Configuracion

Getting Started with HP Switching & Routing
Rev. 13.31 Course ID: 00731204

Track: HP ATP – FlexNetwork Solutions V1 certification
HP ExpertOne
Web-based Training
 Copyright 2013 Hewlett‐Packard Development Company, L.P.
The information contained herein is subject to change without notice. The only warranties for HP products and
services are set forth in the express warranty statements accompanying such products and services. Nothing
herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial
errors or omissions contained herein.
This is an HP copyrighted work that may not be reproduced without the written permission of HP. You may not
use these materials to deliver training to any person outside of your organization without the written permission
of HP.
Getting Started with HP Switching & Routing

Web-based Training
Rev. 13.31
HP Switch Overview
Module 1
Module 1: HP Switch Overview
Objectives
Describe the following types of switches and explain how they

are used in today’s networks:
•Core, distribution, and access layer switches
•Layer 2 and Layer 3 switches
•Modular and fixed-port switches
After completing this •Managed, smart-managed, and unmanaged switches
module, you should be
able to:
Explain how HP switches help organizations meet today’s
business and technical challenges
Explain how the HP ProVision command line interface (CLI)

and the Comware CLI are separated into different privilege
levels and identify tasks that can be completed at each level
Comware ProVision
After completing this module, you should be able to:
• Describe the following types of switches and explain how they are used
in today’s networks:
• Core, distribution, and access layer switches
• Layer 2 and Layer 3 switches
• Modular and fixed-port switches
• Managed, smart-managed, and unmanaged switches
• Explain how HP switches help organizations meet today’s business and
technical challenges
• Explain how the HP ProVision command line interface (CLI) and the
Comware CLI are separated into different privilege levels and identify
tasks that can be completed at each level
Rev. 13.31 1 –1
Getting Started with HP Switching and Routing
Lesson 1: Introduction
In this lesson, you will review what small, medium, and

large companies require from their network to meet their
current business goals.
You will then learn how HP helps IT organizations meet

these requirements, allowing companies to move beyond
the limitations of aging, traditional networks.
In this lesson, you will review what small, medium, and large companies
require from their network to meet their current business goals.
You will then learn how HP helps IT organizations meet these requirements,
allowing companies to move beyond the limitations of aging, traditional
networks.
1 –2 Rev. 13.31
HP Switch Overview
Current networking challenges
Data center
Campus LAN
Branch office
Introduction
To understand the challenges companies are facing today, you should
consider three areas: data center, campus LAN, and branch office.
Data Center
Companies, seeking to improve efficiency and save money, are
consolidating resources in centralized data centers, which are rapidly
evolving and generating dramatic changes:
• Server virtualization, which allows a single physical system to host

multiple virtual machines, increases the demand for bandwidth at the
data center edge. The portability of virtual servers also means that the
network edge must constantly adjust to new services.
• Traditional client-server application models drove traffic from the
workstation to the server (north-south). In the data center, cloud
computing and federated applications now drive more traffic between
servers (east-west).
• Administrators also want to converge LAN and Storage Area Network
(SAN) traffic.
To accommodate all of these services, the network must deliver high

performance, high flexibility, high scalability, high availability, and low
latency. To keep up, you also need a single pane of glass management tool
through which you can manage all components.
Rev. 13.31 1 –3
Campus LAN
Companies are moving resources out of the LAN and into the data center
and private or public clouds, driving more traffic across WAN connections.
At the same time, documents and applications—such as Unified
Communications and Collaboration (UC&C) solutions—are becoming more
media rich, increasing the need for more bandwidth and less latency. If the
network cannot deliver, the user experience suffers.
Users are also relying more heavily on mobile devices—increasingly as

their preferred method of access—and wireless LANs (WLANs) are being
deployed in hospitals, campuses, warehouses, and other spaces. Campus
networks must transform to support the delivery of applications and
services to wired and mobile workers alike. Unfortunately, existing WLAN
deployments often deliver a substandard user experience.
Branch office
Rather than deploy services at each branch office, companies are
consolidating services at centralized data centers. Resource consolidation
increases the demand for bandwidth and low latency on WAN links.
Companies are also reducing the number of IT staff at branch office or even
eliminating them.
While these changes may save money and increase efficiency, they
introduce new challenges for branch office solutions. Customers need fast,
reliable WAN connections and solutions that can survive locally when a
WAN outage occurs.
1 –4 Rev. 13.31
HP Switch Overview
Customer requirements
Companies of all sizes—small, medium, and large—now find themselves with networks that hinder rather than drive the
delivery of high-quality network services.
Companies have… But they need…

An infrastructure that supports An infrastructure that responds to
connectivity but does not add diverse users and applications
intelligence in a coherent fashion appropriately and consistently
A complicated system of A single-pane-of-glass solution that

management solutions for different manages the entire infrastructure
segments of the network
Separate silos of servers that All of their resources to work

experience differing traffic loads efficiently all of the time
Companies of all sizes—small, medium, and large—now find themselves

with networks that hinder rather than drive the delivery of high-quality
network services.
Companies have…
• An infrastructure that supports connectivity but does not add intelligence

in a coherent fashion
• A complicated system of management solutions for different segments of
the network
• Separate silos of servers that experience differing traffic loads
But they need…
• An infrastructure that responds to diverse users and applications

appropriately and consistently
• A single-pane-of-glass solution that manages the entire infrastructure
• All of their resources to work efficiently all of the time
Rev. 13.31 1 –5
Converged networks with HP FlexNetwork
Introduction
To help companies evolve their network to meet these needs, HP provides
the FlexNetwork architecture.
HP FlexFabric
HP FlexFabric creates a low-latency, highly resilient infrastructure, uniquely
tuned for adapting to a virtualized environment, on which compute and
storage traffic converges.
HP FlexCampus
HP FlexCampus converges wired and wireless networks to deliver secure
identity-based access to employees and guests.
HP FlexBranch
HP FlexBranch simplifies the deployment and management of
standardized, secure, responsive, and resilient end-to-end solutions across
many branches.
HP FlexManagement
HP FlexManagement converges management of all network components
into a single solution, helping to orchestrate network management
according to business needs.
1 –6 Rev. 13.31
HP Switch Overview
HP FlexNetwork
HP FlexNetwork is based on open standards. It is scalable, secure, and
agile. Although divided into different components, the HP FlexNetwork
offers a consistent set of services and a unified management solution.
Rev. 13.31 1 –7
HP FlexFabric LAN/SAN convergence
Introduction
Another issue facing companies is having to manage LANs and Storage
Area Networks (SANs) as separate infrastructures. Companies want to
simplify and save money by converging data and storage traffic onto a
single network. However, traditional Ethernet does not meet storage’s need
for high-speed, lossless delivery.
HP provides servers with Converged Network Adaptors (CNAs) as well as

Fibre Channel over Ethernet (FCoE) switches, enabling companies to
benefit from the first phase of LAN/SAN convergence.
1) In a traditional network, the LAN and SAN are completely separate

physical networks, one devoted to data traffic and the other to storage.
Servers require two sets of NICs, and different groups manage each
network, increasing costs and creating logistical problems.
1 –8 Rev. 13.31
HP Switch Overview
HP FlexFabric LAN/SAN convergence (cont.)
2) HP servers and switches provide an interim step toward LAN/SAN

convergence. In this step, the SAN still hosts the storage components.
However, the server connects only to the LAN, using its Converged
Network Adapters to handle both data and storage traffic. This phase
allows customers to save money on server components without
requiring a pitchfork upgrade for storage.
Rev. 13.31 1 –9
HP FlexFabric LAN/SAN convergence (cont.)
3) With full convergence, LAN and SAN traffic traverse the same network
infrastructure and both are managed through a single pane of glass.
1 –10 Rev. 13.31

HP Switch Overview
Open standards
HP is also committed to supporting industry open

standards. Open standards give companies the freedom
to implement multivendor solutions and ensure
continuing support for a converged network—no matter
what applications are later deployed.
For example, HP AllianceOne, an extensive system of
partnerships, tests a wide variety of solutions across the
server, storage, and network components of the HP
FlexNetwork.
HP AllianceOne
Thus, HP products:
Make it easy to integrate new applications

into core business practices
Increase application flexibility
Help reduce costs
HP is also committed to supporting industry open standards. Open

standards give companies the freedom to implement multivendor solutions
and ensure continuing support for a converged network—no matter what
applications are later deployed.
For example, HP AllianceOne, an extensive system of partnerships, tests a

wide variety of solutions across the server, storage, and network
components of the HP FlexNetwork.
Thus, HP products:
 Make it easy to integrate new applications into core business practices

 Increase application flexibility
 Help reduce costs
Rev. 13.31 1 –11

HP warranty
For many switches, HP provides a lifetime warranty,

which includes:
Fans and power supplies
Advanced replacement at no cost
Next-day business delivery
Software maintenance
Technical assistance
Some restrictions apply. For complete warranty

information, visit:
http://www.hp.com/networking/warranty
For many switches, HP provides a lifetime warranty, which includes:
 Fans and power supplies

 Advanced replacement at no cost
 Next-day business delivery
 Software maintenance
 Technical assistance
Some restrictions apply. For complete warranty information, visit:

http://www.hp.com/networking/warranty
1 –12 Rev. 13.31

HP Switch Overview
Green business technology
In addition, HP is committed to developing energy-efficient products.

Some of HP’s green technologies include options such as low-power idle
mode and the ability to power down unused Ethernet ports on switches.
Most energy efficient functions are easily monitored and managed.
Several of HP’s switches have earned the Miercom Certified Green
Standard for networking devices.
In addition, HP is committed to developing energy-efficient products. Some

of HP’s green technologies include options such as low power idle mode
and the ability to power down unused Ethernet ports on switches. Most
energy efficient functions are easily monitored and managed. Several of
HP’s switches have earned the Miercom Certified Green Standard for
networking devices.
Rev. 13.31 1 –13

Lesson 1: Summary
In this lesson, you learned how HP is helping companies

transform their network, providing an infrastructure that
responds to diverse users and applications appropriately
and consistently.
You also learned that this highly scalable network

architecture is built on the FlexFabric architecture.
Because the FlexNetwork is built on open standards, you

are not locked into proprietary applications or services.
You can choose solutions that best meet your company’s
needs.
 In this lesson, you learned how HP is helping companies transform their

network, providing an infrastructure that responds to diverse users and
applications appropriately and consistently.
 You also learned that this highly scalable network architecture is built on
the FlexFabric architecture.
 Because the FlexNetwork is built on open standards, you are not locked
into proprietary applications or services. You can choose solutions that
best meet your company’s needs.
1 –14 Rev. 13.31

HP Switch Overview
In this lesson, you will begin to learn about switch technology.

Specifically, you will learn how switches can be categorized
based on the following criteria:
Deployment in the network architecture
Open Systems Interconnection (OSI) layer
Manageability
Form factor
Support for stacking technologies
In this lesson, you will begin to learn about switch technology. Specifically,
you will learn how switches can be categorized based on the following
criteria:
 Deployment in the network architecture

 Open Systems Interconnection (OSI) layer
 Manageability
 Form factor
 Support for stacking technologies
Rev. 13.31 1 –15

Deployment options: three-tier networks
Switches can be categorized by where they are

deployed in the network environment. Traditional
networks are organized into three tiers:
Core switches establish the backbone of the

network.
Distribution switches are consolidation

points for LAN access or server access
switches and connect to the core switches.
LAN or server access switches support

workstations and servers.
Switches can be categorized by where they are deployed in the network

environment. Traditional networks are organized into three tiers:
 Core switches establish the backbone of the network.

 Distribution switches are consolidation points for LAN access or server
access switches and connect to the core switches.
 LAN or server access switches support workstations and servers.
1 –16 Rev. 13.31

HP Switch Overview
Deployment options: two-tier networks
HP also supports two-tier networks:
The distribution layer is eliminated; the LAN

and server access switches connect directly
to the core switches.
Traffic flows directly from the edge to the

core, reducing latency.
HP also supports two-tier networks:
 The distribution layer is eliminated; the LAN and server access switches
connect directly to the core switches.
 Traffic flows directly from the edge to the core, reducing latency.
Rev. 13.31 1 –17

Layer 2 and Layer 3 switches
Introduction
Switches are also categorized based on their ability to forward traffic at the
Data Link or the Network Layer of the Open Systems Interconnection (OSI)
model.
Layer 1
The Physical Layer controls the physical medium, defining the electrical and
mechanical specifications for the network connection.
Layer 2
The Data Link Layer describes the procedures (called protocols) that
control data transfer across the physical infrastructure.
Layer 3
The Network Layer is primarily responsible for logical addressing and the
routing of traffic across internetworks.
Layer 4
The Transport Layer ensures the reliable transfer of data between hosts. It
provides flow control, error checking, and data recovery.
Layer 5
The Session Layer defines the process of establishing and maintaining a
session (a two-way communication) between two applications.
1 –18 Rev. 13.31

HP Switch Overview
Layer 6
The Presentation Layer translates the data from the lower layers to a format
that can be used by the Application Layer.
Layer 7
The Application Layer defines how applications access network services.
Ethernet
Ethernet is a Layer 1 and Layer 2 protocol. It defines the electrical and
mechanical specifications of the physical media that the network uses and
also controls data transfer across the physical infrastructure.
Layer 2 switch
A Layer 2 switch forwards traffic based on the frame’s Data Link Layer
information, specifically the hardware address, which is called the Media
Access Control (MAC) address. (You will learn more about Layer 2
forwarding later in this course.)
Layer 3 switch
A Layer 3 switch can route traffic based on Network Layer information. To
route traffic, Layer 3 switches must have the appropriate IP route. Layer 3
switches support static routes and routes learned through routing protocols.
Some switches support only static routes and are called Light Layer 3
switches. (You will learn more about Layer 3 routing later in this course.)
Rev. 13.31 1 –19

Switch manageability
Managed
Smart web-managed
Unmanaged
Introduction
Switches are also categorized based on their level of manageability.
Managed
Managed switches support Simple Network Management Protocol (SNMP)
and allow you to configure each port’s communication parameters and
many other aspects of the switch through a command line interface (CLI).
Many managed switches also provide a graphical user interface, such as a
Web browser interface. All of HP’s enterprise switches are managed.
Smart web-managed
Smart web-managed switches, as the name suggests, can be managed
through a Web browser interface. The Web browser interface is designed to
be intuitive, making it easy to configure and manage switch features.
In addition, these switch support Simple Network Management Protocol

(SNMP). You can, therefore, manage them through a centralized SNMP
console.
Unmanaged
Unmanaged switches provide basic Layer 2 switching and are not
configurable. These switches are commonly referred to as “plug-and-play”
switches and are designed for small to medium businesses (SMBs) that
need basic switch functionality.
1 –20 Rev. 13.31

HP Switch Overview
Form factor
Fixed-port switches
Modular switches
Flex-chassis switches
Introduction
Another way switches are categorized is by their form factor or physical
frame. (Regardless of their form factor, all types of switches support high-
speed links, either through traditional copper cabling or fiber optic cabling.)
Fixed-port switches
Fixed-port switches have a predefined number of ports. Typically, the switch
is one rack unit (RU).
An RU refers to the amount of vertical space the hardware will take up in an

equipment rack in the wiring, server room, or data center. For example,
most server racks have 42U, meaning that they can accommodate 42 1U
devices.
Modular switches
Modular switches do not have a defined number of ports. Instead, port type
and density in a modular switch are defined by the type and number of
modules that are installed in the chassis.
Flex-chassis switches
Flex-chassis switches contain a number of fixed ports as well as room to
accommodate a limited number of modules, which allow you to add extra
high-speed ports or advanced features or services.
Rev. 13.31 1 –21

Meshed stacking and IRF
Meshed stacking
Introduction
Switches may also be categorized based on their support for stacking.
Traditional stacking enables you to connect several switches and manage
them through a single IP address.
HP also offers two, more advanced stacking technologies: meshed stacking

and Intelligent Resilient Framework (IRF).
Meshed stacking
Available on the HP 3800 Switch Series, meshed stacking allows you to
aggregate up to five switches to form a fully meshed stack for resiliency and
management via a single interface. Direct links run to and from each switch
in the stack, forming a single logical switch.
1 –22 Rev. 13.31

HP Switch Overview
Meshed stacking and IRF (cont.)
IRF
IRF
IRF allows you to combine multiple switches, creating a single resilient
virtual switch. To other devices on the network, each IRF system appears to
be one device, which has one MAC address and one bridge ID. Routing
updates originate from this one device.
The IRF system draws on each switch’s capabilities during normal

operation. As a result, the IRF system provides high performance while
greatly simplifying the design and operations of data center and campus
networks.
In addition, the IRF system provides both device-level and link-level

redundancy. If a switch (or a switch component) fails or becomes
unavailable, the IRF system can quickly and seamlessly fail over,
preventing service interruption and guaranteeing complete continuity for
business-critical applications.
IRF runs on many HP switches, including the HP 5120, 5500, 5800, 5820,
5830, 7500, 9500, 10500, and 12500 Switch Series.
Benefits
IRF and meshed stacking offer many benefits over traditional stacking:
 Unified management: You can manage the stack through a single

master switch.
Rev. 13.31 1 –23

 High availability: IRF and meshed stacking provide N:1 failover and
redundant links.
 Increased performance: All available links remain active and provide
load balancing, which increases efficiency in switching and routing.
 Scalability: You can increase network bandwidth and processing
capabilities by adding switches to the meshed stack or IRF system.
 Flattened architecture: By enabling access layer switches to share
highly available links to the core, meshed stacking and IRF help
customers create low-latency, two-tier architectures in both the campus
LAN and data center.
1 –24 Rev. 13.31

HP Switch Overview
Lesson 2: Summary
In this lesson, you learned how switches can be

categorized based on criteria such as the network tier
where they are deployed, Layer 2 or 3 functionality,
manageability, form factor, and stacking capability.
In this lesson, you learned how switches can be categorized based on

criteria such as the network tier where they are deployed, Layer 2 or 3
functionality, manageability, form factor, and stacking capability.
Rev. 13.31 1 –25

In this lesson, you will begin to apply what you have

learned about switches. You will take a look at a few HP
switches, considering features such as their form factor,
manageability, forwarding and switching capabilities, and
stacking capabilities.
You will also learn how to access and begin managing HP

switches.
 In this lesson, you will begin to apply what you have learned about
switches. You will take a look at a few HP switches, considering features
such as their form factor, manageability, forwarding and switching
capabilities, and stacking capabilities.
 You will also learn how to access and begin managing HP switches.
1 –26 Rev. 13.31

HP Switch Overview
HP switch portfolio
FlexFabric switches
Featured Switch Form Switches Manageability Forwarding & Power over Stacking
Series Factor Routing Ethernet (PoE) / IRF
5800 Switch Series Flex- • 5800-24G, 5800-24G- Managed Layer 3/4 Yes IRF with
chassis PoE+, & 5800-24G-SFP up to 9
• 5800-48G, 5800-48G- switches
PoE, & 5800-48G with 2
slots
• 5800AF-48G
5820 Switch Series Flex- • 5820-14XG-SFP+ with 2 Managed Layer 3/4 No IRF with
chassis slots up to 9
• 5820-24XG-SFP+ switches
• 5820AF-24XG
5830 Switch Series Fixed-port • 5830AF-48G with 1 Managed Layer 3/4 No IRF with
interface slot up to 4
• 5830AF-96G switches
5920 Switch Series Fixed-port • 5920AF-24XG Managed Layer 3/4 No IRF with
up to 4
switches
12500 Switch Series Modular • 12504 (4 slots) Managed Layer 3/4 Yes IRF with
• 12508 (8 slots) up to 4
• 12518 (18 slots) switches
Introduction
You will now be introduced to several switches in each part of the
FlexNetwork architecture. And because small businesses have specific
technical, management, and budget requirements, you will examine
switches ideally suited for these environments.
FlexFabric switches
This table provides basic information about some of the switches that can
be used to implement FlexFabric. To view information about other switches
that play a role in FlexFabric, go to http://www.hp.com/go/networking.
Rev. 13.31 1 –27

HP switch portfolio (cont.)
FlexCampus switches
Featured Switch Form Factor Switches Manageability Forwarding & PoE Stacking
Series Routing
2530 Switch Series Fixed • 2530-24G Managed Layer 2 Yes Yes, up

• 2530-48G (designated to 16
• 2530-24G-PoE+ switches) switches
• 2530-48G-PoE+
3800 Switch Series Fixed • 3800-24G-2SFP+ Managed Layer 3/4 Yes Meshed
• 3800-24G-2XG (designated stacking
• 3800-24G-PoE+-2XG switches)
• 3800-24G-PoE+-2SFP+
• 3800-48G-PoE+-4SFP+
• 3800-48G-4SFP+
• 3800-48G-4XG
• 3800-48G-PoE+-4XG
• 3800-24SFP-2SFP+
8200 zl Switch Modular • 8206 zl Managed Layer 3/4 Yes No
Series • 8212 zl (designated
modules)
10500 Switch Series Modular • 10504 Managed Layer 3/4 Yes IRF with
• 10508 & 10508-V* up to 4
• 10512 switches
FlexCampus switches
be used to implement FlexCampus. To view information about other
switches that play a role in FlexCampus, go to
http://www.hp.com/go/networking. (Keep in mind that some FlexCampus
switches, such as the 2530 Switch Series, can be deployed in FlexBranch
as well.)
1 –28 Rev. 13.31

HP Switch Overview
FlexBranch switches
Featured Switch Form Switches Manageability Forwarding PoE Stacking/

Series Factor & Routing IRF
2620 Switch Series Fixed-port • 2620-24, 26020-24-PP0E+, Managed Layer 3/4 Yes Up to 16
& 2620-24-PoE+ (designated switches
• 2620-48 & 2620-48-PoE+ switches)
2910 al Switch Fixed-port • 2910-24G al Managed Layer 3/4 Yes Up to 16
Series • 2910-48G al (designated switches
• 2910-24-G-PoE+ al switches)
• 2910-48G-PoE+ al
2920 Switch Series Fixed-port • 2920-24G Managed Layer 3/4 Yes Up to 4
• 2920-24G-PoE+ (designated switches
• 2920-48G switches)
• 2920-48G-PoE+
5400 zl Switch Modular • 5406 zl Managed Layer 3/4 Yes No
Series • 5412 zl (designated
modules)
5500 HI Switch Fixed-port • 5500-24G-4SFP HI Switch Managed Layer 3/4 No IRF with
Series with 2 Interface Slots up to 9
• 5500-48G-4SFP HI Switch switches
with 2 Interface Slots
FlexBranch switches
be used to implement FlexBranch. To view information about other switches
that play a role in FlexBranch, go to http://www.hp.com/go/networking.
(Keep in mind that some switches, such as the 2620, 2910 al, 2920, and
5400 zl, can be deployed in FlexCampus as well.)
Rev. 13.31 1 –29

Small business switches
Featured Switch Form Factor Switches Manageability Forwarding & PoE Stacking
Series Routing
1410 Switch Series Fixed-port • 1410-8G Unmanaged Layer 2 No No

• 1410-16G
• 1410-24G
• 1410-8
• 1410-16
• 1410-24
• 1410-24-2G
1810 Switch Series Fixed-port • 1810-8G v2 Web browser Layer 2 No No
• 1810-24G v2 Interface;
• 1810-48G SNMP v1 & v2
• 1810-8 v2
• 1810-24 v2
1910 Switch Series Modular • 1910-48G Web browser Light Layer 3 Yes No
• 1910-24G-PoE Interface; (32 static (designated
• 1910-24G SNMP v1, v2, & routes) switches)
• 1910-16G v3
• 1910-8G
• 1910-8G-PoE+
Small business switches

Small businesses need to provide competitive services but do not have the
budgets and IT staff of larger companies. They need switches that are easy
to deploy and manage. To see a complete list of switches for small
businesses, visit http://www.hp.com/go/networking.
1 –30 Rev. 13.31

HP Switch Overview
Switch software
HP managed switches run one of the following:
ProVision software Comware software
The 8200 zl Switch Series

runs the ProVision software.
The 10500 Switch Series

runs the Comware software.
Both ProVision software and Comware software provide many of the same features. There are some differences, of
course, but a detailed comparison is beyond the scope of this course. For now, you simply need to understand that the
software determines the structure of the command line interface (CLI) and the commands you enter. (For more in-depth
information, attend Building SMB Networks with HP Technologies, which is an instructor-led training course.)
You will now learn more about ProVision and Comware switches.
HP managed switches run one of the following:
 ProVision software
 Comware software
Both ProVision software and Comware software provide many of the same
features. There are some differences, of course, but a detailed comparison
is beyond the scope of this course. For now, you simply need to understand
that the software determines the structure of the command line interface
(CLI) and the commands you enter. (For more in-depth information, attend
Building SMB Networks with HP Technologies, which is an instructor-led
training course.)
You will now learn more about ProVision and Comware switches.
Rev. 13.31 1 –31

Switch management interfaces
ProVision CLI
Comware CLI
ProVision menu interface
Comware Web browser interface
ProVision Web browser interface
Introduction
Both ProVision and Comware switches are managed primarily through their
CLI. ProVision switches offer two additional management interfaces: the
menu interface and the Web browser interface. Some Comware switches
also provide a Web browser interface.
Keep in mind that the CLI is the primary interface for both ProVision and
Comware switches, and this course will focus on that interface.
ProVision CLI
The example above shows the ProVision CLI. You will learn more about
how to access the CLI and navigate in it in the next slides.
ProVision menu interface

The example above shows the ProVision menu interface, which you initially
access through the CLI by entering the menu command. As mentioned
earlier, this course will not cover the menu interface, focusing instead on the
CLI.
ProVision Web browser interface

The example above shows the ProVision web browser interface. As
mentioned earlier, this course will not cover the web browser interface,
focusing instead on the CLI.
1 –32 Rev. 13.31

HP Switch Overview
Comware CLI
The example above shows the Comware CLI. You will learn more about
how to access the CLI and navigate in it in the next slides.
Comware Web browser interface

The example above shows the Comware web browser interface. As
mentioned earlier, this course will not cover the web browser interface,
focusing instead on the CLI.
Rev. 13.31 1 –33

In-band and out-of-band management
Introduction
You can access a switch’s CLI in two ways.
What is out-of-band management?

