devices that has been assigned to a particular
subnet.
VLANs can span multiple switches and can be used to segment the otherwise flat structure of a LAN.
This course focuses on port-based VLANs, which are defined on switch ports.
In this example network, some switch ports
have been assigned to VLAN 10, some to VLAN 20, and others to VLAN 30.
Each VLAN is associated with an IP subnet. In the example network, VLAN 10 is associated with 10.1.10.0/24, VLAN
20 with 10.1.20.0/24, and VLAN 30 with 10.1.30.0/24.
All VLANs are located within the larger 10.1.0.0/16 subnet.
NOTE: In this course, Classless Inter-Domain Routing (CIDR) is used to express network IP
addresses. In place of the subnet mask, CIDR uses a prefix length, which indicates how
many bits are in the network portion of the address. For more information about CIDR, see
Request for Comments (RFC) 1519 (http://www.ietf.org/rfc/rfc1519.txt).
Introduction
Now that you have a basic understanding of what VLANs are, you should
consider why companies use them.
Security
Today’s networks provide services for different groups of users, such as
employees, partners, and visitors. If all of these users are on the same
subnet, it is easier for users to compromise security. For example, visitors
might be able to view employees’ data as that data is transmitted across
the network. They might try to access data center servers when they should
only access the Internet. You can (and should) implement security to
prevent unauthorized users from accessing these servers. However, users
might still be able to launch scans, use a protocol analyzer to view traffic on
the wire, or launch attacks.
Companies can use VLANs to isolate traffic and help to ensure users only
have access to the resources to which they should be granted access,
increasing security.
Broadcast domain
An Ethernet network is, by definition, a broadcast domain. Devices on
Ethernet networks send broadcasts to discover other devices or to provide
information about themselves.
Introduction
Now you will look at an example of how a network designer might use
VLANs to segment a company network. In this example, the company is
using subnet 10.1.0.0/16. The network designer must plan the VLANs and
IP addresses in tandem. Each VLAN will be associated with a unique IP
subnet, and each department will be assigned to one or more VLANs.
Phase 1: Design
For the IP addressing scheme, each subnet will have a subnet mask of
255.255.255.0 (/24), which means that the network address uses the first
three octets:
• The first octet for all subnets is “10” because the company is using
private addresses in the 10.0.0.0/8 block.
• The second octet is being used as a site identifier. In the scenario above,
“1” has been assigned to identify this building. For other buildings, the
company uses different values in the second octet.
• The third octet includes the VLAN ID. Each department or type of user
will be assigned a different VLAN ID.
• The fourth octet is the host portion of the IP address. Certain addresses
are reserved; 1 to 30 are used for servers, printers, and other shared
network devices.
Phase 2: Guests
The network designer knows that guests will need to access the network,
primarily so that they can connect to the Internet while they are on-site. The
network designer assigns VLAN 10 and subnet 10.1.10.0/24 to guests.
Phase 3: IT
The network designer assigns the IT group VLANs 1 and 5. VLAN 1 is
associated with 10.1.1.0/24, and VLAN 5 is associated with 10.1.5.0/24.
Phase 4: Administration
The network designer assigns the Administration group VLAN 20, and
VLAN 20 is associated with the 10.1.20.0/24 subnet.
Phase 6: Accounting
Finally, the network designer assigns the Accounting group to VLAN 40,
and VLAN 40 is associated with the 10.1.40.0/24 subnet.
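The design rules above (second octet = site, third octet = VLAN ID, /24 per
VLAN, hosts .1 to .30 reserved) can be turned into a small plan builder that
also checks the result. This is an added example, not part of the HP course:
the department-to-VLAN assignments are the ones from the phases above, while
the function names, the gateway-at-.1 convention and the rule that user hosts
start at .31 are assumptions of this example. It also shows the limit the
scheme carries with it: because the VLAN ID is stored in one octet, a VLAN ID
above 255 cannot be expressed even though 802.1Q allows IDs up to 4094.

```python
"""Derive and check the VLAN-to-subnet plan from the site addressing rules.

Added example, not from the HP course. Department/VLAN assignments follow
the text; helper names and the .1 gateway / .31 first-user-host convention
are this example's own assumptions.
"""
import ipaddress

RESERVED_HOSTS = range(1, 31)   # .1-.30: servers, printers, other shared devices


def vlan_subnet(site: int, vlan_id: int) -> ipaddress.IPv4Network:
    """10.<site>.<vlan>.0/24: second octet = site, third octet = VLAN ID."""
    if not 0 <= site <= 255:
        raise ValueError("site identifier must fit in one octet")
    if not 1 <= vlan_id <= 255:
        # The scheme encodes the VLAN ID in a single octet, so VLAN IDs above
        # 255 (802.1Q allows up to 4094) cannot be expressed with it.
        raise ValueError("this addressing scheme only supports VLAN IDs 1-255")
    return ipaddress.ip_network(f"10.{site}.{vlan_id}.0/24")


def build_plan(site: int, departments: dict) -> dict:
    """Return, per VLAN ID: department, subnet, dotted mask, gateway, first user host."""
    plan = {}
    for dept, vlans in departments.items():
        for vid in vlans:
            if vid in plan:
                raise ValueError(f"VLAN {vid} assigned to both {plan[vid]['department']} and {dept}")
            net = vlan_subnet(site, vid)
            hosts = list(net.hosts())                # .1 .. .254
            plan[vid] = {
                "department": dept,
                "subnet": net,
                "mask": str(net.netmask),            # the /24 prefix as 255.255.255.0
                "gateway": hosts[0],                 # .1, inside the reserved range (assumed)
                "first_user_host": hosts[RESERVED_HOSTS.stop - 1],   # .31 (assumed)
            }
    return plan


def check_plan(site: int, plan: dict) -> list:
    """Verify every subnet lies inside the site's /16 and that none overlap."""
    block = ipaddress.ip_network(f"10.{site}.0.0/16")
    problems = []
    nets = [(vid, p["subnet"]) for vid, p in plan.items()]
    for vid, net in nets:
        if not net.subnet_of(block):
            problems.append(f"VLAN {vid}: {net} is outside {block}")
    for i, (va, a) in enumerate(nets):
        for vb, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"VLAN {va} and VLAN {vb} overlap: {a} / {b}")
    return problems


# Assignments from the design phases above (site 1 = this building)
DEPARTMENTS = {"Guests": [10], "IT": [1, 5], "Administration": [20], "Accounting": [40]}

if __name__ == "__main__":
    plan = build_plan(1, DEPARTMENTS)
    for vid, p in sorted(plan.items()):
        print(f"VLAN {vid:>3} {p['department']:<15} {p['subnet']}  mask {p['mask']}  "
              f"gateway {p['gateway']}  user hosts from {p['first_user_host']}")
    print("problems:", check_plan(1, plan) or "none")
```

Running it lists 10.1.1.0/24, 10.1.5.0/24, 10.1.10.0/24, 10.1.20.0/24 and
10.1.40.0/24 with their masks and gateways, and reports no overlap; asking for
VLAN 300 raises an error instead of silently producing an invalid address.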
Introduction
An Ethernet link might support multiple VLANs, so a mechanism is required
to identify the VLAN to which particular traffic belongs.
TPID
The Tag Protocol ID (TPID) subfield identifies the frame as an 802.1Q
frame.
TCI
The Tag Control Information (TCI) field contains three components,
including the VLAN ID.
User Priority
The 802.1p standard, User Priority, allows devices to apply quality of
service (QoS) to traffic. That is, 802.1p-compliant devices can classify and
mark frames with the priorities from 0-7. The current IEEE
recommendations for the priority associated with each value are:
Switches that support 802.1p handle the traffic based on the configured
setting. For example, they transmit frames with a priority value of 7 before
frames with a value of 3. 802.1p is one way to ensure that delay-sensitive
applications (such as voice over IP, or VoIP) receive priority handling.
CFI
The Canonical Format Indicator (CFI) indicates whether the MAC addresses in
the frame are in canonical format, which is sometimes called the “standard
notation.” This format establishes the order in which the bits of each byte
are transmitted. If a device uses the canonical format, it sends the least
significant bit first. If a device uses the non-canonical format (also called
bit-reversed order), it sends the most significant bit first.
VLAN ID
The VLAN ID associates the frame with a specific VLAN. This is the VLAN
ID or VLAN number. If this field is empty or set to a value of 0, the frame is
not identified as belonging to a specific VLAN. Frames that do not have the
VLAN ID tag set are often referred to as “untagged” frames.
The VLAN ID field has 12 bits, providing up to 4096 IDs (2^12 = 4096). IDs 0
and 4095 are reserved, so a network can support up to 4094 VLANs.
Introduction
This graphic provides an example of an Ethernet frame that contains an
802.1Q VLAN tag.
Devices that are not 802.1Q-compliant cannot add or act on these tags.
Because they do not recognize the 802.1Q tag and may consider the
802.1Q tag data illegal, these devices may even drop frames that contain
an 802.1Q tag.
Devices that do not support 802.1Q can still be part of a VLAN. However,
you must configure their connected switch ports to strip away the 802.1Q
tag—you will learn how later.
Ethernet header
This part of the Ethernet frame header contains the destination and source
MAC addresses for the frame. The destination MAC address indicates the
Ethernet interface, whether a switch port or endpoint NIC, that should
receive the Ethernet frame. For example, this frame is addressed to a
device with the MAC address 0004e1-e1100. A broadcast frame—that is, a
frame that is sent out to everyone on the network segment—has the
destination MAC address set to FFFFFF-FFFFFF.
The source MAC address is the hardware address of the device that sent
the Ethernet frame. In this case, the frame was sent by a device with MAC
address 080046-44f11ca.
802.1Q field
This part of the Ethernet frame header contains the 802.1Q tag information.
As you learned in the previous frame, the first 2 bytes are the Tag Protocol
ID (TPID) field. In this frame, TPID is set to 8100. Note that this is the
hexadecimal representation of the value for the 2-byte field, and it indicates
that this is an 802.1Q-tagged frame.
When a switch receives a frame with a TPID of 8100, it interprets the next
two bytes as Tag Control Information (TCI) for 802.1Q. The first three bits of
the TCI data are the user priority. In this frame, these three bits are set to 0,
so the user priority is set to 0 or best effort.
The fourth bit of the TCI data is the Canonical Format Indicator (CFI). This
bit is set to 0 (turned off), which indicates that the MAC address in the
Ethernet frame is in canonical format.
The last 12 bits are the VLAN tag or the VLAN ID to which the frame
belongs. In this example, the VLAN ID is set to a hexadecimal value of 014,
which when converted to decimal notation is 20. So this frame belongs to
VLAN 20.
Type field
The next part of the Ethernet header is a type identifier, which indicates the
type of data that follows (the payload). In this example, the type field is set
to the hexadecimal value of 0800, which is the type identifier for IP data.
Notice that the next part of the Ethernet frame contains an IP header that
includes two IP addresses.
Payload
Here you see the payload of the Ethernet frame, beginning with the Layer 3
header, an IP header in this case. Note that the IP header is distinct or
separate from the Ethernet header. The IP header contains information that
a Layer 3 switch or router would use to forward traffic. You will learn about
Layer 3 switches and routers later in this course.
Right now, just notice that the IP header contains a source IP and a
destination IP, which are the IP address of the device that sent the data and
the IP address for which the data is intended.
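The field layout described above (14-byte Ethernet header, a 4-byte 802.1Q
tag made of the 0x8100 TPID and the 16-bit TCI, then the EtherType and
payload) is easy to verify in code. The following is an added example, not
code from the HP course: it parses a frame into its fields, decodes the TCI
into user priority, CFI and VLAN ID, and shows the two operations a switch
port performs on the tag, inserting it (tagged egress) and stripping it
(untagged egress). The sample frame, its MAC addresses and the minimal IPv4
header are constructed for the demonstration; only the tag values (TPID
0x8100, TCI 0x0014 for VLAN 20, EtherType 0x0800) follow the frame in the
text.

```python
"""Parse, build and strip 802.1Q tags on Ethernet frames.

Added example, not from the HP course. The sample frame below is constructed
(locally administered MACs, an unchecksummed IPv4 header); its tag values
match the frame walk-through in the text.
"""
import struct

TPID_8021Q = 0x8100       # Tag Protocol ID that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into header fields.

    For a tagged frame the 16-bit TCI is decoded as 3 bits user priority
    (802.1p), 1 bit CFI and 12 bits VLAN ID. 'vlan_id' is None for an
    untagged frame; a VID of 0 carries only a priority and is treated as
    untagged too, as the text describes.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]),
            "priority": None, "cfi": None, "vlan_id": None}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("frame announces an 802.1Q tag but is truncated")
        (tci,) = struct.unpack("!H", frame[14:16])
        info["priority"] = tci >> 13            # top 3 bits
        info["cfi"] = (tci >> 12) & 0x1         # next bit
        vid = tci & 0x0FFF                      # low 12 bits
        info["vlan_id"] = vid if vid != 0 else None
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    info["ethertype"] = ethertype
    info["is_broadcast"] = info["dst"] == BROADCAST
    info["payload"] = frame[offset:]
    return info


def add_tag(untagged: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC, as a tagged port does on egress."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094 (0 and 4095 are reserved)")
    if not 0 <= priority <= 7:
        raise ValueError("802.1p priority must be 0-7")
    tci = (priority << 13) | vlan_id            # CFI left at 0: canonical MAC format
    return untagged[:12] + struct.pack("!HH", TPID_8021Q, tci) + untagged[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag, as an untagged port does before transmitting."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return frame[:12] + frame[16:]
    return frame                                # already untagged


# Constructed sample: minimal IPv4 header, src 10.1.20.5 -> dst 10.1.20.1
IPV4_HEADER = (bytes.fromhex("45000014000000004001") + b"\x00\x00"   # checksum not computed
               + bytes([10, 1, 20, 5]) + bytes([10, 1, 20, 1]))
UNTAGGED_FRAME = (bytes.fromhex("02aabbccdd01")            # destination MAC (constructed)
                  + bytes.fromhex("02aabbccdd02")          # source MAC (constructed)
                  + struct.pack("!H", ETHERTYPE_IPV4) + IPV4_HEADER)
TAGGED_FRAME = add_tag(UNTAGGED_FRAME, 20)                 # tag bytes 81 00 00 14

if __name__ == "__main__":
    for name, frame in (("tagged", TAGGED_FRAME), ("untagged", UNTAGGED_FRAME)):
        fields = parse_frame(frame)
        print(name, {k: v for k, v in fields.items() if k != "payload"})
```

A useful check is that `strip_tag(add_tag(f, 20))` returns the original bytes
unchanged, which is exactly the round trip a frame makes when it enters a
tagged uplink and leaves through an untagged access port.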
Introduction
You will now examine how HP switches implement VLANs, beginning with
ProVision switches.
Untagged membership
• Transmit—The switch does not apply the 802.1Q tag to traffic that it
transmits in its untagged VLAN on that port.
• Receive—The switch assigns all untagged traffic that it receives on that
port to this VLAN.
Devices that do not support 802.1Q must be connected to switch ports that
are untagged members of a VLAN.
Tagged membership
• Transmit—The switch adds an 802.1Q tag (with the proper VLAN ID) to
all frames that it transmits in this VLAN.
• Receive—The switch accepts frames with an 802.1Q tag for this VLAN. If
the switch receives a frame with an 802.1Q tag for a VLAN for which it has
an untagged membership or no membership, it drops the frame. For
example, if the port is a tagged member of only VLAN 10 and it receives a
frame with an 802.1Q tag that has a VLAN ID of 20, the switch will drop
the frame.
Introduction
Now that you understand tagged and untagged VLAN memberships, you
will review some basic guidelines for configuring VLANs on ProVision
switches.
The switch also uses this VLAN for its control traffic so it is recommended
that you configure users’ ports as members of other VLANs.
Now that you know how ProVision switches handle VLANs, you will take a
quick look at the basic commands for configuring VLANs on HP ProVision
switches. For example, if you wanted to create VLAN 20 and make several
contiguous ports untagged members of this VLAN, you would enter:
Edge_1(config)# vlan 20
Edge_1(vlan-20)# untagged a1-a6
As shown in the next command, you can use commas to list non-contiguous
ports in the untagged command:
Edge_1(vlan-20)# vlan 30
Edge_1(vlan-30)# untagged a22,a24,b1-b5
As mentioned earlier, switch-to-switch ports typically need to support traffic for multiple VLANs. In this example, the
uplink port of an edge switch is defined as a tagged member of VLANs 20 and 30. The uplink port is also an untagged
member of VLAN 1, which it uses for control traffic and also to allow management access.
Because switch ports are untagged members of VLAN 1 by default, you do not have to configure this VLAN membership
on the uplink port. To configure the uplink port as a tagged member of VLANs 20 and 30, you would enter the following
commands:
Edge_1(config)# vlan 20
Edge_1(vlan-20)# tagged b24
Edge_1(vlan-20)# vlan 30
Edge_1(vlan-30)# tagged b24
[Figure: Edge_1 with 6 users in VLAN 20, 7 users in VLAN 30, and uplink port
b24 carrying VLANs 1, 20, and 30]
The uplink port now supports VLANs 1, 20, and 30. The frames the uplink
port transmits for VLAN 1 remain untagged. However, the frames for VLAN
20 and VLAN 30 are tagged.
When the switch receives untagged traffic on the uplink port, it assumes
that traffic belongs to VLAN 1. If the port receives frames that contain tags
for VLAN 20 or VLAN 30, the switch processes those frames. If the port
receives frames with tags for a different VLAN (such as VLAN 40 or VLAN
50), the switch drops them.
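The receive and transmit rules for untagged and tagged membership, together
with the Edge_1 commands above, can be modelled so that the behaviour of any
port can be checked before a frame is ever sent. The following is an added
example, not HP's code: it builds a port table from the same commands as the
text (VLAN 20 untagged a1-a6, VLAN 30 untagged a22,a24,b1-b5, b24 tagged in
VLANs 20 and 30), starting every port as an untagged member of VLAN 1, and
then answers the two questions a switch asks: which VLAN does a received
frame belong to, and should a transmitted frame carry a tag. The port names
a1-a24 and b1-b24, the class name and the method names are assumptions of
this example.

```python
"""Model of ProVision tagged/untagged VLAN membership on switch ports.

Added example, not HP's code. Port inventory (a1-a24, b1-b24) and the
class/method names are assumed; the membership rules follow the text.
"""
import re

DEFAULT_VLAN = 1


class ProVisionVlans:
    def __init__(self, ports):
        # Every port starts as an untagged member of VLAN 1 with no tagged VLANs.
        self.untagged = {p: DEFAULT_VLAN for p in ports}   # port -> its single untagged VLAN
        self.tagged = {p: set() for p in ports}            # port -> tagged VLANs

    @staticmethod
    def expand(port_list: str) -> list:
        """'a22,a24,b1-b5' -> ['a22', 'a24', 'b1', 'b2', 'b3', 'b4', 'b5']."""
        ports = []
        for item in port_list.split(","):
            m = re.fullmatch(r"([a-z]+)(\d+)(?:-([a-z]+)?(\d+))?", item.strip())
            if not m:
                raise ValueError(f"bad port specification {item!r}")
            module, low, module2, high = m.groups()
            if module2 and module2 != module:
                raise ValueError("a port range must stay within one module")
            high = int(high) if high else int(low)
            ports += [f"{module}{n}" for n in range(int(low), high + 1)]
        return ports

    def set_untagged(self, vid: int, port_list: str):
        """'untagged <ports>' in VLAN context. A port has exactly one untagged
        VLAN, so this replaces its previous untagged membership (VLAN 1 by default)."""
        for p in self.expand(port_list):
            self.tagged[p].discard(vid)       # cannot be tagged and untagged in one VLAN
            self.untagged[p] = vid

    def set_tagged(self, vid: int, port_list: str):
        """'tagged <ports>' in VLAN context."""
        for p in self.expand(port_list):
            if self.untagged[p] == vid:
                raise ValueError(f"{p} is already the untagged member of VLAN {vid}")
            self.tagged[p].add(vid)

    def ingress_vlan(self, port: str, tag_vid):
        """VLAN the switch assigns to a received frame, or None if it drops it.
        tag_vid is None for an untagged frame, else the VLAN ID in its tag."""
        if tag_vid is None:
            return self.untagged[port]        # untagged frame -> port's untagged VLAN
        if tag_vid in self.tagged[port]:
            return tag_vid                    # tagged member: accepted as tagged
        return None                           # untagged member or non-member: dropped

    def egress_mode(self, port: str, vid: int):
        """'untagged', 'tagged', or None if the port does not carry this VLAN."""
        if self.untagged[port] == vid:
            return "untagged"
        if vid in self.tagged[port]:
            return "tagged"
        return None


def edge_1() -> ProVisionVlans:
    """Port table produced by the Edge_1 commands in the text."""
    sw = ProVisionVlans([f"a{i}" for i in range(1, 25)] + [f"b{i}" for i in range(1, 25)])
    sw.set_untagged(20, "a1-a6")              # vlan 20 / untagged a1-a6
    sw.set_untagged(30, "a22,a24,b1-b5")      # vlan 30 / untagged a22,a24,b1-b5
    sw.set_tagged(20, "b24")                  # vlan 20 / tagged b24
    sw.set_tagged(30, "b24")                  # vlan 30 / tagged b24
    return sw


if __name__ == "__main__":
    sw = edge_1()
    for vid in (None, 1, 20, 30, 40):
        print(f"uplink b24 receives tag {vid}: assigned to VLAN {sw.ingress_vlan('b24', vid)}")
    for vid in (1, 20, 30):
        print(f"uplink b24 transmits VLAN {vid}: {sw.egress_mode('b24', vid)}")
```

Two results worth noting: port a1 is no longer an untagged member of VLAN 1
after `untagged a1-a6` in VLAN 20, and a frame tagged for VLAN 20 arriving on
a1 is dropped, because a1 is an untagged (not tagged) member of that VLAN.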
As you recall, each VLAN is associated with an IP subnet. You must assign
the switch an IP address in that VLAN’s subnet if you want the switch to
send and receive IP traffic on a VLAN. In this case, the switch is routing
traffic for endpoints in that VLAN. (You will learn more about this function in
Module 4: Routing.)
You may also want to assign the switch an IP address for a VLAN if you
want to manage the switch on that VLAN.
In this example, you want the switch to route traffic in VLAN 20, which is
assigned the IP address 10.1.20.1 in the IP subnet 10.1.20.0/24.
You can assign an IP address to a VLAN in one of the following ways:
• DHCP—A VLAN can receive an IP address from a DHCP server. By default,
the default VLAN, VLAN 1, is configured to receive an IP address from a
DHCP server.
• Static—You can manually configure the IP address using this command:
Edge_1(config)# vlan 20
Edge_1(vlan-20)# ip address 10.1.20.1/24
You can use the show vlans command to learn which switch ports are
members of a given VLAN.
You can use a similar command to determine which VLANs are associated
with a particular port. For instance, to view the VLANs associated with port
d4, use the command show vlans port d4 detail.
Introduction
HP Comware switches also support VLANs and 802.1Q tagging. However,
Comware switches use slightly different terminology and have different
configuration commands than ProVision switches. On Comware switches,
you configure VLAN support by first determining the type of port that should
be used.
Access port
An access port belongs to one VLAN and sends and receives untagged
traffic only. Generally, you use an access port to connect workstations or
endpoints.
Trunk port
A trunk port can belong to multiple VLANs and can send and receive
untagged frames for one VLAN and tagged frames for multiple VLANs.
Trunk ports are used for switch-to-switch links, allowing you to extend VLAN
boundaries across switches.
Hybrid port
A hybrid port can belong to multiple VLANs. It can assign a frame to a
VLAN based on information other than the 802.1Q field. For example, a
hybrid port can look at the MAC address, the protocol, or the IP subnet of
frames to determine VLAN membership. Hybrid ports are used for
specialized functions, which are not covered in this course. For more
information, see the Building SMB Networks with HP Technologies course.
• By default all ports are configured as access ports that support the default VLAN.
• You must create a VLAN on the switch before assigning it to an access or trunk port.
• An access port can support only one untagged VLAN.
• A trunk port can support one untagged VLAN and multiple tagged VLANs.
• The PVID and permitted VLANs on connected trunk ports must match.
Introduction
Before you learn how to configure access and trunk ports on Comware
switches, you should review some basic guidelines.
By default all ports are configured as access ports that support the
default VLAN.
Like ProVision switches, Comware switches have a default VLAN, which is
VLAN 1. In addition, all ports are configured as access ports that support
VLAN 1.
With these settings, each port will accept frames that do not contain an
802.1Q tag and that have a source IP address in VLAN 1.
A trunk port can support one untagged VLAN and multiple tagged
VLANs.
Just like an access port, a trunk port can support only one untagged VLAN.
However, a trunk port can support any number of tagged VLANs. This
allows the trunk port to function as a switch-to-switch connection.
The trunk port’s port VLAN ID (PVID) determines the port’s untagged
VLAN. By default, all trunk ports’ PVID is the default VLAN, VLAN 1.
The trunk port’s permitted VLANs list determines the VLANs for which the
port carries traffic. Any VLAN in the permitted VLAN list that is not the PVID
is tagged.
By default, a trunk port has only VLAN 1 in its permitted VLANs list, so it
carries only untagged traffic. To add the tagged VLANs, you simply specify
them as permitted.
Often you keep the default PVID, but if you change it, the new PVID is not
automatically added to the permitted VLANs list, nor is VLAN 1 removed
from the permitted VLANs list. Therefore, the trunk port will not transmit or
accept any untagged traffic, and it will accept frames that are tagged for
VLAN 1. To allow the port to send and receive untagged traffic again,
remember to add the new PVID to the permitted list. Also remember to
remove VLAN 1, if you do not want it on the port. Of course, the PVID and
permitted VLANs on directly connected trunk ports must match.
The PVID and permitted VLANs on connected trunk ports must match.
When you connect two trunk ports to establish a switch-to-switch
connection, you must ensure that their VLAN settings match, or traffic will
be dropped. They must have the same PVID and permitted VLANs.
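The PVID and permitted-list rules above have a failure mode that is easy to
walk into: changing the PVID without touching the permitted list leaves the
port with no untagged VLAN at all, and VLAN 1 still permitted (now tagged).
The following is an added example, not HP's code, that models a Comware trunk
port's state and checks a pair of connected trunk ports for exactly these
problems before the change reaches a live link. The class name TrunkPort and
the check functions are this example's own; the rules they encode are the
ones described in the guidelines above.

```python
"""Comware trunk port state and a link-consistency check.

Added example, not HP's code. TrunkPort mirrors the effect of
'port trunk pvid vlan' and 'port trunk permit vlan' as described in the
text; the checker names are this example's own.
"""
from dataclasses import dataclass, field

DEFAULT_VLAN = 1


@dataclass
class TrunkPort:
    name: str
    pvid: int = DEFAULT_VLAN                                        # port trunk pvid vlan
    permitted: set = field(default_factory=lambda: {DEFAULT_VLAN})  # port trunk permit vlan

    def untagged_vlan(self):
        """The PVID, but only while it is also permitted; otherwise the port
        neither sends nor accepts untagged traffic."""
        return self.pvid if self.pvid in self.permitted else None

    def tagged_vlans(self) -> set:
        """Every permitted VLAN other than the PVID is carried tagged."""
        return self.permitted - {self.pvid}

    def set_pvid(self, vid: int):
        self.pvid = vid                   # the permitted list is deliberately left alone

    def permit(self, *vids: int):
        self.permitted |= set(vids)

    def undo_permit(self, *vids: int):
        self.permitted -= set(vids)


def check_trunk_port(port: TrunkPort) -> list:
    """Warnings about one port's own configuration."""
    warnings = []
    if port.untagged_vlan() is None:
        warnings.append(f"{port.name}: PVID {port.pvid} is not in the permitted list, "
                        f"so untagged traffic is dropped")
    if port.pvid != DEFAULT_VLAN and DEFAULT_VLAN in port.permitted:
        warnings.append(f"{port.name}: VLAN 1 is still permitted (now tagged) "
                        f"after the PVID change")
    return warnings


def check_trunk_link(a: TrunkPort, b: TrunkPort) -> list:
    """Problems on a switch-to-switch link between two trunk ports."""
    problems = check_trunk_port(a) + check_trunk_port(b)
    if a.pvid != b.pvid:
        problems.append(f"PVID mismatch: {a.name}={a.pvid}, {b.name}={b.pvid}")
    if a.permitted != b.permitted:
        problems.append(f"permitted VLAN mismatch: only on {a.name} "
                        f"{sorted(a.permitted - b.permitted)}, only on {b.name} "
                        f"{sorted(b.permitted - a.permitted)}")
    return problems


if __name__ == "__main__":
    p = TrunkPort("GigabitEthernet1/0/6")
    p.permit(10, 20)                 # port trunk permit vlan 10 20
    p.set_pvid(30)                   # port trunk pvid vlan 30, permitted list unchanged
    print("after PVID change:", p.untagged_vlan(), p.tagged_vlans(), check_trunk_port(p))
    p.permit(30)                     # add the new PVID to the permitted list
    p.undo_permit(1)                 # and remove VLAN 1 if it is not wanted
    print("after fix:         ", p.untagged_vlan(), p.tagged_vlans(), check_trunk_port(p))
```

The sequence in `__main__` is the one the text warns about: right after the
PVID change the port has no untagged VLAN and carries VLAN 1 tagged; after
permitting VLAN 30 and removing VLAN 1 it is clean again.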
• Creating VLANs
• Configuring access ports
• Configuring trunk ports
• Adding permitted VLANs to trunk ports
• Changing the trunk port’s PVID
• Configuring IP addresses
Introduction
Now that you understand the guidelines for configuring VLANs on Comware
switches, you can examine the commands.
Creating VLANs
Use the command shown here to create the VLAN so that you can assign
access or trunk ports to it.
Syntax:
[Switch] vlan <VLAN ID>
Example:
[Switch] vlan 10
Configuring access ports
Syntax:
[Switch] vlan <VLAN ID>
[Switch-vlan<ID>] port <interface-list>
Example:
[Switch] vlan 10
[Switch-vlan10] port gigabitethernet 1/0/1
Configuring trunk ports
Syntax:
[Switch] interface <interface type> <ID>
[Switch-<interface type><ID>] port link-type trunk
Example:
[Switch] interface g1/0/6
[Switch-GigabitEthernet1/0/6] port link-type trunk
Remember that connected trunk ports must support the same VLANs, or
traffic will be dropped.
Adding permitted VLANs to trunk ports
Syntax:
[Switch-<interface type><ID>] port trunk permit vlan <VLAN ID list>
Example:
[Switch-GigabitEthernet1/0/6] port trunk permit vlan 10 20
Changing the trunk port’s PVID
Syntax:
[Switch-<interface type><ID>] port trunk pvid vlan <VLAN ID>
Configuring IP addresses
As you learned earlier, you must configure an IP address on a VLAN if you
want the switch to send and receive its own IP traffic on that VLAN. Use the
commands shown here to:
Syntax:
[Switch] interface vlan-interface <VLAN ID>
[Switch-vlan-interfaceID] ip address <IP address> <mask | prefix length>
Example:
[Switch] interface vlan-interface 1
[Switch-vlan-interface1] ip address 10.1.1.1 255.255.255.0
[Switch-vlan-interface1] interface vlan-interface 10
[Switch-vlan-interface10] ip address 10.1.10.1 255.255.255.0
[Switch-vlan-interface10] interface vlan-interface 20
[Switch-vlan-interface20] ip address 10.1.20.1 255.255.255.0
GVRP
In this module, you have learned how to manually configure VLAN memberships on ProVision and Comware switches.
Rather than manually configuring VLAN settings on switch ports, however, you can use the GARP VLAN Registration
Protocol (GVRP) to dynamically create VLANs on ports that are connected to other GVRP-aware switches. (Generic Attribute
Registration Protocol [GARP] is a protocol that defines procedures by which end stations and switches can register
attributes with each other.)
When GVRP is enabled on a switch, it advertises any configured static VLANs on all its ports. If a GVRP-aware switch port
receives the advertisement, it can dynamically join the advertised VLAN. This dynamic VLAN is tagged on the port.
Both ProVision and Comware switches support GVRP. (GVRP configuration and management are not covered in this course.
For more information, see your switch documentation.)
Introduction
You now know how to configure VLANs on switch ports. Next, you will look
at an example of how switches use Layer 2 forwarding to enable two
devices within the same VLAN to communicate. In this example, a
workstation wants to communicate with a database server, and both
devices are in the same VLAN. However, as you can see, there are several
switches between them.
Step 1
Before the workstation can send a frame to the server, it must know the
server’s MAC address so that it can place the correct destination address in
the frame. The application on the workstation knows or is configured with
the server’s IP address. Therefore, the workstation sends an Address
Resolution Protocol (ARP) request, which is a broadcast to the entire
VLAN, requesting the MAC address associated with the server’s IP
address. In this instance, the Ethernet frame that the workstation sends has
a destination MAC address of FFFFFF:FFFFFF, which is the broadcast
address.
Step 2
The switch to which the workstation is connected receives the ARP request.
Because this frame is a broadcast, the switch sends it out all of its ports that
are members of VLAN 30. (This is sometimes called flooding.)
Step 3
When other switches along the path to the database server receive the
broadcast, they also flood the frame out all of their ports that belong to
VLAN 30.
Step 4
The database server finally receives the ARP request. It responds to the
request by sending a directed frame (not a broadcast) to the workstation’s
MAC address, wherein it conveys its hardware or MAC address.
Introduction
Now that the workstation knows the MAC address of the database server, it
can send Ethernet frames directly to the server.
Step 1
The workstation addresses a frame to the database server’s MAC address.
Step 2
The Edge_1 switch operates as a Layer 2 switch. It checks its Layer 2
forwarding table and forwards the frame through port B2 to the IT switch.
(If the switch did not know the port for this MAC address, it would flood the
frame like a broadcast. But all the switches in this example learned the port
for the server’s MAC address when they received the server’s ARP
response on its way back to the workstation.)
Step 3
The IT_switch is a Layer 3 switch. You do not need to understand its Layer
3 functions now but simply know that it acts as a Layer 2 switch for all
frames that are not destined to its own MAC address.
In this case, the destination MAC address is different from its own MAC
address, so the switch checks its MAC forwarding table. The switch
forwards the frame through port C9.
Step 4
The Edge_2 switch receives the frame through port B24, submits it to its
Layer 2 forwarding table lookup, and forwards it through port B1 to the
database server.
You now understand how switches forward traffic at Layer 2. They make
forwarding decisions based on information in the Ethernet header of a
frame such as the destination MAC address and the 802.1Q VLAN tag.
Summary
Module 4: Routing
Objectives
This module explains when a Layer 3 switch or router is required to route traffic to its destination. It also guides you
through the process of enabling routing and configuring a static route on HP Comware and ProVision switches.
Introduction
When a device needs to communicate with another device in the same
VLAN or subnet, the switch (or switches) can forward traffic between the
two devices at Layer 2.
Layer 2 forwarding
Switches acting at Layer 2 use information in the Ethernet header to
forward traffic, specifically the destination Media Access Control (MAC)
address and perhaps an 802.1Q tag. The switch does not process the
frame past the Ethernet header, ignoring the IP or other Layer 3 header.
The switch follows two simple rules. First, it looks up the port for the
destination MAC address in its MAC forwarding table and forwards the
frame on that port. Second, if the switch does not know the MAC address, it
floods the frame out all ports that belong to the frame’s VLAN.
through Switch C and onto Switch B, all of the switches forward the traffic
by looking up the destination MAC address in their forwarding tables.
Layer 3 forwarding
To route traffic, a Layer 3 switch uses information in the packet’s Layer 3
header. IP is by far the most common Layer 3 protocol, and this course
focuses on IP routing. Specifically, therefore, the Layer 3 switch relies on
the packet’s destination IP address to make routing decisions. (For the
purposes of this course, the IP header is a version 4 IP header.)
Routing overview
Introduction
Before you consider how a switch learns how to route traffic to specific
subnets, you should understand at a high level how a packet is transmitted
from a device in one subnet to a device in another subnet.
In the example network, the default gateway for devices in VLAN 20 (which
is associated with subnet 10.1.20.0/24) is Switch B (which has the IP
address 10.1.20.1).
The default gateway is responsible for knowing where to send traffic so that
it will reach its final destination. (You will learn how the default gateway
gathers and stores this information later in this module.)
4. Return traffic
If the destination device, in this case a server, wants to send traffic to the
originating device, it must send the traffic to its default gateway. In this case,
Switch C is the default gateway for VLAN 30 (which is subnet 10.1.30.0/24).
Types of routes
Layer 3 switches and routers learn the next hop for destination networks
through routes. There are two types of routes:
• Direct routes are for local networks, which are those networks directly
connected to the switch.
• Indirect routes are for remote networks, which are those networks not
directly connected to the switch.
Direct routes
Introduction
A switch or router has direct routes to the subnets assigned to its own Layer
3 interfaces:
The direct route to subnet 10.1.10.0/24 lets Switch C route traffic that it
receives on VLAN 20 to any destination in VLAN 10. Similarly, the direct
route to subnet 10.1.20.0/24 would let Switch C route traffic received on
VLAN 10 back to a destination in VLAN 20.
3. Layer 2 switch
Switch A does not have IP routing enabled. Therefore, it forwards the traffic
at Layer 2 and does not have direct (or indirect) routes.
Indirect routes
Default route
Introduction
An indirect route enables a switch to communicate with “non-local”
destinations using one or more intermediate hops. Indirect routes must be
entered manually or learned through a routing protocol.
Static route
A static route is a route to a specific remote network. A network
administrator must manually enter a static route.
Default route
A default route is a special type of indirect route that tells a Layer 3 switch
how to forward a packet when it does not know a specific route to the
destination address. Default routes may be static or dynamic. On the
example network, Switch C has a default route to WAN router A, which
connects to the Internet.
Dynamic route
A switch learns a dynamic route through a routing protocol. Routing
protocols allow switches and routers to exchange routing information to
determine the best paths between networks. (This course does not focus on
routing protocols. The Building SMB Networks with HP Technologies course
covers routing protocols in more detail.)
Static routes
Introduction
In the example network, Switch B does not support subnet 10.1.30.0/24
(VLAN 30). To route traffic to this subnet, therefore, the switch needs a
route, which would include the information shown in the graphic: the next
hop, which would be 10.1.2.1, and the forwarding interface, which would be
VLAN 2.
The switch could have a static route or a dynamic route to this network. As
mentioned earlier, this course focuses on static routes. Click each tab to
learn about the advantages and disadvantages of using a static route.
Advantages
Static routes work best for networks with simple topologies. When a
network does not have many paths for traffic to traverse, you might find it
easier to configure a couple of static routes manually rather than implement
a routing protocol. With static routes, you also have complete control over
which next hop each Layer 3 switch uses for each destination subnet.
Disadvantages
The larger a network is and the more VLANs and subnets it supports, the
more tedious and difficult it is to configure every route on every Layer 3
switch and router manually.
In addition, static routes might not adapt well to network topology changes.
For example, if you added another path to VLAN 30 for Switch B (perhaps
by adding another switch), you would need to reconfigure the route. In
addition, although there are ways to configure backup static routes, these
routes might not respond to changing conditions several hops away. Thus if
a hop in the path to a destination becomes unavailable, the destination may
become unreachable. Dynamic routing protocols, on the other hand, allow
Layer 3 switches and routers to adapt to network changes.
Default route
The default route is the route of last resort. When a Layer 3 switch or router
cannot match traffic to a specific route, it will use the default route.
Often, the default route is used to enable connectivity to the Internet. A Layer 3
switch is configured with the IP address of an Internet-accessible router. Any
traffic for which the Layer 3 switch does not have a route it forwards to the
router to resolve.
A default route usually shows as 0.0.0.0/0 in a routing table. This notation
tells the router to forward any traffic that cannot be specifically matched out
the interface associated with the default route.
Routing tables
• Comware and ProVision switches use the following to prioritize routes:
• Administrative distance or preference
• Metric or cost
Introduction
At a minimum, a Layer 3 switch requires the following information about
each IP route, which the switch stores in its routing table:
You have already learned about the destination network and the next hop.
Because switches sometimes have more than one route to the same
destination, they must be able to prioritize routes.
likely for the route to be selected. Directly connected routes always have an
administrative distance of 0.
Metric or cost
Switches also need a way to compare routes that are learned by the same
routing protocol or method.
ProVision switches use the route metric to compare routes learned by the
same routing protocol or method. For example, when a routing protocol
discovers more than one route to a destination, the switch selects the route
with the lowest metric as its best route.
Comware switches use the route cost to compare routes learned from the
same protocol or method. Lowest cost routes are preferred. However, when
a routing protocol discovers multiple routes to the same destination with the
same cost, Comware switches can load balance traffic over all of the same-
cost routes.
Note that the Layer 3 switch does not compare the metric or cost between
routes acquired through different methods. Each routing protocol selects
one lowest metric or cost route to each destination (or, in the case of
Comware switches, several load-balanced routes). For example, Routing
Information Protocol (RIP) might select one lowest-cost route to
10.1.30.0/24, and Open Shortest Path First (OSPF) might do the same. The
switch then must choose between the RIP route and the OSPF route, and it
uses administrative distance or preference to do so. (Both RIP and OSPF
are routing protocols.)
Introduction
Each Layer 3 switch or router stores its selected routes in a routing table.
The example shows a routing table from a Comware switch.
Destination/Mask
The Destination/Mask field specifies the network address and subnet mask
for the destination. Note that an IP address might match multiple routes,
which means the Layer 3 switch knows more than one route to the same IP
address. In this case, the Layer 3 switch uses the most specific route (the
route with the longest mask) to route the packet.
Proto
The Proto field indicates the protocol or method by which the route was
discovered. Possible values include Static (a static route), Direct (a direct
connection), or a routing protocol such as RIP or OSPF.
Pre
The Pre field indicates the administrative preference. The switch uses
administrative preference to choose between two or more routes to the
same destination that were discovered through different protocols or
methods. For example, one route might be a static route while another
route might be an OSPF route. (OSPF is a routing protocol.)
Cost
The Cost field indicates the cost of the route. The switch uses the cost to
choose between routes to the same destination that are learned through the
same protocol or method. For example, the routes might both be OSPF
routes.
NextHop
The NextHop field indicates the next hop for each route.
Interface
The Interface field indicates the switch interface that will be used to forward
traffic to or toward the destination. As you recall, on all Layer 3 switches,
the interface is usually a VLAN interface. However, for routers, the interface
might be a physical port that has been assigned an IP address.
For indirect routes, the next hop is always another Layer 3 switch or router
that knows how to route the packet toward the destination. For a route to
remain in the routing table, the Layer 3 switch must be able to reach the
next hop.
In this example, the next hop for the default route (0.0.0.0/0) is 10.1.4.2,
which is in the 10.1.4.0/24 subnet. The switch knows a route to 10.1.4.0/24,
which is directly connected on VLAN 500, so it can reach the next hop.
For an indirect route, the forwarding interface is the interface on which the
local device reaches the next hop. In this case, it is VLAN 500.
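The lookup rules described above (longest match, then preference, then cost, and the requirement that an indirect route's next hop be reachable through a direct route) as an added Python example; it is not HP code, and the routing table entries and preference values in it are constructed sample data modelled on this module's example network.

```python
"""Route selection as described for Comware / ProVision routing tables.

Added example, not HP code. It models the rules the module states:
  1. Longest-prefix match picks the most specific route for a packet.
  2. Among routes to one prefix learned by different methods, the lowest
     administrative preference / distance (Pre) wins.
  3. Among routes from the same method, the lowest cost / metric wins;
     Comware keeps all equal-cost winners for load balancing.
  4. An indirect route is usable only while a direct route covers its next hop.
Pre values follow Comware's usual defaults (Direct 0, OSPF 10, Static 60,
RIP 100) but, like every entry below, are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Union


@dataclass(frozen=True)
class Route:
    destination: IPv4Network   # Destination/Mask
    proto: str                 # Direct, Static, RIP, OSPF ...
    pre: int                   # administrative preference / distance
    cost: int                  # metric / cost
    next_hop: IPv4Address      # NextHop
    interface: str             # forwarding interface, e.g. "Vlan500"


def next_hop_reachable(route: Route, table: List[Route]) -> bool:
    """Rule 4: an indirect route needs a Direct route that contains its next hop."""
    if route.proto == "Direct":
        return True
    return any(r.proto == "Direct" and route.next_hop in r.destination
               for r in table)


def active_routes(table: List[Route]) -> List[Route]:
    """Routes the switch would actually keep in its table."""
    return [r for r in table if next_hop_reachable(r, table)]


def best_routes(candidates: List[Route]) -> List[Route]:
    """Rules 2 and 3 for routes that share one destination prefix.
    Returns every equal-cost winner so Comware-style load balancing is visible."""
    if not candidates:
        return []
    best_pre = min(r.pre for r in candidates)
    same_pre = [r for r in candidates if r.pre == best_pre]
    best_cost = min(r.cost for r in same_pre)
    return [r for r in same_pre if r.cost == best_cost]


def lookup(table: List[Route], dst: Union[str, IPv4Address]) -> List[Route]:
    """Rule 1 first, then best_routes(): the route(s) used for destination dst."""
    if isinstance(dst, str):
        dst = IPv4Address(dst)
    matching = [r for r in active_routes(table) if dst in r.destination]
    if not matching:
        return []
    longest = max(r.destination.prefixlen for r in matching)
    return best_routes([r for r in matching if r.destination.prefixlen == longest])


def build_sample_table() -> List[Route]:
    """Constructed routing table loosely following the module's example network."""
    ip, net = IPv4Address, IPv4Network
    return [
        Route(net("10.1.20.0/24"), "Direct", 0, 0, ip("10.1.20.1"), "Vlan20"),
        Route(net("10.1.30.0/24"), "Direct", 0, 0, ip("10.1.30.1"), "Vlan30"),
        Route(net("10.1.4.0/24"), "Direct", 0, 0, ip("10.1.4.1"), "Vlan500"),
        # Default route: next hop 10.1.4.2 is reachable via the Vlan500 direct route.
        Route(net("0.0.0.0/0"), "Static", 60, 0, ip("10.1.4.2"), "Vlan500"),
        # Same prefix from RIP and OSPF: OSPF wins on preference (10 < 100),
        # even though its cost is higher (cost is never compared across methods).
        Route(net("10.1.40.0/24"), "RIP", 100, 2, ip("10.1.4.3"), "Vlan500"),
        Route(net("10.1.40.0/24"), "OSPF", 10, 20, ip("10.1.4.4"), "Vlan500"),
        # Two equal-cost OSPF routes: both kept (Comware load balancing).
        Route(net("10.1.50.0/24"), "OSPF", 10, 5, ip("10.1.4.5"), "Vlan500"),
        Route(net("10.1.50.0/24"), "OSPF", 10, 5, ip("10.1.4.6"), "Vlan500"),
        # More specific static route inside 10.1.50.0/24: longest match wins.
        Route(net("10.1.50.128/25"), "Static", 60, 0, ip("10.1.4.7"), "Vlan500"),
        # Static route whose next hop has no direct route: never used for lookups.
        Route(net("10.1.60.0/24"), "Static", 60, 0, ip("192.168.9.1"), "Vlan900"),
    ]
```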
For direct routes, Comware switches display the following information in the routing
table:
Introduction
Comware switches handle direct routes as outlined below.
Next Hop
When a Layer 3 switch has a direct route to a subnet, the next hop is the IP
address of the switch on that subnet. For direct routes to the IP address of
the Comware switch itself, the next hop is the loopback address.
Interface
The forwarding interface for a direct route is the VLAN interface (or Layer 3
physical interface) associated with that subnet. The forwarding interface for
a direct route to the IP address of the switch is the loopback interface.
As you can see, if the packet is destined to the IP address of the switch, the
switch processes the packet locally. If the packet is destined to another IP
address on the directly connected subnet, the switch forwards the packet
on the associated interface.
Introduction
HP ProVision switches display routing information in a slightly different
order, as shown in this example.
Destination
The Destination field contains the destination network and subnet mask,
which the switch uses to match a packet’s destination IP address to a
route.
Gateway
The Gateway field indicates the gateway (or next hop) for the route. For
indirect routes, the gateway is the next hop’s IP address, just as in
Comware switches. However, on ProVision switches, the gateway for a
direct, or “connected,” route is the name of the VLAN associated with the
connected subnet.
VLAN
The VLAN field indicates the forwarding interface for the route.
Type
The Type field indicates the type of route. ProVision switches use the term
“connected” to indicate a direct route. The example routing table displays
only connected and static routes, but ProVision switches also support
routing protocols such as RIP and OSPF, which are listed by these names.
Sub-Type
The Sub-Type field is used when routes have been discovered through the
OSPF protocol.
Metric
As you learned, ProVision switches use metrics to choose between routes
that were discovered in the same way (such as two OSPF routes or two
RIP routes).
Dist.
The Dist. field indicates the administrative distance, a route prioritization
method used to choose between routes of different types.
Introduction
You now understand that a Layer 3 switch uses its routing table and a
packet’s IP address to discover the packet’s next hop and forwarding
interface.
You will take a close look at this process by following a packet as it is routed
from a source workstation at 10.1.20.53/24 to a database server at
10.1.30.101/24.
Step 1
The workstation knows the IP address of the server (10.1.30.101) and
recognizes that this address is on a different network. Because the packet
must be routed, the workstation sends the traffic to its default gateway,
Switch C, which has the IP address of 10.1.20.1.
If the workstation does not know the MAC address for 10.1.20.1 (because it
has not recently communicated with its default gateway), it sends an ARP
request to find the MAC address. The ARP response resolves the IP
address 10.1.20.1 to Switch C’s MAC address (00-1D-B3-F1-EF-40).
The workstation then sends an Ethernet frame, which has the MAC
destination address for Switch C, to its directly attached switch, Switch B.
However, the packet’s IP destination address is 10.1.30.101, which is the
server’s IP address.
Step 2
When Switch B receives the frame, it uses the destination MAC address to
forward the frame at Layer 2. The switch looks up the destination MAC
address in its MAC forwarding table and forwards the frame out the correct
port. (If the switch does not know the MAC address, it can flood the frame
out on VLAN 20.)
Step 3
When Switch C receives the frame, it recognizes its address in the
destination MAC address field and removes the Ethernet header. Switch C
examines the IP header and realizes that it needs to route the packet since
the destination IP address is not its own IP address.
Switch C looks up the most specific route that matches the destination
address in its routing table. The routing table shows that the destination IP
address is a directly connected route on the VLAN 30 interface.
Step 4
Switch C has determined that it must forward the packet on the VLAN 30
interface. To do so, it must add a new Ethernet header.
When using a direct route, the switch forwards the frame directly to the
destination, which is the server’s MAC address. Switch C uses ARP to
resolve the server’s IP address to a MAC address and to determine the
physical forwarding port.
Note that if Switch C were using an indirect route, it would use ARP to
resolve the next hop router’s IP address to a MAC address. It would then
specify that MAC address instead of the actual destination device’s MAC
address.
Step 5
When Switch D receives the frame, it uses its MAC (Layer 2) forwarding
table to find the correct port for the destination MAC address. (If Switch D
does not know the port, it floods the frame.)
The traffic has now reached its destination, the database server with IP
address 10.1.30.101/24 and MAC address 00-E0-52-F0-4C-0F.
Introduction
Now that you understand how traffic is routed between VLANs, you will
examine how HP ProVision switches handle VLAN assignments and 802.1Q
tagging as they forward and route the traffic. You will examine this topic
using the same scenario as before: you will trace an IP packet sent from a
workstation to a database server.
Step 1
Before you look at the flow of traffic and how frames are tagged, you must
understand port VLAN membership. In this example, switches support
multiple VLANs on their switch-to-switch ports. All of the switch-to-switch
ports are untagged members of VLAN 1 and tagged members of one or
more other VLANs. VLANs on this network include:
The source workstation and destination database server, on the other hand,
do not support 802.1Q, and the ports are untagged members of their
respective VLANs:
Step 2
When the source workstation sends the frame (containing the packet
destined for the database server), Switch B receives the frame on a port
that is an untagged member of VLAN 20.
The workstation does not support 802.1Q. The frame does not include an
802.1Q tag at this point.
Step 3
Switch B forwards the frame to Switch C on a port that is tagged for VLAN
20. Because the port is tagged for VLAN 20, the switch inserts the 802.1Q
tag into the Ethernet frame.
Step 4
Switch C routes the packet to VLAN 30. Because the link between Switch C
and Switch D is tagged, Switch C removes the VLAN 20 802.1Q tag from
the Ethernet frame and then inserts the VLAN 30 802.1Q VLAN tag into the
Ethernet frame.
Step 5
Switch D receives the frame on a port that is a tagged member of VLAN 30.
However, because the server is connected to Switch D on an untagged port
that is a member of VLAN 30, Switch D removes the 802.1Q tag before
forwarding the frame to the server.
Introduction
You will now trace a packet on a similar network that includes Comware
switches instead of ProVision switches. Again, all switches on this network
must support multiple VLANs, including the default VLAN, VLAN 1.
Step 1
The source workstation and destination database server do not support
802.1Q. Consequently, the workstation is connected to an access port
assigned to VLAN 20, and the server is connected to an access port in
VLAN 30. The workstation sends an untagged frame (containing the packet
destined for the database server) to its directly connected switch, Switch B.
Step 2
Switch B must send VLAN 20 traffic to Switch C, the default gateway for
that VLAN. The Switch B port that connects to Switch C must also support
VLAN 1 traffic, so the port is a trunk port, which supports multiple VLANs.
The trunk port must be configured to support VLAN 20. (If VLAN 20 is not
permitted, the trunk port will discard the frame.)
Switch B inserts the 802.1Q tag into the Ethernet frame and sends it to
Switch C.
Step 3
Switch C receives the frame on a trunk port that permits VLAN 20. Switch C
then checks its routing table and determines that it must route the packet to
Step 4
Switch D receives the frame on a trunk port that permits VLAN 30. Switch D
checks its MAC table and determines it must forward the frame to the
access port that connects to the destination database server. (If this entry
was not in the switch’s MAC table, the switch would flood an ARP request
in VLAN 30 to resolve the IP address.) Switch D removes the 802.1Q field
from the frame and forwards it to the server.
The table below summarizes how port-based VLANs are supported on ProVision and Comware switches. (Both ProVision
and Comware switches support advanced VLANs. To learn more about VLANs, attend the Building SMB Networks with HP
Technologies course.)
Summary
In this module, you learned about the following:
Module objectives
This module explains how to use link aggregation to increase bandwidth on selected network links. You will first learn
about Link Aggregation Control Protocol (LACP), the industry-standard protocol for establishing aggregated links. You will
then learn how link aggregation is implemented on HP ProVision and Comware switches.
Link Aggregation
For example, a company may be using 1-GbE links. If the switches provide
enough ports, the company can aggregate some of these 1-GbE links to
increase the available bandwidth between particular switches. This solution
offers a cost-effective alternative to purchasing 10-GbE links.
• Static LACP
• Dynamic LACP
Introduction
As is often the case, individual vendors saw the need to provide more
bandwidth and developed proprietary technologies to aggregate links. To
standardize aggregated links for multivendor environments, IEEE
developed the Link Aggregation Control Protocol (LACP). The original
standard is known as 802.3ad, but it has been subsequently updated to
802.1AX-2008. However, LACP is still frequently referred to as the 802.3ad
standard.
LACP allows you to create aggregated links between any two devices that
support the standard. For example, you can create links between any two
switches that support LACP or between a server and a switch.
LACP defines two types of aggregated links: static (or manual) or dynamic.
Static
With static LACP, aggregated links are established or configured manually.
If one of the connections in the aggregated links fails, the LACP-enabled
devices detect the failure but continue forwarding traffic on the remaining
connections.
Dynamic
With dynamic LACP, aggregated links are established automatically, using
the negotiation process outlined in the LACP standard. (You will learn about
LACP requirements
The LACP standard outlines some requirements for physical links that will
be part of the aggregated link:
Once the aggregated link is established, LACP ensures the physical links
continue using the same speed and duplex settings.
Introduction
When configured to use dynamic LACP, switches use LACP data units
(LACPDUs) to exchange information and establish a dynamic aggregated
link. Exchanging LACPDUs allows devices to determine if links can be
aggregated. For example, the devices determine if all of the links are the
same media type and speed. LACPDUs also allow devices to manage the
aggregated link, including handling failovers and adding or removing
physical links.
Source MAC
Like all Ethernet frames, the LACPDU contains the MAC address of the
sending device.
System identifier
The system identifier is the concatenation of a MAC address and the LACP
system priority. The LACP standard allows the switch to use its own MAC
address or a MAC address that is assigned to one of the ports in the
aggregated link. The system priority is a user-configurable number, which is
used to determine which switch will select the ports that are active in the
aggregated link. The switch that has the lower system priority will select the
active ports.
Port priority
The port priority is a user-configurable number that is used to determine
which ports are active and which are standby. Ports that have lower port
priority numbers will be used for active links before those with higher port
priority numbers.
Introduction
A dynamic LACP port can operate in one of two states: active or passive.
Passive
Passive ports listen for LACPDUs. If passive ports receive an LACPDU
from an active port, they respond with their own LACPDU.
Active
Active ports transmit LACPDUs to advertise that they can create
aggregated links.
Both ports can be active, however. In this configuration, both ports will
advertise that they support LACP, respond to the other port’s
advertisement, and establish the aggregated link.
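An added Python model of the dynamic LACP negotiation described in this lesson (system identifier, port priority, and active/passive modes); it is not HP or IEEE code, and the switch names, MAC addresses and priorities are constructed sample values. The MAC address as tie-break for equal system priorities is standard 802.1AX behaviour that the lesson does not spell out.

```python
"""Outcome of a dynamic LACP negotiation, modelled on this lesson's rules.

Added example, not HP or IEEE code:
  - system ID = system priority + MAC; the switch with the lower system
    priority chooses which ports are active (MAC breaks a tie, per 802.1AX).
  - on the choosing switch, lower port priority numbers become active first.
  - LACPDUs are exchanged only if at least one end of a link is active;
    two passive ends never aggregate.
All names, MACs and priorities below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class LacpPort:
    name: str           # e.g. "A1"
    port_priority: int  # lower value is preferred for an active link
    mode: str           # "active" or "passive"


@dataclass
class LacpSystem:
    name: str
    mac: str                # e.g. "00-1d-b3-f1-ef-40"
    system_priority: int    # lower value wins the right to choose
    ports: List[LacpPort] = field(default_factory=list)

    def system_id(self) -> Tuple[int, int]:
        """Comparable (priority, MAC) key: the smaller tuple takes precedence."""
        raw = self.mac.replace("-", "").replace(":", "")
        return (self.system_priority, int(raw, 16))


def deciding_system(a: LacpSystem, b: LacpSystem) -> LacpSystem:
    """The system whose port priorities decide the active/standby split."""
    return a if a.system_id() <= b.system_id() else b


def negotiate(a: LacpSystem, b: LacpSystem, links: List[Tuple[str, str]],
              max_active: int) -> Dict[str, str]:
    """links pairs a-port names with the b-port names they are cabled to.
    Returns {a_port_name: "active" | "standby" | "not-aggregated"}."""
    a_ports = {p.name: p for p in a.ports}
    b_ports = {p.name: p for p in b.ports}
    result: Dict[str, str] = {}
    negotiable: List[Tuple[str, str]] = []
    for ap, bp in links:
        # A passive port only answers LACPDUs, so passive-passive stays silent.
        if a_ports[ap].mode == "active" or b_ports[bp].mode == "active":
            negotiable.append((ap, bp))
        else:
            result[ap] = "not-aggregated"
    chooser = deciding_system(a, b)

    def rank(link: Tuple[str, str]) -> Tuple[int, str]:
        # Only the chooser's port priorities matter; name is a stable tie-break.
        ap, bp = link
        p = a_ports[ap] if chooser is a else b_ports[bp]
        return (p.port_priority, p.name)

    for i, (ap, _) in enumerate(sorted(negotiable, key=rank)):
        result[ap] = "active" if i < max_active else "standby"
    return result


def sample_negotiation() -> Dict[str, str]:
    """Constructed scenario: SwitchB has the lower system priority, so its
    port priorities (not SwitchA's) decide which links carry traffic."""
    sw_a = LacpSystem("SwitchA", "00-1d-b3-00-00-01", 32768, [
        LacpPort("A1", 128, "active"), LacpPort("A2", 1, "active"),
        LacpPort("A3", 128, "passive"), LacpPort("A4", 128, "active")])
    sw_b = LacpSystem("SwitchB", "00-1d-b3-00-00-02", 100, [
        LacpPort("B1", 10, "passive"), LacpPort("B2", 200, "passive"),
        LacpPort("B3", 5, "passive"), LacpPort("B4", 20, "active")])
    links = [("A1", "B1"), ("A2", "B2"), ("A3", "B3"), ("A4", "B4")]
    return negotiate(sw_a, sw_b, links, max_active=2)
```

In the sample, A2 has SwitchA's best port priority but still ends up standby, because SwitchB's priorities decide.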
Conversations
Introduction
LACP provides guidelines for managing traffic transmitted over the
aggregated link, based on what it defines as a conversation. Simply put, a
conversation is a one-way communication between a source device and a
destination device.
Manage a conversation
The LACP standard stipulates that an LACP-enabled device should
transmit all the frames in a given conversation over the same physical
connection within the aggregated link. If it is necessary to move a
Before you begin learning how to implement link aggregation on HP Comware and ProVision switches, you should be aware
of some differences in terminology.
Introduction
ProVision switches support two methods for creating aggregated links:
Port trunking has been an option on HP switches since the mid-1990s. With
port trunking, HP recommends that all links in the same trunk group use the
same speed, duplex, and flow control settings. In addition, the physical links
establishing the aggregated link must start and end on the same switch.
(Later in this module, you will learn about distributed trunking, which allows
one switch to establish a trunk with two remote devices.)
• Command syntax
• LACP example
• Port trunking example
Introduction
You will now take a quick look at the process of configuring a static
aggregated link on ProVision switches.
When creating a trunk, you should configure the trunk on the switch before
connecting the cables. If you connect the cables first, you will create a
network loop, unless you have enabled Spanning Tree Protocol (STP) or
another protocol for managing redundant links.
You should also complete the static trunk configuration on both switches
before the redundant links are connected.
Command syntax
When you configure static aggregated links on ProVision switches, you use
the trunk command:
• Port numbers: If you are making non-contiguous ports part of the link,
use commas to separate the ports. For a range of ports, use a hyphen.
For example:
a1,b1,c1
a3-a10
• Trunk name: To name the trunk, you include a number after trk. For
example, you might create trk1 or trk5.
• LACP or trunk: Specify if you want to use LACP or trunk (for port
trunking) to create the static trunk.
LACP example
For example, to create a static LACP trunk with ports A1, B7, and C3 and
name it Trk1, enter:
To configure a dynamic LACP aggregated link on ProVision switches, you use the interface command.
Switch(config)# interface <port numbers> lacp [active | passive]
Remember that you use commas to separate non-contiguous ports and a hyphen for a range of contiguous ports. Then,
specify if you want this port to be active or passive. For example:
After you create a dynamic LACP aggregated link, the switch automatically
names it Dynx, replacing x with the next available number. For example, the
first dynamic LACP aggregated link is called Dyn1.
Introduction
Creating an aggregated link affects any existing VLAN memberships on the
ports that you assign to the aggregated link. Specifically, all VLAN
memberships are removed from the port. For example, suppose port 24 is a
tagged member of VLANs 10, 20, and 30. If you make port 24 a member of
an aggregated link, all those VLAN memberships are removed.
Typically, you want an aggregated link to carry traffic from more than one
VLAN. The steps you take to allow the aggregated link to support multiple
VLANs vary, depending on whether the link is static or dynamic.
You can check VLAN membership by using the show run command. As
you can see, the port will be listed under the VLANs to which it belongs.
To view information about the link, use the show lacp command.
Introduction
One of the benefits of using link aggregation is that switches can distribute
conversations across the physical connections within the aggregated link.
Because the LACP standard does not require devices to use a specific
algorithm to distribute conversations, each switch vendor uses its own
algorithm.
Distributing conversations
When you implement an aggregated link on a ProVision switch, it identifies
each conversation that is transmitted across the link. Earlier in this module
you learned that a conversation is a one-way communication between a
source device and a destination device. By default, the HP 3500, 3800,
5400 zl, 6200 yl, 6600, and 8200 zl Switch Series use Layer 3 or Layer 2
information to identify a conversation and then apply an algorithm to
distribute the conversations across the connections in the aggregated link.
If a Layer 3 IP address is available, the switch's calculation will include the
last five bits of the IP source address and IP destination address. For other
traffic, the switch will use the source and destination MAC addresses.
Rather than use the default setting, you can configure the switch to use
Layer 4 information (UDP or TCP ports) for load balancing. (A detailed
discussion of using Layer 4 information for load balancing is beyond the
scope of this course. Check your switch documentation for more
information.)
Introduction
In addition to static and dynamic aggregated links, some ProVision switches
support distributed trunking, which provides high availability and load
sharing for server-to-switch connections or switch-to-switch connections.
device must support LACP or be able to form a trunk with a switch that is
using HP port trunking.
With the exception of the 3800 Switch Series, these switches run the K.XX
software. Distributed trunking for server-to-switch connections was
introduced in the K.14 software release. The K.15.03 software release
allowed you to use port trunking to create server-to-switch distributed
trunks, and the K.15.05 software added support for switch-to-switch
distributed trunking.
The 3800 Switch Series runs the KA.XX software and supported server-to-
switch distributed trunking in the initial release. The KA.15.09 software
release provided support for switch-to-switch distributed trunking.
Introduction
To configure bridge aggregation on Comware switches, you create an
aggregation group and assign ports to that group. When you add a port to
an aggregation group, that port can have one of two states:
• Selected: A selected port forwards traffic for the link aggregation group.
• Unselected: An unselected port cannot forward traffic for the link
aggregation group.
After you add ports to a link aggregation group, any additional class two
configurations made to a link aggregation group are automatically
synchronized to all of its member ports. These configurations are retained
on the member ports after they are removed from the link aggregation
group.
Reference ports
For each link aggregation group, Comware switches select a reference port.
The switches use the reference port to help determine the aggregation state
of each port. Simply put, the switches compare the port attributes and
class-two configurations of other member ports to those of the reference
port. The ports with settings that match the reference port can be selected
(if they meet other criteria as well).
The process for selecting this reference port differs slightly, depending on if
the link aggregation group is static or dynamic.
Introduction
Now let’s take a look at how the switches select a reference port for static
link aggregation groups.
• Full-duplex, high-speed
• Full-duplex, low-speed
• Half-duplex, high-speed
• Half-duplex, low-speed
In other words, the switch will select a port operating in full-duplex, whether
it is a high-speed or low-speed port, before it will select a port operating in
half-duplex.
Introduction
Once the switch selects the reference port, it determines the aggregation
state of each member port in the static link aggregation group.
Does the port support the reference port’s line speed and duplex
mode?
If the answer is yes, the switch applies the next criterion.
Do the port attributes and class two configurations match those of the
reference port?
If the answer is yes, the switch applies the next criterion.
Depending on why the ports have been set to unselected, they might be
used as standby links in case the selected links become unavailable. For
example, if a port is unselected because the link aggregation group reached
its maximum number of ports, the port’s state could be changed to selected
if another selected port fails.
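The reference-port and member-state rules described above, as an added example (not code from the HP course). The port list is constructed; the lowest port number as the final tie-breaker, the `link_up` flag, and the group's maximum of selected ports are assumptions, since the course only says such a limit exists.

```python
from dataclasses import dataclass

# Reference-port preference from the course text: full-duplex before
# half-duplex, and within one duplex mode the higher speed first.
DUPLEX_RANK = {"full": 0, "half": 1}


@dataclass(frozen=True)
class Port:
    number: int           # physical port number (assumed tie-breaker: lowest wins)
    speed_mbps: int
    duplex: str           # "full" or "half"
    class_two: tuple      # class-two settings, e.g. (("pvid", 10),)
    link_up: bool = True  # assumed: a down link is never reference nor selected


def choose_reference(ports):
    """Pick the reference port for a static aggregation group."""
    candidates = [p for p in ports if p.link_up]
    if not candidates:
        return None
    return min(candidates,
               key=lambda p: (DUPLEX_RANK[p.duplex], -p.speed_mbps, p.number))


def aggregation_states(ports, max_selected=8):
    """Return {port number: (state, reason)} for every member port.

    max_selected models the group's maximum number of selected ports; the
    default of 8 is an assumed value, not one stated in the course.
    """
    ref = choose_reference(ports)
    states = {}
    selected = 0
    for p in sorted(ports, key=lambda port: port.number):
        if ref is None or not p.link_up:
            states[p.number] = ("unselected", "link down")
        elif (p.speed_mbps, p.duplex) != (ref.speed_mbps, ref.duplex):
            states[p.number] = ("unselected", "speed/duplex differs from reference")
        elif p.class_two != ref.class_two:
            states[p.number] = ("unselected", "class-two configuration differs")
        elif selected >= max_selected:
            # Eligible but over the limit: a standby link that can take over.
            states[p.number] = ("unselected", "group full, standby")
        else:
            selected += 1
            states[p.number] = ("selected", "matches reference port")
    return states


def fail_port(ports, number):
    """Return a copy of the member list with one link marked down."""
    return [Port(p.number, p.speed_mbps, p.duplex, p.class_two, False)
            if p.number == number else p for p in ports]


# Constructed sample group of six member ports.
VLAN10 = (("pvid", 10),)
SAMPLE_GROUP = [
    Port(1, 1000, "full", VLAN10),
    Port(2, 1000, "full", VLAN10),
    Port(3, 1000, "full", VLAN10),
    Port(4, 100, "full", VLAN10),               # slower than the reference
    Port(5, 1000, "half", VLAN10),              # half-duplex
    Port(6, 1000, "full", (("pvid", 20),)),     # class-two mismatch
]

if __name__ == "__main__":
    for num, (state, why) in aggregation_states(SAMPLE_GROUP, 2).items():
        print(f"port {num}: {state:10s} {why}")
    print("after port 1 fails:")
    for num, (state, why) in aggregation_states(fail_port(SAMPLE_GROUP, 1), 2).items():
        print(f"port {num}: {state:10s} {why}")
```

With `max_selected=2`, port 3 starts as a standby link and becomes selected once port 1 fails and port 2 takes over as the reference.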
Introduction
For dynamic aggregation groups, the Comware switches use a different
process for selecting the reference port. The two switches setting up a
dynamic link use a two-step process:
• They select the switch on which the reference port will reside.
• The selected switch determines the reference port.
During the process of selecting a reference port, the two switches forming a
dynamic aggregated link identify which switch has the lower LACP system
priority. In addition to selecting the reference port, this switch effectively
determines the aggregation state (selected or unselected) for member ports
on both switches.
The switch uses the same criteria to determine the aggregation state for
dynamic aggregate ports as it does for static aggregate ports. For dynamic
link aggregation, however, the switch adds another criterion: it checks that
the port attributes and class two configuration settings of each peer port
match those of the peer port that connects to the reference port.
This table summarizes the advantages and disadvantages of each type of link aggregation on Comware switches. Please
note that for dynamic link aggregation groups, a port’s state depends on the peer port’s state.
Introduction
For both static and dynamic aggregation groups, Comware switches
provide flexibility in how traffic is distributed across the physical links in the
group. You can configure load sharing globally or per aggregation group.
Global
For the global setting, you can configure the switch to load share based on:
• Source IP address
• Destination IP address
• Source MAC address
• Destination MAC address
• Source IP address and destination IP address
• Source IP address and source port
• Destination IP address and destination port
• Source IP address, source port, destination IP address, and destination
port
• Any combination of incoming port, source MAC address, and destination
MAC address
Per aggregation group
For a specific aggregation group, you can configure the switch to load share based on:
• Source IP address
• Destination IP address
• Source MAC address
• Destination MAC address
• Layer 1 Multiprotocol Label Switching (MPLS) label (which is used on
networks that support telecommunications)
• Destination IP address and source IP address
• Destination MAC address and source MAC address
• Layer 1 MPLS label and Layer 2 MPLS label
To create a static link aggregation group on a Comware switch, you must be at the system view command level. Enter the
following command. Note that the default mode for aggregated links is static, so you do not have to include an option to
ensure that the link aggregation group is static.
After you have created the static link aggregation group, you must move to a port interface view to add the port to the link
aggregation group.
Repeat this step for each port interface that will be part of the link aggregation group.
Just as you would for a static aggregate interface, you must first create a link aggregation group and assign it a number.
Because the default mode for link aggregation on Comware switches is static, you must set the mode to dynamic.
You then assign ports to the dynamic aggregate interface by accessing each port interface and entering the port link-
aggregation group command.
[Switch] interface g1/0/22
[Switch-GigabitEthernet1/0/22] port link-aggregation group 2
You can also configure LACP options such as system priority and port priority. As you learned, system priority is used to
determine which switch will select the reference port and the aggregation state of all the ports in the link aggregation
group. Port priority is used in the process of determining which port is the reference port. Again, smaller numbers have a
higher priority.
You can configure VLANs for both static and dynamic aggregation groups. You use the same commands that you use to
configure VLANs for any interface on a Comware switch. For example, you can make an aggregation group a trunk port and
add permitted VLANs using these commands.
Summary
In this module you learned about the different link aggregation technologies supported on HP ProVision and Comware
switches. You should now have a solid understanding of the following:
Module 6: Redundancy
Module Objectives
HP Comware and ProVision switches support a number of technologies that provide redundancy and increase network
uptime. This module focuses on two:
• Spanning Tree Protocol (STP)
• HP Intelligent Resilient Framework (IRF)
Networks deliver critical services to users. If a network is not designed to provide redundancy, a network link failure could
prevent users from accessing essential network services.
To protect against failures, you need to add redundant network links. However, simply adding links creates network
loops, which result in broadcast storms that make the network inaccessible. To function properly, an Ethernet network
must have only one active pathway between two devices.
Lesson 1
This lesson describes the basics of spanning tree, explaining how it enables
network redundancy and eliminates network loops. It first focuses on the
original standard, Spanning Tree Protocol (STP), and then describes the
enhancements provided by Rapid Spanning Tree Protocol (RSTP) and
Multiple Spanning Tree Protocol (MSTP).
STP overview
If a link in the preferred path fails, STP automatically opens a new preferred
path so the traffic can be forwarded and will continue to reach its
destination. When creating this new path, STP changes the status of any
previously blocked links from “blocking” to “forwarding.”
STP convergence
Introduction
In spanning-tree terminology, the process of detecting redundant links and
calculating a preferred network path is called convergence. The first step in
the convergence process is to elect a root bridge, which serves as the
central point (or root) of the STP network. The root bridge is also
responsible for notifying other switches of any STP changes.
Bridge ID
To elect a root bridge, switches in the same STP network compare bridge
IDs in BPDUs. The switch with the lowest bridge ID is elected the root
bridge.
The bridge ID has two parts:
• Bridge priority
• Media Access Control (MAC) address
As you have learned, each switch has a default bridge priority. If all switches in an STP network are using the same bridge
priority—such as the default bridge priority—the switches must compare the other part of the bridge ID—their MAC
addresses.
In such an environment, the switch with the lowest MAC address is elected root bridge. However, the switch with the lowest
MAC address may not be the best candidate for root bridge. For example, it might be the oldest or slowest device.
Rather than leave the election of the root bridge to chance, you should select the switch you want to function as the root
bridge and change its bridge priority so that it is the lowest on the network. (You will learn how to configure the bridge ID
on a switch later in this module.)
At the beginning of the convergence process, each switch sends a BPDU frame with its own bridge ID in the root ID field.
Each switch also analyzes the BPDUs it receives to determine if there is a bridge ID or root ID lower than its own. If a switch
finds a lower bridge ID or root ID value than what it has in its root ID field, it substitutes the lower value in its BPDU and
considers the switch with that bridge ID to be the root bridge.
At the end of the election process, all switches in the STP convergence recognize the switch with the lowest bridge ID to be
the root bridge and insert the root bridge’s bridge ID into the root ID field of their BPDUs.
Switches constantly exchange BPDUs in an STP network. If switches stop receiving BPDUs from the root bridge for a set
period of time, they assume the root bridge has failed and begin a new election process.
RSTP path costs:
• 1 Gbps = 20,000
• 10 Mbps = 2,000,000
To calculate a path cost, switches add the cost of all the links in a particular
path. STP assigns a cost for a link based on port speed: the higher the port
speed, the lower the cost. (Path costs were updated in RSTP. The costs
shown here are the RSTP costs.)
You can configure link costs for each link manually, although this practice is
not recommended.
Path costs
Because path costs were updated in the RSTP standard, it is possible that some STP-enabled devices support the STP
standard by default while others support the RSTP standard. Some devices might also use their own path costs by default.
When implementing spanning tree, you should ensure that all devices are using the same path costs so they can accurately
calculate the root path.
For example, by default ProVision switches use the RSTP path costs while Comware switches use the path costs listed in
the table. You can easily configure the Comware switches to use the RSTP path costs, as you will learn later in this module.
As switches forward BPDUs, they add the cost of each link to the BPDUs’ root path cost field. Switches use this field to
compare the total path costs of each redundant path that leads from the switch to the root bridge.
The path with the lowest cost becomes the root path.
The switch’s port that leads to the root path is called the root port. In the
example network, the root path for Switch C leads directly to Switch A. The
Switch C port that connects to Switch A is the root port.
You may also encounter the term designated port when working with STP. A
designated port is a port that is active but is not the root port. Switches on a
spanning tree network use designated ports to send and receive frames to
a specific segment.
You should also know that on blocked links only one of the ports is actually
in a blocking state. (You will learn more about STP port states later in this
module.) This port is called the alternate port. The other side of the blocked
link is a designated port.
After exchanging BPDUs with other switches, a switch might find that two or more paths have the same lowest cost. In
this case, the switch uses the bridge IDs of its STP neighbors as a tie-breaker. That is, the neighbor with the lowest bridge
ID has the lowest-cost path to the root bridge.
In this example network, Switch C has two paths to the root bridge, one path through Switch A and one path through
Switch D. Both paths have the same cost.
To choose the root path, Switch C compares the bridge priority of Switch A and Switch D. Path 1 becomes the root path
because switch A’s bridge priority is lower than switch D’s.
If multiple links connect to the same switch, the bridge ID cannot be used
as the tie-breaker to determine the lowest-cost path.
For example, in the network shown here Switch B and Switch C are
connected with two links. Because both ports have the same STP neighbor
(with the same bridge ID), the switch uses the port ID, another field in the
BPDU, as the tie breaker. The port with the lowest port ID becomes the root
port, leading to the lowest path.
Similar to the bridge ID, the port ID includes a user-configurable field and a
vendor-assigned field. (The vendor-assigned field is a unique number
assigned to each port, with 256 possible values.)
Introduction
Switch ports that participate in the STP convergence process can be in one
of several states:
• Listening
• Learning
• Forwarding
• Blocking
Note that these are the states defined in the original standard. The RSTP
standard changed these states, and you will learn more about these
changes later in this module.
Listening
In the listening state, the port sends and receives BPDUs but discards data
frames. The port typically moves quickly from the listening state to the
learning state.
Learning
In the learning state, the port sends and receives BPDUs and begins
gathering information about the STP network. The switch uses the
information the port gathers to populate its MAC address table. However,
the port does not forward data frames yet.
Forwarding
The port moves to a forwarding state if it is part of a root path. In this state,
the port actively receives and sends data frames as part of a root path. The
port also continues to receive and forward BPDUs.
Blocking
The port is in a blocking state when the port is first initialized and spanning
tree is enabled. If the port is configured to support STP, the port will then
move to a listening state and determine if other STP-enabled devices are
functioning on the network.
The port will then go through the listening and learning states. If the port is
not part of a root path, it will move to the blocking state. In this state, the
port does not receive or transmit data frames. The port is essentially in
standby mode. It may continue to receive BPDUs and may change to a
forwarding state if a link fails and it becomes part of a root path.
Edge ports
Introduction
The original STP standard was released in 1990. As networks evolved, its
limitations became apparent.
Slow convergence
With the original STP standard, convergence could take as long as 30 to 50
seconds. With the services running on networks today, 30 to 50 seconds
hinders network performance. Today’s networks require much faster
convergence times.
In 2004 802.1w was incorporated into the main STP standard, which is
known as IEEE 802.1D-2004.
RSTP enhancements
RSTP uses essentially the same convergence process that STP uses to elect a root bridge and identify the root path.
However, RSTP enables faster convergence and allows faster transition of ports to a forwarding state.
With RSTP, convergence can occur in 1 second or less, but will typically occur within 6 seconds. STP convergence, on the
other hand, can take up to 50 seconds.
RSTP changes
MSTP enhancements
MSTP enhanced the use of STP on networks that support multiple VLANs,
while still delivering the fast convergence introduced with RSTP. MSTP
supports multiple spanning tree instances on the same network, and each
instance can include one or more VLANs. MSTP supports multiple
preferred paths for data traffic, providing load sharing across redundant
network links.
MSTP instances
MSTP allows you to create multiple instances of STP and assign specific
VLANs to each instance. This example network has two MSTP instances:
This frame shows two different views of the same network, but keep in mind
that the switches are supporting both instances simultaneously.
In the next frame, you will examine this example in more depth.
In the example network, Switch B is the root bridge for instance 1, and
Switch A is the root bridge for instance 2. Each instance has different active
links. For example, the link between Switch A and Switch C is active for
instance 2, yet blocked for instance 1. For instance 1, the ports are in a
discarding state, but they are in a forwarding state for instance 2.
MSTP allows for greater network utilization and capacity because multiple
instances mean that ports have less idle time.
MSTP regions
Introduction
An MSTP region is a group of switches that collectively defines the same
instances and participates in the same convergence process to elect a root
bridge and identify active paths for each instance. To recognize that they
are in the same region, switches must share certain MSTP attributes.
Configuration name
You must manually configure an MSTP region name, which identifies that
MSTP region.
In an MSTP network, each switch can belong to only one MSTP region. To
identify all the switches in a particular region, MSTP-enabled switches use
BPDUs to communicate their MSTP region attributes. If another switch’s
MSTP region attributes match its own, a switch knows that the other switch
is in the same MSTP region.
When MSTP is enabled, all of the VLANs configured on the switch are
initially assigned to the Internal Spanning Tree (IST), which is the default
MSTP instance within the MSTP region. Likewise, if you later create a
VLAN on the switch, it is added to the IST.
For example, suppose the network includes VLANs 1, 20, 30, 40, and 50.
When you enable MSTP, all these VLANs are part of the IST.
When you configure the MSTP region, these VLANs are moved to the
instance you specify. For example, you might configure the MSTP with
three instances: instance 1 includes VLAN 20 and 30, instance 2 includes
VLANs 40 and 50, and instance 3 includes VLAN 60. As you assign these
VLANs to an instance, they are moved from the IST to that instance.
At least one VLAN should remain in the IST to ensure connectivity in case
of a configuration error. Typically, this is the default VLAN (VLAN 1).
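A small model of the region attributes and IST behaviour described on the last two pages, added here as an example (not HP code). It assumes that two switches share a region when name, revision and the VLAN-to-instance mapping agree (real switches exchange a digest of that mapping; here it is compared directly), and the VLAN numbers are the ones used in the text.

```python
class MstRegion:
    """One switch's MSTP region configuration."""

    IST = 0  # the Internal Spanning Tree is instance 0

    def __init__(self, name, revision, vlans):
        self.name = name
        self.revision = revision
        # Enabling MSTP places every existing VLAN in the IST.
        self.instances = {self.IST: set(vlans)}

    def create_vlan(self, vlan):
        """A VLAN created after MSTP is enabled also lands in the IST."""
        if self.instance_of(vlan) is None:
            self.instances[self.IST].add(vlan)

    def map_vlans(self, instance, vlans):
        """Like 'instance N vlan ...': move the VLANs out of the IST (or any
        other instance) into instance N."""
        for vlan in vlans:
            for members in self.instances.values():
                members.discard(vlan)
            self.instances.setdefault(instance, set()).add(vlan)

    def instance_of(self, vlan):
        for inst, members in self.instances.items():
            if vlan in members:
                return inst
        return None

    def warnings(self):
        """Checks worth running before activating the region configuration."""
        out = []
        if not self.instances[self.IST]:
            out.append("IST holds no VLAN; keep at least one (usually VLAN 1) "
                       "so connectivity survives a configuration error")
        for inst, members in self.instances.items():
            if inst != self.IST and not members:
                out.append(f"instance {inst} has no VLANs")
        return out

    def identity(self):
        """Attributes two switches must share to be in the same region.
        VLANs not mapped elsewhere are in the IST on every switch, so only
        the non-IST mapping counts."""
        mapping = frozenset((inst, frozenset(members))
                            for inst, members in self.instances.items()
                            if inst != self.IST and members)
        return (self.name, self.revision, mapping)


def same_region(a, b):
    return a.identity() == b.identity()


def sample_region(revision=1):
    """The course's example: VLANs 1, 20, 30, 40, 50, then three instances."""
    region = MstRegion("hplab", revision, [1, 20, 30, 40, 50])
    region.map_vlans(1, [20, 30])
    region.map_vlans(2, [40, 50])
    region.create_vlan(60)       # joins the IST first ...
    region.map_vlans(3, [60])    # ... then moves to instance 3
    return region


if __name__ == "__main__":
    r = sample_region()
    print({inst: sorted(m) for inst, m in r.instances.items()}, r.warnings())
    print("same region as a peer with revision 2:",
          same_region(r, sample_region(revision=2)))
```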
Networks that support more than one MSTP region or MSTP and RSTP simultaneously need a mechanism to control
common links. In such environments, Common Spanning Tree, which is automatically enabled with MSTP, determines
whether a link between MSTP regions (or between a region and a legacy RSTP switch) is forwarding traffic or discarding
traffic. Common Spanning Tree ensures that there is only one active path.
HP Comware switches
By default, Comware switches support MSTP although it is disabled. When
you enable STP on Comware switches, they begin using MSTP, and all
ports are configured to participate in the spanning tree network. You must
manually configure ports that connect to endpoints such as workstations,
servers, or printers as edge ports.
If you want a Comware switch to run RSTP, you must specify RSTP as the
STP “mode.”
HP ProVision switches
By default, ProVision switches support MSTP, but it is disabled. When STP
is enabled, switch ports are automatically configured as auto-edge ports.
Auto-edge ports listen for BPDUs for 3 seconds. If the ports do not receive
a BPDU, they transition to a forwarding state and begin to transmit data
frames. Thereafter, these ports will not transmit BPDUs or participate in the
STP convergence process.
Introduction
You will now review the steps for configuring MSTP on HP Comware
switches.
Step 1
From the system view, enter the command to create the region (called
hplab in this example).
[Switch] stp region-configuration
[Switch-mst-region] region-name hplab1
Step 2
Specify the region revision number.
[Switch-mst-region] revision-level 1
Step 3
Create the instances and assign VLANs to them. In this example, instance
1 will include VLANs 10 and 20, and instance 2 will include VLANs 30 and
40.
[Switch-mst-region] instance 1 vlan 10 20
[Switch-mst-region] instance 2 vlan 30 40
Step 4
Activate the MSTP region and return to the system view.
[Switch-mst-region] active region-configuration
[Switch-mst-region] quit
Step 5
Configure the switch as a root bridge or backup root bridge (optional,
depending on whether you want this switch to fulfill these roles). In this example,
the switch will function as the root bridge in the IST (designated as instance
0) and instance 1 and as the backup root bridge in instance 2.
[Switch] stp instance 0 root primary
[Switch] stp instance 1 root primary
[Switch] stp instance 2 root secondary
Step 6
By default Comware switches use a non-standard method for calculating
port costs. To ensure that all the switches in a heterogeneous environment
are using the same method for calculating cost, you should configure the
switches to use the standard cost calculations, using the following command.
[Switch] stp pathcost-standard dot1t
Step 7
Enable spanning tree. Because the Comware switches default to MSTP,
you do not have to configure the mode setting.
[Switch] stp enable
Step 8
Save the configuration.
[Switch] save
Introduction
You will now review the steps for configuring MSTP on HP ProVision
switches.
Step 1
Configure the MSTP region. In this example, the region name is hplab, and
the revision number is set to 1.
Switch(config)# spanning-tree config-name hplab
Switch(config)# spanning-tree config-revision 1
Step 2
Create the MSTP instances. In this example, the region will have two
instances. Instance 1 will include VLANs 10 and 20, and instance 2 will
include VLANs 30 and 40.
Switch(config)# spanning-tree instance 1 vlan 10 20
Switch(config)# spanning-tree instance 2 vlan 30 40
Step 3
Configure the switch as the root bridge or backup root bridge for IST or the
MSTP instances. This step is optional, depending on whether you want the switch
to fulfill these roles. In the example, the switch will be configured as the root
bridge for IST and instance 1 and as the backup root bridge for instance 2.
On ProVision switches, the priority value (0 or 1 in the example) is
multiplied by 4096 to derive the bridge priority. The default priority is 8 (8 x
Step 4
Enable spanning tree.
Switch(config)# spanning-tree
Step 5
Save the configuration.
Switch(config)# write memory
Summary
In this lesson you learned about the basic operations of STP. You learned
how STP-enabled switches elect a root bridge and then select the preferred
path to that root bridge, blocking all other redundant paths.
You also learned how RSTP and MSTP overcome the limitations in the
original standard. Finally, you reviewed the steps for configuring MSTP on
Comware and ProVision switches.
Lesson 2
Traditional stacking allows you to connect multiple switches together and manage them from a single interface.
Within the stack, however, each switch continues to operate independently.
HP Intelligent Resilient Framework (IRF) goes beyond simple stacking by combining two or more Comware
switches into one virtual switch. This lesson describes the advantages of using IRF and briefly outlines basic IRF
functionality.
Introduction
IRF simplifies network design and network operations, provides a high level
of reliability, streamlines management, and provides scalability.
Reliability
IRF provides both link and node redundancy. You can aggregate members’
IRF links and the links between the IRF virtual device and its upper or lower
layer devices.
In addition, the IRF virtual device includes multiple member devices that
operate in 1:N redundancy: If the master fails, the IRF virtual device
immediately elects a new master to prevent service interruption. In addition,
failover is extremely fast—under 2 milliseconds.
Streamlined management
Whether you manage the IRF virtual device from the CLI or use a
management platform such as HP Intelligent Management Center, you will
manage it as a single device. You can connect to the IRF device’s
management interfaces through any member’s COM port, or using Telnet,
SSH, HTTP, or HTTPS to the IRF device’s IP address. Configurations are
performed on the master (which you will learn more about on the following
pages) and distributed to all associated switches, greatly simplifying
network setup, operation, and maintenance.
Scalability
IRF virtual devices are scalable. You can increase the bandwidth and
processing capability of an IRF virtual device simply by adding member
devices. Each member device has its own CPU, and each one
independently processes and forwards protocol packets.
The number of switches you can connect in one IRF virtual device varies,
depending on the switch models you are using. For the stackable switch
models, you can connect up to nine switches in an IRF virtual device. For
the modular switches, you can connect up to four switches.
Within an IRF virtual device, one of the switches is elected as the master,
which manages and maintains the system. (You’ll learn more about this
election process later in this lesson.)
The other members act as slaves, which process services and function as
backups. If the master fails, one of the slaves will be elected master and
assume responsibility for managing the IRF virtual device.
Introduction
When you implement an IRF virtual device, you must decide which topology you
will use: the daisy chain topology or the ring topology.
Ring topology
In a ring topology, each switch is connected to two other switches, forming a ring.
Because each switch connects to two other switches, this topology is more reliable
than the daisy chain. If a link in the ring fails, the IRF virtual device will still be
connected in a daisy chain and will continue to function as one virtual switch.
IRF ports
The switches in an IRF virtual device communicate through logical ports called IRF ports, which are bound to the actual
physical ports that connect the switches. Each IRF port can be bound to one or more physical ports.
As shown in the figure, IRF ports are numbered as IRF-port1 and IRF-port2. IRF-port1 on one switch must be connected to
IRF-port2 on its neighbor.
Member ID
The IRF virtual device uses member IDs to uniquely identify and manage
the members. If member IDs are not unique, the IRF virtual device cannot
be established.
If an existing IRF virtual device has a topology change, members use these
rules:
Introduction
IRF members exchange messages to establish and maintain the IRF virtual
device. This happens in three stages:
• Topology discovery
• Role election
• Maintenance
Topology discovery
After you connect the members of an IRF virtual device and configure the
IRF settings, the members exchange hello packets with their directly
connected IRF neighbors. These packets provide topology information such
as:
Each member records its known topology information locally. After all
members have obtained complete topology information, the IRF virtual
device enters the next stage: role election.
Role election
Role election occurs when a topology change occurs. For example:
Maintenance
If topology changes occur in the IRF virtual device, members will exchange
messages to communicate these changes. For example, if a member
switch becomes unavailable, its directly connected neighbor broadcasts the
change, immediately sending a leave message to other IRF members. The
members that receive the leave message determine whether a master or a
slave left the IRF virtual device, according to the locally saved IRF topology
information. If the master left the IRF virtual device, a role election is held,
and the local topology is updated. If a slave left the IRF virtual device, the
local IRF topology is updated to ensure fast convergence of the IRF
topology.
Summary
In this lesson, you learned that IRF creates a single virtual switch, which
provides significant advantages for management, network design, and
network operations. You also learned that IRF provides a high level of
reliability and resiliency at the link and device level.
You then learned the basic operations of an IRF virtual device, including the
IRF topology, member roles, IRF virtual ports, and the IRF election process.
To learn more about IRF, attend the Building SMB Networks with HP
Technologies course.