With out-of-band management, you connect your management station to
the switch’s console port with a serial cable and access the CLI with
terminal emulation software. This is called out-of-band management
because you are not connecting to the switch through a network port.
Some Comware switches also permit you to connect to an AUX port

through a modem connection.
What is in-band management?

With in-band management, your management communications run over
network connections. You require IP connectivity to the switch through a
direct or indirect Ethernet connection. To open a management session, you
must use terminal emulation software that supports either Telnet or Secure
Shell (SSH). With the Telnet protocol, data is transmitted in clear text and is
vulnerable to snooping. With the SSH protocol, data is encrypted. You will
learn more about SSH in “Module 2: Security.”
What application do you need to access the CLI?

There are many options, but one commonly used terminal emulation
application is Tera Term, which is shareware that you can download and
use for free.
1 –34 Rev. 13.31

HP Switch Overview
HP ProVision switches: management users

You can access the CLI of an HP ProVision switch as operator or manager:
Operator provides read-only access. You can view only

statistics and configuration information.
Manager provides read-write access. You can make

configuration changes and view information.
You can protect access to the switch by configuring a password for each user. At factory default settings, there are no
passwords for either user.
You can access the CLI of an HP ProVision switch as operator or manager:
 Operator provides read-only access. You can view only statistics and
configuration information.
 Manager provides read-write access. You can make configuration
changes and view information.
You can protect access to the switch by configuring a password for each
user. At factory default settings, there are no passwords for either user.
Rev. 13.31 1 –35

HP ProVision switches: CLI structure
View Switch prompt Tasks

Operator Switch> View statistics and configuration
information.
Manager Switch# Begin configuring the switch (such as

updating system software).
Global configuration Switch(config)# Make configuration changes to the

switch features.
Context configuration Switch Make configuration changes within a

(<context>)# specific context, such as to a VLAN,
one or more ports, or routing
Examples: protocols.
Switch(vlan-1)#
Switch(rip)#
Introduction
The HP ProVision switch CLI is organized into different levels, or contexts.
You can tell the context by the switch prompt.
Operator context
The > symbol in the switch prompt indicates you are at the operator level.
At this level you can view statistics and configuration information. To move
to the manager level, enter enable. If a manager password has been
configured on the switch, you will be prompted to enter that password.
Manager context
The # symbol in the switch prompt appears at the manager level. From this
context, you can view additional information and begin managing the
switch. For example, you can update the switch software. To move to the
global configuration context, enter configure terminal (or a command
shortcut such as config).
Global configuration context

The word config in the switch prompt indicates you are at the global
configuration context. At this context, you can make configuration changes
to the system’s software features.
Context configuration
From the global configuration context, you can enter commands to move to
other contexts, from which you configure particular settings. For example,
you might move to a physical interface context or a VLAN context to
1 –36 Rev. 13.31
HP Switch Overview
configure settings specific to that interface or VLAN. You can also access
contexts for protocols such as Routing Information Protocol (RIP) or Open
Shortest Path First (OSPF).
The prompt changes to indicate the context as shown in these examples:
Switch(vlan-1)#
Switch(rip)#
Rev. 13.31 1 –37

HP Comware switches: User interfaces
Introduction
On Comware switches, you access the CLI through user interfaces.
Inband management
In-band access, which allows multiple users to access the switch through
the IP network, uses virtual interfaces VTY0, VTY1, VTY2, and so on. At a
switch’s default settings, you are required to enter a password for these
interfaces, but to eliminate a potential security weakness, the switch does
not have a default password. You must configure a unique password for
your particular company.
To access a Comware switch for the first time, you must use out-of-band
management. You can then configure a password for in-band management
or change the authentication method to any of the three methods described
for out-of-band management.
Out-of-band management
Out-of-band connections use the AUX0 interface and require no password
at default settings, enabling initial access to the switch. You can leave this
default authentication method (none) for out-of-band management, or you
can configure the AUX0 interface to require users to log in with a password
or with a username and password. If you require a username and password
(an authentication method called scheme authentication), the switch checks
the credentials against a local list of users or an external authentication
server, as dictated by its Authentication, Authorization, and Accounting
(AAA) domain settings.
1 –38 Rev. 13.31
HP Switch Overview
HP Comware switches: CLI command levels
On Comware switches, each CLI command is associated with one of four command levels. The command level for each
command is configurable, but most network managers leave the commands at the default settings.
The figure below shows the four command levels and the types of commands that are available at each level.
Manager: System (file and user)

3 management commands (read-write)
System: Services configuration

2 commands (read-write)
CLI
command
levels
1 Monitor: Basic read-only commands
Visitor: Diagnosis commands such as

0 ping and traceroute
On Comware switches, each CLI command is associated with one of four

command levels. The command level for each command is configurable,
but most network managers leave the commands at the default settings.
The figure below shows the four command levels and the types of
commands that are available at each level.
Rev. 13.31 1 –39

HP Comware switches: Privilege levels
The types of commands that you can enter depend on

your privilege level, which the Comware switch assigns To move between levels, simply enter super <level>.
you when you log in. Privilege levels equate to the CLI
command levels. To move to a higher level, enter the super password
for that level. For example, to move to the manager
You may enter any command that is available to your
level, enter super 3 <password>.
current privilege level and lower.
You can always move to a lower level than your
current level although this action is not necessary
because you have access to those commands at the
higher level.
User Privilege Levels CLI Command Levels

Manager 3 Manager super 3
System 2 System super 2
Monitor 1 Monitor super 1
Visitor 0 Visitor super 0
The types of commands that you can enter depend on your privilege level,
which the Comware switch assigns you when you log in. Privilege levels
equate to the CLI command levels.
You may enter any command that is available to your current privilege level
and lower.
 To move between levels, simply enter super <level>.

 To move to a higher level, enter the super password for that level. For
example, to move to the manager level, enter super 3 <password>.
 You can always move to a lower level than your current level although
this action is not necessary because you have access to those
commands at the higher level.
1 –40 Rev. 13.31

HP Switch Overview
HP ProVision switches: CLI structure
Introduction
The Comware CLI is divided into views, each of which contains a set of
related commands. In addition to having the privilege to enter a particular
command, you must be in the correct view. As the table shows, the switch
prompt indicates the current view.
User view
The user view is indicated by angle brackets (<>). In this view, you can view
settings, troubleshoot system problems, and manage files. You can move to
the system view by entering the command: system-view.
System view
The system view is indicated by square brackets ([ ]). In this view, you can
make configuration changes to the switch’s software. You can also access
other command views. You can return to the user view by entering quit.
Other command views

Other command views give you access to configure interfaces, both
physical and virtual, including the user interfaces. Many other features can
be configured within their specific view mode. To exit a specific view and
return to the system view, enter quit.
Rev. 13.31 1 –41

HP CLI help
Both HP ProVision and Comware CLIs offer help features to assist you in navigating the interface. The table shows the
common help commands for both.
You want to: HP ProVision HP Comware

View a brief description for help [Enter] ?
all available commands at ?
your context or view
[Tab]
View commands that start <string>? <string>?

with certain letters <string>[Tab]
Auto-complete a command Type as many characters as necessary to identify the
command uniquely and press [Tab]
Note that you do not have to complete the command. You
just need to enter enough characters to complete the
command.
View the options for a <command> ? <command> ?
command
View hotkeys No help option display hotkey
Both HP ProVision and Comware CLIs offer help features to assist you in
navigating the interface. The table shows the common help commands for
both.
1 –42 Rev. 13.31

HP Switch Overview
ProVision switches: CLI compatibility
display commands
Frequently used commands
Fundamental commands
Introduction
Because many companies have both ProVision and Comware switches, HP
has been focusing on providing CLI compatibility within the ProVision
software. Specifically, HP has been adding support for certain Comware
commands within the ProVision CLI. This effort is designed to help network
administrators who are familiar with Comware commands to use the
ProVision CLI more easily.
The following switches provide this CLI compatibility:
 HP 8200 zl Switch Series

 HP 6600 Switch Series
 HP 6200 yl Switch Series
 HP 5400 zl Switch Series
 HP 2910al Switch Series
Note that this course outlines the CLI compatibility support available at the
time the course was published. Check your ProVision switch documentation
to learn more about the switches and the software versions that support this
Rev. 13.31 1 –43

feature and to determine the exact Comware commands that are

supported.
display commands
Many HP switches that run the ProVision software support more than 200
Comware display commands, which allow you to view information about
the switch and its configuration. (Natively, ProVision switches support show
commands, which provide similar functionality as display commands.)
Frequently used commands

To help network administrators who are familiar with Comware switches to
easily manage ProVision switches, HP has also added support for common
Comware commands that allow you to move within the CLI hierarchy,
reverse (or undo) a command, and save a configuration (as shown in the
examples provided).
Fundamental commands
To help network administrators who are familiar with Comware switches
manage ProVision switches more easily, HP has also added support for
fundamental Comware configuration commands, such as the file
management commands shown here.
Extended help
HP has also added extended help messages to the ProVision help feature.
These messages will help network administrators who are familiar with
Comware identify the equivalent command on the ProVision switch. When
this feature is enabled, these network administrators can simply type the
first part of the Comware configuration command and press the [tab] key.
The help feature then will provide a reference to the correct ProVision
command. It may also provide guidance on the next action for those
configuration items that may not be intuitive due to naming or concept
differences between Comware and ProVision software.
Of course, not all Comware configuration commands require the new help
feature: Some configuration commands are identical, or very similar, to
ProVision commands. Using these commands is self-explanatory.
1 –44 Rev. 13.31

HP Switch Overview
Summary
In this module you have learned about :
The benefits of HP switches
The different ways in which switches are categorized
In-band and out-of-band management access
CLI structure of HP ProVision and Comware switches
In this module you have learned about:
 The benefits of HP switches

 The different ways in which switches are categorized
 In-band and out-of-band management access
 CLI structure of HP ProVision and Comware switches
Rev. 13.31 1 –45

PAGE INTENTIONALLY LEFT BLANK
1 –46 Rev. 13.31

Security
Module 2
Module 2: Security
Objectives
This module introduces you to the basics of network security. You will
learn about today’s security landscape and evolving threats. You will
also learn the basics of securing HP networking infrastructure devices
from improper access.
Describe ways in which attackers gain unauthorized access to

a network
After completing this

module, you should be Explain factors that make a network vulnerable to
able to: unauthorized access
Take the proper measures to physically secure infrastructure

devices for unauthorized access
This module introduces you to the basics of network security. You will learn
about today’s security landscape and evolving threats. You will also learn
the basics of securing HP networking infrastructure devices from improper
access.
• Describe ways in which attackers gain unauthorized access to a network

• Explain factors that make a network vulnerable to unauthorized access
• Take the proper measures to physically secure infrastructure devices for
unauthorized access
Rev. 13.31 2 –1
Module 2: Security
Introduction
As soon as you connect a switch or router to a

network, it becomes part of the network’s
security environment. It can be either a secure
or a weak link in the network’s defenses.
To ensure that you deploy a switch securely,

you must understand the types of threats that
travel through the network infrastructure or
even target the network infrastructure itself.
As soon as you connect a switch or router to a network, it becomes part of

the network’s security environment. It can be either a secure or a weak link
in the network’s defenses.
To ensure that you deploy a switch securely, you must understand the types
of threats that travel through the network infrastructure or even target the
network infrastructure itself.
2 –2 Rev. 13.31
Security
Module 2: Security
Overview of attacks
First, consider the source of threats and attacks.

Originally, security solutions were designed to protect a
trusted network from external threats. Although external
threats still exist, attacks often originate within the network.
Some authorized users might intentionally launch attacks.
Malicious employees, former employees, contractors, or
guests could access data inappropriately, misuse resources, or
launch attacks.
Authorized users can also unintentionally introduce threats:
connecting insecure or infected devices to the network,
opening infected files, downloading applications with hidden
malware, using weak passwords, or leaking passwords.
First, consider the source of threats and attacks.
Originally, security solutions were designed to protect a trusted network

from external threats. Although external threats still exist, attacks often
originate within the network.
Some authorized users might intentionally launch attacks. Malicious

employees, former employees, contractors, or guests could access data
inappropriately, misuse resources, or launch attacks.
Authorized users can also unintentionally introduce threats: connecting

insecure or infected devices to the network, opening infected files,
downloading applications with hidden malware, using weak passwords, or
leaking passwords.
Rev. 13.31 2 –3
Module 2: Security
Common attacks
Unauthorized access
Denial of Service (DoS)
Impersonation
Reconnaissance
Malware
Viruses and Worms
Introduction
You should be aware of several broad categories of threats, which might
originate externally or internally.
Unauthorized Access
Unauthorized attacks occur when an unauthorized user accesses your
network either by guessing, stealing, or cracking a password or by finding
insecure network access points. Hackers might be able to crack passwords
by trying many different dictionary words or by wiretapping and
eavesdropping on communications. Hackers can also trick users into
revealing passwords or find passwords that are stored insecurely.
Denial of Service (DoS)

DoS attacks occur when hackers are able to overwhelm a network’s
resources. For example, hackers might generate enough traffic to consume
available bandwidth or send a server or infrastructure device so much traffic
that the device’s processor is continually at 100 percent utilization. By tying
up these resources, hackers prevent valid users from accessing network
services.
Hackers also use Distributed DoS (DDoS) attacks, transforming many

computers into “zombies” that launch the attack and magnify the power of
the attack while concealing the source. In a variation, called a reflective
DDoS attack, the “zombie” computers send spoofed requests to Internet
2 –4 Rev. 13.31
Security
reflectors (Web servers and so forth). The reflectors then flood the spoofed
address, which is the target of the attack.
Impersonation
Impersonation attacks occur when attackers masquerade as legitimate
resource providers to steal private information or install malware on a
workstation. Two common types of impersonation attacks are man-in-the-
middle (MITM) attacks and phishing attacks:
• In an MITM attack, hackers intercept communications between two

endpoints that believe they are communicating with each other and
replace the contents of the communication.
• In a phishing attack, the hacker poses as a trusted server and tricks
users into sending passwords or other sensitive data.
Reconnaissance
Reconnaissance attacks are used to gather information about a network
and to discover potential vulnerabilities a hacker can exploit. Hackers often
use tools that can be legitimately used as troubleshooting tools such as:
• Port scanners, to find open TCP or UDP ports

• Network mapping software, which discovers information about all
available endpoints and applications on a network
Malware
Malware describes any software designed to use network resources or
infiltrate network devices without the knowledge or consent of the device
owner. Types of malware include:
• Adware, which displays unwanted pop-up ads on infected systems

• Spyware, which records Web sites visited, keystrokes, and other
personal information, which can be used for identity theft or unauthorized
network access
• Rootkits, which allow a hacker to hijack the system, using it as a
backdoor to access other resources or turning it into a “zombie” to
launch attacks
• Trojan horses, which are programs that users intentionally install without
knowing the program contains malware
• Viruses and worms, which are malicious bits of code. (Viruses and worms
are covered as their own topic in this section.)
Viruses and Worms

Viruses and worms are small, malicious bits of code that self-replicate and
propagate. The terms virus and worm are often used interchangeably, but
there is a difference between the two. Viruses spread through files, which
users must open, while worms propagate using network connections.
Rev. 13.31 2 –5
Viruses and worms are often polymorphic/metamorphic. They use self-

encryption and self-alteration to disguise themselves and avoid detection by
anti-virus software.
Unchecked, viruses and worms can spread rampant through an

unprotected network and cause enormous amounts of damage to vital files
and network resources.
2 –6 Rev. 13.31
Security
Module 2: Security
Need for physical security
Introduction
As you have learned, internal users can unwittingly allow their endpoints to
become compromised, and hackers can then use the endpoints to launch
harmful attacks. Consider what can happen if hackers compromise a
network infrastructure device, which supports hundreds or even thousands
of users’ traffic.
Protecting your infrastructure begins by controlling who has physical access

to these devices.
Modules or the switch

With physical access to the switch, malicious users can remove modules
from modular switches or steal the entire switch.
Console port
If a hacker has physical access to the switch and no one has restricted
access to the console port, the hacker can easily establish a terminal
session to the command-line interface (CLI) of the switch through that
console port. Hackers that gain management access can hijack the switch
and gain unauthorized access, perform network reconnaissance attacks,
initiate DoS attacks, and disable security features. By default, both HP
Comware and ProVision switches are not configured with a password for
console port access.
Rev. 13.31 2 –7
Reset and Clear buttons

ProVision switches have Reset and Clear buttons. Some Comware
switches have Reset buttons. These buttons are provided to help
troubleshoot problems and allow you to reboot the switch, reset the switch
to factory default settings, and clear management passwords. However, an
unauthorized user could use these functions to disable a switch or gain
management access to it.
Ports
Users with physical access to a switch can disconnect or move Ethernet
cables, causing a DoS attack for users or other services connected through
that link.
Power cord
Users with physical access to a switch can unplug the power, causing a
DoS for users or other services connected through the switch.
2 –8 Rev. 13.31
Security
Module 2: Security
Defense in depth
To confront these threats, organizations require Defense in

Depth. This layered approach to security employs multiple
solutions to guard against the same threat. For example:
A switch is locked away from unauthorized access,

and a password also protects its management
interfaces.
Switches enforce authentication to prevent most

users who would maliciously release a virus from
ever connecting. An Intrusion Prevention System
(IPS) blocks viruses introduced by devices owned by
legitimate users who do not know their devices are
infected.
To confront these threats, organizations require Defense in Depth. This

layered approach to security employs multiple solutions to guard against
the same threat. For example:
• A switch is locked away from unauthorized access, and a password also

protects its management interfaces.
• Switches enforce authentication to prevent most users who would
maliciously release a virus from ever connecting. An Intrusion Prevention
System (IPS) blocks viruses introduced by devices owned by legitimate
users who do not know their devices are infected.
Rev. 13.31 2 –9
Module 2: Security
HP Security and Risk Management—Principles
Protect what matters
Build it in
Make it intelligent
Introduction
Managing multiple layers of security can be challenging, particularly as
valuable data proliferates and becomes dispersed in Bring Your Own
Device (BYOD) and cloud solutions. HP Security and Risk Management
solutions help companies integrate security across the enterprise.
Build it in
Rather than bolt on security as an after-thought, HP solutions build security
into every component and also ensure that each component participates in
the integrated, business-level strategy.
Make it intelligent
HP security solutions collect information from end-to-end. By combining and
correlating information from many areas, including endpoints, applications,
and network infrastructure devices, security solutions can make intelligent
choices that protect the company and prove regulatory compliance without
interfering with productivity.
Protect what matters

HP helps to maximize the value of security solutions by ensuring that these
solutions protect the data that is most valuable to the business.
2 –10 Rev. 13.31

Security
Module 2: Security
Security and Risk Management—Areas
The HP Security and Risk Management portfolio includes solutions in six areas.
Security governance, risk, and compliance Endpoint security
Operations security Network security
Application security Data center security
Introduction
The HP Security and Risk Management portfolio includes solutions in six
areas.
Security governance, risk, and compliance

The HP Information Security Management (ISM) service replaces disparate
security processes with an integrated service that governs security for the
entire enterprise from endpoint to network to application to the cloud.
Operations security
HP operations security solutions integrate security solutions and processes
with overarching business orchestration solutions and processes.
Application security
From the earliest stages of application architecture, whether for in-house
applications or cloud services, HP helps you to design the appropriate
security measures and build them into the application.
Endpoint security
HP provides a wide portfolio of solutions for securing servers, desktops,
laptops, printers, and other endpoints—as well as solutions for ensuring
proper access control and data protection for BYOD.
Rev. 13.31 2 –11

Network security
Each component of the network infrastructure supports secure data
transmission with built-in protections against exploits and unauthorized
network traffic. In addition, HP provides industry-leading network security
solutions such as next-generation firewalls and HP TippingPoint IPSs.
Data center security

Several HP services help you to design a complete, integrated security
solution for all components of your data center or private cloud, including
both physical and virtual components of servers and the network
infrastructure.
2 –12 Rev. 13.31

Security
Module 2: Security
Security built into the network infrastructure
Introduction
Although this course does not cover specific security services and
solutions, HP network infrastructure devices do play a role in an overall
security solution.
The HP network infrastructure provides a solid foundation for secure

communications.
Secure device management

HP switches enable you to implement best practices for managing them
securely. You will delve into the details later in this module.
Built-in protection against DHCP attacks

Used on most networks today, Dynamic Host Configuration Protocol
(DHCP) is vulnerable to attacks such as address spoofing and address
exhaustion. With address spoofing, a rogue DHCP server assigns invalid
addresses to network devices so these devices cannot operate on the
network. With address exhaustion, an attacker requests IP addresses from
a legitimate DHCP server until the DHCP server’s supply of available IP
addresses (pool) is exhausted. When a DHCP server’s IP pool is
exhausted, valid network hosts cannot receive an IP address and cannot
access the network.
HP switches can provide protection against these attacks by setting trusted

ports for particular DHCP messages.
Rev. 13.31 2 –13

Built-in protection against STP attacks

Spanning Tree Protocol (STP), which you will learn more about in “Module
6: Redundancy,” enables redundant network links. Devices running STP
exchange Bridge Protocol Data Units (BPDUs) to determine active network
links; other links are disabled. In an STP attack, a rogue device sends
spoofed BPDUs, joins the spanning tree, and affects link selection, which
wreaks havoc on the network.
HP switches offer BPDU protection and guard features, which ensure that
untrusted BPDUs are dropped. Some switches have additional features for
ignoring unauthorized STP messages.
Built-in protection against ARP attacks

Switches and other devices use Address Resolution Protocol (ARP) to
resolve IP addresses to MAC addresses. Switches maintain a table of
known IP addresses and the associated MAC addresses. Rogue devices
use ARP attacks to “poison” these tables, so that network IP addresses are
associated with the MAC addresses of rogue devices. When traffic is sent
to these rogue devices, attackers can gather confidential information.
HP switches can protect against ARP poisoning. They use DHCP snooping
to build tables that specify the expected ports for particular MAC addresses
and, based on those expectations, reject suspicious ARP messages.
2 –14 Rev. 13.31

Security
Module 2: Security
Intelligent decisions supported by the network infrastructure
Introduction
The HP network infrastructure devices also help to collect information and
enforce intelligent security decisions.
Basic access control

Basic access control ensures that only authorized users, as defined by
business policies, are allowed to connect to the network and use network
resources. Basic access control ensures that a stranger cannot connect a
laptop to an open network port in your office and join the company network
without first passing an authentication test. Basic access control also
protects wireless LANs (WLANs), checking the credentials of wireless users
and devices as they initially connect and roam across the campus. This
access control also manages the rights of authorized users after they
connect to the network, according to business policies.
Endpoint integrity
Endpoint integrity forms a key element of a BYOD solution. Authorized
users may still endanger the network if they use insecure devices. An
insecure device is not properly protected: It might not have a firewall or anti-
virus software, or its anti-virus software might be out of date. It might be
running unauthorized software or be infected by malware. Endpoint integrity
isolates such devices until they are brought into compliance.
Rev. 13.31 2 –15

For example, an authorized user connects to the network with a device that
has outdated anti-virus software. Endpoint integrity ensures that the device
is quarantined and the user is notified of the problem. The device is not
allowed out of quarantine and allowed normal access to the network until
the user updates the antivirus software.
Security policy enforcement

HP switches can take a number of actions to support policies configured
centrally, including blocking all traffic, applying VLAN assignments, and so
on.
In addition, a number of HP switches support OpenFlow, an emerging

network virtualization technology. As one of the mechanisms delivering
Software-Defined Networking (SDN), OpenFlow forms the foundation for
complete abstraction and centralization of the network control plane,
promising to extend network virtualization in many innovative ways.
OpenFlow works by replacing a network infrastructure device’s own

processing and forwarding decisions with decisions programmed on an
ongoing basis by centralized controllers. In addition, switches that support
OpenFlow will be able to collect information and enforce decisions for a
security solution that interfaces with the SDN controller.
Integration with centralized logging and management solutions

HP switches can send logs and SNMP traps to centralized solutions that
archive and manage logs and events across the enterprise.
2 –16 Rev. 13.31

Security
Module 2: Security
Ensuring physical security
Introduction
While implementing a complete security solution might lie beyond your
realm of responsibility, you can do your part by ensuring that you deploy
infrastructure devices securely.
Earlier you learned about vulnerabilities that can arise when a switch lacks
physical security.
Modules or the switch

Whenever possible, you should store switches in a secure, locked, and
preferably camera-monitored room. If this is not possible, you should bolt
the switch in place.
Console port
To protect management access to the switch’s console port, you should
store the switch in a secure, locked, and preferably camera-monitored
room. If you cannot secure the switch physically, you should disable the
console port.
You should consider setting a secure password for console access even on
physically secure switches.
Rev. 13.31 2 –17

Reset and Clear buttons

You should do one of the following:
• Store the switch in a secure, locked, and preferably camera-monitored

room so that only authorized staff can use the buttons.
• Configure the switch to disable the buttons. (The Building SMB Networks
with HP Technologies course will teach you how.)
Ports
The only way to protect against a user disconnecting cables is to store the
switch in a secure, locked, and preferably camera-monitored room.
Power cord
The only way to protect against a user removing the switch power is to
store the switch in a secure, locked, and preferably camera-monitored
room.
2 –18 Rev. 13.31

Security
Module 2: Security
Authenticating management users
You will now focus on securing your network infrastructure

devices by authenticating management users. Specifically,
you will learn how to:
•Ensure that only authorized users have access to

a switch
•Distinguish between the levels of access
provided to management users
You should generally set up authentication for all

forms of management access:
•Console port (might not be necessary if the

device is physically secure)
•Telnet
•Secure Shell (SSH)
•HTTP and HTTP over Secure Sockets Layer
(HTTPS)
You will now focus on securing your network infrastructure devices by

authenticating management users. Specifically, you will learn how to:
• Ensure that only authorized users have access to a switch

• Distinguish between the levels of access provided to management users
You should generally set up authentication for all forms of management

access:
• Console port (might not be necessary if the device is physically secure)

• Telnet
• Secure Shell (SSH)
• HTTP and HTTP over Secure Sockets Layer (HTTPS)
Rev. 13.31 2 –19

Module 2: Security
Authentication on Comware switches
Introduction
As you learned previously, Comware switches have several user interfaces,
which control various forms of management access. For each interface, you
can select one of the following authentication methods:
• None: No authentication is required (not recommended).

• Password: All users who log in through the same interface use the same
password and receive the same level of access.
• Authentication, Authorization, and Accounting (AAA): Users
authenticate to either a local list or to an external server (usually a
RADIUS server). They are authorized for the level of management
access associated with their account.
The figure shows the AAA authentication process.
Step 1
When a user attempts to establish a management session, the switch
prompts the user for his or her credentials.
Step 2
The user supplies the credentials: a user name and password.
2 –20 Rev. 13.31

Security
Step 3
The switch forwards the login credentials to a RADIUS or TACACS server
for validation. (Alternatively, the switch could have a local record of user
accounts and validate the credentials itself.)
Step 4
The server validates the login credentials and notifies the switch whether or
not to grant the user access. If the user is granted access, the server also
tells the switch what level of access the user receives. The switch enforces
the decision.
Rev. 13.31 2 –21

Module 2: Security
Authentication on ProVision switches
Introduction
HP ProVision switches also support multiple authentication methods. You
can select a primary and backup method for each access method: Telnet,
SSH, console, or Web.
• None: No authentication is required (not recommended).

• Local authentication: All operators log in with a single operator account,
and all managers log in with a single manager account.
• Remote RADIUS or TACACS+ authentication: The switch sends a
request to an authentication sever (usually a RADIUS server). Each
management user has a unique user account, and when a user logs in
successfully, the authentication server assigns each user an attribute for
either operator or manager access.
The figure illustrates the steps in the local authentication process.
Step 1
When a user attempts to open a management session, the switch prompts
the user for a password.
Step 2
The user submits a password. If the password matches the manager or
operator password, the user receives manager or operator privilege,
respectively. If the user does not enter valid credentials, he or she cannot
access the switch.
2 –22 Rev. 13.31

Security
Module 2: Security
Secure management protocols 1 The out-of-band console connection

does not provide encryption but is
When you manage a switch, you send free from snooping.
vital information over the connection.
For out-of-band management, such as
with a connection to the console port of
the switch, you can be certain that no
one can intercept the data.
With in-band management, however, Access the CLI with SSHv2 to encrypt
the vital data crosses the shared 2
in-band management traffic.
network. Hackers might be able to
intercept and read data sent in clear-
text and then use that data to obtain Access the Web interface with
unauthorized access to your switches or
3
HTTPS to encrypt in-band
to impersonate network servers.
management traffic.
You must protect the data’s privacy by

using secure management protocols
that support encryption.
When you manage a switch, you send vital information over the connection.
For out-of-band management, such as with a connection to the console port
of the switch, you can be certain that no one can intercept the data.
With in-band management, however, the vital data crosses the shared
network. Hackers might be able to intercept and read data sent in clear-text
and then use that data to obtain unauthorized access to your switches or to
impersonate network servers.
You must protect the data’s privacy by using secure management protocols
that support encryption.
Rev. 13.31 2 –23

Module 2: Security
SSHv2
Introduction
SSHv2 ensures the privacy and integrity of management traffic by:
• Securing authentication
• Encrypting management traffic
SSH establishes a secure tunnel between your management station and

the switch. The figure shows the process of establishing the tunnel and
logging the user in.
Step 1
The management station establishes a secure tunnel on the SSHv2
Transport Layer. The station and the switch agree on shared encryption and
hash keys using the secure Diffie-Hellman exchange. Using these keys, the
station and switch can transform data so that hackers cannot tamper with it
(hash keys) or read it (encryption keys). When establishing the tunnel, the
switch also uses a public-private key pair to prove its identity, which
ensures that the management station does not send credentials to an
imposter.
For more information about hashing and the Diffie-Hellman exchange, refer
to the HP Network Infrastructure Security Technologies WBT.
2 –24 Rev. 13.31

Security
Step 2
The switch requests the management user’s credentials. The credentials
are passed to the switch through the secure tunnel. The switch can then
authenticate the user locally or to a remote server, as previously discussed.
Step 3
The management station and switch establish communication channels to
transmit the management session data within the secure tunnel.
Rev. 13.31 2 –25

Module 2: Security
HTTPS
Introduction
HTTPS uses the Secure Sockets Layer (SSL) protocol. Like SSHv2, SSL
creates a secure tunnel using encryption and hashing keys generated in a
Diffie-Hellman exchange.
The figure illustrates the process.
Step 1
Your management station and the switch establish a secure tunnel using
the SSL protocol. When establishing the tunnel, the switch authenticates
itself using a digital certificate.
Step 2
All further communications run securely over the encrypted SSL connection.
These communications include your authentication credentials and all
management traffic after you log in successfully.
2 –26 Rev. 13.31

Security
Module 2: Security
SSH and HTTP requirements
How do I set up HTTPS on HP Comware switches? How do I set up HTTPS on HP ProVision switches?
How do I set up SSH on HP Comware switches? How do I set up SSH on HP ProVision switches?
Introduction
Read the following questions to learn how to use the secure management
protocols.
How do I set up HTTPS on HP Comware switches?

On Comware switches, you need to generate and export a certificate
request, which you then have signed by a certificate authority (CA). A CA is
a trusted third-party company that certifies identities.
You must then install the signed certificate and enable the HTTPS server on
the switch.
If you have software version 5.20 F2218P01-US or later, you can simply
enable HTTPS, which automatically generates a self-signed certificate.
In addition, the Comware switches require user accounts for HTTPS

access, so you must configure at least one VTY user interface that uses
AAA (scheme) authentication, either to the local list or to a RADIUS server.
The user’s account must specify a service type of “web.”
How do I set up HTTPS on HP ProVision switches?

On ProVision switches, you need to generate and export a certificate
request, which you then have signed by a certificate authority (CA). A CA is
a trusted third-party company that certifies identities. You must then install
the signed certificate and enable HTTPS on the switch.
Rev. 13.31 2 –27

You can alternatively generate a self-signed certificate and enable HTTPS.
You can choose any option that you learned about earlier for authenticating
operators and managers.
How do I set up SSH on HP Comware switches?

On Comware switches, you must generate a public/private key pair for
SSH. You can install the public key on management stations’ SSH clients
manually or trust the key the first time you connect.
You must also enable the SSH server, which is disabled by default.
The Comware switches require user accounts for SSH access, so you must
configure at least one VTY user interface that uses AAA (scheme)
authentication, either to the local list or to a RADIUS server. You must
create an SSH user on the switch for each local or RADIUS user who is
allowed SSH access. The SSH user settings indicate whether this user
authenticates with a password or uses public-key authentication.
Password authentication allows SSH users to log in with the password in

their accounts. If you select public-key authentication, you must generate a
public/private key pair on each authorized manager’s SSH client and install
the public keys on the switch.
How do I set up SSH on HP ProVision switches?

On ProVision switches, you must generate a public/private key pair for
SSH. You can install the public key on management stations’ SSH clients
manually or trust the key the first time you connect.
You can also use SSH keys to authorize managers. Generate a

public/private key pair on each authorized manager’s SSH client. Then
install those keys on the switch as authorized client keys. Alternatively,
operators and managers can just authenticate with usernames and
passwords, using the options that you learned about earlier.
2 –28 Rev. 13.31

Security
Module 2: Security
Summary
In this module, you learned about network threats and the

measures you can take to protect against these threats.
Specifically, you learned about:
Threats originating from inside and outside a

company’s network
HP’s defense strategy that helps protect against

threats, no matter where they originate
Methods for securing your infrastructure, both

from physical tampering and unauthorized access
In this module, you learned about network threats and the measures you
can take to protect against these threats. Specifically, you learned about:
• Threats originating from inside and outside a company’s network

• HP’s defense strategy that helps protect against threats, no matter where
they originate
• Methods for securing your infrastructure, both from physical tampering
and unauthorized access
Rev. 13.31 2 –29

2 –30 Rev. 13.31

VLANs
Module 3
Module 3: VLANS
Objectives
This module explains one of the most fundamental aspects of managing today’s networks, virtual LANs (VLANs).
Describe how VLANs are used in today’s Explain how to configure VLANs on HP
networks Comware and ProVision switches
Explain how the 802.1Q standard enables Explain the terms tagged, untagged, access
network infrastructure devices to transmit port, trunk port, and hybrid port as they
and receive traffic from multiple network relate to VLANs
segments
This module explains one of the most fundamental aspects of managing

today’s networks, virtual LANs (VLANs).
• Describe how VLANs are used in today’s networks

• Explain how the 802.1Q standard enables network infrastructure devices
to transmit and receive traffic from multiple network segments
• Explain how to configure VLANs on HP Comware and ProVision switches
• Explain the terms tagged, untagged, access port, trunk port, and hybrid
port as they relate to VLANs
Rev. 13.31 3 –1
Module 3: VLANS
Definition of a VLAN
A LAN is typically defined as a group of connected devices in close physical proximity. A virtual LAN (VLAN), on the other
hand, is not defined by physical proximity. A VLAN is a logical group of devices that has been assigned to a particular
subnet.
VLANs can span multiple switches and can be used to segment the otherwise flat structure of a LAN.
This course focuses on port-based VLANs, which are defined on switch ports.
In this example network, some switch ports
have been assigned to VLAN 10, some to VLAN 20, and others to VLAN 30.
A LAN is typically defined as a group of connected devices in close physical

proximity. A virtual LAN (VLAN), on the other hand, is not defined by
physical proximity. A VLAN is a logical group of devices that has been
assigned to a particular subnet.
VLANs can span multiple switches and can be used to segment the
otherwise flat structure of a LAN.
This course focuses on port-based VLANs, which are defined on switch

ports. In this example network, some switch ports have been assigned to
VLAN 10, some to VLAN 20, and others to VLAN 30.
3 –2 Rev. 13.31
VLANs
Module 3: VLANS
IP addressing for VLANs
Each VLAN is associated with an IP subnet. In the example network, VLAN 10 is associated with 10.1.10.0/24, VLAN
20 with 10.1.20.0/24, and VLAN 30 with 10.1.30.0/24.
All VLANs are located within the larger 10.1.0.0/16 subnet.
NOTE: In this course, Classless Inter-Domain Routing (CIDR) is used to express network IP
addresses. In place of the subnet mask, CIDR uses a prefix length, which indicates how
many bits are in the network portion of the address. For more information about CIDR, see
Request for Comments (RFC) 1519 (http://www.ietf.org/rfc/rfc1519.txt).
Each VLAN is associated with an IP subnet. In the example network, VLAN

10 is associated with 10.1.10.0/24, VLAN 20 with 10.1.20.0/24, and VLAN
30 with 10.1.30.0/24.
All VLANs are located within the larger 10.1.0.0/16 subnet.
Note: In this course, Classless Inter-Domain Routing (CIDR) is used to

express network IP addresses. In place of the subnet mask, CIDR uses a
prefix length, which indicates how many bits are in the network portion of
the address. For more information about CIDR, see Request for Comments
(RFC) 1519 (http://www.ietf.org/rfc/rfc1519.txt).
Rev. 13.31 3 –3
Module 3: VLANS
Need for VLANs on today’s network
Introduction
Now that you have a basic understanding of what VLANs are, you should
consider why companies use them.
Security
Today’s networks provide services for different groups of users, such as
employees, partners, and visitors. If all of these users are on the same
subnet, it is easier for users to compromise security. For example, visitors
might be able to view employees’ data as that data is transmitted across
the network. They might try to access data center servers when they should
only access the Internet. You can (and should) implement security to
prevent unauthorized users from accessing these servers. However, users
might still be able to launch scans, use a protocol analyzer to view traffic on
the wire, or launch attacks.
Companies can use VLANs to isolate traffic and help to ensure users only
have access to the resources to which they should be granted access,
increasing security.
Broadcast domain
An Ethernet network is, by definition, a broadcast domain. Devices on
Ethernet networks send broadcasts to discover other devices or to provide
information about themselves.
3 –4 Rev. 13.31
VLANs
Broadcasts are forwarded to all devices in the broadcast domain, which

defines the portion of the network to which devices can send traffic at the
Data Link layer. A routing switch or router is required to route data between
broadcast domains.
In a large broadcast domain, broadcasts can negatively affect the endpoints

that must process them and consume bandwidth.
VLANs improve network performance. They break large broadcast domains

into smaller broadcast domains, ensuring that every device’s broadcasts do
not flood the entire network infrastructure.
Rev. 13.31 3 –5
Module 3: VLANS
Example of network segmentation with VLANs
Introduction
Now you will look at an example of how a network designer might use
VLANs to segment a company network. In this example, the company is
using subnet 10.1.0.0/16. The network designer must plan the VLANs and
IP addresses in tandem. Each VLAN will be associated with a unique IP
subnet, and each department will be assigned to one or more VLANs.
Phase 1: Design
For the IP addressing scheme, each subnet will have a subnet mask of
255.255.255.0 (/24), which means that the network address uses the first
three octets:
• The first octet for all subnets is “10” because the company is using
private addresses in the 10.0.0.0/8 block.
• The second octet is being used as a site identifier. In the scenario above,
“1” has been assigned to identify this building. For other buildings, the
company uses different values in the second octet.
• The third octet includes the VLAN ID. Each department or type of user
will be assigned a different VLAN ID.
• The fourth octet is the host portion of the IP address. Certain addresses
are reserved; 1 to 30 are used for servers, printers, and other shared
network devices.
3 –6 Rev. 13.31
VLANs
Users’ workstations can receive IP addresses in the 30 to 180 range. The

remaining host numbers are reserved for future expansion.
Phase 2: Guests
The network designer knows that guests will need to access the network,
primarily so that they can connect to the Internet while they are on-site. The
network designer assigns VLAN 10 and subnet 10.1.10.0/24 to guests.
Phase 3: IT
The network designer assigns the IT group VLANs 1 and 5. VLAN 1 is
associated with 10.1.1.0/24, and VLAN 5 is associated with 10.1.5.0/24.
Phase 4 : Administration
The network designer assigns the Administration group VLAN 20, and
VLAN 20 is associated with the 10.1.20.0/24 subnet.
Phase 5: Customer service

The network designer assigns the Customer Service group VLAN 30, and
VLAN 30 is associated with the 10.1.30.0/24 subnet.
Phase 6: Accounting
Finally, the network designer assigns the Accounting group to VLAN 40,
and VLAN 40 is associated with the 10.1.40.0/24 subnet.
Each department is segmented into a logical group, independent of the

users’ location in the building. The VLAN boundaries ensure that users
have access only to those resources to which they are allowed. The VLANs
also create separate broadcast domains. For example, the broadcast traffic
for the Accounting VLAN is not sent to the Customer Service VLAN.
Rev. 13.31 3 –7
Module 3: VLANS
VLANs and the IEEE 802.1Q standard
Introduction
An Ethernet link might support multiple VLANs, so a mechanism is required
to identify the VLAN to which particular traffic belongs.
The Institute of Electrical and Electronics Engineers (IEEE) 802.1Q

standard defines a 4-byte field that can be inserted into an Ethernet frame.
Often referred to as the 802.1Q “tag,” this field allows each Ethernet frame
to be identified as part of a particular VLAN.
802.1Q-compliant switches can add this tag to an Ethernet frame. These

switches also use the information in the tag to make decisions about how to
transmit traffic on the network.
TPID
The Tag Protocol ID (TPID) subfield identifies the frame as an 802.1Q
frame.
TCI
The Tag Control Information (TCI) field contains three components,
including the VLAN ID.
3 –8 Rev. 13.31
VLANs
User Priority
The 802.1p standard, User Priority, allows devices to apply quality of
service (QoS) to traffic. That is, 802.1p-compliant devices can classify and
mark frames with the priorities from 0-7. The current IEEE
recommendations for the priority associated with each value are:
7 (highest): Network control

6: Internetwork control
5: Voice
4: Video
3: Critical applications
2: Excellent effort
0 (normal traffic): Best effort
1 (lowest): Background
Formerly, the recommendations were slightly different:
7 (highest): Network management

6: Voice
5: Video
4: Controlled load
3: Excellent effort
0 (normal traffic): Best effort
2: Undefined
1 (lowest): Background
You should check your switch documentation to determine how it handles

the values.
Switches that support 802.1p handle the traffic based on the setting
configured. For example, they will transmit frames with the 7 value before
they transmit frames with 3 value. 802.1p is one way to ensure that delay-
sensitive applications (such as voice over IP, or VoIP) receive priority
handling.
CFI
The Canonical Format Indicator (CFI) indicates whether the information in
the frame’s MAC address is included in canonical format, which is
sometimes called the “standard notation.” This format establishes the order
in which bits are submitted. If a device uses the Canonical format, it orders
the least important bit first. If a device uses the non-canonical format (which
is also called bit-reversed order), it orders the most important bit first.
If the value is 0, the MAC address is in canonical format. If the value is 1, it

is not.
Rev. 13.31 3 –9
VLAN ID
The VLAN ID associates the frame with a specific VLAN. This is the VLAN
ID or VLAN number. If this field is empty or set to a value of 0, the frame is
not identified as belonging to a specific VLAN. Frames that do not have the
VLAN ID tag set are often referred to as “untagged” frames.
The VLAN ID field has 12 bits, providing up to 4096 IDs (212 = 4096). IDs 0
and 4095 are reserved, so a network can support up to 4094 VLANs.
3 –10 Rev. 13.31

VLANs
Module 3: VLANS
Example Ethernet frame with 802.1Q tag
Introduction
This graphic provides an example of an Ethernet frame that contains an
802.1Q VLAN tag.
Devices that are not 802.1Q-compliant cannot add or act on these tags.
Because they do not recognize the 802.1Q tag and may consider the
802.1Q tag data illegal, these devices may even drop frames that contain
an 802.1Q tag.
Devices that do not support 802.1Q can still be part of a VLAN. However,
you must configure their connected switch ports to strip away the 802.1Q
tag—you will learn how later.
Ethernet header
This part of the Ethernet frame header contains the destination and source
MAC addresses for the frame. The destination MAC address indicates the
Ethernet interface, whether a switch port or endpoint NIC, that should
receive the Ethernet frame. For example, this frame is addressed to a
device with the MAC address 0004e1-e1100. A broadcast frame—that is, a
frame that is sent out to everyone on the network segment—has the
destination MAC address set to FFFFFF-FFFFFF.
Rev. 13.31 3 –11

The source MAC address is the hardware address of the device that sent
the Ethernet frame. In this case, the frame was sent by a device with MAC
address 080046-44f11ca.
802.1Q field
This part of the Ethernet frame header contains the 802.1Q tag information.
As you learned in the previous frame, the first 2 bytes are the Tag Protocol
ID (TPID) field. In this frame, TPID is set to 8100. Note that this is the
hexadecimal representation of the value for the 2-byte field, and it indicates
that this is an 802.1Q-tagged frame.
When a switch receives a frame with a TPID of 8100, it interprets the next
two bytes as Tag Control Information (TCI) for 802.1Q. The first three bits of
the TCI data are the user priority. In this frame, these three bits are set to 0,
so the user priority is set to 0 or best effort.
The fourth bit of the TCI data is the Canonical Format Indicator (CFI). This
bit is set to 0 (turned off), which indicates that the MAC address in the
Ethernet frame is in canonical format.
The last 12 bits are the VLAN tag or the VLAN ID to which the frame
belongs. In this example, the VLAN ID is set to a hexadecimal value of 014,
which when converted to decimal notation is 20. So this frame belongs to
VLAN 20.
Type field
The next part of the Ethernet header is a type identifier, which indicates the
type of data that follows (the payload). In this example, the type field is set
to the hexadecimal value of 0800, which is the type identifier for IP data.
Notice that the next part of the Ethernet frame contains an IP header that
includes two IP addresses.
Payload
Here you see the payload of the Ethernet frame, beginning with the Layer 3
header, an IP header in this case. Note that the IP header is distinct or
separate from the Ethernet header. The IP header contains information that
a Layer 3 switch or router would use to forward traffic. You will learn about
Layer 3 switches and routers later in this course.
Right now, just notice that the IP header contains a source IP and a
destination IP, which are the IP address of the device that sent the data and
the IP address for which the data is intended.
3 –12 Rev. 13.31

VLANs
Module 3: VLANS
VLAN membership on HP ProVision switches
Introduction
You will now examine how HP switches implement VLANs, beginning with
ProVision switches.
To allow a ProVision switch port to carry traffic in a particular VLAN, you

must configure the port as a member of that VLAN. On ProVision switches,
you can configure the port as an untagged or tagged member of that VLAN.
Untagged VLAN membership

When you configure a port as an untagged member of a VLAN, the switch
must ensure that the traffic it transmits and receives for that VLAN on that
port does not include the 802.1Q tag. The specific behavior of the switch is
outlined below.
• Transmit—The switch does not apply the 802.1Q tag to traffic that it
transmits in its untagged VLAN on that port.
• Receive—The switch assigns all untagged traffic that it receives on that
port to this VLAN.
Devices that do not support 802.1Q must be connected to switch ports that
are untagged members of a VLAN.
Rev. 13.31 3 –13

Tagged VLAN membership

When you configure a port as a tagged member of a VLAN, the switch must
ensure that the traffic it transmits and receives for that VLAN on that port
contains the 802.1Q tag. Furthermore, the 802.1Q tag must contain the
proper VLAN ID. The specific behavior of the switch is outlined below.
• Transmit—The switch adds an 802.1Q tag (with the proper VLAN ID) to
all frames that it transmits in this VLAN.
• Receive—The switch accepts frames with an 802.1Q tag for this VLAN. If
the switch receives a frame with an 802.1Q tag for a VLAN for which it has
an untagged membership or no membership, it drops the frame. For
example, if the port is a tagged member of only VLAN 10 and it receives a
frame with an 802.1Q tag that has a VLAN ID of 20, the switch will drop
the frame.
Tagged memberships are required to allow a port to carry traffic in multiple

VLANs. Generally, you use tagged VLAN memberships for ports that
connect to other switches.
3 –14 Rev. 13.31

VLANs
Module 3: VLANS
HP ProVision VLAN guidelines
• By default all ports are members of the default VLAN.

• A port must be a member of at least one VLAN.
• A port can be an untagged member of only one VLAN.
• A port can be a tagged member of multiple VLANs.
• Untagged and tagged memberships on connected ports must match.
Introduction
Now that you understand tagged and untagged VLAN memberships, you
will review some basic guidelines for configuring VLANs on ProVision
switches.
By default all ports are members of the default VLAN.

At factory default settings, ProVision switches have one VLAN, which is
called the default VLAN, or VLAN 1. All switch ports are untagged members
of this VLAN, until you assign them to other VLANs.
The switch also uses this VLAN for its control traffic so it is recommended
that you configure users’ ports as members of other VLANs.
A port must be a member of at least one VLAN.

A port must be a tagged or untagged member of at least one VLAN.
(Remember that by default, all ports are untagged members of VLAN 1.) If
you attempt to remove a port’s last VLAN membership, the switch applies
an untagged membership in the default VLAN
(VLAN 1).
Rev. 13.31 3 –15

A port can be an untagged member of only one VLAN.

A port can be a member of only one untagged VLAN. This makes sense
because, as you learned, the switch assigns all untagged traffic it receives
on that port to this VLAN. If the port had multiple untagged assignments,
the switch would not be able to distinguish among them.
A port can be a tagged member of multiple VLANs.

A port can be a tagged member of multiple VLANs. Tagged VLAN
memberships are required for ports that carry traffic in multiple VLANs. For
example, a port that connects to another switch would probably need to
carry traffic in multiple VLANs.
Untagged and tagged memberships on connected ports must match.

Connected ports must have matching VLAN memberships in both ID and
type. For example, if VLAN 20 is tagged on switch 1’s port, it should not be
untagged on the connected port on switch 2.
3 –16 Rev. 13.31

VLANs
Module 3: VLANS
Configuring untagged VLAN memberships

Now that you know how ProVision switches handle VLAN 20 VLAN 30
VLANs, you will take a quick look at the basic
commands for configuring VLANs on HP ProVision
switches. For example, if you wanted to create VLAN
20 and make several contiguous ports untagged
members of this VLAN, you would enter:
Edge_1(config)# vlan 20
Edge_1(vlan-20)# untagged a1-a6
As shown in the next command, you can use commas to

list non-contiguous ports in the untagged command:
Edge_1(vlan-20)# vlan 30
Edge_1(vlan-30)# untagged a22,a24,b1-b5
Now that you know how ProVision switches handle VLANs, you will take a
quick look at the basic commands for configuring VLANs on HP ProVision
switches. For example, if you wanted to create VLAN 20 and make several
contiguous ports untagged members of this VLAN, you would enter:
Edge_1(vlan-20)# untagged a1-a6
As shown in the next command, you can use commas to list non-
contiguous ports in the untagged command:
Edge_1(vlan-30)# untagged a22,a24,b1-b5
Rev. 13.31 3 –17

Module 3: VLANS
Configuring tagged VLAN memberships
As mentioned earlier, switch-to-switch ports typically need to support traffic for multiple VLANs. In this example, the
uplink port of an edge switch is defined as a tagged member of VLANs 20 and 30. The uplink port is also an untagged
member of VLAN 1, which it uses for control traffic and also to allow management access.
Because switch ports are untagged members of VLAN 1 by default, you do not have to configure this VLAN membership
on the uplink port. To configure the uplink port as a tagged member of VLANs 20 and 30, you would enter the following
commands:
Edge_1(vlan-20)# tagged b24
VLAN 20 VLAN 30
6 users 7 users VLAN 1,
20, 30
Uplink
As mentioned earlier, switch-to-switch ports typically need to support traffic

for multiple VLANs. In this example, the uplink port of an edge switch is
defined as a tagged member of VLANs 20 and 30. The uplink port is also
an untagged member of VLAN 1, which it uses for control traffic and also to
allow management access.
Because switch ports are untagged members of VLAN 1 by default, you do

not have to configure this VLAN membership on the uplink port. To
configure the uplink port as a tagged member of VLANs 20 and 30, you
would enter the following commands:
3 –18 Rev. 13.31

VLANs
Module 3: VLANS
Processing traffic on a switch port that supports multiple VLANs
VLAN 20 VLAN 30
6 users 7 users VLAN 1,
20, 30
Uplink
The uplink port now supports VLANs 1, 20, and 30. The frames the uplink port transmits for VLAN 1 remain untagged.
However, the frames for VLAN 20 and VLAN 30 are tagged.
When the switch receives untagged traffic on the uplink port, it assumes that traffic belongs to VLAN 1. If the port receives
frames that contain tags for VLAN 20 or VLAN 30, the switch processes those frames. If the port receives frames with tags
for a different VLAN (such as VLAN 40 or VLAN 50), the switch drops them.
The uplink port now supports VLANs 1, 20, and 30. The frames the uplink
port transmits for VLAN 1 remain untagged. However, the frames for VLAN
20 and VLAN 30 are tagged.
When the switch receives untagged traffic on the uplink port, it assumes
that traffic belongs to VLAN 1. If the port receives frames that contain tags
for VLAN 20 or VLAN 30, the switch processes those frames. If the port
receives frames with tags for a different VLAN (such as VLAN 40 or VLAN
50), the switch drops them.
Rev. 13.31 3 –19

Module 3: VLANS
Configuring VLAN IP addresses on ProVision switches

As you recall, each VLAN is associated with an IP subnet. You must assign the switch an IP address in that VLAN’s subnet if
you want the switch to send and receive IP traffic on a VLAN. In this case, the switch is routing traffic for endpoints in that
VLAN. (You will learn more about this function inModule 4: Routing.)
You may also want to assign the switch an IP address for a VLAN if you want to manage the switch on that VLAN.
In this example, you want the switch to route traffic in VLAN 20, which is assigned the IP address 10.1.20.1 in the IP subnet
10.1.20.0/24.
You can assign an IP address to a VLAN in one of the following ways:
DHCP—A VLAN can receive an IP address from a Static—You can manually configure the IP
DHCP server. By default, the default VLAN, address using this command:
VLAN 1, is configured to receive an IP address Edge_1(config)# vlan 20
from a DHCP server. Edge_1(vlan-20)# ip address 10.1.20.1/24
VLAN 20
6 users
Uplink
As you recall, each VLAN is associated with an IP subnet. You must assign
the switch an IP address in that VLAN’s subnet if you want the switch to
send and receive IP traffic on a VLAN. In this case, the switch is routing
traffic for endpoints in that VLAN. (You will learn more about this function in
Module 4: Routing.)
You may also want to assign the switch an IP address for a VLAN if you
want to manage the switch on that VLAN.
In this example, you want the switch to route traffic in VLAN 20, which is
assigned the IP address 10.1.20.1 in the IP subnet 10.1.20.0/24.
You can assign an IP address to a VLAN in one of the following ways:
• DHCP—A VLAN can receive an IP address from a DHCP server. By

default, the default VLAN, VLAN 1, is configured to receive an IP address
from a DHCP server.
• Static—You can manually configure the IP address using this command:
Edge_1(vlan-20)# ip address 10.1.20.1/24
3 –20 Rev. 13.31

VLANs
Module 3: VLANS
Viewing VLAN port status on ProVision switches

You can use the show vlans command to learn which switch ports are members of a given VLAN.
Edge_1# show vlans 20

Status and Counters – VLAN Information – Ports – VLAN 20
802.1Q VLAN ID : 20
Name : VLAN20
Status : Static
Port Information Mode Unknown VLAN Status
A1 Untagged Learn Up
B24 Tagged Learn Up
.
.
.
You can use a similar command to determine which VLANs are associated with a particular port. For instance, to view the
VLANs associated with port d4, use the command show vlans port d4 detail.
You can use the show vlans command to learn which switch ports are
members of a given VLAN.
Edge_1# show vlans 20

Status and Counters – VLAN Information – Ports – VLAN
20
802.1Q VLAN ID : 20
Name : VLAN20
Status : Static
Port Information Mode Unknown VLAN Status
B24 Tagged Learn Up
.
.
.
You can use a similar command to determine which VLANs are associated
with a particular port. For instance, to view the VLANs associated with port
d4, use the command show vlans port d4 detail.
Rev. 13.31 3 –21
Module 3: VLANS
HP Comware switch VLAN support
• An access port belongs to one VLAN and sends and receives untagged traffic only.
• A trunk port can belong to multiple VLANs and can send and receive untagged frames for one VLAN and tagged frames
for multiple VLANs.
• A hybrid port can belong to multiple VLANs. It can assign a frame to a VLAN based on information other than the
802.1Q field.
Introduction
HP Comware switches also support VLANs and 802.1Q tagging. However,
Comware switches use slightly different terminology and have different
configuration commands than ProVision switches. On Comware switches,
you configure VLAN support by first determining the type of port that should
be used.
Access port
An access port belongs to one VLAN and sends and receives untagged
traffic only. Generally, you use an access port to connect workstations or
endpoints.
Trunk port
A trunk port can belong to multiple VLANs and can send and receive
untagged frames for one VLAN and tagged frames for multiple VLANs.
Trunk ports are used for switch-to-switch links, allowing you to extend VLAN
boundaries across switches.
3 –22 Rev. 13.31

VLANs
Hybrid port
A hybrid port can belong to multiple VLANs. It can assign a frame to a
VLAN based on information other than the 802.1Q field. For example, a
hybrid port can look at the MAC address, the protocol, or the IP subnet of
frames to determine VLAN membership. Hybrid ports are used for
specialized functions, which are not covered in this course. For more
information, see the Building SMB Networks with HP Technologies course.
Rev. 13.31 3 –23

Module 3: VLANS
Guidelines for configuring VLANs on HP Comware switches
• By default all ports are configured as access ports that support the default VLAN.
• You must create a VLAN on the switch before assigning it to an access or trunk port.
• An access port can support only one untagged VLAN.
• A trunk port can support one untagged VLAN and multiple tagged VLANs.
• The PVID and permitted VLANs on connected trunk ports must match.
Introduction
Before you learn how to configure access and trunk ports on Comware
switches, you should review some basic guidelines.
By default all ports are configured as access ports that support the
default VLAN.
Like ProVision switches, Comware switches have a default VLAN, which is
VLAN 1. In addition, all ports are configured as access ports that support
VLAN 1.
With these settings, each port will accept frames that do not contain an
802.1Q tag and that have a source IP address in VLAN 1.
You must create a VLAN on the switch before assigning it to an

access or trunk port.
If you want an access port or a trunk port to support a VLAN, you must first
create that VLAN on the switch.
An access port can support only one untagged VLAN.

Once you create a VLAN on the switch, you can configure an access port to
support that VLAN. An access port can support only one VLAN and that
VLAN is untagged.
3 –24 Rev. 13.31

VLANs
A trunk port can support one untagged VLAN and multiple tagged
VLANs.
Just like an access port, a trunk port can support only one untagged VLAN.
However, a trunk port can support any number of tagged VLANs. This
allows the trunk port to function as a switch-to-switch connection.
The trunk port’s port VLAN ID (PVID) determines the port’s untagged
VLAN. By default, all trunk ports’ PVID is the default VLAN, VLAN 1.
The trunk port’s permitted VLANs list determines the VLANs for which the
port carries traffic. Any VLAN in the permitted VLAN list that is not the PVID
is tagged.
By default, a trunk port has only VLAN 1 in its permitted VLANs list, so it
carries only untagged traffic. To add the tagged VLANs, you simply specify
them as permitted.
Often you keep the default PVID, but if you change it, the new PVID is not
automatically added to the permitted VLANs list, nor is VLAN 1 removed
from the permitted VLANs list. Therefore, the trunk port will not transmit or
accept any untagged traffic, and it will accept frames that are tagged for
VLAN 1. To allow the port to send and receive untagged traffic again,
remember to add the new PVID to the permitted list. Also remember to
remove VLAN 1, if you do not want it on the port. Of course, the PVID and
permitted VLANs on directly connected trunk ports must match.
The PVID and permitted VLANs on connected trunk ports must match.
When you connect two trunk ports to establish a switch-to-switch
connection, you must ensure that their VLAN settings match, or traffic will
be dropped. They must have the same PVID and permitted VLANs.
Rev. 13.31 3 –25

Module 3: VLANS
Configuring VLANs on HP Comware switches
• Creating VLANs
• Configuring access ports
• Configuring trunk ports
• Adding permitted VLANs to trunk ports
• Changing the trunk port’s PVID
• Configuring IP addresses
Introduction
Now that you understand the guidelines for configuring VLANs on Comware
switches, you can examine the commands.
Creating VLANs
Use the command shown here to create the VLAN so that you can assign
access or trunk ports to it.
Syntax:
[Switch] vlan <VLAN ID>
Example:
[Switch] vlan 10
Configuring access ports

Use the commands shown here to:
• Access the VLAN, moving to the Layer 2 VLAN context

• Add the port to the VLAN
3 –26 Rev. 13.31

VLANs
Syntax:
[Switch] vlan <VLAN ID>
[Switch-vlan<ID>] port <interface-list>
Example:
[Switch] vlan 10
[Switch-vlan10] port gigabitethernet 1/0/1
Configuring trunk ports

Use the commands shown here to:
• Move to the trunk port’s interface context

• Change the port’s type to trunk
Syntax:
[Switch] interface <interface type> <ID>
[Switch-<interface type><ID>] port link-type trunk
Example:
[Switch] interface g1/0/6
[Switch-GigabitEthernet1/0/6] port link-type trunk
Adding permitted VLANs to trunk ports

You must configure the trunk port to permit the VLANs you want it to
support. All VLANs that are not the PVID are tagged. You will receive an
error if you have not already created the VLANs. Separate the VLAN IDs by
a space to indicate those individual VLANs. Use a – to indicate a range.
Remember that connected trunk ports must support the same VLANs, or
traffic will be dropped.
Syntax:
[Switch-<interface type><ID>] port trunk permit vlan
<VLAN ID list>
Example:
[Switch-GigabitEthernet1/0/6]port trunk permit vlan 10
20
Changing the trunk port’s PVID

As you learned earlier, the trunk port’s PVID defines its untagged VLAN
and is, by default, VLAN 1. Note that PVID on connected trunk ports must
match.
Use these commands to:
• Change the PVID

• Permit the new PVID (if you want the port to support untagged traffic)
Syntax:
[Switch-<interface type><ID>] port trunk pvid vlan
<VLAN ID>
Rev. 13.31 3 –27

[Switch-<interface type><ID>] port trunk permit vlan

<VLAN ID>
Example:
[Switch-<interface type><ID>] port trunk pvid vlan 2
[Switch-<interface type><ID>] port trunk permit vlan 2
Configuring IP addresses
As you learned earlier, you must configure an IP address on a VLAN if you
want the switch to send and receive its own IP traffic on that VLAN. Use the
commands shown here to:
• Create a Layer 3 VLAN interface

• Assign the VLAN interface an IP address
In this example, the switch has an IP address on the three VLANs

supported on its trunk port. Each VLAN is associated with a /24 subnet, and
the switch has host address 1 for each.
Syntax:
[Switch] interface vlan-interface <VLAN ID>
[Switch-vlan-interfaceID] ip address <IP address> <mask
| prefix length>
Example:
[Switch] interface vlan-interface 1
[Switch-vlan-interface1] ip address 10.1.1.1
255.255.255.0
[Switch-vlan-interface1] interface vlan-interface 10
255.255.255.0
[Switch-vlan-interface10] interface vlan-interface 20
255.255.255.0
3 –28 Rev. 13.31

VLANs
Module 3: VLANS
GVRP
In this module, you have learned how to manually configure VLAN memberships on ProVision and Comware switches.
Rather than manually configuring VLAN settings on switch ports, however, you can use the GARP VLAN Registration
Protocol (GVRP) to dynamically create VLANs on ports that are connected to other GVRP-aware switches. (Generic Attribute
Registration Protocol [GARP] is a protocol that defines procedures by which end stations and switches can register
attributes with each other.)
When GVRP is enabled on a switch, it advertises any configured static VLANs on all its ports. If a GVRP-aware switch port
receives the advertisement, it can dynamically join the advertised VLAN. This dynamic VLAN is tagged on the port.
Both ProVision and Comware switches support GVRP. (GVRP configuration and management is not covered in this course.
For more information, see your switch documentation.)
In this module, you have learned how to manually configure VLAN

memberships on ProVision and Comware switches. Rather than manually
configuring VLAN settings on switch ports, however, you can use the GARP
VLAN Registration Protocol (GVRP) to dynamically create VLANs on ports
that are connected to other GVRP-aware switches. (Generic Attribute
Registration Protocol [GARP] is a protocol that defines procedures by which
end stations and switches can register attributes with each other.)
When GVRP is enabled on a switch, it advertises any configured static
VLANs on all its ports. If a GVRP-aware switch port receives the
advertisement, it can dynamically join the advertised VLAN. This dynamic
VLAN is tagged on the port.
Both ProVision and Comware switches support GVRP. (GVRP configuration

and management is not covered in this course. For more information, see
your switch documentation.)
Rev. 13.31 3 –29

Module 3: VLANS
Example: Discovering a device’s destination address
Introduction
You now know how to configure VLANs on switch ports. Next, you will look
at an example of how switches use Layer 2 forwarding to enable two
devices within the same VLAN to communicate. In this example, a
workstation wants to communicate with a database server, and both
devices are in the same VLAN. However, as you can see, there are several
switches between them.
Step 1
Before the workstation can send a frame to the server, it must know the
server’s MAC address so that it can place the correct destination address in
the frame. The application on the workstation knows or is configured with
the server’s IP address. Therefore, the workstation sends an Address
Resolution Protocol (ARP) request, which is a broadcast to the entire
VLAN, requesting the MAC address associated with the server’s IP
address. In this instance, the Ethernet frame that the workstation sends has
a destination MAC address of FFFFFF:FFFFFF, which is the broadcast
address.
Step 2
The switch to which the workstation is connected receives the ARP request.
Because this frame is a broadcast, the switch sends it out all of its ports that
are members of VLAN 30. (This is sometimes called flooding.)
3 –30 Rev. 13.31

VLANs
Step 3
When other switches along the path to the database server receive the
broadcast, they also flood the frame out all of their ports that belong to
VLAN 30.
Step 4
The database server finally receives the ARP request. It responds to the
request by sending a directed frame (not a broadcast) to the workstation’s
MAC address, wherein it conveys its hardware or MAC address.
Rev. 13.31 3 –31

Module 3: VLANS
Example: Layer 2 forwarding
Introduction
Now that the workstation knows the MAC address of the database server, it
can send Ethernet frames directly to the server.
Step 1
The workstation addresses a frame to the database server’s MAC address.
Step 2
The Edge_1 switch operates as a Layer 2 switch. It checks its Layer 2
forwarding table and forwards the frame through port B2 to the IT switch.
(If the switch did not know the port for this MAC address, it would flood the
frame like a broadcast. But all the switches in this example learned the port
for the server’s MAC address when they received the server’s ARP
response on its way back to the workstation.)
Step 3
The IT_switch is a Layer 3 switch. You do not need to understand its Layer
3 functions now but simply know that it acts as a Layer 2 switch for all
frames that are not destined to its own MAC address.
In this case, the destination MAC address is different from its own MAC
address, so the switch checks its MAC forwarding table. The switch
forwards the frame through port C9.
3 –32 Rev. 13.31
VLANs
Step 4
The Edge_2 switch receives the frame through port B24, submits it to its
Layer 2 forwarding table lookup, and forwards it through port B1 to the
database server.
Rev. 13.31 3 –33

Module 3: VLANS
Layer 2 or Layer 3 forwarding
You now understand how switches

forward traffic at Layer 2. They make
forwarding decisions based on
information in the Ethernet header of
a frame such as the destination MAC
address and the 802.1Q VLAN tag.
When devices that are in separate VLANs or subnets need to

communicate, the traffic must be routed. Switches that support
routing use Layer 3 information, such as the IP address, to
make forwarding switches. Switches that support routing are
sometimes called routing switches or Layer 3 switches.
For example, if the workstations in VLAN 20 want to
communicate with the servers in VLAN 30, the switch must use
Layer 3 data to route the traffic between the VLANs. You will
learn more about this process in Module 4: Routing.
You now understand how switches forward traffic at Layer 2. They make
forwarding decisions based on information in the Ethernet header of a
frame such as the destination MAC address and the 802.1Q VLAN tag.
When devices that are in separate VLANs or subnets need to

communicate, the traffic must be routed. Switches that support routing use
Layer 3 information, such as the IP address, to make forwarding switches.
Switches that support routing are sometimes called routing switches or
Layer 3 switches.
For example, if the workstations in VLAN 20 want to communicate with the

servers in VLAN 30, the switch must use Layer 3 data to route the traffic
between the VLANs. You will learn more about this process in Module 4:
Routing.
3 –34 Rev. 13.31

VLANs
Module 3: VLANS
Summary
This module described the fundamentals of VLANs:
VLANs are used to segment the network to limit broadcast

domains.
VLANs separate user traffic into different subnets,

increasing network security.
The 802.1Q field allows an Ethernet frame to be tagged for

VLAN membership.
VLANs are configured differently on HP Comware and

ProVision switches, but the underlying principles are the
same.
This module described the fundamentals of VLANs:
• VLANs are used to segment the network to limit broadcast domains.

• VLANs separate user traffic into different subnets, increasing network
security.
• The 802.1Q field allows an Ethernet frame to be tagged for VLAN
membership.
• VLANs are configured differently on HP Comware and ProVision
switches, but the underlying principles are the same.
Rev. 13.31 3 –35

3 –36 Rev. 13.31

Routing
Module 4
Module 4: Routing
Objectives
This module explains when a Layer 3 switch or router is required to route traffic to its destination. It also guides you
through the process of enabling routing and configuring a static route on HP Comware and ProVision switches.
Explain when a Layer 3 switch or router is required to route

traffic

module, you should be List the basic components of routing tables and explain the
able to: purpose of each component
Describe how Layer 3 switches use static and default routes

to ensure that traffic reaches its final destination
This module explains when a Layer 3 switch or router is required to route

traffic to its destination. It also guides you through the process of enabling
routing and configuring a static route on HP Comware and ProVision
switches.
• Explain when a Layer 3 switch or router is required to route traffic

• List the basic components of routing tables and explain the purpose of
each component
• Describe how Layer 3 switches use static and default routes to ensure
that traffic reaches its final destination
Rev. 13.31 4 –1
Module 4: Routing
Layer 2 switching and Layer 3 routing
Introduction
When a device needs to communicate with another device in the same
VLAN or subnet, the switch (or switches) can forward traffic between the
two devices at Layer 2.
If a device needs to communicate with a device in a different VLAN,

however, a Layer 3 switch or router must route the traffic at Layer 3.
Although the traffic can be routed by a Layer 3 switch or a router, the
examples in this course focus on Layer 3 switches.
Layer 2 forwarding
Switches acting at Layer 2 use information in the Ethernet header to
forward traffic, specifically the destination Media Access Control (MAC)
address and perhaps an 802.1Q tag. The switch does not process the
frame past the Ethernet header, ignoring the IP or other Layer 3 header.
The switch follows two simple rules. First, it looks up the port for the
destination MAC address in its MAC forwarding table and forwards the
frame on that port. Second, if the switch does not know the MAC address, it
floods the frame out all ports that belong to the frame’s VLAN.
In this example, if a workstation in VLAN 20 that is connected to Switch A

needs to send data to a workstation in VLAN 20 that is connected to switch
B, the traffic can be forwarded at Layer 2. As the data travels from Switch A
4 –2 Rev. 13.31
Routing
through Switch C and onto Switch B, all of the switches forward the traffic
by looking up the destination MAC address in their forwarding tables.
Layer 3 forwarding
To route traffic, a Layer 3 switch uses information in the packet’s Layer 3
header. IP is by far the most common Layer 3 protocol, and this course
focuses on IP routing. Specifically, therefore, the Layer 3 switch relies on
the packet’s destination IP address to make routing decisions. (For the
purposes of this course, the IP header is a version 4 IP header.)
In this example, when a workstation in VLAN 20 that is connected to Switch

B needs to send data to a server in VLAN 30 with IP address
10.1.30.101/24, the workstation knows that the server is in a different
network. The workstation sends its traffic to the Layer 3 switch, and the
Layer 3 switch routes the traffic to the server. The rest of this module
explains how this process works.
Rev. 13.31 4 –3
Module 4: Routing
Routing overview
Introduction
Before you consider how a switch learns how to route traffic to specific
subnets, you should understand at a high level how a packet is transmitted
from a device in one subnet to a device in another subnet.
1. Send traffic to default gateway

A typical device is connected to one subnet. If that device needs to send
traffic to a device in a different VLAN or subnet, it sends that traffic to its
default gateway.
In the example network, the default gateway for devices in VLAN 20 (which
is associated with subnet 10.1.20.0/24) is Switch B (which has the IP
address 10.1.20.1).
The default gateway is responsible for knowing where to send traffic so that
it will reach its final destination. (You will learn how the default gateway
gathers and stores this information later in this module.)
2. Route traffic to next hop

In this example network, Switch B does not support VLAN 30 (which is
associated with subnet 10.1.30.0/24). To route traffic to VLAN 30, therefore,
Switch B must know the route, or pathway, to the destination network.
Actually, it is more accurate to say that Switch B must know the next hop in
the route, meaning the next device that can send the packet onto its final
destination.
4 –4 Rev. 13.31
Routing
In the example network, Switch C is the next hop. To be more specific,

because Switch B and Switch C connect on VLAN 2, switch C’s VLAN 2 IP
address, 10.1.2.1, is the next hop.
3. Forward traffic at Layer 2

Switch C supports VLAN 30 (with subnet 10.1.30.0/24) and the servers are
attached directly to it. Therefore, Switch C forwards the traffic destined to
the server at Layer 2.
4. Return traffic
If the destination device, in this case a server, wants to send traffic to the
originating device, it must send the traffic to its default gateway. In this case,
Switch C is the default gateway for VLAN 30 (which is subnet 10.1.30.0/24).
Switch C does not support VLAN 20 (subnet 10.1.20.0/24). To route traffic

from VLAN 30 back to VLAN 20, Switch C must know the next hop address
in the path. In this example, Switch B is the next hop. Again, more precisely,
the next hop is switch B’s IP address in VLAN 2, 10.1.2.2.
Rev. 13.31 4 –5
Module 4: Routing
Types of routes
Layer 3 switches and routers learn the next hop for

destination networks through routes. There are two
types of routes:
Direct routes are for local networks, which are those

networks directly connected to the switch.
Indirect routes are for remote networks, which are

those networks not directly connected to the switch.
Layer 3 switches and routers learn the next hop for destination networks
through routes. There are two types of routes:
• Direct routes are for local networks, which are those networks directly
connected to the switch.
• Indirect routes are for remote networks, which are those networks not
directly connected to the switch.
4 –6 Rev. 13.31
Routing
Module 4: Routing
Direct routes
Introduction
A switch or router has direct routes to the subnets assigned to its own Layer
3 interfaces:
• On a Layer 3 switch, Layer 3 interfaces are typically VLAN interfaces

configured with IP addresses.
• Routers and some Layer 3 switches allow you to assign IP addresses
directly to ports or aggregated links. In that case, these physical
interfaces are also Layer 3 interfaces.
Typically, when you enable IP routing on a switch, the switch automatically

creates a direct route for all active Layer 3 interfaces that have an IP
address.
1. Adding direct routes

Switch C has been assigned the IP address 10.1.10.1/24 for VLAN 10. IP
routing is enabled, allowing the switch to function as a Layer 3 switch. As
soon as Switch C has one active port in VLAN 10 (which is the link
between Switch C and Switch A in this example), VLAN 10 is “up,” and the
switch adds a direct route to 10.1.10.0/24.
Similarly, as VLAN 20 comes up, Switch C adds a direct route to

10.1.20.0/24.
Rev. 13.31 4 –7
The direct route to subnet 10.1.10.0/24 lets Switch C route traffic that it
receives on VLAN 20 to any destination in VLAN 10. Similarly, the direct
route to subnet 10.1.20.0/24 would let Switch C route traffic received on
VLAN 10 back to a destination in VLAN 20.
2. Forwarding traffic at Layer 2

Because Switch C has a direct route to VLAN 10, it forwards all traffic
destined to devices in VLAN 10 at Layer 2. When a switch routes traffic
using a direct route, it is responsible for discovering the MAC address of the
final destination IP address. To discover the MAC address, the switch floods
an Address Resolution Protocol (ARP) request to all the ports in VLAN 2.
When the switch receives an ARP response with the MAC address, it
forwards the traffic on the appropriate port for that MAC address. In this
example, Switch C forwards the traffic on the port that connects to switch A.
3. Layer 2 switch
Switch A does not have IP routing enabled. Therefore, it forwards the traffic
at Layer 2 and does not have direct (or indirect) routes.
4 –8 Rev. 13.31
Routing
Module 4: Routing
Indirect routes
Default route
Introduction
An indirect route enables a switch to communicate with “non-local”
destinations using one or more intermediate hops. Indirect routes must be
entered manually or learned through a routing protocol.
Static route
A static route is a route to a specific remote network. A network
administrator must manually enter a static route.
Default route
A default route is a special type of indirect route that tells a Layer 3 switch
how to forward a packet when it does not know a specific route to the
destination address. Default routes may be static or dynamic. On the
example network, Switch C has a default route to WAN router A, which
connects to the Internet.
Dynamic route
A switch learns a dynamic route through a routing protocol. Routing
protocols allow switches and routers to exchange routing information to
determine the best paths between networks. (This course does not focus on
routing protocols. The Building SMB Networks with HP Technologies course
covers routing protocols in more detail.)
Rev. 13.31 4 –9
Module 4: Routing
Static routes
Introduction
In the example network, Switch B does not support subnet 10.1.30.1/24
(VLAN 30). To route traffic to this subnet, therefore, the switch needs a
route, which would include the information shown in the graphic: the next
hop, which would be 10.1.2.1, and the forwarding interface, which would be
VLAN 2.
The switch could have a static route or a dynamic route to this network. As
mentioned earlier, this course focuses on static routes. Click each tab to
learn about the advantages and disadvantages of using a static route.
Advantages
Static routes work best for networks with simple topologies. When a
network does not have many paths for traffic to traverse, you might find it
easier to configure a couple of static routes manually rather than implement
a routing protocol. With static routes, you also have complete control over
which next hop each Layer 3 switch uses for each destination subnet.
Disadvantages
The larger a network is and the more VLANs and subnets it supports, the
more tedious and difficult it is to configure every route on every Layer 3
switch and router manually.
4 –10 Rev. 13.31

Routing
In addition, static routes might not adapt well to network topology changes.
For example, if you added another path to VLAN 30 for Switch B (perhaps
by adding another switch), you would need to reconfigure the route. In
addition, although there are ways to configure backup static routes, these
routes might not respond to changing conditions several hops away. Thus if
a hop in the path to a destination becomes unavailable, the destination may
become unreachable. Dynamic routing protocols, on the other hand, allow
Layer 3 switches and routers to adapt to network changes.
Rev. 13.31 4 –11

Module 4: Routing
Default route
The default route is the route of last
resort. When a Layer 3 switch or router
cannot match traffic to a specific route, it
will use the default route.
Often, the default route is used to enable
connectivity to the Internet. A Layer 3
switch is configured with the IP
address of an Internet-accessible
router. Any traffic for which
the Layer 3 switch does not
have a route it forwards to the
router to resolve.
A default route usually shows as
0.0.0.0/0 in a routing table. This notation
tells the router to forward any traffic that
cannot be specifically matched out the
interface associated with the default
route.
The default route is the route of last resort. When a Layer 3 switch or router
cannot match traffic to a specific route, it will use the default route.
Often, the default route is used to enable connectivity to the Internet. A

Layer 3 switch is configured with the IP address of an Internet-accessible
router. Any traffic for which
the Layer 3 switch does not have a route it forwards to the router to resolve.
A default route usually shows as 0.0.0.0/0 in a routing table. This notation

tells the router to forward any traffic that cannot be specifically matched out
the interface associated with the default route.
4 –12 Rev. 13.31

Routing
Module 4: Routing
Routing tables
• Because switches sometimes have more than one route to the same destination, they must be able to prioritize
routes.
• Comware and ProVision switches use the following to prioritize routes:
• Administrative distance or preference
• Metric or cost
Introduction
At a minimum, a Layer 3 switch requires the following information about
each IP route, which the switch stores in its routing table:
• Destination network and subnet mask

• Next hop (which is sometimes called gateway)
• Route prioritization methods
• Administrative distance or preference
• Metric or cost
You have already learned about the destination network and the next hop.
Because switches sometimes have more than one route to the same
destination, they must be able to prioritize routes.
Administrative distance or preference

Switches need a method for comparing routes to the same destination that
are learned by different routing protocols or methods. ProVision switches
use administrative distance, while Comware switches use preferences.
On ProVision switches, each route is assigned an administrative, which

defines the reliability of the routing protocol or method of discovery. The
lower the distance, the more reliable the route is deemed, and the more
Rev. 13.31 4 –13

likely for the route to be selected. Directly connected routes always have an
administrative distance of 0.
For example, an 8212 zl switch might have a static route to 10.1.30.0/24

with administrative distance 1. The switch might also have a route learned
by Routing Information Protocol (RIP) to 10.1.30.0/24 with administrative
distance 120. (RIP is a routing protocol.) The switch selects the static route
because this route has the lower administrative distance. The switch still
knows the other route and will add it to its routing table if the next hop for
the selected (static) route becomes unreachable. The non-selected route
acts as a backup.
Similarly, Comware switches use the preference option to compare routes
to the same destination that were learned with different routing protocols or
methods. Routes with the lower preference value are selected.
Metric or cost
Switches also need a way to compare routes that are learned by the same
routing protocol or method.
ProVision switches use the route metric to compare routes learned by the
same routing protocol or method. For example, when a routing protocol
discovers more than one route to a destination, the switch selects the route
with the lowest metric as its best route.
Comware switches use the route cost to compare routes learned from the
same protocol or method. Lowest cost routes are preferred. However, when
a routing protocol discovers multiple routes to the same destination with the
same cost, Comware switches can load balance traffic over all of the same-
cost routes.
Note that the Layer 3 switch does not compare the metric or cost between
routes acquired through different methods. Each routing protocol selects
one lowest metric or cost route to each destination (or, in the case of
Comware switches, several load-balanced routes). For example, Routing
Information Protocol (RIP) might select one lowest-cost route to
10.1.30.0/24, and Open Shortest Path First (OSPF) might do the same. The
switch then must choose between the RIP route and the OSPF route, and it
uses administrative distance or preference to do so. (Both RIP and OSPF
are routing protocols.)
4 –14 Rev. 13.31

Routing
Module 4: Routing
HP Comware routing table
Each Layer 3 switch or router stores its selected routes in a routing table. The example
below shows a routing table from a Comware switch.
Introduction
Each Layer 3 switch or router stores its selected routes in a routing table.
The example shows a routing table from a Comware switch.
Destination/Mask
The Destination/Mask field specifies the network address and subnet mask
for the destination. Note that an IP address might match multiple routes,
which means the Layer 3 switch knows more than one route to the same IP
address. In this case, the Layer 3 switch uses the most specific route (the
route with the longest mask) to route the packet.
Proto
The Proto field indicates the protocol or method by which the route was
discovered. Possible values include Static (a static route), Direct (a direct
connection), or a routing protocol such as RIP or OSPF.
Pre
The Pre field indicates the administrative preference. The switch uses
administrative preference to choose between two or more routes to the
same destination that were discovered through different protocols or
methods. For example, one route might be a static route while another
route might be an OSPF route. (OSPF is a routing protocol.)
Rev. 13.31 4 –15

Cost
The Cost field indicates the cost of the route. The switch uses the cost to
choose between routes to the same destination that are learned through the
same protocol or method. For example, the routes might both be OSPF
routes.
NextHop
The NextHop field indicates the next hop for each route.
Interface
The Interface field indicates the switch interface that will be used to forward
traffic to or toward the destination. As you recall, on all Layer 3 switches,
the interface is usually a VLAN interface. However, for routers, the interface
might be a physical port that has been assigned an IP address.
4 –16 Rev. 13.31

Routing
Module 4: Routing
HP Comware indirect routes
For indirect routes, the next hop is always another Layer 3 switch or router that knows how to route the packet toward the
destination. For a route to remain in the routing table, the Layer 3 switch must be able to reach the next hop.
In this example, the next hop for the default route (0.0.0.0/0) is 10.1.4.2, which is in the 10.1.4.0/24 subnet. The switch
knows a route to 10.1.4.0/24, which is directly connected on VLAN 500, so it can reach the next hop.
For an indirect route, the forwarding interface is the interface on which the local device reaches the next hop. In this case,
it is VLAN 500.
Routing Tables: Public

Destinations : 5 Routes : 5
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 60 0 1.1.4.2 Vlan500
10.1.2.0/24 Direct 0 0 10.1.2.3 Vlan300
10.1.2.3/32 Direct 0 0 127.0.0.1 InLoop0
10.1.4.0/30 Direct 0 0 10.1.4.1 Vlan500
10.1.4.1/32 Direct 0 0 127.0.0.1 InLoop0
For indirect routes, the next hop is always another Layer 3 switch or router
that knows how to route the packet toward the destination. For a route to
remain in the routing table, the Layer 3 switch must be able to reach the
next hop.
In this example, the next hop for the default route (0.0.0.0/0) is 10.1.4.2,
which is in the 10.1.4.0/24 subnet. The switch knows a route to 10.1.4.0/24,
which is directly connected on VLAN 500, so it can reach the next hop.
For an indirect route, the forwarding interface is the interface on which the
local device reaches the next hop. In this case, it is VLAN 500.
Rev. 13.31 4 –17

Module 4: Routing
HP Comware direct routes
For direct routes, Comware switches display the following information in the routing
table:
Introduction
Comware switches handle direct routes as outlined below.
Next Hop
When a Layer 3 switch has a direct route to a subnet, the next hop is the IP
address of the switch on that subnet. For direct routes to the IP address of
the Comware switch itself, the next hop is the loopback address.
In this example, the Comware switch has IP address 10.1.2.3/24 on VLAN

300. The next hop for the route to 10.1.2.0/24 is 10.1.2.3, the IP address of
the switch on this subnet. The next hop for 10.1.2.3/32 is the loopback
address.
Interface
The forwarding interface for a direct route is the VLAN interface (or Layer 3
physical interface) associated with that subnet. The forwarding interface for
a direct route to the IP address of the switch is the loopback interface.
As you can see, if the packet is destined to the IP address of the switch, the
switch processes the packet locally. If the packet is destined to another IP
address on the directly connected subnet, the switch forwards the packet
on the associated interface.
4 –18 Rev. 13.31

Routing
Module 4: Routing
HP ProVision routing table
HP ProVision switches display routing information in a slightly different order, as shown in this example.
Introduction
HP ProVision switches display routing information in a slightly different
order, as shown in this example.
Destination
The Destination field contains the destination network and subnet mask,
which the switch uses to match a packet’s destination IP address to a
route.
Gateway
The Gateway field indicates the gateway (or next hop) for the route. For
indirect routes, the gateway is the next hop’s IP address, just as in
Comware switches. However, on ProVision switches, the gateway for a
direct, or “connected,” route is the name of the VLAN associated with the
connected subnet.
VLAN
The VLAN field indicates the forwarding interface for the route.
Type
The Type field indicates the type of route. ProVision switches use the term
“connected” to indicate a direct route. The example routing table displays
only connected and static routes, but ProVision switches also support
routing protocols such as RIP and OSPF, which are listed by these names.
Rev. 13.31 4 –19

Sub-Type
The Sub-Type field is used when routes have been discovered through the
OSPF protocol.
Metric
As you learned, ProVision switches use metrics to choose between routes
that were discovered in the same way (such as two OSPF routes or two
RIP routes).
Dist.
The Dist. field indicates the administrative distance, a route prioritization
method used to choose between routes of different types.
4 –20 Rev. 13.31

Routing
Module 4: Routing
Routing example: Step 1
Introduction
You now understand that a Layer 3 switch uses its routing table and a
packet’s IP address to discover the packet’s next hop and forwarding
interface.
You will take a close look at this process by following a packet as it is routed
from a source workstation at 10.1.20.53/24 to a database server at
10.1.30.101/24.
Step 1
The workstation knows the IP address of the server (10.1.30.101) and
recognizes that this address is on a different network. Because the packet
must be routed, the workstation sends the traffic to its default gateway,
Switch C, which has the IP address of 10.1.20.1.
If the workstation does not know the MAC address for 10.1.20.1 (because it
has not recently communicated with its default gateway), it sends an ARP
request to find the MAC address. The ARP response resolves the IP
address 10.1.20.1 to Switch C’s MAC address (00-1D-B3-F1-EF-40).
The workstation then sends an Ethernet frame, which has the MAC
destination address for Switch C, to its directly attached switch, Switch B.
However, the packet’s IP destination address is 10.1.30.101, which is the
server’s IP address.
Rev. 13.31 4 –21

Module 4: Routing
Step 2
When Switch B receives the frame, it uses the destination MAC address to
forward the frame at Layer 2. The switch looks up the destination MAC
address in its MAC forwarding table and forwards the frame out the correct
port. (If the switch does not know the MAC address, it can flood the frame
out on VLAN 20.)
4 –22 Rev. 13.31

Routing
Module 4: Routing
Step 3
When Switch C receives the frame, it recognizes its address in the
destination MAC address field and removes the Ethernet header. Switch C
examines the IP header and realizes that it needs to route the packet since
the destination IP address is not its own IP address.
Switch C looks up the most specific route that matches the destination
address in its routing table. The routing table shows that the destination IP
address is a directly connected route on the VLAN 30 interface.
Switch C determines that it must forward the packet on VLAN 30.
Rev. 13.31 4 –23

Module 4: Routing
Step 4
Switch C has determined that it must forward the packet on the VLAN 30
interface. To do so, it must add a new Ethernet header.
When using a direct route, the switch forwards the frame directly to the
destination, which is the server’s MAC address. Switch C uses ARP to
resolve the server’s IP address to a MAC address and to determine the
physical forwarding port.
Note that if Switch C were using an indirect route, it would use ARP to
resolve the next hop router’s IP address to a MAC address. It would then
specify that MAC address instead of the actual destination device’s MAC
address.
4 –24 Rev. 13.31

Routing
Module 4: Routing
Step 5
When Switch D receives the frame, it uses its MAC (Layer 2) forwarding
table to find the correct port for the destination MAC address. (If Switch D
does not know the port, it floods the frame.)
The traffic has now reached its destination, the database server with IP
address 10.1.30.101/24 and MAC address 00-E0-52-F0-4C-0F.
Rev. 13.31 4 –25

Module 4: Routing
VLAN tagging on HP ProVision switches: Step 1
Introduction
Now that you understand how traffic is routed between VLANs, you will now
examine how HP ProVision switches handle VLAN assignments and 802.Q
tagging as they forward and route the traffic. You will examine this topic
using the same scenario as before: you will trace an IP packet sent from a
workstation to a database server.
Step 1
Before you look at the flow of traffic and how frames are tagged, you must
understand port VLAN membership. In this example, switches support
multiple VLANs on their switch-to-switch ports. All of the switch-to-switch
ports are untagged members of VLAN 1 and tagged members of one or
more other VLANs. VLANs on this network include:
• Faculty VLAN, which is VLAN 10

• Student VLAN, which is VLAN 20
• Data Center VLAN, which is VLAN 30
The source workstation and destination database server, on the other hand,
do not support 802.1Q, and the ports are untagged members of their
respective VLANs:
• The workstation is a member of the Student VLAN, VLAN 20.

• The database server is a member of the Data Center VLAN, VLAN 30.
4 –26 Rev. 13.31

Routing
Module 4: Routing
Step 2
When the source workstation sends the frame (containing the packet
destined for the database server), Switch B receives the frame on a port
that is an untagged member of VLAN 20.
The workstation does not support 802.1Q. The frame does not include an
802.1Q tag at this point.
Rev. 13.31 4 –27

Module 4: Routing
Step 3
Switch B forwards the frame to Switch C on a port that is tagged for VLAN
20. Because the port is tagged for VLAN 20, the switch inserts the 802.1Q
tag into the Ethernet frame.
4 –28 Rev. 13.31

Routing
Module 4: Routing
Step 4
Switch C routes the packet to VLAN 30. Because the link between Switch C
and Switch D is tagged, Switch C removes the VLAN 20 802.1Q tag from
the Ethernet frame and then inserts the VLAN 30 802.1Q VLAN tag into the
Ethernet frame.
Rev. 13.31 4 –29

Module 4: Routing
Step 5
Switch D receives the frame on a port that is a tagged member of VLAN 30.
However, because the server is connected to Switch D on an untagged port
that is a member of VLAN 30, Switch D removes the 802.1Q tag before
forwarding the frame to the switch.
4 –30 Rev. 13.31

Routing
Module 4: Routing
Access and trunk ports on HP Comware switches
Introduction
You will now trace a packet on a similar network that includes Comware
switches instead of ProVision switches. Again, all switches on this network
must support multiple VLANs, including the default VLAN, VLAN 1.
Step 1
The source workstation and destination database server do not support
802.1Q. Consequently, the workstation is connected to an access port
assigned to VLAN 20, and the server is connected to an access port in
VLAN 30. The workstation sends an untagged frame (containing the packet
destined for the database server) to its directly connected switch, Switch B.
Step 2
Switch B must send VLAN 20 traffic to Switch C, the default gateway for
that VLAN. The Switch B port that connects to Switch C must also support
VLAN 1 traffic, so the port is a trunk port, which supports multiple VLANs.
The trunk port must be configured to support VLAN 20. (If VLAN 20 is not
permitted, the trunk port will discard the frame.)
Switch B inserts the 802.1Q tag into the Ethernet frame and sends it to
Switch C.
Step 3
Switch C receives the frame on a trunk port that permits VLAN 20. Switch C
then checks its routing table and determines that it must route the packet to
Rev. 13.31 4 –31

VLAN 30 and forward it to Switch D. The Switch C port that connects to

Switch D is configured as a trunk port that permits VLAN 30. Switch C adds
a new Ethernet header and inserts the 802.1Q tag in the frame.
Step 4
Switch D receives the frame on a trunk port that permits VLAN 30. Switch D
checks its MAC table and determines it must forward the frame to the
access port that connects to the destination database server. (If this entry
was not in the switch’s MAC table, the switch would flood an ARP request
in VLAN 30 to resolve the IP address.) Switch D removes the 802.1Q field
from the frame and forwards it to the server.
4 –32 Rev. 13.31

Routing
Module 4: Routing
VLANs on HP ProVision and Comware switches
The table below summarizes how port-based VLANs are supported on ProVision and Comware switches. (Both ProVision
and Comware switches support advanced VLANs. To learn more about VLANs, attend the Building SMB Networks with HP
Technologies course.)
Type of connection ProVision switches Comware switches

Switch-to-switch links • Maximum of one • Trunk port, which is
(carry traffic in multiple untagged VLAN configured to “permit”
VLANs) membership (which is by multiple VLANs
default VLAN 1) • PVID, which is the
• Multiple tagged VLAN untagged VLAN, and
memberships multiple tagged VLANs
Connection to devices Untagged VLAN Access port (in the
that do not support membership (in the appropriate VLAN)
802.1Q appropriate VLAN)
The table summarizes how port-based VLANs are supported on ProVision

and Comware switches. (Both ProVision and Comware switches support
advanced VLANs. To learn more about VLANs, attend the Building SMB
Networks with HP Technologies course.)
Rev. 13.31 4 –33

Module 4: Routing
Summary
In this module, you learned about the following:
When a Layer 3 switch or router is required to route traffic
What information a Layer 3 switch requires to route traffic
How routing information is displayed in HP Comware and

ProVision switches
How static and default routes are used to ensure traffic

reaches its destination
How VLAN tagging works with Layer 3 routing
In this module, you learned about the following:
• When a Layer 3 switch or router is required to route traffic

• What information a Layer 3 switch requires to route traffic
• How routing information is displayed in HP Comware and ProVision
switches
• How static and default routes are used to ensure traffic reaches its
destination
• How VLAN tagging works with Layer 3 routing
4 –34 Rev. 13.31

Link Aggregation
Module 5
Module 5: Link Aggregation
Module objectives
This module explains how to use link aggregation to increase bandwidth on selected network links. You will first learn
about Link Aggregation Control Protocol (LACP), the industry-standard protocol for establishing aggregated links. You will
then learn how link aggregation is implemented on HP ProVision and Comware switches.
Explain how dynamic and static aggregated links are

implemented on HP switches
module, you will be Explain how aggregated links support VLANs on HP switches
able to:
Describe the basic similarities and differences between Link
Aggregation Control Protocol (LACP) and HP port trunking
This module explains how to use link aggregation to increase bandwidth on

selected network links. You will first learn about Link Aggregation Control
Protocol (LACP), the industry-standard protocol for establishing aggregated
links. You will then learn how link aggregation is implemented on HP
ProVision and Comware switches.
After completing this module, you will be able to:
• Explain how dynamic and static aggregated links are implemented on HP

switches
• Explain how aggregated links support VLANs on HP switches
• Describe the basic similarities and differences between Link Aggregation
Control Protocol (LACP) and HP port trunking
Rev. 13.31 5 –1
Ever-increasing bandwidth requirements
Business networks deliver critical services for both employees

and customers. With both employees and customers accessing
bandwidth-intensive and delay-sensitive applications,
network bandwidth must increase to keep pace with demand.
Also, as businesses move toward a converged infrastructure,
network bandwidth must be sufficient to deliver all the
services the network supports.
Business networks deliver critical services for both employees and

customers. With both employees and customers accessing bandwidth-
intensive and delay-sensitive applications, network bandwidth must
increase to keep pace with demand. Also, as businesses move toward a
converged infrastructure, network bandwidth must be sufficient to deliver all
the services the network supports.
5 –2 Rev. 13.31
Link Aggregation
Benefits of link aggregation
Link aggregation allows multiple physical links to function

as a single logical link, increasing the available bandwidth
for the devices using that link. Link aggregation provides a
scalable, cost-effective way to increase bandwidth.
For example, a company may be using 1-GbE links. If the
switches provide enough ports, the company can
aggregate some of these 1-GbE links to increase the
available bandwidth between particular switches. This
solution offers a cost-effective alternative to purchasing
10-GbE links.
In addition to increasing bandwidth, link aggregation adds
resiliency to the link. If one link in the aggregated group
fails, the remaining links can still carry traffic.
Link aggregation allows multiple physical links to function as a single logical

link, increasing the available bandwidth for the devices using that link. Link
aggregation provides a scalable, cost-effective way to increase bandwidth.
For example, a company may be using 1-GbE links. If the switches provide
enough ports, the company can aggregate some of these 1-GbE links to
increase the available bandwidth between particular switches. This solution
offers a cost-effective alternative to purchasing 10-GbE links.
In addition to increasing bandwidth, link aggregation adds resiliency to the

link. If one link in the aggregated group fails, the remaining links can still
carry traffic.
Rev. 13.31 5 –3
LACP: the industry standard
• Static LACP
• Dynamic LACP
Introduction
As is often the case, individual vendors saw the need to provide more
bandwidth and developed proprietary technologies to aggregate links. To
standardize aggregated links for multivendor environments, IEEE
developed the Link Aggregation Control Protocol (LACP). The original
standard is known as 802.3ad, but it has been subsequently updated to
802.1AX-2008. However, LACP is still frequently referred to as the 802.3ad
standard.
LACP allows you to create aggregated links between any two devices that
support the standard. For example, you can create links between any two
switches that support LACP or between a server and a switch.
LACP defines two types of aggregated links: static (or manual) or dynamic.
Static
With static LACP, aggregated links are established or configured manually.
If one of the connections in the aggregated links fails, the LACP-enabled
devices detect the failure but continue forwarding traffic on the remaining
connections.
Dynamic
With dynamic LACP, aggregated links are established automatically, using
the negotiation process outlined in the LACP standard. (You will learn about
5 –4 Rev. 13.31
Link Aggregation
this negotiation process later in this module.) If one of the connections in

the aggregated links fails, the LACP-enabled devices can automatically add
a standby connection, if one has been configured. If a standby connection
has not been configured, the devices continue forwarding traffic on the
remaining connections in the aggregated link.
Rev. 13.31 5 –5
LACP requirements
The LACP standard outlines some requirements for physical

links that will be part of the aggregated link:
All links must operate in full duplex (FDx) mode.
All links must be the same media type (such as

10/100/1000Base-T or 100FX) and speed.
The links must be established between two devices.
Once the aggregated link is established, LACP ensures the

physical links continue using the same speed and duplex
settings.
The LACP standard outlines some requirements for physical links that will
be part of the aggregated link:
• All links must operate in full duplex (FDx) mode.

• All links must be the same media type (such as 10/100/1000Base-T or
100FX) and speed.
• The links must be established between two devices.
Once the aggregated link is established, LACP ensures the physical links
continue using the same speed and duplex settings.
5 –6 Rev. 13.31
Link Aggregation
Dynamic LACP link negotiation
Switches configured to use dynamic LACP exchange LACPDUs, which include:

• Source MAC address
• System identifier
• Port priority
Introduction
When configured to use dynamic LACP, switches use LACP data units
(LACPDUs) to exchange information and establish a dynamic aggregated
link. Exchanging LACPDUs allows devices to determine if links can be
aggregated. For example, the devices determine if all of the links are the
same media type and speed. LACPDUs also allow devices to manage the
aggregated link, including handling failovers and adding or removing
physical links.
Source MAC
Like all Ethernet frames, the LACPDU contains the MAC address of the
sending device.
System identifier
The system identifier is the concatenation of a MAC address and the LACP
system priority. The LACP standard allows the switch to use its own MAC
address or a MAC address that is assigned to one of the ports in the
aggregated link. The system priority is a user-configurable number, which is
used to determine which switch will select the ports that are active in the
aggregated link. The switch that has the lower system priority will select the
active ports.
Rev. 13.31 5 –7
Port priority
The port priority is a user-configurable number that is used to determine
which ports are active and which are standby. Ports that have lower port
priority numbers will be used for active links before those with higher port
priority numbers.
5 –8 Rev. 13.31
Link Aggregation
Dynamic LACP: active and passive
Introduction
A dynamic LACP port can operate in one of two states: active or passive.
Passive
Passive ports listen for LACPDUs. If passive ports receive an LACPDU
from an active port, they respond with their own LACPDU.
Active
Active ports transmit LACPDUs to advertise that they can create
aggregated links.
Establishing the link

Two directly connected dynamic LACP ports exchange LACPDUs and
establish a link only if at least one port is active. If both ports are in a
passive state, no LACPDUs are exchanged because both ports listen for
LACPDUs and do not send LACPDUs until they receive one.
Both ports can be active, however. In this configuration, both ports will
advertise that they support LACP, respond to the other port’s
advertisement, and establish the aggregated link.
Rev. 13.31 5 –9
Conversations
Introduction
LACP provides guidelines for managing traffic transmitted over the
aggregated link, based on what it defines as a conversation. Simply put, a
conversation is a one-way communication between a source device and a
destination device.
Select a physical link

An LACP-enabled device identifies a conversation using the destination
MAC address and the source MAC address in the Ethernet frame and then
assigns the conversation to a particular physical connection in the
aggregated link. In the example shown here, the conversation between the
workstation and the server has been assigned to Link 2. All of the frames
that the workstation sends to the server in this communication session will
be sent over Link 2 unless, of course, Link 2 fails.
If the server responds to the workstation, a new conversation begins. The

server’s directly connected switch will assign that conversation to one of the
physical connections in the aggregated link. It does not have to assign that
conversation to Link 2.
Manage a conversation
The LACP standard stipulates that an LACP-enabled device should
transmit all the frames in a given conversation over the same physical
connection within the aggregated link. If it is necessary to move a
5 –10 Rev. 13.31
Link Aggregation
conversation (if the physical connection becomes unavailable, for example),

the LACP-enabled device must ensure that the destination device has
successfully received all of the frames already transmitted in that
conversation.
Recognize when the conversation ends

When a source devices stops sending frames to the destination device, the
conversation ends. The next time the workstation starts sending frames to
the server, the switch considers it a new conversation and assigns it to a
link, which may or may not be Link 2.
Rev. 13.31 5 –11

Link aggregation terminology
Before you begin learning how to implement link aggregation on HP Comware and ProVision switches, you should be aware
of some differences in terminology.
On HP Comware switches, link aggregation is referred to as

bridge aggregation. The logical interface is called an
aggregate interface.
On HP ProVision switches, link aggregation has traditionally

been referred to as port trunking. The logical interface is
called a trunk. (Be careful to distinguish this term from the
Comware term trunk port, which carries traffic for multiple
VLANs.)
On Cisco switches, an aggregated link is called an

EtherChannel.
Before you begin learning how to implement link aggregation on HP

Comware and ProVision switches, you should be aware of some
differences in terminology.
• On HP Comware switches, link aggregation is referred to as bridge

aggregation. The logical interface is called an aggregate interface.
• On HP ProVision switches, link aggregation has traditionally been
referred to as port trunking. The logical interface is called a trunk. (Be
careful to distinguish this term from the Comware term trunk port, which
carries traffic for multiple VLANs.)
• On Cisco switches, an aggregated link is called an EtherChannel.
5 –12 Rev. 13.31

Link Aggregation
HP ProVision switches: LACP or port trunking
• Static aggregated link

• Dynamic aggregated link
Introduction
ProVision switches support two methods for creating aggregated links:
• LACP, which can be used to create static or dynamic aggregated links

• Port trunking, which can be used to create static aggregated links
Port trunking has been an option on HP switches since the mid-1990s. With
port trunking, HP recommends that all links in the same trunk group use the
same speed, duplex, and flow control settings. In addition, the physical links
establishing the aggregated link must start and end on the same switch.
(Later in this module, you will learn about distributed trunking, which allows
one switch to establish a trunk with two remote devices.)
Static aggregated link

A static aggregated link created through LACP or port trunking is configured
and maintained manually. It recognizes only those ports that you configure
as part of the link; you cannot configure standby ports (which could become
active if one of the ports in the aggregated link failed).
Dynamic aggregated link

A dynamic aggregated link is automatically established and maintained by
LACP. (Port trunking does not support dynamic links.)
Rev. 13.31 5 –13

A dynamic aggregated link also supports standby physical links, which

provide additional failover if a functioning physical link within the aggregated
link becomes unavailable. Standby physical links are typically not counted
in the maximum allowed number of physical links for an aggregated link.
This allows you to set up an aggregated link with the maximum number of
physical links allowed by the switch (a number that varies from switch to
switch) and designate standby links, thereby providing maximum bandwidth
and redundancy.
5 –14 Rev. 13.31

Link Aggregation
HP ProVision switches: configuring static aggregated links
• Command syntax
• LACP example
• Port trunking example
Introduction
You will now take a quick look at the process of configuring a static
aggregated link on ProVision switches.
When creating a trunk, you should configure the trunk on the switch before
connecting the cables. If you connect the cables first, you will create a
network loop, unless you have enabled Spanning Tree Protocol (STP) or
another protocol for managing redundant links.
You should also complete the static trunk configuration on both switches
before the redundant links are connected.
Command syntax
When you configure static aggregated links on ProVision switches, you use
the trunk command:
Switch(config)# trunk <port numbers> <trunk name> <lacp

| trunk>
Rev. 13.31 5 –15

You specify the following options:
• Port numbers: If you are making non-contiguous ports part of the link,
use commas to separate the ports. For a range of ports, use a hyphen.
For example :
a1,b1,c1
a3-a10
• Trunk name: To name the trunk, you include a number after trk. For
example, you might create trk1 or trk5.
• LACP or trunk: Specify if you want to use LACP or trunk (for port
trunking) to create the static trunk.
LACP example
For example, to create a static LACP trunk with ports A1, B7, and C3 and
name it Trk1, enter:
Switch(config)# trunk a1,b7,c3 trkl lacp
Port trunking example

For example, to create a static trunk (using port trunking) with ports A1 to
A7 and name it Trk2, enter:
Switch(config)# trunk a1-a7 trk2 trunk
5 –16 Rev. 13.31

Link Aggregation
HP ProVision switches: configuring dynamic aggregated links
To configure a dynamic LACP aggregated link on ProVision switches, you use the interface command.
Switch(config)# interface <port numbers> lacp [active | passive]
Remember that you use commas to separate non-contiguous ports and a hyphen for a range of contiguous ports. Then,
specify if you want this port to be active or passive. For example:
Switch(config)# interface a1,b7 lacp active
After you create a dynamic LACP aggregated link, the switch automatically names it Dynx, replacing x with the next
available number. For example, the first dynamic LACP aggregated link is called Dyn1.
To configure a dynamic LACP aggregated link on ProVision switches, you

use the interface command.
Switch(config)# interface <port numbers> lacp [active |

passive]
Remember that you use commas to separate non-contiguous ports and a

hyphen for a range of contiguous ports. Then, specify if you want this port
to be active or passive. For example:
Switch(config)# interface a1,b7 lacp active
After you create a dynamic LACP aggregated link, the switch automatically
names it Dynx, replacing x with the next available number. For example, the
first dynamic LACP aggregated link is called Dyn1.
Rev. 13.31 5 –17

HP ProVision switches: VLANS and aggregated links
• Configuring VLANs on static aggregated links

• Using GVRP to provide VLAN support on dynamic aggregated links
Introduction
Creating an aggregated link affects any existing VLAN memberships on the
ports that you assign to the aggregated link. Specifically, all VLAN
memberships are removed from the port. For example, suppose port 24 is a
tagged member of VLANs 10, 20, and 30. If you make port 24 a member of
an aggregated link, all those VLAN memberships are removed.
When the aggregated link is configured, it automatically becomes an

untagged member of the switch’s default VLAN, VLAN 1.
Typically, you want an aggregated link to carry traffic from more than one
VLAN. The steps you take to allow the aggregated link to support multiple
VLANs vary, depending on whether the link is static or dynamic.
Static aggregated link

With static aggregated links, you can simply make the aggregated link a
member of a VLAN. You configure the aggregated link just as you would a
port. For example, if you wanted to make Trk1 a tagged member of VLAN
10, you would enter:
Switch(config)# vlan 10 tagged trk1
You can check VLAN membership by using the show run command. As
you can see, the port will be listed under the VLANs to which it belongs.
5 –18 Rev. 13.31
Link Aggregation
Dynamic aggregated link

On ProVision switches, you cannot manually assign a dynamic aggregated
link to a VLAN. Instead, you must use GARP VLAN Registration Protocol
(GVRP) to allow the aggregated link to carry traffic from multiple VLANs.
To view information about the link, use the show lacp command.
Rev. 13.31 5 –19

HP ProVision switches: load distribution
Introduction
One of the benefits of using link aggregation is that switches can distribute
conversations across the physical connections within the aggregated link.
Because the LACP standard does not require devices to use a specific
algorithm to distribute conversations, each switch vendor uses its own
algorithm.
Distributing conversations
When you implement an aggregated link on a ProVision switch, it identifies
each conversation that is transmitted across the link. Earlier in this module
you learned that a conversation is a one-way communication between a
source device and a destination device. By default, the HP 3500, 3800,
5400 zl, 6200 yl, 6600, and 8200 zl Switch Series use Layer 3 or Layer 2
information to identify a conversation and then apply an algorithm to
distribute the conversations across the connections in the aggregated link.
If a Layer 3 IP address is available, the switch's calculation will include the
last five bits of the IP source address and IP destination address. For other
traffic, the switch will use the source and destination MAC addresses.
Rather than use the default setting, you can configure the switch to use
Layer 4 information-UDP or TCP ports-for load balancing. (A detailed
discussion of using Layer 4 information for load balancing is beyond the
scope of this course. Check your switch documentation for more
information.)
5 –20 Rev. 13.31

Link Aggregation
The number of possible outcomes of the hashing operation used in the

algorithm is equal to the number of links in the trunk. On a ProVision switch,
load distribution becomes more evenly balanced as the number of
conversations and links increases.
As shown in this example, when a workstation sends a frame to the server,

that frame and all subsequent frames that the workstation sends to the
server during that communication session constitute a conversation and will
be assigned to the same link.
Building a table of conversations

As the switch assigns a conversation to a link, it adds information about the
conversation to its internal table. The two switches that have established
the aggregated link build their tables independently of one another. That is,
each switch is unaware of the other switch’s table and does not take this
into account when making link assignments.
In this example, the switch directly connected to the workstation assigned

the conversation to link 4. The switch directly connected to the server,
however, assigned the return traffic (which is a different conversation) to
link 2.
Rev. 13.31 5 –21

HP ProVision switches: distributed trunking
Introduction
In addition to static and dynamic aggregated links, some ProVision switches
support distributed trunking, which provides high availability and load
sharing for server-to-switch connections or switch-to-switch connections.
Server-to-switch distributed trunking

Distributed trunking allows you to establish multiple connections between
two switches, which work together to form one side of the aggregated link,
and a device (such as a switch or a server), which forms the other side of
the connection. If the connection between one distributed trunking (DT)
switch and the server fails or if a DT switch becomes unavailable, the
server sends all traffic to the remaining DT switch.
When HP introduced server-to-switch distributed trunking, it supported only

LACP. With subsequent software updates on the switches that support this
feature, these server-to-switch distributed trunks can also be created using
HP port trunking.
Switch-to-switch distributed trunking

Distributed trunking also allows you to connect two distributed trunking (DT)
switches to another switch, which is called the distributed trunking device.
The trunk appears to the distributed trunking device—in this example,
switch 3—as if it is connected to a single device. The distributed trunking
5 –22 Rev. 13.31

Link Aggregation
device must support LACP or be able to form a trunk with a switch that is
using HP port trunking.
Benefits of distributed trunking

Like traditional aggregated links, distributed trunking increases bandwidth,
thereby improving performance. It also improves performance because the
distributed trunking (DT) switches load share traffic across the physical
connections in the distributed trunk. Performance is enhanced even more
because the traffic can be handled by one of two DT switches.
In addition to increasing bandwidth, distributed trunking provides device-

level redundancy and link-failure protection. If one of the DT switches
becomes unavailable, the distributed trunking device continues to send and
receive traffic through its connection to the other DT switch. Likewise, if one
of the links in the distributed trunk becomes unavailable, the distributed
trunking device (the switch or server connected to the two DT switches)
simply sends and receives traffic over the other links in the distributed trunk.
Support for distributed trunking

The following HP ProVision switches support distributed trunking:
• HP 3500 Switch Series

• HP 5400 zl Switch Series
• HP 6200-24G-mGBIC yl Switch
• HP 8200 zl Switch Series
With the exception of the 3800 Switch Series, these switches run the K.XX
software. Distributed trunking for server-to-switch connections was
introduced in the K.14 software release. The K.15.03 software release
allowed you to use port trunking to create server-to-switch distributed
trunks, and the K.15.05 software added support for switch-to-switch
distributed trunking.
The 3800 Switch Series runs the KA.XX software and supported server-to-
switch distributed trunking in the initial release. The KA.15.09 software
release provided support for switch-to-switch distributed trunking.
Rev. 13.31 5 –23

HP Comware switches: static and dynamic bridge aggregation
As you learned earlier, link aggregation is called bridge aggregation on Comware

switches. Comware switches support two types of bridge aggregation:
Static bridge aggregation—The Comware switches do not use

LACP for static bridge aggregation.
Dynamic bridge aggregation—The Comware switches exchange

LACPDUs to set up dynamic bridge aggregation. Because the
switches are using a protocol for the bridge aggregation, the term
“dynamic” is used to describe the configuration. Based on the
LACP standard, however, the switches are actually using the static
LACP operational mode.
As you learned earlier, link aggregation is called bridge aggregation on

Comware switches. Comware switches support two types of bridge
aggregation:
• Static bridge aggregation—The Comware switches do not use LACP

for static bridge aggregation.
• Dynamic bridge aggregation—The Comware switches exchange
LACPDUs to set up dynamic bridge aggregation. Because the switches
are using a protocol for the bridge aggregation, the term “dynamic” is
used to describe the configuration. Based on the LACP standard,
however, the switches are actually using the static LACP operational
mode.
5 –24 Rev. 13.31

Link Aggregation
HP Comware switches: aggregation groups
Configuration Example Settings Affects Aggregation

State?
Port Port rate Yes
Duplex mode
Link status (up/down)
Class-one GVRP VLANs No
MSTP settings
Class-two Port type (trunk or access) Yes
Default VLAN (for port)
Permitted VLANs*
Due to space constraints, this course lists only some of the class
settings.
Introduction
To configure bridge aggregation on Comware switches, you create an
aggregation group and assign ports to that group. When you add a port to
an aggregation group, that port can have one of two states:
• Selected: A selected port forwards traffic for the link aggregation group.
• Unselected: An unselected port cannot forward traffic for the link
aggregation group.
Settings that affect aggregation state

Certain settings affect a port’s aggregation state (whether it’s selected or
unselected). For the purposes of aggregation, configuration settings are
grouped into classes. The table shows that the class one settings do not
affect a port’s aggregation state, but port settings and class two settings do
affect this state.
HP recommends that before you create a link aggregation group, you

ensure that all ports that will be added to the group have the same port and
class two configuration settings.
After you add ports to a link aggregation group, any additional class two
configurations made to a link aggregation group are automatically
synchronized to all of its member ports. These configurations are retained
Rev. 13.31 5 –25

on the member ports after they are removed from the link aggregation
group.
Reference ports
For each link aggregation group, Comware switches select a reference port.
The switches use the reference port to help determine the aggregation state
of each port. Simply put, the switches compare the port attributes and
class-two configurations of other member ports to those of the reference
port. The ports with settings that match the reference port can be selected
(if they meet other criteria as well).
The process for selecting this reference port differs slightly, depending on if
the link aggregation group is static or dynamic.
5 –26 Rev. 13.31

Link Aggregation
HP Comware switches: selecting a reference port for static aggregation groups
Criteria used for selecting a port in the static aggregation groups
Introduction
Now let’s take a look at how the switches select a reference port for static
link aggregation groups.
Initial selection criteria

For static link aggregation groups, a Comware switch selects a reference
port from member ports that:
• Are in the up state

• Have the same class two configuration settings as the aggregate
interface
Next selection criteria

After the switch identifies the ports that are up and have the same class two
configuration settings, it then applies the following selection criteria in the
order listed:
• Full-duplex, high-speed
• Full-duplex, low-speed
• Half-duplex, high-speed
• Half-duplex, low-speed
Rev. 13.31 5 –27

In other words, the switch will select a port operating in full-duplex, whether
it is a high-speed or low-speed port, before it will select a port operating in
half-duplex.
Final selection criteria

If two or more ports have the same duplex mode and speed, the switch
selects the port with the lower port number.
5 –28 Rev. 13.31

Link Aggregation
HP Comware switches: aggregation state of static port members
Introduction
Once the switch selects the reference port, it determines the aggregation
state of each member port in the static link aggregation group.
Does the port support the reference port’s line speed and duplex
mode?
If the answer is yes, the switch applies the next criterion.
If the answer is no, the port’s aggregation state is set to unselected.
Is the port up or down?

If the answer is up, the switch applies the next criterion.
If the answer is down, the port’s aggregation state is set to unselected.
Do the port attributes and class two configurations match those of the
reference port?
If the answer is yes, the switch applies the next criterion.
If the answer is no, the port’s aggregation state is set to unselected.
Has the link aggregation group reached the maximum number of

links?
If the answer is yes, the port’s aggregation state is set to unselected.
Rev. 13.31 5 –29
If the answer is no, the port’s aggregation state is set to selected.
Depending on why the ports have been set to unselected, they might be
used as standby links in case the selected links become unavailable. For
example, if a port is unselected because the link aggregation group reached
its maximum number of ports, the port’s state could be changed to selected
if another selected port fails.
5 –30 Rev. 13.31

Link Aggregation
HP Comware switches: reference port for dynamic link aggregation groups
For dynamic link aggregation groups, Comware switches use a two-step process:
1. They select the switch on which the reference port will reside.
2. The selected switch determines the reference port.
Introduction
For dynamic aggregation groups, the Comware switches use a different
process for selecting the reference port. The two switches setting up a
dynamic link use a two-step process:
• They select the switch on which the reference port will reside.
• The selected switch determines the reference port.
Selecting the switch

To select which switch will host the reference port, the two switches
compare their LACP system priority. The switch with the lower priority
number is selected. If the switches have the same LACP priority, the switch
with the lowest MAC address is selected.
Selecting the reference port

The selected switch determines the reference port based on which port in
its link aggregation group has the lowest LACP port priority. If two ports
have the same port priority, the switch will select the port with the lowest
port number.
Rev. 13.31 5 –31

HP Comware switches: aggregation state of dynamic member ports
During the process of selecting a reference port, the two switches

forming a dynamic aggregated link identified which switch has the
lower LACP system priority. In addition to selecting the reference
port, this switch effectively determines the aggregation state
(selected or unselected) for member ports on both switches.
The switch uses the same criteria to determine the aggregation
state for dynamic aggregate ports as it does for static aggregate
ports. For dynamic link aggregation, however, the switch adds
another criterion: it checks that the port attributes and class two
configuration settings of each peer port match those of the peer
port that connects to the reference port.
During the process of selecting a reference port, the two switches forming a
dynamic aggregated link identified which switch has the lower LACP system
priority. In addition to selecting the reference port, this switch effectively
determines the aggregation state (selected or unselected) for member ports
on both switches.
The switch uses the same criteria to determine the aggregation state for
dynamic aggregate ports as it does for static aggregate ports. For dynamic
link aggregation, however, the switch adds another criterion: it checks that
the port attributes and class two configuration settings of each peer port
match those of the peer port that connects to the reference port.
5 –32 Rev. 13.31

Link Aggregation
HP Comware switches: static versus dynamic aggregation links
This table summarizes the advantages and disadvantages of each type of link aggregation on Comware switches. Please
note that for dynamic link aggregation groups, a port’s state depends on the peer port’s state.
Type Advantages Disadvantages

Static Aggregation is stable. A port’s You must manually manage the
aggregation state is not affected aggregation state. The switch
by other ports within the group. cannot change the aggregation
state of ports to match their peers’
aggregation state.
Dynamic Linked switches automatically Depending on the network
maintain link aggregation. environment, aggregation can be
unstable. A port’s aggregation
state is affected by the network
environment.
This table summarizes the advantages and disadvantages of each type of

link aggregation on Comware switches. Please note that for dynamic link
aggregation groups, a port’s state depends on the peer port’s state.
Rev. 13.31 5 –33

HP Comware switches: load sharing
You can configure load sharing:

• Globally
• Aggregation group
Introduction
For both static and dynamic aggregation groups, Comware switches
provide flexibility in how traffic is distributed across the physical links in the
group. You can configure load sharing globally or per aggregation group.
Global
For the global setting, you can configure the switch to load share based on:
• Source IP address
• Destination IP address
• Destination MAC address
• Source IP address and destination IP address
• Source IP address and source port
• Destination IP address and destination port
• Source IP address, source port, destination IP address, and destination
port
• Any combination of incoming port, source MAC address, and destination
MAC address
5 –34 Rev. 13.31

Link Aggregation
Per aggregation group

If load sharing has been defined both globally and for a particular
aggregation group, the switch will apply the settings for the aggregation
group. For each aggregation group, you can configure the switch to load
share based on:
• Source IP address
• Destination IP address
• Destination MAC address
• Layer 1 Multiprotocol Labe Switching (MPLS) label (which is used on
networks that support telecommunications)
• Destination IP address and source IP address
• Destination MAC address and source MAC address
• Layer 1MPLS label and Layer 2MPLS label
Rev. 13.31 5 –35

HP Comware switches: configuring static aggregation groups
To create a static link aggregation group on a Comware switch, you must be at the system view command level. Enter the
following command. Note that the default mode for aggregated links is static, so you do not have to include an option to
ensure that the link aggregation group is static.
[Switch] interface bridge-aggregation <number>

[Switch-Bridge-Aggregation1] quit
After you have created the static link aggregation group, you must move to a port interface view to add the port to the link
aggregation group.
[Switch] interface <interface name> <interface number>

[Switch-GigabitEthernet1/0/1] port link-aggregation group <number>
Repeat this step for each port interface that will be part of the link aggregation group.
To create a static link aggregation group on a Comware switch, you must be

at the system view command level. Enter the following command. Note that
the default mode for aggregated links is static, so you do not have to
include an option to ensure that the link aggregation group is static.
[Switch] interface bridge-aggregation <number>

After you have created the static link aggregation group, you must move to
a port interface view to add the port to the link aggregation group.
[Switch] interface <interface name> <interface number>

[Switch-GigabitEthernet1/0/1] port link-aggregation
group <number>
Repeat this step for each port interface that will be part of the link
aggregation group.
5 –36 Rev. 13.31

Link Aggregation
HP Comware switches: configuring dynamic link aggregation groups
Just as you would for a static aggregate interface, you must first create a link aggregation group and assign it a number.
[Switch] interface bridge-aggregation 2
Because the default mode for link aggregation on Comware switches is static, you must set the mode to dynamic.
[Switch-Bridge-Aggregation2] link-aggregation mode dynamic

You then assign ports to the dynamic aggregate interface by accessing each port interface and entering the port link-
aggregation group command.
[Switch-GigabitEthernet1/0/22] port link-aggregation group 2
You can also configure LACP options such as system priority and port priority. As you learned, system priority is used to
determine which switch will select the reference port and the aggregation state of all the ports in the link aggregation
group. Port priority is used in the process of determine which port is the reference port. Again, smaller numbers have a
higher priority.
Just as you would for a static aggregate interface, you must first create a
link aggregation group and assign it a number.
Because the default mode for link aggregation on Comware switches is

static, you must set the mode to dynamic.
[Switch-Bridge-Aggregation2] link-aggregation mode

dynamic
You then assign ports to the dynamic aggregate interface by accessing

each port interface and entering the port link-aggregation group command.

[Switch-GigabitEthernet1/0/22] port link-aggregation
group 2
Rev. 13.31 5 –37

You can also configure LACP options such as system priority and port
priority. As you learned, system priority is used to determine which switch
will select the reference port and the aggregation state of all the ports in the
link aggregation group. Port priority is used in the process of determine
which port is the reference port. Again, smaller numbers have a higher
priority.
5 –38 Rev. 13.31

Link Aggregation
HP Comware switches: configuring VLANs on aggregate interfaces
You can configure VLANs for both static and dynamic aggregation groups. You use the same commands that you use to
configure VLANs for any interface on a Comware switch. For example, you can make an aggregation group a trunk port and
add permitted VLANs using these commands.

[Switch-Bridge-Aggregation1] port link-type trunk
[Switch-Bridge-Aggregation1] port trunk permit vlan 100 200
You can configure VLANs for both static and dynamic aggregation groups.
You use the same commands that you use to configure VLANs for any
interface on a Comware switch. For example, you can make an aggregation
group a trunk port and add permitted VLANs using these commands.

[Switch-Bridge-Aggregation1] port link-type trunk
[Switch-Bridge-Aggregation1] port trunk permit vlan
100 200
Rev. 13.31 5 –39

Summary
In this module you learned about the different link aggregation technologies supported on HP ProVision and Comware
switches. You should now have a solid understanding of the following:
Link aggregation is a cost-effective way to increase bandwidth

and add resiliency.
LACP is the industry standard for link aggregation.
HP ProVision switches support static aggregated links (which

are implemented through LACP or port trunking) or dynamic
aggregated links (which are implemented through LACP).
Comware switches support static aggregated interfaces

(which are not implemented through LACP) and dynamic
aggregated interfaces (which are implemented through LACP).
In this module you learned about the different link aggregation technologies
supported on HP ProVision and Comware switches. You should now have
a solid understanding of the following:
• Link aggregation is a cost-effective way to increase bandwidth and add

resiliency.
• LACP is the industry standard for link aggregation.
• HP ProVision switches support static aggregated links (which are
implemented through LACP or port trunking) or dynamic aggregated links
(which are implemented through LACP).
• Comware switches support static aggregated interfaces (which are not
implemented through LACP) and dynamic aggregated interfaces (which
are implemented through LACP).
5 –40 Rev. 13.31

Redundancy
Module 6
Module 6: Redundancy
Module Objectives
HP Comware and ProVision switches support a number of technologies that provide redundancy and increase network
uptime. This module focuses on two:
Spanning Tree Protocol (STP)
HP Intelligent Resilient Framework (IRF)
Explain how spanning tree technologies are

used in today’s networks
Compare STP, Rapid Spanning Tree

Protocol (RSTP), and Multiple Spanning
Tree Protocol (MSTP)
Describe the advantages of using HP IRF to

provide network redundancy
HP Comware and ProVision switches support a number of technologies that

provide redundancy and increase network uptime. This module focuses on
two:
• Spanning Tree Protocol (STP)

• HP Intelligent Resilient Framework (IRF)
• Explain how spanning tree technologies are used in today’s networks

• Compare STP, Rapid Spanning Tree Protocol (RSTP), and Multiple
Spanning Tree Protocol (MSTP)
• Describe the advantages of using HP IRF to provide network redundancy
Rev. 13.31
6–1
Need for network redundancy
Networks deliver critical services to users. If a network is not designed to provide redundancy, a network link failure could
prevent users from accessing essential network services.
To protect against failures, you need to add redundant network links. However, simply adding links creates network
loops, which result in broadcast storms that make the network inaccessible. To function properly, an Ethernet network
must have only one active pathway between two devices.
Networks deliver critical services to users. If a network is not designed to

provide redundancy, a network link failure could prevent users from
accessing essential network services.
To protect against failures, you need to add redundant network links.

However, simply adding links creates network loops, which result in
broadcast storms that make the network inaccessible. To function properly,
an Ethernet network must have only one active pathway between two
devices.
6–2 Rev. 13.31

Redundancy
Lesson 1
This lesson describes the basics of spanning tree, explaining how it

enables network redundancy and eliminates network loops. It first
focuses on the original standard, Spanning Tree Protocol (STP),
and then describes the enhancements provided by Rapid Spanning
Tree Protocol (RSTP) and Multiple Spanning Tree Protocol (MSTP).
This lesson describes the basics of spanning tree, explaining how it enables
network redundancy and eliminates network loops. It first focuses on the
original standard, Spanning Tree Protocol (STP), and then describes the
enhancements provided by Rapid Spanning Tree Protocol (RSTP) and
Multiple Spanning Tree Protocol (MSTP).
Rev. 13.31
6–3
STP overview
STP is an industry-standard link management protocol

that supports path redundancy while preventing network
loops. STP automatically detects redundant links,
calculates the lowest cost path (or preferred path) through
the network, and then blocks all other redundant links.
STP is an industry-standard link management protocol that supports path

redundancy while preventing network loops. STP automatically detects
redundant links, calculates the lowest cost path (or preferred path) through
the network, and then blocks all other redundant links.
6–4 Rev. 13.31

Redundancy
STP overview
If a link in the preferred path fails, STP automatically

opens a new preferred path so the traffic can be forwarded
and will continue to reach its destination. When creating
this new path, STP changes the status of any previously
blocked links from “blocking” to “forwarding.”
If a link in the preferred path fails, STP automatically opens a new preferred
path so the traffic can be forwarded and will continue to reach its
destination. When creating this new path, STP changes the status of any
previously blocked links from “blocking” to “forwarding.”
Rev. 13.31
6–5
STP convergence
Introduction
In spanning-tree terminology, the process of detecting redundant links and
calculating a preferred network path is called convergence. The first step in
the convergence process is to elect a root bridge, which serves as the
central point (or root) of the STP network. The root bridge is also
responsible for notifying other switches of any STP changes.
To elect a root bridge, the switches in an STP network exchange Bridge

Priority Data Units (BPDUs).
Bridge ID
To elect a root bridge, switches in the same STP network compare bridge
IDs in BPDUs. The switch with the lowest bridge ID is elected the root
bridge.
Bridge priority and MAC address

A bridge ID has two parts:
• Bridge priority
• Media Access Control (MAC )address
You can configure the bridge ID on most STP-compliant devices, thereby

determining which device is elected the root bridge. By default, the bridge
priority for each switch is typically 32768.
6–6 Rev. 13.31
Redundancy
Bridge ID
As you have learned, each switch has a default bridge priority. If all switches in an STP network are using the same bridge
priority—such as the default bridge priority—the switches must compare the other part of the bridge ID—their MAC
addresses.
If such an environment, the switch with the lowest MAC address is elected root bridge. However, the switch with the lowest
MAC address may not be the best candidate for root bridge. For example, it might be oldest or slowest device.
Rather than leave the election of the root bridge to chance, you should select the switch you want to function as the root
bridge and change its bridge priority so that it is the lowest on the network. (You will learn how to configure the bridge ID
on a switch later in this module.)
As you have learned, each switch has a default bridge priority. If all
switches in an STP network are using the same bridge priority—such as the
default bridge priority—the switches must compare the other part of the
bridge ID—their MAC addresses.
If such an environment, the switch with the lowest MAC address is elected
root bridge. However, the switch with the lowest MAC address may not be
the best candidate for root bridge. For example, it might be oldest or
slowest device.
Rather than leave the election of the root bridge to chance, you should
select the switch you want to function as the root bridge and change its
bridge priority so that it is the lowest on the network. (You will learn how to
configure the bridge ID on a switch later in this module.)
Rev. 13.31
6–7
Breaking down the election process
At the beginning of the convergence process, each switch sends a BPDU frame with its own bridge ID in the root ID field.
Each switch also analyzes the BPDUs it receives to determine if there is a bridge ID or root ID lower than its own. If a switch
finds a lower bridge ID or root ID value than what it has in its root ID field, it substitutes the lower value in its BPDU and
considers the switch with that bridge ID to be the root bridge.
At the end of the election process, all switches in the STP convergence recognize the switch with the lowest bridge ID to be
the root bridge and insert the root bridge’s bridge ID into the root ID field of their BPDUs.
Switches constantly exchange BPDUs in an STP network. If switches stop receiving BPDUs from the root bridge for a set
period of time, they assume the root bridge has failed and begin a new election process.
At the beginning of the convergence process, each switch sends a BPDU

frame with its own bridge ID in the root ID field.
Each switch also analyzes the BPDUs it receives to determine if there is a

bridge ID or root ID lower than its own. If a switch finds a lower bridge ID or
root ID value than what it has in its root ID field, it substitutes the lower
value in its BPDU and considers the switch with that bridge ID to be the root
bridge.
At the end of the election process, all switches in the STP convergence
recognize the switch with the lowest bridge ID to be the root bridge and
insert the root bridge’s bridge ID into the root ID field of their BPDUs.
Switches constantly exchange BPDUs in an STP network. If switches stop

receiving BPDUs from the root bridge for a set period of time, they assume
the root bridge has failed and begin a new election process.
6–8 Rev. 13.31

Redundancy
Root path and root cost
After electing a root bridge, switches continue

exchanging BPDUs to determine the lowest cost
path to the root bridge. This path is the preferred
path for traffic and is also called the root path.
To calculate a path cost, switches add the cost of all
the links in a particular path. STP assigns a cost for
a link based on port speed: the higher the port
speed, the lower the cost. (Path costs were updated
in RSTP. The costs shown here are the RSTP costs.)
You can configure link costs for each link manually
although this practice is not recommended. 10 Gigabit = 2,000
1 Gigabit = 20,000
100 Mbps = 200,000
10 Mbps = 2,000,000
After electing a root bridge, switches continue exchanging BPDUs to

determine the lowest cost path to the root bridge. This path is the preferred
path for traffic and is also called the root path.
To calculate a path cost, switches add the cost of all the links in a particular
path. STP assigns a cost for a link based on port speed: the higher the port
speed, the lower the cost. (Path costs were updated in RSTP. The costs
shown here are the RSTP costs.)
You can configure link costs for each link manually although this practice is
not recommended.
Rev. 13.31
6–9
Path costs
ProVision Default Comware Default

Connection Type
Path Costs Path Costs
10 Gbps 2,000 2
1 Gbps 20,000 20
100 Mbps 200,000 200
10 Mbps 2,000,000 2,000
Because path costs were updated in the RSTP standard, it is possible that some STP-enabled devices support the STP
standard by default while others support the RSTP standard. Some devices might also use their own path costs by default.
When implementing spanning tree, you should ensure that all devices are using the same path costs so they can accurately
calculate the root path.
For example, by default ProVision switches use the RSTP path costs while Comware switches use the path costs listed in
the table. You can easily configure the Comware switches to use the RSTP path costs, as you will learn later in this module.
Because path costs were updated in the RSTP standard, it is possible that
some STP-enabled devices support the STP standard by default while
others support the RSTP standard. Some devices might also use their own
path costs by default. When implementing spanning tree, you should
ensure that all devices are using the same path costs so they can
accurately calculate the root path.
For example, by default ProVision switches use the RSTP path costs while
Comware switches use the path costs listed in the table. You can easily
configure the Comware switches to use the RSTP path costs, as you will
learn later in this module.
6–10 Rev. 13.31

Redundancy
Root path cost
As switches forward BPDUs, they add the cost of each link to the BPDUs’ root path cost field. Switches use this field to
compare the total path costs of each redundant path that leads from the switch to the root bridge.
The path with the lowest cost becomes the root path.
As switches forward BPDUs, they add the cost of each link to the BPDUs’
root path cost field. Switches use this field to compare the total path costs
of each redundant path that leads from the switch to the root bridge.
The path with the lowest cost becomes the root path.
Rev. 13.31
6–11
Root port and designated port
The switch’s port that leads to the root

path is called the root port. In the
example network, the root path for
Switch C leads directly to Switch A.
The Switch C port that connects to
Switch A is the root port.
You may also encounter the term
designated port when working with
STP. A designated port is a port that is
active but is not the root port.
Switches on a spanning tree network
use designated ports to send and
receive frames to a specific segment.
You should also know that on blocked
links only one of the ports is actually
in a blocking state. (You will learn
more about STP port states later in
this module.) This port is called the
alternate port. The other side of the
blocked link is a designated port.
The switch’s port that leads to the root path is called the root port. In the
example network, the root path for Switch C leads directly to Switch A. The
Switch C port that connects to Switch A is the root port.
You may also encounter the term designated port when working with STP. A
designated port is a port that is active but is not the root port. Switches on a
spanning tree network use designated ports to send and receive frames to
a specific segment.
You should also know that on blocked links only one of the ports is actually
in a blocking state. (You will learn more about STP port states later in this
module.) This port is called the alternate port. The other side of the blocked
link is a designated port.
6–12 Rev. 13.31

Redundancy
Using the bridge ID as the tie-breaker
After exchanging BPDUs with other switches, a switch might find that two or more paths have the same lowest cost. In
this case, the switch uses the bridge IDs of its STP neighbors as a tie-breaker. That is, the neighbor with the lowest bridge
ID has the lowest-cost path to the root bridge.
In this example network, Switch C has two paths to the root bridge, one path through Switch A and one path through
Switch D. Both paths have the same cost.
To choose the root path, Switch C compares the bridge priority of Switch A and Switch D. Path 1 becomes the root path
because switch A’s bridge priority is lower than switch D’s.
Path Link cost Path cost

Path 1 2,000 + 2,000 4,000
Path 2 2,000 + 2,000 4,000
After exchanging BPDUs with other switches, a switch might find that two or
more paths have the same lowest cost. In this case, the switch uses the
bridge IDs of its STP neighbors as a tie-breaker. That is, the neighbor with
the lowest bridge ID has the lowest-cost path to the root bridge.
In this example network, Switch C has two paths to the root bridge, one
path through Switch A and one path through Switch D. Both paths have the
same cost.
To choose the root path, Switch C compares the bridge priority of Switch A
and Switch D. Path 1 becomes the root path because switch A’s bridge
priority is lower than switch D’s.
Rev. 13.31
6–13
Using the port ID as a tie breaker
If multiple links connect to the same switch, the

bridge ID cannot be used as the tie-breaker to
determine the lowest-cost path.
For example, in the network shown here Switch
B and Switch C are connected with two links.
Because both ports have the same STP
neighbor (with the same bridge ID), the switch
uses the port ID, another field in the BPDU, as
the tie breaker. The port with the lowest port ID
becomes the root port, leading to the lowest
path.
Similar to the bridge ID, the port ID includes a
user-configurable field and a vendor-assigned
field. (The vendor-assigned field is a unique
number assigned to each port, with 256
possible values.)
If multiple links connect to the same switch, the bridge ID cannot be used
as the tie-breaker to determine the lowest-cost path.
For example, in the network shown here Switch B and Switch C are
connected with two links. Because both ports have the same STP neighbor
(with the same bridge ID), the switch uses the port ID, another field in the
BPDU, as the tie breaker. The port with the lowest port ID becomes the root
port, leading to the lowest path.
Similar to the bridge ID, the port ID includes a user-configurable field and a
vendor-assigned field. (The vendor-assigned field is a unique number
assigned to each port, with 256 possible values.)
6–14 Rev. 13.31

Redundancy
STP port states
• Listening
• Learning
• Forwarding
• Blocking
Introduction
Switch ports that participate in the STP convergence process can be in one
of several states.
Note that these are the states defined in the original standard. The RSTP
standard changed these states, and you will learn more about these
changes later in this module.
Listening
In the listening state, the port sends and receives BPDUs but discards data
frames. The port typically moves quickly from the listening state to the
learning state.
Learning
In the learning state, the port sends and receives BPDUs and begins
gathering information about the STP network. The switch uses the
information the port gathers to populate its MAC address table. However,
the port does not forward data frames yet.
Forwarding
The port moves to a forwarding state if it is part of a root path. In this state,
the port actively receives and sends data frames as part of a root path. The
port also continues to receive and forward BPDUs.
Rev. 13.31
6–15
Blocking
The port is in a blocking state when the port is first initialized and spanning
tree is enabled. If the port is configured to support STP, the port will then
move to a listening state and determine if other STP-enabled devices are
functioning on the network.
The port will then go through the listening and learning states. If the port is
not part of a root path, it will move to the blocking state. In this state, the
port does not receive and transmit data frames. The port is essentially in
standby mode. It may continue to receive BPDUs and may change to a
forwarding state if a link fails and it becomes part of a root path.
6–16 Rev. 13.31

Redundancy
Edge ports
In an STP network, you do not want all ports to participate

in the convergence process. For example, if a port connects
to an endpoint, you do not want that port to listen for or
send BPDUs.
Such ports should be designated as edge ports. Edge ports

do not participate in the STP convergence or send and
listen for BPDUs.
In an STP network, you do not want all ports to participate in the

convergence process. For example, if a port connects to an endpoint, you
do not want that port to listen for or send BPDUs.
Such ports should be designated as edge ports. Edge ports do not

participate in the STP convergence or send and listen for BPDUs.
Rev. 13.31
6–17
STP limitations and enhancements
Introduction
The original STP standard was released in 1990. As networks evolved, its
limitations became apparent.
Slow convergence
With the original STP standard, convergence could take as long as 30 to 50
seconds. With the services running on networks today, 30 to 50 seconds
hinders network performance. Today’s networks require much faster
convergence times.
In 1998 IEEE 802.1w, an amendment to the STP standard, was released.

Called Rapid Tree Spanning Protocol, or RSTP, this amendment
significantly reduced convergence.
In 2004 802.1w was incorporated into the main STP standard, which is
known as IEEE 802.1D-2004.
Ineffective use of redundant links

With both STP and RSTP, blocked links are idle, functioning solely as
backup links in case the active link becomes unavailable. With users putting
more demands on network bandwidth, companies cannot afford to have idle
links. They want to use redundant links to transmit traffic, while still being
able to rely on the links for redundancy.
6–18 Rev. 13.31

Redundancy
In 1998, an amendment to the 802.1Q (VLAN tagging) standard was

released. Known as 802.1s, Multiple Spanning Tree Protocol, or MSTP,
provided an extension to STP and RSTP, allowing the protocol to use
separate spanning tree instances for groups of VLANs.
In 2003 802.1s was merged into IEEE 802.1Q-2003.
Rev. 13.31
6–19
RSTP enhancements
RSTP uses essentially the same convergence process that STP uses to elect a root bridge and identify the root path.
However, RSTP enables faster convergence and allows faster transition of ports to a forwarding state.
With RSTP, convergence can occur in 1 second or less, but will typically occur within 6 seconds. STP convergence, on the
other hand, can take up to 50 seconds.
RSTP uses essentially the same convergence process that STP uses to
elect a root bridge and identify the root path. However, RSTP enables faster
convergence and allows faster transition of ports to a forwarding state.
With RSTP, convergence can occur in 1 second or less, but will typically
occur within 6 seconds. STP convergence, on the other hand, can take up
to 50 seconds.
6–20 Rev. 13.31

Redundancy
RSTP changes
You should be aware of at least two changes in the RSTP standard.

RSTP costs
Port states—The RSTP standard changed the blocking and Link Cost
listening states to the discarding state. However, in most 10 Mbps 2,000,000
discussions of STP, the term blocking is still used.
16 Mbps 1,250,000
Path costs—As mentioned earlier, RSTP uses different 100 Mbps 200,000
path costs than the original spanning tree. When 1 Gbps 20,000
configuring a spanning tree network, you must ensure that
all STP-enabled devices are using the same path costs. 2 Gbps 10,000
10 Gbps 2,000
You should be aware of at least two changes in the RSTP standard.
• Port states—The RSTP standard changed the blocking and listening

states to the discarding state. However, in most discussions of STP, the
term blocking is still used.
• Path costs—As mentioned earlier, RSTP uses different path costs than
the original spanning tree. When configuring a spanning tree network,
you must ensure that all STP-enabled devices are using the same path
costs.
Rev. 13.31
6–21
MSTP enhancements
MSTP enhanced the use of STP on networks that

support multiple VLANs, while still delivering the
fast convergence introduced with RSTP. MSTP
supports multiple spanning tree instances on the
same network, and each instance can include one
or more VLANs. MSTP supports multiple preferred
paths for data traffic, providing load sharing across
redundant network links.
You will now take a closer look at MSTP.
MSTP enhanced the use of STP on networks that support multiple VLANs,
while still delivering the fast convergence introduced with RSTP. MSTP
supports multiple spanning tree instances on the same network, and each
instance can include one or more VLANs. MSTP supports multiple
preferred paths for data traffic, providing load sharing across redundant
network links.
You will now take a closer look at MSTP.
6–22 Rev. 13.31

Redundancy
MSTP instances
MSTP allows you to create multiple instances of

STP and assign specific VLANs to each instance.
This example network has two MSTP instances:
Instance 1 supports VLANs 1, 8, 10, 16.
Instance 2 supports VLANs 4, 5, 6.
This frame shows two different views of the same
network, but keep in mind that the switches are
supporting both instances simultaneously.
In the next frame, you will examine this example
in more depth.
MSTP allows you to create multiple instances of STP and assign specific
VLANs to each instance. This example network has two MSTP instances:
Instance 1 supports VLANs 1, 8, 10, 16.
Instance 2 supports VLANs 4, 5, 6.
This frame shows two different views of the same network, but keep in mind
that the switches are supporting both instances simultaneously.
In the next frame, you will examine this example in more depth.
Rev. 13.31
6–23
Taking a closer look at MSTP instances
Each MSTP instance converges independently of

other instances defined on the network. As a
result, each instance can have a different root
bridge and block different redundant links. In
addition, each STP-enabled link can be part of
more than one instance.
In the example network, Switch B is the root bridge
for instance 1, and Switch A is the root bridge for
instance 2. Each instance has different active
links. For example, the link between Switch A and
Switch C is active for instance 2, yet blocked for
instance 1. For instance 1, the ports are in a
discarding state, but they are in a forwarding state
for instance 2.
MSTP allows for greater network utilization and
capacity because multiple instances mean that
ports have less idle time.
Each MSTP instance converges independently of other instances defined

on the network. As a result, each instance can have a different root bridge
and block different redundant links. In addition, each STP-enabled link can
be part of more than one instance.
In the example network, Switch B is the root bridge for instance 1, and
Switch A is the root bridge for instance 2. Each instance has different active
links. For example, the link between Switch A and Switch C is active for
instance 2, yet blocked for instance 1. For instance 1, the ports are in a
discarding state, but they are in a forwarding state for instance 2.
MSTP allows for greater network utilization and capacity because multiple
instances mean that ports have less idle time.
6–24 Rev. 13.31

Redundancy
MSTP regions
Introduction
An MSTP region is a group of switches that collectively defines the same
instances and participates in the same convergence process to elect a root
bridge and identify active paths for each instance. To recognize that they
are in the same region, switches must share certain MSTP attributes.
Configuration name
You must manually configure an MSTP region name, which identifies that
MSTP region.
Configuration revision number

The switches must use the same configuration revision number. You can
leave this field at the default value of 0, or manually configure it.
VLANs and MSTP Instances

You must create the same MSTP instances on all the switches in the same
region. You must also ensure that you assign the same VLANs to each
instance.
Rev. 13.31
6–25
MSTP regions (continued)
In an MSTP network, each switch can belong

to only one MSTP region. To identify all the
switches in a particular region, MSTP-enabled
switches use BPDUs to communicate their
MSTP region attributes. If another switch’s
MSTP region attributes match its own, a
switch knows that the other switch is in the
same MSTP region.
If you misconfigure an MSTP region attribute
on one of the switches that should be in the
same region, it will not join that region.
Instead, its unique attributes will define a
separate region. If this happens, the MSTP
instances defined on the switch will be
logically disconnected from the instances
defined on other switches, eliminating the
MSTP load-sharing benefits.
In an MSTP network, each switch can belong to only one MSTP region. To
identify all the switches in a particular region, MSTP-enabled switches use
BPDUs to communicate their MSTP region attributes. If another switch’s
MSTP region attributes match its own, a switch knows that the other switch
is in the same MSTP region.
If you misconfigure an MSTP region attribute on one of the switches that

should be in the same region, it will not join that region. Instead, its unique
attributes will define a separate region. If this happens, the MSTP instances
defined on the switch will be logically disconnected from the instances
defined on other switches, eliminating the MSTP load-sharing benefits.
6–26 Rev. 13.31

Redundancy
Internal Spanning Tree (IST)
When MSTP is enabled, all of the VLANs configured on

the switch are initially assigned to the Internal
Spanning Tree (IST), which is the default MSTP
instance within the MSTP region. Likewise, if you later
create a VLAN on the switch, it is added to the IST.
For example, suppose the network includes VLANs 1,
20, 30, 40, and 50. When you enable MSTP, all these
VLANs are part of the IST.
When you configure the MSTP region, these VLANs

are moved to the instance you specify. For example,
you might configure the MSTP with three instances:
instance 1 includes VLAN 20 and 30, instance 2
includes VLANs 40 and 50, and instance 3 includes
VLAN 60. As you assign these VLANs to an instance,
they are moved from the IST to that instance.
At least one VLAN should remain in the IST to ensure
connectivity in case of a configuration error. Typically,
this is the default VLAN (VLAN 1).
When MSTP is enabled, all of the VLANs configured on the switch are
initially assigned to the Internal Spanning Tree (IST), which is the default
MSTP instance within the MSTP region. Likewise, if you later create a
VLAN on the switch, it is added to the IST.
For example, suppose the network includes VLANs 1, 20, 30, 40, and 50.
When you enable MSTP, all these VLANs are part of the IST.
When you configure the MSTP region, these VLANs are moved to the
instance you specify. For example, you might configure the MSTP with
three instances: instance 1 includes VLAN 20 and 30, instance 2 includes
VLANs 40 and 50, and instance 3 includes VLAN 60. As you assign these
VLANs to an instance, they are moved from the IST to that instance.
At least one VLAN should remain in the IST to ensure connectivity in case
of a configuration error. Typically, this is the default VLAN (VLAN 1).
Rev. 13.31
6–27
MSTP interoperability with RSTP and STP
Because MSTP implements the same basic principles

as the earlier versions of the protocol, it is completely
interoperable and compatible with STP and RSTP.
MSTP will emulate STP and RSTP behaviors when
encountering devices that are running those versions
of the protocol.
Because MSTP implements the same basic principles as the earlier

versions of the protocol, it is completely interoperable and compatible with
STP and RSTP. MSTP will emulate STP and RSTP behaviors when
encountering devices that are running those versions of the protocol.
6–28 Rev. 13.31

Redundancy
Common Spanning Tree
Networks that support more than one MSTP region or MSTP and RSTP simultaneously need a mechanism to control
common links. In such environments, Common Spanning Tree, which is automatically enabled with MSTP, determines
whether a link between MSTP regions (or between a region and a legacy RSTP switch) is forwarding traffic or discarding
traffic. Common Spanning Tree ensures that there is only one active path.
Networks that support more than one MSTP region or MSTP and RSTP
simultaneously need a mechanism to control common links. In such
environments, Common Spanning Tree, which is automatically enabled with
MSTP, determines whether a link between MSTP regions (or between a
region and a legacy RSTP switch) is forwarding traffic or discarding traffic.
Common Spanning Tree ensures that there is only one active path.
Rev. 13.31
6–29
Default STP settings on HP switches
ProVision switches Comware switches
HP Comware switches
By default, Comware switches support MSTP although it is disabled. When
you enable STP on Comware switches, they begin using MSTP, and all
ports are configured to participate in the spanning tree network. You must
manually configure ports that connect to endpoints such as workstations,
servers, or printers as edge ports.
If you want a Comware switch to run RSTP, you must specify RSTP as the
STP “mode.”
HP ProVision switches
By default, ProVision switches support MSTP, but it is disabled. When STP
is enabled, switch ports are automatically configured as auto-edge ports.
Auto-edge ports listen for BPDUs for 3 seconds. If the ports do not receive
a BPDU, they transition to a forwarding state and begin to transmit data
frames. Thereafter, these ports will not transmit BPDUs or participate in the
STP convergence process.
6–30 Rev. 13.31

Redundancy
Configuring MSTP on HP Comware switches
Step 1: Create the region.

Step 2: Specify the region revision number.
Step 3: Create the MSTP instances and assign VLANs to them.
Step 4: Activate the MSTP region.
Step 5: Configure the root bridge and backup root bridge.
Step 6: Configure the switches to use the standard cost calculations.
Step 7: Enable STP.
Step 8: Save the configuration.
Introduction
You will now review the steps for configuring MSTP on HP Comware
switches.
Step 1
From the system view, enter the command to create the region (called
hplab in this example).
[Switch] stp region-configuration
[Switch-mst-region] region-name hplab1
Step 2
Specify the region revision number.
[Switch-mst-region] revision-level 1
Step 3
Create the instances and assign VLANs to them. In this example, instance
1 will include VLANs 10 and 20, and instance 2 will include VLANs 30 and
40.
[Switch-mst-region] instance 1 vlan 10 20
[Switch-mst-region] instance 2 vlan 30 40
Rev. 13.31
6–31
Step 4
Activate the MSTP region and return to the system view.
[Switch-mst-region] active region-configuration
[Switch-mst-region] quit
Step 5
Configure the switch as a root bridge or backup root bridge (optional,
depending on if you want this switch to fulfill these roles). In this example,
the switch will function as the root bridge in the IST (designated as instance
0) and instance 1 and as the backup root bridge in instance 2.
[Switch] stp instance 0 root primary
[Switch] stp instance 1 root primary
[Switch] stp instance 2 root secondary
Step 6
By default Comware switches use a non-standard method for calculating
port costs. To ensure that all the switches in a heterogeneous environment
are using the same method for calculating cost, you should configure the
switches to use the standard cost calculations, using the command above.
[Switch] stp pathcost-standard dot1t
Step 7
Enable spanning tree. Because the Comware switches default to MSTP,
you do not have to configure the mode setting.
[Switch] stp enable
Step 8
Save the configuration.
[Switch] save
6–32 Rev. 13.31

Redundancy
Configuring MSTP on HP ProVision switches
Step 1: Configure the MSTP region.

Step 2: Create the MSTP instances and assign VLANs to each one.
Step 3: Configure the root bridge and backup root bridge.
Step 4: Enable STP.
Step 5: Save the configuration.
Introduction
You will now review the steps for configuring MSTP on HP ProVision
switches.
Step 1
Configure the MSTP region. In this example, the region name is hplab, and
the revision number is set to 1.
Switch(config)# spanning-tree config-name hplab
Switch(config)# spanning-tree config-revision 1
Step 2
Create the MSTP instances. In this example, the region will have two
instances. Instance 1 will include VLANs 10 and 20, and instance 2 will
include VLANs 30 and 40.
Switch(config)# spanning-tree instance 1 vlan 10 20
Switch(config)# spanning-tree instance 2 vlan 30 40
Step 3
Configure the switch as the root bridge or backup root bridge for IST or the
MSTP instances. This step is optional, depending on if you want the switch
to fulfill these roles. In the example, the switch will be configured as the root
bridge for IST and instance 1 and as the backup root bridge for instance 2.
On ProVision switches, the priority value (0 or 1 in the example) is
multiplied by 4096 to derive the bridge priority. The default priority is 8 (8 x
Rev. 13.31
6–33
4096 = 32768). By setting a switch’s bridge priority to 0, you ensure that it

has the lowest bridge priority on the MSTP network.
Switch(config)# spanning-tree priority 0
Switch(config)# spanning-tree instance 1 priority 0
Switch(config)# spanning-tree instance 2 priority 1
Step 4
Enable spanning tree.
Switch(config)# spanning-tree
Step 5
Save the configuration.
Switch(config)# write memory
6–34 Rev. 13.31

Redundancy
Summary
In this lesson you learned about the basic operations of

STP. You learned how STP-enabled switches elect a root
bridge and then select the preferred path to that root
bridge, blocking all other redundant paths.
You also learned how RSTP and MSTP overcome the

limitations in the original standard. Finally, you reviewed
the steps for configuring MSTP on Comware and ProVision
switches.
In this lesson you learned about the basic operations of STP. You learned
how STP-enabled switches elect a root bridge and then select the preferred
path to that root bridge, blocking all other redundant paths.
You also learned how RSTP and MSTP overcome the limitations in the
original standard. Finally, you reviewed the steps for configuring MSTP on
Comware and ProVision switches.
Rev. 13.31
6–35
Lesson 2
Traditional stacking allows you to connect multiple switches together and manage them from a single interface.
Within the stack, however, each switch continues to operate independently.
HP Intelligent Resilient Framework (IRF) goes beyond simple stacking by combining two or more Comware
switches into one virtual switch. This lesson describes the advantages of using IRF and briefly outlines basic IRF
functionality.
Traditional stacking allows you to connect multiple switches together and

manage them from a single interface. Within the stack, however, each
switch continues to operate independently.
HP Intelligent Resilient Framework (IRF) goes beyond simple stacking by

combining two or more Comware switches into one virtual switch. This
lesson describes the advantages of using IRF and briefly outlines basic IRF
functionality.
6–36 Rev. 13.31

Redundancy
Advantages of using IRF
Introduction
IRF simplifies network design and network operations, provides a high level
of reliability, streamlines management, and provides scalability.
Simplified network design

With IRF, you can simplify the network design at both Layer 2 and Layer 3.
In Lesson 1, you learned how to build a resilient network using MSTP.
Instead of implementing a complicated spanning tree topology for Layer 2
redundancy, however, you can use IRF, which provides both device and link
redundancy. When you connect the virtual switch to the network, you can
use aggregated links, which efficiently load-balance traffic across
themselves for full utilization of the bandwidth. If necessary, you can
expand the uplink bandwidth by simply adding another link to the link
aggregation group.
Reliability
IRF provides both link and node redundancy. You can aggregate members’
IRF links and the links between the IRF virtual device and its upper or lower
layer devices.
In addition, the IRF virtual device includes multiple member devices that
operate in 1:N redundancy: If the master fails, the IRF virtual device
immediately elects a new master to prevent service interruption. In addition,
failover is extremely fast—under 2 milliseconds.
Rev. 13.31
6–37
Streamlined management
Whether you manage the IRF virtual device from the CLI or use a
management platform such as HP Intelligent Management Center, you will
manage it as a single device. You can connect to the IRF device’s
management interfaces through any member’s COM port, or using Telnet,
SSH, HTTP, or HTTPS to the IRF device’s IP address. Configurations are
performed on the master (which you will learn more about on the following
pages) and distributed to all associated switches, greatly simplifying
network setup, operation, and maintenance.
6–38 Rev. 13.31

Redundancy
Advantages of using IRF (continued)
Simplified network operations

IRF allows you to simplify the network design at Layer 3. The IRF virtual
device acts as a single router with a single IP address per interface. For
example, the IRF device can act as a redundant default gateway (without
implementing another Layer 3 redundancy mechanism such as Virtual
Router Redundancy Protocol). Routing protocols calculate the routes of the
IRF virtual device instead of calculating the routes of each member. This
design eliminates numerous protocol packet exchanges among the
members, simplifies network operations, and shortens the convergence
time.
In addition, without IRF, routing switches with redundant routes between

each other would need to use Equal-Cost Multipath (ECMP) to load balance
traffic. But with IRF, you can simply create a link aggregation between the
IRF virtual devices and run the desired routing protocol.
Scalability
IRF virtual devices are scalable. You can increase the bandwidth and
processing capability of an IRF virtual device simply by adding member
devices. Each member device has its own CPU, and each one
independently processes and forwards protocol packets.
Rev. 13.31
6–39
The number of switches you can connect in one IRF virtual device varies,
depending on the switch models you are using. For the stackable switch
models, you can connect up to nine switches in an IRF virtual device. For
the modular switches, you can connect up to four switches.
6–40 Rev. 13.31

Redundancy
Master and slaves
Within an IRF virtual device, one of the switches is

elected as the master, which manages and maintains
the system. (You’ll learn more about this election
process later in this lesson.)
The other members act as slaves, which process

services and function as backups. If the master fails,
one of the slaves will be elected master and assume
responsibility for managing the IRF virtual device.
Within an IRF virtual device, one of the switches is elected as the master,
which manages and maintains the system. (You’ll learn more about this
election process later in this lesson.)
The other members act as slaves, which process services and function as
backups. If the master fails, one of the slaves will be elected master and
assume responsibility for managing the IRF virtual device.
Rev. 13.31
6–41
Daisy chain or ring topology
Introduction
When you implement an IRF virtual device, you must decide which topology you
will use: the daisy chain topology or the ring topology.
Daisy chain topology

In the daisy chain topology, each switch is connected to one other switch,
essentially forming a line. This topology is typically used when the switches in the
IRF virtual device are located in separate locations. The daisy chain topology can
be less reliable than the ring topology because if a link fails the IRF virtual device
will separate into two independent virtual switches.
Ring topology
In a ring topology, each switch is connected to two other switches, forming a ring.
Because each switch connects to two other switches, this topology is more reliable
than the daisy chain. If a link in the ring fails, the IRF virtual device will still be
connected in a daisy chain and will continue to function as one virtual switch.
6–42 Rev. 13.31

Redundancy
IRF ports
The switches in an IRF virtual device communicate through logical ports called IRF ports, which are bound to the actual
physical ports that connect the switches. Each IRF port can be bound to one or more physical ports.
As shown in the figure, IRF ports are numbered as IRF-port1 and IRF-port2. IRF-port1 on one switch must be connected to
IRF-port2 on its neighbor.
The switches in an IRF virtual device communicate through logical ports

called IRF ports, which are bound to the actual physical ports that connect
the switches. Each IRF port can be bound to one or more physical ports.
As shown in the figure, IRF ports are numbered as IRF-port1 and IRF-port2.
IRF-port1 on one switch must be connected to IRF-port2 on its neighbor.
Rev. 13.31
6–43
Member ID
The IRF virtual device uses member IDs to uniquely

identify and manage the members. If member IDs are not
unique, the IRF virtual device cannot be established.
The IRF virtual device uses member IDs to uniquely identify and manage
the members. If member IDs are not unique, the IRF virtual device cannot
be established.
6–44 Rev. 13.31

Redundancy
Electing a primary switch
When a new IRF virtual device is

formed, members undergo an election
process to identify the master, using
the following rules:
The member with the highest priority is elected.

• On the switch you want to be master,
configure a high IRF priority number.
If all members have the same priority:

• Member with the longest system up-time is If an existing IRF virtual device has a topology change,
members use these rules:
elected.
• Member with the lowest bridge address is The current master is elected.
elected.
If the current master is unavailable, the rules for
electing a master for a new IRF device apply.
When a new IRF virtual device is formed, members undergo an election

process to identify the master, using the following rules:
• The member with the highest priority is elected.

• On the switch you want to be master, configure a high IRF priority
number.
• If all members have the same priority:
• Member with the longest system up-time is elected.
• Member with the lowest bridge address is elected.
If an existing IRF virtual device has a topology change, members use these
rules:
• The current master is elected.

• If the current master is unavailable, the rules for electing a master for a
new IRF device apply.
Rev. 13.31
6–45
Establishing and maintaining the IRF virtual device
• Topology discovery
• Role election
• Maintenance
Introduction
IRF members exchange messages to establish and maintain the IRF virtual
device.
Topology discovery
After you connect the members of an IRF virtual device and configure the
IRF settings, the members exchange hello packets with their directly
connected IRF neighbors. These packets provide topology information such
as:
• IRF port connection states

• Member ID
• Priorities
• Bridge MAC addresses
Each member records its known topology information locally. After all
members have obtained complete topology information, the IRF virtual
device enters the next stage: role election.
Role election
Role election occurs when a topology change occurs. For example:
• The IRF virtual device is first established.

• A member is added.
6–46 Rev. 13.31
Redundancy
• The master is unavailable or is removed from the IRF virtual device.
Maintenance
If topology changes occur in the IRF virtual device, members will exchange
messages to communicate these changes. For example, if a member
switch becomes unavailable, its directly connected neighbor broadcasts the
change, immediately sending a leave message to other IRF members. The
members that receive the leave message determine whether a master or a
slave left the IRF virtual device, according to the locally saved IRF topology
information. If the master left the IRF virtual device, a role election is held,
and the local topology is updated. If a slave left the IRF virtual device, the
local IRF topology is updated to ensure fast convergence of the IRF
topology.
Rev. 13.31
6–47
Summary
In this lesson, you learned that IRF creates a single virtual

switch, which provides significant advantages for
management, network design, and network operations.
You also learned that IRF provides a high level of reliability
and resiliency at the link and device level.
You then learned the basic operations of an IRF virtual

device, including the IRF topology, member roles, IRF
virtual ports, and the IRF election process.
To learn more about IRF, attend the Building SMB Networks
with HP Technologies course.
In this lesson, you learned that IRF creates a single virtual switch, which
provides significant advantages for management, network design, and
network operations. You also learned that IRF provides a high level of
reliability and resiliency at the link and device level.
You then learned the basic operations of an IRF virtual device, including the
IRF topology, member roles, IRF virtual ports, and the IRF election process.
To learn more about IRF, attend the Building SMB Networks with HP
Technologies course.
6–48 Rev. 13.31

Configuracion

Uploaded by

Copyright:

Available Formats

You might also like

Configuracion

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Configuracion

Uploaded by

Copyright:

Available Formats

Getting Started with HP Switching & Routing

Rev. 13.31 Course ID: 00731204

Getting Started with HP Switching & Routing

Module 1: HP Switch Overview

Describe the following types of switches and explain how they

Explain how the HP ProVision command line interface (CLI)

After completing this module, you should be able to:

Module 1: HP Switch Overview

In this lesson, you will review what small, medium, and

You will then learn how HP helps IT organizations meet

Module 1: HP Switch Overview

Current networking challenges

• Server virtualization, which allows a single physical system to host

To accommodate all of these services, the network must deliver high

Users are also relying more heavily on mobile devices—increasingly as

Module 1: HP Switch Overview

Companies have… But they need…

A complicated system of A single-pane-of-glass solution that

Separate silos of servers that All of their resources to work

Companies of all sizes—small, medium, and large—now find themselves

• An infrastructure that supports connectivity but does not add intelligence

But they need…

• An infrastructure that responds to diverse users and applications

Module 1: HP Switch Overview

Converged networks with HP FlexNetwork

Module 1: HP Switch Overview

HP FlexFabric LAN/SAN convergence

HP provides servers with Converged Network Adaptors (CNAs) as well as

1) In a traditional network, the LAN and SAN are completely separate

Module 1: HP Switch Overview

HP FlexFabric LAN/SAN convergence (cont.)

2) HP servers and switches provide an interim step toward LAN/SAN

Module 1: HP Switch Overview

HP FlexFabric LAN/SAN convergence (cont.)

1 –10 Rev. 13.31

Module 1: HP Switch Overview

HP is also committed to supporting industry open

Make it easy to integrate new applications

Increase application flexibility

Help reduce costs

HP is also committed to supporting industry open standards. Open

For example, HP AllianceOne, an extensive system of partnerships, tests a

 Make it easy to integrate new applications into core business practices

Rev. 13.31 1 –11

Module 1: HP Switch Overview

For many switches, HP provides a lifetime warranty,

Fans and power supplies

Advanced replacement at no cost

Next-day business delivery

Some restrictions apply. For complete warranty

For many switches, HP provides a lifetime warranty, which includes:

 Fans and power supplies

Some restrictions apply. For complete warranty information, visit:

1 –12 Rev. 13.31

Module 1: HP Switch Overview

Green business technology

In addition, HP is committed to developing energy-efficient products.

In addition, HP is committed to developing energy-efficient products. Some